diff options
| author | lassulus <lassulus@lassul.us> | 2021-12-23 21:49:55 +0100 |
|---|---|---|
| committer | lassulus <lassulus@lassul.us> | 2021-12-23 21:49:55 +0100 |
| commit | 29b796f5216a6743f6c0230b23048fada0d6c2ef (patch) | |
| tree | 77a856185e5d0b47b334651900a54d6e566c1c83 /krebs/3modules/tinc.nix | |
| parent | fb9ef6eda60b4d36c288c0c8806dbcb32df54a10 (diff) | |
| parent | d4521eb339a47c52c5e8f7d82969b54f6dce1e9c (diff) | |
Merge remote-tracking branch 'ni/master'
Diffstat (limited to 'krebs/3modules/tinc.nix')
| -rw-r--r-- | krebs/3modules/tinc.nix | 123 |
1 files changed, 46 insertions, 77 deletions
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 3d0cc8fb4..dca764f63 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -1,12 +1,6 @@ with import <stockholm/lib>; -{ config, pkgs, ... }: -let - out = { - options.krebs.tinc = api; - config = imp; - }; - - api = mkOption { +{ config, pkgs, ... }: { + options.krebs.tinc = mkOption { default = {}; description = '' define a tinc network @@ -28,10 +22,6 @@ let Interface = ${netname} Broadcast = no ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo} - ${optionalString (tinc.config.privkey_ed25519 != null) - "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}" - } - PrivateKeyFile = ${tinc.config.privkey.path} Port = ${toString tinc.config.host.nets.${netname}.tinc.port} ${tinc.config.extraConfig} ''; @@ -169,25 +159,17 @@ let }; privkey = mkOption { - type = types.secret-file; - default = { - name = "${tinc.config.netname}.rsa_key.priv"; - path = "${tinc.config.user.home}/tinc.rsa_key.priv"; - owner = tinc.config.user; - source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv"; defaultText = "‹secrets/‹netname›.rsa_key.priv›"; }; privkey_ed25519 = mkOption { - type = types.nullOr types.secret-file; + type = types.nullOr types.absolute-pathname; default = - if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else { - name = "${tinc.config.netname}.ed25519_key.priv"; - path = "${tinc.config.user.home}/tinc.ed25519_key.priv"; - owner = tinc.config.user; - source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv"; - }; + if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null + then null + else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv"; defaultText = "‹secrets/‹netname›.ed25519_key.priv›"; }; @@ -226,28 +208,7 @@ let })); }; - imp = { - # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network, - # avoid conflicts in environment if the packages differ - - krebs.secret.files = - let - ed25519_keys = - filterAttrs - (_: key: key != null) - (mapAttrs' - (netname: cfg: - nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519 - ) - config.krebs.tinc); - - rsa_keys = - mapAttrs' - (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey) - config.krebs.tinc; - in - ed25519_keys // rsa_keys; - + config = { users.users = mapAttrs' (netname: cfg: nameValuePair "${netname}" { inherit (cfg.user) home name uid; @@ -267,34 +228,42 @@ let } ) config.krebs.tinc; - systemd.services = mapAttrs (netname: cfg: - let - tinc = cfg.tincPackage; - iproute = cfg.iproutePackage; - in { - description = "Tinc daemon for ${netname}"; - after = [ - "network.target" - config.krebs.secret.files."${netname}.rsa_key.priv".service - ] ++ optionals (cfg.privkey_ed25519 != null) [ - config.krebs.secret.files."${netname}.ed25519_key.priv".service - ]; - partOf = [ - config.krebs.secret.files."${netname}.rsa_key.priv".service - ] ++ optionals (cfg.privkey_ed25519 != null) [ - config.krebs.secret.files."${netname}.ed25519_key.priv".service + krebs.systemd.services = mapAttrs (netname: cfg: { + serviceConfig.LoadCredential = filter (x: x != "") [ + (optionalString (cfg.privkey_ed25519 != null) + "ed25519_key:${cfg.privkey_ed25519}" + ) + "rsa_key:${cfg.privkey}" + ]; + }) config.krebs.tinc; + + systemd.services = mapAttrs (netname: cfg: { + description = "Tinc daemon for ${netname}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ + cfg.iproutePackage + cfg.tincPackage + ]; + reloadIfChanged = true; + restartTriggers = [ cfg.confDir ]; + serviceConfig = { + Restart = "always"; + ExecStart = toString [ + "${cfg.tincPackage}/sbin/tincd" + "-D" + "-U ${cfg.user.name}" + "-c /etc/tinc/${netname}" + "-d 0" + (optionalString (cfg.privkey_ed25519 != null) + "-o Ed25519PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/ed25519_key" + ) + "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key" + "--pidfile=/var/run/tinc.${netname}.pid" ]; - wantedBy = [ "multi-user.target" ]; - path = [ tinc iproute ]; - reloadIfChanged = true; - restartTriggers = [ cfg.confDir ]; - serviceConfig = rec { - Restart = "always"; - ExecStart = "${tinc}/sbin/tincd -c /etc/tinc/${netname} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; - ExecReload = "${tinc}/sbin/tinc -n ${netname} reload"; - SyslogIdentifier = netname; - }; - } - ) config.krebs.tinc; + ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload"; + SyslogIdentifier = netname; + }; + }) config.krebs.tinc; }; -in out +} |