Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/konsens.nix7
-rw-r--r--krebs/3modules/tinc.nix37
2 files changed, 16 insertions, 28 deletions
diff --git a/krebs/3modules/konsens.nix b/krebs/3modules/konsens.nix
index 439bcc7f4..81dbb33e1 100644
--- a/krebs/3modules/konsens.nix
+++ b/krebs/3modules/konsens.nix
@@ -60,12 +60,17 @@ let
systemd.services = mapAttrs' (name: repo:
nameValuePair "konsens-${name}" {
after = [ "network.target" ];
- path = [ pkgs.git ];
+ path = [
+ pkgs.git
+ pkgs.openssh
+ ];
restartIfChanged = false;
serviceConfig = {
Type = "simple";
PermissionsStartOnly = true;
ExecStart = pkgs.writeDash "konsens-${name}" ''
+ set -efu
+ git config --global --replace-all safe.directory *
if ! test -e ${name}; then
git clone ${repo.url} ${name}
fi
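Review bot: `git config --global --replace-all safe.directory *` (the line after `set -efu`) switches git's repository-ownership check off for every directory the service user can reach, not only the konsens clone; if the working directory of the service is fixed, the narrower form `git config --global --replace-all safe.directory "$PWD/${name}"` keeps the check for everything else. The bare `*` only reaches git unexpanded because `set -f` (part of `-efu`) is enabled on the previous line; quoting it as `'*'` removes that dependency on statement order. A one-line comment stating why the opt-out is needed (presumably the clone is owned by a different uid than the one running `ExecStart`, given `PermissionsStartOnly = true`) would help the next reader. The `writeDash` script and the enclosing `systemd.services` definition continue outside the hunk.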
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 52cdafe67..437f3b633 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -190,35 +190,16 @@ with import <stockholm/lib>;
default = 3;
};
- user = mkOption {
- type = types.user;
- default = {
- name = tinc.config.netname;
- home = "/var/lib/${tinc.config.user.name}";
- };
- defaultText = {
- name = "‹netname›";
- home = "/var/lib/‹netname›";
- };
+ username = mkOption {
+ type = types.username;
+ default = tinc.config.netname;
+ defaultText = literalExample "netname";
};
};
}));
};
config = {
- users.users = mapAttrs' (netname: cfg:
- nameValuePair "${netname}" {
- inherit (cfg.user) home name uid;
- createHome = true;
- isSystemUser = true;
- group = netname;
- }
- ) config.krebs.tinc;
-
- users.groups = mapAttrs' (netname: cfg:
- nameValuePair netname {}
- ) config.krebs.tinc;
-
krebs.systemd.services = mapAttrs (netname: cfg: {
restartIfCredentialsChange = true;
}) config.krebs.tinc;
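Review bot: The new `username` option replaces `user` without an alias or a removed-option message, so a configuration that still sets `krebs.tinc.<netname>.user` now fails at evaluation with only a generic "option does not exist" error; if the old name cannot be kept, the new option deserves a `description` saying that the account is created by the unit's `DynamicUser` and no longer appears in `users.users`/`users.groups`, which is the only record of why those two attributes were dropped. `literalExample` is the older spelling of nixpkgs' `literalExpression`; depending on the channel this module targets, the newer name avoids a deprecation warning. The `mkOption` attrset and the `config` block continue outside the hunk.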
@@ -238,11 +219,11 @@ with import <stockholm/lib>;
)
"rsa_key.priv:${cfg.privkey}"
];
- ExecStartPre = pkgs.writers.writeDash "init-tinc-${netname}" ''
+ ExecStartPre = "+" + pkgs.writers.writeDash "init-tinc-${netname}" ''
set -efu
${pkgs.coreutils}/bin/mkdir -p /etc/tinc
${pkgs.rsync}/bin/rsync -Lacv --delete \
- --chown ${cfg.user.name} \
+ --chown ${cfg.username} \
--chmod u=rwX,g=rX \
--exclude='/*.priv' \
${cfg.confDir}/ /etc/tinc/${netname}/
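Review bot: The `+` prefix added to `ExecStartPre` runs the whole init script with full root privileges and outside the unit's sandbox, although only `mkdir -p /etc/tinc` and `--chown` appear to need them; with `DynamicUser` now in use, `ConfigurationDirectory = "tinc/${netname}";` would hand the service a directory already owned by its user, so the rsync could run unprivileged and `--chown ${cfg.username}` could go. Note also that `--chown ${cfg.username}` now resolves to a transient UID, so anything tincd leaves under `/etc/tinc/${netname}/` between runs belongs to whatever that UID maps to next; presumably harmless because the pre-script re-chowns on every start, but a comment saying so would spare the next reader the analysis. The `serviceConfig` attrset this hunk edits starts and ends outside the hunk.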
@@ -255,14 +236,16 @@ with import <stockholm/lib>;
"$CREDENTIALS_DIRECTORY"/rsa_key.priv \
/etc/tinc/${netname}/
'';
- ExecStart = toString [
+ ExecStart = "+" + toString [
"${cfg.tincPackage}/sbin/tincd"
"-D"
- "-U ${cfg.user.name}"
+ "-U ${cfg.username}"
"-d 0"
"-n ${netname}"
];
SyslogIdentifier = netname;
+ DynamicUser = true;
+ User = cfg.username;
};
}) config.krebs.tinc;
};
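Review bot: `ExecStart = "+" + toString [ … ]` starts tincd as root with all capabilities, so the `DynamicUser = true;` and `User = cfg.username;` lines added a few lines below only supply the name passed to `-U`; the daemon is deprivileged solely by its own `-U` switch, after its root-phase initialisation, and the unit's user is never what actually runs the main process. If the `+` is there because tincd has to create the tun interface, the same can be achieved while keeping the process as the dynamic user by granting `CAP_NET_ADMIN` and access to `/dev/net/tun` and dropping the `-U` argument, as sketched below; I cannot see from the hunk whether tincd needs anything else as root (for example the scripts it may run), so that assumption should be confirmed before the change. Either way a comment next to the `"+"` naming the privilege it needs would make the exception deliberate rather than silent.
```nix
          ExecStart = toString [
            "${cfg.tincPackage}/sbin/tincd"
            "-D"
            # … unchanged: "-d 0", "-n ${netname}" …
          ];
          # … unchanged: SyslogIdentifier …
          DynamicUser = true;
          User = cfg.username;
          # tincd creates the tun device itself; give it that one capability
          # instead of running the whole process as root via "+".
          AmbientCapabilities = [ "CAP_NET_ADMIN" ];
          CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
          DeviceAllow = [ "/dev/net/tun rw" ];
```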