From 01ee8749acb258431eee769e3993fa12bf716e24 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 15:13:22 +0200 Subject: k 3 retiolum-bootstrap: use secrets path as default, not /root/secrets --- krebs/3modules/retiolum-bootstrap.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'krebs')
diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index 40382d098..9d393c90b 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -27,12 +27,12 @@ let
 ssl_certificate_key = mkOption {
 type = types.str;
 description = "Certificate key to use for ssl";
- default = "/root/secrets/tinc.krebsco.de.key";
+ default = "${toString }/tinc.krebsco.de.key";
 };
 ssl_certificate = mkOption {
 type = types.str;
 description = "Certificate file to use for ssl";
- default = "/root/secrets/tinc.krebsco.de.crt" ;
+ default = "${toString }/tinc.krebsco.de.crt" ;
 };
 # in use:
 #
-- cgit v1.2.3 From a6a0cddeaabe2e30e314cdb3d7106180660c43cf Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 15:35:36 +0200 Subject: k 3 m: filepimp,omo expose lan net --- krebs/3modules/makefu/default.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index d5537cf56..52db3de85 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -259,8 +259,13 @@ with config.krebs.lib; }; filepimp = rec { cores = 1; - nets = { + lan = { + ip4.addr = "192.168.1.12"; + aliases = [ + "filepimp.lan" + ]; + }; retiolum = { ip4.addr = "10.243.153.102"; ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"; @@ -286,6 +291,12 @@ with config.krebs.lib; cores = 2; nets = { + lan = { + ip4.addr = "192.168.1.11"; + aliases = [ + "omo.lan" + ]; + }; retiolum = { ip4.addr = "10.243.0.89"; ip6.addr = "42:f9f0::10"; -- cgit v1.2.3
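Review bot: As rendered, both new defaults read `${toString }` with no operand, which is not valid Nix; presumably an angle-bracket search-path lookup (the "secrets" entry the commit subject refers to) was dropped by the page renderer. The choice of `toString` deserves a comment, because a bare path interpolation would copy the private key into the world-readable nix store whereas `toString` yields a plain string that is only read at runtime: `# toString: keep the key path out of the nix store`. The new default also depends on that search-path entry being set at evaluation time, so an unset entry now fails evaluation instead of falling back to /root/secrets. The enclosing `let` of the options attrset starts before the hunk.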
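Review bot: The first hunk of makefu/default.nix deletes `nets = {` from filepimp without adding it back, while the second hunk keeps omo's `nets = {` as context and nests `lan` inside it; as printed, filepimp's `lan` and `retiolum` would sit directly under `filepimp = rec {` and the `};` that used to close `nets` becomes unbalanced. If that is not a rendering artifact of this page, the removed line should be restored above `lan = {`, i.e. `nets = {` kept as context. Both hunks end before their attrsets close, so the matching braces are outside this view.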
From 835ddb0de049850c113de4f9870edb49fff05494 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 18:57:36 +0200 Subject: m 1 vbob: document forticlientsslvpn mess --- krebs/5pkgs/fortclientsslvpn/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'krebs') diff --git a/krebs/5pkgs/fortclientsslvpn/default.nix b/krebs/5pkgs/fortclientsslvpn/default.nix index 11d567408..07420c4d3 100644 --- a/krebs/5pkgs/fortclientsslvpn/default.nix +++ b/krebs/5pkgs/fortclientsslvpn/default.nix @@ -5,9 +5,10 @@ stdenv.mkDerivation rec { # forticlient will be copied into /tmp before execution. this is necessary as # the software demands $base to be writeable + # TODO: chroot and create the following files instead of copying files manually # mkdir /etc/ppp ; touch /etc/ppp/options - ## i still have not found which tool uses tail ... i tried redirecting it in forticlientsslvpn and subproc # ln -s /run/current-system/sw/bin/tail /usr/bin/tail + # ln -s /run/current-system/sw/bin/pppd /usr/sbin/pppd src = fetchurl { # archive.org mirror: @@ -62,7 +63,7 @@ stdenv.mkDerivation rec { cp -r 64bit/. "$out/opt/fortinet" wrapProgram $out/opt/fortinet/forticlientsslvpn \ --set LD_PRELOAD "${libredirect}/lib/libredirect.so" \ - --set NIX_REDIRECTS /usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/ppp=${ppp}/bin/ppp + --set NIX_REDIRECTS /usr/bin/tail=${coreutils}/bin/tail:/usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/pppd=${ppp}/bin/pppd mkdir -p "$out/bin/" -- cgit v1.2.3 From 24db6439c4bc64d39b991a677a8dac4a6581ed74 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 10:06:04 +0200 Subject: retiolum: config which is working but not functioning (see TODO in retiolum.nix) --- krebs/3modules/exim-retiolum.nix | 2 +- krebs/3modules/retiolum.nix | 299 ++++++++++++++++++++------------------- 2 files changed, 152 insertions(+), 149 deletions(-) (limited to 'krebs') 
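Review bot: The substantive change in the second hunk is renaming the redirect target from `/usr/sbin/ppp` to `/usr/sbin/pppd` (the old entry pointed at a binary name the client does not exec), which the "document" subject does not mention; a comment above the wrapProgram call, `# libredirect: map the /usr paths hard-coded in the proprietary binary to store paths`, would preserve that intent. The new `${coreutils}` reference requires `coreutils` in the derivation's argument set, and the header is outside both hunks, so I cannot confirm it is there. The first hunk still lists `ln -s ... /usr/bin/tail` as a manual step although the second hunk now handles tail via NIX_REDIRECTS, so that comment line is stale. The first hunk's comment also states the binary is copied to /tmp before execution; if that copy path is fixed and the client runs privileged (it drives pppd), a local user could pre-create it, which is worth stating in the new TODO so the chroot plan covers it.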
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index d6b7ab753..fc127a414 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -37,7 +37,7 @@ let config = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration - assert config.krebs.retiolum.enable; + assert (lib.hasAttr "retiolum" config.krebs.tinc); '' keep_environment = diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 22991f093..1107e8575 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix 
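Review bot: `lib.hasAttr "retiolum" config.krebs.tinc` only checks that a retiolum network is declared, not that it is active, so the exim configuration is generated even when the tinc service for it is not; once the submodule carries an enable flag the assertion should test that flag. An `assert` inside a string-producing `let` also surfaces as a bare evaluation error rather than a NixOS assertion message, so a short comment stating what the user should change, `# requires krebs.tinc.retiolum to be defined on this host`, would help. The enclosing `config =` expression continues outside the hunk.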
@@ -1,130 +1,164 @@ { config, pkgs, lib, ... }: with config.krebs.lib; let - cfg = config.krebs.retiolum; - out = { - options.krebs.retiolum = api; - config = lib.mkIf cfg.enable imp; + options.krebs.tinc = api; + config = imp; }; - api = { - enable = mkEnableOption "krebs.retiolum"; - - host = mkOption { - type = types.host; - default = config.krebs.build.host; - }; - - netname = mkOption { - type = types.enum (attrNames cfg.host.nets); - default = "retiolum"; - description = '' - The tinc network name. - It is used to name the TUN device and to generate the default value for - config.krebs.retiolum.hosts. - ''; - }; - - extraConfig = mkOption { - type = types.str; - default = ""; - description = '' - Extra Configuration to be appended to tinc.conf - ''; - }; - - tincPackage = mkOption { - type = types.package; - default = pkgs.tinc; - description = "Tincd package to use."; - }; - - hosts = mkOption { - type = with types; attrsOf host; - default = - filterAttrs (_: h: hasAttr cfg.netname h.nets) config.krebs.hosts; - description = '' - Hosts to generate config.krebs.retiolum.hostsPackage. - Note that these hosts must have a network named - config.krebs.retiolum.netname. - ''; - }; - - hostsPackage = mkOption { - type = types.package; - default = pkgs.stdenv.mkDerivation { - name = "${cfg.netname}-tinc-hosts"; - phases = [ "installPhase" ]; - installPhase = '' - mkdir $out - ${concatStrings (mapAttrsToList (_: host: '' - echo ${shell.escape host.nets.${cfg.netname}.tinc.config} \ - > $out/${shell.escape host.name} - '') cfg.hosts)} - ''; + api = mkOption { + default = {}; + description = '' + define a tinc network + ''; + type = with types; attrsOf (submodule (tinc: { + options = { + host = mkOption { + type = types.host; + default = config.krebs.build.host; + }; + + netname = mkOption { + type = types.enum (attrNames tinc.config.host.nets); + default = tinc.config._module.args.name; + description = '' + The tinc network name. 
+ It is used to name the TUN device and to generate the default value for + config.krebs.tinc.retiolum.hosts. + ''; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = '' + Extra Configuration to be appended to tinc.conf + ''; + }; + + tincPackage = mkOption { + type = types.package; + default = pkgs.tinc; + description = "Tincd package to use."; + }; + + hosts = mkOption { + type = with types; attrsOf host; + default = + filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts; + description = '' + Hosts to generate config.krebs.retiolum.hostsPackage. + Note that these hosts must have a network named + config.krebs.retiolum.netname. + ''; + }; + + hostsPackage = mkOption { + type = types.package; + default = pkgs.stdenv.mkDerivation { + name = "${tinc.config.netname}-tinc-hosts"; + phases = [ "installPhase" ]; + installPhase = '' + mkdir $out + ${concatStrings (lib.mapAttrsToList (_: host: '' + echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \ + > $out/${shell.escape host.name} + '') tinc.config.hosts)} + ''; + }; + description = '' + Package of tinc host configuration files. By default, a package will + be generated from config.krebs.${tinc.config.netname}.hosts. This + option's main purpose is to expose the generated hosts package to other + modules, like config.krebs.tinc_graphs. But it can + also be used to provide a custom hosts directory. + ''; + example = literalExample '' + (pkgs.stdenv.mkDerivation { + name = "my-tinc-hosts"; + src = /home/tv/my-tinc-hosts; + installPhase = "cp -R . 
$out"; + }) + ''; + }; + + iproutePackage = mkOption { + type = types.package; + default = pkgs.iproute; + description = "Iproute2 package to use."; + }; + + privkey = mkOption { + type = types.secret-file; + default = { + path = "${tinc.config.user.home}/tinc.rsa_key.priv"; + owner = tinc.config.user; + source-path = toString + "/${tinc.config.netname}.rsa_key.priv"; + }; + }; + + connectTo = mkOption { + type = types.listOf types.str; + default = [ "fastpoke" "cd" "prism" "gum" ]; + description = '' + The list of hosts in the network which the client will try to connect + to. These hosts should have an 'Address' configured which points to a + routeable IPv4 or IPv6 address. + + In stockholm this can be done by configuring: + krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 = + [ "${external-ip} ${external-port}" ] + ''; + }; + + user = mkOption { + type = types.user; + default = { + name = tinc.config.netname; + home = "/var/lib/${tinc.config.user.name}"; + }; + }; }; - description = '' - Package of tinc host configuration files. By default, a package will - be generated from config.krebs.retiolum.hosts. This - option's main purpose is to expose the generated hosts package to other - modules, like config.krebs.tinc_graphs. But it can - also be used to provide a custom hosts directory. 
+ })); + }; + imp = lib.mkMerge ( lib.mapAttrsToList (netname: cfg: + let + net = cfg.host.nets.${netname}; + + tinc = cfg.tincPackage; + + iproute = cfg.iproutePackage; + + confDir = let + namePathPair = name: path: { inherit name path; }; + in pkgs.linkFarm "${netname}-etc-tinc" (lib.mapAttrsToList namePathPair { + "hosts" = cfg.hostsPackage; + "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' + Name = ${cfg.host.name} + Interface = ${netname} + ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} + PrivateKeyFile = ${cfg.privkey.path} + ${cfg.extraConfig} ''; - example = literalExample '' - (pkgs.stdenv.mkDerivation { - name = "my-tinc-hosts"; - src = /home/tv/my-tinc-hosts; - installPhase = "cp -R . $out"; - }) + "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' + ${iproute}/sbin/ip link set ${netname} up + ${optionalString (net.ip4 != null) /* sh */ '' + ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} + ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} + ''} + ${optionalString (net.ip6 != null) /* sh */ '' + ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} + ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} + ''} ''; - }; - - iproutePackage = mkOption { - type = types.package; - default = pkgs.iproute; - description = "Iproute2 package to use."; - }; - - privkey = mkOption { - type = types.secret-file; - default = { - path = "${cfg.user.home}/tinc.rsa_key.priv"; - owner = cfg.user; - source-path = toString + "/${cfg.netname}.rsa_key.priv"; - }; - }; - - connectTo = mkOption { - type = types.listOf types.str; - default = [ "fastpoke" "cd" "prism" "gum" ]; - description = '' - The list of hosts in the network which the client will try to connect - to. These hosts should have an 'Address' configured which points to a - routeable IPv4 or IPv6 address. 
- - In stockholm this can be done by configuring: - krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 = - [ "${external-ip} ${external-port}" ] - ''; - }; - - user = mkOption { - type = types.user; - default = { - name = cfg.netname; - home = "/var/lib/${cfg.user.name}"; - }; - }; - }; - - imp = { - krebs.secret.files."${cfg.netname}.rsa_key.priv" = cfg.privkey; + }); + in { + krebs.secret.files."${netname}.rsa_key.priv" = cfg.privkey; environment.systemPackages = [ tinc iproute ]; - systemd.services.${cfg.netname} = { - description = "Tinc daemon for Retiolum"; + systemd.services.${netname} = { + description = "Tinc daemon for ${netname}"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; requires = [ "secret.service" ]; @@ -132,7 +166,7 @@ let serviceConfig = rec { Restart = "always"; ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; - SyslogIdentifier = cfg.netname; + SyslogIdentifier = netname; }; }; 
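Review bot: The `netname` option and the attrset key are used interchangeably in the new `imp`: `net = cfg.host.nets.${netname}` and `Interface = ${netname}` use the key, while `hosts` filters by `tinc.config.netname` and tinc.conf is named after `cfg.netname`, so `krebs.tinc.foo.netname = "retiolum"` would look up `nets.foo` and fail, contradicting the option's description. Either use `cfg.netname` consistently, `net = cfg.host.nets.${cfg.netname};` and `Interface = ${cfg.netname}`, or make the option read-only. The `connectTo` default `[ "fastpoke" "cd" "prism" "gum" ]` is retiolum-specific but now applies to every network declared under `krebs.tinc`; a default of `[]`, or one guarded by `tinc.config.netname == "retiolum"`, avoids pointing a foreign network at retiolum peers. As printed, `source-path = toString + "/..."` has lost its operand (presumably a search-path lookup stripped by the renderer), and the `hostsPackage` description's `config.krebs.${tinc.config.netname}.hosts` should read `config.krebs.tinc.${tinc.config.netname}.hosts`. The hunk ends inside the `systemd.services` definition, so its serviceConfig is outside this view.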
@@ -140,36 +174,5 @@ let inherit (cfg.user) home name uid; createHome = true; }; - }; - - net = cfg.host.nets.${cfg.netname}; - - tinc = cfg.tincPackage; - - iproute = cfg.iproutePackage; - - confDir = let - namePathPair = name: path: { inherit name path; }; - in pkgs.linkFarm "${cfg.netname}-etc-tinc" (mapAttrsToList namePathPair { - "hosts" = cfg.hostsPackage; - "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' - Name = ${cfg.host.name} - Interface = ${cfg.netname} - ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} - PrivateKeyFile = ${cfg.privkey.path} - ${cfg.extraConfig} - ''; - "tinc-up" = pkgs.writeDash "${cfg.netname}-tinc-up" '' - ${iproute}/sbin/ip link set ${cfg.netname} up - ${optionalString (net.ip4 != null) /* sh */ '' - ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${cfg.netname} - ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${cfg.netname} - ''} - ${optionalString (net.ip6 != null) /* sh */ '' - ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${cfg.netname} - ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${cfg.netname} - ''} - ''; - }); - + }) {} ); # TODO <<<< replace with the "config.krebs.tinc" and avoid infinite recursion in out -- cgit v1.2.3 From d35fc9f6d2fac0f9a4b1c26f78860ce9d9afbe6e Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 14:15:47 +0200 Subject: k 3 retiolum: explicitly build users, secrets and services --- krebs/3modules/retiolum.nix | 107 +++++++++++++++++++++++--------------------- 1 file changed, 55 insertions(+), 52 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 1107e8575..7bf710dca 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix 
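Review bot: The closing `}) {} );` makes `imp` map over the empty attrset instead of `config.krebs.tinc`, so as committed no secret, user or service is generated for any network and the module is a silent no-op despite `out.config = imp`; the TODO acknowledges it, but substituting `config.krebs.tinc` directly recurses because the length of the list given to `mkMerge` would then depend on `config`. The usual way out is to build each top-level option separately with `mapAttrs`/`mapAttrs'` over `config.krebs.tinc`, e.g. `systemd.services = mapAttrs (netname: cfg: ...) config.krebs.tinc;`, since the set of option names then no longer depends on their values. The removed lines are the relocated `net`/`confDir` definitions and need no re-review; the enclosing `let` starts before this hunk.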
@@ -13,6 +13,9 @@ let
 '';
 type = with types; attrsOf (submodule (tinc: {
 options = {
+
+ enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; };
+
 host = mkOption {
 type = types.host;
 default = config.krebs.build.host;
@@ -121,58 +124,58 @@ let }; })); }; - imp = lib.mkMerge ( lib.mapAttrsToList (netname: cfg: - let - net = cfg.host.nets.${netname}; - - tinc = cfg.tincPackage; - - iproute = cfg.iproutePackage; - - confDir = let - namePathPair = name: path: { inherit name path; }; - in pkgs.linkFarm "${netname}-etc-tinc" (lib.mapAttrsToList namePathPair { - "hosts" = cfg.hostsPackage; - "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' - Name = ${cfg.host.name} - Interface = ${netname} - ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} - PrivateKeyFile = ${cfg.privkey.path} - ${cfg.extraConfig} - ''; - "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' - ${iproute}/sbin/ip link set ${netname} up - ${optionalString (net.ip4 != null) /* sh */ '' - ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} - ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} - ''} - ${optionalString (net.ip6 != null) /* sh */ '' - ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} - ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} - ''} - ''; - }); - in { - krebs.secret.files."${netname}.rsa_key.priv" = cfg.privkey; - - environment.systemPackages = [ tinc iproute ]; - - systemd.services.${netname} = { - description = "Tinc daemon for ${netname}"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - requires = [ "secret.service" ]; - path = [ tinc iproute ]; - serviceConfig = rec { - Restart = "always"; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; - SyslogIdentifier = netname; - }; - }; - - users.users.${cfg.user.name} = { + imp = { + # TODO environment.systemPackages = [ tinc iproute ]; AND avoid conflicts + krebs.secret.files = lib.mapAttrs' (netname: cfg: + nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; + users.users = lib.mapAttrs' (netname: cfg: + nameValuePair "${netname}" { inherit (cfg.user) home name 
uid; createHome = true; - }; - }) {} ); # TODO <<<< replace with the "config.krebs.tinc" and avoid infinite recursion + } ) config.krebs.tinc; + + systemd.services = lib.mapAttrs (netname: cfg: + let + net = cfg.host.nets.${netname}; + + tinc = cfg.tincPackage; + + iproute = cfg.iproutePackage; + + confDir = let + namePathPair = name: path: { inherit name path; }; + in pkgs.linkFarm "${netname}-etc-tinc" (lib.mapAttrsToList namePathPair { + "hosts" = cfg.hostsPackage; + "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' + Name = ${cfg.host.name} + Interface = ${netname} + ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} + PrivateKeyFile = ${cfg.privkey.path} + ${cfg.extraConfig} + ''; + "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' + ${iproute}/sbin/ip link set ${netname} up + ${optionalString (net.ip4 != null) /* sh */ '' + ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} + ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} + ''} + ${optionalString (net.ip6 != null) /* sh */ '' + ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} + ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} + ''} + ''; + }); + in { + description = "Tinc daemon for ${netname}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + requires = [ "secret.service" ]; + path = [ tinc iproute ]; + serviceConfig = rec { + Restart = "always"; + ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; + SyslogIdentifier = netname; + }; + } ) config.krebs.tinc; + }; in out -- cgit v1.2.3 From 2d4b0dc227b2dc10fa6fe4aa9659391ac1c8c2b4 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 14:24:58 +0200 Subject: k 3 retiolum: remove lib. for imp part --- krebs/3modules/retiolum.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'krebs') 
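Review bot: The `enable` option declared earlier in this commit (`enable = mkEnableOption ... // { default = true; }` in the hunk at file line 13) is never consulted here: `krebs.secret.files`, `users.users` and `systemd.services` are generated for every attribute of `config.krebs.tinc`, so `enable = false` has no effect (the enclosing `let` starts before the hunk). Filtering once, `enabledNets = filterAttrs (_: cfg: cfg.enable) config.krebs.tinc;`, and mapping the three options over that would make the flag meaningful. `users.users` is keyed by `netname` while the entry's `name` comes from `cfg.user.name`, so a custom `user.name` produces an attribute whose key and `name` field disagree; keying it as `nameValuePair cfg.user.name { ... }` keeps them aligned. The service has `requires = [ "secret.service" ]` but `after` lists only network.target, so unless secret.service is ordered elsewhere the key file may not be in place when tincd starts; adding `"secret.service"` to `after` fixes the ordering.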
diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 7bf710dca..326dfa7fb 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -126,15 +126,15 @@ let }; imp = { # TODO environment.systemPackages = [ tinc iproute ]; AND avoid conflicts - krebs.secret.files = lib.mapAttrs' (netname: cfg: + krebs.secret.files = mapAttrs' (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; - users.users = lib.mapAttrs' (netname: cfg: + users.users = mapAttrs' (netname: cfg: nameValuePair "${netname}" { inherit (cfg.user) home name uid; createHome = true; } ) config.krebs.tinc; - systemd.services = lib.mapAttrs (netname: cfg: + systemd.services = mapAttrs (netname: cfg: let net = cfg.host.nets.${netname}; @@ -144,7 +144,7 @@ let confDir = let namePathPair = name: path: { inherit name path; }; - in pkgs.linkFarm "${netname}-etc-tinc" (lib.mapAttrsToList namePathPair { + in pkgs.linkFarm "${netname}-etc-tinc" (mapAttrsToList namePathPair { "hosts" = cfg.hostsPackage; "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' Name = ${cfg.host.name} -- cgit v1.2.3 From 4e0eb7d9c07fde00bff4b4b2875bf3a49a5bd7b8 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 14:38:59 +0200 Subject: k 3 retiolum: formatting --- krebs/3modules/retiolum.nix | 80 ++++++++++++++++++++++++--------------------- 1 file changed, 42 insertions(+), 38 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 326dfa7fb..a80c510a5 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -14,7 +14,7 @@ let type = with types; attrsOf (submodule (tinc: { options = { - enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; }; + enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; }; host = mkOption { type = types.host; 
@@ -124,58 +124,62 @@ let }; })); }; + imp = { - # TODO environment.systemPackages = [ tinc iproute ]; AND avoid conflicts + # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network, + # avoid conflicts in environment if the packages differ + krebs.secret.files = mapAttrs' (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; users.users = mapAttrs' (netname: cfg: nameValuePair "${netname}" { - inherit (cfg.user) home name uid; - createHome = true; - } ) config.krebs.tinc; + inherit (cfg.user) home name uid; + createHome = true; + } + ) config.krebs.tinc; systemd.services = mapAttrs (netname: cfg: let net = cfg.host.nets.${netname}; - tinc = cfg.tincPackage; - iproute = cfg.iproutePackage; confDir = let namePathPair = name: path: { inherit name path; }; in pkgs.linkFarm "${netname}-etc-tinc" (mapAttrsToList namePathPair { - "hosts" = cfg.hostsPackage; - "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' - Name = ${cfg.host.name} - Interface = ${netname} - ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} - PrivateKeyFile = ${cfg.privkey.path} - ${cfg.extraConfig} - ''; - "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' - ${iproute}/sbin/ip link set ${netname} up - ${optionalString (net.ip4 != null) /* sh */ '' - ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} - ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} - ''} - ${optionalString (net.ip6 != null) /* sh */ '' - ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} - ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} - ''} - ''; - }); + "hosts" = cfg.hostsPackage; + "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" '' + Name = ${cfg.host.name} + Interface = ${netname} + ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} + PrivateKeyFile = ${cfg.privkey.path} + ${cfg.extraConfig} + ''; + "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' + 
${iproute}/sbin/ip link set ${netname} up + ${optionalString (net.ip4 != null) /* sh */ '' + ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} + ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} + ''} + ${optionalString (net.ip6 != null) /* sh */ '' + ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} + ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} + ''} + ''; + } + ); in { - description = "Tinc daemon for ${netname}"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - requires = [ "secret.service" ]; - path = [ tinc iproute ]; - serviceConfig = rec { - Restart = "always"; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; - SyslogIdentifier = netname; - }; - } ) config.krebs.tinc; + description = "Tinc daemon for ${netname}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + requires = [ "secret.service" ]; + path = [ tinc iproute ]; + serviceConfig = rec { + Restart = "always"; + ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; + SyslogIdentifier = netname; + }; + } + ) config.krebs.tinc; }; in out -- cgit v1.2.3 From d04b0b4ebeffb347e998abd72fccfe718063c973 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 16:50:32 +0200 Subject: k 3 retiolum: prepare fallback to krebs.retiolum --- krebs/3modules/retiolum.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs') diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index a80c510a5..d0dbd2660 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -2,6 +2,7 @@ with config.krebs.lib; let out = { + options.krebs.retiolum = trace "krebs.retiolum is obsolete, use krebs.tinc.retiolum instead" config.krebs.tinc.retiolum; options.krebs.tinc = api; config = imp; }; -- cgit v1.2.3 
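Review bot: `options.krebs.retiolum = trace "..." config.krebs.tinc.retiolum;` assigns a config value where an option declaration is expected, and it reads `config` while the option tree is being built, which is the recursion this module has been working around; the `trace` also fires on every evaluation, not only when someone still sets `krebs.retiolum`. A compatibility alias belongs on the module side, e.g. `imports = [ (mkRenamedOptionModule [ "krebs" "retiolum" ] [ "krebs" "tinc" "retiolum" ]) ];` if that helper exists in the nixpkgs in use, or an explicit `mkOption` plus a `warnings` entry in `config`. The `out` attrset continues outside the hunk.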
From c5d7e14e9087097e55b809b33cd39de079c09bf1 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 16:51:25 +0200 Subject: k 3 exim-retiolum: assert to krebs.tinc.retiolum.enable again --- krebs/3modules/exim-retiolum.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index fc127a414..a18f1c979 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -37,7 +37,7 @@ let config = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration - assert (lib.hasAttr "retiolum" config.krebs.tinc); + assert config.krebs.tinc.retiolum.enable; '' keep_environment = -- cgit v1.2.3 From 13a5662feb58b91287ac00c19925c70156612755 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 16:55:22 +0200 Subject: k 3 retiolum: krebs.retiolum is now officially obsolete --- krebs/3modules/retiolum.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index d0dbd2660..a80c510a5 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -2,7 +2,6 @@ with config.krebs.lib; let out = { - options.krebs.retiolum = trace "krebs.retiolum is obsolete, use krebs.tinc.retiolum instead" config.krebs.tinc.retiolum; options.krebs.tinc = api; config = imp; }; -- cgit v1.2.3 From 0c40af375f26788bd098b7594ae5425fedd68fb4 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 17:20:47 +0200 Subject: / : s/krebs\.retiolum/krebs.tinc.retiolum/g --- krebs/3modules/retiolum.nix | 4 ++-- krebs/3modules/tinc_graphs.nix | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index a80c510a5..0bd815211 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix 
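Review bot: `config.krebs.tinc.retiolum.enable` throws an attribute-missing error when no `retiolum` network is declared at all (`krebs.tinc` is `attrsOf` a submodule, so the key need not exist), giving a host without tinc a confusing evaluation failure instead of the intended assertion; `assert config.krebs.tinc ? retiolum && config.krebs.tinc.retiolum.enable;` keeps the meaning and fails cleanly. The enclosing `config =` expression continues outside the hunk.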
@@ -50,9 +50,9 @@ let default = filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts; description = '' - Hosts to generate config.krebs.retiolum.hostsPackage. + Hosts to generate config.krebs.tinc.retiolum.hostsPackage. Note that these hosts must have a network named - config.krebs.retiolum.netname. + config.krebs.tinc.retiolum.netname. ''; }; diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index 0f1bae090..d783ba03b 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -23,7 +23,7 @@ let hostsPath = mkOption { type = types.str; description = "Path to Hosts directory"; - default = "${config.krebs.retiolum.hostsPackage}"; + default = "${config.krebs.tinc.retiolum.hostsPackage}"; }; network = mkOption { -- cgit v1.2.3
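Review bot: In tinc_graphs.nix the new default hard-wires the module to the `retiolum` network even though `krebs.tinc` now holds any number of networks and the module declares its own `network` option right below; evaluating this default also fails outright on a host that declares no `retiolum` network. Selecting the hosts package by the configured network name, `default = "${config.krebs.tinc.${cfg.network}.hostsPackage}";` (with `cfg` being whatever alias this module uses for its own config), keeps the two options consistent. The `network` option's definition continues outside the hunk.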