Diffstat (limited to 'krebs/3modules/tinc.nix')
-rw-r--r--krebs/3modules/tinc.nix55
1 files changed, 48 insertions, 7 deletions
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index ed00d187..4252c8d3 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -29,6 +29,9 @@ let
Interface = ${netname}
Broadcast = no
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
+ ${optionalString (tinc.config.privkey_ed25519 != null)
+ "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}"
+ }
PrivateKeyFile = ${tinc.config.privkey.path}
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
${tinc.config.extraConfig}
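Review bot: The `Ed25519PrivateKeyFile` line added at L18-L20 is emitted purely on `privkey_ed25519 != null`, with no check that the selected `tincPackage` is from the 1.1 branch, which is where that config variable exists; with a 1.0 build the key file is at best silently ignored and the node keeps using only the RSA key, so the operator gets no signal that the Ed25519 material is unused. A short comment above the `optionalString` would at least document the constraint, e.g. `# Ed25519PrivateKeyFile is only honoured by tinc 1.1; a 1.0 tincPackage ignores it`, and an `assertions` entry tying `privkey_ed25519 != null` to the package version would turn the silent case into an evaluation error. The `tincConf` string this hunk sits in starts and ends outside the hunk.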
@@ -63,7 +66,7 @@ let
'';
};
tincUp = mkOption {
- type = types.string;
+ type = types.str;
default = let
net = tinc.config.host.nets.${netname};
iproute = tinc.config.iproutePackage;
@@ -109,13 +112,15 @@ let
hostsArchive = mkOption {
type = types.package;
- default = pkgs.runCommand "retiolum-hosts.tar.bz2" {} ''
+ default = pkgs.runCommand "retiolum-hosts.tar.bz2" {
+ nativeBuildInputs = [ pkgs.gnutar pkgs.coreutils ];
+ } ''
cp \
--no-preserve=mode \
--recursive \
${tinc.config.hostsPackage} \
hosts
- ${pkgs.gnutar}/bin/tar -cjf $out hosts
+ tar -cjf $out hosts
'';
readOnly = true;
};
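Review bot: The `tar -cjf $out hosts` call on L46 still produces a non-reproducible archive: the preceding `cp` without `--preserve=timestamps` stamps every copied host file with the build time, and tar records those mtimes, the build user's uid/gid and directory order, so `hostsArchive` differs on every rebuild even when `hostsPackage` is unchanged. Since this hunk is already moving tar onto `PATH`, it is a good moment to pin the archive format: `tar --sort=name --mtime='@1' --owner=0 --group=0 --numeric-owner -cjf $out hosts`. That keeps the output a pure function of `hostsPackage`, which is what consumers comparing or distributing the archive will expect.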
@@ -158,12 +163,24 @@ let
privkey = mkOption {
type = types.secret-file;
default = {
+ name = "${tinc.config.netname}.rsa_key.priv";
path = "${tinc.config.user.home}/tinc.rsa_key.priv";
owner = tinc.config.user;
source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
};
};
+ privkey_ed25519 = mkOption {
+ type = types.nullOr types.secret-file;
+ default =
+ if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {
+ name = "${tinc.config.netname}.ed25519_key.priv";
+ path = "${tinc.config.user.home}/tinc.ed25519_key.priv";
+ owner = tinc.config.user;
+ source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
+ };
+ };
+
connectTo = mkOption {
type = types.listOf types.str;
${if tinc.config.netname == "retiolum" then "default" else null} = [
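Review bot: The default on L63 reaches the host's net record through `config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}`, while the rest of this module (L22, L31) uses `tinc.config.host.nets.${netname}` for the same record; the long form re-derives the host by name and will evaluate to a different attribute set if `tinc.config.host` is ever overridden independently of `krebs.hosts`. Unless that indirection is intentional, `if tinc.config.host.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {` keeps the lookup consistent with its siblings. The existence and null default of `pubkey_ed25519` on the host net type is not visible here and is assumed.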
@@ -197,8 +214,23 @@ let
# TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
# avoid conflicts in environment if the packages differ
- krebs.secret.files = mapAttrs' (netname: cfg:
- nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
+ krebs.secret.files =
+ let
+ ed25519_keys =
+ filterAttrs
+ (_: key: key != null)
+ (mapAttrs'
+ (netname: cfg:
+ nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519
+ )
+ config.krebs.tinc);
+
+ rsa_keys =
+ mapAttrs'
+ (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey)
+ config.krebs.tinc;
+ in
+ ed25519_keys // rsa_keys;
users.users = mapAttrs' (netname: cfg:
nameValuePair "${netname}" {
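Review bot: The secret file names `"${netname}.rsa_key.priv"` and `"${netname}.ed25519_key.priv"` are now spelled out independently in the option defaults (L54, L64), in these `mapAttrs'` calls (L86, L92), and again in the service references in the last hunk (L105, L107, L110, L112); a typo or rename in any one of them breaks the link between the secret unit and the tinc unit without an evaluation error. If `types.secret-file` exposes the `name` set on L54/L64, the attribute name can be taken from there, `(netname: cfg: nameValuePair cfg.privkey.name cfg.privkey)`, and the service lookups in the last hunk can use the same `cfg.privkey.name` / `cfg.privkey_ed25519.name`, leaving a single source of truth. Whether `name` is readable on the submodule is not visible in this diff and should be confirmed.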
@@ -219,9 +251,18 @@ let
iproute = cfg.iproutePackage;
in {
description = "Tinc daemon for ${netname}";
- after = [ "network.target" ];
+ after = [
+ "network.target"
+ config.krebs.secret.files."${netname}.rsa_key.priv".service
+ ] ++ optionals (cfg.privkey_ed25519 != null) [
+ config.krebs.secret.files."${netname}.ed25519_key.priv".service
+ ];
+ partOf = [
+ config.krebs.secret.files."${netname}.rsa_key.priv".service
+ ] ++ optionals (cfg.privkey_ed25519 != null) [
+ config.krebs.secret.files."${netname}.ed25519_key.priv".service
+ ];
wantedBy = [ "multi-user.target" ];
- requires = [ "secret.service" ];
path = [ tinc iproute ];
serviceConfig = rec {
Restart = "always";
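Review bot: Removing `requires = [ "secret.service" ]` on L115 and replacing it with `after` and `partOf` entries (L103-L113) loses the dependency pull: `after` only orders and `partOf` only propagates stop/restart from the secret units to tinc, so unless the per-file secret units are wanted by a target elsewhere, tinc can start with no unit having placed the key, and `PrivateKeyFile` then points at a missing file. Adding `requires` (or `wants`) on the same list restores the old guarantee per key, and since the list is now needed three times it is cleaner to bind it once in the enclosing `let`, which begins before this hunk.
```nix
# … unchanged: let-bindings tinc / iproute …
secretServices =
  [ config.krebs.secret.files."${netname}.rsa_key.priv".service ]
  ++ optionals (cfg.privkey_ed25519 != null) [
    config.krebs.secret.files."${netname}.ed25519_key.priv".service
  ];
in {
  description = "Tinc daemon for ${netname}";
  after = [ "network.target" ] ++ secretServices;
  # pull the secret units in, not just order after them
  requires = secretServices;
  partOf = secretServices;
  # … unchanged: wantedBy, path, serviceConfig …
```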