diff options
Diffstat (limited to 'krebs/3modules/tinc.nix')
-rw-r--r-- | krebs/3modules/tinc.nix | 61 |
1 files changed, 53 insertions, 8 deletions
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 24eac715..4252c8d3 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -29,6 +29,9 @@ let Interface = ${netname} Broadcast = no ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo} + ${optionalString (tinc.config.privkey_ed25519 != null) + "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}" + } PrivateKeyFile = ${tinc.config.privkey.path} Port = ${toString tinc.config.host.nets.${netname}.tinc.port} ${tinc.config.extraConfig} @@ -63,7 +66,7 @@ let ''; }; tincUp = mkOption { - type = types.string; + type = types.str; default = let net = tinc.config.host.nets.${netname}; iproute = tinc.config.iproutePackage; @@ -109,9 +112,15 @@ let hostsArchive = mkOption { type = types.package; - default = pkgs.runCommand "retiolum-hosts.tar.bz2" {} '' - ${pkgs.coreutils}/bin/ln -s ${tinc.config.hostsPackage} hosts - ${pkgs.gnutar}/bin/tar -hcjf $out hosts + default = pkgs.runCommand "retiolum-hosts.tar.bz2" { + nativeBuildInputs = [ pkgs.gnutar pkgs.coreutils ]; + } '' + cp \ + --no-preserve=mode \ + --recursive \ + ${tinc.config.hostsPackage} \ + hosts + tar -cjf $out hosts ''; readOnly = true; }; @@ -154,12 +163,24 @@ let privkey = mkOption { type = types.secret-file; default = { + name = "${tinc.config.netname}.rsa_key.priv"; path = "${tinc.config.user.home}/tinc.rsa_key.priv"; owner = tinc.config.user; source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv"; }; }; + privkey_ed25519 = mkOption { + type = types.nullOr types.secret-file; + default = + if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else { + name = "${tinc.config.netname}.ed25519_key.priv"; + path = "${tinc.config.user.home}/tinc.ed25519_key.priv"; + owner = tinc.config.user; + source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv"; + }; + }; + connectTo = mkOption { type = types.listOf types.str; ${if tinc.config.netname == "retiolum" then "default" else null} = [ @@ -193,8 +214,23 @@ let # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network, # avoid conflicts in environment if the packages differ - krebs.secret.files = mapAttrs' (netname: cfg: - nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; + krebs.secret.files = + let + ed25519_keys = + filterAttrs + (_: key: key != null) + (mapAttrs' + (netname: cfg: + nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519 + ) + config.krebs.tinc); + + rsa_keys = + mapAttrs' + (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey) + config.krebs.tinc; + in + ed25519_keys // rsa_keys; users.users = mapAttrs' (netname: cfg: nameValuePair "${netname}" { @@ -215,9 +251,18 @@ let iproute = cfg.iproutePackage; in { description = "Tinc daemon for ${netname}"; - after = [ "network.target" ]; + after = [ + "network.target" + config.krebs.secret.files."${netname}.rsa_key.priv".service + ] ++ optionals (cfg.privkey_ed25519 != null) [ + config.krebs.secret.files."${netname}.ed25519_key.priv".service + ]; + partOf = [ + config.krebs.secret.files."${netname}.rsa_key.priv".service + ] ++ optionals (cfg.privkey_ed25519 != null) [ + config.krebs.secret.files."${netname}.ed25519_key.priv".service + ]; wantedBy = [ "multi-user.target" ]; - requires = [ "secret.service" ]; path = [ tinc iproute ]; serviceConfig = rec { Restart = "always"; |