path: root/krebs/3modules/tinc.nix
Diffstat (limited to 'krebs/3modules/tinc.nix')
-rw-r--r--krebs/3modules/tinc.nix97
1 files changed, 34 insertions, 63 deletions
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 38e31090..d73d5ca6 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -1,5 +1,5 @@
-with import <stockholm/lib>;
-{ config, pkgs, ... }: {
+{ config, pkgs, lib, ... }:
+with import ../../lib/pure.nix { inherit lib; }; {
options.krebs.tinc = mkOption {
default = {};
description = ''
@@ -26,10 +26,7 @@ with import <stockholm/lib>;
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
${tinc.config.extraConfig}
'';
- "tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
- ${tinc.config.iproutePackage}/sbin/ip link set ${netname} up
- ${tinc.config.tincUp}
- '';
+ "tinc-up" = pkgs.writeDash "${netname}-tinc-up" tinc.config.tincUp;
});
};
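Review bot: A user-supplied `tincUp` no longer gets the `ip link set … up` prefix, because the new `"tinc-up"` line passes `tinc.config.tincUp` through verbatim and the link-up command now lives only in the option's default (hunk `@@ -60,7 +57,8 @@`); together with the removal of `tincUpExtra` (hunk `@@ -85,11 +82,6 @@`), anyone overriding `tincUp` must now bring the interface up themselves and has no hook left to append to the default script. Evaluation will fail loudly for a stale `tincUpExtra`, but an interface left down after an override will not. I would add to the `tincUp` description: `Overriding this option replaces the whole script, including the "ip link set ‹netname› up" line; a custom script has to include it.`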
@@ -60,7 +57,8 @@ with import <stockholm/lib>;
default = let
net = tinc.config.host.nets.${netname};
iproute = tinc.config.iproutePackage;
- in ''
+ in /* sh */ ''
+ ${tinc.config.iproutePackage}/sbin/ip link set ${netname} up
${optionalString (net.ip4 != null) /* sh */ ''
${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
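Review bot: The added link-up line uses `${tinc.config.iproutePackage}/sbin/ip` although the `let` binding two lines above already names that same package `iproute`, which the neighbouring addr/route lines use. `${iproute}/sbin/ip link set ${netname} up` keeps the script uniform and avoids a reader wondering whether the two references could differ.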
@@ -69,14 +67,13 @@ with import <stockholm/lib>;
${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
''}
- ${tinc.config.tincUpExtra}
'';
- defaultText = ''
- ip -4 addr add ‹net.ip4.addr› dev ${netname}
- ip -4 route add ‹net.ip4.prefix› dev ${netname}
- ip -6 addr add ‹net.ip6.addr› dev ${netname}
- ip -6 route add ‹net.ip6.prefix› dev ${netname}
- ${tinc.config.tincUpExtra}
+ defaultText = /* sh */ ''
+ ip link set ‹netname› up
+ ip -4 addr add ‹net.ip4.addr› dev ‹netname›
+ ip -4 route add ‹net.ip4.prefix› dev ‹netname›
+ ip -6 addr add ‹net.ip6.addr› dev ‹netname›
+ ip -6 route add ‹net.ip6.prefix› dev ‹netname›
'';
description = ''
tinc-up script to be used. Defaults to setting the
@@ -85,11 +82,6 @@ with import <stockholm/lib>;
'';
};
- tincUpExtra = mkOption {
- type = types.str;
- default = "";
- };
-
tincPackage = mkOption {
type = types.package;
default = pkgs.tinc_pre;
@@ -125,17 +117,13 @@ with import <stockholm/lib>;
hostsPackage = mkOption {
type = types.package;
- default = pkgs.stdenv.mkDerivation {
- name = "${tinc.config.netname}-tinc-hosts";
- phases = [ "installPhase" ];
- installPhase = ''
- mkdir $out
- ${concatStrings (mapAttrsToList (_: host: ''
- echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
- > $out/${shell.escape host.name}
- '') tinc.config.hosts)}
- '';
- };
+ default =
+ pkgs.write "${tinc.config.netname}-tinc-hosts"
+ (mapAttrs'
+ (_: host: nameValuePair "/${host.name}" {
+ text = host.nets.${tinc.config.netname}.tinc.config;
+ })
+ tinc.config.hosts);
defaultText = "‹netname›-tinc-hosts";
description = ''
Package of tinc host configuration files. By default, a package will
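Review bot: `nameValuePair "/${host.name}"` puts the host name straight into a path component of the package, where the removed derivation at least passed it through `shell.escape`; a name containing `/` would now silently produce a nested directory instead of a hosts file. As far as I recall tinc only accepts node names made of alphanumerics and underscores, so this is likely a documentation matter rather than a defect, and a comment such as `# host.name is used verbatim as the file name; relies on tinc restricting names to [A-Za-z0-9_]` would record the assumption. Note also that `text` is written without the trailing newline the old `echo` added, which is fine only if `tinc.config` already ends in one, as the `''` block in the first hunk appears to.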
@@ -155,13 +143,13 @@ with import <stockholm/lib>;
iproutePackage = mkOption {
type = types.package;
- default = pkgs.iproute;
+ default = pkgs.iproute2;
description = "Iproute2 package to use.";
};
privkey = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
+ default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv";
defaultText = "‹secrets/‹netname›.rsa_key.priv›";
};
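Review bot: The new `privkey` default interpolates `config.krebs.secret.directory` into a string; if that option holds a Nix path value rather than a string, `"${…}"` copies the whole secrets directory into the world-readable Nix store, which is precisely what the removed `toString <secrets> + …` form avoided. The declaration of `krebs.secret.directory` is not visible here, so I cannot tell which type it has. `toString` is a no-op on a string and avoids the store copy on a path, so `default = "${toString config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv";` is safe under either. The same applies to the `privkey_ed25519` default in hunk `@@ -170,7 +158,7 @@`.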
@@ -170,7 +158,7 @@ with import <stockholm/lib>;
default =
if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
then null
- else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
+ else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv";
defaultText = "‹secrets/‹netname›.ed25519_key.priv›";
};
@@ -202,46 +190,27 @@ with import <stockholm/lib>;
default = 3;
};
- user = mkOption {
- type = types.user;
- default = {
- name = tinc.config.netname;
- home = "/var/lib/${tinc.config.user.name}";
- };
- defaultText = {
- name = "‹netname›";
- home = "/var/lib/‹netname›";
- };
+ username = mkOption {
+ type = types.username;
+ default = tinc.config.netname;
+ defaultText = literalExample "netname";
};
};
}));
};
config = {
- users.users = mapAttrs' (netname: cfg:
- nameValuePair "${netname}" {
- inherit (cfg.user) home name uid;
- createHome = true;
- isSystemUser = true;
- group = netname;
- }
- ) config.krebs.tinc;
-
- users.groups = mapAttrs' (netname: cfg:
- nameValuePair netname {}
- ) config.krebs.tinc;
-
krebs.systemd.services = mapAttrs (netname: cfg: {
+ restartIfCredentialsChange = true;
}) config.krebs.tinc;
systemd.services = mapAttrs (netname: cfg: {
description = "Tinc daemon for ${netname}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
- # Restart the service in a single step in order to prevent potential
- # connection timeouts and subsequent issues while deploying via tinc.
- stopIfChanged = false;
+ reloadIfChanged = true;
serviceConfig = {
+ ExecReload = "+${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
Restart = "always";
LoadCredential = filter (x: x != "") [
(optionalString (cfg.privkey_ed25519 != null)
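Review bot: Dropping `stopIfChanged = false` together with its comment reintroduces the two-step stop/start that the removed comment warned about for deployments that run over the tinc link itself. `reloadIfChanged = true` only covers the case where the unit change is applied as a reload; whenever a real restart happens (presumably what `restartIfCredentialsChange = true` above triggers, or any restart trigger), NixOS falls back to stopping the unit before activation and starting it afterwards. I would keep `stopIfChanged = false;` next to `reloadIfChanged = true;` and carry the comment over, since the two settings address different situations.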
@@ -249,11 +218,11 @@ with import <stockholm/lib>;
)
"rsa_key.priv:${cfg.privkey}"
];
- ExecStartPre = pkgs.writers.writeDash "init-tinc-${netname}" ''
+ ExecStartPre = "+" + pkgs.writers.writeDash "init-tinc-${netname}" ''
set -efu
${pkgs.coreutils}/bin/mkdir -p /etc/tinc
${pkgs.rsync}/bin/rsync -Lacv --delete \
- --chown ${cfg.user.name} \
+ --chown ${cfg.username} \
--chmod u=rwX,g=rX \
--exclude='/*.priv' \
${cfg.confDir}/ /etc/tinc/${netname}/
@@ -266,14 +235,16 @@ with import <stockholm/lib>;
"$CREDENTIALS_DIRECTORY"/rsa_key.priv \
/etc/tinc/${netname}/
'';
- ExecStart = toString [
+ ExecStart = "+" + toString [
"${cfg.tincPackage}/sbin/tincd"
"-D"
- "-U ${cfg.user.name}"
+ "-U ${cfg.username}"
"-d 0"
"-n ${netname}"
];
SyslogIdentifier = netname;
+ DynamicUser = true;
+ User = cfg.username;
};
}) config.krebs.tinc;
};
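Review bot: The `+` prefix on `ExecStart` (and on `ExecStartPre`/`ExecReload` in the earlier hunks) runs the commands with full privileges, so `User = cfg.username` and the sandboxing that `DynamicUser = true` normally brings (private tmp, protected system paths, and so on) are not applied to tincd; the only effect DynamicUser still has here is allocating the ephemeral account that tincd drops to itself via `-U ${cfg.username}`. That is a legitimate design if tincd needs root to create the tun device, but it is not obvious from the unit and deserves a comment, e.g. `# "+" runs tincd as root (tun setup); it drops to the DynamicUser account via -U, so User= and the DynamicUser sandbox do not apply.` If root is only needed for the tun device, `AmbientCapabilities = [ "CAP_NET_ADMIN" ]` without the `+` prefix would keep the DynamicUser sandbox intact, though that needs confirming against how tincd creates the interface.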