From 560371d038888dc028bdda51d55ff81cbf82eeb9 Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 6 Mar 2022 10:50:41 +0100
Subject: Revert "tinc tinc-up: don't rely on store path interpreter"
This reverts commit 6002189225e347418f07a99d6a85b033fa0edaf7.
---
 krebs/3modules/tinc.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 1b28628d..96d17e2d 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -26,8 +26,7 @@ with import ;
 Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
 ${tinc.config.extraConfig}
 '';
- "tinc-up" = pkgs.writeScript "${netname}-tinc-up" ''
- #!/bin/sh
+ "tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
 ip link set ${netname} up
 ${tinc.config.tincUp}
 '';
-- cgit v1.2.3
From ccc7796402ccdb9e2c10d6f7ebd46957d23b3cbb Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 6 Mar 2022 10:51:05 +0100
Subject: Revert "tinc: use ip from path"
This reverts commit 332d4f5e1719df2b27f835c4fd0718317867043c.
---
 krebs/3modules/tinc.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 96d17e2d..8fb8961c 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -27,7 +27,7 @@ with import ;
 ${tinc.config.extraConfig}
 '';
 "tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
- ip link set ${netname} up
+ ${tinc.config.iproutePackage}/sbin/ip link set ${netname} up
 ${tinc.config.tincUp}
 '';
 });
@@ -59,14 +59,15 @@ with import ;
 type = types.str;
 default = let
 net = tinc.config.host.nets.${netname};
+ iproute = tinc.config.iproutePackage;
 in ''
 ${optionalString (net.ip4 != null) /* sh */ ''
- ip -4 addr add ${net.ip4.addr} dev ${netname}
- ip -4 route add ${net.ip4.prefix} dev ${netname}
+ ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
+ ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
 ''}
 ${optionalString (net.ip6 != null) /* sh */ ''
- ip -6 addr add ${net.ip6.addr} dev ${netname}
- ip -6 route add ${net.ip6.prefix} dev ${netname}
+ ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
+ ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
 ''}
 ${tinc.config.tincUpExtra}
 '';
-- cgit v1.2.3
From 4fa1783c64dccdc7ddc11057894fe44c0b100aaa Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 6 Mar 2022 11:35:22 +0100
Subject: tinc: stopIfChanged = false instead of reload
---
 krebs/3modules/tinc.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 8fb8961c..9e0688d7 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -242,7 +242,9 @@ with import ;
 cfg.iproutePackage
 cfg.tincPackage
 ];
- reloadIfChanged = true;
+ # Restart the service in a single step in order to prevent potential
+ # connection timeouts and subsequent issues while deploying via tinc.
+ stopIfChanged = false;
 serviceConfig = {
 Restart = "always";
 LoadCredential = filter (x: x != "") [
@@ -270,7 +272,6 @@ with import ;
 "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
 "--pidfile=/var/run/tinc.${netname}.pid"
 ];
- ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} restart";
 SyslogIdentifier = netname;
 };
 }) config.krebs.tinc;
-- cgit v1.2.3
From f6cba3d856da8a95fcb3b2fd2b932c81ae3cfa9a Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 6 Mar 2022 11:35:44 +0100
Subject: tinc: drop unused path definition
---
 krebs/3modules/tinc.nix | 4 ----
 1 file changed, 4 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 9e0688d7..44443614 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -238,10 +238,6 @@ with import ;
 description = "Tinc daemon for ${netname}";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
- path = [
- cfg.iproutePackage
- cfg.tincPackage
- ];
 # Restart the service in a single step in order to prevent potential
 # connection timeouts and subsequent issues while deploying via tinc.
 stopIfChanged = false;
-- cgit v1.2.3
From dd1584574a454bc628ebadc2be41c93e7cc0418b Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 6 Mar 2022 14:24:02 +0100
Subject: tinc: rsync using checksum
Because timestamps in the Nix store cannot be used.
---
 krebs/3modules/tinc.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'krebs')
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 44443614..4feb02d1 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -251,7 +251,7 @@ with import ;
 ];
 ExecStartPre = pkgs.writers.writeDash "init-tinc-${netname}" ''
 ${pkgs.coreutils}/bin/mkdir -p /etc/tinc
- ${pkgs.rsync}/bin/rsync -vaL --delete \
+ ${pkgs.rsync}/bin/rsync -Lacv --delete \
 --chown ${cfg.user.name} \
 --chmod u=rwX,g=rX \
 ${cfg.confDir}/ /etc/tinc/${netname}/
-- cgit v1.2.3
From 3f5851a4bb2b8677d0a969319267b72ade34e09b Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 6 Mar 2022 15:14:21 +0100
Subject: tinc: start tincd using -n
---
 krebs/3modules/tinc.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 4feb02d1..fc7b0e8e 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
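Review bot: The `--chmod u=rwX,g=rX` on the rsync line in the `@@ -251,7 +251,7 @@` hunk only sets the user and group bits; the other bits are carried over from the source (the `-a` that `-Lacv` expands to includes `-p`), so whatever is world-readable in `${cfg.confDir}` — everything, if it is a Nix store path — stays world-readable under `/etc/tinc/${netname}/`. If the copy is meant to be readable only by `${cfg.user.name}` and its group, `--chmod u=rwX,g=rX,o=` makes that explicit. Switching to `-c` is what the commit message describes, but the mode handling is a separate question the hunk leaves as it was. The ExecStartPre script starts in this hunk; the enclosing serviceConfig set does not.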
@@ -260,13 +260,12 @@ with import ;
 "${cfg.tincPackage}/sbin/tincd"
 "-D"
 "-U ${cfg.user.name}"
- "-c /etc/tinc/${netname}"
 "-d 0"
+ "-n ${netname}"
 (optionalString (cfg.privkey_ed25519 != null)
 "-o Ed25519PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/ed25519_key"
 )
 "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
- "--pidfile=/var/run/tinc.${netname}.pid"
 ];
 SyslogIdentifier = netname;
 };
-- cgit v1.2.3
From 7f4aef1ffbf21ae3c199ad63a371a0498d521e19 Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 6 Mar 2022 15:55:04 +0100
Subject: tinc: use default key locations
This fixes a warning about missing keys wenn reloading tinc services.
---
 krebs/3modules/tinc.nix | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index fc7b0e8e..36ee906d 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -245,16 +245,25 @@ with import ;
 Restart = "always";
 LoadCredential = filter (x: x != "") [
 (optionalString (cfg.privkey_ed25519 != null)
- "ed25519_key:${cfg.privkey_ed25519}"
+ "ed25519_key.priv:${cfg.privkey_ed25519}"
 )
- "rsa_key:${cfg.privkey}"
+ "rsa_key.priv:${cfg.privkey}"
 ];
 ExecStartPre = pkgs.writers.writeDash "init-tinc-${netname}" ''
 ${pkgs.coreutils}/bin/mkdir -p /etc/tinc
 ${pkgs.rsync}/bin/rsync -Lacv --delete \
 --chown ${cfg.user.name} \
 --chmod u=rwX,g=rX \
+ --exclude='/*.priv' \
 ${cfg.confDir}/ /etc/tinc/${netname}/
+ ${optionalString (cfg.privkey_ed25519 != null) /* sh */ ''
+ ${pkgs.coreutils}/bin/ln -fns \
+ "$CREDENTIALS_DIRECTORY"/ed25519_key.priv \
+ /etc/tinc/${netname}/
+ ''}
+ ${pkgs.coreutils}/bin/ln -fns \
+ "$CREDENTIALS_DIRECTORY"/rsa_key.priv \
+ /etc/tinc/${netname}/
 '';
 ExecStart = toString [
 "${cfg.tincPackage}/sbin/tincd"
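Review bot: `-n ${netname}` replaces the explicit `-c /etc/tinc/${netname}`, so tincd now derives its configuration directory from the package's compiled-in sysconfdir; that only lands on the directory ExecStartPre populates if `cfg.tincPackage` is built with sysconfdir=/etc, which this hunk cannot show. The dropped `--pidfile` likewise moves the pid file to the package's default location, presumably under its localstatedir. A comment on the `-n` line, `# -n resolves to <sysconfdir>/tinc/${netname}; cfg.tincPackage must be built with sysconfdir=/etc`, would record the assumption next to the argument that depends on it. The `ExecStart = toString [` list begins before this hunk.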
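Review bot: `--exclude='/*.priv'` in the `@@ -245,16 +245,25 @@` hunk keeps the `ln -fns` symlinks out of rsync's `--delete`, but it also means a stale `ed25519_key.priv` link from an earlier generation survives when `cfg.privkey_ed25519` is later set back to null, pointing at a credential that is no longer loaded; tincd would then presumably find a dangling key file in its config directory on every start. Removing old links before recreating them, e.g. `${pkgs.coreutils}/bin/rm -f /etc/tinc/${netname}/*.priv` directly after the rsync call, keeps the directory in step with the configuration. A comment beside the exclude, `# *.priv are symlinks into $CREDENTIALS_DIRECTORY managed below, not part of confDir`, would make the coupling between the exclude and the ln lines visible. The serviceConfig set enclosing this script continues outside the hunk.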
@@ -262,10 +271,6 @@ with import ;
 "-U ${cfg.user.name}"
 "-d 0"
 "-n ${netname}"
- (optionalString (cfg.privkey_ed25519 != null)
- "-o Ed25519PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/ed25519_key"
- )
- "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
 ];
 SyslogIdentifier = netname;
 };
-- cgit v1.2.3
From 54f5cca6a5bd30454aa2f70903ca5533319eaa81 Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 6 Mar 2022 16:07:07 +0100
Subject: tinc: allow initialization to fail fast
---
 krebs/3modules/tinc.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'krebs')
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 36ee906d..38e31090 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -250,6 +250,7 @@ with import ;
 "rsa_key.priv:${cfg.privkey}"
 ];
 ExecStartPre = pkgs.writers.writeDash "init-tinc-${netname}" ''
+ set -efu
 ${pkgs.coreutils}/bin/mkdir -p /etc/tinc
 ${pkgs.rsync}/bin/rsync -Lacv --delete \
 --chown ${cfg.user.name} \
-- cgit v1.2.3