summaryrefslogtreecommitdiffstats
path: root/krebs/3modules
diff options
context:
space:
mode:
Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/git.nix4
-rw-r--r--krebs/3modules/systemd.nix67
-rw-r--r--krebs/3modules/tinc.nix123
4 files changed, 116 insertions, 79 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 2772d8d37..f76d3c536 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -50,6 +50,7 @@ let
./shadow.nix
./ssl.nix
./sync-containers.nix
+ ./systemd.nix
./tinc.nix
./tinc_graphs.nix
./upstream
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 1bfd58e31..c038fd4c6 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -36,7 +36,7 @@ let
type = types.user;
default = {
name = "fcgiwrap";
- home = toString pkgs.empty;
+ home = toString pkgs.emptyDirectory;
};
};
};
@@ -111,7 +111,7 @@ let
type = types.user;
default = {
name = "git";
- home = toString pkgs.empty;
+ home = toString pkgs.emptyDirectory;
};
};
};
diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix
new file mode 100644
index 000000000..6b0fe9672
--- /dev/null
+++ b/krebs/3modules/systemd.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, ... }: let {
+ lib = import ../../lib;
+
+ body.options.krebs.systemd.services = lib.mkOption {
+ default = {};
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ ifCredentialsChange = lib.mkOption {
+ default = "restart";
+ description = ''
+ Whether to reload or restart the service whenever any its
+ credentials change. Only credentials with an absolute path in
+ LoadCredential= are supported.
+ '';
+ type = lib.types.enum [
+ "reload"
+ "restart"
+ null
+ ];
+ };
+ serviceConfig.LoadCredential = lib.mkOption {
+ apply = lib.toList;
+ type =
+ lib.types.either lib.types.str (lib.types.listOf lib.types.str);
+ };
+ };
+ });
+ };
+
+ body.config.systemd =
+ lib.mkMerge
+ (lib.flatten
+ (lib.mapAttrsToList (serviceName: cfg: let
+ paths =
+ lib.filter
+ lib.types.absolute-pathname.check
+ (map
+ (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
+ cfg.serviceConfig.LoadCredential);
+ in
+ lib.singleton {
+ services.${serviceName} = {
+ serviceConfig = {
+ LoadCredential = cfg.serviceConfig.LoadCredential;
+ };
+ };
+ }
+ ++
+ lib.optionals (cfg.ifCredentialsChange != null) (map (path: let
+ triggerName = "trigger-${lib.systemd.encodeName path}";
+ in {
+ paths.${triggerName} = {
+ wantedBy = ["multi-user.target"];
+ pathConfig.PathChanged = path;
+ };
+ services.${triggerName} = {
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = lib.singleton (toString [
+ "${pkgs.systemd}/bin/systemctl ${cfg.ifCredentialsChange}"
+ (lib.shell.escape serviceName)
+ ]);
+ };
+ };
+ }) paths)
+ ) config.krebs.systemd.services));
+}
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 3d0cc8fb4..dca764f63 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -1,12 +1,6 @@
with import <stockholm/lib>;
-{ config, pkgs, ... }:
-let
- out = {
- options.krebs.tinc = api;
- config = imp;
- };
-
- api = mkOption {
+{ config, pkgs, ... }: {
+ options.krebs.tinc = mkOption {
default = {};
description = ''
define a tinc network
@@ -28,10 +22,6 @@ let
Interface = ${netname}
Broadcast = no
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
- ${optionalString (tinc.config.privkey_ed25519 != null)
- "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}"
- }
- PrivateKeyFile = ${tinc.config.privkey.path}
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
${tinc.config.extraConfig}
'';
@@ -169,25 +159,17 @@ let
};
privkey = mkOption {
- type = types.secret-file;
- default = {
- name = "${tinc.config.netname}.rsa_key.priv";
- path = "${tinc.config.user.home}/tinc.rsa_key.priv";
- owner = tinc.config.user;
- source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
- };
+ type = types.absolute-pathname;
+ default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
defaultText = "‹secrets/‹netname›.rsa_key.priv›";
};
privkey_ed25519 = mkOption {
- type = types.nullOr types.secret-file;
+ type = types.nullOr types.absolute-pathname;
default =
- if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {
- name = "${tinc.config.netname}.ed25519_key.priv";
- path = "${tinc.config.user.home}/tinc.ed25519_key.priv";
- owner = tinc.config.user;
- source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
- };
+ if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
+ then null
+ else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
defaultText = "‹secrets/‹netname›.ed25519_key.priv›";
};
@@ -226,28 +208,7 @@ let
}));
};
- imp = {
- # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
- # avoid conflicts in environment if the packages differ
-
- krebs.secret.files =
- let
- ed25519_keys =
- filterAttrs
- (_: key: key != null)
- (mapAttrs'
- (netname: cfg:
- nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519
- )
- config.krebs.tinc);
-
- rsa_keys =
- mapAttrs'
- (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey)
- config.krebs.tinc;
- in
- ed25519_keys // rsa_keys;
-
+ config = {
users.users = mapAttrs' (netname: cfg:
nameValuePair "${netname}" {
inherit (cfg.user) home name uid;
@@ -267,34 +228,42 @@ let
}
) config.krebs.tinc;
- systemd.services = mapAttrs (netname: cfg:
- let
- tinc = cfg.tincPackage;
- iproute = cfg.iproutePackage;
- in {
- description = "Tinc daemon for ${netname}";
- after = [
- "network.target"
- config.krebs.secret.files."${netname}.rsa_key.priv".service
- ] ++ optionals (cfg.privkey_ed25519 != null) [
- config.krebs.secret.files."${netname}.ed25519_key.priv".service
- ];
- partOf = [
- config.krebs.secret.files."${netname}.rsa_key.priv".service
- ] ++ optionals (cfg.privkey_ed25519 != null) [
- config.krebs.secret.files."${netname}.ed25519_key.priv".service
+ krebs.systemd.services = mapAttrs (netname: cfg: {
+ serviceConfig.LoadCredential = filter (x: x != "") [
+ (optionalString (cfg.privkey_ed25519 != null)
+ "ed25519_key:${cfg.privkey_ed25519}"
+ )
+ "rsa_key:${cfg.privkey}"
+ ];
+ }) config.krebs.tinc;
+
+ systemd.services = mapAttrs (netname: cfg: {
+ description = "Tinc daemon for ${netname}";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [
+ cfg.iproutePackage
+ cfg.tincPackage
+ ];
+ reloadIfChanged = true;
+ restartTriggers = [ cfg.confDir ];
+ serviceConfig = {
+ Restart = "always";
+ ExecStart = toString [
+ "${cfg.tincPackage}/sbin/tincd"
+ "-D"
+ "-U ${cfg.user.name}"
+ "-c /etc/tinc/${netname}"
+ "-d 0"
+ (optionalString (cfg.privkey_ed25519 != null)
+ "-o Ed25519PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/ed25519_key"
+ )
+ "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
+ "--pidfile=/var/run/tinc.${netname}.pid"
];
- wantedBy = [ "multi-user.target" ];
- path = [ tinc iproute ];
- reloadIfChanged = true;
- restartTriggers = [ cfg.confDir ];
- serviceConfig = rec {
- Restart = "always";
- ExecStart = "${tinc}/sbin/tincd -c /etc/tinc/${netname} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
- ExecReload = "${tinc}/sbin/tinc -n ${netname} reload";
- SyslogIdentifier = netname;
- };
- }
- ) config.krebs.tinc;
+ ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
+ SyslogIdentifier = netname;
+ };
+ }) config.krebs.tinc;
};
-in out
+}