{ config, pkgs, lib, ... }:

# krebs.tinc: declares one tinc VPN network per attribute of
# config.krebs.tinc.<netname> and turns each of them into a systemd service
# (see `config` at the bottom).  `mkOption`, `types`, `filterAttrs` etc. come
# from the `with` below; `types.host`, `types.absolute-pathname` and
# `types.username` are krebs-specific types from that same scope.
with import ../../lib/pure.nix { inherit lib; }; {
  options.krebs.tinc = mkOption {
    default = {};
    description = ''
      define a tinc network
    '';
    type = types.attrsOf (types.submodule (tinc: {
      options = let
        # The attribute name this submodule was instantiated under
        # (e.g. "retiolum"); also used as the interface / TUN device name.
        netname = tinc.config._module.args.name;
      in {

        # Enabled by default: merely defining config.krebs.tinc.<netname>
        # is enough to get a running daemon.
        enable = mkEnableOption "krebs.tinc.${netname}" // { default = true; };

        # Directory that the service below mirrors into /etc/tinc/<netname>/.
        # It is a linkFarm, i.e. a world-readable Nix store path, so it must
        # only ever contain public material (hosts/, tinc.conf, tinc-up).
        # Private keys are delivered separately through systemd LoadCredential.
        confDir = mkOption {
          type = types.package;
          default = pkgs.linkFarm "${netname}-etc-tinc"
            (mapAttrsToList (name: path: { inherit name path; }) {
              "hosts" = tinc.config.hostsPackage;
              "tinc.conf" = pkgs.writeText "${netname}-tinc.conf" ''
                Name = ${tinc.config.host.name}
                LogLevel = ${toString tinc.config.logLevel}
                Interface = ${netname}
                Broadcast = no
                ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
                Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
                ${tinc.config.extraConfig}
              '';
              "tinc-up" = pkgs.writeDash "${netname}-tinc-up" tinc.config.tincUp;
            });
        };

        # The host record this daemon represents; defaults to the host being
        # built.  Its nets.<netname> entry supplies port, addresses and keys.
        host = mkOption {
          type = types.host;
          default = config.krebs.build.host;
        };

        netname = mkOption {
          # Must be one of the nets declared on `host`.
          type = types.enum (attrNames tinc.config.host.nets);
          default = netname;
          description = ''
            The tinc network name.
            It is used to name the TUN device and to generate the default value for
            <literal>config.krebs.tinc.retiolum.hosts</literal>.
          '';
        };

        extraConfig = mkOption {
          type = types.lines;
          default = "";
          description = ''
            Extra Configuration to be appended to tinc.conf
          '';
        };

        # Script tincd runs once the TUN device exists.  The default brings the
        # interface up and adds the host's v4/v6 address and prefix for this
        # net, each part only when the corresponding address is set.
        # The `/* sh */` markers are editor highlighting hints only.
        tincUp = mkOption {
          type = types.str;
          default = let
            net = tinc.config.host.nets.${netname};
            iproute = tinc.config.iproutePackage;
          in /* sh */ ''
            ${tinc.config.iproutePackage}/sbin/ip link set ${netname} up
            ${optionalString (net.ip4 != null) /* sh */ ''
              ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
              ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
            ''}
            ${optionalString (net.ip6 != null) /* sh */ ''
              ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
              ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
            ''}
          '';
          defaultText = /* sh */ ''
            ip link set ‹netname› up
            ip -4 addr add ‹net.ip4.addr› dev ‹netname›
            ip -4 route add ‹net.ip4.prefix› dev ‹netname›
            ip -6 addr add ‹net.ip6.addr› dev ‹netname›
            ip -6 route add ‹net.ip6.prefix› dev ‹netname›
          '';
          description = ''
            tinc-up script to be used. Defaults to setting the
            krebs.host.nets.‹netname›.ip4 and ip6 for the new ips and
            configures forwarding of the respecitive netmask as subnet.
          '';
        };

        tincPackage = mkOption {
          type = types.package;
          default = pkgs.tinc_pre;
          description = "Tincd package to use.";
        };

        # Every known host that declares a net with this name.  This is the
        # input for hostsPackage, i.e. the set of peers tinc will know about.
        hosts = mkOption {
          type = with types; attrsOf host;
          default =
            filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts;
          defaultText = "‹all-hosts-of-‹netname››";
          description = ''
            Hosts to generate <literal>config.krebs.tinc.retiolum.hostsPackage</literal>.
            Note that these hosts must have a network named
            <literal>config.krebs.tinc.retiolum.netname</literal>.
          '';
        };

        # Tarball of hostsPackage for handing out to peers.  Note the archive
        # name is fixed to "retiolum-" regardless of netname.
        hostsArchive = mkOption {
          type = types.package;
          default = pkgs.runCommand "retiolum-hosts.tar.bz2" {
            nativeBuildInputs = [ pkgs.gnutar pkgs.coreutils ];
          } ''
            cp \
              --no-preserve=mode \
              --recursive \
              ${tinc.config.hostsPackage} \
              hosts
            tar -cjf $out hosts
          '';
          readOnly = true;
        };

        # One file per host in `hosts`, named after the host, whose content is
        # whatever host.nets.<netname>.tinc.config holds (presumably the peer's
        # public key and address/subnet lines; defined outside this file).
        hostsPackage = mkOption {
          type = types.package;
          default =
            pkgs.write "${tinc.config.netname}-tinc-hosts"
              (mapAttrs'
                (_: host: nameValuePair "/${host.name}" {
                  text = host.nets.${tinc.config.netname}.tinc.config;
                })
                tinc.config.hosts);
          defaultText = "‹netname›-tinc-hosts";
          description = ''
            Package of tinc host configuration files. By default, a package will
            be generated from <literal>config.krebs.‹netname›.hosts</literal>. This
            option's main purpose is to expose the generated hosts package to other
            modules, like <literal>config.krebs.tinc_graphs</literal>. But it can
            also be used to provide a custom hosts directory.
          '';
          example = literalExample ''
            (pkgs.stdenv.mkDerivation {
              name = "my-tinc-hosts";
              src = /home/tv/my-tinc-hosts;
              installPhase = "cp -R . $out";
            })
          '';
        };

        iproutePackage = mkOption {
          type = types.package;
          default = pkgs.iproute2;
          description = "Iproute2 package to use.";
        };

        # Path of the RSA private key on the target machine.  It is never part
        # of confDir; the service passes it to tincd via LoadCredential.
        privkey = mkOption {
          type = types.absolute-pathname;
          default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv";
          defaultText = "‹secrets/‹netname›.rsa_key.priv›";
        };

        # Ed25519 private key path, or null when the host record advertises no
        # Ed25519 public key for this net (the service then skips it).
        privkey_ed25519 = mkOption {
          type = types.nullOr types.absolute-pathname;
          default =
            if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
            then null
            else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv";
          defaultText = "‹secrets/‹netname›.ed25519_key.priv›";
        };

        # A dynamic attribute name that evaluates to null is dropped by Nix, so
        # only the "retiolum" net gets these seed nodes as its default; any
        # other net has to set connectTo explicitly (it is empty otherwise).
        connectTo = mkOption {
          type = types.listOf types.str;
          ${if netname == "retiolum" then "default" else null} = [
            "eve"
            "ni"
            "prism"
          ];
          description = ''
            The list of hosts in the network which the client will try to connect
            to. These hosts should have an 'Address' configured which points to a
            routeable IPv4 or IPv6 address.

            In stockholm this can be done by configuring:
            {
              krebs.hosts.‹host›.nets.‹netname›.via.ip4.addr = external-ip;
              krebs.hosts.‹host›.nets.‹netname›.tinc.port = 1655;
            }
          '';
        };

        logLevel = mkOption {
          type = types.int;
          description = ''
            LogLevel in tinc.conf
          '';
          default = 3;
        };

        # Unprivileged account that owns /etc/tinc/<netname>/ and that tincd
        # switches to (-U); it is created on the fly by DynamicUser below.
        username = mkOption {
          type = types.username;
          default = tinc.config.netname;
          defaultText = literalExample "netname";
        };
      };
    }));
  };

  config = {
    # krebs.systemd extension; presumably restarts the unit when one of its
    # LoadCredential source files changes -- confirm in the krebs.systemd
    # module, it is not visible here.
    krebs.systemd.services = mapAttrs (netname: cfg: {
      restartIfCredentialsChange = true;
    }) config.krebs.tinc;

    systemd.services = mapAttrs (netname: cfg: {
      description = "Tinc daemon for ${netname}";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      # A changed unit triggers ExecReload instead of a restart, so existing
      # tunnels survive a rebuild.
      reloadIfChanged = true;
      serviceConfig = {
        # The "+" prefix makes systemd run the command with full privileges,
        # ignoring User/DynamicUser.
        ExecReload = "+${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
        Restart = "always";
        # Private keys reach the unit as systemd credentials, i.e. they are
        # read from cfg.privkey* at start and exposed under
        # $CREDENTIALS_DIRECTORY rather than being copied into the store.
        # The Ed25519 entry is only present when privkey_ed25519 is set.
        LoadCredential = filter (x: x != "") [
          (optionalString (cfg.privkey_ed25519 != null)
            "ed25519_key.priv:${cfg.privkey_ed25519}"
          )
          "rsa_key.priv:${cfg.privkey}"
        ];
        # Runs as root ("+").  rsync -L copies the files the linkFarm symlinks
        # point at, --delete prunes stale entries, and --exclude='/*.priv'
        # both keeps any private-key file out of the copy and protects the
        # key links created below from --delete on the next start.  The
        # resulting tree is owned by cfg.username with u=rwX,g=rX.
        ExecStartPre = "+" + pkgs.writers.writeDash "init-tinc-${netname}" ''
          set -efu
          ${pkgs.coreutils}/bin/mkdir -p /etc/tinc
          ${pkgs.rsync}/bin/rsync -Lacv --delete \
            --chown ${cfg.username} \
            --chmod u=rwX,g=rX \
            --exclude='/*.priv' \
            ${cfg.confDir}/ /etc/tinc/${netname}/
          ${optionalString (cfg.privkey_ed25519 != null) /* sh */ ''
            ${pkgs.coreutils}/bin/ln -fns \
              "$CREDENTIALS_DIRECTORY"/ed25519_key.priv \
              /etc/tinc/${netname}/
          ''}
          ${pkgs.coreutils}/bin/ln -fns \
            "$CREDENTIALS_DIRECTORY"/rsa_key.priv \
            /etc/tinc/${netname}/
        '';
        # Also started as root ("+"): tincd needs privileges to create the TUN
        # device and run tinc-up, and drops to cfg.username itself via -U.
        # -D keeps it in the foreground, -d 0 is the debug level.
        ExecStart = "+" + toString [
          "${cfg.tincPackage}/sbin/tincd"
          "-D"
          "-U ${cfg.username}"
          "-d 0"
          "-n ${netname}"
        ];
        SyslogIdentifier = netname;
        # DynamicUser allocates cfg.username for the lifetime of the unit.
        # Because of the "+" prefixes above it does not confine the processes;
        # it provides the account that rsync --chown and tincd -U refer to.
        DynamicUser = true;
        User = cfg.username;
      };
    }) config.krebs.tinc;
  };
}