stockholm/krebs/3modules/tinc.nix

281 lines
9.6 KiB
Nix
Raw Normal View History

2016-10-20 20:54:38 +02:00
with import <stockholm/lib>;
{ config, pkgs, ... }: {
options.krebs.tinc = mkOption {
default = {};
description = ''
define a tinc network
'';
type = types.attrsOf (types.submodule (tinc: {
2016-07-26 14:02:04 +02:00
options = let
netname = tinc.config._module.args.name;
in {
2016-07-26 14:02:04 +02:00
enable = mkEnableOption "krebs.tinc.${netname}" // { default = true; };
2017-05-16 22:03:42 +02:00
confDir = mkOption {
type = types.package;
default = pkgs.linkFarm "${netname}-etc-tinc"
(mapAttrsToList (name: path: { inherit name path; }) {
"hosts" = tinc.config.hostsPackage;
"tinc.conf" = pkgs.writeText "${netname}-tinc.conf" ''
Name = ${tinc.config.host.name}
2022-03-03 10:53:25 +01:00
LogLevel = ${toString tinc.config.logLevel}
2017-05-16 22:03:42 +02:00
Interface = ${netname}
2019-01-16 11:10:34 +01:00
Broadcast = no
2017-05-16 22:03:42 +02:00
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
${tinc.config.extraConfig}
'';
"tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
${tinc.config.iproutePackage}/sbin/ip link set ${netname} up
2017-05-16 22:03:42 +02:00
${tinc.config.tincUp}
'';
});
};
host = mkOption {
type = types.host;
default = config.krebs.build.host;
};
netname = mkOption {
type = types.enum (attrNames tinc.config.host.nets);
2016-07-26 14:02:04 +02:00
default = netname;
description = ''
The tinc network name.
It is used to name the TUN device and to generate the default value for
<literal>config.krebs.tinc.retiolum.hosts</literal>.
'';
};
extraConfig = mkOption {
2022-01-29 23:45:55 +01:00
type = types.lines;
default = "";
description = ''
Extra Configuration to be appended to tinc.conf
'';
};
2016-07-26 14:02:04 +02:00
tincUp = mkOption {
2020-01-14 20:39:30 +01:00
type = types.str;
2016-07-26 14:02:04 +02:00
default = let
net = tinc.config.host.nets.${netname};
iproute = tinc.config.iproutePackage;
2016-07-26 14:02:04 +02:00
in ''
${optionalString (net.ip4 != null) /* sh */ ''
${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
2016-07-26 14:02:04 +02:00
''}
${optionalString (net.ip6 != null) /* sh */ ''
${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
2016-07-26 14:02:04 +02:00
''}
2018-10-30 22:47:57 +01:00
${tinc.config.tincUpExtra}
2016-07-26 14:02:04 +02:00
'';
2021-11-08 01:54:39 +01:00
defaultText = ''
ip -4 addr add net.ip4.addr dev ${netname}
ip -4 route add net.ip4.prefix dev ${netname}
ip -6 addr add net.ip6.addr dev ${netname}
ip -6 route add net.ip6.prefix dev ${netname}
${tinc.config.tincUpExtra}
'';
2016-07-26 14:02:04 +02:00
description = ''
tinc-up script to be used. Defaults to setting the
2021-11-08 01:54:39 +01:00
krebs.host.nets.netname.ip4 and ip6 for the new ips and
2016-07-26 14:02:04 +02:00
configures forwarding of the respecitive netmask as subnet.
'';
};
2018-10-30 22:47:57 +01:00
tincUpExtra = mkOption {
type = types.str;
default = "";
};
tincPackage = mkOption {
type = types.package;
default = pkgs.tinc_pre;
description = "Tincd package to use.";
};
hosts = mkOption {
type = with types; attrsOf host;
default =
filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts;
2021-11-08 01:54:39 +01:00
defaultText = "all-hosts-of-netname";
description = ''
Hosts to generate <literal>config.krebs.tinc.retiolum.hostsPackage</literal>.
Note that these hosts must have a network named
<literal>config.krebs.tinc.retiolum.netname</literal>.
'';
};
2016-10-27 22:04:21 +02:00
hostsArchive = mkOption {
type = types.package;
2020-11-19 23:36:52 +01:00
default = pkgs.runCommand "retiolum-hosts.tar.bz2" {
nativeBuildInputs = [ pkgs.gnutar pkgs.coreutils ];
} ''
cp \
--no-preserve=mode \
--recursive \
${tinc.config.hostsPackage} \
hosts
2020-11-19 23:36:52 +01:00
tar -cjf $out hosts
2016-10-27 22:04:21 +02:00
'';
readOnly = true;
};
hostsPackage = mkOption {
type = types.package;
default = pkgs.stdenv.mkDerivation {
name = "${tinc.config.netname}-tinc-hosts";
phases = [ "installPhase" ];
installPhase = ''
mkdir $out
${concatStrings (mapAttrsToList (_: host: ''
echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
> $out/${shell.escape host.name}
'') tinc.config.hosts)}
'';
};
2021-11-08 01:54:39 +01:00
defaultText = "netname-tinc-hosts";
description = ''
Package of tinc host configuration files. By default, a package will
2021-11-08 01:54:39 +01:00
be generated from <literal>config.krebs.netname.hosts</literal>. This
option's main purpose is to expose the generated hosts package to other
modules, like <literal>config.krebs.tinc_graphs</literal>. But it can
also be used to provide a custom hosts directory.
'';
example = literalExample ''
(pkgs.stdenv.mkDerivation {
name = "my-tinc-hosts";
src = /home/tv/my-tinc-hosts;
installPhase = "cp -R . $out";
})
'';
};
iproutePackage = mkOption {
type = types.package;
default = pkgs.iproute;
description = "Iproute2 package to use.";
};
privkey = mkOption {
2021-12-23 01:12:38 +01:00
type = types.absolute-pathname;
default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
2021-11-08 01:54:39 +01:00
defaultText = "secrets/netname.rsa_key.priv";
};
privkey_ed25519 = mkOption {
2021-12-23 01:12:38 +01:00
type = types.nullOr types.absolute-pathname;
default =
2021-12-23 01:12:38 +01:00
if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
then null
else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
2021-11-08 01:54:39 +01:00
defaultText = "secrets/netname.ed25519_key.priv";
};
connectTo = mkOption {
type = types.listOf types.str;
2021-11-08 01:54:39 +01:00
${if netname == "retiolum" then "default" else null} = [
2022-02-08 18:20:21 +01:00
"eve"
"ni"
"prism"
];
description = ''
The list of hosts in the network which the client will try to connect
to. These hosts should have an 'Address' configured which points to a
routeable IPv4 or IPv6 address.
In stockholm this can be done by configuring:
2021-11-08 01:54:39 +01:00
{
krebs.hosts.host.nets.netname.via.ip4.addr = external-ip;
krebs.hosts.host.nets.netname.tinc.port = 1655;
}
'';
};
2022-03-03 10:53:25 +01:00
logLevel = mkOption {
type = types.int;
description = ''
LogLevel in tinc.conf
'';
default = 3;
};
user = mkOption {
type = types.user;
default = {
name = tinc.config.netname;
home = "/var/lib/${tinc.config.user.name}";
};
2021-11-08 01:54:39 +01:00
defaultText = {
name = "netname";
home = "/var/lib/netname";
};
};
};
}));
};
2016-07-20 14:38:59 +02:00
config = {
2016-07-20 14:24:58 +02:00
users.users = mapAttrs' (netname: cfg:
nameValuePair "${netname}" {
2016-07-20 14:38:59 +02:00
inherit (cfg.user) home name uid;
createHome = true;
isSystemUser = true;
2021-10-23 12:07:40 +02:00
group = netname;
2016-07-20 14:38:59 +02:00
}
) config.krebs.tinc;
2021-10-23 12:07:40 +02:00
users.groups = mapAttrs' (netname: cfg:
nameValuePair netname {}
) config.krebs.tinc;
krebs.systemd.services = mapAttrs (netname: cfg: {
}) config.krebs.tinc;
systemd.services = mapAttrs (netname: cfg: {
description = "Tinc daemon for ${netname}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
# Restart the service in a single step in order to prevent potential
# connection timeouts and subsequent issues while deploying via tinc.
stopIfChanged = false;
serviceConfig = {
Restart = "always";
LoadCredential = filter (x: x != "") [
(optionalString (cfg.privkey_ed25519 != null)
"ed25519_key.priv:${cfg.privkey_ed25519}"
)
"rsa_key.priv:${cfg.privkey}"
];
ExecStartPre = pkgs.writers.writeDash "init-tinc-${netname}" ''
set -efu
${pkgs.coreutils}/bin/mkdir -p /etc/tinc
${pkgs.rsync}/bin/rsync -Lacv --delete \
--chown ${cfg.user.name} \
--chmod u=rwX,g=rX \
--exclude='/*.priv' \
${cfg.confDir}/ /etc/tinc/${netname}/
${optionalString (cfg.privkey_ed25519 != null) /* sh */ ''
${pkgs.coreutils}/bin/ln -fns \
"$CREDENTIALS_DIRECTORY"/ed25519_key.priv \
/etc/tinc/${netname}/
''}
${pkgs.coreutils}/bin/ln -fns \
"$CREDENTIALS_DIRECTORY"/rsa_key.priv \
/etc/tinc/${netname}/
'';
ExecStart = toString [
"${cfg.tincPackage}/sbin/tincd"
"-D"
"-U ${cfg.user.name}"
"-d 0"
2022-03-06 15:14:21 +01:00
"-n ${netname}"
];
SyslogIdentifier = netname;
};
}) config.krebs.tinc;
};
}