From 7846e26f8660b58d67eb90a21e7249715f49ac89 Mon Sep 17 00:00:00 2001
From: tv <tv@shackspace.de>
Date: Fri, 24 Jul 2015 11:22:21 +0200
Subject: 3: {tv -> krebs}.retiolum

---
 3modules/krebs/retiolum.nix | 226 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 226 insertions(+)
 create mode 100644 3modules/krebs/retiolum.nix

(limited to '3modules/krebs/retiolum.nix')

diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix
new file mode 100644
index 000000000..447592eef
--- /dev/null
+++ b/3modules/krebs/retiolum.nix
@@ -0,0 +1,226 @@
+{ config, pkgs, lib, ... }:
+
+with builtins;
+with lib;
+let
+  cfg = config.krebs.retiolum;
+
+  out = {
+    options.krebs.retiolum = api;
+    config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "krebs.retiolum";
+
+    name = mkOption {
+      type = types.str;
+      default = config.networking.hostName;
+      # Description stolen from tinc.conf(5).
+      description = ''
+        This is the name which identifies this tinc daemon.  It must
+        be unique for the virtual private network this daemon will
+        connect to.  The Name may only consist of alphanumeric and
+        underscore characters.  If Name starts with a $, then the
+        contents of the environment variable that follows will be
+        used.  In that case, invalid characters will be converted to
+        underscores.  If Name is $HOST, but no such environment
+        variable exist, the hostname will be read using the
+        gethostnname() system call This is the name which identifies
+        the this tinc daemon.
+      '';
+    };
+
+    generateEtcHosts = mkOption {
+      type = types.str;
+      default = "both";
+      description = ''
+        If set to <literal>short</literal>, <literal>long</literal>, or <literal>both</literal>,
+        then generate entries in <filename>/etc/hosts</filename> from subnets.
+      '';
+    };
+
+    network = mkOption {
+      type = types.str;
+      default = "retiolum";
+      description = ''
+        The tinc network name.
+        It is used to generate long host entries,
+        and name the TUN device.
+      '';
+    };
+
+    tincPackage = mkOption {
+      type = types.package;
+      default = pkgs.tinc;
+      description = "Tincd package to use.";
+    };
+
+    hosts = mkOption {
+      default = null;
+      description = ''
+        Hosts package or path to use.
+        If a path is given, then it will be used to generate an ad-hoc package.
+      '';
+    };
+
+    iproutePackage = mkOption {
+      type = types.package;
+      default = pkgs.iproute;
+      description = "Iproute2 package to use.";
+    };
+
+
+    privateKeyFile = mkOption {
+      # TODO if it's types.path then it gets copied to /nix/store with
+      #      bad unsafe permissions...
+      type = types.str;
+      default = "/root/src/secrets/retiolum.rsa_key.priv";
+      description = "Generate file with <literal>tincd -K</literal>.";
+    };
+
+    connectTo = mkOption {
+      type = types.listOf types.str;
+      default = [ "fastpoke" "pigstarter" "kheurop" ];
+      description = ''
+        The list of hosts in the network which the client will try to connect
+        to.  These hosts should have an 'Address' configured which points to a
+        routeable IPv4 or IPv6 address.
+      '';
+    };
+
+  };
+
+  imp = {
+    environment.systemPackages = [ tinc hosts iproute ];
+
+    networking.extraHosts = retiolumExtraHosts;
+
+    systemd.services.retiolum = {
+      description = "Tinc daemon for Retiolum";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ tinc iproute ];
+      serviceConfig = {
+        PermissionsStartOnly = "true";
+        PrivateTmp = "true";
+        Restart = "always";
+        # TODO we cannot chroot (-R) b/c we use symlinks to hosts
+        #      and the private key.
+        ExecStartPre = pkgs.writeScript "retiolum-init" ''
+          #! /bin/sh
+          install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv
+        '';
+        ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D";
+        SyslogIdentifier = "retiolum";
+      };
+    };
+
+    users.extraUsers = singleton {
+      inherit (user) name uid;
+    };
+  };
+
+  user = {
+    name = "retiolum";
+    uid = 301281149; # genid retiolum
+  };
+
+  tinc = cfg.tincPackage;
+  hostsType = builtins.typeOf cfg.hosts;
+  hosts =
+    if hostsType == "package" then
+      # use package as is
+      cfg.hosts
+    else if hostsType == "path" then
+      # use path to generate a package
+      pkgs.stdenv.mkDerivation {
+        name = "custom-retiolum-hosts";
+        src = cfg.hosts;
+        installPhase = ''
+          mkdir $out
+          find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out
+        '';
+      }
+    else
+      abort "The option `services.retiolum.hosts' must be set to a package or a path"
+    ;
+  iproute = cfg.iproutePackage;
+
+  retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"
+    { }
+    ''
+      generate() {
+        (cd ${hosts}
+          printf \'\'
+          for i in `ls`; do
+            names=$(hostnames $i)
+            for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do
+              names="$names $(hostnames $j)"
+            done
+            sed -En '
+              s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1  '"$names"'|p
+            ' $i
+          done | sort
+          printf \'\'
+        )
+      }
+
+      case ${cfg.generateEtcHosts} in
+        short)
+          hostnames() { echo "$1"; }
+          generate
+          ;;
+        long)
+          hostnames() { echo "$1.${cfg.network}"; }
+          generate
+          ;;
+        both)
+          hostnames() { echo "$1.${cfg.network} $1"; }
+          generate
+          ;;
+        *)
+          echo '""'
+          ;;
+      esac > $out
+    '');
+
+
+  confDir = pkgs.runCommand "retiolum" {
+    # TODO text
+    executable = true;
+    preferLocalBuild = true;
+  } ''
+    set -euf
+
+    mkdir -p $out
+
+    ln -s ${hosts} $out/hosts
+
+    cat > $out/tinc.conf <<EOF
+    Name = ${cfg.name}
+    Device = /dev/net/tun
+    Interface = ${cfg.network}
+    ${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)}
+    PrivateKeyFile = /tmp/retiolum-rsa_key.priv
+    EOF
+
+    # source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up
+    cat > $out/tinc-up <<EOF
+    host=$out/hosts/${cfg.name}
+    ${iproute}/sbin/ip link set \$INTERFACE up
+
+    addr4=\$(sed -n 's|^ *Subnet *= *\(10[.][^ ]*\) *$|\1|p' \$host)
+    if [ -n "\$addr4" ];then
+        ${iproute}/sbin/ip -4 addr add \$addr4 dev \$INTERFACE
+        ${iproute}/sbin/ip -4 route add 10.243.0.0/16 dev \$INTERFACE
+    fi
+    addr6=\$(sed -n 's|^ *Subnet *= *\(42[:][^ ]*\) *$|\1|p' \$host)
+    ${iproute}/sbin/ip -6 addr add \$addr6 dev \$INTERFACE
+    ${iproute}/sbin/ip -6 route add 42::/16 dev \$INTERFACE
+    EOF
+
+    chmod +x $out/tinc-up
+  '';
+in
+out
-- 
cgit v1.2.3


From faf5f6c172d6a6915e18cdec85e3543051eb0449 Mon Sep 17 00:00:00 2001
From: tv <tv@shackspace.de>
Date: Fri, 24 Jul 2015 12:41:41 +0200
Subject: krebs.retiolum: define type of hosts

---
 3modules/krebs/retiolum.nix | 40 ++++++++++++++++++----------------------
 1 file changed, 18 insertions(+), 22 deletions(-)

(limited to '3modules/krebs/retiolum.nix')

diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix
index 447592eef..1406f2fc4 100644
--- a/3modules/krebs/retiolum.nix
+++ b/3modules/krebs/retiolum.nix
@@ -57,9 +57,9 @@ let
     };
 
     hosts = mkOption {
-      default = null;
+      type = with types; either package path;
+      default = ../../Zhosts;
       description = ''
-        Hosts package or path to use.
         If a path is given, then it will be used to generate an ad-hoc package.
       '';
     };
@@ -127,24 +127,20 @@ let
   };
 
   tinc = cfg.tincPackage;
-  hostsType = builtins.typeOf cfg.hosts;
-  hosts =
-    if hostsType == "package" then
-      # use package as is
-      cfg.hosts
-    else if hostsType == "path" then
-      # use path to generate a package
-      pkgs.stdenv.mkDerivation {
-        name = "custom-retiolum-hosts";
-        src = cfg.hosts;
-        installPhase = ''
-          mkdir $out
-          find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out
-        '';
-      }
-    else
-      abort "The option `services.retiolum.hosts' must be set to a package or a path"
-    ;
+
+  hosts = getAttr (typeOf cfg.hosts) {
+    package = cfg.hosts;
+    path = pkgs.stdenv.mkDerivation {
+      name = "custom-retiolum-hosts";
+      src = cfg.hosts;
+      installPhase = ''
+        mkdir $out
+        find . -name .git -prune -o -type f -print0 \
+          | xargs -0 cp --target-directory $out
+      '';
+    };
+  };
+
   iproute = cfg.iproutePackage;
 
   retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"
@@ -222,5 +218,5 @@ let
 
     chmod +x $out/tinc-up
   '';
-in
-out
+
+in out
-- 
cgit v1.2.3


From c63c87311d9cc533aaf3a5a6e59d8bc1aea9067b Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Fri, 24 Jul 2015 14:06:48 +0200
Subject: krebs/retiolum.nix: add doc for secretKeyFile

---
 3modules/krebs/retiolum.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to '3modules/krebs/retiolum.nix')

diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix
index 447592eef..e9b1244e1 100644
--- a/3modules/krebs/retiolum.nix
+++ b/3modules/krebs/retiolum.nix
@@ -76,7 +76,11 @@ let
       #      bad unsafe permissions...
       type = types.str;
       default = "/root/src/secrets/retiolum.rsa_key.priv";
-      description = "Generate file with <literal>tincd -K</literal>.";
+      description = ''
+          Generate file with <literal>tincd -K</literal>.
+          This file must exist on the local system. The default points to 
+          <secrets/retiolum.rsa_key.priv>.
+        '';
     };
 
     connectTo = mkOption {
-- 
cgit v1.2.3


From 4826257ea3c239d77a58934d34bb02505426e39f Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Fri, 24 Jul 2015 14:07:39 +0200
Subject: krebs/retiolum.nix: remove kheurop from default list for connectTo

kheurop is a dead host for a long time now
---
 3modules/krebs/retiolum.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to '3modules/krebs/retiolum.nix')

diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix
index e9b1244e1..5c26dff18 100644
--- a/3modules/krebs/retiolum.nix
+++ b/3modules/krebs/retiolum.nix
@@ -85,7 +85,7 @@ let
 
     connectTo = mkOption {
       type = types.listOf types.str;
-      default = [ "fastpoke" "pigstarter" "kheurop" ];
+      default = [ "fastpoke" "pigstarter" "gum" ];
       description = ''
         The list of hosts in the network which the client will try to connect
         to.  These hosts should have an 'Address' configured which points to a
-- 
cgit v1.2.3