From bf6424fc841f3ece624611a6a057e76aaae544a6 Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Sun, 31 May 2020 02:17:16 +0200
Subject: [PATCH] Use tinc-up/tinc-down scripts instead of networking.interfaces, to sidestep the rebuild bug
---
 configuration/lib/tinc-configuration.nix | 31 ++++++++++++++++++++----
 1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/configuration/lib/tinc-configuration.nix b/configuration/lib/tinc-configuration.nix
index a513f01..7d2bcd8 100644
--- a/configuration/lib/tinc-configuration.nix
+++ b/configuration/lib/tinc-configuration.nix
@@ -1,7 +1,7 @@
 /* TODO: Translate this to a service/module at some point? Something like 'cryto.network' that handles all the internal-networking stuff. */
 { hostname, nodes, pingInterval ? 10 }:
-{ lib, ... }: let
+{ pkgs, lib, ... }: let
 /* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
 generateConfiguration = options: let
@@ -22,6 +22,7 @@
 services.tinc.networks.cryto = {
 debugLevel = 3;
+chroot = false;
 extraConfig = generateConfiguration {
 AutoConnect = "yes";
@@ -43,10 +44,10 @@
 in lib.mapAttrs' mapper nodes;
 };
-networking.interfaces."tinc.cryto".ipv4.addresses = [{
-address = nodes.${hostname}.internalIpv4;
-prefixLength = 24;
-}];
+# networking.interfaces."tinc.cryto".ipv4.addresses = [{
+# address = nodes.${hostname}.internalIpv4;
+# prefixLength = 24;
+# }];
 networking.firewall = {
 allowedTCPPorts = [
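Review bot: `chroot = false;` in the `-22,6 +22,7` hunk switches off the one sandboxing option tincd is given here, and nothing on the line records why. tinc documents that a chrooted daemon can no longer execute its tinc-up/tinc-down scripts, which is presumably the reason, since this same commit introduces exactly those scripts; stating it keeps the next reader from re-enabling it as a "free" hardening win: `chroot = false; # tincd cannot run tinc-up/tinc-down from inside the chroot`. If the isolation is worth more than the scripts, the alternative is to keep the chroot and set the address some other way, but that trade-off belongs in the comment either way. The `services.tinc.networks.cryto` attribute set continues outside the hunk.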
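Review bot: The `-43,10 +44,10` hunk keeps the replaced `networking.interfaces."tinc.cryto"` block as four commented-out lines with no pointer to why it was taken out. Git already preserves the old text, so a single comment naming the reason reads better than dead code and tells a future maintainer when it is safe to switch back, e.g. `# Address is set by the tinc-up script instead of networking.interfaces, to sidestep the rebuild bug (see commit message)`. The enclosing attribute set starts and ends outside the hunk.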
@@ -59,4 +60,24 @@
 "tinc.cryto"
 ];
 };
+
+# FIXME: Make the netmask be generated from the prefixLength, instead of hard-coding it
+environment.etc = {
+"tinc/cryto/tinc-up".source = pkgs.writeScript "tinc-up-cryto" ''
+#!${pkgs.stdenv.shell}
+${pkgs.nettools}/bin/ifconfig tinc.cryto ${nodes.${hostname}.internalIpv4} netmask 255.255.255.0
+'';
+"tinc/cryto/tinc-down".source = pkgs.writeScript "tinc-down-cryto" ''
+#!${pkgs.stdenv.shell}
+/run/wrappers/bin/sudo ${pkgs.nettools}/bin/ifconfig tinc.cryto down
+'';
+};
+
+security.sudo.extraRules = [{
+users = [ "tinc.cryto" ];
+commands = [{
+command = "${pkgs.nettools}/bin/ifconfig tinc.cryto down";
+options = [ "NOPASSWD" ];
+}];
+}];
 }
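Review bot: The sudo rule and the two scripts carry no comment explaining why only tinc-down goes through `/run/wrappers/bin/sudo` while tinc-up calls ifconfig directly, so the asymmetry reads like an oversight rather than a design. Presumably tinc-up runs before tincd drops privileges to the `tinc.cryto` user and tinc-down runs after, which is why a NOPASSWD rule is needed at all; a line above `security.sudo.extraRules` such as `# tinc-down runs after tincd has dropped to tinc.cryto, so the down command needs sudo; tinc-up still runs as root` would settle that, and the `users` entry should be noted as having to match the account tincd is started as. The rule itself is as narrow as it can be (an exact store-path command with fixed arguments, no wildcards), which is the right shape for this; it only stays correct because `command` and the script body both interpolate the same `${pkgs.nettools}`, so that coupling deserves a one-line comment too, since a rule written as a literal path would silently stop matching on the next nettools bump.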