@ -1,7 +1,7 @@
/* TODO: Translate this to a service/module at some point? Something like 'cryto.network' that handles all the internal-networking stuff. */
/* TODO: Translate this to a service/module at some point? Something like 'cryto.network' that handles all the internal-networking stuff. */
{ hostname, nodes, pingInterval ? 10 }:
{ hostname, nodes, pingInterval ? 10 }:
{ lib, ... }: let
{ pkgs, lib, ... }: let
/* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
/* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
generateConfiguration = options:
generateConfiguration = options:
let
@ -22,6 +22,7 @@
services.tinc.networks.cryto = {
services.tinc.networks.cryto = {
debugLevel = 3;
debugLevel = 3;
chroot = false;
extraConfig = generateConfiguration {
extraConfig = generateConfiguration {
AutoConnect = "yes";
@ -43,10 +44,10 @@
in lib.mapAttrs' mapper nodes;
in lib.mapAttrs' mapper nodes;
};
};
networking.interfaces."tinc.cryto".ipv4.addresses = [{
# networking.interfaces."tinc.cryto".ipv4.addresses = [{
address = nodes.${hostname}.internalIpv4;
# address = nodes.${hostname}.internalIpv4;
prefixLength = 24;
# prefixLength = 24;
}];
# }];
networking.firewall = {
networking.firewall = {
allowedTCPPorts = [
@ -59,4 +60,24 @@
"tinc.cryto"
"tinc.cryto"
];
];
};
# FIXME: Make the netmask be generated from the prefixLength, instead of hard-coding it
environment.etc = {
"tinc/cryto/tinc-up".source = pkgs.writeScript "tinc-up-cryto" ''
#!${pkgs.stdenv.shell}
${pkgs.nettools}/bin/ifconfig tinc.cryto ${nodes.${hostname}.internalIpv4} netmask 255.255.255.0
'';
"tinc/cryto/tinc-down".source = pkgs.writeScript "tinc-down-cryto" ''
#!${pkgs.stdenv.shell}
/run/wrappers/bin/sudo ${pkgs.nettools}/bin/ifconfig tinc.cryto down
'';
};
security.sudo.extraRules = [{
users = [ "tinc.cryto" ];
commands = [{
command = "${pkgs.nettools}/bin/ifconfig tinc.cryto down";
options = [ "NOPASSWD" ];
}];
}];
}
}
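Review bot: The `security.sudo.extraRules` entry at the end of this hunk does not set `runAs`, so — if I recall the NixOS sudo module's default of `ALL:ALL` correctly — the `tinc.cryto` user may run the listed command as any user rather than only as root; adding `runAs = "root";` beside `users = [ "tinc.cryto" ];` narrows the grant to what the tinc-down script actually needs, while the command string already pinning the full argument list is the right shape for a NOPASSWD rule. The asymmetry between tinc-up (plain `ifconfig`) and tinc-down (via `/run/wrappers/bin/sudo`) is not explained anywhere in the file; a comment such as `# tinc-down runs after tinc has dropped privileges, hence sudo; tinc-up still runs as root` would spare the next reader the guess, assuming that is indeed the reason. The `chroot = false;` added in the second hunk likewise deserves a one-line why-comment, since it relaxes tinc's own isolation and the rationale is not visible here.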