You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

84 lines
2.9 KiB
Nix

/* TODO: Translate this to a service/module at some point? Something like 'cryto.network' that handles all the internal-networking stuff. */
{ hostname, nodes, pingInterval ? 10 }:
{ pkgs, lib, ... }: let
/* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
generateConfiguration = options:
let
keys = builtins.attrNames options;
toPairs = map (key: {key = key; value = options.${key};});
createConfigEntries = map (item: "${item.key} = ${toString item.value}");
in
builtins.concatStringsSep "\n" (createConfigEntries (toPairs keys));
in {
deployment.secrets = {
"tinc-key" = {
source = "../private/${hostname}/tinc-key.priv";
destination = "/etc/tinc/cryto/ed25519_key.priv";
owner = { user = "tinc.cryto"; };
action = [ "systemctl" "restart" "tinc.cryto.service" ];
};
};
services.tinc.networks.cryto = {
debugLevel = 3;
chroot = false;
extraConfig = generateConfiguration {
AutoConnect = "yes";
PingInterval = pingInterval;
};
hosts = let
mapper = nodeName: nodeConfiguration:
lib.nameValuePair
/* NOTE: The below is because for a machine named `foo.bar-baz.net`, tinc expects a configuration file named `foo_bar_baz_net`. */
( builtins.replaceStrings [ "." "-" ] [ "_" "_" ] nodeName )
( generateConfiguration {
# Address = nodeName;
/* TODO: Figure out why a DNS name doesn't work here ("Error looking up machine-borg2-01.cryto.net port 655: Device or resource busy") */
Address = nodeConfiguration.ipv4;
Subnet = "${nodeConfiguration.internalIpv4}/32";
Ed25519PublicKey = nodeConfiguration.tincPublicKey;
} );
in lib.mapAttrs' mapper nodes;
};
# networking.interfaces."tinc.cryto".ipv4.addresses = [{
# address = nodes.${hostname}.internalIpv4;
# prefixLength = 24;
# }];
networking.firewall = {
allowedTCPPorts = [
655
];
allowedUDPPorts = [
655
];
trustedInterfaces = [
"tinc.cryto"
];
};
# FIXME: Make the netmask be generated from the prefixLength, instead of hard-coding it
environment.etc = {
"tinc/cryto/tinc-up".source = pkgs.writeScript "tinc-up-cryto" ''
#!${pkgs.stdenv.shell}
${pkgs.nettools}/bin/ifconfig tinc.cryto ${nodes.${hostname}.internalIpv4} netmask 255.255.255.0
'';
"tinc/cryto/tinc-down".source = pkgs.writeScript "tinc-down-cryto" ''
#!${pkgs.stdenv.shell}
/run/wrappers/bin/sudo ${pkgs.nettools}/bin/ifconfig tinc.cryto down
'';
};
security.sudo.extraRules = [{
users = [ "tinc.cryto" ];
commands = [{
command = "${pkgs.nettools}/bin/ifconfig tinc.cryto down";
options = [ "NOPASSWD" ];
}];
}];
}