diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-08-09 11:23:00 +0300 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-08-09 11:23:00 +0300 |
| commit | c1f62e9827efe7c8e303e3cfa70dac8f544312b1 (patch) | |
| tree | d20ff0f367804bc87996c6312cebe2fa57b5bd4c /modules | |
| parent | de66ba821b2851cb23bcc7b064e84de3dd848e26 (diff) | |
| download | nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.gz nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.bz2 nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.xz nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.zip | |
...
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/netns.nix | 8 | ||||
| -rw-r--r-- | modules/yggdrasil-wg/default.nix | 8 |
2 files changed, 9 insertions, 7 deletions
diff --git a/modules/netns.nix b/modules/netns.nix index 18e066e5..d4f07feb 100644 --- a/modules/netns.nix +++ b/modules/netns.nix | |||
| @@ -92,9 +92,11 @@ let | |||
| 92 | mkdir -p -m 0755 \ | 92 | mkdir -p -m 0755 \ |
| 93 | "/nix/var/nix/profiles/per-container/${containerName}" \ | 93 | "/nix/var/nix/profiles/per-container/${containerName}" \ |
| 94 | "/nix/var/nix/gcroots/per-container/${containerName}" | 94 | "/nix/var/nix/gcroots/per-container/${containerName}" |
| 95 | credsBind="" | 95 | credsBind=() |
| 96 | if [ -n "''${CREDENTIALS_DIRECTORY}" ]; then | 96 | if [ -n "''${CREDENTIALS_DIRECTORY}" ]; then |
| 97 | credsBind="--bind-ro=''${CREDENTIALS_DIRECTORY}:/run/host/credentials" | 97 | while IFS= read -r -d $'\0' credFile; do |
| 98 | credsBind+=("--load-credential=$(basename "''${credFile}"):''${credFile}") | ||
| 99 | done < <(find ''${CREDENTIALS_DIRECTORY} -type f -print0) | ||
| 98 | fi | 100 | fi |
| 99 | # Run systemd-nspawn without startup notification (we'll | 101 | # Run systemd-nspawn without startup notification (we'll |
| 100 | # wait for the container systemd to signal readiness). | 102 | # wait for the container systemd to signal readiness). |
| @@ -105,7 +107,7 @@ let | |||
| 105 | --bind-ro=/nix/store \ | 107 | --bind-ro=/nix/store \ |
| 106 | --bind-ro=/nix/var/nix/db \ | 108 | --bind-ro=/nix/var/nix/db \ |
| 107 | --bind-ro=/nix/var/nix/daemon-socket \ | 109 | --bind-ro=/nix/var/nix/daemon-socket \ |
| 108 | $credsBind \ | 110 | ''${credsBind} \ |
| 109 | --bind="/nix/var/nix/profiles/per-container/${containerName}:/nix/var/nix/profiles" \ | 111 | --bind="/nix/var/nix/profiles/per-container/${containerName}:/nix/var/nix/profiles" \ |
| 110 | --bind="/nix/var/nix/gcroots/per-container/${containerName}:/nix/var/nix/gcroots" \ | 112 | --bind="/nix/var/nix/gcroots/per-container/${containerName}:/nix/var/nix/gcroots" \ |
| 111 | --setenv PATH="$PATH" \ | 113 | --setenv PATH="$PATH" \ |
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix index 1e52ba06..c27eb286 100644 --- a/modules/yggdrasil-wg/default.nix +++ b/modules/yggdrasil-wg/default.nix | |||
| @@ -132,11 +132,12 @@ let | |||
| 132 | Kind = "wireguard"; | 132 | Kind = "wireguard"; |
| 133 | }; | 133 | }; |
| 134 | wireguardConfig = { | 134 | wireguardConfig = { |
| 135 | PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path; | 135 | PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv"; |
| 136 | ListenPort = listenPort.${family}; | 136 | ListenPort = listenPort.${family}; |
| 137 | }; | 137 | }; |
| 138 | wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family}; | 138 | wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family}; |
| 139 | }; | 139 | }; |
| 140 | familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}"; | ||
| 140 | familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" { | 141 | familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" { |
| 141 | name = "yggdrasil-wg-${family}"; | 142 | name = "yggdrasil-wg-${family}"; |
| 142 | matchConfig = { | 143 | matchConfig = { |
| @@ -159,9 +160,6 @@ let | |||
| 159 | familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) { | 160 | familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) { |
| 160 | format = "binary"; | 161 | format = "binary"; |
| 161 | sopsFile = privateKeyPath family; | 162 | sopsFile = privateKeyPath family; |
| 162 | mode = "0640"; | ||
| 163 | owner = "root"; | ||
| 164 | group = "systemd-network"; | ||
| 165 | }); | 163 | }); |
| 166 | 164 | ||
| 167 | thisHost = host: host == hostName; | 165 | thisHost = host: host == hostName; |
| @@ -240,6 +238,8 @@ in { | |||
| 240 | config.routeTables.yggdrasil = 1024; | 238 | config.routeTables.yggdrasil = 1024; |
| 241 | }; | 239 | }; |
| 242 | 240 | ||
| 241 | systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies); | ||
| 242 | |||
| 243 | sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies); | 243 | sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies); |
| 244 | 244 | ||
| 245 | boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv]; | 245 | boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv]; |