Diffstat (limited to 'modules')
-rw-r--r-- | modules/netns.nix | 8 | ||||
-rw-r--r-- | modules/yggdrasil-wg/default.nix | 8 |
2 files changed, 9 insertions, 7 deletions
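--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -92,9 +92,11 @@ let
 mkdir -p -m 0755 \
 "/nix/var/nix/profiles/per-container/${containerName}" \
 "/nix/var/nix/gcroots/per-container/${containerName}"
-credsBind=""
+credsBind=()
 if [ -n "''${CREDENTIALS_DIRECTORY}" ]; then
-credsBind="--bind-ro=''${CREDENTIALS_DIRECTORY}:/run/host/credentials"
+while IFS= read -r -d $'\0' credFile; do
+credsBind+=("--load-credential=$(basename "''${credFile}"):''${credFile}")
+done < <(find ''${CREDENTIALS_DIRECTORY} -type f -print0)
 fi
 # Run systemd-nspawn without startup notification (we'll
 # wait for the container systemd to signal readiness).
@@ -105,7 +107,7 @@ let
 --bind-ro=/nix/store \
 --bind-ro=/nix/var/nix/db \
 --bind-ro=/nix/var/nix/daemon-socket \
-$credsBind \
+''${credsBind} \
 --bind="/nix/var/nix/profiles/per-container/${containerName}:/nix/var/nix/profiles" \
 --bind="/nix/var/nix/gcroots/per-container/${containerName}:/nix/var/nix/gcroots" \
 --setenv PATH="$PATH" \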
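--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -132,11 +132,12 @@ let
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv";
 ListenPort = listenPort.${family};
 };
 wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family};
 };
+familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}";
 familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" {
 name = "yggdrasil-wg-${family}";
 matchConfig = {
@@ -159,9 +160,6 @@ let
 familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) {
 format = "binary";
 sopsFile = privateKeyPath family;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 });
 
 thisHost = host: host == hostName;
@@ -240,6 +238,8 @@ in {
 config.routeTables.yggdrasil = 1024;
 };
 
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies);
+
 sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies);
 
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];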
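Review bot: The `.netdev` now hardcodes `PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv"` while the `LoadCredential` entry that populates that path is gated on `mkIf inNetwork`; if the netdev is still generated when `inNetwork` is false (its gating is not visible here), networkd points at a credential that was never loaded and the link silently fails to come up, so both should hang off the same condition. The credential name `yggdrasil-wg-${family}.priv` is now spelled in four places (netdev, `familyToLoadCred` twice, `familyToSopsSecret`); a single `familyToCredName = family: "yggdrasil-wg-${family}.priv";` used by all of them would keep the LoadCredential ID and the path in the netdev from drifting apart. Dropping `mode`/`owner`/`group` is the right security move since networkd no longer needs group read on the sops file, but it deserves a comment on `familyToLoadCred`, e.g. `# networkd reads the key through its systemd credential store; the sops file stays root-only.`, so nobody re-adds the group grant later. Both the `let` bindings and the module body extend beyond the visible hunks.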