Diffstat (limited to 'modules')
-rw-r--r--modules/netns.nix8
-rw-r--r--modules/yggdrasil-wg/default.nix8
2 files changed, 9 insertions, 7 deletions
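--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -92,9 +92,11 @@ let
 mkdir -p -m 0755 \
 "/nix/var/nix/profiles/per-container/${containerName}" \
 "/nix/var/nix/gcroots/per-container/${containerName}"
-credsBind=""
+credsBind=()
 if [ -n "''${CREDENTIALS_DIRECTORY}" ]; then
-credsBind="--bind-ro=''${CREDENTIALS_DIRECTORY}:/run/host/credentials"
+while IFS= read -r -d $'\0' credFile; do
+credsBind+=("--load-credential=$(basename "''${credFile}"):''${credFile}")
+done < <(find ''${CREDENTIALS_DIRECTORY} -type f -print0)
 fi
 # Run systemd-nspawn without startup notification (we'll
 # wait for the container systemd to signal readiness).
@@ -105,7 +107,7 @@ let
 --bind-ro=/nix/store \
 --bind-ro=/nix/var/nix/db \
 --bind-ro=/nix/var/nix/daemon-socket \
-$credsBind \
+''${credsBind} \
 --bind="/nix/var/nix/profiles/per-container/${containerName}:/nix/var/nix/profiles" \
 --bind="/nix/var/nix/gcroots/per-container/${containerName}:/nix/var/nix/gcroots" \
 --setenv PATH="$PATH" \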
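Review bot: The expansion `''${credsBind} \` in the second hunk passes only the first element of the array that the first hunk builds, so when `CREDENTIALS_DIRECTORY` holds more than one file every credential after the first is silently dropped and the container starts without it. Expand the whole array, quoted: `"''${credsBind[@]}" \`. The directory argument in the first hunk should be quoted as well, `find "''${CREDENTIALS_DIRECTORY}" -type f -print0`, so a path with whitespace is not split. A credential file whose name contains `:` would also break the `ID:PATH` form handed to `--load-credential`; a short comment stating that such names are not supported (or a check that skips them) would make that explicit. The start script begins and ends outside both hunks.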
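--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -132,11 +132,12 @@ let
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv";
 ListenPort = listenPort.${family};
 };
 wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family};
 };
+familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}";
 familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" {
 name = "yggdrasil-wg-${family}";
 matchConfig = {
@@ -159,9 +160,6 @@ let
 familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) {
 format = "binary";
 sopsFile = privateKeyPath family;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 });
 
 thisHost = host: host == hostName;
@@ -240,6 +238,8 @@ in {
 config.routeTables.yggdrasil = 1024;
 };
 
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies);
+
 sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies);
 
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];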
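Review bot: The credential name `yggdrasil-wg-${family}.priv` is now written out independently in `PrivateKeyFile`, in `familyToLoadCred` and in `familyToSopsSecret`, and the first of these also hard-codes the unit's credential directory, so a rename in one place leaves networkd pointing at a key file that is never loaded. Binding the name once in the `let` block, for example `wgCredName = family: "yggdrasil-wg-${family}.priv";`, and building all three strings from it would keep them in step. A comment next to `familyToSopsSecret` such as `# no mode/owner/group: the key stays at the sops-nix defaults and reaches networkd only via LoadCredential` would record that dropping the group-readable permissions is deliberate. Because the credential is presumably copied when the unit starts, it is worth checking that a rotated key restarts networkd, for instance with `restartUnits = [ "systemd-networkd.service" ];` on the secret.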