From 17d901fdd0f0cbd6fddbca62bb4b4d835e9f059b Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Thu, 2 Jul 2015 20:48:08 +0200 Subject: First work an tinc --- custom/tinc/def.nix | 175 +++++++++++++++++++++++++++++++++++++++ custom/tinc/generate_hostfile.hs | 19 +++++ custom/tinc/laeradhr-hosts.nix | 92 ++++++++++++++++++++ custom/tinc/laeradhr.nix | 33 ++++++++ custom/tinc/yggdrasil-hosts.nix | 81 ++++++++++++++++++ custom/tinc/yggdrasil.nix | 33 ++++++++ 6 files changed, 433 insertions(+) create mode 100644 custom/tinc/def.nix create mode 100755 custom/tinc/generate_hostfile.hs create mode 100644 custom/tinc/laeradhr-hosts.nix create mode 100644 custom/tinc/laeradhr.nix create mode 100644 custom/tinc/yggdrasil-hosts.nix create mode 100644 custom/tinc/yggdrasil.nix (limited to 'custom') diff --git a/custom/tinc/def.nix b/custom/tinc/def.nix new file mode 100644 index 00000000..e191168f --- /dev/null +++ b/custom/tinc/def.nix 
@@ -0,0 +1,175 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.tinc;
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.tinc = {
+
+ networks = mkOption {
+ default = { };
+ type = types.loaOf types.optionSet;
+ description = ''
+ Defines the tinc networks which will be started.
+ Each network invokes a different daemon.
+ '';
+ options = {
+
+ extraConfig = mkOption {
+ default = "";
+ type = types.lines;
+ description = ''
+ Extra lines to add to the tinc service configuration file.
+ '';
+ };
+
+ name = mkOption {
+ default = null;
+ type = types.nullOr types.str;
+ description = ''
+ The name of the node which is used as an identifier when communicating
+ with the remote nodes in the mesh. If null then the hostname of the system
+ is used.
+ '';
+ };
+
+ debugLevel = mkOption {
+ default = 0;
+ type = types.addCheck types.int (l: l >= 0 && l <= 5);
+ description = ''
+ The amount of debugging information to add to the log. 0 means little
+ logging while 5 is the most logging. man tincd for
+ more details.
+ '';
+ };
+
+ hosts = mkOption {
+ default = { };
+ type = types.loaOf types.lines;
+ description = ''
+ The name of the host in the network as well as the configuration for that host.
+ This name should only contain alphanumerics and underscores.
+ '';
+ };
+
+ interfaceType = mkOption {
+ default = "tun";
+ type = types.addCheck types.str (n: n == "tun" || n == "tap");
+ description = ''
+ The type of virtual interface used for the network connection
+ '';
+ };
+
+ package = mkOption {
+ default = pkgs.tinc_pre;
+ description = ''
+ The package to use for the tinc daemon's binary.
+ '';
+ };
+
+ scripts = mkOption {
+ default = { };
+ type = types.loaOf (types.nullOr types.str);
+ description = ''
+ Hook scripts
+ '';
+ };
+
+ };
+ };
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf (cfg.networks != { }) {
+
+ environment.etc = fold (a: b: a // b) { }
+ (flip mapAttrsToList cfg.networks (network: data:
+ flip mapAttrs' data.hosts (host: text: nameValuePair
+ ("tinc/${network}/hosts/${host}")
+ ({ inherit text; })
+ ) // (flip mapAttrs' data.scripts (scriptName: text: nameValuePair
+ ("tinc/${network}/${scriptName}")
+ ({ mode = "0555"; inherit text; })
+ )) // {
+ "tinc/${network}/tinc.conf" = {
+ text = ''
+ Name = ${if data.name == null then "$HOST" else data.name}
+ DeviceType = ${data.interfaceType}
+ Device = /dev/net/tun
+ Interface = tinc.${network}
+ ${data.extraConfig}
+ '';
+ };
+ }
+ ));
+
+ networking.interfaces = flip mapAttrs' cfg.networks (network: data: nameValuePair
+ ("tinc.${network}")
+ ({
+ virtual = true;
+ virtualType = "${data.interfaceType}";
+ })
+ );
+
+ systemd.services = flip mapAttrs' cfg.networks (network: data: nameValuePair
+ ("tinc.${network}")
+ ({
+ description = "Tinc Daemon - ${network}";
+ wantedBy = [ "network.target" ];
+ after = [ "network-interfaces.target" ];
+ path = [ data.package ];
+ restartTriggers = [ config.environment.etc."tinc/${network}/tinc.conf".source ]
+ ++ mapAttrsToList (host: _ : config.environment.etc."tinc/${network}/hosts/${host}".source) data.hosts;
+ serviceConfig = {
+ Type = "simple";
+ PIDFile = "/run/tinc.${network}.pid";
+ };
+ preStart = ''
+ ${pkgs.openresolv}/bin/resolvconf -d tinc.${network} || true
+ '';
+ # preStart = ''
+ # mkdir -p /etc/tinc/${network}/hosts
+
+ # # Determine how we should generate our keys
+ # if type tinc >/dev/null 2>&1; then
+ # # Tinc 1.1+ uses the tinc helper application for key generation
+
+ # # Prefer ED25519 keys (only in 1.1+)
+ # [ -f "/etc/tinc/${network}/ed25519_key.priv" ] || tinc -n ${network} generate-ed25519-keys
+
+ # # Otherwise use RSA keys
+ # [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096
+ # else
+ # # Tinc 1.0 uses the tincd application
+ # [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096
+ # fi
+ # '';
+ script = ''
+ tincd -D -U tinc.${network} -n ${network} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}
+ '';
+ })
+ );
+
+ users.extraUsers = flip mapAttrs' cfg.networks (network: _:
+ nameValuePair ("tinc.${network}") ({
+ description = "Tinc daemon user for ${network}";
+ })
+ );
+
+ };
+
+}
diff --git a/custom/tinc/generate_hostfile.hs b/custom/tinc/generate_hostfile.hs
new file mode 100755
index 00000000..a8420780
--- /dev/null
+++ b/custom/tinc/generate_hostfile.hs
@@ -0,0 +1,19 @@
+#!/usr/bin/env runhaskell
+
+import System.Directory.Tree
+import Data.List
+
+main :: IO ()
+main = readDirectory "." >>= putStrLn . genHostFile
+
+genHostFile :: AnchoredDirTree String -> String
+genHostFile (_ :/ (Dir _ contents)) = "{\n" ++ entries ++ "\n}\n"
+ where
+ entries = concat [ genEntry name content | (File name content) <- contents, name `notElem` hidden ]
+ genEntry fileName fileContent = unlines . indent $ [ "\"" ++ fileName ++ "\" = ''" ] ++ indent (lines fileContent) ++ [ "'';" ]
+ hidden = [ "to_nix.sh"
+ , "signup.sh"
+ ]
+
+indent :: [String] -> [String]
+indent = map (" " ++)
diff --git a/custom/tinc/laeradhr-hosts.nix b/custom/tinc/laeradhr-hosts.nix
new file mode 100644
index 00000000..83b72899
--- /dev/null
+++ b/custom/tinc/laeradhr-hosts.nix
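Review bot: The `hosts` and `scripts` attribute names are spliced unchecked into the `environment.etc` paths `tinc/${network}/hosts/${host}` and `tinc/${network}/${scriptName}`; the only guard is the option description saying names "should only contain alphanumerics and underscores", so a name containing `/` or `..` would land a file outside the intended directory, and a name tinc rejects only fails at daemon start. An evaluation-time assertion closes that: `assertions = flip mapAttrsToList cfg.networks (network: data: { assertion = all (h: builtins.match "[A-Za-z0-9_]+" h != null) (attrNames data.hosts); message = "services.tinc.networks.${network}: host names must contain only alphanumerics and underscores"; });` (script names such as `tinc-up` need a pattern that also admits `-`). Separately, `restartTriggers` covers `tinc.conf` and the host files but not the `data.scripts` entries, so an edited `tinc-up` is not picked up until someone restarts the unit by hand. With the key-generation `preStart` commented out, the daemon presumably expects `rsa_key.priv` to already exist under `/etc/tinc/${network}`; a comment stating that the private key must be provisioned out of band, and never through `environment.etc` (which would put it in the world-readable store), would save the next reader a failed boot.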
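Review bot: `genEntry` pastes each host file's contents verbatim inside a Nix `''…''` string, so a file containing `''` or `${` breaks the generated expression, and because `${…}` is interpolation, anyone who can drop a host file into the directory (the hidden `signup.sh` suggests others do) gets an arbitrary Nix expression evaluated when the generated file is imported. The content should be escaped for indented strings before it is indented: `''` becomes `'''` and `${` becomes `''${`, as in the helper below. `genHostFile` is also partial — `readDirectory` can return a `Failed` node, which matches no equation and dies with a non-exhaustive-patterns error instead of a message — and `import Data.List` is unused since `notElem` is in the Prelude.
```haskell
-- … unchanged: main, genHostFile head, entries …
    genEntry fileName fileContent = unlines . indent $ [ "\"" ++ fileName ++ "\" = ''" ] ++ indent (lines (escapeIndented fileContent)) ++ [ "'';" ]
-- … unchanged: hidden, indent …

-- | Escape text for inclusion in a Nix indented ('' ... '') string literal.
escapeIndented :: String -> String
escapeIndented ('\'':'\'':rest) = "'''" ++ escapeIndented rest
escapeIndented ('$':'{':rest)   = "''${" ++ escapeIndented rest
escapeIndented (c:rest)         = c : escapeIndented rest
escapeIndented []               = []
```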
@@ -0,0 +1,92 @@ +{ + "heimdallr" = '' + Subnet = 10.142.0.2 + Subnet = 10.141.1.0/24 + + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAzphcufJwioUu3I9120c7gimAC325metgKg3W8V3RfmRh2GWn/H+t + DvKRH3BwSTYrNnwNgyp60gY/XexVED0xCIDoGjWZsK2o60g5xA8fPAPckVaPP3Vj + a3gyN6Y2Tlb4Ef2uWNe8irPL928v6UgxGl9dlgG3G2hW19hfuBBziDFdQCtyR1FH + GKvpS2rgHHIljh51LRDN9G2eIv9FGVDmiAgUYKAgzhwOr+TIHOPshcgMYD0iZ86s + 7iXJzWaiNTzx35ZzV5lkt+DafAQcWYrSV6858PXbx5HihU+ugTF+mbLuFitWNuja + DIZayUszmK/OBP8Mz3DP+NjRJugBv3hozpjMnSDZLMl7NcbwEn6+mj4Rrk9yMGPe + sNFclKtSiGHAJdCIdjK3gvC2z68NqRB23hxiPqfM0LBYlbZsA4AuYZyHlcoOTApe + 3y+69VRyG2H++MIVheHqqvIckq/p3XqWT5dHtI3YU7cunNGc5OofKjmpO1x+UV2l + 18H3DzW916pCNpqBlCj0wbv0h35ZUcxFCjTwSTPdjsqjninm6tPCXc2CgO2XOrPW + f4AekYifCwetD8bXbtycrYnykXLYJexIlFdUkUANa3H6cZ5gqGPE1ZF4Te1FVGCF + CSJrzSMDE0IidXqc/0dp9dsZQ5D4pi+/XYvAdx/HWV5PwD9UxmlB100CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + "sirius" = '' + Subnet = 10.142.0.100 + + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAl+YcFEkCPtBJmKj9rFRr+Tcez3nV53cKhWj9kSuGbZ8idZdC+Qop + eEN00LRQsEJwVg8RHqdK96qbgf21DBNjXXURqkslvDyhOOH1CzXvxlzZHbppAeI8 + lE3by62FaT2Uu7I6IKk+rcLnAOc2P5koYM8tm6C0deJM7uegutBrPNDJq7vgHidH + nhtduC/qX3wPf3D+69to0eIzswbIq5eQ+mrXoQJ2VMNsWZdEKCP23w/i+ikRkU6j + bU10sQt97KuqSNRE9QkTwtdPT2dduv6RdfgxDU1vSfWhv3xd3YPIgdfegF5sHBBc + W2v/R9pb01efcdev1+aW4TRZb9qN9qv3sr6Na2Jyti+Baqki1B8xwxjXX1vfm7k1 + mxkScIfbxCWK5H9WzCoOsU+Vat3PWNUxZbGlPI+Bo8UJ+Ay5wuAwXEZA9XWNnSuj + D/UtxalyNMlHQzPqFgTdkuT1lyYZKoDLTAZxlAgDUcGvyQ+bx6uPj6yBZxqy26TM + ZJb9tK3BklIzc1vojs9XfNQnnMkCIHtMLsmqyzudE+FwJycishnUHKAJ5W8/tt6S + sFOfXN97FHUfAp1652Cax2xYznjpnrakNbsIGVThkpA9xm+GaLS4FQtVmYLMNna0 + mE6NGf83Esgg1s9F9IR95O87WlYXAb99Ahcf3iOIZELBSTEu3JifBYcCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + "arbro" = '' + Subnet = 10.142.0.102 + + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEArS7bRAiVQMP+bIRrXs+FYLFm8SezgL/KEbbVTEy7N0fij1Yb/CtN + CRUhQDqQjIKPYwrXtd+fZCFIgAtn9RvtZPEaHAL1WUusuN1/zT4edZN1AOjr7ux5 + 
2SIuMcdjo5S7tFhqvyBADs1oYeD9usmOzjEHd9AwFJGHVMWJKHjguHXi26vRfTIL + VkpEegzIo09dju98NUJr4iQPGKkHA15KV9iWO6DzOBSeHoxKk3ddqvp38oQmyvS2 + MbjDuCBZNOe8GRmp82WawQOtyT9BGRfwXhYcXdzPgaVjBeR8bY4DmT8kqPnZqeXA + xigKk92rS2EUvB3QpBr8VDKaIwNXjxl+ASXqEWqOXbEO4KeOl41Cx61mKUZ7/Cg7 + 8RO6Ws/2kq8jBplYTKgF8Zb84goR6qHehjl9toCn84f3pYFgyRBAUmTOUhohS+/0 + 8M9M1MYRHKgJgIkzNeAGEo4Zv7AeWBpkN2VDyTkoWEeeezxqhz1w0U6UKxNZdIW/ + oGHrImnCc4GE/JMkkh7FaweeIT4e7/xeDVKvF1xW6bCWksemD1ulZFToqEdpFd53 + jN+UDo1vMwL8R0xJNXHRzlqlRovoDqHz9NcIVtsbs3vm/lIjlCutXo2ulIFO2ENC + emyCjZRlXhhPUrf8UD5Mbg20ksIDO46xJxLJmPqOM4sh39F6VRFgPz0CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + "surtr" = '' + Address = surtr.yggdrasil.li + Subnet = 10.142.0.1 + Port = 656 + + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAxZVZU4NxeB5uVzIgOKF5TWp5K/GcV9e4H1q6IHmp+qauST5vQS8i + 3YPuTapKwMZnqHLMQG6+HkCAAVdKBMyKm9alznjfR+M8mtj/zNgce360JjeAXko6 + mSBX02AeVhbj7WyhACt7sTKSIS6alXNCUnz038+qETgjrbNi518RPPBLz2Mf1woW + 73ZkKmEjpG6khG3alzw5Ne3eaKWiy3DHymEH9jeqGmT83hkVjpgtTeCMnT35b1uR + ZJs1w7vn7ur/UV4FzuZHYMmPpS1OvXJqb8uolfrikdB760wJuyfPyus5Y49fC7PM + yxZZgpIdWlMyowLtv8zYO9iwpilQpwwyK8GMywzHQBga5/0EEh7gcy3MRVwRyP6Y + TP84VMntniIRaJ/JhwNxn9JLKMeI6ggiVwcj8KQ68nDf/SwodIFHPU7GCstOfk4i + LsG6/fRCCJc9exeBAU7PZEGDOEjwi6kAscy1pmKx6BwHaBjj74zLjn3VjzFvKH1b + ycydEFznNOUk8y3cFkT/zbDMz3Y7+/P/tEgMDWDynF4wGtFmTOpwbq3nVFMjRsww + yLEppO9LtGIS/vvXr4UEBG0T1NtOP5ht3xPuVyTNCK7hg/W0lybV30LhaSJzhO+l + qkmXVF8CqHuhA1e2UfQRTSVKCrTikbPIQnOazXI3Vt3Kw53qdscRuKMCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + "reimar" = '' + Subnet = 10.142.0.101 + + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEA361NGc6b0tmjD52jrudgWlWAVrGrRX8ApjuWhFLHpyfTD3g4D6Sl + QHAUU7xzBBrDMZ3YeMqbL5C96ar55InCxj0XccfFk/i0Decsi5kdBSp42nQdB9df + YTn1wGxgmTYljjlbxMCY8/zrn6AvyDJH2LGqk8fDf84+EfIjRLaGn4toI3GGcCB4 + 5tqjPEbfNXMdhFlErRyw7CZpIInMIpyoQG6TAgf09w+OyBPybudR3p8nXQliTkN6 + idqH1g9W3hSaw0vNYJu7XCzUSPo+KguGpBZbNom21AXokIsZuPh2WornnTdUW7OZ + 
strVjctWuhqoa35Fp5pmkBHNQI6EoJLTfOzlxVdEGHhRo7X9HoCBj2q+ZoiU8/zu + MJPHSkPu7Iqdgx7EoBwSY7x72XStzQPQFpkFXTkS1ZGd/AdVvpYxraFrxnDZJ49Z + FxnGYCx7gc2VoKzVzczDqXWyYK9p3yd5T1n2kpOZ21iwcTQLYuLhLzsi7vNcMQZ6 + 9o0eLBIM5oHCZ77/Kyf0FT7s5UVceRxogsdEwcHEp84jhCpRSyp5Qt/yUPrytOrp + 8OJWrkfDTqF8awOywPNTSlP8S4FvYF8p26Mx/VLIrDYyNlDbHSXHz5FzJcUacUxc + /SubpKAZ9yLC59PC0h1/Tca8jIqVcHbNUEqfxGsI/xhyviZIigwO/QECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + +} + diff --git a/custom/tinc/laeradhr.nix b/custom/tinc/laeradhr.nix new file mode 100644 index 00000000..cf1b196d --- /dev/null +++ b/custom/tinc/laeradhr.nix @@ -0,0 +1,33 @@ +{ config, pkgs, name, ip, ... }: + +{ + config.services.tinc = { + networks = { + "laeradhr" = { + name = name; + debugLevel = 2; + hosts = ( import ./laeradhr-hosts.nix ); + extraConfig = "ConnectTo = surtr"; + scripts = { + tinc-up = '' + #!${pkgs.stdenv.shell} + ${pkgs.nettools}/bin/route add -net 10.141.1.0 netmask 255.255.255.0 gw 10.142.0.2 dev $INTERFACE metric 9999 + ${pkgs.openresolv}/bin/resolvconf -m 0 -a tinc.laeradhr <