diff options
| author | Alex Auvolat <alex@adnab.me> | 2022-04-20 10:50:42 +0200 |
|---|---|---|
| committer | Alex Auvolat <alex@adnab.me> | 2022-04-20 10:50:42 +0200 |
| commit | 50e9f0b589b6387d193fcb420ddc045c0bc6d632 (patch) | |
| tree | bdd0ec8bc62b8e85bd0ae6e2df31ffaf3c98c83f | |
| parent | db081fad0e3b3933ca963fae085fd0c5c0764f80 (diff) | |
| download | nixcfg-50e9f0b589b6387d193fcb420ddc045c0bc6d632.tar.gz nixcfg-50e9f0b589b6387d193fcb420ddc045c0bc6d632.zip | |
Wesher secret key in /var/lib/wesher/secrets
| -rw-r--r-- | nix/configuration.nix | 1 | ||||
| -rw-r--r-- | nix/wesher_service.nix | 21 |
2 files changed, 19 insertions, 3 deletions
diff --git a/nix/configuration.nix b/nix/configuration.nix index 8af35e9..3f3aa49 100644 --- a/nix/configuration.nix +++ b/nix/configuration.nix @@ -85,6 +85,7 @@ SystemMaxUse=1G enable = true; join = [ "192.168.1.22" "192.168.1.23" ]; bindAddr = config.deuxfleurs.lan_ip; # for now + overlayNet = "10.14.0.0/16"; }; # ---- CONFIG FOR DEUXFLEURS CLUSTER ---- diff --git a/nix/wesher_service.nix b/nix/wesher_service.nix index be33a76..d269a2f 100644 --- a/nix/wesher_service.nix +++ b/nix/wesher_service.nix @@ -1,8 +1,8 @@ { config, lib, pkgs, ... }: with lib; let + keysPath = "/var/lib/wesher/secrets"; cfg = config.services.wesher; - in { options = with types; { services.wesher = { @@ -18,7 +18,7 @@ in { clusterKey = mkOption { type = nullOr str; default = null; - description = "shared key for cluster membership; must be 32 bytes base64 encoded; will be generated if not provided"; + description = "shared key for cluster membership to use on first initialization, if no key was previously used by Wesher. Must be 32 bytes base64 encoded; will be generated if not provided. Setting this parameter value will not overwrite an existing cluster key; to do so please delete ${keysPath}"; }; bindAddr = mkOption { @@ -74,6 +74,20 @@ in { config = mkIf cfg.enable (let binWesher = cfg.package + "/bin/wesher"; in { + system.activationScripts.wesher = if (cfg.clusterKey != null) then '' + if [ ! -e ${keysPath} ] + then + mkdir --mode=700 -p ${builtins.dirOf keysPath} + echo "WESHER_CLUSTER_KEY=${cfg.clusterKey}" > ${keysPath} + fi + '' else '' + if [ ! -e ${keysPath} ] + then + mkdir --mode=700 -p ${builtins.dirOf keysPath} + echo "WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)" > ${keysPath} + fi + ''; + systemd.services.wesher = { description = "wesher wireguard overlay mesh network manager"; bindsTo = [ "network-online.target" ]; @@ -89,7 +103,6 @@ in { WESHER_LOG_LEVEL = cfg.logLevel; WESHER_NO_ETC_HOSTS = "true"; } - // (if (cfg.clusterKey != null) then { WESHER_CLUSTER_KEY = cfg.clusterKey; } else {}) // (if (cfg.bindAddr != null) then { WESHER_BIND_ADDR = cfg.bindAddr; } else {}) // (if (cfg.bindIface != null) then { WESHER_BIND_IFACE = cfg.bindIface; } else {}) ; @@ -98,6 +111,8 @@ in { ExecStart = "${binWesher}"; Restart = "always"; + EnvironmentFile = keysPath; + User = "wesher"; DynamicUser = true; StateDirectory = "wesher"; |