-rw-r--r--cluster/staging/cluster.nix2
-rwxr-xr-xdeploy_nixos3
-rw-r--r--nix/deuxfleurs.nix1
-rw-r--r--nix/wgautomesh.nix14
4 files changed, 18 insertions, 2 deletions
diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
index 788ac69..8629f3a 100644
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@@ -34,7 +34,7 @@
site_name = "corrin";
publicKey = "m9rLf+233X1VColmeVrM/xfDGro5W6Gk5N0zqcf32WY=";
IP = "10.14.3.1";
- endpoint = "82.120.233.78:33721";
+ #endpoint = "82.120.233.78:33721";
}
{
hostname = "df-pw5";
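Review bot: The corrin peer's `endpoint` is commented out instead of removed, and nothing in the hunk records why, so the next reader cannot tell whether the address is stale, temporarily disabled, or meant to return. Either drop the line or keep it with a reason, e.g. `# endpoint disabled: <reason placeholder> — peers reach corrin via gossip/LAN discovery only` above it.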
diff --git a/deploy_nixos b/deploy_nixos
index b1c9be7..48ef9ea 100755
--- a/deploy_nixos
+++ b/deploy_nixos
@@ -9,6 +9,9 @@ copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
if [ "$CLUSTER" = "staging" ]; then
copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
+
+ cmd mkdir -p /var/lib/wgautomesh
+ write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
fi
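Review bot: The gossip key written by the new `write_pass` line lands in a directory that `cmd mkdir -p` creates with the default umask, and the page does not show what mode `write_pass` (defined outside this hunk) gives the file; unless that helper already restricts it, add `cmd chmod 0700 /var/lib/wgautomesh` and `cmd chmod 0600 /var/lib/wgautomesh/gossip_secret` right after the write, since the unit's `StateDirectoryMode = "0700"` in nix/wgautomesh.nix only takes effect once the service has started. The secret is deployed only when `$CLUSTER` is `staging`, while the nix/deuxfleurs.nix hunk sets `gossipSecretFile` to the same path with no visible cluster condition; if that `services.wgautomesh` block is not guarded per cluster, nodes of other clusters will point at a file this script never writes. `$CLUSTER` is also unquoted in the pass path; `"deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret"` is the safer spelling.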
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 4de99cf..e82e3f6 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -249,6 +249,7 @@ in
enable = true;
interface = "wg0";
gossipPort = 1666;
+ gossipSecretFile = "/var/lib/wgautomesh/gossip_secret";
upnpForwardPublicPort =
let
us = filter ({ hostname, ...}: hostname == config.networking.hostName) cfg.cluster_nodes;
diff --git a/nix/wgautomesh.nix b/nix/wgautomesh.nix
index 8812fb3..c09b874 100644
--- a/nix/wgautomesh.nix
+++ b/nix/wgautomesh.nix
@@ -23,6 +23,10 @@ in
type = types.port;
description = "wgautomesh gossip port";
};
+ gossipSecretFile = mkOption {
+ type = types.nullOr types.str;
+ description = "File containing the gossip secret encryption key";
+ };
lanDiscovery = mkOption {
type = types.bool;
default = true;
@@ -72,13 +76,16 @@ in
${endpointDef}
'') cfg.peers;
extraDefs = (if cfg.lanDiscovery then ["lan_discovery = true"] else [])
+ ++ (if (cfg.gossipSecretFile != null)
+ then [''gossip_secret_file = "${cfg.gossipSecretFile}"''] else [])
++ (if (cfg.upnpForwardPublicPort != null)
then [''upnp_forward_external_port = ${toString cfg.upnpForwardPublicPort}''] else []);
configfile = pkgs.writeText "wgautomesh.toml" ''
interface = "${cfg.interface}"
gossip_port = ${toString cfg.gossipPort}
+ ${concatStringsSep "\n" extraDefs}
- ${concatStringsSep "\n" (extraDefs ++ peerDefs)}
+ ${concatStringsSep "\n" peerDefs}
'';
in {
systemd.services.wgautomesh = {
@@ -95,7 +102,12 @@ in
Restart = "always";
RestartSec = "30";
+ ExecStartPre = [ "+${pkgs.coreutils}/bin/chown wgautomesh /var/lib/wgautomesh/gossip_secret" ];
+
DynamicUser = true;
+ User = "wgautomesh";
+ StateDirectory = "wgautomesh";
+ StateDirectoryMode = "0700";
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
};
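Review bot: The new `ExecStartPre` chowns the hard-coded path `/var/lib/wgautomesh/gossip_secret` unconditionally, while the option added in the first hunk is `types.nullOr types.str` and the config generator only emits `gossip_secret_file` when it is non-null, so a host that leaves the option unset (or points it elsewhere) gets a failed `chown` and a unit that never starts; make it `ExecStartPre = optional (cfg.gossipSecretFile != null)` / `  "+${pkgs.coreutils}/bin/chown wgautomesh ${cfg.gossipSecretFile}";` (assuming `lib` is opened with `with lib;`, as the unqualified `mkOption`/`concatStringsSep` suggest). The `gossipSecretFile` option itself has no `default = null;`, unlike `lanDiscovery`, so evaluating `cfg.gossipSecretFile != null` fails on any host that does not set it; add that default and state in the description that the file must be readable by the service user. With `DynamicUser = true` the UID is transient, so re-chowning the key on every start is what keeps it readable; passing it via `LoadCredential` instead would avoid a root-privileged `ExecStartPre` and any ownership change on the secret, provided wgautomesh can be pointed at the path systemd exposes.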