retiolum/modules/retiolum/default.nix

113 lines
3.0 KiB
Nix

{ config, pkgs, lib, ... }:
with lib;
let
netname = "retiolum";
cfg = config.networking.retiolum;
hosts = ../../hosts;
genipv6 = import ./genipv6.nix { inherit lib; };
in {
options = {
networking.retiolum.ipv4 = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
own ipv4 address
'';
};
networking.retiolum.ipv6 = mkOption {
type = types.str;
default = (genipv6 "retiolum" "external" {
hostName = cfg.nodename;
}).address;
description = ''
own ipv6 address
'';
};
networking.retiolum.nodename = mkOption {
type = types.str;
default = config.networking.hostName;
description = ''
tinc network name
'';
};
};
config = {
services.tinc.networks.${netname} = {
name = cfg.nodename;
# allow resolving dns
chroot = false;
extraConfig = ''
LocalDiscovery = yes
ConnectTo = eva
ConnectTo = eve
ConnectTo = ni
ConnectTo = prism
AutoConnect = yes
'';
};
networking.extraHosts = if (cfg.ipv4 == null) then
builtins.readFile ../../etc.hosts-v6only
else
builtins.readFile ../../etc.hosts;
environment.systemPackages = [
config.services.tinc.networks.${netname}.package
];
systemd.services."tinc.${netname}-host-keys" = let
install-keys = pkgs.writeShellScript "install-keys" ''
rm -rf /etc/tinc/${netname}/hosts
cp -R ${hosts} /etc/tinc/${netname}/hosts
chown -R tinc.${netname} /etc/tinc/${netname}/hosts
chmod -R u+w /etc/tinc/${netname}/hosts
'';
in {
description = "Install tinc.${netname} host keys";
wantedBy = [ "multi-user.target" ];
before = [ "tinc.${netname}.service" ];
# we reload here to be reloaded before tinc reloads
reloadIfChanged = true;
serviceConfig = {
Type = "oneshot";
ExecStart = install-keys;
ExecReload = install-keys;
RemainAfterExit = true;
};
};
systemd.services."tinc.${netname}" = {
restartTriggers = [ hosts ];
# Some hosts require VPN for nixos-rebuild, so we don't want to restart it on update
reloadIfChanged = true;
# also in https://github.com/NixOS/nixpkgs/pull/106715
serviceConfig.ExecReload = "${config.services.tinc.networks.${netname}.package}/bin/tinc -n ${netname} reload";
};
networking.firewall.allowedTCPPorts = [ 655 ];
networking.firewall.allowedUDPPorts = [ 655 ];
warnings = lib.optional (cfg.ipv6 == null) ''
`networking.retiolum.ipv6` is not set
'';
systemd.network.enable = true;
systemd.network.networks."${netname}".extraConfig = ''
[Match]
Name = tinc.${netname}
[Link]
# tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
MTUBytes=1377
[Network]
${optionalString (cfg.ipv4 != null) "Address=${cfg.ipv4}/12"}
${optionalString (cfg.ipv6 != null) "Address=${cfg.ipv6}/12"}
'';
};
}