Merge remote-tracking branch 'ni/master'
This commit is contained in:
commit
29b796f521
3
ci.nix
3
ci.nix
@ -8,6 +8,9 @@ let
|
||||
imports = [
|
||||
./krebs
|
||||
./krebs/2configs
|
||||
({ config, ... }: {
|
||||
krebs.build.host = config.krebs.hosts.test-all-krebs-modules;
|
||||
})
|
||||
];
|
||||
}];
|
||||
}
|
||||
|
@ -50,6 +50,7 @@ let
|
||||
./shadow.nix
|
||||
./ssl.nix
|
||||
./sync-containers.nix
|
||||
./systemd.nix
|
||||
./tinc.nix
|
||||
./tinc_graphs.nix
|
||||
./upstream
|
||||
|
@ -36,7 +36,7 @@ let
|
||||
type = types.user;
|
||||
default = {
|
||||
name = "fcgiwrap";
|
||||
home = toString pkgs.empty;
|
||||
home = toString pkgs.emptyDirectory;
|
||||
};
|
||||
};
|
||||
};
|
||||
@ -111,7 +111,7 @@ let
|
||||
type = types.user;
|
||||
default = {
|
||||
name = "git";
|
||||
home = toString pkgs.empty;
|
||||
home = toString pkgs.emptyDirectory;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
67
krebs/3modules/systemd.nix
Normal file
67
krebs/3modules/systemd.nix
Normal file
@ -0,0 +1,67 @@
|
||||
{ config, pkgs, ... }: let {
|
||||
lib = import ../../lib;
|
||||
|
||||
body.options.krebs.systemd.services = lib.mkOption {
|
||||
default = {};
|
||||
type = lib.types.attrsOf (lib.types.submodule {
|
||||
options = {
|
||||
ifCredentialsChange = lib.mkOption {
|
||||
default = "restart";
|
||||
description = ''
|
||||
Whether to reload or restart the service whenever any its
|
||||
credentials change. Only credentials with an absolute path in
|
||||
LoadCredential= are supported.
|
||||
'';
|
||||
type = lib.types.enum [
|
||||
"reload"
|
||||
"restart"
|
||||
null
|
||||
];
|
||||
};
|
||||
serviceConfig.LoadCredential = lib.mkOption {
|
||||
apply = lib.toList;
|
||||
type =
|
||||
lib.types.either lib.types.str (lib.types.listOf lib.types.str);
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
|
||||
body.config.systemd =
|
||||
lib.mkMerge
|
||||
(lib.flatten
|
||||
(lib.mapAttrsToList (serviceName: cfg: let
|
||||
paths =
|
||||
lib.filter
|
||||
lib.types.absolute-pathname.check
|
||||
(map
|
||||
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
|
||||
cfg.serviceConfig.LoadCredential);
|
||||
in
|
||||
lib.singleton {
|
||||
services.${serviceName} = {
|
||||
serviceConfig = {
|
||||
LoadCredential = cfg.serviceConfig.LoadCredential;
|
||||
};
|
||||
};
|
||||
}
|
||||
++
|
||||
lib.optionals (cfg.ifCredentialsChange != null) (map (path: let
|
||||
triggerName = "trigger-${lib.systemd.encodeName path}";
|
||||
in {
|
||||
paths.${triggerName} = {
|
||||
wantedBy = ["multi-user.target"];
|
||||
pathConfig.PathChanged = path;
|
||||
};
|
||||
services.${triggerName} = {
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = lib.singleton (toString [
|
||||
"${pkgs.systemd}/bin/systemctl ${cfg.ifCredentialsChange}"
|
||||
(lib.shell.escape serviceName)
|
||||
]);
|
||||
};
|
||||
};
|
||||
}) paths)
|
||||
) config.krebs.systemd.services));
|
||||
}
|
@ -1,12 +1,6 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
out = {
|
||||
options.krebs.tinc = api;
|
||||
config = imp;
|
||||
};
|
||||
|
||||
api = mkOption {
|
||||
{ config, pkgs, ... }: {
|
||||
options.krebs.tinc = mkOption {
|
||||
default = {};
|
||||
description = ''
|
||||
define a tinc network
|
||||
@ -28,10 +22,6 @@ let
|
||||
Interface = ${netname}
|
||||
Broadcast = no
|
||||
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
|
||||
${optionalString (tinc.config.privkey_ed25519 != null)
|
||||
"Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}"
|
||||
}
|
||||
PrivateKeyFile = ${tinc.config.privkey.path}
|
||||
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
|
||||
${tinc.config.extraConfig}
|
||||
'';
|
||||
@ -169,25 +159,17 @@ let
|
||||
};
|
||||
|
||||
privkey = mkOption {
|
||||
type = types.secret-file;
|
||||
default = {
|
||||
name = "${tinc.config.netname}.rsa_key.priv";
|
||||
path = "${tinc.config.user.home}/tinc.rsa_key.priv";
|
||||
owner = tinc.config.user;
|
||||
source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
|
||||
};
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
|
||||
defaultText = "‹secrets/‹netname›.rsa_key.priv›";
|
||||
};
|
||||
|
||||
privkey_ed25519 = mkOption {
|
||||
type = types.nullOr types.secret-file;
|
||||
type = types.nullOr types.absolute-pathname;
|
||||
default =
|
||||
if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {
|
||||
name = "${tinc.config.netname}.ed25519_key.priv";
|
||||
path = "${tinc.config.user.home}/tinc.ed25519_key.priv";
|
||||
owner = tinc.config.user;
|
||||
source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
|
||||
};
|
||||
if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
|
||||
then null
|
||||
else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
|
||||
defaultText = "‹secrets/‹netname›.ed25519_key.priv›";
|
||||
};
|
||||
|
||||
@ -226,28 +208,7 @@ let
|
||||
}));
|
||||
};
|
||||
|
||||
imp = {
|
||||
# TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
|
||||
# avoid conflicts in environment if the packages differ
|
||||
|
||||
krebs.secret.files =
|
||||
let
|
||||
ed25519_keys =
|
||||
filterAttrs
|
||||
(_: key: key != null)
|
||||
(mapAttrs'
|
||||
(netname: cfg:
|
||||
nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519
|
||||
)
|
||||
config.krebs.tinc);
|
||||
|
||||
rsa_keys =
|
||||
mapAttrs'
|
||||
(netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey)
|
||||
config.krebs.tinc;
|
||||
in
|
||||
ed25519_keys // rsa_keys;
|
||||
|
||||
config = {
|
||||
users.users = mapAttrs' (netname: cfg:
|
||||
nameValuePair "${netname}" {
|
||||
inherit (cfg.user) home name uid;
|
||||
@ -267,34 +228,42 @@ let
|
||||
}
|
||||
) config.krebs.tinc;
|
||||
|
||||
systemd.services = mapAttrs (netname: cfg:
|
||||
let
|
||||
tinc = cfg.tincPackage;
|
||||
iproute = cfg.iproutePackage;
|
||||
in {
|
||||
description = "Tinc daemon for ${netname}";
|
||||
after = [
|
||||
"network.target"
|
||||
config.krebs.secret.files."${netname}.rsa_key.priv".service
|
||||
] ++ optionals (cfg.privkey_ed25519 != null) [
|
||||
config.krebs.secret.files."${netname}.ed25519_key.priv".service
|
||||
krebs.systemd.services = mapAttrs (netname: cfg: {
|
||||
serviceConfig.LoadCredential = filter (x: x != "") [
|
||||
(optionalString (cfg.privkey_ed25519 != null)
|
||||
"ed25519_key:${cfg.privkey_ed25519}"
|
||||
)
|
||||
"rsa_key:${cfg.privkey}"
|
||||
];
|
||||
}) config.krebs.tinc;
|
||||
|
||||
systemd.services = mapAttrs (netname: cfg: {
|
||||
description = "Tinc daemon for ${netname}";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [
|
||||
cfg.iproutePackage
|
||||
cfg.tincPackage
|
||||
];
|
||||
reloadIfChanged = true;
|
||||
restartTriggers = [ cfg.confDir ];
|
||||
serviceConfig = {
|
||||
Restart = "always";
|
||||
ExecStart = toString [
|
||||
"${cfg.tincPackage}/sbin/tincd"
|
||||
"-D"
|
||||
"-U ${cfg.user.name}"
|
||||
"-c /etc/tinc/${netname}"
|
||||
"-d 0"
|
||||
(optionalString (cfg.privkey_ed25519 != null)
|
||||
"-o Ed25519PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/ed25519_key"
|
||||
)
|
||||
"-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
|
||||
"--pidfile=/var/run/tinc.${netname}.pid"
|
||||
];
|
||||
partOf = [
|
||||
config.krebs.secret.files."${netname}.rsa_key.priv".service
|
||||
] ++ optionals (cfg.privkey_ed25519 != null) [
|
||||
config.krebs.secret.files."${netname}.ed25519_key.priv".service
|
||||
];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ tinc iproute ];
|
||||
reloadIfChanged = true;
|
||||
restartTriggers = [ cfg.confDir ];
|
||||
serviceConfig = rec {
|
||||
Restart = "always";
|
||||
ExecStart = "${tinc}/sbin/tincd -c /etc/tinc/${netname} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
|
||||
ExecReload = "${tinc}/sbin/tinc -n ${netname} reload";
|
||||
SyslogIdentifier = netname;
|
||||
};
|
||||
}
|
||||
) config.krebs.tinc;
|
||||
ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
|
||||
SyslogIdentifier = netname;
|
||||
};
|
||||
}) config.krebs.tinc;
|
||||
};
|
||||
in out
|
||||
}
|
||||
|
@ -1,2 +0,0 @@
|
||||
{ pkgs }:
|
||||
pkgs.runCommand "empty-1.0.0" {} "mkdir $out"
|
@ -39,6 +39,8 @@ let
|
||||
listToAttrs (map (name: nameValuePair name set.${name})
|
||||
(filter (flip hasAttr set) names));
|
||||
|
||||
maybeHead = x: if isList x && length x > 0 then head x else null;
|
||||
|
||||
packageName = pkg:
|
||||
pkg.pname or (parseDrvName pkg.name).name;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user