krebs.tinc: add support for ED25519 keys

This commit is contained in:
tv 2020-09-05 01:17:51 +02:00
parent 69c052b7d3
commit 6b248db017
2 changed files with 40 additions and 3 deletions


@ -29,6 +29,9 @@ let
Interface = ${netname} Interface = ${netname}
Broadcast = no Broadcast = no
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo} ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
${optionalString (tinc.config.privkey_ed25519 != null)
"Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}"
}
PrivateKeyFile = ${tinc.config.privkey.path} PrivateKeyFile = ${tinc.config.privkey.path}
Port = ${toString tinc.config.host.nets.${netname}.tinc.port} Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
${tinc.config.extraConfig} ${tinc.config.extraConfig}
@ -165,6 +168,17 @@ let
}; };
}; };
privkey_ed25519 = mkOption {
type = types.nullOr types.secret-file;
default =
if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {
name = "${tinc.config.netname}.ed25519_key.priv";
path = "${tinc.config.user.home}/tinc.ed25519_key.priv";
owner = tinc.config.user;
source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
};
};
connectTo = mkOption { connectTo = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
${if tinc.config.netname == "retiolum" then "default" else null} = [ ${if tinc.config.netname == "retiolum" then "default" else null} = [
@ -198,8 +212,23 @@ let
# TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network, # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
# avoid conflicts in environment if the packages differ # avoid conflicts in environment if the packages differ
krebs.secret.files = mapAttrs' (netname: cfg: krebs.secret.files =
nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; let
ed25519_keys =
filterAttrs
(_: key: key != null)
(mapAttrs'
(netname: cfg:
nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519
)
config.krebs.tinc);
rsa_keys =
mapAttrs'
(netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey)
config.krebs.tinc;
in
ed25519_keys // rsa_keys;
users.users = mapAttrs' (netname: cfg: users.users = mapAttrs' (netname: cfg:
nameValuePair "${netname}" { nameValuePair "${netname}" {
@ -221,11 +250,15 @@ let
in { in {
description = "Tinc daemon for ${netname}"; description = "Tinc daemon for ${netname}";
after = [ after = [
config.krebs.secret.files."${netname}.rsa_key.priv".service
"network.target" "network.target"
config.krebs.secret.files."${netname}.rsa_key.priv".service
] ++ optionals (cfg.privkey_ed25519 != null) [
config.krebs.secret.files."${netname}.ed25519_key.priv".service
]; ];
partOf = [ partOf = [
config.krebs.secret.files."${netname}.rsa_key.priv".service config.krebs.secret.files."${netname}.rsa_key.priv".service
] ++ optionals (cfg.privkey_ed25519 != null) [
config.krebs.secret.files."${netname}.ed25519_key.priv".service
]; ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ tinc iproute ]; path = [ tinc iproute ];
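Review bot: The new `privkey_ed25519` default (second hunk, the `if ... == null` line) resolves the host through `config.krebs.hosts.${tinc.config.host.name}`, whereas the rest of this module reads the host directly (`tinc.config.host.nets.${netname}.tinc.port` in the first hunk); if `tinc.config.host` can ever be set to something other than the entry in `config.krebs.hosts`, the default would not see the configured `pubkey_ed25519` and no private key would be provisioned or referenced. Using the same path everywhere, `if tinc.config.host.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else {`, keeps the two lookups from drifting. The option also lacks a `description`; a sentence noting that it defaults to a secret file `<secrets>/<netname>.ed25519_key.priv` whenever the host advertises a `pubkey_ed25519`, and that setting it to `null` drops `Ed25519PrivateKeyFile` from tinc.conf, would make the coupling to the public key explicit. The enclosing module body starts and ends outside these hunks.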


@ -179,6 +179,10 @@ rec {
pubkey = mkOption { pubkey = mkOption {
type = tinc-pubkey; type = tinc-pubkey;
}; };
pubkey_ed25519 = mkOption {
type = nullOr tinc-pubkey;
default = null;
};
extraConfig = mkOption { extraConfig = mkOption {
description = "Extra Configuration to be appended to the hosts file"; description = "Extra Configuration to be appended to the hosts file";
default = ""; default = "";
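Review bot: `pubkey_ed25519` reuses `tinc-pubkey`, the type introduced for the RSA `pubkey` option; if that type's check is specific to the PEM encoding tinc uses for RSA keys, the Ed25519 public keys tinc writes into host files (a single `Ed25519PublicKey = ...` value) would be rejected, and if it is only a string alias then neither key format is validated — worth confirming against the `tinc-pubkey` definition, which is outside this hunk. A `description` stating the expected encoding would also help, e.g. `description = "Ed25519 public key of this host as written in its tinc host file, or null if the host has no Ed25519 key.";`. The enclosing `rec { ... }` attribute set starts and ends outside the hunk.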