|
8 | 8 | configFileProvided = cfg.configFile != null; |
9 | 9 |
|
10 | 10 | format = pkgs.formats.json { }; |
11 | | -in { |
| 11 | +in |
| 12 | +{ |
12 | 13 | imports = [ |
13 | 14 | (mkRenamedOptionModule |
14 | 15 | [ "services" "yggdrasil" "config" ] |
|
21 | 22 |
|
22 | 23 | settings = mkOption { |
23 | 24 | type = format.type; |
24 | | - default = {}; |
| 25 | + default = { }; |
25 | 26 | example = { |
26 | 27 | Peers = [ |
27 | 28 | "tcp://aa.bb.cc.dd:eeeee" |
|
90 | 91 |
|
91 | 92 | denyDhcpcdInterfaces = mkOption { |
92 | 93 | type = listOf str; |
93 | | - default = []; |
| 94 | + default = [ ]; |
94 | 95 | example = [ "tap*" ]; |
95 | 96 | description = lib.mdDoc '' |
96 | 97 | Disable the DHCP client for any interface whose name matches |
@@ -118,80 +119,82 @@ in { |
118 | 119 | }; |
119 | 120 | }; |
120 | 121 |
|
121 | | - config = mkIf cfg.enable (let binYggdrasil = cfg.package + "/bin/yggdrasil"; |
122 | | - in { |
123 | | - assertions = [{ |
124 | | - assertion = config.networking.enableIPv6; |
125 | | - message = "networking.enableIPv6 must be true for yggdrasil to work"; |
126 | | - }]; |
127 | | - |
128 | | - system.activationScripts.yggdrasil = mkIf cfg.persistentKeys '' |
129 | | - if [ ! -e ${keysPath} ] |
130 | | - then |
131 | | - mkdir --mode=700 -p ${builtins.dirOf keysPath} |
132 | | - ${binYggdrasil} -genconf -json \ |
133 | | - | ${pkgs.jq}/bin/jq \ |
134 | | - 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ |
135 | | - > ${keysPath} |
136 | | - fi |
137 | | - ''; |
138 | | - |
139 | | - systemd.services.yggdrasil = { |
140 | | - description = "Yggdrasil Network Service"; |
141 | | - after = [ "network-pre.target" ]; |
142 | | - wants = [ "network.target" ]; |
143 | | - before = [ "network.target" ]; |
144 | | - wantedBy = [ "multi-user.target" ]; |
145 | | - |
146 | | - preStart = |
147 | | - (if settingsProvided || configFileProvided || cfg.persistentKeys then |
148 | | - "echo " |
149 | | - |
150 | | - + (lib.optionalString settingsProvided |
151 | | - "'${builtins.toJSON cfg.settings}'") |
152 | | - + (lib.optionalString configFileProvided "$(cat ${cfg.configFile})") |
153 | | - + (lib.optionalString cfg.persistentKeys "$(cat ${keysPath})") |
154 | | - + " | ${pkgs.jq}/bin/jq -s add | ${binYggdrasil} -normaliseconf -useconf" |
155 | | - else |
156 | | - "${binYggdrasil} -genconf") + " > /run/yggdrasil/yggdrasil.conf"; |
157 | | - |
158 | | - serviceConfig = { |
159 | | - ExecStart = |
160 | | - "${binYggdrasil} -useconffile /run/yggdrasil/yggdrasil.conf"; |
161 | | - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; |
162 | | - Restart = "always"; |
163 | | - |
164 | | - DynamicUser = true; |
165 | | - StateDirectory = "yggdrasil"; |
166 | | - RuntimeDirectory = "yggdrasil"; |
167 | | - RuntimeDirectoryMode = "0750"; |
168 | | - BindReadOnlyPaths = lib.optional configFileProvided cfg.configFile |
169 | | - ++ lib.optional cfg.persistentKeys keysPath; |
170 | | - ReadWritePaths = "/run/yggdrasil"; |
171 | | - |
172 | | - AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; |
173 | | - CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; |
174 | | - MemoryDenyWriteExecute = true; |
175 | | - ProtectControlGroups = true; |
176 | | - ProtectHome = "tmpfs"; |
177 | | - ProtectKernelModules = true; |
178 | | - ProtectKernelTunables = true; |
179 | | - RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; |
180 | | - RestrictNamespaces = true; |
181 | | - RestrictRealtime = true; |
182 | | - SystemCallArchitectures = "native"; |
183 | | - SystemCallFilter = [ "@system-service" "~@privileged @keyring" ]; |
184 | | - } // (if (cfg.group != null) then { |
185 | | - Group = cfg.group; |
186 | | - } else {}); |
187 | | - }; |
| 122 | + config = mkIf cfg.enable ( |
| 123 | + let binYggdrasil = cfg.package + "/bin/yggdrasil"; |
| 124 | + in { |
| 125 | + assertions = [{ |
| 126 | + assertion = config.networking.enableIPv6; |
| 127 | + message = "networking.enableIPv6 must be true for yggdrasil to work"; |
| 128 | + }]; |
| 129 | + |
| 130 | + system.activationScripts.yggdrasil = mkIf cfg.persistentKeys '' |
| 131 | + if [ ! -e ${keysPath} ] |
| 132 | + then |
| 133 | + mkdir --mode=700 -p ${builtins.dirOf keysPath} |
| 134 | + ${binYggdrasil} -genconf -json \ |
| 135 | + | ${pkgs.jq}/bin/jq \ |
| 136 | + 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ |
| 137 | + > ${keysPath} |
| 138 | + fi |
| 139 | + ''; |
| 140 | + |
| 141 | + systemd.services.yggdrasil = { |
| 142 | + description = "Yggdrasil Network Service"; |
| 143 | + after = [ "network-pre.target" ]; |
| 144 | + wants = [ "network.target" ]; |
| 145 | + before = [ "network.target" ]; |
| 146 | + wantedBy = [ "multi-user.target" ]; |
| 147 | + |
| 148 | + preStart = |
| 149 | + (if settingsProvided || configFileProvided || cfg.persistentKeys then |
| 150 | + "echo " |
| 151 | + |
| 152 | + + (lib.optionalString settingsProvided |
| 153 | + "'${builtins.toJSON cfg.settings}'") |
| 154 | + + (lib.optionalString configFileProvided "$(cat ${cfg.configFile})") |
| 155 | + + (lib.optionalString cfg.persistentKeys "$(cat ${keysPath})") |
| 156 | + + " | ${pkgs.jq}/bin/jq -s add | ${binYggdrasil} -normaliseconf -useconf" |
| 157 | + else |
| 158 | + "${binYggdrasil} -genconf") + " > /run/yggdrasil/yggdrasil.conf"; |
| 159 | + |
| 160 | + serviceConfig = { |
| 161 | + ExecStart = |
| 162 | + "${binYggdrasil} -useconffile /run/yggdrasil/yggdrasil.conf"; |
| 163 | + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; |
| 164 | + Restart = "always"; |
| 165 | + |
| 166 | + DynamicUser = true; |
| 167 | + StateDirectory = "yggdrasil"; |
| 168 | + RuntimeDirectory = "yggdrasil"; |
| 169 | + RuntimeDirectoryMode = "0750"; |
| 170 | + BindReadOnlyPaths = lib.optional configFileProvided cfg.configFile |
| 171 | + ++ lib.optional cfg.persistentKeys keysPath; |
| 172 | + ReadWritePaths = "/run/yggdrasil"; |
| 173 | + |
| 174 | + AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; |
| 175 | + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; |
| 176 | + MemoryDenyWriteExecute = true; |
| 177 | + ProtectControlGroups = true; |
| 178 | + ProtectHome = "tmpfs"; |
| 179 | + ProtectKernelModules = true; |
| 180 | + ProtectKernelTunables = true; |
| 181 | + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; |
| 182 | + RestrictNamespaces = true; |
| 183 | + RestrictRealtime = true; |
| 184 | + SystemCallArchitectures = "native"; |
| 185 | + SystemCallFilter = [ "@system-service" "~@privileged @keyring" ]; |
| 186 | + } // (if (cfg.group != null) then { |
| 187 | + Group = cfg.group; |
| 188 | + } else { }); |
| 189 | + }; |
188 | 190 |
|
189 | | - networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces; |
190 | | - networking.firewall.allowedUDPPorts = mkIf cfg.openMulticastPort [ 9001 ]; |
| 191 | + networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces; |
| 192 | + networking.firewall.allowedUDPPorts = mkIf cfg.openMulticastPort [ 9001 ]; |
191 | 193 |
|
192 | | - # Make yggdrasilctl available on the command line. |
193 | | - environment.systemPackages = [ cfg.package ]; |
194 | | - }); |
| 194 | + # Make yggdrasilctl available on the command line. |
| 195 | + environment.systemPackages = [ cfg.package ]; |
| 196 | + } |
| 197 | + ); |
195 | 198 | meta = { |
196 | 199 | doc = ./yggdrasil.md; |
197 | 200 | maintainers = with lib.maintainers; [ gazally ehmry ]; |
|