nixpkgs/nixos/modules/services/networking/tinc.nix

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.services.tinc;

in

{

  ###### interface

  options = {

    services.tinc = {

      networks = mkOption {
        default = { };
        type = with types; attrsOf (submodule {
          options = {

            extraConfig = mkOption {
              default = "";
              type = types.lines;
              description = ''
                Extra lines to add to the tinc service configuration file.
              '';
            };

            name = mkOption {
              default = null;
              type = types.nullOr types.str;
              description = ''
                The name of the node which is used as an identifier when communicating
                with the remote nodes in the mesh. If null then the hostname of the system
                is used to derive a name (note that tinc may replace non-alphanumeric characters in
                hostnames by underscores).
              '';
            };

            ed25519PrivateKeyFile = mkOption {
              default = null;
              type = types.nullOr types.path;
              description = ''
                Path of the private ed25519 keyfile.
              '';
            };

            debugLevel = mkOption {
              default = 0;
              type = types.addCheck types.int (l: l >= 0 && l <= 5);
              description = ''
                The amount of debugging information to add to the log. 0 means little
                logging while 5 is the most logging. <command>man tincd</command> for
                more details.
              '';
            };

            hosts = mkOption {
              default = { };
              type = types.attrsOf types.lines;
              description = ''
                The name of the host in the network as well as the configuration for that host.
                This name should only contain alphanumerics and underscores.
              '';
            };

            interfaceType = mkOption {
              default = "tun";
              type = types.enum [ "tun" "tap" ];
              description = ''
                The type of virtual interface used for the network connection
              '';
            };

            listenAddress = mkOption {
              default = null;
              type = types.nullOr types.str;
              description = ''
                The ip address to listen on for incoming connections.
              '';
            };

            bindToAddress = mkOption {
              default = null;
              type = types.nullOr types.str;
              description = ''
                The ip address to bind to (both listen on and send packets from).
              '';
            };

            package = mkOption {
              type = types.package;
              default = pkgs.tinc_pre;
              defaultText = "pkgs.tinc_pre";
              description = ''
                The package to use for the tinc daemon's binary.
              '';
            };

            chroot = mkOption {
              default = true;
              type = types.bool;
              description = ''
                Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security.
                The chroot is performed after all the initialization is done, after writing pid files and opening network sockets.

                Note that tinc can't run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment.
              '';
            };
          };
        });

        description = ''
          Defines the tinc networks which will be started.
          Each network invokes a different daemon.
        '';
      };
    };

  };


  ###### implementation

  config = mkIf (cfg.networks != { }) {

    environment.etc = fold (a: b: a // b) { }
      (flip mapAttrsToList cfg.networks (network: data:
        flip mapAttrs' data.hosts (host: text: nameValuePair
          ("tinc/${network}/hosts/${host}")
          ({ mode = "0644"; user = "tinc.${network}"; inherit text; })
        ) // {
          "tinc/${network}/tinc.conf" = {
            mode = "0444";
            text = ''
              Name = ${if data.name == null then "$HOST" else data.name}
              DeviceType = ${data.interfaceType}
              ${optionalString (data.ed25519PrivateKeyFile != null) "Ed25519PrivateKeyFile = ${data.ed25519PrivateKeyFile}"}
              ${optionalString (data.listenAddress != null) "ListenAddress = ${data.listenAddress}"}
              ${optionalString (data.bindToAddress != null) "BindToAddress = ${data.bindToAddress}"}
              Interface = tinc.${network}
              ${data.extraConfig}
            '';
          };
        }
      ));

    systemd.services = flip mapAttrs' cfg.networks (network: data: nameValuePair
      ("tinc.${network}")
      ({
        description = "Tinc Daemon - ${network}";
        wantedBy = [ "multi-user.target" ];
        path = [ data.package ];
        restartTriggers = [ config.environment.etc."tinc/${network}/tinc.conf".source ];
        serviceConfig = {
          Type = "simple";
          Restart = "always";
          RestartSec = "3";
          ExecStart = "${data.package}/bin/tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}";
        };
        preStart = ''
          mkdir -p /etc/tinc/${network}/hosts
          chown tinc.${network} /etc/tinc/${network}/hosts
          mkdir -p /etc/tinc/${network}/invitations
          chown tinc.${network} /etc/tinc/${network}/invitations

          # Determine how we should generate our keys
          if type tinc >/dev/null 2>&1; then
            # Tinc 1.1+ uses the tinc helper application for key generation
          ${if data.ed25519PrivateKeyFile != null then "  # Keyfile managed by nix" else ''
            # Prefer ED25519 keys (only in 1.1+)
            [ -f "/etc/tinc/${network}/ed25519_key.priv" ] || tinc -n ${network} generate-ed25519-keys
          ''}
            # Otherwise use RSA keys
            [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096
          else
            # Tinc 1.0 uses the tincd application
            [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096
          fi
        '';
      })
    );

    environment.systemPackages = let
      cli-wrappers = pkgs.stdenv.mkDerivation {
        name = "tinc-cli-wrappers";
        buildInputs = [ pkgs.makeWrapper ];
        buildCommand = ''
          mkdir -p $out/bin
          ${concatStringsSep "\n" (mapAttrsToList (network: data:
            optionalString (versionAtLeast data.package.version "1.1pre") ''
              makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" \
                --add-flags "--pidfile=/run/tinc.${network}.pid" \
                --add-flags "--config=/etc/tinc/${network}"
            '') cfg.networks)}
        '';
      };
    in [ cli-wrappers ];

    users.users = flip mapAttrs' cfg.networks (network: _:
      nameValuePair ("tinc.${network}") ({
        description = "Tinc daemon user for ${network}";
        isSystemUser = true;
      })
    );

  };

}
nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`

			`cfg = config.services.tinc;`

			`in`

			`{`

			`###### interface`

			`options = {`

			`services.tinc = {`

			`networks = mkOption {`
			`default = { };`
tinc module: networks, hosts option loaOf -> attrsOf 2016-11-16 16:32:02 +09:00			`type = with types; attrsOf (submodule {`
tinc module: optionSet -> submodule 2016-09-11 18:37:46 +09:00			`options = {`

			`extraConfig = mkOption {`
			`default = "";`
			`type = types.lines;`
			`description = ''`
			`Extra lines to add to the tinc service configuration file.`
			`'';`
			`};`

			`name = mkOption {`
			`default = null;`
			`type = types.nullOr types.str;`
			`description = ''`
			`The name of the node which is used as an identifier when communicating`
			`with the remote nodes in the mesh. If null then the hostname of the system`
tinc: Mention in docs that the host name may not be used verbatim. (#26157) * tinc: Mention in docs that the host name may not be used verbatim. Source: https://github.com/gsliepen/tinc/blob/5c344f297682cf11793407fca4547968aee22d95/src/net_setup.c#L341 * tinc: also replaces non-alphanumeric characters. 2017-05-27 17:31:25 +02:00			`is used to derive a name (note that tinc may replace non-alphanumeric characters in`
			`hostnames by underscores).`
tinc module: optionSet -> submodule 2016-09-11 18:37:46 +09:00			`'';`
			`};`

			`ed25519PrivateKeyFile = mkOption {`
			`default = null;`
			`type = types.nullOr types.path;`
			`description = ''`
			`Path of the private ed25519 keyfile.`
			`'';`
			`};`

			`debugLevel = mkOption {`
			`default = 0;`
			`type = types.addCheck types.int (l: l >= 0 && l <= 5);`
			`description = ''`
			`The amount of debugging information to add to the log. 0 means little`
			`logging while 5 is the most logging. <command>man tincd</command> for`
			`more details.`
			`'';`
			`};`

			`hosts = mkOption {`
			`default = { };`
tinc module: networks, hosts option loaOf -> attrsOf 2016-11-16 16:32:02 +09:00			`type = types.attrsOf types.lines;`
tinc module: optionSet -> submodule 2016-09-11 18:37:46 +09:00			`description = ''`
			`The name of the host in the network as well as the configuration for that host.`
			`This name should only contain alphanumerics and underscores.`
			`'';`
			`};`

			`interfaceType = mkOption {`
			`default = "tun";`
tinc module: use enum 2016-11-04 13:04:17 +09:00			`type = types.enum [ "tun" "tap" ];`
tinc module: optionSet -> submodule 2016-09-11 18:37:46 +09:00			`description = ''`
			`The type of virtual interface used for the network connection`
			`'';`
			`};`

			`listenAddress = mkOption {`
			`default = null;`
			`type = types.nullOr types.str;`
			`description = ''`
tinc service: BindToAddress and ListenAddress are different options, they should not be mistaken 2017-07-14 11:47:15 +01:00			`The ip address to listen on for incoming connections.`
			`'';`
			`};`

			`bindToAddress = mkOption {`
			`default = null;`
			`type = types.nullOr types.str;`
			`description = ''`
			`The ip address to bind to (both listen on and send packets from).`
tinc module: optionSet -> submodule 2016-09-11 18:37:46 +09:00			`'';`
			`};`

			`package = mkOption {`
			`type = types.package;`
			`default = pkgs.tinc_pre;`
			`defaultText = "pkgs.tinc_pre";`
			`description = ''`
			`The package to use for the tinc daemon's binary.`
			`'';`
			`};`

			`chroot = mkOption {`
			`default = true;`
			`type = types.bool;`
			`description = ''`
			`Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security.`
			`The chroot is performed after all the initialization is done, after writing pid files and opening network sockets.`

			`Note that tinc can't run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment.`
			`'';`
			`};`
			`};`
			`});`

nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00			`description = ''`
			`Defines the tinc networks which will be started.`
			`Each network invokes a different daemon.`
			`'';`
			`};`
			`};`

			`};`


			`###### implementation`

			`config = mkIf (cfg.networks != { }) {`

			`environment.etc = fold (a: b: a // b) { }`
			`(flip mapAttrsToList cfg.networks (network: data:`
			`flip mapAttrs' data.hosts (host: text: nameValuePair`
			`("tinc/${network}/hosts/${host}")`
tinc: allow the daemon to write to files in /etc/tinc/${network}/hosts 2017-07-15 08:58:07 +00:00			`({ mode = "0644"; user = "tinc.${network}"; inherit text; })`
nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00			`) // {`
			`"tinc/${network}/tinc.conf" = {`
			`mode = "0444";`
			`text = ''`
			`Name = ${if data.name == null then "$HOST" else data.name}`
			`DeviceType = ${data.interfaceType}`
tinc module: Ed25519PrivateKeyFile, listenAddress 2015-11-09 18:21:30 +01:00			`${optionalString (data.ed25519PrivateKeyFile != null) "Ed25519PrivateKeyFile = ${data.ed25519PrivateKeyFile}"}`
tinc service: BindToAddress and ListenAddress are different options, they should not be mistaken 2017-07-14 11:47:15 +01:00			`${optionalString (data.listenAddress != null) "ListenAddress = ${data.listenAddress}"}`
			`${optionalString (data.bindToAddress != null) "BindToAddress = ${data.bindToAddress}"}`
nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00			`Interface = tinc.${network}`
			`${data.extraConfig}`
			`'';`
			`};`
			`}`
			`));`

			`systemd.services = flip mapAttrs' cfg.networks (network: data: nameValuePair`
			`("tinc.${network}")`
			`({`
			`description = "Tinc Daemon - ${network}";`
tinc service: remove use of network-interfaces.target 2016-09-10 20:18:51 +02:00			`wantedBy = [ "multi-user.target" ];`
nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00			`path = [ data.package ];`
nixos/tinc: minor fixes 2018-06-12 23:27:52 +00:00			`restartTriggers = [ config.environment.etc."tinc/${network}/tinc.conf".source ];`
nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00			`serviceConfig = {`
			`Type = "simple";`
tinc_pre: avoid infinite loop with EBADFD on network restart 2017-07-27 13:17:13 +00:00			`Restart = "always";`
			`RestartSec = "3";`
nixos/tinc: remove useless script argument ExecStart is sufficient and more transparent to the user. 2017-09-27 16:02:23 +01:00			`ExecStart = "${data.package}/bin/tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}";`
nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00			`};`
			`preStart = ''`
			`mkdir -p /etc/tinc/${network}/hosts`
tinc: allow the daemon to write to files in /etc/tinc/${network}/hosts Follow up https://github.com/NixOS/nixpkgs/pull/27756: tinc daemon may also create new files in ```/etc/tinc/$network/hosts``` 2017-08-09 22:07:01 +00:00			`chown tinc.${network} /etc/tinc/${network}/hosts`
tinc: enable invitations 2018-02-23 11:59:37 -05:00			`mkdir -p /etc/tinc/${network}/invitations`
			`chown tinc.${network} /etc/tinc/${network}/invitations`
nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00
nixos/tinc: Fix key generation behavior and use tinc 1.1 by default 2015-02-05 23:37:20 -08:00			`# Determine how we should generate our keys`
			`if type tinc >/dev/null 2>&1; then`
			`# Tinc 1.1+ uses the tinc helper application for key generation`
tinc module: Ed25519PrivateKeyFile, listenAddress 2015-11-09 18:21:30 +01:00			`${if data.ed25519PrivateKeyFile != null then " # Keyfile managed by nix" else ''`
nixos/tinc: Fix key generation behavior and use tinc 1.1 by default 2015-02-05 23:37:20 -08:00			`# Prefer ED25519 keys (only in 1.1+)`
			`[ -f "/etc/tinc/${network}/ed25519_key.priv" ] \|\| tinc -n ${network} generate-ed25519-keys`
tinc module: Ed25519PrivateKeyFile, listenAddress 2015-11-09 18:21:30 +01:00			`''}`
nixos/tinc: Fix key generation behavior and use tinc 1.1 by default 2015-02-05 23:37:20 -08:00			`# Otherwise use RSA keys`
			`[ -f "/etc/tinc/${network}/rsa_key.priv" ] \|\| tinc -n ${network} generate-rsa-keys 4096`
			`else`
			`# Tinc 1.0 uses the tincd application`
			`[ -f "/etc/tinc/${network}/rsa_key.priv" ] \|\| tincd -n ${network} -K 4096`
			`fi`
nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00			`'';`
			`})`
			`);`

tinc service: add CLI tools to the $PATH Now user can execute e.g. "sudo tinc.netname dump nodes" 2017-07-21 13:43:44 +00:00			`environment.systemPackages = let`
			`cli-wrappers = pkgs.stdenv.mkDerivation {`
			`name = "tinc-cli-wrappers";`
			`buildInputs = [ pkgs.makeWrapper ];`
			`buildCommand = ''`
			`mkdir -p $out/bin`
nixos/tinc: Fix tinc cli wrapper for tinc 1.0. tinc prior to 1.1 doesn't have the `tinc` executable, and `tincd` isn't of any use while the daemon already runs. 2017-09-16 22:05:25 +02:00			`${concatStringsSep "\n" (mapAttrsToList (network: data:`
			`optionalString (versionAtLeast data.package.version "1.1pre") ''`
			`makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" \`
nixos/tinc: minor fixes 2018-06-12 23:27:52 +00:00			`--add-flags "--pidfile=/run/tinc.${network}.pid" \`
			`--add-flags "--config=/etc/tinc/${network}"`
tinc service: add CLI tools to the $PATH Now user can execute e.g. "sudo tinc.netname dump nodes" 2017-07-21 13:43:44 +00:00			`'') cfg.networks)}`
			`'';`
			`};`
			`in [ cli-wrappers ];`

nixos/modules: users.(extraUsers\|extraGroup->users\|group) 2018-06-30 01:58:35 +02:00			`users.users = flip mapAttrs' cfg.networks (network: _:`
nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00			`nameValuePair ("tinc.${network}") ({`
			`description = "Tinc daemon user for ${network}";`
nixos/tinc: users are system users 2015-05-21 20:11:13 -07:00			`isSystemUser = true;`
nixos/tinc: Add daemon configuration 2014-08-23 17:33:31 -07:00			`})`
			`);`

			`};`

			`}`