public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #93538 from erictapen/tinc-rsa-key-file 

nixos/tinc: allow configuration of RSA private key file
This commit is contained in:
xeji 2020-08-01 23:32:26 +02:00 committed by GitHub
parent 2dee11d4de 1192255677
commit 89e0d97d7e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
nixos/modules/services/networking/tinc.nix
View File

@ -48,6 +48,14 @@ in
''; '';
}; };
rsaPrivateKeyFile = mkOption {
default = null;
type = types.nullOr types.path;
description = ''
Path of the private RSA keyfile.
'';
};
debugLevel = mkOption { debugLevel = mkOption {
default = 0; default = 0;
type = types.addCheck types.int (l: l >= 0 && l <= 5); type = types.addCheck types.int (l: l >= 0 && l <= 5);
@ -139,6 +147,7 @@ in
Name = ${if data.name == null then "$HOST" else data.name} Name = ${if data.name == null then "$HOST" else data.name}
DeviceType = ${data.interfaceType} DeviceType = ${data.interfaceType}
${optionalString (data.ed25519PrivateKeyFile != null) "Ed25519PrivateKeyFile = ${data.ed25519PrivateKeyFile}"} ${optionalString (data.ed25519PrivateKeyFile != null) "Ed25519PrivateKeyFile = ${data.ed25519PrivateKeyFile}"}
${optionalString (data.rsaPrivateKeyFile != null) "PrivateKeyFile = ${data.rsaPrivateKeyFile}"}
${optionalString (data.listenAddress != null) "ListenAddress = ${data.listenAddress}"} ${optionalString (data.listenAddress != null) "ListenAddress = ${data.listenAddress}"}
${optionalString (data.bindToAddress != null) "BindToAddress = ${data.bindToAddress}"} ${optionalString (data.bindToAddress != null) "BindToAddress = ${data.bindToAddress}"}
Interface = tinc.${network} Interface = tinc.${network}
@ -170,12 +179,15 @@ in
# Determine how we should generate our keys # Determine how we should generate our keys
if type tinc >/dev/null 2>&1; then if type tinc >/dev/null 2>&1; then
# Tinc 1.1+ uses the tinc helper application for key generation # Tinc 1.1+ uses the tinc helper application for key generation
${if data.ed25519PrivateKeyFile != null then " # Keyfile managed by nix" else '' ${if data.ed25519PrivateKeyFile != null then " # ed25519 Keyfile managed by nix" else ''
# Prefer ED25519 keys (only in 1.1+) # Prefer ED25519 keys (only in 1.1+)
[ -f "/etc/tinc/${network}/ed25519_key.priv" ] || tinc -n ${network} generate-ed25519-keys [ -f "/etc/tinc/${network}/ed25519_key.priv" ] || tinc -n ${network} generate-ed25519-keys
''} ''}
# Otherwise use RSA keys ${if data.rsaPrivateKeyFile != null then " # RSA Keyfile managed by nix" else ''
[ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096 [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096
''}
# In case there isn't anything to do
true
else else
# Tinc 1.0 uses the tincd application # Tinc 1.0 uses the tincd application
[ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096 [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096