Passer wgautomesh en prod #9
4 changed files with 18 additions and 2 deletions
|
@ -34,7 +34,7 @@
|
||||||
site_name = "corrin";
|
site_name = "corrin";
|
||||||
publicKey = "m9rLf+233X1VColmeVrM/xfDGro5W6Gk5N0zqcf32WY=";
|
publicKey = "m9rLf+233X1VColmeVrM/xfDGro5W6Gk5N0zqcf32WY=";
|
||||||
IP = "10.14.3.1";
|
IP = "10.14.3.1";
|
||||||
endpoint = "82.120.233.78:33721";
|
#endpoint = "82.120.233.78:33721";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostname = "df-pw5";
|
hostname = "df-pw5";
|
||||||
|
|
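Review bot: The corrin endpoint is left as a commented-out line (`#endpoint = "…";`) with no note on why the static endpoint is disabled; either drop the line outright (the old value stays in git history) or replace it with a one-line reason, e.g. `# no static endpoint for this node: <reason — TODO fill in>`, so the next reader does not re-enable it by mistake. Whether the peer remains reachable through gossip or LAN discovery without an endpoint cannot be judged from this hunk. The enclosing node attribute set starts and ends outside the hunk.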
|
@ -9,6 +9,9 @@ copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
|
||||||
|
|
||||||
if [ "$CLUSTER" = "staging" ]; then
|
if [ "$CLUSTER" = "staging" ]; then
|
||||||
copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
|
copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
|
||||||
|
|
||||||
|
cmd mkdir -p /var/lib/wgautomesh
|
||||||
|
write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
|
||||||
copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
|
copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
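Review bot: `cmd mkdir -p /var/lib/wgautomesh` creates the secret's parent directory with whatever the caller's umask gives (typically world-readable), and `write_pass`, defined outside this hunk, decides the mode of `gossip_secret` itself; the module's `StateDirectoryMode = "0700"` only applies once systemd starts the service, so the deploy step should not rely on it. `cmd mkdir -p -m 0700 /var/lib/wgautomesh` closes that window at the point the directory is created. Note also that both new lines sit inside the `if [ "$CLUSTER" = "staging" ]` branch together with `copy nix/wgautomesh.nix`, so the secret is provisioned for staging only; if prod nodes are meant to run the module, as the PR title suggests, their `ExecStartPre` chown would find no file — presumably intended for now, worth confirming.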
|
@ -249,6 +249,7 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
interface = "wg0";
|
interface = "wg0";
|
||||||
gossipPort = 1666;
|
gossipPort = 1666;
|
||||||
|
gossipSecretFile = "/var/lib/wgautomesh/gossip_secret";
|
||||||
upnpForwardPublicPort =
|
upnpForwardPublicPort =
|
||||||
let
|
let
|
||||||
us = filter ({ hostname, ...}: hostname == config.networking.hostName) cfg.cluster_nodes;
|
us = filter ({ hostname, ...}: hostname == config.networking.hostName) cfg.cluster_nodes;
|
||||||
|
|
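Review bot: The literal `/var/lib/wgautomesh/gossip_secret` set here is repeated verbatim as the `write_pass` target in the deploy script and in the `ExecStartPre` chown of `nix/wgautomesh.nix`, which does not read `cfg.gossipSecretFile`; a node that overrides this option would get a config pointing at one file while the chown fixes another. Either let the module derive the chown target from the option so this value becomes the single source of truth, or add a comment here, e.g. `# must stay in sync with the write_pass target in the deploy script and the chown in nix/wgautomesh.nix`. The enclosing attribute set starts outside the hunk.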
|
@ -23,6 +23,10 @@ in
|
||||||
type = types.port;
|
type = types.port;
|
||||||
description = "wgautomesh gossip port";
|
description = "wgautomesh gossip port";
|
||||||
};
|
};
|
||||||
|
gossipSecretFile = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
description = "File containing the gossip secret encryption key";
|
||||||
|
};
|
||||||
lanDiscovery = mkOption {
|
lanDiscovery = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
|
@ -72,13 +76,16 @@ in
|
||||||
${endpointDef}
|
${endpointDef}
|
||||||
'') cfg.peers;
|
'') cfg.peers;
|
||||||
extraDefs = (if cfg.lanDiscovery then ["lan_discovery = true"] else [])
|
extraDefs = (if cfg.lanDiscovery then ["lan_discovery = true"] else [])
|
||||||
|
++ (if (cfg.gossipSecretFile != null)
|
||||||
|
then [''gossip_secret_file = "${cfg.gossipSecretFile}"''] else [])
|
||||||
++ (if (cfg.upnpForwardPublicPort != null)
|
++ (if (cfg.upnpForwardPublicPort != null)
|
||||||
then [''upnp_forward_external_port = ${toString cfg.upnpForwardPublicPort}''] else []);
|
then [''upnp_forward_external_port = ${toString cfg.upnpForwardPublicPort}''] else []);
|
||||||
configfile = pkgs.writeText "wgautomesh.toml" ''
|
configfile = pkgs.writeText "wgautomesh.toml" ''
|
||||||
interface = "${cfg.interface}"
|
interface = "${cfg.interface}"
|
||||||
gossip_port = ${toString cfg.gossipPort}
|
gossip_port = ${toString cfg.gossipPort}
|
||||||
|
${concatStringsSep "\n" extraDefs}
|
||||||
|
|
||||||
${concatStringsSep "\n" (extraDefs ++ peerDefs)}
|
${concatStringsSep "\n" peerDefs}
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
systemd.services.wgautomesh = {
|
systemd.services.wgautomesh = {
|
||||||
|
@ -95,7 +102,12 @@ in
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = "30";
|
RestartSec = "30";
|
||||||
|
|
||||||
|
ExecStartPre = [ "+${pkgs.coreutils}/bin/chown wgautomesh /var/lib/wgautomesh/gossip_secret" ];
|
||||||
|
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
|
User = "wgautomesh";
|
||||||
|
StateDirectory = "wgautomesh";
|
||||||
|
StateDirectoryMode = "0700";
|
||||||
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||||
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||||
};
|
};
|
||||||
|
|
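Review bot: `gossipSecretFile` is declared with `types.nullOr types.str` but no `default`, so on any host that enables the module without setting it, the `cfg.gossipSecretFile != null` test in the `extraDefs` hunk does not fall through to `else []` but aborts evaluation with an "option is used but not defined" error; add `default = null;` following the `lanDiscovery` option's pattern. The value is interpolated into the TOML as `"${cfg.gossipSecretFile}"` with no quoting, and the description should say it must be a plain string path rather than a Nix path literal (a path literal would copy the secret into the world-readable store), e.g. `description = "Path (a string, not a Nix path literal) to the file containing the gossip secret encryption key";`. In the service hunk, the `+chown` in `ExecStartPre` fixes ownership only and hard-codes the path although the option is configurable; adding a second entry `"+${pkgs.coreutils}/bin/chmod 0600 /var/lib/wgautomesh/gossip_secret"` makes the file mode independent of what `write_pass` produced at deploy time. The `options`/`config` attribute sets around these hunks start and end outside the diff.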