Wesher secret key in /var/lib/wesher/secrets
This commit is contained in:
parent
db081fad0e
commit
50e9f0b589
2 changed files with 19 additions and 3 deletions
|
@ -85,6 +85,7 @@ SystemMaxUse=1G
|
||||||
enable = true;
|
enable = true;
|
||||||
join = [ "192.168.1.22" "192.168.1.23" ];
|
join = [ "192.168.1.22" "192.168.1.23" ];
|
||||||
bindAddr = config.deuxfleurs.lan_ip; # for now
|
bindAddr = config.deuxfleurs.lan_ip; # for now
|
||||||
|
overlayNet = "10.14.0.0/16";
|
||||||
};
|
};
|
||||||
|
|
||||||
# ---- CONFIG FOR DEUXFLEURS CLUSTER ----
|
# ---- CONFIG FOR DEUXFLEURS CLUSTER ----
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
|
keysPath = "/var/lib/wesher/secrets";
|
||||||
cfg = config.services.wesher;
|
cfg = config.services.wesher;
|
||||||
|
|
||||||
in {
|
in {
|
||||||
options = with types; {
|
options = with types; {
|
||||||
services.wesher = {
|
services.wesher = {
|
||||||
|
@ -18,7 +18,7 @@ in {
|
||||||
clusterKey = mkOption {
|
clusterKey = mkOption {
|
||||||
type = nullOr str;
|
type = nullOr str;
|
||||||
default = null;
|
default = null;
|
||||||
description = "shared key for cluster membership; must be 32 bytes base64 encoded; will be generated if not provided";
|
description = "shared key for cluster membership to use on first initialization, if no key was previously used by Wesher. Must be 32 bytes base64 encoded; will be generated if not provided. Setting this parameter value will not overwrite an existing cluster key; to do so please delete ${keysPath}";
|
||||||
};
|
};
|
||||||
|
|
||||||
bindAddr = mkOption {
|
bindAddr = mkOption {
|
||||||
|
@ -74,6 +74,20 @@ in {
|
||||||
|
|
||||||
config = mkIf cfg.enable (let binWesher = cfg.package + "/bin/wesher";
|
config = mkIf cfg.enable (let binWesher = cfg.package + "/bin/wesher";
|
||||||
in {
|
in {
|
||||||
|
system.activationScripts.wesher = if (cfg.clusterKey != null) then ''
|
||||||
|
if [ ! -e ${keysPath} ]
|
||||||
|
then
|
||||||
|
mkdir --mode=700 -p ${builtins.dirOf keysPath}
|
||||||
|
echo "WESHER_CLUSTER_KEY=${cfg.clusterKey}" > ${keysPath}
|
||||||
|
fi
|
||||||
|
'' else ''
|
||||||
|
if [ ! -e ${keysPath} ]
|
||||||
|
then
|
||||||
|
mkdir --mode=700 -p ${builtins.dirOf keysPath}
|
||||||
|
echo "WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)" > ${keysPath}
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
systemd.services.wesher = {
|
systemd.services.wesher = {
|
||||||
description = "wesher wireguard overlay mesh network manager";
|
description = "wesher wireguard overlay mesh network manager";
|
||||||
bindsTo = [ "network-online.target" ];
|
bindsTo = [ "network-online.target" ];
|
||||||
|
@ -89,7 +103,6 @@ in {
|
||||||
WESHER_LOG_LEVEL = cfg.logLevel;
|
WESHER_LOG_LEVEL = cfg.logLevel;
|
||||||
WESHER_NO_ETC_HOSTS = "true";
|
WESHER_NO_ETC_HOSTS = "true";
|
||||||
}
|
}
|
||||||
// (if (cfg.clusterKey != null) then { WESHER_CLUSTER_KEY = cfg.clusterKey; } else {})
|
|
||||||
// (if (cfg.bindAddr != null) then { WESHER_BIND_ADDR = cfg.bindAddr; } else {})
|
// (if (cfg.bindAddr != null) then { WESHER_BIND_ADDR = cfg.bindAddr; } else {})
|
||||||
// (if (cfg.bindIface != null) then { WESHER_BIND_IFACE = cfg.bindIface; } else {})
|
// (if (cfg.bindIface != null) then { WESHER_BIND_IFACE = cfg.bindIface; } else {})
|
||||||
;
|
;
|
||||||
|
@ -98,6 +111,8 @@ in {
|
||||||
ExecStart = "${binWesher}";
|
ExecStart = "${binWesher}";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
|
|
||||||
|
EnvironmentFile = keysPath;
|
||||||
|
|
||||||
User = "wesher";
|
User = "wesher";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
StateDirectory = "wesher";
|
StateDirectory = "wesher";
|
||||||
|
|
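Review bot: The secret file written by `echo "WESHER_CLUSTER_KEY=${cfg.clusterKey}" > ${keysPath}` (and the urandom branch below it) is created by plain shell redirection under the activation umask, so its mode is whatever the default grants — typically 0644 — and only the parent directory's `--mode=700` keeps other users out. That protection looks fragile because the same unit declares `StateDirectory = "wesher"`, whose default `StateDirectoryMode` is 0755, so systemd may reset the directory permissions on service start (and with `DynamicUser = true` may relocate the path under /var/lib/private); confirm on a running host. Write the file with a restrictive mode regardless of the directory, e.g. `(umask 077; echo "WESHER_CLUSTER_KEY=${cfg.clusterKey}" > ${keysPath})`, and the same for the generated-key branch. Separately, when `cfg.clusterKey` is non-null its value is interpolated into the activation script text, which is part of the system closure in the world-readable Nix store, so the key is still exposed on disk despite the move to `EnvironmentFile`; the option description should state that `clusterKey` is not suitable for a real secret and that the generated-key path is preferred. The two branches differ only in the key expression and could be one script with the key chosen in a `let`, which would also make the umask fix a single change.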