From 50e9f0b589b6387d193fcb420ddc045c0bc6d632 Mon Sep 17 00:00:00 2001
From: Alex Auvolat <alex@adnab.me>
Date: Wed, 20 Apr 2022 10:50:42 +0200
Subject: [PATCH] Wesher secret key in /var/lib/wesher/secrets

---
 nix/configuration.nix  |  1 +
 nix/wesher_service.nix | 21 ++++++++++++++++++---
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/nix/configuration.nix b/nix/configuration.nix
index 8af35e9..3f3aa49 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -85,6 +85,7 @@ SystemMaxUse=1G
     enable = true;
     join = [ "192.168.1.22" "192.168.1.23" ];
     bindAddr = config.deuxfleurs.lan_ip;  # for now
+    overlayNet = "10.14.0.0/16";
   };
 
   # ---- CONFIG FOR DEUXFLEURS CLUSTER ----
diff --git a/nix/wesher_service.nix b/nix/wesher_service.nix
index be33a76..d269a2f 100644
--- a/nix/wesher_service.nix
+++ b/nix/wesher_service.nix
@@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
+  keysPath = "/var/lib/wesher/secrets";
   cfg = config.services.wesher;
-
 in {
   options = with types; {
     services.wesher = {
@@ -18,7 +18,7 @@ in {
       clusterKey = mkOption {
         type = nullOr str;
         default = null;
-        description = "shared key for cluster membership; must be 32 bytes base64 encoded; will be generated if not provided";
+        description = "shared key for cluster membership to use on first initialization, if no key was previously used by Wesher. Must be 32 bytes base64 encoded; will be generated if not provided. Setting this parameter value will not overwrite an existing cluster key; to do so please delete ${keysPath}";
       };
 
       bindAddr = mkOption {
@@ -74,6 +74,20 @@ in {
 
   config = mkIf cfg.enable (let binWesher = cfg.package + "/bin/wesher";
   in {
+    system.activationScripts.wesher = if (cfg.clusterKey != null) then ''
+      if [ ! -e ${keysPath} ]
+      then
+        mkdir --mode=700 -p ${builtins.dirOf keysPath}
+        echo "WESHER_CLUSTER_KEY=${cfg.clusterKey}" > ${keysPath}
+      fi
+    '' else ''
+      if [ ! -e ${keysPath} ]
+      then
+        mkdir --mode=700 -p ${builtins.dirOf keysPath}
+        echo "WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)" > ${keysPath}
+      fi
+    '';
+
     systemd.services.wesher = {
       description = "wesher wireguard overlay mesh network manager";
       bindsTo = [ "network-online.target" ];
@@ -89,7 +103,6 @@ in {
         WESHER_LOG_LEVEL = cfg.logLevel;
         WESHER_NO_ETC_HOSTS = "true";
       } 
-      // (if (cfg.clusterKey != null) then { WESHER_CLUSTER_KEY = cfg.clusterKey; } else {})
       // (if (cfg.bindAddr != null) then { WESHER_BIND_ADDR = cfg.bindAddr; } else {})
       // (if (cfg.bindIface != null) then { WESHER_BIND_IFACE = cfg.bindIface; } else {})
       ;
@@ -98,6 +111,8 @@ in {
         ExecStart = "${binWesher}";
         Restart = "always";
 
+        EnvironmentFile = keysPath;
+
         User = "wesher";
         DynamicUser = true;
         StateDirectory = "wesher";