Wesher secret key in /var/lib/wesher/secrets

This commit is contained in:
Alex 2022-04-20 10:50:42 +02:00
parent db081fad0e
commit 50e9f0b589
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
2 changed files with 19 additions and 3 deletions


@ -85,6 +85,7 @@ SystemMaxUse=1G
enable = true; enable = true;
join = [ "192.168.1.22" "192.168.1.23" ]; join = [ "192.168.1.22" "192.168.1.23" ];
bindAddr = config.deuxfleurs.lan_ip; # for now bindAddr = config.deuxfleurs.lan_ip; # for now
overlayNet = "10.14.0.0/16";
}; };
# ---- CONFIG FOR DEUXFLEURS CLUSTER ---- # ---- CONFIG FOR DEUXFLEURS CLUSTER ----


@ -1,8 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let let
keysPath = "/var/lib/wesher/secrets";
cfg = config.services.wesher; cfg = config.services.wesher;
in { in {
options = with types; { options = with types; {
services.wesher = { services.wesher = {
@ -18,7 +18,7 @@ in {
clusterKey = mkOption { clusterKey = mkOption {
type = nullOr str; type = nullOr str;
default = null; default = null;
description = "shared key for cluster membership; must be 32 bytes base64 encoded; will be generated if not provided"; description = "shared key for cluster membership to use on first initialization, if no key was previously used by Wesher. Must be 32 bytes base64 encoded; will be generated if not provided. Setting this parameter value will not overwrite an existing cluster key; to do so please delete ${keysPath}";
}; };
bindAddr = mkOption { bindAddr = mkOption {
@ -74,6 +74,20 @@ in {
config = mkIf cfg.enable (let binWesher = cfg.package + "/bin/wesher"; config = mkIf cfg.enable (let binWesher = cfg.package + "/bin/wesher";
in { in {
system.activationScripts.wesher = if (cfg.clusterKey != null) then ''
if [ ! -e ${keysPath} ]
then
mkdir --mode=700 -p ${builtins.dirOf keysPath}
echo "WESHER_CLUSTER_KEY=${cfg.clusterKey}" > ${keysPath}
fi
'' else ''
if [ ! -e ${keysPath} ]
then
mkdir --mode=700 -p ${builtins.dirOf keysPath}
echo "WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)" > ${keysPath}
fi
'';
systemd.services.wesher = { systemd.services.wesher = {
description = "wesher wireguard overlay mesh network manager"; description = "wesher wireguard overlay mesh network manager";
bindsTo = [ "network-online.target" ]; bindsTo = [ "network-online.target" ];
@ -89,7 +103,6 @@ in {
WESHER_LOG_LEVEL = cfg.logLevel; WESHER_LOG_LEVEL = cfg.logLevel;
WESHER_NO_ETC_HOSTS = "true"; WESHER_NO_ETC_HOSTS = "true";
} }
// (if (cfg.clusterKey != null) then { WESHER_CLUSTER_KEY = cfg.clusterKey; } else {})
// (if (cfg.bindAddr != null) then { WESHER_BIND_ADDR = cfg.bindAddr; } else {}) // (if (cfg.bindAddr != null) then { WESHER_BIND_ADDR = cfg.bindAddr; } else {})
// (if (cfg.bindIface != null) then { WESHER_BIND_IFACE = cfg.bindIface; } else {}) // (if (cfg.bindIface != null) then { WESHER_BIND_IFACE = cfg.bindIface; } else {})
; ;
@ -98,6 +111,8 @@ in {
ExecStart = "${binWesher}"; ExecStart = "${binWesher}";
Restart = "always"; Restart = "always";
EnvironmentFile = keysPath;
User = "wesher"; User = "wesher";
DynamicUser = true; DynamicUser = true;
StateDirectory = "wesher"; StateDirectory = "wesher";
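Review bot: In the activation script (hunk at -74,6 +74,20), the key file is created by a plain `echo … > ${keysPath}` and so takes the activation shell's default umask; only the parent directory is pinned to 700, and the file's own mode is whatever the umask yields. Since systemd reads `EnvironmentFile` before dropping to the dynamic user, the file can be made root-only explicitly, e.g. `( umask 077; echo "WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)" > ${keysPath} )` in both branches, or `install -m 600 /dev/stdin ${keysPath}` fed from the pipe. Note also that in the `cfg.clusterKey != null` branch the key is interpolated into the activation script text, so it still ends up in the world-readable Nix store even though the commit removes it from the unit's `environment` (the deleted `WESHER_CLUSTER_KEY = cfg.clusterKey;` line); the `description` added on the option could mention that. Finally, `mkdir -p ${builtins.dirOf keysPath}` pre-creates `/var/lib/wesher` as a root-owned real directory while the unit declares `StateDirectory = "wesher"` with `DynamicUser = true`, which normally manages that path via `/var/lib/private`; this interaction is worth confirming on a fresh host, as it is not visible from the hunk.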