Wesher secret key in /var/lib/wesher/secrets

2022-04-20 10:50:42 +02:00 · 2022-04-20 10:50:42 +02:00 · 50e9f0b589
commit 50e9f0b589
parent db081fad0e
2 changed files with 19 additions and 3 deletions
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@ -85,6 +85,7 @@ SystemMaxUse=1G
    enable = true;
    join = [ "192.168.1.22" "192.168.1.23" ];
    bindAddr = config.deuxfleurs.lan_ip;  # for now
+    overlayNet = "10.14.0.0/16";
  };

  # ---- CONFIG FOR DEUXFLEURS CLUSTER ----
--- a/nix/wesher_service.nix
+++ b/nix/wesher_service.nix
@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
+  keysPath = "/var/lib/wesher/secrets";
  cfg = config.services.wesher;
-
 in {
  options = with types; {
    services.wesher = {
@ -18,7 +18,7 @@ in {
      clusterKey = mkOption {
        type = nullOr str;
        default = null;
-        description = "shared key for cluster membership; must be 32 bytes base64 encoded; will be generated if not provided";
+        description = "shared key for cluster membership to use on first initialization, if no key was previously used by Wesher. Must be 32 bytes base64 encoded; will be generated if not provided. Setting this parameter value will not overwrite an existing cluster key; to do so please delete ${keysPath}";
      };

      bindAddr = mkOption {
@ -74,6 +74,20 @@ in {

  config = mkIf cfg.enable (let binWesher = cfg.package + "/bin/wesher";
  in {
+    system.activationScripts.wesher = if (cfg.clusterKey != null) then ''
+      if [ ! -e ${keysPath} ]
+      then
+        mkdir --mode=700 -p ${builtins.dirOf keysPath}
+        echo "WESHER_CLUSTER_KEY=${cfg.clusterKey}" > ${keysPath}
+      fi
+    '' else ''
+      if [ ! -e ${keysPath} ]
+      then
+        mkdir --mode=700 -p ${builtins.dirOf keysPath}
+        echo "WESHER_CLUSTER_KEY=$(head -c 32 /dev/urandom | base64)" > ${keysPath}
+      fi
+    '';
+
    systemd.services.wesher = {
      description = "wesher wireguard overlay mesh network manager";
      bindsTo = [ "network-online.target" ];
@ -89,7 +103,6 @@ in {
        WESHER_LOG_LEVEL = cfg.logLevel;
        WESHER_NO_ETC_HOSTS = "true";
      } 
-      // (if (cfg.clusterKey != null) then { WESHER_CLUSTER_KEY = cfg.clusterKey; } else {})
      // (if (cfg.bindAddr != null) then { WESHER_BIND_ADDR = cfg.bindAddr; } else {})
      // (if (cfg.bindIface != null) then { WESHER_BIND_IFACE = cfg.bindIface; } else {})
      ;
@ -98,6 +111,8 @@ in {
        ExecStart = "${binWesher}";
        Restart = "always";

+        EnvironmentFile = keysPath;
+
        User = "wesher";
        DynamicUser = true;
        StateDirectory = "wesher";