127 lines
4.0 KiB
Nix
127 lines
4.0 KiB
Nix
{ ... }:
|
|
{
|
|
_class = "clan.service";
|
|
manifest.name = "clan-core/yggdrasil";
|
|
manifest.description = "Yggdrasil encrypted IPv6 routing overlay network";
|
|
|
|
roles.default = {
|
|
description = "Placeholder role to apply the yggdrasil service";
|
|
interface =
|
|
{ lib, ... }:
|
|
{
|
|
options.extraMulticastInterfaces = lib.mkOption {
|
|
type = lib.types.listOf lib.types.attrs;
|
|
default = [ ];
|
|
description = ''
|
|
Additional interfaces to use for Multicast. See
|
|
https://yggdrasil-network.github.io/configurationref.html#multicastinterfaces
|
|
for reference.
|
|
'';
|
|
example = [
|
|
{
|
|
Regex = "(wg).*";
|
|
Beacon = true;
|
|
Listen = true;
|
|
Port = 5400;
|
|
Priority = 1020;
|
|
}
|
|
];
|
|
};
|
|
|
|
options.peers = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ ];
|
|
description = ''
|
|
Static peers to configure for this host.
|
|
If not set, local peers will be auto-discovered
|
|
'';
|
|
example = [
|
|
"tcp://192.168.1.1:6443"
|
|
"quic://192.168.1.1:6443"
|
|
"tls://192.168.1.1:6443"
|
|
"ws://192.168.1.1:6443"
|
|
];
|
|
};
|
|
};
|
|
perInstance =
|
|
{ settings, ... }:
|
|
{
|
|
nixosModule =
|
|
{
|
|
config,
|
|
pkgs,
|
|
...
|
|
}:
|
|
{
|
|
|
|
clan.core.vars.generators.yggdrasil = {
|
|
|
|
files.privateKey = { };
|
|
files.publicKey.secret = false;
|
|
files.address.secret = false;
|
|
|
|
runtimeInputs = with pkgs; [
|
|
yggdrasil
|
|
jq
|
|
openssl
|
|
];
|
|
|
|
script = ''
|
|
# Generate private key
|
|
openssl genpkey -algorithm Ed25519 -out $out/privateKey
|
|
|
|
# Generate corresponding public key
|
|
openssl pkey -in $out/privateKey -pubout -out $out/publicKey
|
|
|
|
# Derive IPv6 address from key
|
|
echo "{\"PrivateKeyPath\": \"$out/privateKey\"}" | yggdrasil -useconf -address | tr -d '\n' > $out/address
|
|
'';
|
|
};
|
|
|
|
systemd.services.yggdrasil.serviceConfig.BindReadOnlyPaths = [
|
|
"%d/key:/key"
|
|
];
|
|
|
|
systemd.services.yggdrasil.serviceConfig.LoadCredential =
|
|
"key:${config.clan.core.vars.generators.yggdrasil.files.privateKey.path}";
|
|
|
|
services.yggdrasil = {
|
|
enable = true;
|
|
openMulticastPort = true;
|
|
# We don't need this option, because we persist our keys with
|
|
# vars by ourselves. This option creates an unnecesary additional
|
|
# systemd service to save/load the keys and should be removed
|
|
# from the NixOS module entirely, as it can be replaced by the
|
|
# (at the time of writing undocumented) PrivateKeyPath= setting.
|
|
# See https://github.com/NixOS/nixpkgs/pull/440910#issuecomment-3301835895 for details.
|
|
persistentKeys = false;
|
|
settings = {
|
|
PrivateKeyPath = "/key";
|
|
IfName = "ygg";
|
|
Peers = settings.peers;
|
|
MulticastInterfaces = [
|
|
# Ethernet is preferred over WIFI
|
|
{
|
|
Regex = "(eth|en).*";
|
|
Beacon = true;
|
|
Listen = true;
|
|
Port = 5400;
|
|
Priority = 1024;
|
|
}
|
|
{
|
|
Regex = "(wl).*";
|
|
Beacon = true;
|
|
Listen = true;
|
|
Port = 5400;
|
|
Priority = 1025;
|
|
}
|
|
]
|
|
++ settings.extraMulticastInterfaces;
|
|
};
|
|
};
|
|
networking.firewall.allowedTCPPorts = [ 5400 ];
|
|
};
|
|
};
|
|
};
|
|
}
|