gitea-mirror/rosenpass
1
0
Fork 0
mirror of https://github.com/rosenpass/rosenpass.git synced 2025-12-12 07:40:30 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
dddadb67b859feb0d2431c74afd00caa0341d587
rosenpass/tests/integration/rp-key-sync.nix

86 lines
2.6 KiB
Nix
Raw Blame History

{
pkgs,
lib,
config,
...
}:
let
cfg = config.services.rosenpassKeySync;
servicePrefix = "rp-key-sync-";
timerPrefix = "rp-key-sync-timer-";
rpKeySyncOpts =
{ name, ... }:
{
# Each instance of ths service is defined by the following information:
options = {
enable = lib.mkEnableOption "RP Keysync for ${name}";
wgInterface = lib.mkOption {
type = lib.types.str;
description = "Wireguard interface name";
};
rpHost = lib.mkOption {
type = lib.types.str;
description = "network address of the host that runs rosenpass";
};
peerPubkey = lib.mkOption {
type = lib.types.str;
description = "Public key of wireguard peer";
};
remoteKeyPath = lib.mkOption {
type = lib.types.path;
description = "Location of the .osk file on the key exchange server";
};
};
};
in
{
options.services.rosenpassKeySync = {
instances = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule rpKeySyncOpts);
default = { };
description = "RP key sync instances";
};
};
config = {
systemd.services = lib.mapAttrs' (instanceName: instanceCfg: {
name = "${servicePrefix}${instanceName}";
value = {
description = "Rosenpass Key Downloader ${instanceName}";
wantedBy = [ "multi-user.target" ];
requires = [ "network-online.target" ];
# The script downloads the key generated by rosenpass from the key exchange node and sets it as the preshared key for the specified wireguard peer.
script = ''
set -euo pipefail
${pkgs.openssh}/bin/ssh ${instanceCfg.rpHost} "cat ${instanceCfg.remoteKeyPath}" \
| ${pkgs.wireguard-tools}/bin/wg \
set ${instanceCfg.wgInterface} \
peer ${instanceCfg.peerPubkey} \
preshared-key /dev/stdin
'';
serviceConfig = {
Restart = "always";
RestartSec = 10;
};
};
}) (lib.filterAttrs (_: cfg: cfg.enable) cfg.instances); # this creates one systemd service (as above) per configured instance.
systemd.timers = lib.mapAttrs' (instanceName: instanceCfg: {
name = "${timerPrefix}${instanceName}";
value = {
wantedBy = [ "timers.target" ];
timerConfig = {
requires = [ "network-online.target" ];
OnUnitActiveSec = "1m";
Unit = "${servicePrefix}${instanceName}.service";
};
};
}) (lib.filterAttrs (_: cfg: cfg.enable) cfg.instances); # this creates one systemd time (as above) per configured instance.
};
}
Reference in New Issue View Git Blame Copy Permalink