From 450e0db1a1ad900f93519c00f0ef132ec42a3728 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 10 Oct 2023 00:54:30 +0200 Subject: [PATCH] Add tinc configuration --- deploy/flake.lock | 12 ++--- flake.lock | 4 +- flakes/flake.lock | 2 +- systems/eldiron/vpn/default.nix | 61 ++++++++++++++++-------- systems/eldiron/vpn/tinc/ImmaeEu | 10 ++++ systems/eldiron/vpn/tinc/ImmaeEu-down | 14 ++++++ systems/eldiron/vpn/tinc/ImmaeEu-up | 27 +++++++++++ systems/eldiron/websites/vpn/default.nix | 5 ++ 8 files changed, 107 insertions(+), 28 deletions(-) create mode 100644 systems/eldiron/vpn/tinc/ImmaeEu create mode 100755 systems/eldiron/vpn/tinc/ImmaeEu-down create mode 100755 systems/eldiron/vpn/tinc/ImmaeEu-up diff --git a/deploy/flake.lock b/deploy/flake.lock index 07a5473..5cdf632 100644 --- a/deploy/flake.lock +++ b/deploy/flake.lock @@ -2783,7 +2783,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-nEhIk4RloOuTKmJxzvJP3l4Ap1kqjg5YjnpjKHyE1N0=", + "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=", "path": "../flakes", "type": "path" }, @@ -3903,7 +3903,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=", + "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", "path": "../systems/eldiron", "type": "path" }, @@ -8888,11 +8888,11 @@ "nixpkgs": "nixpkgs_106" }, "locked": { - "lastModified": 1696596844, - "narHash": "sha256-qtQL21ZF1N3EMqGo5RJq4ytWngsKYOv5mE/pSSxaJJM=", + "lastModified": 1697062813, + "narHash": "sha256-pbS3ZgZzCkbL3XO0DpoqQU4JHOMd980vTPX4seMH+U8=", "ref": "master", - "rev": "ac58ff30d8f1712ef115d3c8aaf8da2211662e90", - "revCount": 698, + "rev": "6f65e826f8baaf08a651366f8e05b58d6a7326ad", + "revCount": 701, "type": "git", "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets" }, diff --git a/flake.lock b/flake.lock index 61d7371..6cc709e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -2664,7 +2664,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-nEhIk4RloOuTKmJxzvJP3l4Ap1kqjg5YjnpjKHyE1N0=", + "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=", "path": "./flakes", "type": "path" }, @@ -3919,7 +3919,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=", + "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", "path": "../systems/eldiron", "type": "path" }, diff --git a/flakes/flake.lock b/flakes/flake.lock index 677625d..751316c 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock @@ -3824,7 +3824,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=", + "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", "path": "../systems/eldiron", "type": "path" }, diff --git a/systems/eldiron/vpn/default.nix b/systems/eldiron/vpn/default.nix index df56249..a5cc423 100644 --- a/systems/eldiron/vpn/default.nix +++ b/systems/eldiron/vpn/default.nix 
@@ -1,10 +1,50 @@
 { config, pkgs, lib, ... }:
 let
   cfg = config.myServices.vpn;
+  configFiles = pkgs.runCommand "tinc-files" {
+    mainInterface = "eth0";
+    hostName = "ImmaeEu";
+    network = "Immae";
+    keyFile = config.secrets.fullPaths."tinc/key.priv";
+  } ''
+    mkdir -p $out
+    for i in ${./tinc}/*; do
+      substituteAll $i $out/$(basename $i)
+    done
+  '';
+  keyPaths = lib.flatten (lib.mapAttrsToList
+    (ns: lib.mapAttrsToList
+      (name: s:
+        lib.nameValuePair
+          "${ns}${name}"
+          (if builtins.isPath s then s else pkgs.writeText "${ns}${name}" s)
+      )
+    ) config.myServices.vpn.keys);
+  keysDir = pkgs.runCommand "tinc-config" {} (''
+    install -m755 -d $out $out/hosts
+    install -m755 -t $out ${configFiles}/{host-*,tinc-*}
+    install -m444 -t $out ${configFiles}/tinc.conf
+    install -m755 -t $out/hosts ${configFiles}/ImmaeEu-*
+    install -m444 -t $out/hosts ${configFiles}/ImmaeEu
+  '' + builtins.concatStringsSep "\n" (builtins.map (p: "cp ${p.value} $out/hosts/${p.name}") keyPaths) + ''
+
+    cd $out
+    tar -czf $out/hosts.tar.gz hosts/
+  '');
 in
 {
   options.myServices = {
     vpn.enable = lib.mkEnableOption "Enable vpn service";
+    vpn.keys = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.attrsOf (lib.types.either lib.types.path lib.types.str));
+      description = "Keys sorted by namespaces and names";
+      default = {};
+    };
+    vpn.hostsPath = lib.mkOption {
+      type = lib.types.path;
+      default = "${keysDir}/hosts.tar.gz";
+      readOnly = true;
+    };
   };
 
   config = lib.mkIf cfg.enable {
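Review bot: `keysDir` derives each host file name from `"${ns}${name}"` with no separator, so two option entries whose namespace and name concatenate to the same string (e.g. `keys.ab.c` and `keys.a.bc`) map to the same `$out/hosts/abc` and the later `cp` silently overwrites the earlier one; an `assert` on uniqueness of the concatenated names, or a separator that tinc's node-name syntax allows, would make that loud. Everything this derivation produces — `writeText` output for string entries, the copied path entries, and the `hosts.tar.gz` exposed as `vpn.hostsPath` — lands in the world-readable Nix store, so the option must never receive private material; the description `"Keys sorted by namespaces and names"` should say so, e.g. `description = "Public tinc host files (Address/Subnet/public key only), by namespace and node name; they are copied into the Nix store and published via hostsPath";`. `keyFile` is only substituted as a path string, so the private key stays out of the store as long as the `./tinc` template (not visible here) references it by path rather than reading it.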
@@ -50,25 +90,8 @@ in
       };
     };
     networking.firewall.allowedTCPPorts = [ 655 1194 ];
-    system.activationScripts.tinc = let
-      configFiles = pkgs.runCommand "tinc-files" {
-        mainInterface = "eth0";
-        hostName = "ImmaeEu";
-        network = "Immae";
-        keyFile = config.secrets.fullPaths."tinc/key.priv";
-      } ''
-        mkdir -p $out
-        for i in ${./tinc}/*; do
-          substituteAll $i $out/$(basename $i)
-        done
-      '';
-    in ''
+    system.activationScripts.tinc = ''
       install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
-      install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
-      install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
-      if [ ! -d /var/lib/tinc/Immae/hosts ]; then
-        ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
-      fi
     '';
 
     systemd.slices.tinc = {
@@ -85,7 +108,7 @@ in
         Type = "simple";
         Restart = "always";
         RestartSec = "3";
-        ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
+        ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c ${keysDir} --pidfile /run/tinc.Immae.pid";
       };
     };
   };
diff --git a/systems/eldiron/vpn/tinc/ImmaeEu b/systems/eldiron/vpn/tinc/ImmaeEu
new file mode 100644
index 0000000..db9949b
--- /dev/null
+++ b/systems/eldiron/vpn/tinc/ImmaeEu
@@ -0,0 +1,10 @@
+Address = vpn.immae.eu
+Address = vpn.immae.eu 1194
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA6sJagBYTGUNjtiaPm3Se3BAa1nWbnHS7feTQ1C+L9WifgGkQICkr
+TXkQpGKIN+1mVD3Tl/Mx3BWtGGUMNgJhZ3p7rJgEXNuiWptEpG7BmujW61gVxQ2v
+0FJuGwgT8GvNI9s2BeWtxQKdmX6MOOdtRMmd33F8Zffw6TdJtPuj1dvTwGmkBl71
+RNd6TXi5LR5r1A01Z88TPeZJo1BNkl8P9qkMGv+fTYmX9lnd9brQ0MDVNldJwGhI
+/KU7J7tW20KizhgOdkYJU75JgWX+7QKJMjvOc6nv8ORWk5jLfv6MNKoG3UirBV4t
+ariPo+Gb/u7BU3R2mPHhxKMrC7NVdp+JNQIDAQAB
+-----END RSA PUBLIC KEY-----
diff --git a/systems/eldiron/vpn/tinc/ImmaeEu-down b/systems/eldiron/vpn/tinc/ImmaeEu-down
new file mode 100755
index 0000000..d983a3b
--- /dev/null
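Review bot: After this hunk nothing references `/var/lib/tinc/Immae` any more — the `ExecStart` in the following hunk points tincd at the store-built `keysDir` — so the surviving `system.activationScripts.tinc` only creates an empty, unused directory on every activation. Hosts that ran the old activation keep a stale `/var/lib/tinc/Immae/hosts` git checkout with old peer keys that is no longer consulted, which is confusing when debugging; either drop the activation script or make it an explicit cleanup (`rm -rf /var/lib/tinc/Immae`) if tincd really needs no writable state directory any more. The enclosing `config = lib.mkIf cfg.enable { … }` block starts and ends outside this hunk.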
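Review bot: `-c ${keysDir}` makes tincd's configuration directory an immutable Nix store path, which is good for reproducibility but means anything that writes into it fails at runtime: the `hosts/ImmaeEu-up` script added in this same commit does `cd "$SCRIPT_DIR" && … tar -xz` into its own directory, which on this host resolves to `${keysDir}/hosts` and can only fail — silently, because of its trailing `|| true`. Either that refresh is meant only for peers running from a writable directory and should be documented as such, or the service needs a writable copy (e.g. an `ExecStartPre` that copies `${keysDir}` into a `StateDirectory` and a `-c` pointing there); as written the two halves of the commit contradict each other. Whether tincd itself needs write access to its config dir for other features (invitations, key regeneration) cannot be told from this hunk.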
+++ b/systems/eldiron/vpn/tinc/ImmaeEu-down
@@ -0,0 +1,14 @@
+#!/bin/sh
+# This file closes down the tap device.
+
+[ -e /tmp/tinc_$NETNAME ] && . /tmp/tinc_$NETNAME
+[ -e /run/tinc_$NETNAME.vars ] && . /run/tinc_$NETNAME.vars
+rm -f /tmp/tinc_$NETNAME /run/tinc_$NETNAME.vars || true
+[ -n "$GWIP" ] && ip -6 route del default via $GWIP table 655
+for MYIP in $MYIPS; do
+  ip -6 addr del $MYIP/96 dev $INTERFACE
+  ip -6 rule del from $MYIP/96 table 655
+  ip -6 rule del to $MYIP/96 table 655
+done
+ip -6 link set $INTERFACE down
+
diff --git a/systems/eldiron/vpn/tinc/ImmaeEu-up b/systems/eldiron/vpn/tinc/ImmaeEu-up
new file mode 100755
index 0000000..e14fd5a
--- /dev/null
+++ b/systems/eldiron/vpn/tinc/ImmaeEu-up
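Review bot: `[ -e /tmp/tinc_$NETNAME ] && . /tmp/tinc_$NETNAME` sources a file from a world-writable directory into a shell that tincd runs as root, and nothing in this commit ever writes that path — `ImmaeEu-up` writes only `/run/tinc_$NETNAME.vars` — so any local user who creates `/tmp/tinc_Immae` gets its contents executed as root the next time the interface goes down (the sticky bit on `/tmp` does not prevent creating a new file there). Drop the `/tmp` line and the `/tmp/tinc_$NETNAME` argument of the `rm -f`, keeping only the `/run` variant, i.e. `[ -e /run/tinc_$NETNAME.vars ] && . /run/tinc_$NETNAME.vars` followed by `rm -f /run/tinc_$NETNAME.vars || true`. If the `/tmp` path is a leftover for compatibility with an older up-script, that deserves a comment rather than a silent fallback.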
@@ -0,0 +1,27 @@
+#!/bin/sh
+# This file sets up the tap device.
+# It gives you the freedom to do anything you want with it.
+# Use the correct name for the tap device:
+# The environment variable $INTERFACE is set to the right name
+# on most platforms, but if it doesn't work try to set it manually.
+
+# Give it the right ip and netmask. Remember, the subnet of the
+# tap device must be larger than that of the individual Subnets
+# as defined in the host configuration file!
+SCRIPT_DIR=$(dirname -- "$( readlink -f -- "$0"; )")
+SUBDOMAIN=$(echo "$NAME" | sed -e "s/\([A-Z][a-z0-9]*\)/\L\1 /g;" | awk '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1; }')
+while [ -z "$MYIPS" -o -z "$GWIP" ]; do
+  MYIPS=`getent hosts ${SUBDOMAIN}.immae.eu | cut -d' ' -f1 | tr "\\n" ' '`
+  GWIP=`getent hosts gw.vpn.immae.eu | head -n1 | cut -d' ' -f1`
+  sleep 5
+done
+rm -f /run/tinc_$NETNAME.vars
+echo -e "MYIPS=\"$MYIPS\"\nGWIP=\"$GWIP\"" > /run/tinc_$NETNAME.vars
+ip -6 link set $INTERFACE up mtu 1280
+for MYIP in $MYIPS; do
+  ip -6 addr add $MYIP/96 dev $INTERFACE
+  ip -6 rule add from $MYIP/96 table 655
+  ip -6 rule add to $MYIP/96 table 655
+done
+ip -6 route add default via $GWIP dev $INTERFACE table 655
+(cd "$SCRIPT_DIR" && (curl -s https://vpn.immae.eu/hosts.tar.gz | tar -xz --strip-components=1)) || true
diff --git a/systems/eldiron/websites/vpn/default.nix b/systems/eldiron/websites/vpn/default.nix
index ea54691..3ee0a20 100644
--- a/systems/eldiron/websites/vpn/default.nix
+++ b/systems/eldiron/websites/vpn/default.nix
@@ -8,6 +8,11 @@ in {
   certName = "eldiron";
   hosts = [ "vpn.immae.eu" ];
   root = ./www;
+  extraConfig = [
+    ''
+      Alias /hosts.tar.gz "${config.myServices.vpn.hostsPath}"
+    ''
+  ];
 };
 }
-- 
2.41.0
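Review bot: The last line extracts a remote tarball straight into the directory holding this very script, and `hosts/` as packed by `keysDir` contains `ImmaeEu-up` and `ImmaeEu-down` themselves, so whoever controls vpn.immae.eu (or can obtain a certificate for it) can replace root-executed scripts on every peer that runs this refresh, with TLS as the only integrity check. Restrict the extraction to host files and stop masking failures, e.g. `curl -fsS https://vpn.immae.eu/hosts.tar.gz | tar -xz --strip-components=1 --exclude='*-up' --exclude='*-down'`, and consider a signature on the tarball if peers are meant to trust it beyond the web server. Separately, the `while` loop has no retry limit: a node whose `${SUBDOMAIN}.immae.eu` or `gw.vpn.immae.eu` never resolves spins forever, presumably holding up tincd's interface setup, so a bounded attempt count with an `exit 1` would be safer. `echo -e` and `[ … -o … ]` are not portable `/bin/sh` (dash prints `-e` literally, which would corrupt the sourced vars file); `printf 'MYIPS="%s"\nGWIP="%s"\n' "$MYIPS" "$GWIP"` and two separate `-z` tests avoid the dash-vs-bash difference.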
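Review bot: `Alias /hosts.tar.gz "${config.myServices.vpn.hostsPath}"` points httpd at a `/nix/store` path outside `root`; unless the surrounding module already grants access to that prefix (not visible here), Apache answers 403 for a file outside any `<Directory … Require all granted>` stanza, so the alias likely needs a matching `<Directory "${dirOf config.myServices.vpn.hostsPath}">` block in the same `extraConfig`. Also note what is being published: the tarball carries every peer's host file and the `ImmaeEu-up`/`-down` scripts, i.e. public addresses and the internal routing setup become world-readable on vpn.immae.eu — fine if intended, but worth stating next to the alias, e.g. `# hosts.tar.gz is public: peer host files + up/down scripts, no secrets`. The enclosing `in { … }` attrset starts outside this hunk.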