Basic module set up

modules/my-tinc/default.nix

@@ -0,0 +1,89 @@
+{ config, pkgs, ... }:
+
+with lib;
+let
+  hosts = import ./hosts;
+
+  cfg = config.services.my-tinc;
+
+  hostNames = builtins.attrNames hosts;
+in
+{
+  imports = [ ./hosts.nix ];
+  
+  options.services.my-tinc = {
+    enable = mkEnableOption "my private tinc cloud configuration";
+    rsaPrivateKey = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "./my-key.priv";
+      description = "The key file to be used as the private key";
+    };
+    ed25519PrivateKey = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "./my-key-ed25519.priv";
+      description = "The key file to be used as the private key";
+    };
+    hostName = mkOption {
+      type = types.enum hostNames;
+      description = "The configured host name";
+    };
+  };
+
+  config = mkIf cfg.enable (builtins.seq
+    (mkIf (isNull cfg.rsaPrivateKey && isNull cfg.ed25519PrivateKey) (builtins.abort "one of the keys must be defined"))
+    let
+      networkName = "my-tinc";
+
+      myHost = builtins.getAttr cfg.hostName hosts;
+      myMeshIp = myHost.subnetAddr;
+    in
+    {
+      # Scripts that set up the tinc services
+      environment.etc = {
+        "tinc/${networkName}/tinc-up".source = pkgs.writeScript "tinc-up-${networkName}" ''
+            #!${pkgs.stdenv.shell}
+            ${pkgs.nettools}/bin/ifconfig $INTERFACE ${myMeshIp} netmask 255.255.255.0
+        '';
+        "tinc/${networkName}/tinc-down".source = pkgs.writeScript "tinc-down-${networkName}" ''
+            #!${pkgs.stdenv.shell}
+            /run/wrappers/bin/sudo ${pkgs.nettools}/bin/ifconfig $INTERFACE down
+        '';
+
+        # Allow the tinc service to call ifconfig without sudo password.
+        security.sudo.extraRules = [
+          {
+            users    = [ "tinc.${networkName}" ];
+            commands = [
+              {
+                command  = "${pkgs.nettools}/bin/ifconfig";
+                options  = [ "NOPASSWD" ];
+              }
+            ];
+          }
+        ];
+
+        # simple interface setup
+        # ----------------------
+        networking.interfaces."tinc.${networkName}".ipv4.addresses = [ { address = myMeshIp; prefixLength = 24; } ];
+
+        # firewall
+        networking.firewall.allowedUDPPorts = [ 655 ];
+        networking.firewall.allowedTCPPorts = [ 655 ];
+
+        # configure tinc service
+        # ----------------------
+        services.tinc.networks."${networkName}"= {
+
+          name          = ${cfg.hostName};       # who are we in this network.
+
+          debugLevel    = 3;            # the debug level for journal -u tinc.private
+          chroot        = false;        # otherwise addresses can't be a DNS
+          interfaceType = "tap";        # tun might also work.
+
+          ed25519PrivateKeyFile = cfg.ed25519PrivateKey;
+          rsaPrivateKeyFile = cfg.rsaPrivateKey;
+      };
+  );
+}

modules/my-tinc/hosts.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+with lib;
+let
+  hosts = import ./hosts;
+
+  cfg = config.services.my-tinc;
+
+  mapAttrs = f: attrs: builtins.listToAttrs (
+    map (name: { inherit name; value = f name (builtins.getAttr name attrs); }) (builtins.attrNames attrs)
+  );
+in
+{
+  config = mkIf cfg.enable {
+    # All hosts we know of
+    services.tinc.networks.my-tinc.hostSettings = mapAttrs (name: host: {
+      addresses = [ { inherit (host) address; } ];
+      subnets = [ { address = host.subnetAddr; } ];
+      rsaPublicKey = mkIf (host ? "rsaPublicKey") (builtins.readFile host.rsaPublicKey);
+      ed25519PublicKey = mkIf (host ? "ed25519PublicKey") (builtins.readFile host.ed25519PublicKey);
+    }) hosts;
+  };
+}

modules/my-tinc/hosts/default.nix

@@ -0,0 +1,10 @@
+{
+  # TODO: Edit the list of hosts here.
+  hosts = {
+    nki-cloud = {
+      subnetAddr = "10.0.0.10";
+      address = "nki.personal";
+      rsaPublicKey = ./nki-cloud;
+    };
+  };
+}

modules/my-tinc/nki-cloud.pub

@@ -0,0 +1,25 @@
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIECgKCBAEAxwaMWpHG9ZK33q5Q+Ug7wRowK5CTgBlAyGCTmyDjRwMA10qQQB+U
+THW2fm3HFgToeHpxXC5Ja76hSg9JPew0/zpdpmBn3Rmh9hF2JsqJ1JuEm0Ce/YyB
+4OHLPgAZ1KKBtL2bgs2ZTB8ssG7ZIxNEF4t2StYQV/yEAQD4tIhro4v4MoFlLnw4
+2bxbm+vfxMOC3U9q5G0nryxZDChOcDbtC984W4lFxPShIpKEz09zvnkCDRm7TFxD
+mk7lw3dvM392dbQtcU8JxzSE1TdnkRcJxE1N4A2BhvSD1CR0FomvLDzf7PkcICN1
+nmwQnptyjhBXU6Rs4uvBCHy6pp420ypSf8ryG+gJqbk6Eet7pNZKO7GSDzD9Quor
+Gd+8X55cjB+7TZ42Gy8FL7fS72Gb7m1XMzXFH3YHBCy8wKDpDhWzjFT5peSiTZ7K
+1fFECEyQffMG6o3ax48/8gTn5uezkjBaiOIeb9hcaoyU9pLtF8toL8ZYG9gOyKov
+YPJthdpV4sglpORAOs61kUtLgR0ZX4iM5BibPVWLZ7fMIk1/xT4UC8CcYUSs7jib
+8cx+bpuIehpIEf+biwmtv7IYgOKFXhsM7P1y49VOIXDa1xr/9IXumKQMRWmQ4V//
+JzBoRwcB2vQPOG6yLQqpx14arlPfD0W61RUsnI/mmXPA7t1E0g0tpyPtPvDBXlqi
+jPL1NQli0fyv3fD5qmn6KJag9pOEMvdsvL1gD9wyZbM66uoi3BE0xmUOKI9gAz1Q
+sFdpjGq3NHaZmCv8uhywe1aD6gh5fcFXr/musU87HIRi6NJDMt3Njz54kjnSlayH
+cr4hTkiQy4/N2aR5ymIp/OaNQGgogMv+SgEOwaP4kPdDGDwVYiXwr6ZqIoO/ZocC
+0BhS7RQ0SC0xGzJWCF6HLyjEPRmhQ7UHnuv+cPUnx5R0nJogCvCBUyZlKszpa5cF
+lO6FaWR9qhtmn6TcfqtfDIcuU4b8ojUAaqQVfV6STZxWKC3KS/bimJrOYCGhVl5c
+z+vQMQN/CTP1RNoMfgBSbYdgfeC1PZAhoVEaVFOkEeYmmPvidXPVnWSO4UHs7Gor
+wd7lKxVd63lZ5tGXsAO9j8h7cn4J9YoBuQx9jEDBsTepd+CeCkIVHrf27DU2QQuE
+Xnrx5ek9d38P1Wvtze5d/KcdjFHmkBlv85HvT3A1p8B4cgA26NQz25Rcil2RTnGG
+igrZ9FfT6COFaFkM/vXR2/3nPQiL8Y8QcKSqAC32OcHaETd0vf6jVcHDS3OEhO8/
+SWQT4wG2UNysNdVIcvkGSycIa4+fx6lQ+jIe/BDxNUAcGAmNqbF5aTAILFxxFbTN
+qu6wIwypM4EpfUHrOslyx00+PZGjVR3azQIDAQAB
+-----END RSA PUBLIC KEY-----

nki-personal-do/flake.nix

@@ -8,7 +8,10 @@
     # DigitalOcean node
     nixosConfigurations."nki-personal" = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
-      modules = [ ./configuration.nix ];
+      modules = [
+        ../modules/my-tinc
+        ./configuration.nix
+      ];
     };
     deploy.nodes."nki-personal" = {
       hostname = "nki-personal";

nki-personal-do/secrets/recipient.txt

@@ -0,0 +1 @@
+age1z2h24mjt80fryqupajkh3kg5r4sjgw65uqy489xeqxhqj8u2a9fsm3ff36