nospoon/module.nix at main · jjacke13/nospoon · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
{ self }:

{ config, lib, pkgs, ... }:

let
  cfg = config.services.nospoon;

  isServer = cfg.mode == "server";
  isClient = cfg.mode == "client";

  defaultIp = if isServer then "10.0.0.1/24" else "10.0.0.2/24";

  seedFilePath = if cfg.seedFile != null then cfg.seedFile
                  else if isServer then "${cfg.dataDir}/seed"
                  else null;

  generatedConfig = builtins.toJSON ({
    mode = cfg.mode;
    ip = cfg.ip;
    mtu = cfg.mtu;
    fullTunnel = cfg.fullTunnel;
  }
  // lib.optionalAttrs (cfg.ipv6 != null) { ipv6 = cfg.ipv6; }
  // lib.optionalAttrs (seedFilePath != null) { seedFile = seedFilePath; }
  // lib.optionalAttrs isClient { server = cfg.serverAddress; }
  // lib.optionalAttrs (cfg.outInterface != null) { outInterface = cfg.outInterface; }
  // lib.optionalAttrs (cfg.peers != { }) { peers = cfg.peers; }
  );

  generatedConfigFile = pkgs.writeText "nospoon-config.json" generatedConfig;

  configFilePath = if cfg.configFile != null then cfg.configFile
                   else generatedConfigFile;

in {
  options.services.nospoon = {
    enable = lib.mkEnableOption "nospoon P2P VPN";

    package = lib.mkOption {
      type = lib.types.package;
      default = self.packages.${pkgs.system}.nospoon;
      description = "The nospoon package to use";
    };

    configFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = ''
        Path to a user-managed nospoon config file (JSONC format).
        When set, all other nospoon options except 'package' are ignored.
        Use this to keep secrets (seed) out of the Nix store.
      '';
    };

    mode = lib.mkOption {
      type = lib.types.enum [ "server" "client" ];
      default = "server";
      description = "Operation mode";
    };

    dataDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/nospoon";
      description = "State directory for nospoon";
    };

    ip = lib.mkOption {
      type = lib.types.str;
      default = defaultIp;
      description = "TUN interface IPv4 address in CIDR notation";
    };

    ipv6 = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = "TUN interface IPv6 address in CIDR notation";
    };

    seedFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = ''
        Path to file containing 64-char hex seed for deterministic key.
        If null and mode is server, defaults to dataDir/seed (auto-generated on first boot).
      '';
    };

    mtu = lib.mkOption {
      type = lib.types.int;
      default = 1400;
      description = "TUN interface MTU";
    };

    fullTunnel = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Enable full tunnel mode. For server: acts as NAT for clients.
        For client: routes all internet traffic through the VPN.
      '';
    };

    outInterface = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = "Outgoing network interface for NAT (auto-detected if null)";
    };

    serverAddress = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        Server public key (64-char hex) to connect to.
        Required for client mode when configFile is not set.
      '';
    };

    peers = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = { };
      example = {
        "abc123def456789012345678901234567890123456789012345678901234" = "10.0.0.2";
        "fedcba987654321098765432109876543210987654321098765432109876" = "10.0.0.3";
      };
      description = ''
        Map of client public keys to IP addresses for authenticated mode.
        Embedded directly in the generated config file.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.configFile != null || !isClient || cfg.serverAddress != null;
        message = "services.nospoon.serverAddress is required in client mode when configFile is not set";
      }
      {
        assertion = cfg.configFile == null || (cfg.peers == { } && cfg.seedFile == null);
        message = "services.nospoon: configFile is mutually exclusive with peers and seedFile — those options are ignored when configFile is set";
      }
    ];

    systemd.tmpfiles.rules = [
      "d ${cfg.dataDir} 0755 root root -"
    ];

    system.activationScripts.nospoon-seed = lib.mkIf (cfg.configFile == null && isServer) (
      lib.stringAfter ["users"] ''
        if [ ! -f "${cfg.dataDir}/seed" ]; then
          ${pkgs.openssl}/bin/openssl rand -hex 32 > "${cfg.dataDir}/seed"
          chmod 600 "${cfg.dataDir}/seed"
          echo "nospoon: generated seed file at ${cfg.dataDir}/seed"
        fi
      ''
    );

    systemd.services.nospoon = {
      description = "nospoon P2P VPN (${cfg.mode})";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      path = [ pkgs.iptables pkgs.iproute2 pkgs.procps ];

      serviceConfig = {
        Type = "simple";
        User = "root";
        Group = "root";
        WorkingDirectory = cfg.dataDir;
        ExecStart = "${cfg.package}/bin/nospoon up ${configFilePath}";
        Restart = "on-failure";
        RestartSec = "5s";
      };
    };
  };
}