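# NixOS module for the mycelium overlay network daemon.
#
# Declares `services.mycelium.*` and, when enabled, a hardened systemd unit
# (DynamicUser, seccomp filter, restricted address families) that runs the
# daemon with only CAP_NET_ADMIN for creating its TUN interface.
{
  config,
  pkgs,
  lib,
  utils,
  ...
}:

let
  cfg = config.services.mycelium;
in
{
  options.services.mycelium = {
    enable = lib.mkEnableOption "mycelium network";
    peers = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = ''
        List of peers to connect to, in the formats:
        - `quic://[2001:0db8::1]:9651`
        - `quic://192.0.2.1:9651`
        - `tcp://[2001:0db8::1]:9651`
        - `tcp://192.0.2.1:9651`

        If addHostedPublicNodes is set to true, the hosted public nodes will also be added.
      '';
      default = [ ];
    };
    # NOTE: a Nix path literal (e.g. `./key.bin`) is copied into the
    # world-readable Nix store; set an absolute path *string* outside the
    # store instead. The file is passed to the service via LoadCredential=
    # below, and the credentials directory is read-only for the service, so
    # the "generated on startup" behaviour only applies to the default
    # location under the state directory.
    keyFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = ''
        Optional path to a file containing the mycelium key material.
        If unset, the default location (`/var/lib/mycelium/key.bin`) will be used.
        If no key exist at this location, it will be generated on startup.
      '';
    };
    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Open the firewall for mycelium";
    };
    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.mycelium;
      # Show the attribute path in the rendered docs, not an interpolated store path.
      defaultText = lib.literalExpression "pkgs.mycelium";
      description = "The mycelium package to use";
    };
    addHostedPublicNodes = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Adds the hosted peers from https://github.com/threefoldtech/mycelium#hosted-public-nodes.
      '';
    };
    extraArgs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        Extra command-line arguments to pass to mycelium.

        See `mycelium --help` for all available options.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    # 9651 is the peer listen port (TCP and QUIC/UDP); 9650 is only UDP.
    networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ 9651 ];
    networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [
      9650
      9651
    ];

    environment.systemPackages = [ cfg.package ];

    systemd.services.mycelium = {
      description = "Mycelium network";
      after = [
        "network.target"
        "network-online.target"
      ];
      wants = [
        "network-online.target"
      ];
      wantedBy = [ "multi-user.target" ];
      # Restart the daemon when the configured key file changes
      # (`null` when unset, which contributes nothing to the trigger).
      restartTriggers = [
        cfg.keyFile
      ];

      unitConfig.Documentation = "https://github.com/threefoldtech/mycelium";

      serviceConfig = {
        User = "mycelium";
        DynamicUser = true;
        # Becomes /var/lib/mycelium, referenced below as %S/mycelium.
        StateDirectory = "mycelium";
        ProtectHome = true;
        ProtectSystem = true;
        # The key is exposed to the process read-only as
        # $CREDENTIALS_DIRECTORY/keyfile instead of being readable on disk by
        # the dynamic user.
        LoadCredential = lib.mkIf (cfg.keyFile != null) "keyfile:${cfg.keyFile}";
        SyslogIdentifier = "mycelium";
        # CAP_NET_ADMIN is needed to create and configure the TUN interface;
        # restrict the bounding set so no other capability can ever be acquired.
        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
        CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
        MemoryDenyWriteExecute = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        # AF_NETLINK is required for interface/route configuration.
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged @keyring"
        ];
        ExecStart = lib.concatStringsSep " " (
          [
            (lib.getExe cfg.package)
            # These arguments deliberately bypass escapeSystemdExecArg:
            # ${CREDENTIALS_DIRECTORY} and %S must be expanded by systemd.
            (
              if (cfg.keyFile != null) then
                "--key-file \${CREDENTIALS_DIRECTORY}/keyfile"
              else
                "--key-file %S/mycelium/key.bin"
            )
            "--tun-name"
            "mycelium"
          ]
          # User-supplied values are quoted and have `%`/`$` escaped so that
          # systemd specifier and variable expansion cannot alter them.
          ++ (map utils.escapeSystemdExecArg cfg.extraArgs)
          ++ (lib.optional (cfg.addHostedPublicNodes || cfg.peers != [ ]) "--peers")
          ++ (map utils.escapeSystemdExecArg cfg.peers)
          ++ (lib.optionals cfg.addHostedPublicNodes [
            "tcp://188.40.132.242:9651" # DE 01
            "tcp://[2a01:4f8:221:1e0b::2]:9651"
            "quic://188.40.132.242:9651"
            "quic://[2a01:4f8:221:1e0b::2]:9651"

            "tcp://136.243.47.186:9651" # DE 02
            "tcp://[2a01:4f8:212:fa6::2]:9651"
            "quic://136.243.47.186:9651"
            "quic://[2a01:4f8:212:fa6::2]:9651"

            "tcp://185.69.166.7:9651" # BE 03
            "tcp://[2a02:1802:5e:0:8478:51ff:fee2:3331]:9651"
            "quic://185.69.166.7:9651"
            "quic://[2a02:1802:5e:0:8478:51ff:fee2:3331]:9651"

            "tcp://185.69.166.8:9651" # BE 04
            "tcp://[2a02:1802:5e:0:8c9e:7dff:fec9:f0d2]:9651"
            "quic://185.69.166.8:9651"
            "quic://[2a02:1802:5e:0:8c9e:7dff:fec9:f0d2]:9651"

            "tcp://65.21.231.58:9651" # FI 05
            "tcp://[2a01:4f9:6a:1dc5::2]:9651"
            "quic://65.21.231.58:9651"
            "quic://[2a01:4f9:6a:1dc5::2]:9651"

            "tcp://65.109.18.113:9651" # FI 06
            "tcp://[2a01:4f9:5a:1042::2]:9651"
            "quic://65.109.18.113:9651"
            "quic://[2a01:4f9:5a:1042::2]:9651"
          ])
        );
        Restart = "always";
        RestartSec = 5;
        TimeoutStopSec = 5;
      };
    };
  };
  meta = {
    maintainers = with lib.maintainers; [
      flokli
      lassulus
    ];
  };
}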