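# NixOS module for the mycelium overlay network daemon.
#
# Defines `services.mycelium.*` options and, when enabled, a hardened
# systemd unit that runs `mycelium` as a dynamic user with only the
# CAP_NET_ADMIN capability it needs to manage its TUN interface.
{
  config,
  pkgs,
  lib,
  utils,
  ...
}:

let
  cfg = config.services.mycelium;

  # Public nodes operated by the upstream project, see
  # <https://github.com/threefoldtech/mycelium#hosted-public-nodes>.
  # These are third-party hosts; with `addHostedPublicNodes = true` (the
  # default) the daemon will reach out to them on startup.
  hostedPublicNodes = [
    "tcp://188.40.132.242:9651" # DE 01
    "tcp://[2a01:4f8:221:1e0b::2]:9651"
    "quic://188.40.132.242:9651"
    "quic://[2a01:4f8:221:1e0b::2]:9651"

    "tcp://136.243.47.186:9651" # DE 02
    "tcp://[2a01:4f8:212:fa6::2]:9651"
    "quic://136.243.47.186:9651"
    "quic://[2a01:4f8:212:fa6::2]:9651"

    "tcp://185.69.166.7:9651" # BE 03
    "tcp://[2a02:1802:5e:0:8478:51ff:fee2:3331]:9651"
    "quic://185.69.166.7:9651"
    "quic://[2a02:1802:5e:0:8478:51ff:fee2:3331]:9651"

    "tcp://185.69.166.8:9651" # BE 04
    "tcp://[2a02:1802:5e:0:8c9e:7dff:fec9:f0d2]:9651"
    "quic://185.69.166.8:9651"
    "quic://[2a02:1802:5e:0:8c9e:7dff:fec9:f0d2]:9651"

    "tcp://65.21.231.58:9651" # FI 05
    "tcp://[2a01:4f9:6a:1dc5::2]:9651"
    "quic://65.21.231.58:9651"
    "quic://[2a01:4f9:6a:1dc5::2]:9651"

    "tcp://65.109.18.113:9651" # FI 06
    "tcp://[2a01:4f9:5a:1042::2]:9651"
    "quic://65.109.18.113:9651"
    "quic://[2a01:4f9:5a:1042::2]:9651"
  ];

  # Only emit `--peers` when there is at least one peer to pass.
  peerArgs =
    lib.optional (cfg.addHostedPublicNodes || cfg.peers != [ ]) "--peers"
    ++ cfg.peers
    ++ lib.optionals cfg.addHostedPublicNodes hostedPublicNodes;
in
{
  options.services.mycelium = {
    enable = lib.mkEnableOption "mycelium network";
    peers = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = ''
        List of peers to connect to, in the formats:
        - `quic://[2001:0db8::1]:9651`
        - `quic://192.0.2.1:9651`
        - `tcp://[2001:0db8::1]:9651`
        - `tcp://192.0.2.1:9651`

        If addHostedPublicNodes is set to true, the hosted public nodes will also be added.
      '';
      default = [ ];
    };
    keyFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = ''
        Optional path to a file containing the mycelium key material.
        If unset, the default location (`/var/lib/mycelium/key.bin`) will be used.
        If no key exist at this location, it will be generated on startup.
      '';
    };
    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Open the firewall for mycelium";
    };
    package = lib.mkPackageOption pkgs "mycelium" { };
    addHostedPublicNodes = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Adds the hosted peers from <https://github.com/threefoldtech/mycelium#hosted-public-nodes>.
      '';
    };
    extraArgs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        Extra command-line arguments to pass to mycelium.

        See `mycelium --help` for all available options.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Ports the daemon listens on; only opened when explicitly requested.
    networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ 9651 ];
    networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [
      9650
      9651
    ];

    environment.systemPackages = [ cfg.package ];

    systemd.services.mycelium = {
      description = "Mycelium network";
      after = [
        "network.target"
        "network-online.target"
      ];
      wants = [
        "network-online.target"
      ];
      wantedBy = [ "multi-user.target" ];
      # Restart the unit when an externally supplied key file changes.
      # (A `null` keyFile is simply omitted instead of being hashed in.)
      restartTriggers = lib.optional (cfg.keyFile != null) cfg.keyFile;

      unitConfig.Documentation = "https://github.com/threefoldtech/mycelium";

      serviceConfig = {
        User = "mycelium";
        DynamicUser = true;
        # Backs `%S/mycelium`, the default key location.
        StateDirectory = "mycelium";
        ProtectHome = true;
        # NOTE(review): `strict` would also work with StateDirectory, but the
        # daemon's other write locations have not been verified here.
        ProtectSystem = true;
        # A user-supplied key is handed to the service through the credential
        # mechanism, so it can stay root-owned and unreadable to other users.
        LoadCredential = lib.mkIf (cfg.keyFile != null) "keyfile:${cfg.keyFile}";
        SyslogIdentifier = "mycelium";
        # Needed to create/configure the `mycelium` TUN interface.
        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
        MemoryDenyWriteExecute = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        # AF_NETLINK is required for interface/route configuration.
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged @keyring"
        ];
        ExecStart = lib.concatStringsSep " " [
          (lib.getExe cfg.package)
          # Deliberately NOT passed through escapeSystemdExecArgs: the
          # `${CREDENTIALS_DIRECTORY}` and `%S` references must reach systemd
          # unescaped so that it expands them when the service starts.
          (
            if cfg.keyFile != null then
              "--key-file \${CREDENTIALS_DIRECTORY}/keyfile"
            else
              "--key-file %S/mycelium/key.bin"
          )
          # Everything else — including the user-supplied `peers`, which
          # previously were interpolated verbatim — is escaped so that
          # whitespace, `%` or `$` inside a value cannot alter the command
          # line systemd parses. `extraArgs` stay ahead of `--peers` so they
          # are not swallowed as additional peer values.
          (utils.escapeSystemdExecArgs (
            [
              "--tun-name"
              "mycelium"
            ]
            ++ cfg.extraArgs
            ++ peerArgs
          ))
        ];
        Restart = "always";
        RestartSec = 5;
        TimeoutStopSec = 5;
      };
    };
  };

  meta = {
    maintainers = with lib.maintainers; [
      flokli
      lassulus
    ];
  };
}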