blob: 9c4bca7c686187baa9db85f0347d2a49ecb11967 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
{ config, pkgs, lib, ... }:
let
cfg = config.services.mycelium;
in
{
options.services.mycelium = {
enable = lib.mkEnableOption "mycelium network";
peers = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of peers to connect to, in the formats:
- `quic://[2001:0db8::1]:9651`
- `quic://192.0.2.1:9651`
- `tcp://[2001:0db8::1]:9651`
- `tcp://192.0.2.1:9651`
If addHostedPublicNodes is set to true, the hosted public nodes will also be added.
'';
default = [ ];
};
keyFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Optional path to a file containing the mycelium key material.
If unset, the default location (`/var/lib/mycelium/key.bin`) will be used.
If no key exist at this location, it will be generated on startup.
'';
};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Open the firewall for mycelium";
};
package = lib.mkOption {
type = lib.types.package;
default = pkgs.mycelium;
defaultText = lib.literalExpression ''"''${pkgs.mycelium}"'';
description = "The mycelium package to use";
};
addHostedPublicNodes = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Adds the hosted peers from https://github.com/threefoldtech/mycelium#hosted-public-nodes.
'';
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ 9651 ];
networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [ 9650 9651 ];
systemd.services.mycelium = {
description = "Mycelium network";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [
cfg.keyFile
];
unitConfig.Documentation = "https://github.com/threefoldtech/mycelium";
serviceConfig = {
User = "mycelium";
DynamicUser = true;
StateDirectory = "mycelium";
ProtectHome = true;
ProtectSystem = true;
LoadCredential = lib.mkIf (cfg.keyFile != null) "keyfile:${cfg.keyFile}";
SyslogIdentifier = "mycelium";
AmbientCapabilities = [ "CAP_NET_ADMIN" ];
MemoryDenyWriteExecute = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged @keyring" ];
ExecStart = lib.concatStringsSep " " ([
(lib.getExe cfg.package)
(if (cfg.keyFile != null) then
"--key-file \${CREDENTIALS_DIRECTORY}/keyfile" else
"--key-file %S/mycelium/key.bin"
)
"--tun-name"
"mycelium"
] ++
(lib.optional (cfg.addHostedPublicNodes || cfg.peers != [ ]) "--peers")
++ cfg.peers ++ (lib.optionals cfg.addHostedPublicNodes [
"tcp://188.40.132.242:9651" # DE 01
"tcp://[2a01:4f8:221:1e0b::2]:9651"
"quic://188.40.132.242:9651"
"quic://[2a01:4f8:221:1e0b::2]:9651"
"tcp://136.243.47.186:9651" # DE 02
"tcp://[2a01:4f8:212:fa6::2]:9651"
"quic://136.243.47.186:9651"
"quic://[2a01:4f8:212:fa6::2]:9651"
"tcp://185.69.166.7:9651" # BE 03
"tcp://[2a02:1802:5e:0:8478:51ff:fee2:3331]:9651"
"quic://185.69.166.7:9651"
"quic://[2a02:1802:5e:0:8478:51ff:fee2:3331]:9651"
"tcp://185.69.166.8:9651" # BE 04
"tcp://[2a02:1802:5e:0:8c9e:7dff:fec9:f0d2]:9651"
"quic://185.69.166.8:9651"
"quic://[2a02:1802:5e:0:8c9e:7dff:fec9:f0d2]:9651"
"tcp://65.21.231.58:9651" # FI 05
"tcp://[2a01:4f9:6a:1dc5::2]:9651"
"quic://65.21.231.58:9651"
"quic://[2a01:4f9:6a:1dc5::2]:9651"
"tcp://65.109.18.113:9651" # FI 06
"tcp://[2a01:4f9:5a:1042::2]:9651"
"quic://65.109.18.113:9651"
"quic://[2a01:4f9:5a:1042::2]:9651"
]));
Restart = "always";
RestartSec = 5;
TimeoutStopSec = 5;
};
};
};
meta = {
maintainers = with lib.maintainers; [ flokli lassulus ];
};
}
|