Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/tinc: allow configuration of RSA private key file #93538

Merged
merged 1 commit into from Aug 1, 2020

Conversation

@erictapen
Copy link
Member

@erictapen erictapen commented Jul 20, 2020

Motivation for this change

This is necessary for VPNs where some of the nodes run pre-1.1 versions, as those nodes can't use Ed25519 keys.

Most of Linux distros and even the nixpkgs.tinc attribute run on that version, so it might be useful to have that option.

Things done

Created a new option to use RAS key files. I ran this for three months now without an issue.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
This is necessary for VPNs where some of the nodes run pre-1.1 versions.

Most of Linux distros [0] and even the nixpkgs.tinc attribute run on that
version, so it might be useful to have that option.

[0] https://repology.org/project/tinc/versions
@erictapen erictapen force-pushed the erictapen:tinc-rsa-key-file branch from 44a6f19 to 1192255 Jul 20, 2020
[ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096
''}
# In case there isn't anything to do
true

This comment has been minimized.

@mweinelt

mweinelt Jul 26, 2020
Member

I don't quite understand the need for these two lines.

This comment has been minimized.

@erictapen

erictapen Jul 26, 2020
Author Member

If data.rsaed25519PrivateKeyFile != null && data.rsaPrivateKeyFile != null, then the then block would be empty, which is not permitted in bash. Therefore the noop.

@xeji
xeji approved these changes Aug 1, 2020
@xeji xeji merged commit 89e0d97 into NixOS:master Aug 1, 2020
14 checks passed
14 checks passed
Evaluation Performance Report Evaluator Performance Report
Details
grahamcofborg-eval ^.^!
Details
grahamcofborg-eval-check-maintainers matching changed paths to changed attrs...
Details
grahamcofborg-eval-check-meta config.nix: checkMeta = true
Details
grahamcofborg-eval-darwin nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="1192255"; rev="1192255677b4cd5f328a601c562c456ae06eb33d"; } ./pkgs/t
Details
grahamcofborg-eval-lib-tests nix-build --arg pkgs import ./. {} ./lib/tests/release.nix
Details
grahamcofborg-eval-nixos nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="1192255"; rev="1192255677b4cd5f328a601c562c456ae06eb33d"; } ./nixos/
Details
grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="1192255"; rev="1192255677b4cd5f328a601c562c456ae06eb33d"; } ./nixos/
Details
grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="1192255"; rev="1192255677b4cd5f328a601c562c456ae06eb33d"; } ./nixos/
Details
grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="1192255"; rev="1192255677b4cd5f328a601c562c456ae06eb33d"; } ./pkgs/t
Details
grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="1192255"; rev="1192255677b4cd5f328a601c562c456ae06eb33d"; } ./pkgs/t
Details
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="1192255"; rev="1192255677b4cd5f328a601c562c456ae06eb33d"; } ./pkgs/t
Details
grahamcofborg-eval-package-list nix-env -qa --json --file .
Details
grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
You can’t perform that action at this time.