nixos/modules/services/networking/mycelium.nix

   1 {
   2   config,
   3   pkgs,
   4   lib,
   5   utils,
   6   ...
   7 }:
   8
   9 let
  10   cfg = config.services.mycelium;
  11 in
  12 {
  13   options.services.mycelium = {
  14     enable = lib.mkEnableOption "mycelium network";
  15     peers = lib.mkOption {
  16       type = lib.types.listOf lib.types.str;
  17       description = ''
  18         List of peers to connect to, in the formats:
  19          - `quic://[2001:0db8::1]:9651`
  20          - `quic://192.0.2.1:9651`
  21          - `tcp://[2001:0db8::1]:9651`
  22          - `tcp://192.0.2.1:9651`
  23
  24         If addHostedPublicNodes is set to true, the hosted public nodes will also be added.
  25       '';
  26       default = [ ];
  27     };
  28     keyFile = lib.mkOption {
  29       type = lib.types.nullOr lib.types.path;
  30       default = null;
  31       description = ''
  32         Optional path to a file containing the mycelium key material.
  33         If unset, the default location (`/var/lib/mycelium/key.bin`) will be used.
  34         If no key exist at this location, it will be generated on startup.
  35       '';
  36     };
  37     openFirewall = lib.mkOption {
  38       type = lib.types.bool;
  39       default = false;
  40       description = "Open the firewall for mycelium";
  41     };
  42     package = lib.mkOption {
  43       type = lib.types.package;
  44       default = pkgs.mycelium;
  45       defaultText = lib.literalExpression ''"''${pkgs.mycelium}"'';
  46       description = "The mycelium package to use";
  47     };
  48     addHostedPublicNodes = lib.mkOption {
  49       type = lib.types.bool;
  50       default = true;
  51       description = ''
  52         Adds the hosted peers from https://github.com/threefoldtech/mycelium#hosted-public-nodes.
  53       '';
  54     };
  55     extraArgs = lib.mkOption {
  56       type = lib.types.listOf lib.types.str;
  57       default = [ ];
  58       description = ''
  59         Extra command-line arguments to pass to mycelium.
  60
  61         See `mycelium --help` for all available options.
  62       '';
  63     };
  64   };
  65   config = lib.mkIf cfg.enable {
  66     networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ 9651 ];
  67     networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [
  68       9650
  69       9651
  70     ];
  71
  72     environment.systemPackages = [ cfg.package ];
  73
  74     systemd.services.mycelium = {
  75       description = "Mycelium network";
  76       after = [ "network.target" ];
  77       wantedBy = [ "multi-user.target" ];
  78       restartTriggers = [
  79         cfg.keyFile
  80       ];
  81
  82       unitConfig.Documentation = "https://github.com/threefoldtech/mycelium";
  83
  84       serviceConfig = {
  85         User = "mycelium";
  86         DynamicUser = true;
  87         StateDirectory = "mycelium";
  88         ProtectHome = true;
  89         ProtectSystem = true;
  90         LoadCredential = lib.mkIf (cfg.keyFile != null) "keyfile:${cfg.keyFile}";
  91         SyslogIdentifier = "mycelium";
  92         AmbientCapabilities = [ "CAP_NET_ADMIN" ];
  93         MemoryDenyWriteExecute = true;
  94         ProtectControlGroups = true;
  95         ProtectKernelModules = true;
  96         ProtectKernelTunables = true;
  97         RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
  98         RestrictNamespaces = true;
  99         RestrictRealtime = true;
 100         SystemCallArchitectures = "native";
 101         SystemCallFilter = [
 102           "@system-service"
 103           "~@privileged @keyring"
 104         ];
 105         ExecStart = lib.concatStringsSep " " (
 106           [
 107             (lib.getExe cfg.package)
 108             (
 109               if (cfg.keyFile != null) then
 110                 "--key-file \${CREDENTIALS_DIRECTORY}/keyfile"
 111               else
 112                 "--key-file %S/mycelium/key.bin"
 113             )
 114             "--tun-name"
 115             "mycelium"
 116             "${utils.escapeSystemdExecArgs cfg.extraArgs}"
 117           ]
 118           ++ (lib.optional (cfg.addHostedPublicNodes || cfg.peers != [ ]) "--peers")
 119           ++ cfg.peers
 120           ++ (lib.optionals cfg.addHostedPublicNodes [
 121             "tcp://188.40.132.242:9651" # DE 01
 122             "tcp://[2a01:4f8:221:1e0b::2]:9651"
 123             "quic://188.40.132.242:9651"
 124             "quic://[2a01:4f8:221:1e0b::2]:9651"
 125
 126             "tcp://136.243.47.186:9651" # DE 02
 127             "tcp://[2a01:4f8:212:fa6::2]:9651"
 128             "quic://136.243.47.186:9651"
 129             "quic://[2a01:4f8:212:fa6::2]:9651"
 130
 131             "tcp://185.69.166.7:9651" # BE 03
 132             "tcp://[2a02:1802:5e:0:8478:51ff:fee2:3331]:9651"
 133             "quic://185.69.166.7:9651"
 134             "quic://[2a02:1802:5e:0:8478:51ff:fee2:3331]:9651"
 135
 136             "tcp://185.69.166.8:9651" # BE 04
 137             "tcp://[2a02:1802:5e:0:8c9e:7dff:fec9:f0d2]:9651"
 138             "quic://185.69.166.8:9651"
 139             "quic://[2a02:1802:5e:0:8c9e:7dff:fec9:f0d2]:9651"
 140
 141             "tcp://65.21.231.58:9651" # FI 05
 142             "tcp://[2a01:4f9:6a:1dc5::2]:9651"
 143             "quic://65.21.231.58:9651"
 144             "quic://[2a01:4f9:6a:1dc5::2]:9651"
 145
 146             "tcp://65.109.18.113:9651" # FI 06
 147             "tcp://[2a01:4f9:5a:1042::2]:9651"
 148             "quic://65.109.18.113:9651"
 149             "quic://[2a01:4f9:5a:1042::2]:9651"
 150           ])
 151         );
 152         Restart = "always";
 153         RestartSec = 5;
 154         TimeoutStopSec = 5;
 155       };
 156     };
 157   };
 158   meta = {
 159     maintainers = with lib.maintainers; [
 160       flokli
 161       lassulus
 162     ];
 163   };
 164 }