diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix
index 2d43c3d962dd..828bbe130e67 100644
--- a/nixos/modules/services/networking/tinc.nix
+++ b/nixos/modules/services/networking/tinc.nix
@@ -43,6 +43,14 @@ in
 '';
 };
+ ed25519PrivateKeyFile = mkOption {
+ default = null;
+ type = types.nullOr types.path;
+ description = ''
+ Path of the private ed25519 keyfile.
+ '';
+ };
+
 debugLevel = mkOption {
 default = 0;
 type = types.addCheck types.int (l: l >= 0 && l <= 5);
@@ -70,6 +78,14 @@ in
 '';
 };
+ listenAddress = mkOption {
+ default = null;
+ type = types.nullOr types.str;
+ description = ''
+ The ip adress to bind to.
+ '';
+ };
+
 package = mkOption {
 default = pkgs.tinc_pre;
 description = ''
@@ -99,6 +115,8 @@ in
 text = ''
 Name = ${if data.name == null then "$HOST" else data.name}
 DeviceType = ${data.interfaceType}
+ ${optionalString (data.ed25519PrivateKeyFile != null) "Ed25519PrivateKeyFile = ${data.ed25519PrivateKeyFile}"}
+ ${optionalString (data.listenAddress != null) "BindToAddress = ${data.listenAddress}"}
 Device = /dev/net/tun
 Interface = tinc.${network}
 ${data.extraConfig}
@@ -134,10 +152,10 @@ in
 # Determine how we should generate our keys
 if type tinc >/dev/null 2>&1; then
 # Tinc 1.1+ uses the tinc helper application for key generation
-
+ ${if data.ed25519PrivateKeyFile != null then " # Keyfile managed by nix" else ''
 # Prefer ED25519 keys (only in 1.1+)
 [ -f "/etc/tinc/${network}/ed25519_key.priv" ] || tinc -n ${network} generate-ed25519-keys
-
+ ''}
 # Otherwise use RSA keys
 [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096
 else
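Review bot: The `ed25519PrivateKeyFile` option is declared as `types.nullOr types.path`, and its value is interpolated unquoted into tinc.conf in the third hunk (`Ed25519PrivateKeyFile = ${data.ed25519PrivateKeyFile}`); if a user supplies a Nix path literal such as `./key.priv`, the string coercion copies the private key into the world-readable Nix store before tinc ever reads it. The option description should say so, and steer users to a plain string pointing at a file deployed out of band, e.g. `Path of the private ed25519 key file. Must be given as a string (not a Nix path), since a path literal would copy the key into the world-readable Nix store. When set, the module writes it as Ed25519PrivateKeyFile in tinc.conf and skips ed25519 key generation in preStart.` The preStart that consumes this value lives in the fourth hunk.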
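Review bot: The `listenAddress` description in the second hunk has a typo and does not name the tinc.conf key it controls, which the third hunk shows is `BindToAddress`; change it to `The IP address to bind to (written as BindToAddress in tinc.conf).` The value is a free-form `types.str` interpolated unquoted into tinc.conf, so the description might also note that tinc's BindToAddress syntax (address and optional port) is what is expected.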
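Review bot: When `ed25519PrivateKeyFile` is set, the fourth hunk only drops the ed25519 key generation and emits the comment `# Keyfile managed by nix`, but nothing in preStart verifies that the configured file actually exists and is readable, so a missing or wrongly deployed key surfaces only as a tinc startup failure rather than a clear preStart error. A small check in the then-branch would make this explicit, for example `[ -r "${data.ed25519PrivateKeyFile}" ] || { echo "tinc: ed25519PrivateKeyFile ${data.ed25519PrivateKeyFile} is not readable" >&2; exit 1; }` in place of the bare comment. Note the then-branch string is `" # Keyfile managed by nix"` with an unusual leading-space layout; the surrounding preStart script starts and ends outside the hunk.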