Host private yggdrasil peer

Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>

machines/celerrime/default.nix

@@ -23,6 +23,7 @@ in {
     torrent.enable = true;
     virtualisation.enable = false;
     yggdrasil-client.enable = true;
+    yggdrasil-peer.enable = false;
 
     server = { ivabus-dev.enable = false; };
   };

machines/periculo/default.nix

@@ -22,6 +22,7 @@ in {
     torrent.enable = false;
     virtualisation.enable = false;
     yggdrasil-client.enable = false;
+    yggdrasil-peer.enable = false;
 
     server = { ivabus-dev.enable = false; };
   };

machines/rubusidaeus/default.nix

@@ -25,7 +25,7 @@ in {
     ntp-server.enable = true;
     torrent.enable = false;
     virtualisation.enable = false;
-    yggdrasil-client.enable = true;
+    yggdrasil-peer.enable = true;
 
     server = { ivabus-dev.enable = true; };
   };

machines/stella/default.nix

@@ -29,7 +29,8 @@ in {
     media-client.enable = true;
     torrent.enable = false;
     virtualisation.enable = false;
-    yggdrasil-client.enable = false;
+    yggdrasil-client.enable = true;
+    yggdrasil-peer.enable = false;
   };
 
   my.users = {

machines/vetus/default.nix

@@ -19,6 +19,7 @@ in {
     latex.enable = true;
     virtualisation.enable = true;
     yggdrasil-client.enable = true;
+    yggdrasil-peer.enable = false;
   };
 
   my.users = {

roles/default.nix

@@ -11,6 +11,7 @@
     ./torrent.nix
     ./virtualisation.nix
     ./yggdrasil-client.nix
+    ./yggdrasil-peer.nix
 
     ./server/nginx.nix
     ./server/ivabus-dev.nix

roles/yggdrasil-client.nix

@@ -1,17 +1,20 @@
-{ config, lib, ... }:
+{ config, lib, secrets, ... }:
 
 let cfg = config.my.roles.yggdrasil-client;
 in {
   options.my.roles.yggdrasil-client.enable =
     lib.mkEnableOption "Enable yggdrasil";
   config = lib.mkIf (cfg.enable) {
+    my.features.secrets = lib.mkForce true;
     services.yggdrasil = {
       enable = true;
       persistentKeys = true;
-      settings = {
-        Peers = [
-          # TODO: Maybe add more peers, not only mine. But for now it's ok
-          "tls://ygg.iva.bz:50002"
+      settings = 
+      {
+        # Not connecting to global ygg network
+        Peers = lib.mkDefault [
+          "quic://${secrets.yggdrasil-peer}:60003?password=${secrets.yggdrasil-password}"
+          "tls://${secrets.yggdrasil-peer}:60002?password=${secrets.yggdrasil-password}"
         ];
       };
     };

roles/yggdrasil-peer.nix

@@ -0,0 +1,26 @@
+{ config, lib, secrets, ... }:
+
+let cfg = config.my.roles.yggdrasil-peer;
+in {
+  options.my.roles.yggdrasil-peer.enable =
+    lib.mkEnableOption "Enable yggdrasil (semi-public) peer";
+  config = lib.mkIf (cfg.enable) {
+    my.features.secrets = lib.mkForce true;
+	my.roles.yggdrasil-client.enable = true;
+    services.yggdrasil = {
+      enable = true;
+      persistentKeys = true;
+      settings = 
+      {
+        # Not connecting to global ygg network
+        Peers = lib.mkForce [];
+		Listen = [
+          "quic://[::]:60003?password=${secrets.yggdrasil-password}"
+          "tls://[::]:60002?password=${secrets.yggdrasil-password}"
+		];
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 60002 ];
+    networking.firewall.allowedUDPPorts = [ 60003 ];
+  };
+}

secrets.nix

@@ -8,4 +8,6 @@ in if (canaryHash != expectedHash && config.my.features.secrets) then
 else {
   hashed-password = builtins.readFile ./secrets/hashed-password;
   maas-address = builtins.readFile ./secrets/maas-address;
+  yggdrasil-peer = builtins.readFile ./secrets/yggdrasil-peer;
+  yggdrasil-password = builtins.readFile ./secrets/yggdrasil-password;
 }