From patchwork Thu Jun 11 13:56:56 2020
X-Patchwork-Submitter: Csepp
X-Patchwork-Id: 22642
Subject: [bug#41803] [PATCH] Yggdrasil package and accompanying shepherd service (mesh network)
From: raingloom
To: 41803@debbugs.gnu.org
Date: Thu, 11 Jun 2020 15:56:56 +0200
Message-ID: <20200611155656.7ece9c24@riseup.net>

from: https://yggdrasil-network.github.io/
"Yggdrasil is an early-stage implementation of a fully end-to-end encrypted IPv6 network."

I spent the last few days packaging it and now it's in a state where I think it's usable.

The configuration can include private keys, so that part should NOT go in the operating system config, because it would get stored in the world-readable Guix store. Nix works around this by merging the generated config with a JSON file and sending it to yggdrasil over its stdin. I chose not to do that because I couldn't figure out how to open a service's stdin and because I think the way I did it is much more elegant in the long run.

The package is lightly patched to take not one but two config files, and it simply merges them internally. The patch is completely backwards compatible and unobtrusive. It took me about an hour to write and debug, and most of that was just figuring out Go's syntax and type system.
I will try to get upstream to accept it, or implement similar functionality.

Still TODO: documenting the service as an info page.

The gist of using it is:
1. look at example operating system
2. see yggdrasil -genconf -json for config options
(3.) optional: save output as /etc/yggdrasil-secret.conf
(4.) chmod 600 /etc/yggdrasil-secret.conf
(5.) delete everything but the signing and encryption keys
6. add peers as needed, or set autoconf? to #t to connect through a local peer

It seems to work fine. I could connect to open peers from one machine and another one could auto-configure itself to connect through the first one over the LAN. It's pretty nifty.

From d2d9ad6c3402924edd6090ffcad50e2c9d2bd448 Mon Sep 17 00:00:00 2001
From: raingloom
Date: Thu, 11 Jun 2020 14:16:42 +0200
Subject: [PATCH 5/5] gnu: system: add example with yggdrasil

* gnu/system/examples/yggdrasil.tmpl: New file.
---
 gnu/system/examples/yggdrasil.tmpl | 61 ++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 gnu/system/examples/yggdrasil.tmpl

diff --git a/gnu/system/examples/yggdrasil.tmpl b/gnu/system/examples/yggdrasil.tmpl
new file mode 100644
index 0000000000..244a899bd0
--- /dev/null
+++ b/gnu/system/examples/yggdrasil.tmpl
@@ -0,0 +1,61 @@ +;; This is an operating system configuration template +;; for a "bare bones" setup, with no X11 display server. + +(use-modules (gnu)) +(use-service-modules networking ssh) +(use-package-modules admin networking screen) + +(operating-system + (host-name "ruby-guard-5545") + (timezone "Europe/Budapest") + (locale "en_US.utf8") + + ;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the + ;; target hard disk, and "my-root" is the label of the target + ;; root file system. + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/sdX"))) + (file-systems (cons (file-system + (device (file-system-label "my-root")) + (mount-point "/") + (type "ext4")) + %base-file-systems)) + + ;; This is where user accounts are specified. The "root" + ;; account is implicit, and is initially created with the + ;; empty password. + (users (cons (user-account + (name "alice") + (comment "Bob's sister") + (group "users") + + ;; Adding the account to the "wheel" group + ;; makes it a sudoer. Adding it to "audio" + ;; and "video" allows the user to play sound + ;; and access the webcam. + (supplementary-groups '("wheel" + "audio" "video"))) + %base-user-accounts)) + + ;; Globally-installed packages. + (packages (cons* screen yggdrasil htop %base-packages)) + + ;; Add services to the baseline: a DHCP client and + ;; an SSH server. + (services + (append + (list + (service dhcp-client-service-type) + (service yggdrasil-service-type + (yggdrasil-configuration + (log-to 'stdout) + (log-level 'debug) + (autoconf? #f) + (json-config + ;; choose one from https://github.com/yggdrasil-network/public-peers + '((peers . #("tcp://1.2.3.4:1337")))))) + (service openssh-service-type + (openssh-configuration + (port-number 2222)))) + %base-services))) -- 2.26.2
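Review bot: The template never says where the keys go, even though the cover letter makes that the whole point of the two-file design: the only comment next to `(json-config` is about choosing a peer, so a user who copies this template and pastes the full `yggdrasil -genconf -json` output into `json-config` puts their signing and encryption keys into the world-readable store. Add a comment on that field along the lines of `;; Only non-secret settings here; keys belong in /etc/yggdrasil-secret.conf (chmod 600), never in this file.` Two smaller points in the same hunk: `(log-level 'debug)` is an unusual default for a template users are meant to copy, so either pick a quieter level or comment why debug is wanted; and the header comment, `host-name "ruby-guard-5545"` and `timezone` are carried over from the bare-bones template, so the header should state that this example demonstrates the Yggdrasil service rather than describing a "bare bones" setup.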
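The secret/non-secret split the cover letter walks through (steps 3 to 5) and the two-file merge the patched package performs, as an added Python example that is not part of the patch series or of Yggdrasil itself; the key field names are assumed from 0.3-era Yggdrasil config, the sample config and key values are constructed placeholders, and the rule that the secret file wins on conflicts is an assumption about the merge order.

```python
"""Split a generated Yggdrasil config into a mode-0600 secret file (keys only)
and a non-secret part for the operating-system config, then merge the two the
way the two-config-file package does (merge precedence is an assumption)."""
import json
import os
import stat
import tempfile

# Assumption: 0.3-era field names; only these belong in the secret file.
KEY_FIELDS = ("EncryptionPublicKey", "EncryptionPrivateKey",
              "SigningPublicKey", "SigningPrivateKey")

# Constructed stand-in for `yggdrasil -genconf -json` output; the key values
# are placeholders, not real key material.
GENERATED = {
    "Peers": [],
    "Listen": ["tcp://[::]:0"],
    "AdminListen": "unix:///var/run/yggdrasil.sock",
    "EncryptionPublicKey": "00" * 32,
    "EncryptionPrivateKey": "11" * 32,
    "SigningPublicKey": "22" * 32,
    "SigningPrivateKey": "33" * 64,
    "NodeInfo": {"name": "example"},
}

def split_config(generated):
    """Step 5: keep only the key fields in the secret part, the rest is public."""
    secret = {k: generated[k] for k in KEY_FIELDS if k in generated}
    public = {k: v for k, v in generated.items() if k not in KEY_FIELDS}
    return secret, public

def write_secret(path, secret):
    """Step 4: create the file already at 0600, so there is no chmod window."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(secret, f)
    return stat.S_IMODE(os.stat(path).st_mode)

def merge_configs(public, secret):
    """Two-file merge as the patched package does it (assumed: secret wins);
    refuses if a private key has ended up in the store-visible public part."""
    leaked = [k for k in public if k.endswith("PrivateKey")]
    if leaked:
        raise ValueError("private keys in world-readable config: %s" % leaked)
    merged = dict(public)
    merged.update(secret)
    return merged

def demo():
    secret, public = split_config(GENERATED)
    public["Peers"] = ["tcp://1.2.3.4:1337"]  # step 6: peers are not secret
    path = os.path.join(tempfile.mkdtemp(), "yggdrasil-secret.conf")
    return write_secret(path, secret), merge_configs(public, secret)
```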