From 038a9034d799fa2817d957bcd9a2a47e349e0f36 Mon Sep 17 00:00:00 2001 From: colin Date: Fri, 20 Jan 2023 00:13:13 +0000 Subject: [PATCH] hosts: remove the is-target attribute and opt into roles via the config system instead --- hosts/by-name/lappy/default.nix | 2 + hosts/by-name/servo/default.nix | 2 + hosts/instantiate.nix | 1 - hosts/modules/default.nix | 1 + hosts/modules/hosts.nix | 38 ----------- hosts/modules/roles/client.nix | 16 +++++ hosts/modules/roles/default.nix | 6 ++ hosts/modules/wg-home.nix | 117 +++++++++++++++++--------------- 8 files changed, 91 insertions(+), 92 deletions(-) create mode 100644 hosts/modules/roles/client.nix create mode 100644 hosts/modules/roles/default.nix diff --git a/hosts/by-name/lappy/default.nix b/hosts/by-name/lappy/default.nix index 3a3885e7..c7bf1b9b 100644 --- a/hosts/by-name/lappy/default.nix +++ b/hosts/by-name/lappy/default.nix @@ -4,6 +4,8 @@ ./fs.nix ]; + sane.roles.client = true; + # sane.packages.enableDevPkgs = true; # sane.users.guest.enable = true; diff --git a/hosts/by-name/servo/default.nix b/hosts/by-name/servo/default.nix index 68ab5ea2..261c2669 100644 --- a/hosts/by-name/servo/default.nix +++ b/hosts/by-name/servo/default.nix @@ -17,6 +17,8 @@ ]; sane.persist.enable = true; sane.services.dyn-dns.enable = true; + sane.services.wg-home.enable = true; + sane.services.wg-home.role = "server"; # sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade boot.loader.efi.canTouchEfiVariables = false; diff --git a/hosts/instantiate.nix b/hosts/instantiate.nix index c3bdfa03..4dfc3be0 100644 --- a/hosts/instantiate.nix +++ b/hosts/instantiate.nix @@ -13,7 +13,6 @@ ./modules ]; - sane.hosts.by-name."${hostName}".is-target = true; networking.hostName = hostName; nixpkgs.overlays = [ diff --git a/hosts/modules/default.nix b/hosts/modules/default.nix index ae9197bb..eb5508b4 100644 --- a/hosts/modules/default.nix +++ b/hosts/modules/default.nix 
@@ -4,6 +4,7 @@ imports = [ ./hardware ./hosts.nix + ./roles ./wg-home.nix ]; } diff --git a/hosts/modules/hosts.nix b/hosts/modules/hosts.nix index 2499be7d..c27c5de0 100644 --- a/hosts/modules/hosts.nix +++ b/hosts/modules/hosts.nix @@ -6,29 +6,6 @@ let host = types.submodule ({ config, ... }: { options = { - is-target = mkOption { - type = types.bool; - default = false; - description = '' - set to true if the config is being built for deployment to this host. - ''; - }; - - roles.server = mkOption { - type = types.bool; - default = false; - description = '' - whether this machine is a server for domain-level services like wireguard, rss aggregation, etc. - ''; - }; - roles.client = mkOption { - type = types.bool; - default = false; - description = '' - whether this machine is a client to domain-level services like wireguard, rss aggregation, etc. - ''; - }; - ssh.user_pubkey = mkOption { type = types.nullOr types.str; description = '' @@ -56,13 +33,6 @@ in like its ssh pubkey, etc. ''; }; - # TODO: questionable. the target should specifically output config rather than other bits peeking at this. - sane.hosts.target = mkOption { - type = host; - description = '' - host to which the config being built applies to. - ''; - }; }; config = { 
@@ -70,30 +40,22 @@ in sane.hosts.by-name."desko" = { ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX"; ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk"; - roles.client = true; }; sane.hosts.by-name."lappy" = { ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu"; ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc"; - roles.client = true; }; sane.hosts.by-name."moby" = { ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU"; ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw"; - roles.client = true; }; sane.hosts.by-name."servo" = { ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX"; ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8"; - roles.server = true; }; sane.hosts.by-name."rescue" = { ssh.user_pubkey = null; ssh.host_pubkey = null; }; - - sane.hosts."target" = mkMerge (attrValues - (filterAttrs (host: c: c.is-target) cfg.by-name) - ); }; } diff --git a/hosts/modules/roles/client.nix b/hosts/modules/roles/client.nix new file mode 100644 index 00000000..2f22aac6 --- /dev/null +++ b/hosts/modules/roles/client.nix @@ -0,0 +1,16 @@ +{ config, lib, ... }: + +let + inherit (lib) mkIf mkOption types; +in +{ + options.sane.roles.client = mkOption { + type = types.bool; + default = false; + }; + + config = mkIf config.sane.roles.client { + sane.services.wg-home.enable = true; + sane.services.wg-home.role = "client"; + }; +} diff --git a/hosts/modules/roles/default.nix b/hosts/modules/roles/default.nix new file mode 100644 index 00000000..01de1f4c --- /dev/null +++ b/hosts/modules/roles/default.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + imports = [ + ./client.nix + ]; +} 
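Review bot: The new `sane.roles.client` option in hosts/modules/roles/client.nix drops the `description` that the removed `roles.client` option in hosts.nix carried, so generated option docs no longer say what enabling it implies (it now turns on wg-home in the client role). Restore it on the option, e.g. `description = "whether this machine is a client to domain-level services like wireguard, rss aggregation, etc.";`, ideally adding that it enables `sane.services.wg-home` with `role = "client"`. There is no matching `sane.roles.server`; servo instead sets `sane.services.wg-home.enable` and `.role` by hand in hosts/by-name/servo/default.nix, so the two roles are now opted into through different mechanisms, which is a consistency point rather than a defect.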
diff --git a/hosts/modules/wg-home.nix b/hosts/modules/wg-home.nix index 502e70a3..3896627e 100644 --- a/hosts/modules/wg-home.nix +++ b/hosts/modules/wg-home.nix 
@@ -1,64 +1,75 @@ { config, lib, ... }: let - inherit (lib) optionalAttrs; - me = config.sane.hosts.target; + inherit (lib) mkIf mkOption optionalAttrs types; + cfg = config.sane.services.wg-home; in { - # wireguard VPN which allows everything on my domain to speak to each other even when - # not behind a shared LAN. - # this config defines both the endpoint (server) and client configs + options = { + sane.services.wg-home.enable = mkOption { + type = types.bool; + default = false; + }; + sane.services.wg-home.role = mkOption { + type = types.enum [ "client" "server" ]; + }; + }; - networking.firewall.allowedUDPPorts = [ 51820 ]; - # TODO: remove this hacky `if` block - networking.wireguard.interfaces.wg-home = { - privateKeyFile = config.sops.secrets.wg_home_privkey.path; - listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) - } // (optionalAttrs me.roles.client { - # client IP (TODO: make host-specific) - ips = [ "10.0.10.20/32" ]; + config = mkIf cfg.enable { + # wireguard VPN which allows everything on my domain to speak to each other even when + # not behind a shared LAN. 
+ # this config defines both the endpoint (server) and client configs - peers = [ - { - # server pubkey - publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM="; + networking.firewall.allowedUDPPorts = [ 51820 ]; + networking.wireguard.interfaces.wg-home = { + privateKeyFile = config.sops.secrets.wg_home_privkey.path; + listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) + } // (optionalAttrs (cfg.role == "client") { + # client IP (TODO: make host-specific) + ips = [ "10.0.10.20/32" ]; - # accept traffic from any IP addr on the other side of the tunnel - allowedIPs = [ "0.0.0.0/0" ]; + peers = [ + { + # server pubkey + publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM="; - endpoint = "uninsane.org:51820"; + # accept traffic from any IP addr on the other side of the tunnel + allowedIPs = [ "0.0.0.0/0" ]; - # send keepalives every 25 seconds to keep NAT routes live - persistentKeepalive = 25; - } - ]; - }) // (optionalAttrs me.roles.server { - ips = [ - "10.0.10.5/24" - ]; - peers = [ - { - # peers and host all use the same key - publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM="; - allowedIPs = [ "10.0.10.0/24" ]; - # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ]; - # allowedIPs = [ "0.0.0.0/0" ]; - } - # { - # # lappy - # publicKey = "TODO"; - # allowedIPs = [ "10.0.10.20/32" ]; - # } - # { - # # desko - # publicKey = "TODO"; - # allowedIPs = [ "10.0.10.22/32" ]; - # } - # { - # # moby - # publicKey = "TODO"; - # allowedIPs = [ "10.0.10.48/32" ]; - # } - ]; - }); + endpoint = "uninsane.org:51820"; + + # send keepalives every 25 seconds to keep NAT routes live + persistentKeepalive = 25; + } + ]; + }) // (optionalAttrs (cfg.role == "server") { + ips = [ + "10.0.10.5/24" + ]; + peers = [ + { + # peers and host all use the same key + publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM="; + allowedIPs = [ "10.0.10.0/24" ]; + # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ]; + # allowedIPs = [ 
"0.0.0.0/0" ]; + } + # { + # # lappy + # publicKey = "TODO"; + # allowedIPs = [ "10.0.10.20/32" ]; + # } + # { + # # desko + # publicKey = "TODO"; + # allowedIPs = [ "10.0.10.22/32" ]; + # } + # { + # # moby + # publicKey = "TODO"; + # allowedIPs = [ "10.0.10.48/32" ]; + # } + ]; + }); + }; }
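Review bot: Neither `sane.services.wg-home.enable` nor `sane.services.wg-home.role` carries a `description`, so the new options are undocumented; `enable` is what `mkEnableOption "the wg-home wireguard VPN"` (added to the `inherit (lib)` line) exists for, and `role` should state what each value configures (client: a single fixed peer at uninsane.org with `allowedIPs = [ "0.0.0.0/0" ]`, i.e. all traffic routed through the tunnel; server: the 10.0.10.5/24 endpoint). `networking.firewall.allowedUDPPorts = [ 51820 ];` is applied for both roles, while only the server role appears to need an inbound port opened — the client initiates the session and keeps it alive with `persistentKeepalive = 25` — so gating it with `mkIf (cfg.role == "server")` would avoid exposing a listener on every client host, unless some client is meant to accept inbound peers, which is not visible here. `role` has no default, so a host that sets `enable = true` without a role fails at evaluation with an undefined-option error; that is reasonable but worth stating in the option's description. Carried over rather than introduced: the server lists its own public key as its only peer (`# peers and host all use the same key`), so per-host identity on the tunnel depends on the commented-out per-client peers being filled in with distinct keys.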