hosts: remove the is-target attribute and opt into roles via the config system instead

hosts/by-name/lappy/default.nix

@@ -4,6 +4,8 @@
     ./fs.nix
   ];
 
+  sane.roles.client = true;
+
   # sane.packages.enableDevPkgs = true;
 
   # sane.users.guest.enable = true;

hosts/by-name/servo/default.nix

@@ -17,6 +17,8 @@
   ];
   sane.persist.enable = true;
   sane.services.dyn-dns.enable = true;
+  sane.services.wg-home.enable = true;
+  sane.services.wg-home.role = "server";
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
 
   boot.loader.efi.canTouchEfiVariables = false;

hosts/instantiate.nix

@@ -13,7 +13,6 @@
     ./modules
   ];
 
-  sane.hosts.by-name."${hostName}".is-target = true;
   networking.hostName = hostName;
 
   nixpkgs.overlays = [

hosts/modules/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ./hardware
     ./hosts.nix
+    ./roles
     ./wg-home.nix
   ];
 }

hosts/modules/hosts.nix

@@ -6,29 +6,6 @@ let
 
   host = types.submodule ({ config, ... }: {
     options = {
-      is-target = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          set to true if the config is being built for deployment to this host.
-        '';
-      };
-
-      roles.server = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          whether this machine is a server for domain-level services like wireguard, rss aggregation, etc.
-        '';
-      };
-      roles.client = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          whether this machine is a client to domain-level services like wireguard, rss aggregation, etc.
-        '';
-      };
-
       ssh.user_pubkey = mkOption {
         type = types.nullOr types.str;
         description = ''
@@ -56,13 +33,6 @@ in
         like its ssh pubkey, etc.
       '';
     };
-    # TODO: questionable. the target should specifically output config rather than other bits peeking at this.
-    sane.hosts.target = mkOption {
-      type = host;
-      description = ''
-        host to which the config being built applies to.
-      '';
-    };
   };
 
   config = {
@@ -70,30 +40,22 @@ in
     sane.hosts.by-name."desko" = {
       ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-      roles.client = true;
     };
     sane.hosts.by-name."lappy" = {
       ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
-      roles.client = true;
     };
     sane.hosts.by-name."moby" = {
       ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
-      roles.client = true;
     };
     sane.hosts.by-name."servo" = {
       ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
-      roles.server = true;
     };
     sane.hosts.by-name."rescue" = {
       ssh.user_pubkey = null;
       ssh.host_pubkey = null;
     };
-
-    sane.hosts."target" = mkMerge (attrValues
-      (filterAttrs (host: c: c.is-target) cfg.by-name)
-    );
   };
 }

hosts/modules/roles/client.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkIf mkOption types;
+in
+{
+  options.sane.roles.client = mkOption {
+    type = types.bool;
+    default = false;
+  };
+
+  config = mkIf config.sane.roles.client {
+    sane.services.wg-home.enable = true;
+    sane.services.wg-home.role = "client";
+  };
+}

hosts/modules/roles/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./client.nix
+  ];
+}

hosts/modules/wg-home.nix

@@ -1,64 +1,75 @@
 { config, lib, ... }:
 
 let
-  inherit (lib) optionalAttrs;
+  inherit (lib) mkIf mkOption optionalAttrs types;
-  me = config.sane.hosts.target;
+  cfg = config.sane.services.wg-home;
 in
 {
-  # wireguard VPN which allows everything on my domain to speak to each other even when
+  options = {
-  # not behind a shared LAN.
+    sane.services.wg-home.enable = mkOption {
-  # this config defines both the endpoint (server) and client configs
+      type = types.bool;
+      default = false;
+    };
+    sane.services.wg-home.role = mkOption {
+      type = types.enum [ "client" "server" ];
+    };
+  };
 
-  networking.firewall.allowedUDPPorts = [ 51820 ];
+  config = mkIf cfg.enable {
-  # TODO: remove this hacky `if` block
+    # wireguard VPN which allows everything on my domain to speak to each other even when
-  networking.wireguard.interfaces.wg-home = {
+    # not behind a shared LAN.
-    privateKeyFile = config.sops.secrets.wg_home_privkey.path;
+    # this config defines both the endpoint (server) and client configs
-    listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-  } // (optionalAttrs me.roles.client {
-    # client IP (TODO: make host-specific)
-    ips = [ "10.0.10.20/32" ];
 
-    peers = [
+    networking.firewall.allowedUDPPorts = [ 51820 ];
-      {
+    networking.wireguard.interfaces.wg-home = {
-        # server pubkey
+      privateKeyFile = config.sops.secrets.wg_home_privkey.path;
-        publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
+      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+    } // (optionalAttrs (cfg.role == "client") {
+      # client IP (TODO: make host-specific)
+      ips = [ "10.0.10.20/32" ];
 
-        # accept traffic from any IP addr on the other side of the tunnel
+      peers = [
-        allowedIPs = [ "0.0.0.0/0" ];
+        {
+          # server pubkey
+          publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
 
-        endpoint = "uninsane.org:51820";
+          # accept traffic from any IP addr on the other side of the tunnel
+          allowedIPs = [ "0.0.0.0/0" ];
 
-        # send keepalives every 25 seconds to keep NAT routes live
+          endpoint = "uninsane.org:51820";
-        persistentKeepalive = 25;
+
-      }
+          # send keepalives every 25 seconds to keep NAT routes live
-    ];
+          persistentKeepalive = 25;
-  }) // (optionalAttrs me.roles.server {
+        }
-    ips = [
+      ];
-      "10.0.10.5/24"
+    }) // (optionalAttrs (cfg.role == "server") {
-    ];
+      ips = [
-    peers = [
+        "10.0.10.5/24"
-      {
+      ];
-        # peers and host all use the same key
+      peers = [
-        publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
+        {
-        allowedIPs = [ "10.0.10.0/24" ];
+          # peers and host all use the same key
-        # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
+          publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
-        # allowedIPs = [ "0.0.0.0/0" ];
+          allowedIPs = [ "10.0.10.0/24" ];
-      }
+          # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
-      # {
+          # allowedIPs = [ "0.0.0.0/0" ];
-      #   # lappy
+        }
-      #   publicKey = "TODO";
+        # {
-      #   allowedIPs = [ "10.0.10.20/32" ];
+        #   # lappy
-      # }
+        #   publicKey = "TODO";
-      # {
+        #   allowedIPs = [ "10.0.10.20/32" ];
-      #   # desko
+        # }
-      #   publicKey = "TODO";
+        # {
-      #   allowedIPs = [ "10.0.10.22/32" ];
+        #   # desko
-      # }
+        #   publicKey = "TODO";
-      # {
+        #   allowedIPs = [ "10.0.10.22/32" ];
-      #   # moby
+        # }
-      #   publicKey = "TODO";
+        # {
-      #   allowedIPs = [ "10.0.10.48/32" ];
+        #   # moby
-      # }
+        #   publicKey = "TODO";
-    ];
+        #   allowedIPs = [ "10.0.10.48/32" ];
-  });
+        # }
+      ];
+    });
+  };
 }