hosts: remove the is-target attribute and opt into roles via the config system instead
This commit is contained in:
parent
5a232eb832
commit
038a9034d7
|
@ -4,6 +4,8 @@
|
||||||
./fs.nix
|
./fs.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sane.roles.client = true;
|
||||||
|
|
||||||
# sane.packages.enableDevPkgs = true;
|
# sane.packages.enableDevPkgs = true;
|
||||||
|
|
||||||
# sane.users.guest.enable = true;
|
# sane.users.guest.enable = true;
|
||||||
|
|
|
@ -17,6 +17,8 @@
|
||||||
];
|
];
|
||||||
sane.persist.enable = true;
|
sane.persist.enable = true;
|
||||||
sane.services.dyn-dns.enable = true;
|
sane.services.dyn-dns.enable = true;
|
||||||
|
sane.services.wg-home.enable = true;
|
||||||
|
sane.services.wg-home.role = "server";
|
||||||
# sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
|
# sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
|
||||||
|
|
||||||
boot.loader.efi.canTouchEfiVariables = false;
|
boot.loader.efi.canTouchEfiVariables = false;
|
||||||
|
|
|
@ -13,7 +13,6 @@
|
||||||
./modules
|
./modules
|
||||||
];
|
];
|
||||||
|
|
||||||
sane.hosts.by-name."${hostName}".is-target = true;
|
|
||||||
networking.hostName = hostName;
|
networking.hostName = hostName;
|
||||||
|
|
||||||
nixpkgs.overlays = [
|
nixpkgs.overlays = [
|
||||||
|
|
|
@ -4,6 +4,7 @@
|
||||||
imports = [
|
imports = [
|
||||||
./hardware
|
./hardware
|
||||||
./hosts.nix
|
./hosts.nix
|
||||||
|
./roles
|
||||||
./wg-home.nix
|
./wg-home.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,29 +6,6 @@ let
|
||||||
|
|
||||||
host = types.submodule ({ config, ... }: {
|
host = types.submodule ({ config, ... }: {
|
||||||
options = {
|
options = {
|
||||||
is-target = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = ''
|
|
||||||
set to true if the config is being built for deployment to this host.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
roles.server = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = ''
|
|
||||||
whether this machine is a server for domain-level services like wireguard, rss aggregation, etc.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
roles.client = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = ''
|
|
||||||
whether this machine is a client to domain-level services like wireguard, rss aggregation, etc.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
ssh.user_pubkey = mkOption {
|
ssh.user_pubkey = mkOption {
|
||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
description = ''
|
description = ''
|
||||||
|
@ -56,13 +33,6 @@ in
|
||||||
like its ssh pubkey, etc.
|
like its ssh pubkey, etc.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
# TODO: questionable. the target should specifically output config rather than other bits peeking at this.
|
|
||||||
sane.hosts.target = mkOption {
|
|
||||||
type = host;
|
|
||||||
description = ''
|
|
||||||
host to which the config being built applies to.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
@ -70,30 +40,22 @@ in
|
||||||
sane.hosts.by-name."desko" = {
|
sane.hosts.by-name."desko" = {
|
||||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
|
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
|
||||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
|
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
|
||||||
roles.client = true;
|
|
||||||
};
|
};
|
||||||
sane.hosts.by-name."lappy" = {
|
sane.hosts.by-name."lappy" = {
|
||||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
|
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
|
||||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
|
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
|
||||||
roles.client = true;
|
|
||||||
};
|
};
|
||||||
sane.hosts.by-name."moby" = {
|
sane.hosts.by-name."moby" = {
|
||||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
|
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
|
||||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
|
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
|
||||||
roles.client = true;
|
|
||||||
};
|
};
|
||||||
sane.hosts.by-name."servo" = {
|
sane.hosts.by-name."servo" = {
|
||||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
|
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
|
||||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
|
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
|
||||||
roles.server = true;
|
|
||||||
};
|
};
|
||||||
sane.hosts.by-name."rescue" = {
|
sane.hosts.by-name."rescue" = {
|
||||||
ssh.user_pubkey = null;
|
ssh.user_pubkey = null;
|
||||||
ssh.host_pubkey = null;
|
ssh.host_pubkey = null;
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.hosts."target" = mkMerge (attrValues
|
|
||||||
(filterAttrs (host: c: c.is-target) cfg.by-name)
|
|
||||||
);
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
16
hosts/modules/roles/client.nix
Normal file
16
hosts/modules/roles/client.nix
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
inherit (lib) mkIf mkOption types;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.sane.roles.client = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf config.sane.roles.client {
|
||||||
|
sane.services.wg-home.enable = true;
|
||||||
|
sane.services.wg-home.role = "client";
|
||||||
|
};
|
||||||
|
}
|
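Review bot: The new `options.sane.roles.client` drops the description that the old per-host `roles.client` option carried, so generated option docs no longer say what opting in does; add `description = "whether this machine is a client to domain-level services like wireguard, rss aggregation, etc.";` next to `default = false;`. There is also no matching `sane.roles.server` module — `default.nix` imports only `./client.nix`, and the server host enables `wg-home` with `role = "server"` directly in its own hunk — which is a reasonable opt-in, but a one-line comment in `default.nix` such as `# server-side services are enabled per host, not via a role` would make the asymmetry read as intentional rather than as an omission.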
6
hosts/modules/roles/default.nix
Normal file
6
hosts/modules/roles/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./client.nix
|
||||||
|
];
|
||||||
|
}
|
|
@ -1,64 +1,75 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) optionalAttrs;
|
inherit (lib) mkIf mkOption optionalAttrs types;
|
||||||
me = config.sane.hosts.target;
|
cfg = config.sane.services.wg-home;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# wireguard VPN which allows everything on my domain to speak to each other even when
|
options = {
|
||||||
# not behind a shared LAN.
|
sane.services.wg-home.enable = mkOption {
|
||||||
# this config defines both the endpoint (server) and client configs
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
sane.services.wg-home.role = mkOption {
|
||||||
|
type = types.enum [ "client" "server" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
config = mkIf cfg.enable {
|
||||||
# TODO: remove this hacky `if` block
|
# wireguard VPN which allows everything on my domain to speak to each other even when
|
||||||
networking.wireguard.interfaces.wg-home = {
|
# not behind a shared LAN.
|
||||||
privateKeyFile = config.sops.secrets.wg_home_privkey.path;
|
# this config defines both the endpoint (server) and client configs
|
||||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
|
||||||
} // (optionalAttrs me.roles.client {
|
|
||||||
# client IP (TODO: make host-specific)
|
|
||||||
ips = [ "10.0.10.20/32" ];
|
|
||||||
|
|
||||||
peers = [
|
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||||
{
|
networking.wireguard.interfaces.wg-home = {
|
||||||
# server pubkey
|
privateKeyFile = config.sops.secrets.wg_home_privkey.path;
|
||||||
publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
|
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||||
|
} // (optionalAttrs (cfg.role == "client") {
|
||||||
|
# client IP (TODO: make host-specific)
|
||||||
|
ips = [ "10.0.10.20/32" ];
|
||||||
|
|
||||||
# accept traffic from any IP addr on the other side of the tunnel
|
peers = [
|
||||||
allowedIPs = [ "0.0.0.0/0" ];
|
{
|
||||||
|
# server pubkey
|
||||||
|
publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
|
||||||
|
|
||||||
endpoint = "uninsane.org:51820";
|
# accept traffic from any IP addr on the other side of the tunnel
|
||||||
|
allowedIPs = [ "0.0.0.0/0" ];
|
||||||
|
|
||||||
# send keepalives every 25 seconds to keep NAT routes live
|
endpoint = "uninsane.org:51820";
|
||||||
persistentKeepalive = 25;
|
|
||||||
}
|
# send keepalives every 25 seconds to keep NAT routes live
|
||||||
];
|
persistentKeepalive = 25;
|
||||||
}) // (optionalAttrs me.roles.server {
|
}
|
||||||
ips = [
|
];
|
||||||
"10.0.10.5/24"
|
}) // (optionalAttrs (cfg.role == "server") {
|
||||||
];
|
ips = [
|
||||||
peers = [
|
"10.0.10.5/24"
|
||||||
{
|
];
|
||||||
# peers and host all use the same key
|
peers = [
|
||||||
publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
|
{
|
||||||
allowedIPs = [ "10.0.10.0/24" ];
|
# peers and host all use the same key
|
||||||
# allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
|
publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
|
||||||
# allowedIPs = [ "0.0.0.0/0" ];
|
allowedIPs = [ "10.0.10.0/24" ];
|
||||||
}
|
# allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
|
||||||
# {
|
# allowedIPs = [ "0.0.0.0/0" ];
|
||||||
# # lappy
|
}
|
||||||
# publicKey = "TODO";
|
# {
|
||||||
# allowedIPs = [ "10.0.10.20/32" ];
|
# # lappy
|
||||||
# }
|
# publicKey = "TODO";
|
||||||
# {
|
# allowedIPs = [ "10.0.10.20/32" ];
|
||||||
# # desko
|
# }
|
||||||
# publicKey = "TODO";
|
# {
|
||||||
# allowedIPs = [ "10.0.10.22/32" ];
|
# # desko
|
||||||
# }
|
# publicKey = "TODO";
|
||||||
# {
|
# allowedIPs = [ "10.0.10.22/32" ];
|
||||||
# # moby
|
# }
|
||||||
# publicKey = "TODO";
|
# {
|
||||||
# allowedIPs = [ "10.0.10.48/32" ];
|
# # moby
|
||||||
# }
|
# publicKey = "TODO";
|
||||||
];
|
# allowedIPs = [ "10.0.10.48/32" ];
|
||||||
});
|
# }
|
||||||
|
];
|
||||||
|
});
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
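Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ];` now sits under `mkIf cfg.enable` but is still applied for the `client` role as well as the `server` role, so every host that opts into `sane.roles.client` opens an inbound UDP listener it does not need — the client branch dials out to `endpoint = "uninsane.org:51820"` and keeps NAT state with `persistentKeepalive = 25`. Narrowing it to `networking.firewall.allowedUDPPorts = lib.optionals (cfg.role == "server") [ 51820 ];` (and, if a fixed client port is not wanted, gating `listenPort` the same way) keeps laptop and phone hosts to the minimum exposed surface. Separately, `sane.services.wg-home.role` has neither a default nor a description, so `enable = true` without a `role` should fail at evaluation inside the `optionalAttrs (cfg.role == ...)` conditions; that may be the intended fail-closed behaviour, but a `description` on both new options stating that `role` is required when enabled would make it explicit. Note too that the `# peers and host all use the same key` comment and the identical `publicKey` on both sides mean every client opting in via the role now shares one key pair and the single `10.0.10.20/32` address already flagged by the `TODO: make host-specific` comment, so this refactor makes the per-host keys and addresses sketched in the commented-out peer list more pressing.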