wg-home: auto-generate peer list from hosts.nix config

2023-01-20 07:22:34 +00:00 · 2023-01-20 07:22:34 +00:00 · 708cb841fe
commit 708cb841fe
parent 094b7223c7
2 changed files with 20 additions and 25 deletions
--- a/hosts/modules/hosts.nix
+++ b/hosts/modules/hosts.nix
@ -27,6 +27,13 @@ let
          e.g. "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=".
        '';
      };
+      wg-home.ip = mkOption {
+        type = types.nullOr types.str;
+        description = ''
+          IP address to use on the wg-home VPN.
+          e.g. "10.0.10.5";
+        '';
+      };
      lan-ip = mkOption {
        type = types.str;
        description = ''
@ -61,6 +68,7 @@ in
      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
      wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
+      wg-home.ip = "10.0.10.20";
      lan-ip = "192.168.0.20";
    };

@ -74,6 +82,7 @@ in
      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
      wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
+      wg-home.ip = "10.0.10.5";
      lan-ip = "192.168.0.5";
    };
  };
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@ -1,8 +1,10 @@
 { config, lib, pkgs, ... }:

 let
+  inherit (builtins) mapAttrsToList;
  inherit (lib) mkIf mkMerge mkOption optionalAttrs types;
  cfg = config.sane.services.wg-home;
+  server-cfg = config.sane.hosts.by-name."servo".wg-home;
 in
 {
  options = {
@ -48,7 +50,7 @@ in
        peers = [
          {
            # server pubkey
-            publicKey = config.sane.hosts.by-name."servo".wg-home.pubkey;
+            publicKey = server-cfg.pubkey;

            # accept traffic from any IP addr on the other side of the tunnel
            # allowedIPs = [ "0.0.0.0/0" ];
@ -68,30 +70,14 @@ in
        ips = [
          "10.0.10.5/24"
        ];
-        peers = [
-          {
-            # lappy
-            publicKey = config.sane.hosts.by-name."lappy".wg-home.pubkey;
-            allowedIPs = [ "10.0.10.20/32" ];
-            # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
-            # allowedIPs = [ "0.0.0.0/0" ];
-          }
-          # {
-          #   # lappy
-          #   publicKey = "TODO";
-          #   allowedIPs = [ "10.0.10.20/32" ];
-          # }
-          # {
-          #   # desko
-          #   publicKey = "TODO";
-          #   allowedIPs = [ "10.0.10.22/32" ];
-          # }
-          # {
-          #   # moby
-          #   publicKey = "TODO";
-          #   allowedIPs = [ "10.0.10.48/32" ];
-          # }
-        ];
+        peers = mapAttrsToList
+          (name: hostcfg:
+            lib.mkIf (hostcfg.wg-home.ip or server-cfg.ip != server-cfg.ip) {
+              publicKey = hostcfg.wg-home.pubkey;
+              allowedIPs = [ "${hostcfg.wg-home.ip}/32" ];
+            }
+          )
+          config.sane.hosts.by-name;
      };
    }
  ]);