wg-home: move to shared module so that host and client config can be adjacent

hosts/by-name/servo/net.nix

@@ -168,41 +168,6 @@
   };
 
 
-  # host a wireguard VPN which allows access to other wg clients and forwards to internet
-  networking.firewall.allowedUDPPorts = [ 51820 ];
-  networking.wireguard.interfaces.wg-home = {
-    privateKeyFile = config.sops.secrets.wg_home_privkey.path;
-    listenPort = 51820;
-    ips = [
-      "10.0.10.5/24"
-    ];
-    peers = [
-      {
-        # peers and host all use the same key
-        publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
-        allowedIPs = [ "10.0.10.0/24" ];
-        # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
-        # allowedIPs = [ "0.0.0.0/0" ];
-      }
-      # {
-      #   # lappy
-      #   publicKey = "TODO";
-      #   allowedIPs = [ "10.0.10.20/32" ];
-      # }
-      # {
-      #   # desko
-      #   publicKey = "TODO";
-      #   allowedIPs = [ "10.0.10.22/32" ];
-      # }
-      # {
-      #   # moby
-      #   publicKey = "TODO";
-      #   allowedIPs = [ "10.0.10.48/32" ];
-      # }
-    ];
-  };
-
-
   # HURRICANE ELECTRIC CONFIG:
   # networking.sits = {
   #   hurricane = {

hosts/common/net.nix

@@ -40,28 +40,4 @@
     '';
     generated.script.scriptArgs = [ "/run/secrets/iwd" "/var/lib/iwd" ];
   };
-
-  networking.firewall.allowedUDPPorts = [ 51820 ];
-  # TODO: remove this hacky `if` block
-  networking.wireguard.interfaces.wg-home = lib.mkIf (config.networking.hostName != "servo") {
-    privateKeyFile = config.sops.secrets.wg_home_privkey.path;
-    # client IP (TODO: make host-specific)
-    ips = [ "10.100.0.20/32" ];
-    listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-
-    peers = [
-      {
-        # server pubkey
-        publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
-
-        # accept traffic from any IP addr on the other side of the tunnel
-        allowedIPs = [ "0.0.0.0/0" ];
-
-        endpoint = "uninsane.org:51820";
-
-        # send keepalives every 25 seconds to keep NAT routes live
-        persistentKeepalive = 25;
-      }
-    ];
-  };
 }

hosts/common/ssh.nix

@@ -22,7 +22,7 @@ in
       mapAttrs (host: cfg: {
         colin = cfg.ssh.user_pubkey;
         root = cfg.ssh.host_pubkey;
-      }) config.sane.hosts
+      }) config.sane.hosts.by-name
     );
   in mkMerge (map
     ({ path, value }: {

hosts/instantiate.nix

@@ -4,7 +4,7 @@
 { hostName, localSystem }:
 
 # module args
-{ ... }:
+{ config, ... }:
 
 {
   imports = [
@@ -13,6 +13,7 @@
     ./modules
   ];
 
+  sane.hosts.by-name."${hostName}".is-target = true;
   networking.hostName = hostName;
 
   nixpkgs.overlays = [

hosts/modules/default.nix

@@ -4,5 +4,6 @@
   imports = [
     ./hardware
     ./hosts.nix
+    ./wg-home.nix
   ];
 }

hosts/modules/hosts.nix

@@ -1,16 +1,16 @@
 { config, lib, ... }:
 
 let
-  inherit (lib) types mkOption;
+  inherit (lib) attrValues filterAttrs mkMerge mkOption types;
   cfg = config.sane.hosts;
 
   host = types.submodule ({ config, ... }: {
     options = {
       is-target = mkOption {
         type = types.bool;
+        default = false;
         description = ''
-          true if the config is being built for deployment to this host.
-          set internally.
+          set to true if the config is being built for deployment to this host.
         '';
       };
 
@@ -44,16 +44,11 @@ let
         '';
       };
     };
-
-    config = {
-      # user should set `sane.hosts.target = config.sane.hosts."${host}"` to build for it.
-      is-target = cfg ? "target" && cfg.target == config;
-    };
   });
 in
 {
   options = {
-    sane.hosts = mkOption {
+    sane.hosts.by-name = mkOption {
       type = types.attrsOf host;
       default = {};
       description = ''
@@ -61,32 +56,44 @@ in
         like its ssh pubkey, etc.
       '';
     };
+    # TODO: questionable. the target should specifically output config rather than other bits peeking at this.
+    sane.hosts.target = mkOption {
+      type = host;
+      description = ''
+        host to which the config being built applies to.
+      '';
+    };
   };
 
   config = {
-    sane.hosts."desko" = {
+    # TODO: this should be populated per-host
+    sane.hosts.by-name."desko" = {
       ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
       roles.client = true;
     };
-    sane.hosts."lappy" = {
+    sane.hosts.by-name."lappy" = {
       ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
       roles.client = true;
     };
-    sane.hosts."moby" = {
+    sane.hosts.by-name."moby" = {
       ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
       roles.client = true;
     };
-    sane.hosts."servo" = {
+    sane.hosts.by-name."servo" = {
       ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
       roles.server = true;
     };
-    sane.hosts."rescue" = {
+    sane.hosts.by-name."rescue" = {
       ssh.user_pubkey = null;
       ssh.host_pubkey = null;
     };
+
+    sane.hosts."target" = mkMerge (attrValues
+      (filterAttrs (host: c: c.is-target) cfg.by-name)
+    );
   };
 }

hosts/modules/wg-home.nix

@@ -0,0 +1,64 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) optionalAttrs;
+  me = config.sane.hosts.target;
+in
+{
+  # wireguard VPN which allows everything on my domain to speak to each other even when
+  # not behind a shared LAN.
+  # this config defines both the endpoint (server) and client configs
+
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+  # TODO: remove this hacky `if` block
+  networking.wireguard.interfaces.wg-home = {
+    privateKeyFile = config.sops.secrets.wg_home_privkey.path;
+    listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+  } // (optionalAttrs me.roles.client {
+    # client IP (TODO: make host-specific)
+    ips = [ "10.0.10.20/32" ];
+
+    peers = [
+      {
+        # server pubkey
+        publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
+
+        # accept traffic from any IP addr on the other side of the tunnel
+        allowedIPs = [ "0.0.0.0/0" ];
+
+        endpoint = "uninsane.org:51820";
+
+        # send keepalives every 25 seconds to keep NAT routes live
+        persistentKeepalive = 25;
+      }
+    ];
+  }) // (optionalAttrs me.roles.server {
+    ips = [
+      "10.0.10.5/24"
+    ];
+    peers = [
+      {
+        # peers and host all use the same key
+        publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
+        allowedIPs = [ "10.0.10.0/24" ];
+        # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
+        # allowedIPs = [ "0.0.0.0/0" ];
+      }
+      # {
+      #   # lappy
+      #   publicKey = "TODO";
+      #   allowedIPs = [ "10.0.10.20/32" ];
+      # }
+      # {
+      #   # desko
+      #   publicKey = "TODO";
+      #   allowedIPs = [ "10.0.10.22/32" ];
+      # }
+      # {
+      #   # moby
+      #   publicKey = "TODO";
+      #   allowedIPs = [ "10.0.10.48/32" ];
+      # }
+    ];
+  });
+}