
commit 3efd043b508d2bf4ff8a4c67d4ece9389569fcad
parent ea23657b3e7e289762be818bdbe9d759df40bf8b
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Wed,  3 Jun 2020 15:33:52 +0200

systems: fix wireguard configuration…

Using optional(s) function is awesome 💃

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Msystems/hokkaido.nix | 54+++++++++++++++++++++++++++++++++++-------------------
Msystems/wakasu.nix | 58++++++++++++++++++++++++++++------------------------------
2 files changed, 63 insertions(+), 49 deletions(-)

diff --git a/systems/hokkaido.nix b/systems/hokkaido.nix @@ -1,31 +1,37 @@ -{ lib, pkgs, ... }: +{ lib, ... }: +with lib; +let + hostname = "hokkaido"; + secretPath = ../secrets/machines.nix; + secretCondition = (builtins.pathExists secretPath); + + ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}"; + ips = lists.optionals secretCondition ([ "${ip}/24" ]); + endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP; + endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0; + endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey; +in { imports = [ - # hardware ../hardware/thinkpad-x220.nix - # modules ../modules - # users (import ../users).vincent (import ../users).root ]; - fileSystems."/" = - { - device = "/dev/disk/by-uuid/884a3d57-f652-49b2-9c8b-f6eebd5edbeb"; - fsType = "ext4"; - }; - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/C036-34B9"; - fsType = "vfat"; - }; - swapDevices = - [{ device = "/dev/disk/by-uuid/e1833693-77ac-4d52-bcc7-54d082788639"; }]; + fileSystems."/" = { + device = "/dev/disk/by-uuid/884a3d57-f652-49b2-9c8b-f6eebd5edbeb"; + fsType = "ext4"; + }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/C036-34B9"; + fsType = "vfat"; + }; + swapDevices = [{ device = "/dev/disk/by-uuid/e1833693-77ac-4d52-bcc7-54d082788639"; }]; networking = { - hostName = "hokkaido"; + hostName = hostname; }; profiles = { @@ -34,11 +40,21 @@ git.enable = true; ssh.enable = true; dev.enable = true; - users.enable = false; yubikey.enable = true; + # FIXME remove the need for it + users.enable = false; }; - services.fprintd.enable = true; + services = { + fprintd.enable = true; + wireguard = { + enable = true; + ips = ips; + endpoint = endpointIP; + endpointPort = endpointPort; + endpointPublicKey = endpointPublicKey; + }; + }; virtualisation.containers = { enable = true; 
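Review bot: `(import secretPath)` is spelled out four times in the new `let` block (`ip`, `endpointIP`, `endpointPort`, `endpointPublicKey`); since `let` bindings are lazy, binding it once as `secrets = import secretPath;` and writing e.g. `ip = strings.optionalString secretCondition secrets.wireguard.ips."${hostname}";` keeps the existence guard and drops the repetition. The parentheses in `secretCondition = (builtins.pathExists secretPath);` are redundant. The same let-bindings are pasted verbatim into systems/wakasu.nix in this commit with only `hostname` differing, so they are a candidate for a small shared helper under ../modules that takes the hostname.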
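Review bot: `wireguard.enable = true;` is unconditional while every value fed to it (`ips`, `endpoint`, `endpointPort`, `endpointPublicKey`) degrades to `[]`, `""` or `0` when ../secrets/machines.nix is absent, so a checkout without the secrets file still enables the service with an empty peer key and port 0 instead of leaving it off; `enable = secretCondition;` makes the fallback explicit. The same applies to the wireguard block in systems/wakasu.nix (hunk @@ -79,16 +80,13 @@). `endpoint`, `endpointPort` and `endpointPublicKey` look like options of the repository's own wireguard module under ../modules rather than upstream `networking.wireguard`, so whether an empty public key fails at evaluation or only at activation depends on that module and is worth checking. As a point of style, `ips = ips; endpointPort = endpointPort; endpointPublicKey = endpointPublicKey;` can be written `inherit ips endpointPort endpointPublicKey;`.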
diff --git a/systems/wakasu.nix b/systems/wakasu.nix @@ -1,21 +1,27 @@ { lib, pkgs, ... }: + +with lib; let - inCi = builtins.pathExists /home/build; - enableHome = !inCi; + hostname = "wakasu"; + secretPath = ../secrets/machines.nix; + secretCondition = (builtins.pathExists secretPath); + + ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}"; + ips = lists.optionals secretCondition ([ "${ip}/24" ]); + endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP; + endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0; + endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey; in { imports = [ - # hardware ../hardware/lenovo-p50.nix - # modules ../modules - # users (import ../users).vincent (import ../users).root ]; networking = { - hostName = "wakasu"; + hostName = hostname; }; boot.initrd.luks.devices = { @@ -30,23 +36,16 @@ in }; }; - fileSystems."/" = - { - device = "/dev/disk/by-uuid/c44cdfec-b567-4059-8e66-1be8fec6342a"; - fsType = "ext4"; - options = [ "noatime" "discard" ]; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/E974-AB5D"; - fsType = "vfat"; - }; - - swapDevices = - [ - { device = "/dev/disk/by-uuid/c8c3308a-6ca6-4669-bad3-37a225af4083"; } - ]; + fileSystems."/" = { + device = "/dev/disk/by-uuid/c44cdfec-b567-4059-8e66-1be8fec6342a"; + fsType = "ext4"; + options = [ "noatime" "discard" ]; + }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/E974-AB5D"; + fsType = "vfat"; + }; + swapDevices = [{ device = "/dev/disk/by-uuid/c8c3308a-6ca6-4669-bad3-37a225af4083"; }]; profiles = { dev.enable = true; @@ -56,6 +55,8 @@ in ssh = { enable = true; forwardX11 = true; }; virtualization = { enable = true; nested = true; listenTCP = true; }; yubikey.enable = true; + # FIXME remove the need for it + users.enable = false; }; programs = { podman.enable = true; 
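Review bot: The first hunk drops the `inCi = builtins.pathExists /home/build;` and `enableHome = !inCi;` bindings from the `let` block without replacing them; if `enableHome` or `inCi` is still referenced further down in systems/wakasu.nix (the parts of the file outside these hunks are not shown), evaluating the wakasu configuration will fail with an undefined-variable error, so verify nothing else used them. If CI detection is still wanted, note that the new `builtins.pathExists secretPath` check only guards the secret-derived values, not whatever `enableHome` used to gate. The new `let` block also repeats the `(import secretPath)` pattern already noted for systems/hokkaido.nix.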
@@ -79,16 +80,13 @@ in enable = true; devices = [{ device = "/dev/nvme0n1"; }]; }; - # FIXME handle secrets - /* wireguard = { enable = true; - ips = [ "${wireguard.ips.wakasu}/24" ]; - endpoint = wg.endpointIP; - endpointPort = wg.listenPort; - endpointPublicKey = wireguard.kerkouane.publicKey; + ips = ips; + endpoint = endpointIP; + endpointPort = endpointPort; + endpointPublicKey = endpointPublicKey; }; - */ xserver = { videoDrivers = [ "nvidia" ]; dpi = 96;
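Review bot: The re-enabled wireguard block now depends on `ips`, `endpointIP`, `endpointPort` and `endpointPublicKey` defined in the `let` block at the top of the file, and nothing at this site says that they are empty when ../secrets/machines.nix is missing; a comment such as `# ips/endpoint* come from ../secrets/machines.nix and are []/""/0 when that file is absent (see the let block)` would save the next reader the trip. Dropping the `# FIXME handle secrets` marker is fair now that the lookup is guarded, but `enable = true;` remains unconditional, as noted for hokkaido. Everything placed in these options ends up in the generated NixOS configuration in the world-readable Nix store; the endpoint, assigned IP and peer public key used here are not confidential, but the interface's private key should not travel through this import path (the hunk does not show where it comes from).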