commit 3efd043b508d2bf4ff8a4c67d4ece9389569fcad
parent ea23657b3e7e289762be818bdbe9d759df40bf8b
Author: Vincent Demeester <vincent@sbr.pm>
Date: Wed, 3 Jun 2020 15:33:52 +0200
systems: fix wireguard configuration…
Using optional(s) function is awesome 💃
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
2 files changed, 63 insertions(+), 49 deletions(-)
diff --git a/systems/hokkaido.nix b/systems/hokkaido.nix
@@ -1,31 +1,37 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
+with lib;
+let
+ hostname = "hokkaido";
+ secretPath = ../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+in
{
imports = [
- # hardware
../hardware/thinkpad-x220.nix
- # modules
../modules
- # users
(import ../users).vincent
(import ../users).root
];
- fileSystems."/" =
- {
- device = "/dev/disk/by-uuid/884a3d57-f652-49b2-9c8b-f6eebd5edbeb";
- fsType = "ext4";
- };
- fileSystems."/boot" =
- {
- device = "/dev/disk/by-uuid/C036-34B9";
- fsType = "vfat";
- };
- swapDevices =
- [{ device = "/dev/disk/by-uuid/e1833693-77ac-4d52-bcc7-54d082788639"; }];
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/884a3d57-f652-49b2-9c8b-f6eebd5edbeb";
+ fsType = "ext4";
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/C036-34B9";
+ fsType = "vfat";
+ };
+ swapDevices = [{ device = "/dev/disk/by-uuid/e1833693-77ac-4d52-bcc7-54d082788639"; }];
networking = {
- hostName = "hokkaido";
+ hostName = hostname;
};
profiles = {
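Review bot: The new `let` block repeats `(import secretPath)` and the `secretCondition` guard on every one of the five wireguard bindings; binding the attrset once keeps the guard in a single place, e.g. `secrets = if secretCondition then import secretPath else { };` followed by `ip = strings.optionalString secretCondition secrets.wireguard.ips."${hostname}";` (the `else { }` is never forced, because `optionalString`/`optionals` only evaluate their argument when the condition holds). The same five bindings are duplicated verbatim in the systems/wakasu.nix hunk of this commit, so a small shared helper under ../modules parameterised by `hostname` would keep the two hosts from drifting apart. The `ip`/`ips` split also means a missing `wireguard.ips."${hostname}"` entry surfaces as an evaluation error only when the secrets file is present, which is worth a one-line comment. The enclosing attribute set continues past the end of this hunk.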
@@ -34,11 +40,21 @@
git.enable = true;
ssh.enable = true;
dev.enable = true;
- users.enable = false;
yubikey.enable = true;
+ # FIXME remove the need for it
+ users.enable = false;
};
- services.fprintd.enable = true;
+ services = {
+ fprintd.enable = true;
+ wireguard = {
+ enable = true;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
+ };
+ };
virtualisation.containers = {
enable = true;
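Review bot: `wireguard.enable = true;` in the new `services` block is unconditional while every value it consumes is only populated when `../secrets/machines.nix` exists, so an evaluation without the secrets file enables the service with `ips = [ ]`, `endpoint = ""`, `endpointPort = 0` and an empty `endpointPublicKey`; whether the custom `services.wireguard` module rejects that or brings up a peer-less interface is not visible here, but `enable = secretCondition;` makes the intent explicit either way. The same applies to the wireguard block in the last hunk of systems/wakasu.nix. The `# FIXME remove the need for it` comment above `users.enable = false;` (and its twin in wakasu.nix) would be more useful if it named what "it" is, i.e. why the users profile has to stay off on this host. The top-level attribute set continues past the end of this hunk.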
diff --git a/systems/wakasu.nix b/systems/wakasu.nix
@@ -1,21 +1,27 @@
{ lib, pkgs, ... }:
+
+with lib;
let
- inCi = builtins.pathExists /home/build;
- enableHome = !inCi;
+ hostname = "wakasu";
+ secretPath = ../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
in
{
imports = [
- # hardware
../hardware/lenovo-p50.nix
- # modules
../modules
- # users
(import ../users).vincent
(import ../users).root
];
networking = {
- hostName = "wakasu";
+ hostName = hostname;
};
boot.initrd.luks.devices = {
@@ -30,23 +36,16 @@ in
};
};
- fileSystems."/" =
- {
- device = "/dev/disk/by-uuid/c44cdfec-b567-4059-8e66-1be8fec6342a";
- fsType = "ext4";
- options = [ "noatime" "discard" ];
- };
-
- fileSystems."/boot" =
- {
- device = "/dev/disk/by-uuid/E974-AB5D";
- fsType = "vfat";
- };
-
- swapDevices =
- [
- { device = "/dev/disk/by-uuid/c8c3308a-6ca6-4669-bad3-37a225af4083"; }
- ];
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/c44cdfec-b567-4059-8e66-1be8fec6342a";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/E974-AB5D";
+ fsType = "vfat";
+ };
+ swapDevices = [{ device = "/dev/disk/by-uuid/c8c3308a-6ca6-4669-bad3-37a225af4083"; }];
profiles = {
dev.enable = true;
@@ -56,6 +55,8 @@ in
ssh = { enable = true; forwardX11 = true; };
virtualization = { enable = true; nested = true; listenTCP = true; };
yubikey.enable = true;
+ # FIXME remove the need for it
+ users.enable = false;
};
programs = {
podman.enable = true;
@@ -79,16 +80,13 @@ in
enable = true;
devices = [{ device = "/dev/nvme0n1"; }];
};
- # FIXME handle secrets
- /*
wireguard = {
enable = true;
- ips = [ "${wireguard.ips.wakasu}/24" ];
- endpoint = wg.endpointIP;
- endpointPort = wg.listenPort;
- endpointPublicKey = wireguard.kerkouane.publicKey;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
};
- */
xserver = {
videoDrivers = [ "nvidia" ];
dpi = 96;