some cleanups

2024-11-17 10:28:43 +05:30 · 2024-11-17 10:28:43 +05:30 · beb635d6db
commit beb635d6db
parent d053b70338
21 changed files with 76 additions and 48 deletions
--- a/hosts/bifrost/default.nix
+++ b/hosts/bifrost/default.nix
@ -10,6 +10,11 @@
  nodeconfig = {
    minimize = true;
    nix.auto-gc = true;
+    facts = {
+      external-ip = "128.199.30.141";
+      local-ip = "10.122.0.3";
+      wireguard-ip = "10.10.10.1";
+    };
  };

  i18n = {
--- a/hosts/bifrost/network/default.nix
+++ b/hosts/bifrost/network/default.nix
@ -1,6 +1,8 @@
 { lib, ... }: {
  imports = [ ./wireguard.nix ];
+
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
  systemd = {
    network = {
      enable = true;
@ -42,6 +44,7 @@
    ];
    useDHCP = lib.mkDefault false;
    useNetworkd = true;
+    nftables.enable = true;
  };

 }
--- a/hosts/bifrost/network/wireguard.nix
+++ b/hosts/bifrost/network/wireguard.nix
@ -1,9 +1,5 @@
 { config, ... }:
-let
-  wireguard-peers = import ../../shared/wireguard-peers.nix;
-in
-{
-  nodeconfig.facts.wireguard-ip = "10.10.10.1";
+let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
  sops.secrets = {
    "wireguard/bifrost/pk" = {
      mode = "400";
@ -22,7 +18,7 @@ in
          listenPort = 51821;
          privateKeyFile = config.sops.secrets."wireguard/bifrost/pk".path;
          address = [
-            "10.10.10.1/24"
+            "${config.nodeconfig.facts.wireguard-ip}/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
--- a/hosts/bifrost/services/ssh.nix
+++ b/hosts/bifrost/services/ssh.nix
@ -1,6 +1,13 @@
-_: {
+{ config, ... }:
+let facts = config.nodeconfig.facts; in {
+  networking.firewall.interfaces.ens3.allowedTCPPorts = [ 22 ];
  services.openssh = {
    enable = true;
+    openFirewall = false;
+    listenAddresses = [
+      { addr = facts.wireguard-ip; port = 22; }
+      { addr = facts.local-ip; port = 22; }
+    ];
    settings = {
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
--- a/hosts/layne/default.nix
+++ b/hosts/layne/default.nix
@ -12,6 +12,11 @@ _: {
    minimize = true;
    nix.auto-gc = true;
    is-server = true;
+    facts = {
+      external-ip = null;
+      local-ip = "192.168.1.14";
+      wireguard-ip = "10.10.10.14";
+    };
  };

  environment.sessionVariables = {
--- a/hosts/layne/network/default.nix
+++ b/hosts/layne/network/default.nix
@ -40,5 +40,6 @@
      "10.10.10.12"
    ];
    useNetworkd = true;
+    nftables.enable = true;
  };
 }
--- a/hosts/layne/network/wireguard.nix
+++ b/hosts/layne/network/wireguard.nix
@ -1,8 +1,5 @@
 { config, ... }:
-let
-  wireguard-peers = import ../../shared/wireguard-peers.nix;
-in
-{
+let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
  sops.secrets = {
    "wireguard/layne/pk" = {
      mode = "400";
@ -21,7 +18,7 @@ in
          listenPort = 51834;
          privateKeyFile = config.sops.secrets."wireguard/layne/pk".path;
          address = [
-            "10.10.10.14/24"
+            "${config.nodeconfig.facts.wireguard-ip}/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
--- a/hosts/rico0/default.nix
+++ b/hosts/rico0/default.nix
@ -13,6 +13,11 @@ _: {
    nix.auto-gc = true;
    is-pi = true;
    is-server = true;
+    facts = {
+      external-ip = null;
+      local-ip = "192.168.1.10";
+      wireguard-ip = "10.10.10.10";
+    };
  };

  i18n = {
--- a/hosts/rico0/network/default.nix
+++ b/hosts/rico0/network/default.nix
@ -1,7 +1,7 @@
-{ lib, ... }:
-{
+{ lib, ... }: {
  imports = [ ./wireguard.nix ];
  systemd = {
+
    network = {
      enable = true;
      wait-online.enable = false;
--- a/hosts/rico0/network/wireguard.nix
+++ b/hosts/rico0/network/wireguard.nix
@ -1,8 +1,5 @@
 { config, ... }:
-let
-  wireguard-peers = import ../../shared/wireguard-peers.nix;
-in
-{
+let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
  sops.secrets = {
    "wireguard/rico0/pk" = {
      mode = "400";
@ -21,7 +18,7 @@ in
          listenPort = 51830;
          privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
          address = [
-            "10.10.10.10/24"
+            "${config.nodeconfig.facts.wireguard-ip}/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
--- a/hosts/rico1/default.nix
+++ b/hosts/rico1/default.nix
@ -13,6 +13,11 @@ _: {
    nix.auto-gc = true;
    is-pi = true;
    is-server = true;
+    facts = {
+      external-ip = null;
+      local-ip = "192.168.1.11";
+      wireguard-ip = "10.10.10.11";
+    };
  };

  i18n = {
--- a/hosts/rico1/network/default.nix
+++ b/hosts/rico1/network/default.nix
@ -1,6 +1,6 @@
-{ lib, ... }:
-{
+{ lib, ... }: {
  imports = [ ./wireguard.nix ];
+
  systemd = {
    network = {
      enable = true;
--- a/hosts/rico1/network/wireguard.nix
+++ b/hosts/rico1/network/wireguard.nix
@ -1,8 +1,5 @@
 { config, ... }:
-let
-  wireguard-peers = import ../../shared/wireguard-peers.nix;
-in
-{
+let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
  sops.secrets = {
    "wireguard/rico1/pk" = {
      mode = "400";
@ -21,7 +18,7 @@ in
          listenPort = 51831;
          privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
          address = [
-            "10.10.10.11/24"
+            "${config.nodeconfig.facts.wireguard-ip}/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
--- a/hosts/rico2/default.nix
+++ b/hosts/rico2/default.nix
@ -13,6 +13,11 @@ _: {
    nix.auto-gc = true;
    is-pi = true;
    is-server = true;
+    facts = {
+      external-ip = null;
+      local-ip = "192.168.1.12";
+      wireguard-ip = "10.10.10.12";
+    };
  };

  i18n = {
--- a/hosts/rico2/network/default.nix
+++ b/hosts/rico2/network/default.nix
@ -1,6 +1,6 @@
-{ lib, ... }:
-{
+{ lib, ... }: {
  imports = [ ./wireguard.nix ];
+
  systemd = {
    network = {
      enable = true;
--- a/hosts/rico2/network/wireguard.nix
+++ b/hosts/rico2/network/wireguard.nix
@ -1,8 +1,5 @@
 { config, ... }:
-let
-  wireguard-peers = import ../shared/wireguard-peers.nix;
-in
-{
+let wireguard-peers = import ../shared/wireguard-peers.nix; in {
  sops.secrets = {
    "wireguard/rico2/pk" = {
      mode = "400";
@ -21,7 +18,7 @@ in
          listenPort = 51832;
          privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path;
          address = [
-            "10.10.10.12/24"
+            "${config.nodeconfig.facts.wireguard-ip}/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
--- a/hosts/shared/prometheus-exporters.nix
+++ b/hosts/shared/prometheus-exporters.nix
@ -1,8 +1,4 @@
-{ lib, config, ... }:
-let
-  inherit (import ./caddy-helpers.nix) logFormat;
-in
-{
+{ lib, config, ... }: {
  services = {
    caddy =
      let
@ -10,9 +6,7 @@ in
      in
      {
        virtualHosts."${vHost}" = {
-          inherit logFormat;
          extraConfig = ''
-            metrics /caddy-metrics
            handle /metrics {
              reverse_proxy ${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}
            }
--- a/hosts/wynne/default.nix
+++ b/hosts/wynne/default.nix
@ -11,6 +11,11 @@ _: {
    minimize = true;
    nix.auto-gc = true;
    is-server = true;
+    facts = {
+      external-ip = null;
+      local-ip = "192.168.1.13";
+      wireguard-ip = "10.10.10.13";
+    };
  };

  environment.sessionVariables = {
--- a/hosts/wynne/network/default.nix
+++ b/hosts/wynne/network/default.nix
@ -1,6 +1,6 @@
-{ lib, ... }:
-{
+{ lib, ... }: {
  imports = [ ./wireguard.nix ];
+
  systemd = {
    network = {
      enable = true;
--- a/hosts/wynne/network/wireguard.nix
+++ b/hosts/wynne/network/wireguard.nix
@ -1,8 +1,5 @@
 { config, ... }:
-let
-  wireguard-peers = import ../../shared/wireguard-peers.nix;
-in
-{
+let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
  sops.secrets = {
    "wireguard/wynne/pk" = {
      mode = "400";
@ -21,7 +18,7 @@ in
          listenPort = 51833;
          privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
          address = [
-            "10.10.10.13/24"
+            "${config.nodeconfig.facts.wireguard-ip}/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
--- a/modules/facts.nix
+++ b/modules/facts.nix
@ -2,11 +2,23 @@
  options.nodeconfig = {
    facts = {
      wireguard-ip = lib.mkOption {
-        type = lib.types.str;
+        type = lib.types.nullOr lib.types.str;
        default = null;
        example = "10.0.0.1";
        description = "Wireguard IP of the node";
      };
+      local-ip = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        example = "192.168.1.1";
+        description = "Local IP of the node";
+      };
+      external-ip = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        example = "11.1.1.2";
+        description = "Public facing IP of the node";
+      };
    };
  };
 }