wip: prepare for autogenerated wireguard ips; prepare for sentinel server

hosts/ward/default.nix

@@ -1,20 +1,12 @@
 {
   config,
+  nodes,
   nixos-hardware,
   pkgs,
   ...
 }: let
-  # TODO byebyebye
+  inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
-  # TODO byebyebye
+  authDomain = "auth.${personalDomain}";
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  inherit (config.repo.secrets.local) acme;
-  auth.domain = config.repo.secrets.local.auth.domain;
 in {
   imports = [
     nixos-hardware.common-cpu-intel
@@ -79,51 +71,8 @@ in {
   }: {
     rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
 
-    rekey.secrets."dhparams.pem" = {
+    extra.wireguard.proxy-sentinel = {
-      # TODO make own?
+      client.via = "sentinel";
-      file = ../zackbiene/secrets/dhparams.pem.age;
-      mode = "440";
-      group = "nginx";
-    };
-
-    rekey.secrets.acme-credentials = {
-      file = ./secrets/acme-credentials.age;
-      mode = "440";
-      group = "acme";
-    };
-
-    security.acme = {
-      acceptTerms = true;
-      defaults = {
-        inherit (acme) email;
-        credentialsFile = config.rekey.secrets.acme-credentials.path;
-        dnsProvider = "cloudflare";
-        dnsPropagationCheck = true;
-        reloadServices = ["nginx"];
-      };
-    };
-    extra.acme.wildcardDomains = acme.domains;
-    users.groups.acme.members = ["nginx"];
-    services.nginx.enable = true;
-
-    services.nginx = {
-      upstreams."kanidm" = {
-        servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {};
-        extraConfig = ''
-          zone kanidm 64k;
-          keepalive 2;
-        '';
-      };
-      virtualHosts.${auth.domain} = {
-        forceSSL = true;
-        useACMEHost = config.lib.extra.matchingWildcardCert auth.domain;
-        locations."/".proxyPass = "https://kanidm";
-        # Allow using self-signed certs to satisfy kanidm's requirement
-        # for TLS connections. (This is over wireguard anyway)
-        extraConfig = ''
-          proxy_ssl_verify off;
-        '';
-      };
     };
 
     networking.nftables.firewall = {
@@ -155,7 +104,7 @@ in {
       enableServer = true;
       # enablePAM = true;
       serverSettings = {
-        inherit (auth) domain;
+        domain = authDomain;
         origin = "https://${config.services.kanidm.serverSettings.domain}";
         #tls_chain = "/run/credentials/kanidm.service/fullchain.pem";
         #tls_key = "/run/credentials/kanidm.service/key.pem";

modules/wireguard.nix

@@ -288,9 +288,9 @@ in {
             default = [];
             example = ["10.0.0.1/24" "fd00:cafe::/64"];
             description = mdDoc ''
-              Allows defining extra cidr network ranges that shall be reserved for this machine
+              Allows defining extra cidr network ranges that shall be reserved for this network.
-              and its children (i.e. external peers or via clients). Reservation means that those
+              Reservation means that those address spaces will be guaranteed to be included in
-              address spaces will be guaranteed to be included in the spanned network.
+              the spanned network, but no rules will be enforced as to who in the network may use them.
 
               By default, this module will try to allocate the smallest address space that includes
               all network peers. If you know that there might be additional external peers added later,
@@ -341,12 +341,26 @@ in {
 
         ipv4 = mkOption {
           type = net.types.ipv4;
-          description = mdDoc "The ipv4 address for this machine.";
+          default = spannedReservedNetwork.cidrv4;
+          description = mdDoc ''
+            The ipv4 address for this machine. If you do not set this explicitly,
+            a semi-stable ipv4 address will be derived automatically based on the
+            hostname of this machine. At least one participating server must reserve
+            a big-enough space of addresses by setting `reservedAddresses`.
+            See `net.cidr.assignIps` for more information on the algorithm.
+          '';
         };
 
         ipv6 = mkOption {
           type = net.types.ipv6;
-          description = mdDoc "The ipv6 address for this machine.";
+          default = ;
+          description = mdDoc ''
+            The ipv6 address for this machine. If you do not set this explicitly,
+            a semi-stable ipv6 address will be derived automatically based on the
+            hostname of this machine. At least one participating server must reserve
+            a big-enough space of addresses by setting `reservedAddresses`.
+            See `net.cidr.assignIps` for more information on the algorithm.
+          '';
         };
 
         addresses = mkOption {

nix/lib.nix

@@ -31,7 +31,6 @@
     stringToCharacters
     substring
     unique
-    warnIf
     ;
 in rec {
   # Counts how often each element occurrs in xs
@@ -245,6 +244,11 @@ in rec {
       concatMap (n: (wgCfgOf n).addresses) associatedNodes
       ++ flatten (concatMap (n: attrValues (wgCfgOf n).server.externalPeers) associatedNodes);
 
+    # The cidrv4 and cidrv6 of the network spanned by all reserved addresses only.
+    # Used to determine automatically assigned addresses first.
+    spannedReservedNetwork =
+      net.cidr.merge (concatMap (n: (wgCfgOf n).server.reservedAddresses) associatedServerNodes);
+
     # The cidrv4 and cidrv6 of the network spanned by all participating peer addresses.
     # This also takes into account any reserved address ranges that should be part of the network.
     networkAddresses =