feat: finish vlan setup

2024-12-20 01:05:17 +01:00 · 2024-12-20 01:05:17 +01:00 · 297d19fa0c
commit 297d19fa0c
parent d0448757bf
16 changed files with 115 additions and 100 deletions
--- a/flake.lock
+++ b/flake.lock
@ -901,11 +901,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734279981,
-        "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=",
+        "lastModified": 1734425854,
+        "narHash": "sha256-nzE5UbJ41aPEKf8R2ZFYtLkqPmF7EIUbNEdHMBLg0Ig=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785",
+        "rev": "0ddd26d0925f618c3a5d85a4fa5eb1e23a09491d",
        "type": "github"
      },
      "original": {
@ -1113,11 +1113,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734344598,
-        "narHash": "sha256-wNX3hsScqDdqKWOO87wETUEi7a/QlPVgpC/Lh5rFOuA=",
+        "lastModified": 1734622215,
+        "narHash": "sha256-OOfI0XhSJGHblfdNDhfnn8QnZxng63rWk9eeJ2tCbiI=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "83ecd50915a09dca928971139d3a102377a8d242",
+        "rev": "1395379a7a36e40f2a76e7b9936cc52950baa1be",
        "type": "github"
      },
      "original": {
@ -1134,11 +1134,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734093295,
-        "narHash": "sha256-hSwgGpcZtdDsk1dnzA0xj5cNaHgN9A99hRF/mxMtwS4=",
+        "lastModified": 1734344598,
+        "narHash": "sha256-wNX3hsScqDdqKWOO87wETUEi7a/QlPVgpC/Lh5rFOuA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "66c5d8b62818ec4c1edb3e941f55ef78df8141a8",
+        "rev": "83ecd50915a09dca928971139d3a102377a8d242",
        "type": "github"
      },
      "original": {
@ -1387,11 +1387,11 @@
        "pre-commit-hooks": "pre-commit-hooks_4"
      },
      "locked": {
-        "lastModified": 1734266385,
-        "narHash": "sha256-k9P9Sa6jw/Xre8UDp7Ukk75h4Tcq8ZrK+nz6A2MC1IM=",
+        "lastModified": 1734639503,
+        "narHash": "sha256-Z58HeNQpfbi94Cw8VxdF1GtU1S5AoWO0hfJTxA6wu78=",
        "owner": "oddlama",
        "repo": "nix-topology",
-        "rev": "ba6f61e594a85eabebf1c8f373923b59b3b07448",
+        "rev": "d6edd49bac68dc70e19b5e91617b9f04e8ac1c43",
        "type": "github"
      },
      "original": {
@ -1426,11 +1426,11 @@
        "pre-commit-hooks": "pre-commit-hooks_5"
      },
      "locked": {
-        "lastModified": 1734380133,
-        "narHash": "sha256-gvbWJGjTpGJwyvK72Rf+z0aMVgKzpu+UWxbh7naZtvY=",
+        "lastModified": 1734643696,
+        "narHash": "sha256-W5JSWhhThI9erzhZmpHy1gZGwSxEGPKYmOUBEXH/WGA=",
        "owner": "oddlama",
        "repo": "nixos-extra-modules",
-        "rev": "558954ebb2959ea47bfa593f6a74ce54a21bfafd",
+        "rev": "6a4736e0773a1852b0b6c5f71cbe96dd39c3caf1",
        "type": "github"
      },
      "original": {
@ -1447,11 +1447,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734311693,
-        "narHash": "sha256-ODRrnbaUsOe3e4kp+uHl+iJxey5zE3kqiBqJWQxrlnY=",
+        "lastModified": 1734570415,
+        "narHash": "sha256-kcsDNcEr4hYuDc8l+ox41FvEPpmQTV3/3hgdx3tuxHw=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "a5278f7c326205681f1f42a90fa46a75a13627eb",
+        "rev": "b8f266f26bb757e7aec18adeee6919db6666c4f6",
        "type": "github"
      },
      "original": {
@ -1498,11 +1498,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1734119587,
-        "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
+        "lastModified": 1734424634,
+        "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5",
+        "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33",
        "type": "github"
      },
      "original": {
@ -1711,11 +1711,11 @@
        "treefmt-nix": "treefmt-nix_4"
      },
      "locked": {
-        "lastModified": 1734368549,
-        "narHash": "sha256-D8LYUU+IWbpmyjOAKEnKVOhd7Qfe7q+DvUNZTYoitKY=",
+        "lastModified": 1734567959,
+        "narHash": "sha256-ghNQlnI/r6cnknY58x60695sFrYnI6ZUMg65bmoNGqw=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "6c30476a4d5f761149945a65e74179f4492b1ea6",
+        "rev": "37608b462772e35220e02bfbd9045d0946564436",
        "type": "github"
      },
      "original": {
@ -1928,11 +1928,11 @@
        "nixpkgs-stable": "nixpkgs-stable_5"
      },
      "locked": {
-        "lastModified": 1734379367,
-        "narHash": "sha256-Keu8z5VgT5gnCF4pmB+g7XZFftHpfl4qOn7nqBcywdE=",
+        "lastModified": 1734425854,
+        "narHash": "sha256-nzE5UbJ41aPEKf8R2ZFYtLkqPmF7EIUbNEdHMBLg0Ig=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "0bb4be58f21ff38fc3cdbd6c778eb67db97f0b99",
+        "rev": "0ddd26d0925f618c3a5d85a4fa5eb1e23a09491d",
        "type": "github"
      },
      "original": {
@ -2223,11 +2223,11 @@
        "tinted-tmux": "tinted-tmux"
      },
      "locked": {
-        "lastModified": 1734110168,
-        "narHash": "sha256-Q0eeLYn45ErXlqGQyXmLLHGe1mqnUiK0Y9wZRa1SNFI=",
+        "lastModified": 1734531336,
+        "narHash": "sha256-BWwJTAiWmZudUdUbyets7e3zQfjvZYtkU51blBnUBjw=",
        "owner": "danth",
        "repo": "stylix",
-        "rev": "a9e3779949925ef22f5a215c5f49cf520dea30b1",
+        "rev": "a2d66f25478103ac9b4adc6d6713794f7005221e",
        "type": "github"
      },
      "original": {
@ -2519,11 +2519,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733761991,
-        "narHash": "sha256-s4DalCDepD22jtKL5Nw6f4LP5UwoMcPzPZgHWjAfqbQ=",
+        "lastModified": 1734543842,
+        "narHash": "sha256-/QceWozrNg915Db9x/Ie5k67n9wKgGdTFng+Z1Qw0kE=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "0ce9d149d99bc383d1f2d85f31f6ebd146e46085",
+        "rev": "76159fc74eeac0599c3618e3601ac2b980a29263",
        "type": "github"
      },
      "original": {
--- a/globals.nix
+++ b/globals.nix
@ -2,6 +2,7 @@
  inputs,
  config,
  lib,
+  nodes,
  ...
 }:
 let
@ -29,15 +30,8 @@ in

      home-lan = {
        vlans = {
-          personal = {
-            id = 10;
-            cidrv4 = "192.168.10.0/24";
-            cidrv6 = "fd10::/64";
-            hosts.ward.id = 1;
-            hosts.ward-adguardhome.id = 3;
-          };
          services = {
-            id = 20;
+            id = 5;
            cidrv4 = "192.168.20.0/24";
            cidrv6 = "fd20::/64";
            hosts.ward.id = 1;
@ -52,11 +46,18 @@ in
            };
            hosts.sire-samba = {
              id = 10;
-              inherit (nodes.sire-samba.config.lib.microvm.interfaces.vlan-services) mac;
+              inherit (nodes.sire-samba.config.lib.microvm.interfaces.lan) mac;
            };
          };
+          home = {
+            id = 10;
+            cidrv4 = "192.168.10.0/24";
+            cidrv6 = "fd10::/64";
+            hosts.ward.id = 1;
+            hosts.ward-adguardhome.id = 3;
+          };
          devices = {
-            id = 30;
+            id = 20;
            cidrv4 = "192.168.30.0/24";
            cidrv6 = "fd30::/64";
            hosts.ward.id = 1;
@ -71,14 +72,14 @@ in
            };
          };
          iot = {
-            id = 40;
+            id = 30;
            cidrv4 = "192.168.40.0/24";
            cidrv6 = "fd40::/64";
            hosts.ward.id = 1;
            hosts.ward-adguardhome.id = 3;
          };
          guests = {
-            id = 50;
+            id = 40;
            cidrv4 = "192.168.50.0/24";
            cidrv6 = "fd50::/64";
            hosts.ward.id = 1;
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@ -95,7 +95,9 @@
            {
              node.secretsDir = ./secrets/${guestName};
              networking.nftables.firewall = {
-                zones.untrusted.interfaces = [ config.guests.${guestName}.networking.mainLinkName ];
+                zones.untrusted.interfaces = lib.mkIf (
+                  lib.length config.guests.${guestName}.networking.links == 1
+                ) config.guests.${guestName}.networking.links;
              };
            }
          ];
@ -106,8 +108,8 @@
          backend = "microvm";
          microvm = {
            system = "x86_64-linux";
-            macvtap = "lan";
            baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
+            interfaces.lan = { };
          };
          extraSpecialArgs = {
            inherit (inputs.self) nodes globals;
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -65,12 +65,13 @@ in
      group = "influxdb2";
    };

-    services.influxdb2.provision.organizations.machines.auths."grafana machines:telegraf (${config.node.name})" = {
-      readBuckets = [ "telegraf" ];
-      writeBuckets = [ "telegraf" ];
-      tokenFile =
-        nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-machines-${config.node.name}".path;
-    };
+    services.influxdb2.provision.organizations.machines.auths."grafana machines:telegraf (${config.node.name})" =
+      {
+        readBuckets = [ "telegraf" ];
+        writeBuckets = [ "telegraf" ];
+        tokenFile =
+          nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-machines-${config.node.name}".path;
+      };

    age.secrets."grafana-influxdb-token-home-${config.node.name}" = {
      inherit (config.age.secrets.grafana-influxdb-token-home) rekeyFile;
@ -78,12 +79,13 @@ in
      group = "influxdb2";
    };

-    services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})" = {
-      readBuckets = [ "home_assistant" ];
-      writeBuckets = [ "home_assistant" ];
-      tokenFile =
-        nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
-    };
+    services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})" =
+      {
+        readBuckets = [ "home_assistant" ];
+        writeBuckets = [ "home_assistant" ];
+        tokenFile =
+          nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
+      };
  };

  globals.services.grafana.domain = grafanaDomain;
@ -144,8 +146,8 @@ in
          proxyWebsockets = true;
        };
        extraConfig = ''
-          allow ${globals.net.home-lan.cidrv4};
-          allow ${globals.net.home-lan.cidrv6};
+          allow ${globals.net.home-lan.vlans.services.cidrv4};
+          allow ${globals.net.home-lan.vlans.services.cidrv6};
          deny all;
        '';
      };
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@ -249,8 +249,8 @@ in
          proxy_read_timeout 600s;
          proxy_send_timeout 600s;
          send_timeout       600s;
-          allow ${globals.net.home-lan.cidrv4};
-          allow ${globals.net.home-lan.cidrv6};
+          allow ${globals.net.home-lan.vlans.services.cidrv4};
+          allow ${globals.net.home-lan.vlans.services.cidrv6};
          deny all;
        '';
      };
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@ -79,8 +79,8 @@ in
        useACMEWildcardHost = true;
        extraConfig = ''
          client_max_body_size 512M;
-          allow ${globals.net.home-lan.cidrv4};
-          allow ${globals.net.home-lan.cidrv6};
+          allow ${globals.net.home-lan.vlans.services.cidrv4};
+          allow ${globals.net.home-lan.vlans.services.cidrv6};
          deny all;
        '';
        locations."/" = {
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@ -148,9 +148,9 @@ in
  };

  globals.monitoring.tcp.samba = {
-    host = globals.net.home-lan.hosts.sire-samba.ipv4;
+    host = globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4;
    port = 445;
-    network = "home-lan";
+    network = "home-lan.vlans.services";
  };

  services.samba = {
@ -179,7 +179,8 @@ in
            # Deny access to all hosts by default.
            "hosts deny" = "0.0.0.0/0";
            # Allow access to local network and TODO: wireguard
-            "hosts allow" = "${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}";
+            "hosts allow" =
+              "${globals.net.home-lan.vlans.services.cidrv4} ${globals.net.home-lan.vlans.services.cidrv6}";
            # Don't advertise inaccessible shares to users
            "access based share enum" = "yes";

--- a/hosts/sire/net.nix
+++ b/hosts/sire/net.nix
@ -8,16 +8,16 @@
  networking.hostId = config.repo.secrets.local.networking.hostId;

  globals.monitoring.ping.sire = {
-    hostv4 = lib.net.cidr.ip globals.net.home-lan.hosts.sire.cidrv4;
-    hostv6 = lib.net.cidr.ip globals.net.home-lan.hosts.sire.cidrv6;
-    network = "home-lan";
+    hostv4 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sire.cidrv4;
+    hostv6 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sire.cidrv6;
+    network = "home-lan.vlans.services";
  };

  boot.initrd.systemd.network = {
    enable = true;
    networks."10-lan" = {
-      address = [ globals.net.home-lan.hosts.sire.cidrv4 ];
-      gateway = [ globals.net.home-lan.hosts.ward.ipv4 ];
+      address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ];
+      gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
      matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
      networkConfig = {
        IPv6PrivacyExtensions = "yes";
@ -54,8 +54,8 @@
      '';
    };
    "20-lan-self" = {
-      address = [ globals.net.home-lan.hosts.sire.cidrv4 ];
-      gateway = [ globals.net.home-lan.hosts.ward.ipv4 ];
+      address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ];
+      gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
      matchConfig.Name = "lan-self";
      networkConfig = {
        IPv6PrivacyExtensions = "yes";
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -79,7 +79,9 @@
          {
            node.secretsDir = ./secrets/${guestName};
            networking.nftables.firewall = {
-              zones.untrusted.interfaces = [ config.guests.${guestName}.networking.mainLinkName ];
+              zones.untrusted.interfaces = lib.mkIf (
+                lib.length config.guests.${guestName}.networking.links == 1
+              ) config.guests.${guestName}.networking.links;
            };
          }
        ];
@ -90,8 +92,8 @@
          backend = "microvm";
          microvm = {
            system = "x86_64-linux";
-            macvtap = "lan";
            baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
+            interfaces.vlan-services = { };
          };
          extraSpecialArgs = {
            inherit (inputs.self) nodes globals;
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -16,9 +16,9 @@ in

  globals.services.adguardhome.domain = adguardhomeDomain;
  globals.monitoring.dns.adguardhome = {
-    server = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
+    server = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4;
    domain = ".";
-    network = "home-lan";
+    network = "home-lan.vlans.services";
  };

  nodes.sentinel = {
@ -99,7 +99,7 @@ in
          map
            (domain: {
              inherit domain;
-              answer = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
+              answer = globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4;
            })
            [
              # FIXME: dont hardcode, filter global service domains by internal state
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@ -22,7 +22,7 @@ in
  meta.telegraf.availableMonitoringNetworks = [
    "internet"
    "home-wan"
-    "home-lan"
+    "home-lan.vlans.services"
  ];

  age.secrets.acme-cloudflare-dns-token = {
@ -70,8 +70,8 @@ in
      # is over TLS.
      extraConfig = ''
        proxy_ssl_verify off;
-        allow ${globals.net.home-lan.cidrv4};
-        allow ${globals.net.home-lan.cidrv6};
+        allow ${globals.net.home-lan.vlans.services.cidrv4};
+        allow ${globals.net.home-lan.vlans.services.cidrv6};
        deny all;
      '';
    };
--- a/hosts/ward/kea.nix
+++ b/hosts/ward/kea.nix
@ -5,7 +5,11 @@
  ...
 }:
 let
-  inherit (lib) net;
+  inherit (lib)
+    flip
+    mapAttrsToList
+    net
+    ;
 in
 {
  environment.persistence."/persist".directories = [
@ -32,7 +36,7 @@ in
        interfaces = map (name: "me-${name}") (builtins.attrNames globals.net.home-lan.vlans);
        service-sockets-max-retries = -1;
      };
-      subnet4 = lib.mapAttrsToList globals.net.home-lan.vlans (
+      subnet4 = flip mapAttrsToList globals.net.home-lan.vlans (
        vlanName: vlanCfg: [
          {
            inherit (vlanCfg) id;
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -9,9 +9,9 @@
  networking.hostId = config.repo.secrets.local.networking.hostId;

  globals.monitoring.ping.ward = {
-    hostv4 = lib.net.cidr.ip globals.net.home-lan.hosts.ward.cidrv4;
-    hostv6 = lib.net.cidr.ip globals.net.home-lan.hosts.ward.cidrv6;
-    network = "home-lan.vlans.devices";
+    hostv4 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.ward.cidrv4;
+    hostv6 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.ward.cidrv6;
+    network = "home-lan.vlans.services";
  };

  boot.initrd.availableKernelModules = [ "8021q" ];
@ -43,8 +43,8 @@
      };
      "30-vlan-home" = {
        address = [
-          globals.net.home-lan.hosts.ward.cidrv4
-          globals.net.home-lan.hosts.ward.cidrv6
+          globals.net.home-lan.vlans.home.hosts.ward.cidrv4
+          globals.net.home-lan.vlans.home.hosts.ward.cidrv6
        ];
        matchConfig.Name = "vlan-home";
        networkConfig = {
@ -157,7 +157,7 @@
          # ipv6SendRAConfig = {
          #   Managed = true;
          #   EmitDNS = true;
-          # FIXME: this is not the true ipv6 of adguardhome   DNS = globals.net.home-lan.hosts.ward-adguardhome.ipv6;
+          # FIXME: this is not the true ipv6 of adguardhome   DNS = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6;
          # FIXME: todo assign static additional to reservation in kea
          # };
          linkConfig.RequiredForOnline = "routable";
@ -178,15 +178,15 @@
      }
      // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
        vlanName: _: {
-          "me-${vlanName}".interfaces = [ "me-${vlanName}" ];
+          "vlan-${vlanName}".interfaces = [ "me-${vlanName}" ];
        }
      );

    rules = {
      masquerade-internet = {
        from = [
-          "vlan-home"
          "vlan-services"
+          "vlan-home"
          "vlan-devices"
          "vlan-guests"
        ];
@ -222,7 +222,7 @@
  #};

  wireguard.proxy-home.server = {
-    host = globals.net.home-lan.hosts.ward.ipv4;
+    host = globals.net.home-lan.vlans.services.hosts.ward.ipv4;
    port = 51444;
    reservedAddresses = [
      globals.net.proxy-home.cidrv4
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@ -154,7 +154,9 @@ in
  };

  # Connect to fritzbox via https proxy (to ensure valid cert)
-  networking.hosts.${globals.net.home-lan.hosts.ward-web-proxy.ipv4} = [ fritzboxDomain ];
+  networking.hosts.${globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4} = [
+    fritzboxDomain
+  ];

  nodes.ward-web-proxy = {
    services.nginx = {
@ -174,8 +176,8 @@ in
          proxyWebsockets = true;
        };
        extraConfig = ''
-          allow ${globals.net.home-lan.cidrv4};
-          allow ${globals.net.home-lan.cidrv6};
+          allow ${globals.net.home-lan.vlans.services.cidrv4};
+          allow ${globals.net.home-lan.vlans.services.cidrv6};
          deny all;
        '';
      };
--- a/hosts/zackbiene/net.nix
+++ b/hosts/zackbiene/net.nix
@ -14,7 +14,7 @@ in
  globals.monitoring.ping.zackbiene = {
    hostv4 = "zackbiene.local";
    hostv6 = "zackbiene.local";
-    network = "home-lan";
+    network = "home-lan.vlans.services";
  };

  wireguard.proxy-home.client.via = "ward";
@ -70,8 +70,8 @@ in
      lan-interface.interfaces = [ "lan1" ];
      lan = {
        parent = "lan-interface";
-        ipv4Addresses = [ globals.net.home-lan.cidrv4 ];
-        ipv6Addresses = [ globals.net.home-lan.cidrv6 ];
+        ipv4Addresses = [ globals.net.home-lan.vlans.services.cidrv4 ];
+        ipv6Addresses = [ globals.net.home-lan.vlans.services.cidrv6 ];
      };
      iot.interfaces = [ "wlan1" ];
    };
--- a/nix/globals.nix
+++ b/nix/globals.nix
@ -14,6 +14,7 @@
            specialArgs = {
              inherit (inputs.self.pkgs.x86_64-linux) lib;
              inherit inputs;
+              inherit (config) nodes;
            };
            modules = [
              ../modules/globals.nix