wip: prepare for autogenerated wireguard ips; prepare for sentinel server

2023-05-28 01:05:23 +02:00 · 2023-05-28 01:05:23 +02:00 · 4e8103af47
commit 4e8103af47
parent 05813fafb4
4 changed files with 30 additions and 63 deletions
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -1,20 +1,12 @@
 {
  config,
+  nodes,
  nixos-hardware,
  pkgs,
  ...
 }: let
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  inherit (config.repo.secrets.local) acme;
-  auth.domain = config.repo.secrets.local.auth.domain;
+  inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
+  authDomain = "auth.${personalDomain}";
 in {
  imports = [
    nixos-hardware.common-cpu-intel
@ -79,51 +71,8 @@ in {
  }: {
    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";

-    rekey.secrets."dhparams.pem" = {
-      # TODO make own?
-      file = ../zackbiene/secrets/dhparams.pem.age;
-      mode = "440";
-      group = "nginx";
-    };
-
-    rekey.secrets.acme-credentials = {
-      file = ./secrets/acme-credentials.age;
-      mode = "440";
-      group = "acme";
-    };
-
-    security.acme = {
-      acceptTerms = true;
-      defaults = {
-        inherit (acme) email;
-        credentialsFile = config.rekey.secrets.acme-credentials.path;
-        dnsProvider = "cloudflare";
-        dnsPropagationCheck = true;
-        reloadServices = ["nginx"];
-      };
-    };
-    extra.acme.wildcardDomains = acme.domains;
-    users.groups.acme.members = ["nginx"];
-    services.nginx.enable = true;
-
-    services.nginx = {
-      upstreams."kanidm" = {
-        servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {};
-        extraConfig = ''
-          zone kanidm 64k;
-          keepalive 2;
-        '';
-      };
-      virtualHosts.${auth.domain} = {
-        forceSSL = true;
-        useACMEHost = config.lib.extra.matchingWildcardCert auth.domain;
-        locations."/".proxyPass = "https://kanidm";
-        # Allow using self-signed certs to satisfy kanidm's requirement
-        # for TLS connections. (This is over wireguard anyway)
-        extraConfig = ''
-          proxy_ssl_verify off;
-        '';
-      };
+    extra.wireguard.proxy-sentinel = {
+      client.via = "sentinel";
    };

    networking.nftables.firewall = {
@ -155,7 +104,7 @@ in {
      enableServer = true;
      # enablePAM = true;
      serverSettings = {
-        inherit (auth) domain;
+        domain = authDomain;
        origin = "https://${config.services.kanidm.serverSettings.domain}";
        #tls_chain = "/run/credentials/kanidm.service/fullchain.pem";
        #tls_key = "/run/credentials/kanidm.service/key.pem";
--- a/hosts/ward/secrets/local.nix.age
+++ b/hosts/ward/secrets/local.nix.age
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -288,9 +288,9 @@ in {
            default = [];
            example = ["10.0.0.1/24" "fd00:cafe::/64"];
            description = mdDoc ''
-              Allows defining extra cidr network ranges that shall be reserved for this machine
-              and its children (i.e. external peers or via clients). Reservation means that those
-              address spaces will be guaranteed to be included in the spanned network.
+              Allows defining extra cidr network ranges that shall be reserved for this network.
+              Reservation means that those address spaces will be guaranteed to be included in
+              the spanned network, but no rules will be enforced as to who in the network may use them.

              By default, this module will try to allocate the smallest address space that includes
              all network peers. If you know that there might be additional external peers added later,
@ -341,12 +341,26 @@ in {

        ipv4 = mkOption {
          type = net.types.ipv4;
-          description = mdDoc "The ipv4 address for this machine.";
+          default = spannedReservedNetwork.cidrv4;
+          description = mdDoc ''
+            The ipv4 address for this machine. If you do not set this explicitly,
+            a semi-stable ipv4 address will be derived automatically based on the
+            hostname of this machine. At least one participating server must reserve
+            a big-enough space of addresses by setting `reservedAddresses`.
+            See `net.cidr.assignIps` for more information on the algorithm.
+          '';
        };

        ipv6 = mkOption {
          type = net.types.ipv6;
-          description = mdDoc "The ipv6 address for this machine.";
+          default = ;
+          description = mdDoc ''
+            The ipv6 address for this machine. If you do not set this explicitly,
+            a semi-stable ipv6 address will be derived automatically based on the
+            hostname of this machine. At least one participating server must reserve
+            a big-enough space of addresses by setting `reservedAddresses`.
+            See `net.cidr.assignIps` for more information on the algorithm.
+          '';
        };

        addresses = mkOption {
--- a/nix/lib.nix
+++ b/nix/lib.nix
@ -31,7 +31,6 @@
    stringToCharacters
    substring
    unique
-    warnIf
    ;
 in rec {
  # Counts how often each element occurrs in xs
@ -245,6 +244,11 @@ in rec {
      concatMap (n: (wgCfgOf n).addresses) associatedNodes
      ++ flatten (concatMap (n: attrValues (wgCfgOf n).server.externalPeers) associatedNodes);

+    # The cidrv4 and cidrv6 of the network spanned by all reserved addresses only.
+    # Used to determine automatically assigned addresses first.
+    spannedReservedNetwork =
+      net.cidr.merge (concatMap (n: (wgCfgOf n).server.reservedAddresses) associatedServerNodes);
+
    # The cidrv4 and cidrv6 of the network spanned by all participating peer addresses.
    # This also takes into account any reserved address ranges that should be part of the network.
    networkAddresses =