diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 2320b54..4bad082 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -1,20 +1,12 @@
 {
   config,
+  nodes,
   nixos-hardware,
   pkgs,
   ...
 }: let
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  # TODO byebyebye
-  inherit (config.repo.secrets.local) acme;
-  auth.domain = config.repo.secrets.local.auth.domain;
+  inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
+  authDomain = "auth.${personalDomain}";
 in {
   imports = [
     nixos-hardware.common-cpu-intel
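Review bot: The new `inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;` reads another host's secrets file without saying why, which a reader of this file cannot reconstruct; the old value was local to ward. A one-line comment would prevent someone "fixing" it back, e.g. `# The public auth hostname is owned by sentinel's secrets (sentinel fronts this service); ward only derives its kanidm domain from it.` — the part in parentheses is my inference from the proxy-sentinel hunk below and should be adjusted to the real reason. Note that this makes ward's evaluation depend on sentinel's secrets being decryptable on the building machine.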
@@ -79,51 +71,8 @@ in {
   }: {
     rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
-    rekey.secrets."dhparams.pem" = {
-      # TODO make own?
-      file = ../zackbiene/secrets/dhparams.pem.age;
-      mode = "440";
-      group = "nginx";
-    };
-
-    rekey.secrets.acme-credentials = {
-      file = ./secrets/acme-credentials.age;
-      mode = "440";
-      group = "acme";
-    };
-
-    security.acme = {
-      acceptTerms = true;
-      defaults = {
-        inherit (acme) email;
-        credentialsFile = config.rekey.secrets.acme-credentials.path;
-        dnsProvider = "cloudflare";
-        dnsPropagationCheck = true;
-        reloadServices = ["nginx"];
-      };
-    };
-    extra.acme.wildcardDomains = acme.domains;
-    users.groups.acme.members = ["nginx"];
-    services.nginx.enable = true;
-
-    services.nginx = {
-      upstreams."kanidm" = {
-        servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {};
-        extraConfig = ''
-          zone kanidm 64k;
-          keepalive 2;
-        '';
-      };
-      virtualHosts.${auth.domain} = {
-        forceSSL = true;
-        useACMEHost = config.lib.extra.matchingWildcardCert auth.domain;
-        locations."/".proxyPass = "https://kanidm";
-        # Allow using self-signed certs to satisfy kanidm's requirement
-        # for TLS connections. (This is over wireguard anyway)
-        extraConfig = ''
-          proxy_ssl_verify off;
-        '';
-      };
+    extra.wireguard.proxy-sentinel = {
+      client.via = "sentinel";
     };
 
     networking.nftables.firewall = {
@@ -155,7 +104,7 @@ in {
       enableServer = true;
       # enablePAM = true;
       serverSettings = {
-        inherit (auth) domain;
+        domain = authDomain;
         origin = "https://${config.services.kanidm.serverSettings.domain}";
         #tls_chain = "/run/credentials/kanidm.service/fullchain.pem";
         #tls_key = "/run/credentials/kanidm.service/key.pem";
diff --git a/hosts/ward/secrets/local.nix.age b/hosts/ward/secrets/local.nix.age
index 18a02bf..0a172af 100644
Binary files a/hosts/ward/secrets/local.nix.age and b/hosts/ward/secrets/local.nix.age differ
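Review bot: After this hunk, the only thing standing between the `proxy-sentinel` WireGuard network and kanidm's port 8300 is the `networking.nftables.firewall` block that starts on the hunk's last line and continues outside it, and the same commit's `reservedAddresses` docs state that no rules are enforced as to who in the network may use an address. That rule should therefore allow 8300 only from sentinel's own WireGuard address, not from the whole interface, and a comment on `extra.wireguard.proxy-sentinel` should say that sentinel is the only intended client, e.g. `# kanidm is reached only by sentinel's reverse proxy over this tunnel; see the firewall rule below.` The removed nginx block accepted kanidm's self-signed certificate with `proxy_ssl_verify off`; whatever replaces it on sentinel (not visible here) should pin kanidm's certificate rather than repeat that, since the tunnel alone does not authenticate the endpoint.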
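Review bot: `domain = authDomain;` switches kanidm's `domain` from the `auth.domain` secret to `auth.${personalDomain}`; as far as I know kanidm uses this value as the WebAuthn relying-party ID and `origin` is derived from it on the next line, so if the resulting string differs from what was deployed before, already-registered passkeys stop validating. If the values are identical this is harmless, but a comment would make the constraint visible: `# WebAuthn RP ID: must stay stable once credentials are enrolled.` The `serverSettings` block continues outside the hunk.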
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 8b78587..cdb335d 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -288,9 +288,9 @@ in {
         default = [];
         example = ["10.0.0.1/24" "fd00:cafe::/64"];
         description = mdDoc ''
-          Allows defining extra cidr network ranges that shall be reserved for this machine
-          and its children (i.e. external peers or via clients). Reservation means that those
-          address spaces will be guaranteed to be included in the spanned network.
+          Allows defining extra cidr network ranges that shall be reserved for this network.
+          Reservation means that those address spaces will be guaranteed to be included in
+          the spanned network, but no rules will be enforced as to who in the network may use them.
           By default, this module will try to allocate the smallest address space that includes all network peers. If you know that there might be additional external peers added later,
@@ -341,12 +341,26 @@ in {
       ipv4 = mkOption {
         type = net.types.ipv4;
-        description = mdDoc "The ipv4 address for this machine.";
+        default = spannedReservedNetwork.cidrv4;
+        description = mdDoc ''
+          The ipv4 address for this machine. If you do not set this explicitly,
+          a semi-stable ipv4 address will be derived automatically based on the
+          hostname of this machine. At least one participating server must reserve
+          a big-enough space of addresses by setting `reservedAddresses`.
+          See `net.cidr.assignIps` for more information on the algorithm.
+        '';
       };
       ipv6 = mkOption {
         type = net.types.ipv6;
-        description = mdDoc "The ipv6 address for this machine.";
+        default = ;
+        description = mdDoc ''
+          The ipv6 address for this machine. If you do not set this explicitly,
+          a semi-stable ipv6 address will be derived automatically based on the
+          hostname of this machine. At least one participating server must reserve
+          a big-enough space of addresses by setting `reservedAddresses`.
+          See `net.cidr.assignIps` for more information on the algorithm.
+        '';
       };
       addresses = mkOption {
diff --git a/nix/lib.nix b/nix/lib.nix
index a551782..f9093b7 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
@@ -31,7 +31,6 @@
     stringToCharacters
     substring
     unique
-    warnIf
   ;
 in rec {
   # Counts how often each element occurrs in xs
@@ -245,6 +244,11 @@ in rec {
       concatMap (n: (wgCfgOf n).addresses) associatedNodes
       ++ flatten (concatMap (n: attrValues (wgCfgOf n).server.externalPeers) associatedNodes);
 
+  # The cidrv4 and cidrv6 of the network spanned by all reserved addresses only.
+  # Used to determine automatically assigned addresses first.
+  spannedReservedNetwork =
+    net.cidr.merge (concatMap (n: (wgCfgOf n).server.reservedAddresses) associatedServerNodes);
+
   # The cidrv4 and cidrv6 of the network spanned by all participating peer addresses.
   # This also takes into account any reserved address ranges that should be part of the network.
   networkAddresses =
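Review bot: `default = spannedReservedNetwork.cidrv4;` assigns a network prefix to an option typed `net.types.ipv4`, and the ipv6 option's default is empty (`default = ;` as rendered here), so neither default yields the per-host address the new descriptions promise and the ipv6 one does not evaluate at all. The descriptions point at `net.cidr.assignIps` and the hostname, so the defaults presumably need to call that helper with the reserved network and the host name rather than use the network itself; I cannot see the helper's signature from here, so I am not proposing the exact expression. It is also not visible in this hunk how `spannedReservedNetwork`, defined in `nix/lib.nix` in the same commit, comes into scope inside the module; if it is not, evaluation fails for every host that leaves the address unset.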
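Review bot: `net.cidr.merge (concatMap … server.reservedAddresses …)` is evaluated over an empty list when no participating server sets `reservedAddresses`, and nothing here turns that into the "at least one server must reserve" message the option descriptions promise; a guard such as `assert reserved != [] || throw "wireguard network: no server reserves addresses for automatic assignment";` before the merge would make the failure explicit. More importantly for safety, the `reservedAddresses` docs in this commit say nothing enforces who may use an address, and addresses are now derived from hostnames, so an auto-assigned address can coincide with an explicit `addresses` entry or an `externalPeers` address on another node; overlapping WireGuard AllowedIPs silently reroute traffic to whichever peer was configured last. Unless an assertion elsewhere already checks it, the derived address set should be asserted unique across all peers (the `networkAddresses` definition that begins on the hunk's last line looks like the place to do it).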