auto-update-daily-20260202
1{ lib }:
2let
3 /**
4 Check if the given name matches the current hostname.
5
6 @param hostname The current hostname to compare against
7 @param n The name to check
8 @return true if n equals hostname, false otherwise
9 */
10 isCurrentHost = hostname: n: n == hostname;
11
12 /**
13 Check if a host has a VPN public key configured.
14
15 @param host The host configuration to check
16 @return true if host has a non-empty VPN public key, false otherwise
17 */
18 hasVPNPublicKey = host: (lib.attrsets.attrByPath [ "net" "vpn" "pubkey" ] "" host) != "";
19
20 /**
21 Check if a host has VPN IP addresses configured.
22
23 @param host The host configuration to check
24 @return true if host has at least one VPN IP address, false otherwise
25 */
26 hasVPNips = host: (builtins.length (lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ ] host)) > 0;
27
28 /**
29 Check if a host has network IP addresses configured.
30
31 @param host The host configuration to check
32 @return true if host has at least one VPN IP address, false otherwise
33 */
34 hasIps = host: (builtins.length (lib.attrsets.attrByPath [ "net" "ips" ] [ ] host)) > 0;
35
36 /**
37 Return true if the given host has a list of Syncthing folder configured.
38
39 @param host The host configuration to check
40 @return true if host has syncthing folders configured, false otherwise
41 */
42 hasSyncthingFolders =
43 host:
44 builtins.hasAttr "syncthing" host
45 && builtins.hasAttr "folders" host.syncthing
46 && (builtins.length (lib.attrsets.attrValues host.syncthing.folders)) > 0;
47
48 /**
49 Check if a host has SSH host keys configured.
50
51 @param host The host configuration to check
52 @return true if host has SSH host keys, false otherwise
53 */
54 hasSSHHostKeys = host: builtins.hasAttr "ssh" host && builtins.hasAttr "hostKey" host.ssh;
55
56 /**
57 Get the path for the given folder, either using the host specified path or the default one.
58
59 @param name The folder name
60 @param folder The folder configuration
61 @param folders The complete folders configuration
62 @return The path for the folder
63 */
64 syncthingFolderPath =
65 name: folder: folders:
66 lib.attrsets.attrByPath [ "path" ] folders."${name}".path folder;
67
68 /**
69 Filter machines with the given syncthing folder.
70
71 @param hostname The current hostname to exclude from results
72 @param folderName The folder name to filter by
73 @param machines The set of all machines
74 @return Filtered set of machines that have the specified folder and are not the current host
75 */
76 syncthingMachinesWithFolder =
77 hostname: folderName: machines:
78 lib.attrsets.filterAttrs (
79 name: value:
80 hasSyncthingFolders value
81 && !(isCurrentHost hostname name)
82 && (builtins.hasAttr folderName value.syncthing.folders)
83 ) machines;
84
85 /**
86 Generate Syncthing addresses for a machine from its network configuration.
87
88 @param machine The machine configuration
89 @return List of TCP addresses (ips, vpn ips, and names) prefixed with "tcp://"
90 */
91 generateSyncthingAdresses =
92 machine:
93 builtins.map (x: "tcp://${x}") (
94 lib.attrsets.attrByPath [ "net" "ips" ] [ ] machine
95 ++ lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ ] machine
96 ++ lib.attrsets.attrByPath [ "net" "names" ] [ ] machine
97 );
98
99 /**
100 Get SSH host identifiers for a machine (names, IPs, and VPN IPs).
101
102 @param machine The machine configuration
103 @return List of all network identifiers for the machine
104 */
105 sshHostIdentifier =
106 machine:
107 lib.attrsets.attrByPath [ "net" "names" ] [ ] machine
108 ++ lib.attrsets.attrByPath [ "net" "ips" ] [ ] machine
109 ++ lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ ] machine;
110
111 /**
112 Generate host configuration mapping IPs to appropriate hostnames.
113
114 @param machine The machine configuration
115 @return Attribute set mapping IP addresses to corresponding hostnames
116 */
117 hostConfig =
118 machine:
119 builtins.listToAttrs (
120 map
121 (x: {
122 name = x;
123 value =
124 if (lib.strings.hasPrefix "10.100" x) then
125 builtins.filter (n: lib.strings.hasSuffix ".vpn" n) machine.net.names
126 else if (lib.strings.hasPrefix "192.168" x) then
127 builtins.filter (n: lib.strings.hasSuffix ".home" n) machine.net.names
128 else
129 [ ];
130 })
131 (
132 lib.attrsets.attrByPath [ "net" "ips" ] [ ] machine
133 ++ lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ ] machine
134 )
135 );
136
137 /**
138 Generate SSH configuration for a machine.
139
140 @param machine The machine configuration
141 @return Attribute set of SSH host configurations with hostnames, identity settings, etc.
142 */
143 sshConfig =
144 machine:
145 builtins.listToAttrs (
146 map
147 (x: {
148 name = x;
149 value = {
150 hostname =
151 if (lib.strings.hasSuffix ".vpn" x) then
152 builtins.head machine.net.vpn.ips
153 else if (lib.strings.hasSuffix ".home" x) then
154 builtins.head machine.net.ips
155 else
156 # .sbr.pm uses the hostname directly (DNS resolution)
157 x;
158 forwardAgent = false;
159 # Use FIDO2 homelab key for all homelab hosts
160 identityFile = "~/.ssh/id_homelab_sk";
161 identitiesOnly = true;
162 # Disable IdentityAgent only for aomi.home (prevents yubikey prompts in TRAMP)
163 extraOptions = lib.optionalAttrs (x == "aomi.home") {
164 IdentityAgent = "none";
165 };
166 };
167 })
168 (
169 builtins.filter (
170 x:
171 (lib.strings.hasSuffix ".home" x)
172 || (lib.strings.hasSuffix ".vpn" x)
173 || (lib.strings.hasSuffix ".sbr.pm" x)
174 ) (sshHostIdentifier machine)
175 )
176 );
177
178 /**
179 Return a list of wireguard ips from a list of ips.
180
181 Essentially, it will append /32 to each element of the list.
182
183 @param ips List of IP addresses
184 @return List of IP addresses with /32 suffix for wireguard configuration
185 */
186 wg-ips = ips: builtins.map (x: "${x}/32") ips;
187
188 /**
189 Generate Wireguard peer configurations from a set of machines.
190
191 @param machines The set of all machines
192 @return List of wireguard peer configurations with allowedIPs and publicKey
193 */
194 generateWireguardPeers =
195 machines:
196 lib.attrsets.attrValues (
197 lib.attrsets.mapAttrs
198 (_name: value: {
199 allowedIPs = value.net.vpn.ips;
200 publicKey = value.net.vpn.pubkey;
201 })
202 (
203 lib.attrsets.filterAttrs (
204 name: value: name != "kerkouane" && (hasVPNPublicKey value) && (hasVPNips value)
205 ) machines
206 )
207 );
208
209 /**
210 Generate Syncthing folder configurations for the current machine.
211
212 @param hostname The current hostname
213 @param machine The current machine configuration
214 @param machines The set of all machines
215 @param folders The folder definitions
216 @return Attribute set of syncthing folder configurations
217 */
218 generateSyncthingFolders =
219 hostname: machine: machines: folders:
220 let
221 # Default ignore patterns applied to all folders unless overridden
222 defaultIgnores = [
223 "(?d).DS_Store" # macOS metadata files
224 "(?d).localized" # macOS localized folder names
225 "(?d)Thumbs.db" # Windows thumbnails
226 "(?d)desktop.ini" # Windows folder config
227 "*.tmp" # Temporary files
228 "~*" # Backup files
229 ".~lock.*" # LibreOffice lock files
230 ];
231 in
232 lib.attrsets.mapAttrs' (
233 name: value:
234 lib.attrsets.nameValuePair (syncthingFolderPath name value folders) {
235 inherit (folders."${name}") id;
236 label = name;
237 devices = lib.attrsets.mapAttrsToList (n: _v: n) (
238 syncthingMachinesWithFolder hostname name machines
239 );
240 rescanIntervalS = 3600 * 6; # TODO: make it configurable
241 # Apply default ignores if not specified in globals
242 ignores = folders."${name}".ignores or defaultIgnores;
243 # Pass through versioning configuration if present
244 versioning = folders."${name}".versioning or null;
245 }
246 ) (lib.attrsets.attrByPath [ "syncthing" "folders" ] { } machine);
247
248 /**
249 Generate Syncthing device configurations for all machines except the current one.
250
251 @param hostname The current hostname to exclude
252 @param machines The set of all machines
253 @return Attribute set of syncthing device configurations with IDs and addresses
254 */
255 generateSyncthingDevices =
256 hostname: machines:
257 lib.attrsets.mapAttrs
258 (_name: value: {
259 inherit (value.syncthing) id;
260 addresses = generateSyncthingAdresses value;
261 })
262 (
263 lib.attrsets.filterAttrs (
264 name: value: hasSyncthingFolders value && !(isCurrentHost hostname name)
265 ) machines
266 );
267
268 /**
269 Generate Syncthing GUI address for a machine.
270
271 @param machine The machine configuration
272 @return String in format "IP:8384" for accessing Syncthing GUI
273 */
274 syncthingGuiAddress =
275 machine:
276 (builtins.head (lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ "127.0.0.1" ] machine)) + ":8384";
277
278 /**
279 Generate SSH known_hosts entries for all machines with SSH host keys.
280
281 @param machines The set of all machines
282 @return String containing SSH known_hosts entries
283 */
284 sshKnownHosts =
285 machines:
286 lib.strings.concatStringsSep "\n" (
287 lib.attrsets.mapAttrsToList (
288 _name: value: "${lib.strings.concatStringsSep "," (sshHostIdentifier value)} ${value.ssh.hostKey}"
289 ) (lib.attrsets.filterAttrs (_name: hasSSHHostKeys) machines)
290 );
291
292 /**
293 Merge host configurations from all machines.
294
295 @param machines The set of all machines
296 @return Merged attribute set of all host configurations
297 */
298 hostConfigs =
299 machines: lib.attrsets.mergeAttrsList (lib.attrsets.mapAttrsToList (_name: hostConfig) machines);
300
301 /**
302 Generate and merge SSH configurations from all machines.
303
304 @param machines The set of all machines
305 @return Merged attribute set of all SSH configurations
306 */
307 sshConfigs =
308 machines:
309 lib.attrsets.mergeAttrsList (
310 lib.attrsets.mapAttrsToList (_name: sshConfig) (
311 lib.attrsets.filterAttrs (_name: _value: true) machines
312 )
313 );
314
315 /**
316 Create service defaults for media/homelab services.
317
318 Common pattern for services that run as a specific user/group with firewall access.
319
320 @param user The user to run the service as (default: "vincent")
321 @param group The group to run the service as (default: "users")
322 @param openFirewall Whether to open firewall for the service (default: true)
323 @return Attribute set with user, group, and openFirewall settings
324 */
325 mkServiceDefaults =
326 {
327 user ? "vincent",
328 group ? "users",
329 openFirewall ? true,
330 }:
331 {
332 inherit user group openFirewall;
333 };
334
335 /**
336 Create a Samba share configuration with common defaults.
337
338 Standard configuration for public, writable shares with guest access.
339
340 @param name The name of the share
341 @param path The filesystem path to share
342 @param user The user for force user/group (default: "vincent")
343 @param group The group for force user/group (default: "users")
344 @param readOnly Make the share read-only (default: false)
345 @return Attribute set with complete Samba share configuration
346 */
347 mkSambaShare =
348 {
349 name,
350 path,
351 user ? "vincent",
352 group ? "users",
353 readOnly ? false,
354 }:
355 {
356 inherit path;
357 public = "yes";
358 browseable = "yes";
359 "read only" = if readOnly then "yes" else "no";
360 "guest ok" = "yes";
361 writable = if readOnly then "no" else "yes";
362 comment = if readOnly then "${name} (read-only)" else name;
363 "create mask" = "0644";
364 "directory mask" = "0755";
365 "force user" = user;
366 "force group" = group;
367 };
368in
369{
370 inherit
371 syncthingFolderPath
372 hasSyncthingFolders
373 syncthingMachinesWithFolder
374 generateSyncthingAdresses
375 isCurrentHost
376 hasVPNPublicKey
377 hasVPNips
378 hasIps
379 hasSSHHostKeys
380 sshHostIdentifier
381 sshConfig
382 hostConfig
383 wg-ips
384 generateWireguardPeers
385 generateSyncthingFolders
386 generateSyncthingDevices
387 syncthingGuiAddress
388 sshKnownHosts
389 hostConfigs
390 sshConfigs
391 mkServiceDefaults
392 mkSambaShare
393 ;
394}