flake-update-20260505
1{ lib }:
2let
3 /**
4 Check if the given name matches the current hostname.
5
6 @param hostname The current hostname to compare against
7 @param n The name to check
8 @return true if n equals hostname, false otherwise
9 */
10 isCurrentHost = hostname: n: n == hostname;
11
12 /**
13 Check if a host has a VPN public key configured.
14
15 @param host The host configuration to check
16 @return true if host has a non-empty VPN public key, false otherwise
17 */
18 hasVPNPublicKey = host: (lib.attrsets.attrByPath [ "net" "vpn" "pubkey" ] "" host) != "";
19
20 /**
21 Check if a host has VPN IP addresses configured.
22
23 @param host The host configuration to check
24 @return true if host has at least one VPN IP address, false otherwise
25 */
26 hasVPNips = host: (builtins.length (lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ ] host)) > 0;
27
28 /**
29 Check if a host has network IP addresses configured.
30
31 @param host The host configuration to check
32 @return true if host has at least one VPN IP address, false otherwise
33 */
34 hasIps = host: (builtins.length (lib.attrsets.attrByPath [ "net" "ips" ] [ ] host)) > 0;
35
36 /**
37 Return true if the given host has a list of Syncthing folder configured.
38
39 @param host The host configuration to check
40 @return true if host has syncthing folders configured, false otherwise
41 */
42 hasSyncthingFolders =
43 host:
44 builtins.hasAttr "syncthing" host
45 && builtins.hasAttr "folders" host.syncthing
46 && (builtins.length (lib.attrsets.attrValues host.syncthing.folders)) > 0;
47
48 /**
49 Check if a host has SSH host keys configured.
50
51 @param host The host configuration to check
52 @return true if host has SSH host keys, false otherwise
53 */
54 hasSSHHostKeys = host: builtins.hasAttr "ssh" host && builtins.hasAttr "hostKey" host.ssh;
55
56 /**
57 Get the path for the given folder, either using the host specified path or the default one.
58
59 @param name The folder name
60 @param folder The folder configuration
61 @param folders The complete folders configuration
62 @return The path for the folder
63 */
64 syncthingFolderPath =
65 name: folder: folders:
66 lib.attrsets.attrByPath [ "path" ] folders."${name}".path folder;
67
68 /**
69 Filter machines with the given syncthing folder.
70
71 @param hostname The current hostname to exclude from results
72 @param folderName The folder name to filter by
73 @param machines The set of all machines
74 @return Filtered set of machines that have the specified folder and are not the current host
75 */
76 syncthingMachinesWithFolder =
77 hostname: folderName: machines:
78 lib.attrsets.filterAttrs (
79 name: value:
80 hasSyncthingFolders value
81 && !(isCurrentHost hostname name)
82 && (builtins.hasAttr folderName value.syncthing.folders)
83 ) machines;
84
85 /**
86 Generate Syncthing addresses for a machine from its network configuration.
87
88 @param machine The machine configuration
89 @return List of TCP addresses (ips, vpn ips, and names) prefixed with "tcp://"
90 */
91 generateSyncthingAdresses =
92 machine:
93 builtins.map (x: "tcp://${x}") (
94 lib.attrsets.attrByPath [ "net" "ips" ] [ ] machine
95 ++ lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ ] machine
96 ++ lib.attrsets.attrByPath [ "net" "names" ] [ ] machine
97 );
98
99 /**
100 Get SSH host identifiers for a machine (names, IPs, and VPN IPs).
101
102 @param machine The machine configuration
103 @return List of all network identifiers for the machine
104 */
105 sshHostIdentifier =
106 machine:
107 lib.attrsets.attrByPath [ "net" "names" ] [ ] machine
108 ++ lib.attrsets.attrByPath [ "net" "ips" ] [ ] machine
109 ++ lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ ] machine;
110
111 /**
112 Generate host configuration mapping IPs to appropriate hostnames.
113
114 @param machine The machine configuration
115 @return Attribute set mapping IP addresses to corresponding hostnames
116 */
117 hostConfig =
118 machine:
119 builtins.listToAttrs (
120 map
121 (x: {
122 name = x;
123 value =
124 if (lib.strings.hasPrefix "10.100" x) then
125 builtins.filter (n: lib.strings.hasSuffix ".vpn" n) machine.net.names
126 else if (lib.strings.hasPrefix "192.168" x) then
127 builtins.filter (n: lib.strings.hasSuffix ".home" n) machine.net.names
128 else
129 [ ];
130 })
131 (
132 lib.attrsets.attrByPath [ "net" "ips" ] [ ] machine
133 ++ lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ ] machine
134 )
135 );
136
137 /**
138 Generate SSH configuration for a machine.
139
140 @param machine The machine configuration
141 @return Attribute set of SSH host configurations with hostnames, identity settings, etc.
142 */
143 sshConfig =
144 machine:
145 builtins.listToAttrs (
146 map
147 (x: {
148 name = x;
149 value = {
150 hostname =
151 if (lib.strings.hasSuffix ".vpn" x) then
152 builtins.head machine.net.vpn.ips
153 else if (lib.strings.hasSuffix ".home" x) then
154 builtins.head machine.net.ips
155 else
156 # .sbr.pm uses the hostname directly (DNS resolution)
157 x;
158 forwardAgent = false;
159 # Use FIDO2 homelab key for all homelab hosts
160 identityFile = "~/.ssh/id_homelab_sk";
161 identitiesOnly = true;
162 # Disable IdentityAgent only for aomi.home (prevents yubikey prompts in TRAMP)
163 extraOptions = lib.optionalAttrs (x == "aomi.home") {
164 IdentityAgent = "none";
165 };
166 };
167 })
168 (
169 builtins.filter (
170 x:
171 (lib.strings.hasSuffix ".home" x)
172 || (lib.strings.hasSuffix ".vpn" x)
173 || (lib.strings.hasSuffix ".sbr.pm" x)
174 ) (sshHostIdentifier machine)
175 )
176 );
177
178 /**
179 Return a list of wireguard ips from a list of ips.
180
181 Essentially, it will append /32 to each element of the list.
182
183 @param ips List of IP addresses
184 @return List of IP addresses with /32 suffix for wireguard configuration
185 */
186 wg-ips = ips: builtins.map (x: "${x}/32") ips;
187
188 /**
189 Generate Wireguard peer configurations from a set of machines.
190
191 @param machines The set of all machines
192 @return List of wireguard peer configurations with allowedIPs and publicKey
193 */
194 generateWireguardPeers =
195 machines:
196 lib.attrsets.attrValues (
197 lib.attrsets.mapAttrs
198 (_name: value: {
199 allowedIPs = value.net.vpn.ips;
200 publicKey = value.net.vpn.pubkey;
201 })
202 (
203 lib.attrsets.filterAttrs (
204 name: value:
205 name != "kerkouane" && name != "carthage" && (hasVPNPublicKey value) && (hasVPNips value)
206 ) machines
207 )
208 );
209
210 /**
211 Generate Syncthing folder configurations for the current machine.
212
213 @param hostname The current hostname
214 @param machine The current machine configuration
215 @param machines The set of all machines
216 @param folders The folder definitions
217 @return Attribute set of syncthing folder configurations
218 */
219 generateSyncthingFolders =
220 hostname: machine: machines: folders:
221 let
222 # Default ignore patterns applied to all folders unless overridden
223 defaultIgnores = [
224 "(?d).DS_Store" # macOS metadata files
225 "(?d).localized" # macOS localized folder names
226 "(?d)Thumbs.db" # Windows thumbnails
227 "(?d)desktop.ini" # Windows folder config
228 "*.tmp" # Temporary files
229 "~*" # Backup files
230 ".~lock.*" # LibreOffice lock files
231 ];
232 in
233 lib.attrsets.mapAttrs' (
234 name: value:
235 lib.attrsets.nameValuePair (syncthingFolderPath name value folders) {
236 inherit (folders."${name}") id;
237 label = name;
238 devices = lib.attrsets.mapAttrsToList (n: _v: n) (
239 syncthingMachinesWithFolder hostname name machines
240 );
241 rescanIntervalS = 3600 * 6; # TODO: make it configurable
242 # Apply default ignores if not specified in globals
243 ignores = folders."${name}".ignores or defaultIgnores;
244 # Pass through versioning configuration if present
245 versioning = folders."${name}".versioning or null;
246 }
247 ) (lib.attrsets.attrByPath [ "syncthing" "folders" ] { } machine);
248
249 /**
250 Generate Syncthing device configurations for all machines except the current one.
251
252 @param hostname The current hostname to exclude
253 @param machines The set of all machines
254 @return Attribute set of syncthing device configurations with IDs and addresses
255 */
256 generateSyncthingDevices =
257 hostname: machines:
258 lib.attrsets.mapAttrs
259 (_name: value: {
260 inherit (value.syncthing) id;
261 addresses = generateSyncthingAdresses value;
262 })
263 (
264 lib.attrsets.filterAttrs (
265 name: value: hasSyncthingFolders value && !(isCurrentHost hostname name)
266 ) machines
267 );
268
269 /**
270 Generate Syncthing GUI address for a machine.
271
272 @param machine The machine configuration
273 @return String in format "IP:8384" for accessing Syncthing GUI
274 */
275 syncthingGuiAddress =
276 machine:
277 (builtins.head (lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ "127.0.0.1" ] machine)) + ":8384";
278
279 /**
280 Generate SSH known_hosts entries for all machines with SSH host keys.
281
282 @param machines The set of all machines
283 @return String containing SSH known_hosts entries
284 */
285 sshKnownHosts =
286 machines:
287 lib.strings.concatStringsSep "\n" (
288 lib.attrsets.mapAttrsToList (
289 _name: value: "${lib.strings.concatStringsSep "," (sshHostIdentifier value)} ${value.ssh.hostKey}"
290 ) (lib.attrsets.filterAttrs (_name: hasSSHHostKeys) machines)
291 );
292
293 /**
294 Merge host configurations from all machines.
295
296 @param machines The set of all machines
297 @return Merged attribute set of all host configurations
298 */
299 hostConfigs =
300 machines: lib.attrsets.mergeAttrsList (lib.attrsets.mapAttrsToList (_name: hostConfig) machines);
301
302 /**
303 Generate and merge SSH configurations from all machines.
304
305 @param machines The set of all machines
306 @return Merged attribute set of all SSH configurations
307 */
308 sshConfigs =
309 machines:
310 lib.attrsets.mergeAttrsList (
311 lib.attrsets.mapAttrsToList (_name: sshConfig) (
312 lib.attrsets.filterAttrs (_name: _value: true) machines
313 )
314 );
315
316 /**
317 Create service defaults for media/homelab services.
318
319 Common pattern for services that run as a specific user/group with firewall access.
320
321 @param user The user to run the service as (default: "vincent")
322 @param group The group to run the service as (default: "users")
323 @param openFirewall Whether to open firewall for the service (default: true)
324 @return Attribute set with user, group, and openFirewall settings
325 */
326 mkServiceDefaults =
327 {
328 user ? "vincent",
329 group ? "users",
330 openFirewall ? true,
331 }:
332 {
333 inherit user group openFirewall;
334 };
335
336 /**
337 Create a Samba share configuration with common defaults.
338
339 Standard configuration for public, writable shares with guest access.
340
341 @param name The name of the share
342 @param path The filesystem path to share
343 @param user The user for force user/group (default: "vincent")
344 @param group The group for force user/group (default: "users")
345 @param readOnly Make the share read-only (default: false)
346 @return Attribute set with complete Samba share configuration
347 */
348 mkSambaShare =
349 {
350 name,
351 path,
352 user ? "vincent",
353 group ? "users",
354 readOnly ? false,
355 }:
356 {
357 inherit path;
358 public = "yes";
359 browseable = "yes";
360 "read only" = if readOnly then "yes" else "no";
361 "guest ok" = "yes";
362 writable = if readOnly then "no" else "yes";
363 comment = if readOnly then "${name} (read-only)" else name;
364 "create mask" = "0644";
365 "directory mask" = "0755";
366 "force user" = user;
367 "force group" = group;
368 };
369in
370{
371 inherit
372 syncthingFolderPath
373 hasSyncthingFolders
374 syncthingMachinesWithFolder
375 generateSyncthingAdresses
376 isCurrentHost
377 hasVPNPublicKey
378 hasVPNips
379 hasIps
380 hasSSHHostKeys
381 sshHostIdentifier
382 sshConfig
383 hostConfig
384 wg-ips
385 generateWireguardPeers
386 generateSyncthingFolders
387 generateSyncthingDevices
388 syncthingGuiAddress
389 sshKnownHosts
390 hostConfigs
391 sshConfigs
392 mkServiceDefaults
393 mkSambaShare
394 ;
395}