Commit 3efd043b508d

Vincent Demeester <vincent@sbr.pm>
2020-06-03 15:33:52
systems: fix wireguard configuration…
Using the `optional(s)` functions is awesome 💃 Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent ea23657
Changed files (2)
systems/hokkaido.nix
@@ -1,31 +1,37 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
 
+with lib;
+let
+  hostname = "hokkaido";
+  secretPath = ../secrets/machines.nix;
+  secretCondition = (builtins.pathExists secretPath);
+
+  ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+  ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+  endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+  endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+  endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+in
 {
   imports = [
-    # hardware
     ../hardware/thinkpad-x220.nix
-    # modules
     ../modules
-    # users
     (import ../users).vincent
     (import ../users).root
   ];
 
-  fileSystems."/" =
-    {
-      device = "/dev/disk/by-uuid/884a3d57-f652-49b2-9c8b-f6eebd5edbeb";
-      fsType = "ext4";
-    };
-  fileSystems."/boot" =
-    {
-      device = "/dev/disk/by-uuid/C036-34B9";
-      fsType = "vfat";
-    };
-  swapDevices =
-    [{ device = "/dev/disk/by-uuid/e1833693-77ac-4d52-bcc7-54d082788639"; }];
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/884a3d57-f652-49b2-9c8b-f6eebd5edbeb";
+    fsType = "ext4";
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/C036-34B9";
+    fsType = "vfat";
+  };
+  swapDevices = [{ device = "/dev/disk/by-uuid/e1833693-77ac-4d52-bcc7-54d082788639"; }];
 
   networking = {
-    hostName = "hokkaido";
+    hostName = hostname;
   };
 
   profiles = {
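Review bot: The new `let` block evaluates `(import secretPath)` four separate times (the `ip`, `endpointIP`, `endpointPort` and `endpointPublicKey` bindings), and each of those lines repeats the same `secretCondition` guard. Since Nix `let` bindings are lazy, the import can be bound once without changing when the file is read: add `secrets = import secretPath;` after `secretCondition` and replace each `(import secretPath)` with `secrets` — `optionalString secretCondition …` still never forces the import when the file is absent. Note also that the fallbacks chosen for a missing secrets file (`""` for the endpoint and public key, `0` for the port) are not valid WireGuard values, so anything consuming them later will see a bogus peer rather than "no peer"; a short comment such as `# placeholders only; wireguard must not be enabled without the secrets file` would make that contract visible. The attribute set opened at the `{` after `in` continues past the end of this hunk.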
@@ -34,11 +40,21 @@
     git.enable = true;
     ssh.enable = true;
     dev.enable = true;
-    users.enable = false;
     yubikey.enable = true;
+    # FIXME remove the need for it
+    users.enable = false;
   };
 
-  services.fprintd.enable = true;
+  services = {
+    fprintd.enable = true;
+    wireguard = {
+      enable = true;
+      ips = ips;
+      endpoint = endpointIP;
+      endpointPort = endpointPort;
+      endpointPublicKey = endpointPublicKey;
+    };
+  };
 
   virtualisation.containers = {
     enable = true;
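Review bot: `wireguard.enable = true` is unconditional, while every value passed next to it is a placeholder whenever `../secrets/machines.nix` is missing: `ips = []`, `endpoint = ""`, `endpointPort = 0`, `endpointPublicKey = ""`. A build on a machine without the secrets file (the `secretCondition` guard exists precisely for that case) would therefore still try to bring up a tunnel with an empty endpoint and peer key; gate the service on the same condition, `enable = secretCondition;`, so the absence of secrets disables WireGuard explicitly instead of producing a broken peer. The `services.wireguard` options come from the local `../modules`, so whether that module asserts on empty values cannot be seen from this diff. The `services` set is complete in this hunk; `virtualisation.containers` continues outside it.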
systems/wakasu.nix
@@ -1,21 +1,27 @@
 { lib, pkgs, ... }:
+
+with lib;
 let
-  inCi = builtins.pathExists /home/build;
-  enableHome = !inCi;
+  hostname = "wakasu";
+  secretPath = ../secrets/machines.nix;
+  secretCondition = (builtins.pathExists secretPath);
+
+  ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+  ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+  endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+  endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+  endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
 in
 {
   imports = [
-    # hardware
     ../hardware/lenovo-p50.nix
-    # modules
     ../modules
-    # users
     (import ../users).vincent
     (import ../users).root
   ];
 
   networking = {
-    hostName = "wakasu";
+    hostName = hostname;
   };
 
   boot.initrd.luks.devices = {
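Review bot: The `let` block added here is a line-for-line copy of the one in `systems/hokkaido.nix`, differing only in `hostname`, which means the next change to how secrets are read has to be made in every host file. Extracting it into a single function in `../modules` (or next to the secrets file), e.g. `mkWireguardPeer = hostname: { ips = …; endpoint = …; endpointPort = …; endpointPublicKey = …; }`, and calling it from both hosts would keep the two configurations from drifting. Two smaller things: `pkgs` is still in the argument list although nothing in this hunk uses it, and the removed `inCi`/`enableHome` bindings would break evaluation if `enableHome` is still referenced further down in this file, which this diff does not show. The host's attribute set (and the `boot.initrd.luks.devices` set at the bottom) continues past the end of the hunk.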
@@ -30,23 +36,16 @@ in
     };
   };
 
-  fileSystems."/" =
-    {
-      device = "/dev/disk/by-uuid/c44cdfec-b567-4059-8e66-1be8fec6342a";
-      fsType = "ext4";
-      options = [ "noatime" "discard" ];
-    };
-
-  fileSystems."/boot" =
-    {
-      device = "/dev/disk/by-uuid/E974-AB5D";
-      fsType = "vfat";
-    };
-
-  swapDevices =
-    [
-      { device = "/dev/disk/by-uuid/c8c3308a-6ca6-4669-bad3-37a225af4083"; }
-    ];
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/c44cdfec-b567-4059-8e66-1be8fec6342a";
+    fsType = "ext4";
+    options = [ "noatime" "discard" ];
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/E974-AB5D";
+    fsType = "vfat";
+  };
+  swapDevices = [{ device = "/dev/disk/by-uuid/c8c3308a-6ca6-4669-bad3-37a225af4083"; }];
 
   profiles = {
     dev.enable = true;
@@ -56,6 +55,8 @@ in
     ssh = { enable = true; forwardX11 = true; };
     virtualization = { enable = true; nested = true; listenTCP = true; };
     yubikey.enable = true;
+    # FIXME remove the need for it
+    users.enable = false;
   };
   programs = {
     podman.enable = true;
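Review bot: The added `# FIXME remove the need for it` does not say what breaks when `users.enable` is left at its default or what has to change before the override can go, so the next reader cannot tell whether it is still needed. State the reason and the exit condition in the comment itself, along the lines of `# FIXME: users profile disabled on this host because <reason>; remove once <condition>` (the actual reason is not visible in this diff). The `profiles` set begins before this hunk.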
@@ -79,16 +80,13 @@ in
       enable = true;
       devices = [{ device = "/dev/nvme0n1"; }];
     };
-    # FIXME handle secrets
-    /*
     wireguard = {
       enable = true;
-      ips = [ "${wireguard.ips.wakasu}/24" ];
-      endpoint = wg.endpointIP;
-      endpointPort = wg.listenPort;
-      endpointPublicKey = wireguard.kerkouane.publicKey;
+      ips = ips;
+      endpoint = endpointIP;
+      endpointPort = endpointPort;
+      endpointPublicKey = endpointPublicKey;
     };
-    */
     xserver = {
       videoDrivers = [ "nvidia" ];
       dpi = 96;
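Review bot: Dropping the `# FIXME handle secrets` comment and un-commenting the block leaves `enable = true` unconditional, while `ips`, `endpoint`, `endpointPort` and `endpointPublicKey` all collapse to placeholders (`[]`, `""`, `0`, `""`) when `../secrets/machines.nix` is absent — exactly the situation the old FIXME was about. Use `enable = secretCondition;` so a build without the secrets file turns WireGuard off instead of configuring a peer with an empty endpoint and public key. Whether the local `services.wireguard` module rejects those empty values cannot be determined from this diff. The enclosing `services` set starts before this hunk.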