diff --git a/flake.lock b/flake.lock
index 85e397e..97e2db8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -223,7 +223,7 @@
 "niten-doom-config": "niten-doom-config"
 },
 "locked": {
- "narHash": "sha256-LwOAmTxY+qMr6iLedi+ZOOjDQPoALkYOa6fqt6Oz/ew=",
+ "narHash": "sha256-bUeeulkb1X9oZu8fOM35ABq/ib/aJMOoRLJkJ3ww0wM=",
 "path": "./nix-home",
 "type": "path"
 },
@@ -242,7 +242,7 @@
 "ssh-keypairs": "ssh-keypairs"
 },
 "locked": {
- "narHash": "sha256-p257NrEQFyj3GYNy+F9NBzEtOqMdyOsrpwMtnGnrOYc=",
+ "narHash": "sha256-WK+CxCQwHe1o90s0VLiYRQ62KPiDVf3HSpvt8MOBW8o=",
 "path": "/state/secrets",
 "type": "path"
 },
@@ -332,11 +332,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1633366555,
- "narHash": "sha256-xWgLN0MwTbf+mJgbj313KZOoUFvXxo3FNZgXJtUaXeE=",
+ "lastModified": 1633372662,
+ "narHash": "sha256-/SNblv/N9m+We6/GSyu2KU+U+5Ze5FsLkjJEE9lnhaA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "2ba20b2080e9a0f79e1ba55780cfb5dd61c147ce",
+ "rev": "0699530f08290f34c532beedd66046825d9756fa",
 "type": "github"
 },
 "original": {
diff --git a/lib/fudo/dns.nix b/lib/fudo/dns.nix
index 4e4f53e..39c8bb9 100644
--- a/lib/fudo/dns.nix
+++ b/lib/fudo/dns.nix
@@ -1,7 +1,6 @@
 { lib, config, pkgs, ... }:
 with lib;
-
 let
 cfg = config.fudo.dns;
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index 6e68b90..c9cc321 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -4,186 +4,12 @@ with lib;
 let
 mapOptional = f: val: if (val != null) then (f val) else null;
- masterKeyOpts = { ... }: {
- options = with types; {
- key-path = mkOption {
- type = str;
- description = "Path of the host master key file, used to decrypt secrets.";
- };
-
- public-key = mkOption {
- type = str;
- description = "Public key used during deployment to decrypt secrets for the host.";
- };
- };
- };
-
- hostOpts = { hostname, ... }: {
- options = with types; {
- master-key = mkOption {
- type = nullOr (submodule masterKeyOpts);
- description = "Public key for the host master key, used by the host to decrypt secrets.";
- default = null;
- };
-
- domain = mkOption {
- type = str;
- description =
- "Primary domain to which the host belongs, in the form of a domain name.";
- default = "fudo.org";
- };
-
- extra-domains = mkOption {
- type = listOf str;
- description = "Extra domain in which this host is reachable.";
- default = [ ];
- };
-
- aliases = mkOption {
- type = listOf str;
- description =
- "Host aliases used by the current host. Note this will be multiplied with extra-domains.";
- default = [ ];
- };
-
- site = mkOption {
- type = str;
- description = "Site at which the host is located.";
- };
-
- local-networks = mkOption {
- type = listof str;
- description =
- "A list of networks to be considered trusted by this host.";
- default = [ "127.0.0.0/8" ];
- };
-
- profile = mkOption {
- type = listOf (enumOf (attrNames config.fudo.profiles));
- description =
- "The profile to be applied to the host, determining what software is included.";
- };
-
- admin-email = mkOption {
- type = nullOr str;
- description = "Email for the administrator of this host.";
- default = null;
- };
-
- local-users = mkOption {
- type = listOf str;
- description =
- "List of users who should have local (i.e. 
login) access to the host.";
- default = [ ];
- };
-
- description = mkOption {
- type = str;
- description = "Description of this host.";
- default = "Another Fudo Host.";
- };
-
- local-admins = mkOption {
- type = listOf str;
- description =
- "A list of users who should have admin access to this host.";
- default = [ ];
- };
-
- local-groups = mkOption {
- type = listOf str;
- description = "List of groups which should exist on this host.";
- default = [ ];
- };
-
- ssh-fingerprints = mkOption {
- type = listOf str;
- description = ''
- A list of DNS SSHFP records for this host. Get with `ssh-keygen -r `
- '';
- default = [ ];
- };
-
- rp = mkOption {
- type = nullOr str;
- description = "Responsible person.";
- default = null;
- };
-
- tmp-on-tmpfs = mkOption {
- type = bool;
- description =
- "Use tmpfs for /tmp. Great if you've got enough (>16G) RAM.";
- default = true;
- };
-
- enable-gui = mkEnableOption "Install desktop GUI software.";
-
- docker-server = mkEnableOption "Enable Docker on the current host.";
-
- kerberos-services = mkOption {
- type = listOf str;
- description =
- "List of services which should exist for this host, if it belongs to a realm.";
- default = [ "ssh" "host" ];
- };
-
- ssh-pubkeys = mkOption {
- type = listOf path;
- description =
- "SSH key files of the host.";
- default = [];
- };
-
- build-pubkeys = mkOption {
- type = listOf str;
- description = "SSH public keys used to access the build server.";
- default = [ ];
- };
-
- external-interfaces = mkOption {
- type = listOf str;
- description = "A list of interfaces on which to enable the firewall.";
- default = [ ];
- };
-
- keytab-secret-file = mkOption {
- type = nullOr str;
- description = "Keytab from which to create a keytab secret.";
- default = null;
- };
-
- keep-cool = mkOption {
- type = bool;
- description = "A host that tends to overheat. 
Try to keep it cooler.";
- default = false;
- };
-
- nixos-system = mkOption {
- type = bool;
- description = "Whether the host is a NixOS system.";
- default = true;
- };
-
- arch = mkOption {
- type = str;
- description = "System architecture of the system.";
- };
-
- machine-id = mkOption {
- type = nullOr str;
- description = "Machine id of the system. See: man machine-id.";
- default = null;
- };
-
- android-dev = mkEnableOption "Enable ADB on the host.";
- };
- };
+ host = import ../types/host.nix { inherit lib; };
 in {
 options.fudo.hosts = with types; mkOption {
- type = attrsOf (submodule hostOpts);
+ type = attrsOf (submodule host.hostOpts);
 description = "Host configurations for all hosts known to the system.";
 default = { };
 };
diff --git a/lib/fudo/local-network.nix b/lib/fudo/local-network.nix
index 931536d..55421b9 100644
--- a/lib/fudo/local-network.nix
+++ b/lib/fudo/local-network.nix
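Review bot: The new `host = import ../types/host.nix { inherit lib; };` passes only `lib`, so the host type can no longer see `config.fudo.profiles`; the removed `profile` option derived its enum from `attrNames config.fudo.profiles`, while the new lib/types/host.nix hard-codes `enum ["desktop" "server" "laptop"]`. As far as I know `types.enumOf` is not a nixpkgs type, so the old expression probably never evaluated, but the replacement silently drops the link between a host's declared profile and the profiles actually defined. A cheap way to keep that check without pulling `config` into the type file is to pass the names in: `host = import ../types/host.nix { inherit lib; profiles = attrNames config.fudo.profiles; };`, with host.nix taking `{ lib, profiles ? [ "desktop" "server" "laptop" ], ... }:` and using `type = listOf (enum profiles);`. Alternatively an `assertions` entry in this module checking every host's `profile` against `config.fudo.profiles` gives the same guarantee with a clearer error. The module's outer attribute set closes outside the hunk.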
@@ -108,20 +108,20 @@ in {
 interfaces = cfg.dhcp-interfaces;
 extraConfig = ''
- subnet ${lib.fudo.ip.getNetworkBase cfg.network} netmask ${
- lib.fudo.ip.maskFromV32Network cfg.network
+ subnet ${pkgs.lib.fudo.ip.getNetworkBase cfg.network} netmask ${
+ pkgs.lib.fudo.ip.maskFromV32Network cfg.network
 } {
 authoritative;
- option subnet-mask ${lib.fudo.ip.maskFromV32Network cfg.network};
- option broadcast-address ${lib.fudo.ip.networkMaxIp cfg.network};
+ option subnet-mask ${pkgs.lib.fudo.ip.maskFromV32Network cfg.network};
+ option broadcast-address ${pkgs.lib.fudo.ip.networkMaxIp cfg.network};
 option routers ${cfg.gateway};
 option domain-name-servers ${concatStringsSep " " cfg.dns-servers};
 option domain-name "${cfg.domain}";
 option domain-search "${
 concatStringsSep " " ([ cfg.domain ] ++ cfg.search-domains)
 }";
- range ${lib.fudo.ip.networkMinIp cfg.dhcp-dynamic-network} ${
- lib.fudo.ip.networkMaxButOneIp cfg.dhcp-dynamic-network
+ range ${pkgs.lib.fudo.ip.networkMinIp cfg.dhcp-dynamic-network} ${
+ pkgs.lib.fudo.ip.networkMaxButOneIp cfg.dhcp-dynamic-network
 };
 }
 '';
@@ -223,7 +223,7 @@ in {
 ${join-lines (mapAttrsToList hostSshFpRecords network.hosts)}
 ${join-lines (mapAttrsToList cnameRecord network.aliases)}
 ${join-lines network.verbatim-dns-records}
- ${lib.fudo.dns.srvRecordsToBindZone network.srv-records}
+ ${pkgs.lib.fudo.dns.srvRecordsToBindZone network.srv-records}
 '';
 }] ++ blockZones;
 };
diff --git a/lib/instance.nix b/lib/instance.nix
index aff0b7b..03e2a22 100644
--- a/lib/instance.nix
+++ b/lib/instance.nix
@@ -3,6 +3,7 @@ with lib;
 let
 user = import ./types/user.nix { inherit lib; };
+ host = import ./types/host.nix { inherit lib; };
 in {
 options.instance = with types; {
@@ -37,7 +38,7 @@ in {
 };
 local-hosts = mkOption {
- type = listOf str;
+ type = listOf (submodule host.hostOpts);
 description = "List of hosts that should be considered local to the current host.";
 };
diff --git a/lib/ip.nix b/lib/ip.nix
index 0fd7881..0b7667b 100644
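Review bot: The switch from `lib.fudo.ip` to `pkgs.lib.fudo.ip` inside the `extraConfig` template (and to `pkgs.lib.fudo.dns` in the zone hunk at -223) is not explained anywhere in the file, and the same template keeps taking `concatStringsSep` from the module `lib`, so a reader now sees two `lib` instances in one attribute. I infer from the lib/overlay.nix hunk, which attaches `fudo` to `prev.lib`, that the helpers are reachable only through the overlaid package set; a one-line comment above `extraConfig` such as `# fudo helpers are added by lib/overlay.nix, so they live on pkgs.lib, not on the module lib` would stop the next maintainer from "simplifying" this back. Binding the helper once in the file's `let` (outside this hunk), e.g. `fudo-ip = pkgs.lib.fudo.ip;`, would also trim the seven repeated `pkgs.lib.fudo.ip.` prefixes. The enclosing dhcpd attribute set begins before the hunk.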
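Review bot: Changing `local-hosts` from `listOf str` to `listOf (submodule host.hostOpts)` turns every element into a full host definition, and `hostOpts` in lib/types/host.nix declares `site`, `arch` and `profile` without defaults, so any existing configuration that lists plain hostnames now fails evaluation, and a list element carries no attribute name to say which host is incomplete. The description still reads `"List of hosts that should be considered local to the current host."`, which suggests names; consider `description = "Host definitions (see lib/types/host.nix) for the hosts considered local to the current host; site, arch and profile are required for each.";`. If the intent is only to refer to hosts already declared in `fudo.hosts`, keeping `listOf str` and resolving the names against that attribute set would be the smaller change. The `options.instance` set continues outside the hunk.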
--- a/lib/ip.nix
+++ b/lib/ip.nix
@@ -2,8 +2,6 @@ with lib;
 let
- joinString = concatStringsSep;
-
 pow = x: e: if (e == 0) then 1 else x * (pow x (e - 1));
 generateNBits = n:
@@ -17,7 +15,7 @@ let
 rightPadBits = int: bits: bitOr int (generateNBits bits);
- reverseIpv4 = ip: joinString "." (reverseList (splitString "." ip));
+ reverseIpv4 = ip: concatStringsSep "." (reverseList (splitString "." ip));
 intToBinaryList = int:
 let
@@ -41,7 +39,7 @@ in rec {
 in foldr (a: b: a + b) 0 (imap0 (i: el: (leftShift el (i * 8))) els);
 intToIpv4 = int:
- joinString "."
+ concatStringsSep "."
 (map (i: toString (bitAnd (rightShift int (i * 8)) 255)) [ 3 2 1 0 ]);
 maskFromV32Network = network:
diff --git a/lib/overlay.nix b/lib/overlay.nix
index 4f3cf47..ab20609 100644
--- a/lib/overlay.nix
+++ b/lib/overlay.nix
@@ -1,6 +1,6 @@
 (final: prev: let
- ip = import ./lib/ip.nix { lib = prev; };
- dns = import ./lib/dns.nix { lib = prev; };
+ ip = import ./ip.nix { lib = prev.lib; };
+ dns = import ./dns.nix { lib = prev.lib; };
 in { lib = prev.lib // { fudo = {
diff --git a/lib/types/host.nix b/lib/types/host.nix
new file mode 100644
index 0000000..3a2435c
--- /dev/null
+++ b/lib/types/host.nix
@@ -0,0 +1,180 @@
+{ lib, ... }:
+
+with lib;
+rec {
+ masterKeyOpts = { ... }: {
+ options = with types; {
+ key-path = mkOption {
+ type = str;
+ description = "Path of the host master key file, used to decrypt secrets.";
+ };
+
+ public-key = mkOption {
+ type = str;
+ description = "Public key used during deployment to decrypt secrets for the host.";
+ };
+ };
+ };
+
+ hostOpts = { hostname, ... }: {
+ options = with types; {
+ master-key = mkOption {
+ type = nullOr (submodule masterKeyOpts);
+ description = "Public key for the host master key, used by the host to decrypt secrets.";
+ default = null;
+ };
+
+ domain = mkOption {
+ type = str;
+ description =
+ "Primary domain to which the host belongs, in the form of a domain name.";
+ default = "fudo.org";
+ };
+
+ extra-domains = mkOption {
+ type = listOf str;
+ description = "Extra domain in which this host is reachable.";
+ default = [ ];
+ };
+
+ aliases = mkOption {
+ type = listOf str;
+ description =
+ "Host aliases used by the current host. Note this will be multiplied with extra-domains.";
+ default = [ ];
+ };
+
+ site = mkOption {
+ type = str;
+ description = "Site at which the host is located.";
+ };
+
+ local-networks = mkOption {
+ type = listOf str;
+ description =
+ "A list of networks to be considered trusted by this host.";
+ default = [ "127.0.0.0/8" ];
+ };
+
+ profile = mkOption {
+ type = listOf (enum ["desktop" "server" "laptop"]);
+ description =
+ "The profile to be applied to the host, determining what software is included.";
+ };
+
+ admin-email = mkOption {
+ type = nullOr str;
+ description = "Email for the administrator of this host.";
+ default = null;
+ };
+
+ local-users = mkOption {
+ type = listOf str;
+ description =
+ "List of users who should have local (i.e. 
login) access to the host.";
+ default = [ ];
+ };
+
+ description = mkOption {
+ type = str;
+ description = "Description of this host.";
+ default = "Another Fudo Host.";
+ };
+
+ local-admins = mkOption {
+ type = listOf str;
+ description =
+ "A list of users who should have admin access to this host.";
+ default = [ ];
+ };
+
+ local-groups = mkOption {
+ type = listOf str;
+ description = "List of groups which should exist on this host.";
+ default = [ ];
+ };
+
+ ssh-fingerprints = mkOption {
+ type = listOf str;
+ description = ''
+ A list of DNS SSHFP records for this host. Get with `ssh-keygen -r `
+ '';
+ default = [ ];
+ };
+
+ rp = mkOption {
+ type = nullOr str;
+ description = "Responsible person.";
+ default = null;
+ };
+
+ tmp-on-tmpfs = mkOption {
+ type = bool;
+ description =
+ "Use tmpfs for /tmp. Great if you've got enough (>16G) RAM.";
+ default = true;
+ };
+
+ enable-gui = mkEnableOption "Install desktop GUI software.";
+
+ docker-server = mkEnableOption "Enable Docker on the current host.";
+
+ kerberos-services = mkOption {
+ type = listOf str;
+ description =
+ "List of services which should exist for this host, if it belongs to a realm.";
+ default = [ "ssh" "host" ];
+ };
+
+ ssh-pubkeys = mkOption {
+ type = listOf path;
+ description =
+ "SSH key files of the host.";
+ default = [];
+ };
+
+ build-pubkeys = mkOption {
+ type = listOf str;
+ description = "SSH public keys used to access the build server.";
+ default = [ ];
+ };
+
+ external-interfaces = mkOption {
+ type = listOf str;
+ description = "A list of interfaces on which to enable the firewall.";
+ default = [ ];
+ };
+
+ keytab-secret-file = mkOption {
+ type = nullOr str;
+ description = "Keytab from which to create a keytab secret.";
+ default = null;
+ };
+
+ keep-cool = mkOption {
+ type = bool;
+ description = "A host that tends to overheat. 
Try to keep it cooler.";
+ default = false;
+ };
+
+ nixos-system = mkOption {
+ type = bool;
+ description = "Whether the host is a NixOS system.";
+ default = true;
+ };
+
+ arch = mkOption {
+ type = str;
+ description = "System architecture of the system.";
+ };
+
+ machine-id = mkOption {
+ type = nullOr str;
+ description = "Machine id of the system. See: man machine-id.";
+ default = null;
+ };
+
+ android-dev = mkEnableOption "Enable ADB on the host.";
+ };
+ };
+}
diff --git a/nix-home b/nix-home
index e47f7bf..d40a3ae 160000
--- a/nix-home
+++ b/nix-home
@@ -1 +1 @@
-Subproject commit e47f7bf571ffb300427c3d6855a57b2feb913b4f
+Subproject commit d40a3ae2c6790afbea81a921b15f465ee63b66d7
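Review bot: The `master-key` option is described as `"Public key for the host master key, used by the host to decrypt secrets."`, but its submodule `masterKeyOpts` carries `key-path` (the private key file the host decrypts with) and `public-key` (used at deployment), so the description names only the wrong half; `description = "Host master key: path of the private key the host decrypts secrets with, and the public key used at deployment to encrypt them.";` covers both fields. It is also worth a comment that `key-path` and `keytab-secret-file` are deliberately `str` rather than `path`, because a path literal assigned to a `path` option is copied into the world-readable Nix store when it is coerced to a string — e.g. `# str, not path: a path literal here would copy the secret into the Nix store` above `key-path`; `ssh-pubkeys` as `listOf path` is fine for public material. The `hostname` parameter in `hostOpts = { hostname, ... }:` is unused in the body, and as far as I recall `submodule` supplies `name` rather than `hostname`, so either drop it or document what is expected to provide it.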