refactor + syncthing

2025-12-20 23:37:05 +01:00 · 2025-12-20 23:37:05 +01:00 · 20472f8d1b
commit 20472f8d1b
parent 0f3e917ba7
7 changed files with 43 additions and 24 deletions
--- a/common/users.nix
+++ b/common/users.nix
@ -22,7 +22,7 @@
      extraGroups = [ "wheel" ];
      shell = pkgs.fish;
      packages = [ ];
-      openssh.authorizedKeys.keys = var.ssh-keys.hd;
+      openssh.authorizedKeys.keys = var.ssh-keys.trusted;
      hashedPasswordFile = config.age.secrets.hd-password.path;
    };
    users.root = {
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@ -13,6 +13,7 @@
    ./hardware-configuration.nix
    ./networking.nix
    ./services.nix
+    ./syncthing.nix
  ];

  boot = {
--- a/host/roam/syncthing.nix
+++ b/host/roam/syncthing.nix
@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.syncthing = {
+    enable = false; # TODO
+  };
+}
--- a/var/default.nix
+++ b/var/default.nix
@ -1,11 +1,13 @@
-{ lib, ... }@inp:
+{ lib, ... }@inputs:
 let
-  files = [
-    "lan-dns"
-    "ssh-keys"
-    "wg"
-  ];
-  import_file = name: { ${name} = import ./${name}.nix (inp // { inherit var; }); };
-  var = lib.foldl' (a: b: a // b) { } (map import_file files);
+  inputs' = inputs // {
+    var = outputs;
+  };
+  # watch out for cycles
+  outputs = {
+    "lan-dns" = import ./lan-dns.nix inputs';
+    "ssh-keys" = import ./ssh-keys.nix inputs';
+    "wg" = import ./wg.nix inputs';
+  };
 in
-var
+outputs
--- a/var/lan-dns.nix
+++ b/var/lan-dns.nix
@ -1,3 +1,4 @@
+# Wireguard peers hardcoded in /etc/hosts until I have a nice dns solution
 { lib, var, ... }:
 let
  lan-hosts = lib.mapAttrs' (name: value: {
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
@ -1,19 +1,27 @@
 { lib, ... }:
 let
  mkKeys = k: { by-host = k; } // builtins.mapAttrs (_: lib.attrValues) k;
+  keys = {
+    hd = {
+      "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
+      "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
+      "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
+      "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmxhDwylLlklpgiUWHc0BPSCkNkuAIrXLNOHpAcgXiL";
+    };
+    root = {
+      "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
+      "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
+      "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
+      "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjfPXDS3UvVGXzJYXU8TyP5q0WDzb0anx4Std40AT+j";
+    };
+  };
+  keys' = mkKeys keys;
 in
-
-mkKeys {
-  hd = {
-    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
-    "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
-    "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
-    "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmxhDwylLlklpgiUWHc0BPSCkNkuAIrXLNOHpAcgXiL";
-  };
-  root = {
-    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
-    "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
-    "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
-    "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjfPXDS3UvVGXzJYXU8TyP5q0WDzb0anx4Std40AT+j";
-  };
+keys'
+// {
+  trusted = with keys'.by-host.hd; [
+    solo
+    c2
+    fw
+  ];
 }
--- a/var/wg.nix
+++ b/var/wg.nix
@ -35,6 +35,7 @@ rec {
  };
  keyFile = "/var/secrets/wg.key";

+  # Helper method: `peers-for x` filters out `x` from wireguard-network
  peers-for =
    host:
    map (lib.filterAttrs (n: _: n != "ips")) (