diff --git a/common/users.nix b/common/users.nix
index df339df..4ddeb79 100644
--- a/common/users.nix
+++ b/common/users.nix
@@ -22,7 +22,7 @@
 extraGroups = [ "wheel" ];
 shell = pkgs.fish;
 packages = [ ];
- openssh.authorizedKeys.keys = var.ssh-keys.hd;
+ openssh.authorizedKeys.keys = var.ssh-keys.trusted;
 hashedPasswordFile = config.age.secrets.hd-password.path;
 };
 users.root = {
diff --git a/host/roam/default.nix b/host/roam/default.nix
index 59ef5f2..d0f2e25 100644
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@@ -13,6 +13,7 @@
 ./hardware-configuration.nix
 ./networking.nix
 ./services.nix
+ ./syncthing.nix
 ];
 
 boot = {
diff --git a/host/roam/syncthing.nix b/host/roam/syncthing.nix
new file mode 100644
index 0000000..06e6acc
--- /dev/null
+++ b/host/roam/syncthing.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ services.syncthing = {
+ enable = false; # TODO
+ };
+}
diff --git a/var/default.nix b/var/default.nix
index 0413eb8..9eac5c2 100644
--- a/var/default.nix
+++ b/var/default.nix
@@ -1,11 +1,13 @@
-{ lib, ... }@inp:
+{ lib, ... }@inputs:
 let
- files = [
- "lan-dns"
- "ssh-keys"
- "wg"
- ];
- import_file = name: { ${name} = import ./${name}.nix (inp // { inherit var; }); };
- var = lib.foldl' (a: b: a // b) { } (map import_file files);
+ inputs' = inputs // {
+ var = outputs;
+ };
+ # watch out for cycles
+ outputs = {
+ "lan-dns" = import ./lan-dns.nix inputs';
+ "ssh-keys" = import ./ssh-keys.nix inputs';
+ "wg" = import ./wg.nix inputs';
+ };
 in
-var
+outputs
diff --git a/var/lan-dns.nix b/var/lan-dns.nix
index b7aa4d1..2f9e24c 100644
--- a/var/lan-dns.nix
+++ b/var/lan-dns.nix
@@ -1,3 +1,4 @@
+# Wireguard peers hardcoded in /etc/hosts until I have a nice dns solution
 { lib, var, ... }:
 let
 lan-hosts = lib.mapAttrs' (name: value: {
diff --git a/var/ssh-keys.nix b/var/ssh-keys.nix
index fd9e3d5..eb5fbc7 100644
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
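Review bot: Restricting the hd user's `openssh.authorizedKeys.keys` to `var.ssh-keys.trusted` (solo, c2 and fw per var/ssh-keys.nix, roam left out) is only meaningful if root is narrowed the same way, and the `users.root = {` block that begins on the hunk's last line continues outside it, so that cannot be checked here. If root still takes the full `var.ssh-keys.root` set, roam's root key stays authorized on every host and the hd restriction buys nothing, since root can do everything hd can; consider a matching trusted list for root or a note explaining the asymmetry. The line itself deserves a why-comment so nobody "fixes" it back to `.hd`: `# only the hosts in var.ssh-keys.trusted may log in as hd; roam is deliberately excluded`. The user attribute set being edited also starts before the hunk.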
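Review bot: `enable = false; # TODO` in the new host/roam/syncthing.nix records nothing about what is pending, and this is a service that, once enabled on a roaming host, serves a web GUI/API and accepts device connections. Replace the bare tag with a comment that states the intent and the constraints to keep when turning it on, e.g. `# TODO: not configured yet; when enabling, keep the GUI bound to loopback and declare devices/folders explicitly so the daemon only pairs with known peers`. Whether the NixOS module's defaults already satisfy that is not visible from this hunk, so the comment should prompt a check rather than assume it.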
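Review bot: The `# watch out for cycles` comment above the new `outputs` set in var/default.nix names a hazard without saying what triggers it; since `inputs'` hands every file the whole `outputs` set as `var`, a file that forces its own attribute, or two files that force each other, recurses infinitely at evaluation time, and that is the rule a reader needs. Suggest `# Each file receives the whole outputs set as var (lazily), so a file must not force its own attribute, nor one that forces back into it: that is an infinite recursion.` As a point of style, `"lan-dns"`, `"ssh-keys"` and `"wg"` are valid bare Nix attribute names and need no quotes.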
@@ -1,19 +1,27 @@
 { lib, ... }:
 let
 mkKeys = k: { by-host = k; } // builtins.mapAttrs (_: lib.attrValues) k;
+ keys = {
+ hd = {
+ "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
+ "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
+ "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
+ "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmxhDwylLlklpgiUWHc0BPSCkNkuAIrXLNOHpAcgXiL";
+ };
+ root = {
+ "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
+ "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
+ "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
+ "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjfPXDS3UvVGXzJYXU8TyP5q0WDzb0anx4Std40AT+j";
+ };
+ };
+ keys' = mkKeys keys;
 in
-
-mkKeys {
- hd = {
- "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
- "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
- "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
- "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmxhDwylLlklpgiUWHc0BPSCkNkuAIrXLNOHpAcgXiL";
- };
- root = {
- "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
- "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
- "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
- "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjfPXDS3UvVGXzJYXU8TyP5q0WDzb0anx4Std40AT+j";
- };
+keys'
+// {
+ trusted = with keys'.by-host.hd; [
+ solo
+ c2
+ fw
+ ];
 }
diff --git a/var/wg.nix b/var/wg.nix
index 76d538a..4bd050d 100644
--- a/var/wg.nix
+++ b/var/wg.nix
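Review bot: The new `trusted` list encodes an access-control decision — roam's hd key is left out of the hosts allowed to log in as hd — but nothing in the file says so or why, so a later edit can add roam back (or a new host's key) without realising it widens SSH access on every machine. Add a comment above it, e.g. `# hd keys allowed to log in as hd on every host (see common/users.nix); roam is deliberately excluded — presumably as the mobile, least-trusted host; state the reason here`. Note also that `trusted` only covers hd keys; if a parallel restriction is wanted for root, the root list in `by-host.root` still contains roam and would need its own trusted subset. As a point of style, `with keys'.by-host.hd; [ solo c2 fw ]` resolves the host names through `with`, which any lexical binding of the same name would silently shadow; `lib.attrVals [ "solo" "c2" "fw" ] keys.hd` names the lookup explicitly and fails loudly on a typo.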
@@ -35,6 +35,7 @@ rec { }; keyFile = "/var/secrets/wg.key"; + # Helper method: `peers-for x` filters out `x` from wireguard-network peers-for = host: map (lib.filterAttrs (n: _: n != "ips")) (