refactor

flake.nix

@@ -21,7 +21,15 @@
       lib = nixpkgs.lib;
       lib' = import ./lib.nix { inherit lib; };
       mod = lib'.walk-dir ./mod;
-      specialArgs = { inherit inputs lib' mod; };
+      var = lib'.walk-dir ./var;
+      specialArgs = {
+        inherit
+          inputs
+          lib'
+          mod
+          var
+          ;
+      };
     in
     {
       nixosConfigurations = {
@@ -30,7 +38,8 @@
           inherit specialArgs;
           modules = [
             ./host/solo
-            mod.shared.pc
+            mod.common._nixos_mod
+            mod.pc-common._nixos_mod
           ];
         };
 
@@ -39,7 +48,8 @@
           inherit specialArgs;
           modules = [
             ./host/c2
-            mod.shared.pc
+            mod.common._nixos_mod
+            mod.pc-common._nixos_mod
           ];
         };
       };
@@ -58,7 +68,7 @@
           };
           imports = [
             ./host/roam
-            mod.shared.all
+            mod.common._nixos_mod
           ];
         };
       };

host/roam/modules/networking.nix

@@ -16,13 +16,10 @@
       address = "fe80::1";
       interface = "ens3";
     };
-
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        80
-        443
-      ];
   };
+
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
   };
 }

host/roam/modules/services.nix

@@ -0,0 +1,47 @@
+{ config, ... }:
+let
+  headscale-domain = "headscale.hdohmen.de";
+in
+{
+  services = {
+    # TODO: maybe just use wireguard...
+    /*
+      headscale = {
+        enable = true;
+        address = "127.0.0.1";
+        port = 8080;
+        settings = {
+          server_url = "https://${headscale-domain}";
+          prefixes.v4 = "100.10.11.0/24";
+          prefixes.v6 = "fd7a:115c:1011::/48";
+          dns = {
+            magic_dns = true;
+            base_domain = "net.hdohmen.de";
+          };
+        };
+      };
+    */
+
+    nginx = {
+      enable = true;
+      /*
+        virtualHosts.${headscale-domain} = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
+            proxyWebsockets = true;
+          };
+        };
+      */
+    };
+  };
+
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+    ];
+  };
+}

host/roam/modules/wireguard.nix

@@ -0,0 +1,25 @@
+{ ... }:
+let
+  wireguard-port = 51820;
+  wireguard-subnet = "100.10.11.0/24";
+in
+{
+  networking = {
+    nat = {
+      enable = true;
+      externalInterface = "ens3";
+      internalInterfaces = [ "wg0" ];
+    };
+
+    firewall.allowedUDPPorts = [ wireguard-port ];
+
+    wireguard = {
+      enable = true;
+      interfaces."wg0" = {
+        ips = [ wireguard-subnet ];
+        listenPort = wireguard-port;
+        privateKeyFile = "/var/secrets/wg0.key";
+      };
+    };
+  };
+}

host/roam/services/services.nix

@@ -1,40 +0,0 @@
-{ config, ... }:
-let
-  headscale-domain = "headscale.hdohmen.de";
-in
-{
-  services = {
-    # TODO: maybe just use wireguard...
-    headscale = {
-      enable = true;
-      address = "127.0.0.1";
-      port = 8080;
-      settings = {
-        server_url = "https://${headscale-domain}";
-        prefixes.v4 = "100.10.11.0/24";
-        prefixes.v6 = "fd7a:115c:1011::/48";
-        dns = {
-          magic_dns = true;
-          base_domain = "net.hdohmen.de";
-        };
-      };
-    };
-
-    nginx = {
-      enable = true;
-      virtualHosts.${headscale-domain} = {
-        forceSSL = true;
-        enableACME = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
-          proxyWebsockets = true;
-        };
-      };
-    };
-
-    openssh = {
-      enable = true;
-      settings.PasswordAuthentication = false;
-    };
-  };
-}

host/solo/default.nix

@@ -1,12 +1,8 @@
-{ mod, ... }:
+{ lib', ... }:
 {
   networking.hostName = "solo";
 
-  imports = with mod; [
+  imports = lib'.import-recursive ./.;
-    software.keyboard
-    nvidia-gpu
-    ./hardware-configuration.nix
-  ];
 
   powerManagement = {
     enable = true;

lib.nix

@@ -1,23 +1,33 @@
 { lib, ... }:
 rec {
-  # TODO make a version that only includes nix paths.
   walk-dir =
     path:
     let
       dir = builtins.readDir path;
-    in
+
-    lib.mapAttrs' (name: value: {
+      subpaths = lib.mapAttrs' (filename: value: {
-      name = lib.removeSuffix ".nix" name;
+        name = lib.removeSuffix ".nix" filename;
         value =
           if value == "regular" then
-          path + "/${name}"
+            path + "/${filename}"
           else if value == "directory" then
-          walk-dir (path + "/${name}")
+            walk-dir (path + "/${filename}")
           else
             builtins.throw "Items of type ${value} are unsupported.";
       }) dir;
+    in
+    subpaths
+    // rec {
+      _files = lib.collect builtins.isPath (subpaths // { default = { }; });
+      _nix_files = builtins.filter (lib.hasSuffix ".nix") _files;
+      _nixos_mod =
+        { ... }:
+        {
+          imports = _nix_files;
+        };
+    };
 
-  # Takes a path `p` and returns a flattened lists of all files in that
+  # Takes a path `p` and returns a list of all files in that
-  # directory, ignoring `p/default.nix`.
+  # directory recursively, ignoring `p/default.nix`.
-  import-recursive = path: lib.attrsets.collect builtins.isPath (walk-dir path // { default = { }; });
+  import-recursive = path: (walk-dir path)._files;
 }

mod/pc-common/nix.nix

@@ -1,22 +1,5 @@
-{ mod, lib, ... }:
+{ lib, ... }:
 {
-  imports = with mod; [
-    shared.all
-
-    audio
-    fonts
-    gpg
-    home-manager
-    network
-    nix-configuration
-    security
-    services
-    software.development
-    software.editors
-    software.programs
-    software.window-manager
-  ];
-
   nixpkgs.config.allowUnfreePredicate =
     pkg:
     builtins.elem (lib.getName pkg) [
@@ -32,5 +15,4 @@
     ];
 
   programs.nix-ld.enable = true;
-
 }

mod/shared/all.nix

@@ -1,10 +0,0 @@
-{ mod, ... }:
-{
-  imports = with mod; [
-    boot
-    locale
-    nix-configuration
-    shell
-    users
-  ];
-}

var/wireguard-network.nix

@@ -0,0 +1,12 @@
+rec {
+  peers = {
+    "roam" = {
+      publicKey = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
+    };
+    "solo" = {
+      publicKey = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
+    };
+  };
+
+  peersFor = host: { }; # TODO: return peers.
+}