Bumper car bugfixing until it actually works as a flake

release
Matthew Salerno 1 year ago
parent 18b08d06ec
commit ecefdd099a

@ -1,36 +0,0 @@
{ config, lib, ... }@inputs:
with lib;
with import ./lib.nix;
{
options = {
wirenix = {
enable = mkOption {
default = true;
type = with lib.types; bool;
description = ''
Wirenix
'';
};
secretsDir = mkOption {
type = types.path;
description = mdDoc ''
where you want the wireguard secrets stored.
'';
};
};
};
config =
let
configurers = defaultConfigurers // config.modules.wirenix.additionalConfigurers;
parsers = defaultParsers // config.modules.wirenix.additionalParsers;
acl = config.modules.wirenix.aclConfig;
parser = parsers."${acl.version}" inputs;
configurer = configurers."${config.modules.wirenix.configurer}" inputs;
nixosConfigForPeer = peerName: builtins.head (builtins.attrValues (
lib.attrsets.filterAttrs (
name: value: (lib.attrsets.attrByPath ["config" "modules" "wirenix" "peerName"] null value) == peerName
) nixosConfigurations));
in
lib.mkIf (config.modules.wirenix.enable)
configurer (parser acl) config.modules.wirenix.peerName;
}

@ -34,4 +34,4 @@ with getKeyProviderFuncs keyProviders inputs intermediateConfig peerName;
};} };}
); );
}; };
} } // getProviderConfig

@ -3,7 +3,6 @@ with import ../lib.nix;
with lib.attrsets; with lib.attrsets;
with builtins; with builtins;
{ {
config = {};
getPeerPubKey = otherPeerName: attrByPath [otherPeerName "publicKey"] null intermediateConfig.peers; getPeerPubKey = otherPeerName: attrByPath [otherPeerName "publicKey"] null intermediateConfig.peers;
getPrivKeyFile = attrByPath [peerName "privateKeyFile"] null intermediateConfig.peers; getPrivKeyFile = attrByPath [peerName "privateKeyFile"] null intermediateConfig.peers;
getSubnetPSKFile = subnetName: attrByPath [subnetName "presharedKeyFile"] null intermediateConfig.subnets; getSubnetPSKFile = subnetName: attrByPath [subnetName "presharedKeyFile"] null intermediateConfig.subnets;

@ -1,32 +1,28 @@
{config, nixosConfigurations, lib, ...}: intermediateConfig: peerName: {config, lib, ...}: intermediateConfig: peerName:
with (import ../lib.nix); with (import ../lib.nix);
with lib.attrsets; with lib.attrsets;
with builtins; with builtins;
let secretsDir = peerName: (nixosConfigForPeer nixosConfigurations peerName).config.modules.wirenix.secrestsDir; in
{ {
config = { config.age = {
age.generators.wireguard-priv = {pkgs, file, ...}: '' secrets = {
priv=$(${pkgs.wireguard-tools}/bin/wg genkey)
${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}
echo "$priv"
'';
age.generators.wireguard-psk = {pkgs, file, ...}: ''
psk=$(${pkgs.wireguard-tools}/bin/wg genpsk)
echo "$psk"
'';
age.secrets = {
age.secrets = {
"wirenix-peer-${peerName}" = { "wirenix-peer-${peerName}" = {
rekeyFile = config.modules.wirenix.secretsDir + /wirenix- + peerName + ".age"; rekeyFile = config.wirenix.secretsDir + /wirenix-peer- + peerName + ".age";
generator.script = "wireguard-priv"; generator.script = {pkgs, file, ...}: ''
priv=$(${pkgs.wireguard-tools}/bin/wg genkey)
${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}
echo "$priv"
'';
}; };
} // mapAttrs' (name: value: nameValuePair ("wirenix-subnet-${name}") { } //
rekeyFile = config.modules.wirenix.subnetSecretsDir + /wirenix-subnet- + name + ".age"; mapAttrs' (name: value: nameValuePair ("wirenix-subnet-${name}") {
generator.script = "wireguard-psk"; rekeyFile = config.wirenix.secretsDir + /wirenix-subnet- + name + ".age";
}) intermediateConfig.peers."${peerName}".subnetConnections; generator.script = {pkgs, ...}: ''
psk=$(${pkgs.wireguard-tools}/bin/wg genpsk)
}; echo "$psk"
getPeerPubKey = otherPeerName: lib.removeSuffix ".age" ((secretsDir otherPeerName).config.secrets."wirenix-peer-${peerName}".path) + ".pub"; '';
}) intermediateConfig.peers."${peerName}".subnetConnections;
};
getPeerPubKey = otherPeerName: builtins.readFile (config.wirenix.secretsDir + /wirenix-peer-${peerName}.pub);
getPrivKeyFile = config.age.secrets."wirenix-peer-${peerName}".path; getPrivKeyFile = config.age.secrets."wirenix-peer-${peerName}".path;
getSubnetPSKFile = subnetName: config.age.secrets."wirenix-subnet-${subnetName}".path; getSubnetPSKFile = subnetName: config.age.secrets."wirenix-subnet-${subnetName}".path;
} }

@ -19,8 +19,7 @@ rec {
v1 = import ./parsers/v1.nix; v1 = import ./parsers/v1.nix;
}; };
/** Builtin configurers */ /** Builtin configurers */
defaultConfigurers = rec { defaultConfigurers = {
auto = static; # TODO: make smart
static = import ./configurers/static.nix; static = import ./configurers/static.nix;
networkd = import ./configurers/networkd.nix; networkd = import ./configurers/networkd.nix;
network-manager = import ./configurers/networkmanager.nix; network-manager = import ./configurers/networkmanager.nix;
@ -120,6 +119,7 @@ rec {
(map (provider: provider.getPrivKeyFile) keyProviders); (map (provider: provider.getPrivKeyFile) keyProviders);
getSubnetPSKFile = subnetName: findFirst (x: x != null) (null) getSubnetPSKFile = subnetName: findFirst (x: x != null) (null)
(map (provider: provider.getSubnetPSKFile subnetName) keyProviders); (map (provider: provider.getSubnetPSKFile subnetName) keyProviders);
getProviderConfig = foldl' (x: y: x // y) {} (map (provider: if provider ? config then provider.config else {}) keyProviders);
}; };
mergeIf = attr: key: if builtins.hasAttr key attr then {"${key}" = attr."${key}";} else {}; mergeIf = attr: key: if builtins.hasAttr key attr then {"${key}" = attr."${key}";} else {};

@ -1,16 +1,32 @@
{ config, lib, ... }@inputs: { config, lib, ... }@inputs:
with lib; with lib;
with import ./lib.nix; with import ./lib.nix;
with builtins;
let
cfg = config.wirenix;
parsers = defaultParsers // cfg.additionalParsers;
configurers = defaultConfigurers // cfg.additionalConfigurers;
availableKeyProviders = defaultKeyProviders // cfg.additionalKeyProviders;
acl = cfg.aclConfig;
parser = parsers."${acl.version}" inputs;
configurer = (getAttr cfg.configurer configurers) inputs; #config.wirenix.configurer inputs;
keyProviders = map (providerName: getAttr providerName availableKeyProviders) cfg.keyProviders; # config.wirenix.keyProviders;
mkMergeTopLevel = names: attrs: attrsets.getAttrs names (
mapAttrs (k: v: mkMerge v) (attrsets.foldAttrs (n: a: [n] ++ a) [] attrs)
);
/**
* We can merge if we want to
* We can leave your friends behind
* 'Cause your friends don't merge and if they don't merge
* Well they're, no friends of mine.
*/
safetyMerge = possibleTopLevelKeys: attrs:
(mkMergeTopLevel possibleTopLevelKeys ((lists.singleton (attrsets.genAttrs possibleTopLevelKeys (name: {})))++attrs));
in
{ {
options = { options = {
wirenix = { wirenix = {
enable = mkOption { enable = mkEnableOption "wirenix";
default = true;
type = with lib.types; bool;
description = ''
Wirenix
'';
};
peerName = mkOption { peerName = mkOption {
default = config.networking.hostName; default = config.networking.hostName;
defaultText = literalExpression "hostName"; defaultText = literalExpression "hostName";
@ -22,21 +38,18 @@ with import ./lib.nix;
''; '';
}; };
configurer = mkOption { configurer = mkOption {
default = defaultConfigurers.static; default = "static";
defaultText = literalExpression "wirenix.lib.defaultConfigurers.static"; type = types.str;
type = with types; functionTo (functionTo (functionTo (functionTo attrset)));
description = mdDoc '' description = mdDoc ''
Configurer to use. Builtin values can be Configurer to use. Builtin values can be
`wirenix.lib.defaultConfigurers.static` "static" "networkd" or "network-manager"
`wirenix.lib.defaultConfigurers.networkd` or
`wirenix.lib.defaultConfigurers.network-manager`
Or you can put your own configurer here. Or you can put your own configurer here.
''; '';
}; };
keyProviders = mkOption { keyProviders = mkOption {
default = [defaultKeyProviders.acl]; default = ["acl"];
type = with types; listOf (functionTo attrset); type = with types; listOf str;
defaultText = literalExpression "[ wirenix.lib.defaultKeyProviders.acl ]"; defaultText = literalExpression "[ "acl" ]";
description = mdDoc '' description = mdDoc ''
List of key providers. Key providers will be queried in order. List of key providers. Key providers will be queried in order.
Builtin providers are `wirenix.lib.defaultKeyProviders.acl` Builtin providers are `wirenix.lib.defaultKeyProviders.acl`
@ -44,46 +57,53 @@ with import ./lib.nix;
requires the agenix-rekey flake. requires the agenix-rekey flake.
''; '';
}; };
additionalKeyProviders = mkOption {
default = {};
type = with types; attrsOf (functionTo attrs);
description = mdDoc ''
Additional key providers to load, with their names being used to select them in the
`keyProviders` option
'';
};
additionalParsers = mkOption { additionalParsers = mkOption {
type = with types; attrsOf (functionTo attrset); default = {};
type = with types; attrsOf (functionTo attrs);
description = mdDoc '' description = mdDoc ''
Additional parsers to load, with their names being used to compare to the acl's Additional parsers to load, with their names being used to compare to the acl's
"version" field. "version" field.
''; '';
}; };
aclConfig = mkOption { additionalConfigurers = mkOption {
default = {}; default = {};
type = types.attrset; type = with types; attrsOf (functionTo attrs);
description = mdDoc ''
Additional configurers to load, with their names being used to select them in the
`configurer` option.
'';
};
aclConfig = mkOption {
type = types.attrs;
description = '' description = ''
Shared configuration file that describes all clients Shared configuration file that describes all clients
''; '';
}; };
secretsDir = mkOption { secretsDir = mkOption {
type = types.path; default = null;
type = with types; nullOr path;
description = mdDoc '' description = mdDoc ''
If using a secrets manager, where you have wireguard secrets stored for the client. If using a secrets manager, where you have wirenix secrets stored. Must be
''; the same on all peers that need to connect to eachother
};
subnetSecretsDir = mkOption {
type = types.path;
description = mdDoc ''
If using a secrets manager, where you have wireguard secrets stored for subnets.
Needs to be the same on all clients.
''; '';
}; };
}; };
}; };
# --------------------------------------------------------------- # # --------------------------------------------------------------- #
# Due to merge weirdness, I have to define what configuration keys
config = # we're touching upfront, and make sure they exist
let config = (safetyMerge ["networking" "sops" "age" "systemd" "services" "environment"]
parsers = defaultParsers // config.modules.wirenix.additionalParsers; [
acl = config.modules.wirenix.aclConfig; (configurer keyProviders (parser acl) cfg.peerName)
parser = parsers."${acl.version}" inputs; ]
configurer = config.modules.wirenix.configurer inputs; );
keyProviders = config.modules.wirenix.keyProviders;
in
lib.mkIf (config.modules.wirenix.enable)
configurer (parser acl) keyProviders config.modules.wirenix.peerName;
} }
Loading…
Cancel
Save