kinda work for sterni

nixos/components/network/tinc/default.nix

@@ -1,14 +1,35 @@
+{ lib, config, ... }:
+with lib;
 {
 
-  imports = [
-    #./private.nix
-    #./retiolum.nix
-    #./secret.nix
+  options.tinc = {
+    private = {
+      enable = mkEnableOption "private tinc setup";
+      ipv4 = mkOption {
+        type = types.str;
+      };
+    };
+    secret = {
+      enable = mkEnableOption "secret tinc setup";
+      ipv4 = mkOption {
+        type = types.str;
+      };
+    };
+  };
+
+  config = mkMerge [
+    (mkIf config.tinc.private.enable (import ./private.nix {
+      ipv4 = config.tinc.private.ipv4;
+      ipv6 = null;
+      inherit (lib) optionalString concatStringsSep mapAttrsToList;
+      inherit config;
+    }))
+    (mkIf config.tinc.secret.enable (import ./secret.nix {
+      ipv4 = config.tinc.secret.ipv4;
+      ipv6 = null;
+      inherit (lib) optionalString concatStringsSep mapAttrsToList;
+      inherit config;
+    }))
   ];
-
-  # keys for secret and private tinc network
-  sops.secrets.tinc_ed25519_key = { };
-  #sops.secrets.tinc_rsa_key = { };
-
 }
 

nixos/components/network/tinc/private.nix

@@ -1,46 +1,90 @@
-{ config, lib, pkgs, ... }:
-
-{
-
-  networking.firewall.trustedInterfaces = [ "tinc.private" ];
-
-  users.groups."tinc.private" = { };
-  users.users."tinc.private" = {
-    group = "tinc.private";
-    isSystemUser = lib.mkDefault true;
+{ ipv4
+, ipv6
+, config
+, optionalString
+, concatStringsSep
+, mapAttrsToList
+, ...
+}:
+let
+  hosts = {
+    mobi = "10.23.42.23";
+    sterni = "10.23.42.24";
+    bobi = "10.23.42.25";
+    pepe = "10.23.42.26";
+    robi = "144.76.13.147";
   };
+  network = "private";
+in
+{
+  sops.secrets.tinc_ed25519_key = { };
 
-  # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
-  module.cluster.services.tinc."private" = {
-    networkSubnet = "10.23.42.0/24";
-    extraConfig = ''
-      LocalDiscovery = yes
-    '';
-    privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
-    privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
-    hosts = {
-      pepe = {
-        tincIp = "10.23.42.26";
-        publicKey = lib.fileContents ../../../assets/tinc/pepe_host_file;
-      };
-      sterni = {
-        tincIp = "10.23.42.24";
-        publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
-      };
-      mobi = {
-        tincIp = "10.23.42.23";
-        publicKey = lib.fileContents ../../../assets/tinc/mobi_host_file;
-      };
-      bobi = {
-        tincIp = "10.23.42.25";
-        publicKey = lib.fileContents ../../../assets/tinc/bobi_host_file;
-      };
-      robi = {
-        realAddress = [ "144.76.13.147" ];
-        tincIp = "10.23.42.111";
-        publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
+  services.tinc.networks = {
+    ${network} = {
+      ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
+      hostSettings = {
+        mobi = {
+          subnets = [{ address = hosts.mobi; }];
+          settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
+        };
+        sterni = {
+          subnets = [{ address = hosts.sterni; }];
+          settings.Ed25519PublicKey = "Hm+YwSe6XiRNQD4HfJPgTB8UFVMyVi0vy+3ofMnW6jD";
+        };
+        bobi = {
+          subnets = [{ address = hosts.bobi; }];
+          settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
+        };
+        pepe = {
+          subnets = [{ address = hosts.pepe; }];
+          settings.Ed25519PublicKey = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
+        };
+        robi = {
+          addresses = [{ address = "144.76.13.147"; }];
+          subnets = [{ address = hosts.robi; }];
+          settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
+        };
       };
     };
   };
 
+  systemd.network.enable = true;
+  systemd.network.networks.${network}.extraConfig = ''
+    [Match]
+    Name = tinc.${network}
+    [Link]
+    # tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
+    MTUBytes=1377
+    [Network]
+    ${optionalString (ipv4 != null) "Address=${ipv4}/24"}
+    ${optionalString (ipv6 != null) "Address=${ipv6}/28"}
+    RequiredForOnline = no
+    LinkLocalAddressing = no
+  '';
+
+  networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") hosts);
+
+  services.openssh.knownHosts = {
+    "robi" = {
+      hostNames = [ "robi.${network}" hosts.robi ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
+    };
+    "sterni.${network}" = {
+      hostNames = [ "sterni.${network}" hosts.sterni ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
+    };
+    "pepe.${network}" = {
+      hostNames = [ "pepe.${network}" hosts.pepe ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
+    };
+    "bobi.${network}" = {
+      hostNames = [ "bobi.${network}" hosts.bobi ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
+    };
+    "mobi.${network}" = {
+      hostNames = [ "mobi.${network}" hosts.mobi ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
+    };
+  };
+
 }

nixos/components/network/tinc/secret.nix

@@ -1,33 +1,78 @@
-{ config, pkgs, lib, ... }:
+{ ipv4
+, ipv6
+, config
+, optionalString
+, concatStringsSep
+, mapAttrsToList
+, ...
+}:
+let
+  port = 721;
+  hosts = {
+    sternchen = "10.123.42.25";
+    sterni = "10.123.42.24";
+    robi = "10.123.42.123";
+  };
+  network = "secret";
+in
 {
+  sops.secrets.tinc_ed25519_key = { };
 
-
-  # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
-  module.cluster.services.tinc."secret" = {
-    networkSubnet = "10.123.42.0/24";
-    port = 721;
-    extraConfig = ''
-      LocalDiscovery = yes
-      AutoConnect = yes
-    '';
-    privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
-    privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
-    hosts = {
-      sternchen = {
-        tincIp = "10.123.42.25";
-        publicKey = lib.fileContents ../../../assets/tinc/sternchen_host_file;
-      };
-      sterni = {
-        tincIp = "10.123.42.24";
-        publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
-      };
-      robi = {
-        realAddress = [ "144.76.13.147" ];
-        tincIp = "10.123.42.123";
-        publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
+  services.tinc.networks = {
+    ${network} = {
+      ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
+      extraConfig = ''
+        LocalDiscovery = yes
+        AutoConnect = yes
+        Port = ${toString port}
+      '';
+      hostSettings = {
+        sternchen = {
+          subnets = [{ address = hosts.sterni; }];
+          settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
+        };
+        sterni = {
+          subnets = [{ address = hosts.sterni; }];
+          settings.Ed25519PublicKey = "Hm+YwSe6XiRNQD4HfJPgTB8UFVMyVi0vy+3ofMnW6jD";
+        };
+        robi = {
+          addresses = [{ address = "144.76.13.147"; port = port; }];
+          subnets = [{ address = hosts.robi; }];
+          settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
+        };
       };
     };
   };
 
-}
+  systemd.network.enable = true;
+  systemd.network.networks.${network}.extraConfig = ''
+    [Match]
+    Name = tinc.${network}
+    [Link]
+    # tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
+    MTUBytes=1377
+    [Network]
+    ${optionalString (ipv4 != null) "Address=${ipv4}/24"}
+    ${optionalString (ipv6 != null) "Address=${ipv6}/28"}
+    RequiredForOnline = no
+    LinkLocalAddressing = no
+  '';
 
+  networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") hosts);
+
+  services.openssh.knownHosts = {
+    "sternchen.${network}" = {
+      hostNames = [ "sterni.${network}" hosts.sterni ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
+    };
+    "sterni.${network}" = {
+      hostNames = [ "sterni.${network}" hosts.sterni ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
+    };
+    "robi" = {
+      hostNames = [ "robi.${network}" hosts.robi ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
+    };
+  };
+
+}

nixos/machines/sterni/tinc.nix

@@ -1,78 +1,10 @@
 { config, lib, pkgs, ... }:
-
-with lib;
-let ipv4 = "10.23.42.24";
-in
-
 {
 
-  # module.cluster.services.tinc = {
-  #   "private" = {
-  #     enable = true;
-  #     openPort = true;
-  #     connectTo = [ "robi" ];
-  #   };
-  #   "retiolum" = {
-  #     enable = true;
-  #     openPort = true;
-  #   };
-  #   "secret" = {
-  #     enable = true;
-  #     openPort = true;
-  #     connectTo = [ "robi" ];
-  #   };
-  # };
+  tinc.private.enable = true;
+  tinc.private.ipv4 = "10.23.42.24";
 
-  #sops.secrets.tinc_retiolum_ed25519_key = { };
-  #sops.secrets.tinc_retiolum_rsa_key = { };
+  tinc.secret.enable = true;
+  tinc.secret.ipv4 = "10.123.42.24";
 
-  #users.users."tinc.retiolum".group = "tinc.retiolum";
-  #users.groups."tinc.retiolum" = { };
-
-  #users.users."tinc.secret".group = "tinc.secret";
-  #users.groups."tinc.secret" = { };
-
-
-  services.tinc.networks = {
-    "private" = {
-      ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
-      hostSettings = {
-        mobi = {
-          subnets = [{ address = "10.23.42.23"; }];
-          settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
-        };
-        sterni = {
-          subnets = [{ address = "10.23.42.24"; }];
-          settings.Ed25519PublicKey = "Hm+YwSe6XiRNQD4HfJPgTB8UFVMyVi0vy+3ofMnW6jD";
-        };
-        bobi = {
-          subnets = [{ address = "10.23.42.25"; }];
-          settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
-        };
-        pepe = {
-          subnets = [{ address = "10.23.42.26"; }];
-          settings.Ed25519PublicKey = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
-        };
-        robi = {
-          addresses = [{ address = "144.76.13.147"; }];
-          subnets = [{ address = "10.23.42.111"; }];
-          settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
-        };
-      };
-    };
-  };
-
-
-  systemd.network.enable = true;
-  systemd.network.networks."private".extraConfig = ''
-    [Match]
-    Name = tinc.private
-    [Link]
-    # tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
-    MTUBytes=1377
-    [Network]
-    ${optionalString (ipv4 != null) "Address=${ipv4}/24"}
-    RequiredForOnline = no
-    LinkLocalAddressing = no
-  '';
 }