refactor wireguard with clan facts

flake.lock

@@ -151,11 +151,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1717742034,
+        "lastModified": 1717742737,
-        "narHash": "sha256-RUkjSjGHLMPmAAGewe4NoBt+CcHQI+NaGuJoz3neu1w=",
+        "narHash": "sha256-PApHCrcFq7s9AXQDiCeMl/5w0IYqkjIeASZtmBkx9C8=",
         "owner": "mrvandalo",
         "repo": "clan-fact-generators",
-        "rev": "7301a98cefa9b8573c203d645ebabc7c103452d7",
+        "rev": "631b3981260e18a54cf0e03f4a7bdf5c1c4bac1a",
         "type": "github"
       },
       "original": {

nixos/machines/cherry/configuration.nix

@@ -9,10 +9,10 @@
     ./hardware-configuration
 
     ./syncthing.nix
-    ./tinc.nix
-
     ./qemu.nix
-    ./wireguard.nix
+
+    ./network-tinc.nix
+    ./network-wireguard.nix
 
     ./37c3.nix
 

nixos/machines/cherry/network-wireguard.nix

@@ -1,24 +1,31 @@
-{ config, factsGenerator, ... }:
+{ config, factsGenerator, clanLib, ... }:
 {
   networking.firewall.allowedUDPPorts = [ 51820 ];
   clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
+  clanCore.facts.services.wireguard_ip = factsGenerator.public {
+    "wireguard.wg0.cidr" = "10.100.0.7/32";
+    "wireguard.wg0.ip" = "10.100.0.7";
+  };
 
   # Enable WireGuard
   networking.wg-quick.interfaces = {
     # Hub and Spoke Setup
     # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
     wg0 = {
-      address = [ "10.100.0.7/32" ];
+      address = [
+        config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
+      ];
       listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
       privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
       mtu = 1280;
 
       peers = [
         {
-          publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub");
+          publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
-          allowedIPs = [ "10.100.0.1/24" ];
+          allowedIPs = [
-          #endpoint = "ingolf-wagner.de:51820";
+            (clanLib.readFact "wireguard.wg0.cidr" "orbi")
-          endpoint = "95.216.66.212:51820";
+          ];
+          endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
         }
       ];
     };

nixos/machines/cherry/tinc_retiolum.nix

@@ -1,28 +0,0 @@
-{ config, factsGenerator, ... }:
-{
-
-  clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
-
-  networking.retiolum.port = 720;
-  networking.retiolum.nodename = "sol";
-
-  services.tinc.networks.retiolum = {
-    ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
-    rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
-  };
-
-  #fileSystems."/retiolum/sicily" = {
-  #  device = "//sicily.r/tonne";
-  #  fsType = "cifs";
-  #  options = [
-  #    "guest"
-  #    "nofail"
-  #    "noauto"
-  #    "ro"
-  #    "rsize=16777216"
-  #    "cache=loose"
-  #    "x-systemd.after=network.target"
-  #  ];
-  #};
-
-}

nixos/machines/chungus/network-wireguard.nix

@@ -1,24 +1,31 @@
-{ pkgs, config, factsGenerator, ... }:
+{ config, factsGenerator, clanLib, ... }:
 {
   networking.firewall.allowedUDPPorts = [ 51820 ];
   clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
+  clanCore.facts.services.wireguard_ip = factsGenerator.public {
+    "wireguard.wg0.cidr" = "10.100.0.2/32";
+    "wireguard.wg0.ip" = "10.100.0.2";
+  };
 
   # Enable WireGuard
   networking.wg-quick.interfaces = {
     # Hub and Spoke Setup
     # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
     wg0 = {
-      address = [ "10.100.0.2/32" ];
+      address = [
+        config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
+      ];
       listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
       privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
       mtu = 1280;
 
       peers = [
         {
-          publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub");
+          publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
-          allowedIPs = [ "10.100.0.1/24" ];
+          allowedIPs = [
-          #endpoint = "ingolf-wagner.de:51820";
+            (clanLib.readFact "wireguard.wg0.cidr" "orbi")
-          endpoint = "95.216.66.212:51820";
+          ];
+          endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
           persistentKeepalive = 25;
         }
       ];

nixos/machines/cream/configuration.nix

@@ -9,11 +9,11 @@
     ./hardware-configuration.nix
 
     ./syncthing.nix
-    ./tinc.nix
-    ./tinc_retiolum.nix
-
     ./qemu.nix
-    ./wireguard.nix
+
+    ./network-tinc.nix
+    ./network-tinc_retiolum.nix
+    ./network-wireguard.nix
 
     #./borg.nix
 

nixos/machines/cream/network-wireguard.nix

@@ -1,24 +1,31 @@
-{ config, factsGenerator, ... }:
+{ config, factsGenerator, clanLib, ... }:
 {
   networking.firewall.allowedUDPPorts = [ 51820 ];
   clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
+  clanCore.facts.services.wireguard_ip = factsGenerator.public {
+    "wireguard.wg0.cidr" = "10.100.0.6/32";
+    "wireguard.wg0.ip" = "10.100.0.6";
+  };
 
   # Enable WireGuard
   networking.wg-quick.interfaces = {
     # Hub and Spoke Setup
     # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
     wg0 = {
-      address = [ "10.100.0.6/32" ];
+      address = [
+        config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
+      ];
       listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
       privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
       mtu = 1280;
 
       peers = [
         {
-          publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub");
+          publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
-          allowedIPs = [ "10.100.0.1/24" ];
+          allowedIPs = [
-          #endpoint = "ingolf-wagner.de:51820";
+            (clanLib.readFact "wireguard.wg0.cidr" "orbi")
-          endpoint = "95.216.66.212:51820";
+          ];
+          endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
         }
       ];
     };

nixos/machines/orbi/network-wireguard.nix

@@ -1,16 +1,24 @@
-{ pkgs, config, factsGenerator, ... }:
+{ pkgs, config, factsGenerator, clanLib, lib, ... }:
 let
-  publicKey = machine: (builtins.readFile "${config.clanCore.clanDir}/machines/${machine}/facts/wireguard.wg0.pub");
+  otherMachines = lib.filterAttrs (name: _value: name != "orbi") (clanLib.readFactsFromAllMachines [ "wireguard.wg0.pub" "wireguard.wg0.cidr" ]);
+  peers =
+    lib.mapAttrsToList
+      (_machine: facts:
+        {
+          publicKey = facts."wireguard.wg0.pub";
+          allowedIPs = [ facts."wireguard.wg0.cidr" ];
+        }
+      )
+      otherMachines;
 in
 {
   networking.firewall.allowedUDPPorts = [ 51820 ];
   clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
   clanCore.facts.services.wireguard_ip = factsGenerator.public {
-   "wireguard.wg0.endpoint" = "95.216.66.212:51820";
+    "wireguard.wg0.endpoint" = "95.216.66.212:51820";
-   "wireguard.wg0.cidr" = "10.100.0.1/24";
+    "wireguard.wg0.cidr" = "10.100.0.1/24";
-   "wireguard.wg0.ip" = "10.100.0.1";
+    "wireguard.wg0.ip" = "10.100.0.1";
-   };
+  };
-
 
   boot.kernel.sysctl."net.ipv4.ip_forward" = true;
 
@@ -31,28 +39,7 @@ in
         ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
       '';
 
-      peers = [
+      peers = peers ++ [
-        # server
-        # ------
-        # start at 1
-        {
-          # chungus
-          publicKey = publicKey "chungus";
-          allowedIPs = [ "10.100.0.2/32" ];
-        }
-        # desktops
-        # --------
-        # start at 10
-        {
-          # cream
-          publicKey = publicKey "cream";
-          allowedIPs = [ "10.100.0.6/32" ]; # todo : change ip
-        }
-        {
-          # cherry
-          publicKey = publicKey "cherry";
-          allowedIPs = [ "10.100.0.7/32" ]; # todo : change ip
-        }
         # mobil devices
         # -------------
         # start at 100