# manage secrets

Files containing secrets that are currently placed on the host by hand and should be managed properly (tracked in an encrypted form, deployed out of band, never copied into the Nix store):
 - jormungand: /var/spool/nginx/mpd.htpasswd
 - gaia: (notasecret) /etc/ppp/ip-up
 - gaia: /etc/ppp/options (contains ppp password)
 - ssh host keys? (regenerating them on a redeploy changes the host's identity and makes every client's known_hosts entry fail, so they need to be preserved across rebuilds)

Other kludged secrets:
 - gaia: hostapd wpa_password; the rendered hostapd config is written to the Nix store, which is world-readable, so the WPA passphrase is exposed to every local user and to anyone with access to a binary cache the store is pushed to.

Add a /secrets dir managed with something like git-crypt (secrets encrypted in the repo rather than merely .gitignored), and have the deployment copy those files to the target host out of band, so modules can reference them by path (as `privateKeyFile` does below) without the contents ever entering the Nix store.

# wireguard
Ideally something like the single-source-of-truth mesh described at
https://discourse.nixos.org/t/morph-nix-based-deployment-tool/1276/7 — every node is listed once and each host derives its own interface and peer list from that table:
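{ config, pkgs, lib, ... }:
# Sketch of a WireGuard mesh: every node is described once in `nodes` and
# each host derives its own wg0 config and peer list from that table.
# `lib` is taken from the module arguments so that all helpers used below
# (filterAttrs, mapAttrs, mapAttrsToList, head, splitString, concatStringsSep)
# resolve; the original sketch mixed `pkgs.lib` with an unbound `lib`.
let
  # One entry per host.
  #  - peerInfo: what the OTHER nodes put in their peer list for this host
  #    (its public key and the prefixes routed to / accepted from it).
  #  - ips: the addresses this host assigns to its own wg0.
  # The "...." public keys are placeholders to be filled in per host.
  nodes = {
    alpha = {
      peerInfo = {
        allowedIPs = ["192.168.65.3/32"];
        publicKey = "....";
      };
      ips = ["192.168.65.3/24"];
    };
    beta = {
      peerInfo = {
        publicKey = "....";
        # Covers the whole VPN prefix, so beta is the catch-all route for
        # any 192.168.65.x address without a more specific peer, and packets
        # from beta with any 192.168.65.x source address are accepted.
        allowedIPs = ["192.168.65.0/24"];
      };
      ips = ["192.168.65.1/24"];
    };
  };

  # Fail with a readable message when this host is missing from the table,
  # rather than a bare "attribute missing" evaluation error.
  self = nodes.${config.networking.hostName}
    or (throw "wireguard: host '${config.networking.hostName}' is not listed in `nodes`");

  # Every node except ourselves becomes a peer.
  peers = lib.filterAttrs (name: _: name != config.networking.hostName) nodes;

  # "<first ip without prefix length> <name>.vpn.local" for every node, so
  # peers can be addressed by name over the tunnel.
  # NOTE(review): `.local` is reserved for mDNS (RFC 6762) and some resolvers
  # route it to multicast DNS; a different suffix avoids that clash.
  stripPrefixLen = cidr: lib.head (lib.splitString "/" cidr);
  hostEntries = lib.mapAttrsToList
    (name: node: "${stripPrefixLen (lib.head node.ips)} ${name}.vpn.local")
    nodes;
in {
  networking = {
    wireguard.interfaces.wg0 = {
      ips = self.ips;
      listenPort = 43642;
      # Referenced by path only, so the private key never enters the
      # world-readable Nix store. The file must be deployed out of band and
      # should be readable by root only (mode 0600).
      # NOTE(review): confirm the deployment tool actually sets that mode.
      privateKeyFile = "/secrets/wg.private";
      peers = lib.mapAttrs (_: node: node.peerInfo) peers;
    };
    extraHosts = lib.concatStringsSep "\n" hostEntries;
  };
}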