diff --git a/flake-parts/hosts.nix b/flake-parts/hosts.nix index 3101dfc..c950cba 100644 --- a/flake-parts/hosts.nix +++ b/flake-parts/hosts.nix @@ -8,10 +8,7 @@ let mkHost = hostDir: inputs.nixpkgs.lib.nixosSystem { - specialArgs = { - inherit inputs self; - inherit (self) allHosts; - }; + specialArgs = { inherit inputs self; }; modules = (lib.singleton { networking.hostName = hostDir |> lib.baseNameOf |> lib.unsafeDiscardStringContext; diff --git a/flake-parts/tests.nix b/flake-parts/tests.nix deleted file mode 100644 index 221d65b..0000000 --- a/flake-parts/tests.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ inputs, self, ... }: -{ - perSystem = - { pkgs, lib, ... }: - { - checks = - "${self}/tests" - |> builtins.readDir - |> lib.attrNames - |> lib.map (name: { - name = "${name}-test"; - value = pkgs.testers.runNixOSTest ( - { - name = "${name}-test"; - } - // import "${self}/tests/${name}" { - inherit - inputs - self - pkgs - lib - ; - } - ); - }) - |> lib.listToAttrs; - }; -} diff --git a/justfile b/justfile index e0b05a0..20e4e8b 100644 --- a/justfile +++ b/justfile @@ -10,9 +10,6 @@ fmt: nix fmt check: - nix flake check - -check-lite: nix flake check --no-build repair: diff --git a/modules/system/networking/default.nix b/modules/system/networking/default.nix index 24f8ac3..5b790a4 100644 --- a/modules/system/networking/default.nix +++ b/modules/system/networking/default.nix @@ -1,7 +1,7 @@ { config, + self, lib, - allHosts, ... }: let @@ -18,7 +18,7 @@ in nodes = lib.mkOption { type = lib.types.anything; default = - allHosts + self.allHosts |> lib.attrValues |> lib.map (host: host.config.custom.networking) |> lib.map ( diff --git a/modules/system/networking/overlay.nix b/modules/system/networking/overlay.nix index 243e558..910f3aa 100644 --- a/modules/system/networking/overlay.nix +++ b/modules/system/networking/overlay.nix @@ -1,7 +1,7 @@ { config, + self, lib, - allHosts, ... }: let 
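Review bot: The `check` recipe now runs only `nix flake check --no-build`, which evaluates the flake without building any check, and the same commit deletes `flake-parts/tests.nix` together with `tests/infrastructure`, so the VM test that asserted overlay connectivity, DNS resolution and the role-based SSH restriction (`server.fail("ssh ... seb@${clientNetCfg.fqdn} ...")`) no longer runs anywhere. Dropping the full recipe means there is no longer a single command that would catch a regression in that access-control rule. If the VM test had to go because the host key now comes only from sops, keep a building recipe for whatever replaces it, e.g. `check-full:` / `    nix flake check`, and say in the commit message that the coverage is being removed deliberately. The `repair:` recipe that follows is outside the hunk.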
@@ -27,10 +27,6 @@ in type = lib.types.nonEmptyStr; default = ""; }; - fqdn = lib.mkOption { - type = lib.types.nonEmptyStr; - default = "${config.custom.networking.hostName}.${cfg.domain}"; - }; address = lib.mkOption { type = lib.types.nonEmptyStr; @@ -61,7 +57,7 @@ in dnsServers = lib.mkOption { type = lib.types.anything; default = - allHosts + self.allHosts |> lib.attrValues |> lib.filter (host: host.config.custom.services.dns.enable) |> lib.map (host: host.config.custom.networking.overlay.address); diff --git a/modules/system/networking/underlay.nix b/modules/system/networking/underlay.nix index 125cc75..30e0b65 100644 --- a/modules/system/networking/underlay.nix +++ b/modules/system/networking/underlay.nix @@ -40,11 +40,7 @@ in config = lib.mkMerge [ { - networking = { - useNetworkd = true; - useDHCP = false; - }; - + networking.useNetworkd = true; systemd.network = { enable = true; networks."10-${cfg.interface}" = { diff --git a/modules/system/services/dns.nix b/modules/system/services/dns.nix index f70e840..f4c204f 100644 --- a/modules/system/services/dns.nix +++ b/modules/system/services/dns.nix @@ -2,7 +2,6 @@ config, self, lib, - allHosts, ... }: let @@ -24,9 +23,11 @@ in local-zone = "\"${netCfg.overlay.domain}.\" static"; local-data = let - nodeRecords = netCfg.nodes |> lib.map (node: "\"${node.overlay.fqdn}. A ${node.overlay.address}\""); + nodeRecords = + netCfg.nodes + |> lib.map (node: "\"${node.hostName}.${node.overlay.domain}. A ${node.overlay.address}\""); serviceRecords = - allHosts + self.allHosts |> lib.attrValues |> lib.concatMap ( host: diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix index d34e286..02cd028 100644 --- a/modules/system/services/nebula/default.nix +++ b/modules/system/services/nebula/default.nix 
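Review bot: Removing `networking.useDHCP = false;` in the underlay hunk leaves NixOS's default of `true` in effect unless it is set somewhere outside this diff, and with `networking.useNetworkd = true` that default (as far as I recall the networkd backend) installs a catch-all DHCP network unit matching every ethernet and wireless interface, so any NIC other than `cfg.interface` will now request a lease and accept routes and DNS servers from whatever network it is attached to. The explicit `networks."10-${cfg.interface}"` unit still wins for the underlay interface because of its lower prefix, but secondary NICs, USB adapters or veths on a server get unsolicited configuration. If the goal is only to let a VM's management interface come up, scope it: keep `networking.useDHCP = false;` here and enable DHCP per interface with `networking.interfaces.<name>.useDHCP = true;` where it is wanted. The `config = lib.mkMerge [` list this belongs to continues past the hunk.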
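Review bot: The rebuilt `nodeRecords` line in dns.nix forms each owner name from the node's own `node.overlay.domain`, while the zone declared two lines above comes from this host's `netCfg.overlay.domain`, so a node whose domain differs, or is left at the `""` default visible on the option just above the removed `fqdn` block in overlay.nix, produces a record outside the `static` zone (unbound then serves it from an implicitly created zone, or rejects it) rather than a name inside the zone this resolver is authoritative for. Anchor the records on the zone: `|> lib.map (node: "\"${node.hostName}.${netCfg.overlay.domain}. A ${node.overlay.address}\"");`. The same `hostName.domain` concatenation is now repeated in profiles/server.nix, so a small helper in the networking module would keep the two from drifting. The `local-data` let-binding continues past the hunk.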
@@ -27,10 +27,6 @@ in ++ lib.optional config.custom.services.syncthing.enable "syncthing"; }; - caCertificatePath = lib.mkOption { - type = lib.types.path; - default = ./ca.crt; - }; publicKeyPath = lib.mkOption { type = lib.types.path; default = "${self}/hosts/${netCfg.hostName}/keys/nebula.pub"; @@ -39,10 +35,6 @@ in type = lib.types.path; default = "${self}/hosts/${netCfg.hostName}/keys/nebula.crt"; }; - privateKeyPath = lib.mkOption { - type = lib.types.nullOr lib.types.path; - default = null; - }; }; config = lib.mkIf cfg.enable { @@ -58,14 +50,14 @@ in systemdUnit = "nebula@mesh.service"; }; - sops.secrets."nebula/host-key" = lib.mkIf (cfg.privateKeyPath == null) { + sops.secrets."nebula/host-key" = { owner = config.users.users.nebula-mesh.name; restartUnits = [ "nebula@mesh.service" ]; }; environment.etc = { "nebula/ca.crt" = { - source = cfg.caCertificatePath; + source = ./ca.crt; mode = "0440"; user = config.systemd.services."nebula@mesh".serviceConfig.User; }; @@ -81,11 +73,7 @@ in ca = "/etc/nebula/ca.crt"; cert = "/etc/nebula/host.crt"; - key = - if (cfg.privateKeyPath != null) then - cfg.privateKeyPath - else - config.sops.secrets."nebula/host-key".path; + key = config.sops.secrets."nebula/host-key".path; tun.device = netCfg.overlay.interface; listen = { diff --git a/modules/system/services/sshd.nix b/modules/system/services/sshd.nix index ca32281..14f35c7 100644 --- a/modules/system/services/sshd.nix +++ b/modules/system/services/sshd.nix @@ -1,7 +1,7 @@ { config, + self, lib, - allHosts, ... }: let @@ -41,7 +41,7 @@ in }; users.users.seb.openssh.authorizedKeys.keyFiles = - allHosts + self.allHosts |> lib.attrValues |> lib.filter (host: host.config.networking.hostName != netCfg.hostName) |> lib.filter (host: host.config |> lib.hasAttr "home-manager") diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix index 72355c5..bdccc4c 100644 --- a/modules/system/services/syncthing.nix 
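Review bot: `source = ./ca.crt;` in the `environment.etc."nebula/ca.crt"` entry pins the mesh trust anchor to a file inside the module with nothing explaining how it is managed, and with `privateKeyPath` gone the sops secret `nebula/host-key` is the only key source, so the module can no longer be exercised against a throwaway CA the way the deleted `tests/infrastructure` test did. Add a comment above the entry along the lines of `# Trust anchor for every hosts/*/keys/nebula.crt; rotate by replacing this file (Nebula accepts several concatenated CA certs during a rollover) and re-signing the host certs`. I cannot see from the diff where the CA private key lives, so state in that comment that it is kept outside the repo if that is the case. The `config = lib.mkIf cfg.enable { … }` attrset holding these entries starts and ends outside the hunk.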
+++ b/modules/system/services/syncthing.nix @@ -2,7 +2,6 @@ config, self, lib, - allHosts, ... }: let @@ -88,7 +87,7 @@ in settings = let hosts = - allHosts + self.allHosts |> lib.filterAttrs (_: host: host.config.networking.hostName != config.networking.hostName) |> lib.filterAttrs (_: host: host.config.custom.services.syncthing.enable); in diff --git a/modules/system/web-services/gatus.nix b/modules/system/web-services/gatus.nix index c47da79..aa8d3f4 100644 --- a/modules/system/web-services/gatus.nix +++ b/modules/system/web-services/gatus.nix @@ -1,7 +1,7 @@ { config, + self, lib, - allHosts, ... }: let @@ -173,7 +173,7 @@ in web-services.gatus.endpoints = let defaultEndpoints = - allHosts + self.allHosts |> lib.mapAttrs ( _: host: host.config.custom.services.caddy.virtualHosts |> lib.attrValues |> lib.map (vHost: vHost.domain) diff --git a/profiles/server.nix b/profiles/server.nix index 08c9454..f4b3dcf 100644 --- a/profiles/server.nix +++ b/profiles/server.nix @@ -10,7 +10,7 @@ comin.enable = true; alloy = { enable = true; - domain = "alloy.${config.custom.networking.overlay.fqdn}"; + domain = "alloy.${config.networking.hostName}.${config.custom.networking.overlay.domain}"; }; }; }; diff --git a/tests/infrastructure/default.nix b/tests/infrastructure/default.nix deleted file mode 100644 index e325e25..0000000 --- a/tests/infrastructure/default.nix +++ /dev/null 
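Review bot: The new `domain` in profiles/server.nix is built from `config.networking.hostName`, while the A records that services/dns.nix publishes in this same commit use `custom.networking.hostName` (`node.hostName`), so the alloy virtual host only resolves if the two hostname options are always equal. hosts.nix sets `networking.hostName` from the host directory and the nebula module appears to read `netCfg.hostName` for its key paths, which suggests they are meant to match, but nothing visible here enforces it; use the option the zone is generated from: `domain = "alloy.${config.custom.networking.hostName}.${config.custom.networking.overlay.domain}";`. This line and the dns.nix change both inline the removed `fqdn`, so a shared helper would keep them in step. The enclosing `alloy = { … }` block is cut by the hunk.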
@@ -1,132 +0,0 @@
-{
- inputs,
- self,
- lib,
- ...
-}:
-{
- defaults =
- { nodes, config, ... }:
- {
- imports = [ self.nixosModules.default ];
-
- _module.args.allHosts = nodes |> lib.mapAttrs (_: node: { config = node; });
-
- users = {
- mutableUsers = false;
- users.seb = {
- isNormalUser = true;
- password = "seb";
- extraGroups = [ "wheel" ];
- };
- };
-
- custom = {
- networking.overlay.networkCidr = lib.mkForce "10.10.10.0/24";
- services.nebula = {
- caCertificatePath = ./keys/ca.crt;
- certificatePath = ./keys/${config.networking.hostName}.crt;
- privateKeyPath = ./keys/${config.networking.hostName}.key;
- };
- };
-
- services.resolved.dnssec = lib.mkForce "false";
- };
-
- node.specialArgs = { inherit inputs self; };
-
- nodes = {
- lighthouse = {
- custom = {
- networking = {
- overlay = {
- address = "10.10.10.1";
- isLighthouse = true;
- role = "server";
- };
- underlay = {
- interface = "eth1";
- cidr = "192.168.0.1/16";
- isPublic = true;
- };
- };
-
- services.dns.enable = true;
- };
- };
-
- server = {
- custom = {
- networking = {
- overlay = {
- address = "10.10.10.2";
- role = "server";
- };
- underlay = {
- interface = "eth1";
- cidr = "192.168.0.2/16";
- isPublic = true;
- };
- };
-
- services.sshd.enable = true;
- };
-
- users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/client-ssh.pub ];
- environment.etc."ssh-key" = {
- source = ./keys/server-ssh;
- mode = "0600";
- };
- };
-
- client = {
- custom.networking = {
- overlay = {
- address = "10.10.10.3";
- role = "client";
- };
- underlay = {
- interface = "eth1";
- cidr = "192.168.0.3/16";
- };
- };
-
- users.users.seb.openssh.authorizedKeys.keyFiles = [ ./keys/server-ssh.pub ];
- environment.etc."ssh-key" = {
- source = ./keys/client-ssh;
- mode = "0600";
- };
- };
- };
-
- testScript =
- { nodes, ...
}:
- let
- lighthouseNetCfg = nodes.lighthouse.custom.networking.overlay;
- serverNetCfg = nodes.server.custom.networking.overlay;
- clientNetCfg = nodes.client.custom.networking.overlay;
-
- sshOptions = "-i /etc/ssh-key -o BatchMode=yes -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
- in
- ''
- start_all()
-
- lighthouse.wait_for_unit("${lighthouseNetCfg.systemdUnit}")
- server.wait_for_unit("${serverNetCfg.systemdUnit}")
- client.wait_for_unit("${clientNetCfg.systemdUnit}")
- lighthouse.wait_for_unit("unbound.service")
- server.wait_for_unit("sshd.service")
-
- with subtest("Overlay connectivity between nodes"):
- client.succeed("ping -c 1 ${serverNetCfg.address}")
- server.succeed("ping -c 1 ${clientNetCfg.address}")
-
- with subtest("DNS resolution of overlay hostnames"):
- client.succeed("ping -c 1 ${serverNetCfg.fqdn}")
- server.succeed("ping -c 1 ${clientNetCfg.fqdn}")
-
- with subtest("SSH access restricted by role"):
- client.succeed("ssh ${sshOptions} seb@${serverNetCfg.fqdn} 'echo Hello'")
- server.fail("ssh ${sshOptions} seb@${clientNetCfg.fqdn} 'echo Hello'")
- '';
-}
diff --git a/tests/infrastructure/keys/ca.crt b/tests/infrastructure/keys/ca.crt
deleted file mode 100644
index 5b6272b..0000000
--- a/tests/infrastructure/keys/ca.crt
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN NEBULA CERTIFICATE V2-----
-MHygFoAEdGVzdIQB/4UEaY8shIYFASWHSoSCIM0af4sq7VnPAySG5h9fwiq/XHvD
-a0Ssbk1+KVWFpR71g0DaZP8qR35Zut2z9i9D2bCDuagQNvvxCrkZ3JcF0gMvWu3u
-uzKQMKzJSqipppgL/n3iQwwsBAoHYrx1XAY6zXgE
------END NEBULA CERTIFICATE V2-----
diff --git a/tests/infrastructure/keys/ca.key b/tests/infrastructure/keys/ca.key
deleted file mode 100644
index 4a22aa1..0000000
--- a/tests/infrastructure/keys/ca.key
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN NEBULA ED25519 PRIVATE KEY-----
-8kwpb4GZIphJmamXx0ZrLm5TxPZ7G88L44mrdT2dQp3NGn+LKu1ZzwMkhuYfX8Iq
-v1x7w2tErG5NfilVhaUe9Q==
------END NEBULA ED25519 PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/client-ssh b/tests/infrastructure/keys/client-ssh
deleted file mode 100644
index 125085e..0000000
--- a/tests/infrastructure/keys/client-ssh
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACAlgMZnmVp3UFMSm/8Q/rhtOw3ioF7mpaBUyvXFwmBkMQAAAJCrUHOSq1Bz
-kgAAAAtzc2gtZWQyNTUxOQAAACAlgMZnmVp3UFMSm/8Q/rhtOw3ioF7mpaBUyvXFwmBkMQ
-AAAEB7OMxyFWm+GuvQA/GCdLPPXwkqC9rhPKdrLQU5PRt1fiWAxmeZWndQUxKb/xD+uG07
-DeKgXualoFTK9cXCYGQxAAAACnNlYkBsYXB0b3ABAgM=
------END OPENSSH PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/client-ssh.pub b/tests/infrastructure/keys/client-ssh.pub
deleted file mode 100644
index 7cedc52..0000000
--- a/tests/infrastructure/keys/client-ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWAxmeZWndQUxKb/xD+uG07DeKgXualoFTK9cXCYGQx seb@laptop
diff --git a/tests/infrastructure/keys/client.crt b/tests/infrastructure/keys/client.crt
deleted file mode 100644
index 008e6f1..0000000
--- a/tests/infrastructure/keys/client.crt
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN NEBULA CERTIFICATE V2-----
-MIGwoEqABmNsaWVudKEHBAUKCgoDGKMIDAZjbGllbnSFBGmPLfCGBQElh0qDhyA8
-ckeBMU2fPOMFe8cEQoAZW3a1/xd+hPuJgkRptJYkIIIg+h9fWh7oVaJEMJmmfCcC
-zmFUQuPen59PiEE0+AKBbCyDQAIqxF7cIf5fL+z3zimUASA4hB5qFUCGEH+Er/Z6
-vFXe0jHV4HYRBMaXgrM8JYnsGZgTtdyt+mlJR+uBWpH+pwg=
------END NEBULA CERTIFICATE V2-----
diff --git a/tests/infrastructure/keys/client.key b/tests/infrastructure/keys/client.key
deleted file mode 100644
index 978cb32..0000000
--- a/tests/infrastructure/keys/client.key
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN NEBULA X25519 PRIVATE KEY-----
-qURs9kzi3rsW8GLnOtzEV11M9TWs+0XSQxpEFN9Ab1Y=
------END NEBULA X25519 PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/lighthouse.crt b/tests/infrastructure/keys/lighthouse.crt
deleted file mode 100644
index cae3a07..0000000
--- a/tests/infrastructure/keys/lighthouse.crt
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN NEBULA CERTIFICATE V2-----
-MIG0oE6ACmxpZ2h0aG91c2WhBwQFCgoKARijCAwGc2VydmVyhQRpjy1MhgUBJYdK
-g4cgPHJHgTFNnzzjBXvHBEKAGVt2tf8XfoT7iYJEabSWJCCCIOfG1wz7tFj9GCvc
-nth3Wm4oGYfK/iR7hbSXts8uAOwhg0DRuHJ6mGgi2deJIDz7aI6KmhMiWkdEnoxA
-X8Eo5lZ4iIqyIiC8yAwYOMK1yHOVbfMplsUmhPgLw8Fu7wxSaiML
------END NEBULA CERTIFICATE V2-----
diff --git a/tests/infrastructure/keys/lighthouse.key b/tests/infrastructure/keys/lighthouse.key
deleted file mode 100644
index 49c7fe2..0000000
--- a/tests/infrastructure/keys/lighthouse.key
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN NEBULA X25519 PRIVATE KEY-----
-fR7KPdR2nDOZtR/gEI+qwKQXI9JSAdi/j7PjYTAJShE=
------END NEBULA X25519 PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/server-ssh b/tests/infrastructure/keys/server-ssh
deleted file mode 100644
index ced4abf..0000000
--- a/tests/infrastructure/keys/server-ssh
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACBJ2fq1Q0oa5oZsEZuznAiux5ODES6fAvtqmOiiEBkxWgAAAJCyC2p+sgtq
-fgAAAAtzc2gtZWQyNTUxOQAAACBJ2fq1Q0oa5oZsEZuznAiux5ODES6fAvtqmOiiEBkxWg
-AAAED6j1Y/BoQsyvxtApUWipiCHCT1SiVyXf3NgmSsAjHAZknZ+rVDShrmhmwRm7OcCK7H
-k4MRLp8C+2qY6KIQGTFaAAAACnNlYkBsYXB0b3ABAgM=
------END OPENSSH PRIVATE KEY-----
diff --git a/tests/infrastructure/keys/server-ssh.pub b/tests/infrastructure/keys/server-ssh.pub
deleted file mode 100644
index b591f07..0000000
--- a/tests/infrastructure/keys/server-ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnZ+rVDShrmhmwRm7OcCK7Hk4MRLp8C+2qY6KIQGTFa seb@laptop
diff --git a/tests/infrastructure/keys/server.crt b/tests/infrastructure/keys/server.crt
deleted file mode 100644
index aad9f69..0000000
--- a/tests/infrastructure/keys/server.crt
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN NEBULA CERTIFICATE V2-----
-MIGwoEqABnNlcnZlcqEHBAUKCgoCGKMIDAZzZXJ2ZXKFBGmPLYyGBQElh0qDhyA8
-ckeBMU2fPOMFe8cEQoAZW3a1/xd+hPuJgkRptJYkIIIgWaZqtu8FVy/2REaZAVFo
-BIOUaKrBSyrZuiLcBcFneR+DQOlv7S1H9Elhzl/8IhCCpiyamhkm4SL0eYV1N+S9
-lAsj3ga9dga/N5QqNZtWUs8RGgPzttNF8GOy0Evf10lZKwY=
------END NEBULA CERTIFICATE V2-----
diff --git a/tests/infrastructure/keys/server.key b/tests/infrastructure/keys/server.key
deleted file mode 100644
index 517eb56..0000000
--- a/tests/infrastructure/keys/server.key
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN NEBULA X25519 PRIVATE KEY-----
-ug2E1t5D3hFNSwivf+sz0S9Xb4k44F0WM0lYyfw3X8I=
------END NEBULA X25519 PRIVATE KEY-----