pinpox
diff --git a/‎clan-service-modules/wireguard.nix‎
Lines changed: 53 additions & 89 deletions b/‎clan-service-modules/wireguard.nix‎
Lines changed: 53 additions & 89 deletions
diff --git a/‎flake.nix‎
Lines changed: 8 additions & 4 deletions b/‎flake.nix‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎machines/birne/configuration.nix‎
Lines changed: 0 additions & 5 deletions b/‎machines/birne/configuration.nix‎
Lines changed: 0 additions & 5 deletions
diff --git a/‎machines/kartoffel/README.md‎
Lines changed: 0 additions & 60 deletions b/‎machines/kartoffel/README.md‎
Lines changed: 0 additions & 60 deletions
diff --git a/‎machines/kartoffel/configuration.nix‎
Lines changed: 0 additions & 1 deletion b/‎machines/kartoffel/configuration.nix‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎machines/kfbox/configuration.nix‎
Lines changed: 0 additions & 5 deletions b/‎machines/kfbox/configuration.nix‎
Lines changed: 0 additions & 5 deletions
diff --git a/‎machines/limette/configuration.nix‎
Lines changed: 0 additions & 1 deletion b/‎machines/limette/configuration.nix‎
Lines changed: 0 additions & 1 deletion
@@ -1,47 +1,35 @@
-# TODO add assertions like this:
-# perMachine = { instances }:
-#     # ...
-#            instanceNames = builtins.attrNames instances;
-#    # .....
-#            assertions =
-#             [
-#               {
-#                 assertion = builtins.length instanceNames == 1;
-#                 message = "The zerotier module currently only supports one instance per machine, but found ${builtins.toString instanceNames} on machine ${config.clan.core.settings.machine.name}";
-#               }
-#             ]
-#             # TODO: remove this assertion once we start verifying constraints again
-#             ++ (lib.mapAttrsToList (_instanceName: instance: {
-#               assertion = builtins.length (lib.attrNames instance.roles.controller.machines) == 1;
-#               message = "ZeroTier only supports one controller per network";
-#             }) instances);
-
 { lib, ... }:
 {
   _class = "clan.service";
   manifest.name = "wireguard";
 
-  # Define what roles exist
+  # Peer options and configuration
   roles.peer = {
+
     interface = {
 
-      # These options can be set via 'roles.client.settings'
       options.ip = lib.mkOption {
         type = lib.types.str;
-        # default = "0.0.0.0";
         example = "192.168.8.1";
         description = ''
           IP address of the host.
         '';
       };
+
+      options.extraIPs = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [];
+        example = [ "192.168.2.0/24" ];
+        description = ''
+          IP address of the host.
+        '';
+      };
     };
 
-    # Maps over all instances and produces one result per instance.
     perInstance =
       {
         instanceName,
         settings,
-        machine,
         roles,
         ...
       }:
@@ -51,50 +39,37 @@
         nixosModule =
           { config, ... }:
           {
-
-            networking.wireguard.interfaces =
-              let
-                # Get all controller names:
-                allControllerNames = (lib.attrNames roles.controller.machines);
-              in
-              {
-
-                "${instanceName}" = {
-
-                  ips = [ "${settings.ip}/24" ];
-
-                  peers = map (name: {
-
-                    # Public key of the server (not a file path).
-                    publicKey = (
-                      builtins.readFile (
-                        config.clan.core.settings.directory
-                        + "/vars/per-machine/${name}/wireguard-${instanceName}/publickey/value"
-                      )
-                    );
-
-                    # Don't forward all the traffic via VPN, only particular subnets
-                    allowedIPs = [ "192.168.8.0/24" ];
-
-                    # Server IP and port.
-                    endpoint = roles.controller.machines."${name}".settings.endpoint;
-
-                    # Send keepalives every 25 seconds. Important to keep NAT tables
-                    # alive.
-                    persistentKeepalive = 25;
-
-                  }) allControllerNames;
-                };
+            networking.wireguard.interfaces = {
+              "${instanceName}" = {
+                ips = [ "${settings.ip}/24" ];
+                peers = map (name: {
+                  # Public key of the server
+                  publicKey = (
+                    builtins.readFile (
+                      config.clan.core.settings.directory
+                      + "/vars/per-machine/${name}/wireguard-${instanceName}/publickey/value"
+                    )
+                  );
+
+                  # Don't forward all the traffic via VPN, only particular subnets
+                  allowedIPs = [ "192.168.8.0/24" ];
+
+                  # Server IP and port
+                  endpoint = roles.controller.machines."${name}".settings.endpoint;
+
+                  # Send keepalives every 25 seconds to keep NAT tables alive
+                  persistentKeepalive = 25;
+
+                }) (lib.attrNames roles.controller.machines);
               };
+            };
           };
       };
   };
 
+  # Controller options and configuration
   roles.controller = {
     interface = {
-      # These options can be set via 'roles.server.settings'
-      # options.dynamicIp.enable =with lib; mkOption { type = bool; };
-
       options.endpoint = lib.mkOption {
         type = lib.types.str;
         example = "vpn.pablo.tools:51820";
@@ -143,7 +118,7 @@
                 allowedIPs = [
                   # TODO we might want to add extra ip's here, e.g. for birne?
                   roles.peer.machines."${peer}".settings.ip
-                ];
+                ] ++ roles.peer.machines."${peer}".settings.extraIPs;
 
                 persistentKeepalive = 25;
               }) (lib.attrNames roles.peer.machines);
@@ -153,43 +128,32 @@
       };
   };
 
-  # Maps over all machines and produces one result per machine.
+  # Maps over all machines and produces one result per machine, regardless of role
   perMachine =
+    { instances, ... }:
     {
-      instances,
-      machine,
-      # instanceName,
-      ...
-    }:
-    {
-      # Analog to 'perSystem' of flake-parts.
-      # For every machine of this service we will add exactly one nixosModule to a machine
       nixosModule =
         { config, pkgs, ... }:
         {
 
+          # Generate keys for each instance of the host
+          clan.core.vars.generators = lib.mapAttrs' (
+            name: value:
+            lib.nameValuePair ("wireguard-" + name) {
+              files.publickey.secret = false;
+              files.privatekey = { };
+              runtimeInputs = with pkgs; [ wireguard-tools ];
+              script = ''
+                wg genkey > $out/privatekey
+                wg pubkey < $out/privatekey > $out/publickey
+              '';
+            }
+          ) instances;
+
+          # Set the private key for each instance
           networking.wireguard.interfaces = builtins.mapAttrs (name: _: {
             privateKeyFile = "${config.clan.core.vars.generators."wireguard-${name}".files."privatekey".path}";
           }) instances;
-
-          clan.core.vars.generators =
-
-            # mapAttrs' (name: value: nameValuePair ("foo_" + name) ("bar-" + value))
-            #    { x = "a"; y = "b"; }
-            # => { foo_x = "bar-a"; foo_y = "bar-b"; }
-
-            lib.mapAttrs' (
-              name: value:
-              lib.nameValuePair ("wireguard-" + name) {
-                files.publickey.secret = false;
-                files.privatekey = { };
-                runtimeInputs = with pkgs; [ wireguard-tools ];
-                script = ''
-                  wg genkey > $out/privatekey
-                  wg pubkey < $out/privatekey > $out/publickey
-                '';
-              }
-            ) instances;
         };
     };
 }
@@ -185,12 +185,16 @@
                 endpoint = "vpn.pablo.tools:51820";
               };
 
-              roles.peer.machines.kartoffel.settings.ip = "192.168.8.3";
-              roles.peer.machines.limette.settings.ip = "192.168.8.8";
-              roles.peer.machines.porree.settings.ip = "192.168.8.1";
+              roles.peer.machines = {
+                kartoffel.settings.ip = "192.168.8.3";
+                limette.settings.ip = "192.168.8.8";
+                # porree.settings.ip = "192.168.8.1";
+                kfbox.settings.ip = "192.168.8.5";
+                birne.settings.ip = "192.168.8.4";
+                birne.settings.extraIPs = [ "192.168.2.0/24" ];
+              };
 
               # roles.peer.tags.all = { };
-              # roles.peer.settings.peerFileText = "CLIENT";
             };
           };
 
 
@@ -34,11 +34,6 @@
       home-assistant.enable = true;
     };
 
-    wg-client = {
-      enable = true;
-      clientIp = "192.168.7.4";
-    };
-
     defaults = {
       lvm-grub.enable = true;
       environment.enable = true;
 
@@ -11,7 +11,6 @@
 
   pinpox.desktop = {
     enable = true;
-    wireguardIp = "192.168.7.3";
     hostname = "kartoffel";
   };
 
 
@@ -87,11 +87,6 @@ in
       stateVersion = "22.05";
     };
 
-    wg-client = {
-      enable = true;
-      clientIp = "192.168.7.5";
-    };
-
     services = {
       # TODO Add miniflux and vikunja to dex
       # TODO Remove gitea apps
 
@@ -32,7 +32,6 @@
 
   pinpox.desktop = {
     enable = true;
-    wireguardIp = "192.168.7.8";
     hostname = "limette";
   };