more more things into registry

flake.nix

@@ -212,7 +212,7 @@
 
         staging-data-hoarder = {
           system = "x86_64-linux";
-          specialArgs = { inherit inputs self; registry = registry.data-hoarder; };
+          specialArgs = { inherit inputs self; registry = registry.staging-data-hoarder; };
           modules = [
             ./hosts/staging-data-hoarder
             microvm.nixosModules.microvm
@@ -221,7 +221,7 @@
 
         notice-me-senpai = {
           system = "x86_64-linux";
-          specialArgs = { inherit inputs self; };
+          specialArgs = { inherit inputs self; registry = registry.notice-me-senpai; };
           modules = [
             sops-nix.nixosModules.sops
             ./modules/TLMS
@@ -231,7 +231,7 @@
 
         tram-borzoi = {
           system = "x86_64-linux";
-          specialArgs = { inherit inputs self; };
+          specialArgs = { inherit inputs self; registry = registry.tram-borzoi; };
           modules = [
             sops-nix.nixosModules.sops
             microvm.nixosModules.microvm
@@ -246,14 +246,13 @@
 
         uranus = {
           system = "x86_64-linux";
-          specialArgs = { inherit inputs self; };
+          specialArgs = { inherit inputs self; registry = registry.uranus; };
           modules = [
             sops-nix.nixosModules.sops
             microvm.nixosModules.microvm
 
             ./modules/TLMS
             ./hosts/uranus
-            { deployment-TLMS.monitoring.enable = true; }
           ];
         };
       };

hosts/data-hoarder/wireguard_server.nix

@@ -1,19 +1,12 @@
-{ config, ... }:
-let
-  port = 51820;
-in
+{ config, registry, ... }:
 {
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 
-  networking.firewall.allowedUDPPorts = [ port ];
+  networking.firewall.allowedUDPPorts = [ registry.publicWireguardEndpoint.port ];
 
   deployment-TLMS.net.wg = {
-    ownEndpoint.host = "endpoint.tlm.solutions";
-    ownEndpoint.port = port;
-    addr4 = "10.13.37.1";
     prefix4 = 24;
     privateKeyFile = config.sops.secrets.wg-seckey.path;
-    publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
     extraPeers = [
       {
         # Tassilo

hosts/notice-me-senpai/configuration.nix

@@ -1,8 +1,6 @@
 { self, pkgs, lib, ... }: {
   sops.defaultSopsFile = self + /secrets/notice-me-senpai/secrets.yaml;
 
-  networking.hostName = "notice-me-senpai";
-
   boot = {
     tmp.cleanOnBoot = true;
     kernelPackages = pkgs.linuxPackages_latest;

hosts/notice-me-senpai/grafana.nix

@@ -1,4 +1,4 @@
-{ config, lib, self, ... }:
+{ config, lib, self, registry, ... }:
 let
   grafana_host = "grafana.tlm.solutions";
 in
@@ -18,15 +18,15 @@ in
       {
         enable = true;
         port = 9501;
-        listenAddress = config.deployment-TLMS.net.wg.addr4;
+        listenAddress = registry.wgAddr4;
         globalConfig = {
           scrape_interval = "131s";
         };
         scrapeConfigs =
           let
             ### Autogenerate prometheus scraper config
             # currently only wireguard-connected machines are getting scraped.
-            filterWgHosts = k: v: !(builtins.isNull v.config.deployment-TLMS.net.wg.addr4);
+            filterWgHosts = k: v: !(builtins.isNull v._module.specialArgs.registry.wgAddr4);
             wgHosts = lib.filterAttrs filterWgHosts self.nixosConfigurations;
 
             # collect active prometheus exporters
@@ -38,7 +38,7 @@ in
               job_name = "${hostname}_${exporter}";
               static_configs =
                 let
-                  ip = wgHosts."${hostname}".config.deployment-TLMS.net.wg.addr4;
+                  ip = wgHosts."${hostname}"._module.specialArgs.registry.wgAddr4;
                 in
                 [{
                   targets = [ "${ip}:${toString exporter-cfg.port}" ];

hosts/notice-me-senpai/wg.nix

@@ -5,9 +5,7 @@
   networking.wireguard.enable = true;
 
   deployment-TLMS.net.wg = {
-    addr4 = "10.13.37.200";
     prefix4 = 24;
     privateKeyFile = config.sops.secrets.wg-seckey.path;
-    publicKey = "z2E9TjL9nn0uuLmyQexqddE6g8peB5ENyf0LxpMolD4=";
   };
 }

hosts/staging-data-hoarder/configuration.nix

@@ -42,8 +42,6 @@ in
       }];
   };
 
-  networking.hostName = "staging-data-hoarder";
-
   time.timeZone = "Europe/Berlin";
 
   networking.useNetworkd = true;
@@ -70,10 +68,8 @@ in
     };
 
     wg = {
-      addr4 = "10.13.37.5";
       prefix4 = 24;
       privateKeyFile = config.sops.secrets.wg-seckey.path;
-      publicKey = "48hc7DVnUh2DHYhrxrNtNzj05MRecJO52j2niPImvkU=";
     };
 
   };

hosts/tram-borzoi/default.nix

@@ -46,13 +46,10 @@ in
       }];
   };
 
-  networking.hostName = "tram-borzoi";
-
   time.timeZone = "Europe/Berlin";
 
   networking.useNetworkd = true;
 
-
   sops.defaultSopsFile = ../../secrets/tram-borzoi/secrets.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
@@ -79,10 +76,8 @@ in
     };
 
     wg = {
-      addr4 = "10.13.37.8";
       prefix4 = 24;
       privateKeyFile = config.sops.secrets.wg-seckey.path;
-      publicKey = "wCW+r5kAaIarvZUWf4KsJNetyHobP0nNy5QOhqmsCCs=";
     };
 
   };

hosts/tram-borzoi/postgres.nix

@@ -14,7 +14,7 @@
     port = 5432;
     authentication =
       let
-        senpai-ip = self.nixosConfigurations.notice-me-senpai.config.deployment-TLMS.net.wg.addr4;
+        senpai-ip = self.nixosConfigurations.notice-me-senpai._module.specialArgs.registry.wgAddr4;
         # TODO: fixme
         uranus-ip = "10.13.37.9";
       in

hosts/uranus/default.nix

@@ -49,8 +49,6 @@ in
     ];
   };
 
-  networking.hostName = "uranus";
-
   time.timeZone = "Europe/Berlin";
 
   networking.useNetworkd = true;
@@ -82,10 +80,8 @@ in
     };
 
     wg = {
-      addr4 = "10.13.37.9";
       prefix4 = 24;
       privateKeyFile = config.sops.secrets.wg-seckey.path;
-      publicKey = "KwCG5CWPdNmrjEOYJYD2w0yhzoWpYHrjGbstdT5+pFk=";
     };
 
   };

modules/TLMS/base.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, config, lib, registry, ... }:
 let
   regMotd = ''
      _._     _,-'""`-._
@@ -31,6 +31,8 @@ in
 
   networking.useNetworkd = true;
 
+  networking.hostName = registry.hostName;
+
   console = {
     font = "Lat2-Terminus16";
     keyMap = "uk";

modules/TLMS/monitoring.nix

@@ -1,7 +1,7 @@
-{ lib, config, self, ... }:
+{ lib, config, self, registry, ... }:
 let
   cfg = config.deployment-TLMS.monitoring;
-  monitoring-host = self.nixosConfigurations.notice-me-senpai.config;
+  monitoring-host = self.nixosConfigurations.notice-me-senpai;
 in
 {
   options.deployment-TLMS.monitoring = with lib; {
@@ -32,15 +32,15 @@ in
 
   config =
     let
-      wg-addr-pred = lib.assertMsg (!(isNull config.deployment-TLMS.net.wg.addr4)) "to add system to monitoring, add it to TLMS wireguard first!";
+      wg-addr-pred = lib.assertMsg (registry ? wgAddr4) "to add system to monitoring, add it to TLMS wireguard first!";
     in
     lib.mkIf (cfg.enable && wg-addr-pred) {
       # prometheus node exporter
       services.prometheus.exporters = {
         node = {
           enable = true;
           port = cfg.node-exporter.port;
-          listenAddress = config.deployment-TLMS.net.wg.addr4;
+          listenAddress = registry.wgAddr4;
           enabledCollectors = [
             "systemd"
           ];
@@ -59,7 +59,7 @@ in
             filename = "/tmp/positions.yaml";
           };
           clients = [{
-            url = "http://${monitoring-host.deployment-TLMS.net.wg.addr4}:${toString monitoring-host.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
+            url = "http://${monitoring-host._module.specialArgs.registry.wgAddr4}:${toString monitoring-host.config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
           }];
           scrape_configs = [{
             job_name = "journal";

modules/TLMS/wg.nix

@@ -1,32 +1,13 @@
-{ lib, config, self, ... }:
+{ lib, config, self, registry, ... }:
 let
   cfg = config.deployment-TLMS.net.wg;
 in
 {
   options.deployment-TLMS.net.wg = with lib; {
 
-    ownEndpoint.host = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-    };
-    ownEndpoint.port = mkOption {
-      type = types.port;
-      default = 51820;
-    };
-
-    publicKey = mkOption {
-      type = types.str;
-      default = "";
-      description = "own public key";
-    };
     privateKeyFile = mkOption {
       type = types.either types.str types.path;
     };
-    addr4 = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-    };
-
     prefix4 = mkOption {
       type = types.int;
       default = 24;
@@ -55,35 +36,35 @@ in
       keepalive = 25;
 
       # helpers
-      peer-systems = (lib.filter (x: (x.config.deployment-TLMS.net.wg.addr4 != cfg.addr4) && (!isNull x.config.deployment-TLMS.net.wg.addr4))
-        (lib.attrValues self.nixosConfigurations));
+      registries = builtins.attrValues (builtins.mapAttrs (name: value: value.specialArgs.registry) self.unevaluatedNixosConfigurations);
+
+      # find all other systems registries with wireguard
+      peerSystemRegistries = (lib.filter (x: (x.wgAddr4 != registry.wgAddr4) && (!isNull x.wgAddr4)) registries);
 
-      endpoint =
+      # find all endpoint registries
+      endpointRegistries =
         let
           ep = (lib.filter
-            (x:
-              x.config.deployment-TLMS.net.wg.addr4 != cfg.addr4
-              && (!isNull x.config.deployment-TLMS.net.wg.ownEndpoint.host))
-            (lib.attrValues self.nixosConfigurations));
+            (x: x.wgAddr4 != registry.wgAddr4 && (!isNull x.publicWireguardEndpoint)) registries);
         in
         assert lib.assertMsg (lib.length ep == 1) "there should be exactly one endpoint"; ep;
 
       peers = map
         (x: {
           wireguardPeerConfig = {
-            PublicKey = x.config.deployment-TLMS.net.wg.publicKey;
-            AllowedIPs = [ "${x.config.deployment-TLMS.net.wg.addr4}/32" ];
+            PublicKey = x.wireguardPublicKey;
+            AllowedIPs = [ "${x.wgAddr4}/32" ];
             PersistentKeepalive = keepalive;
           };
         })
-        peer-systems;
+        peerSystemRegistries;
 
       ep = [{
         wireguardPeerConfig =
-          let x = lib.elemAt endpoint 0; in {
-            PublicKey = x.config.deployment-TLMS.net.wg.publicKey;
-            AllowedIPs = [ "${x.config.deployment-TLMS.net.wg.addr4}/${toString cfg.prefix4}" ];
-            Endpoint = with x.config.deployment-TLMS.net.wg.ownEndpoint; "${host}:${toString port}";
+          let x = lib.elemAt endpointRegistries 0; in {
+            PublicKey = x.wireguardPublicKey;
+            AllowedIPs = [ "${x.wgAddr4}/${toString cfg.prefix4}" ];
+            Endpoint = with x.publicWireguardEndpoint; "${host}:${toString port}";
             PersistentKeepalive = keepalive;
           };
       }];
@@ -98,7 +79,7 @@ in
       dvbwg-wireguard = {
         PrivateKeyFile = cfg.privateKeyFile;
       } //
-      (if !isNull cfg.ownEndpoint.host then { ListenPort = cfg.ownEndpoint.port; } else { });
+      (if !isNull registry.publicWireguardEndpoint then { ListenPort = registry.publicWireguardEndpoint.port; } else { });
 
       expeers = map
         (x: {
@@ -110,9 +91,9 @@ in
         })
         cfg.extraPeers;
 
-      peerconf = if isNull cfg.ownEndpoint.host then ep else (peers ++ expeers);
+      peerconf = if isNull registry.publicWireguardEndpoint then ep else (peers ++ expeers);
     in
-    lib.mkIf (!isNull cfg.addr4) {
+    lib.mkIf (registry ? wgAddr4) {
       networking.wireguard.enable = true;
 
       networking.firewall.trustedInterfaces = [ dvbwg-name ];
@@ -125,7 +106,7 @@ in
       systemd.network.networks."30-${dvbwg-name}" = {
         matchConfig.Name = dvbwg-name;
         networkConfig = {
-          Address = "${cfg.addr4}/${toString cfg.prefix4}";
+          Address = "${registry.wgAddr4}/${toString cfg.prefix4}";
         };
       };
     };

modules/data-hoarder/postgres.nix

@@ -6,7 +6,7 @@
     enableTCPIP = true;
     authentication = let
       senpai-ip =
-        self.nixosConfigurations.notice-me-senpai.config.deployment-TLMS.net.wg.addr4;
+        self.nixosConfigurations.notice-me-senpai._module.specialArgs.registry.wgAddr4;
     in pkgs.lib.mkOverride 10 ''
       local	all	all	trust
       host	all	all	127.0.0.1/32	trust

modules/data-hoarder/socket.nix

@@ -5,7 +5,7 @@
     defaultWebsocket = { inherit (registry.port-funnel) host port; };
     metrics = {
       inherit (registry.port-funnel-metrics) port;
-      host = config.deployment-TLMS.net.wg.addr4;
+      host = registry.wgAddr4;
     };
   };
   services = {

modules/traffic-stop-box/configuration.nix

@@ -3,8 +3,6 @@
 {
   boot.tmp.useTmpfs = true;
 
-  networking.hostName = registry.hostName;
-
   # reboot 60 seconds after kernel panic
   boot.kernel.sysctl."kernel.panic" = 60;
 

modules/traffic-stop-box/wireguard-client.nix

@@ -8,8 +8,6 @@
   };
 
   deployment-TLMS.net.wg = {
-    addr4 = registry.wgAddr4;
-    publicKey = registry.wireguardPublicKey;
     prefix4 = 24;
     privateKeyFile = lib.mkDefault config.sops.secrets.wg-seckey.path;
   };