diff --git a/modules/nixos/access.nix b/modules/nixos/access.nix
index 285923f5..9a88d3d5 100644
--- a/modules/nixos/access.nix
+++ b/modules/nixos/access.nix
@@ -3,22 +3,84 @@ lib, ... }: let - inherit (lib.modules) mkIf; + inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; inherit (lib.options) mkOption; - inherit (config.networking) hostName; + inherit (lib.lists) optionals; + inherit (config.services) tailscale avahi; + inherit (config) networking; + inherit (networking) hostName; + cidrModule = { config, ... }: { + options = with lib.types; { + all = mkOption { + type = listOf str; + readOnly = true; + }; + v4 = mkOption { + type = listOf str; + default = [ ]; + }; + v6 = mkOption { + type = listOf str; + default = [ ]; + }; + }; + config.all = mkOptionDefault ( + config.v4 + ++ optionals networking.enableIPv6 config.v6 + ); + }; in { options.networking.access = with lib.types; { hostnameForNetwork = mkOption { type = attrsOf str; default = { }; }; + cidrForNetwork = mkOption { + type = attrsOf (submodule cidrModule); + default = { }; + }; }; config.networking.access = { hostnameForNetwork = { - local = mkIf config.services.avahi.enable "${hostName}.local.gensokyo.zone"; - tail = mkIf config.services.tailscale.enable "${hostName}.tail.gensokyo.zone"; - global = mkIf config.networking.enableIPv6 "${hostName}.gensokyo.zone"; + local = let + eth0 = config.systemd.network.networks.eth0 or { }; + hasStaticAddress = eth0.address or [ ] != [ ] || eth0.addresses or [ ] != [ ]; + hasSLAAC = eth0.slaac.enable or false; + in mkMerge [ + (mkIf (hasStaticAddress || hasSLAAC) (mkDefault "${hostName}.local.${config.networking.domain}")) + (mkIf (avahi.enable && avahi.publish.enable) (mkOptionDefault "${hostName}.local")) + ]; + tail = mkIf tailscale.enable "${hostName}.tail.${config.networking.domain}"; + global = mkIf (networking.enableIPv6 && networking.tempAddresses == "disabled") "${hostName}.${config.networking.domain}"; + }; + cidrForNetwork = { + loopback = { + v4 = [ + "127.0.0.0/8" + ]; + v6 = [ + "::1" + ]; + }; + local = { + v4 = [ + "10.1.1.0/24" + ]; + v6 = [ + "fd0a::/64" + "fe80::/64" + ]; + }; + tail = 
mkIf tailscale.enable {
+ v4 = [
+ "100.64.0.0/10"
+ ];
+ v6 = [
+ "fd7a:115c:a1e0::/96"
+ "fd7a:115c:a1e0:ab12::/64"
+ ];
+ };
 };
 };
 }
diff --git a/modules/nixos/home-assistant.nix b/modules/nixos/home-assistant.nix
index fa1d04db..77f820a2 100644
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@@ -7,7 +7,7 @@
 cfg = config.services.home-assistant;
 inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
 inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.lists) optional elem;
+ inherit (lib.lists) optional optionals elem;
 inherit (lib.strings) toLower;
 in {
 options.services.home-assistant = with lib.types; {
@@ -83,15 +83,13 @@
 "https://www.home-assistant.io"
 ];
 use_x_forwarded_for = "true";
- trusted_proxies = [
- "127.0.0.0/24"
+ trusted_proxies = let
+ inherit (config.networking.access) cidrForNetwork;
+ in cidrForNetwork.loopback.all
+ ++ cidrForNetwork.local.all
+ ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all
+ ++ [
 "200::/7"
- "100.64.0.0/10"
- "fd7a:115c:a1e0:ab12::/64"
- "fd7a:115c:a1e0::/96"
- "10.1.1.0/24"
- "fd0a::/64"
- "::1"
 ];
 };
 recorder = {
diff --git a/modules/nixos/nginx-local.nix b/modules/nixos/nginx-local.nix
index 3a3d47d3..38981318 100644
--- a/modules/nixos/nginx-local.nix
+++ b/modules/nixos/nginx-local.nix
@@ -5,8 +5,10 @@
 }: let
 inherit (lib.modules) mkIf mkBefore;
 inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.strings) optionalString;
+ inherit (lib.strings) concatMapStringsSep;
+ inherit (lib.lists) optionals;
 inherit (config.services) tailscale;
+ inherit (config.networking.access) cidrForNetwork;
 localModule = { config, ... }: {
 options = with lib.types; {
 local = {
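Review bot: `v6 = [ "::1" ];` under `cidrForNetwork.loopback` is a bare address while every other entry in this hunk carries a prefix length, and the postgres.nix hunk of this commit now feeds `loopback.all` into pg_hba.conf `host` lines, where an address without a mask (or a separate netmask column) is, as far as I recall, rejected when the file is loaded. Writing `"::1/128"` keeps the option to the CIDR contract its name promises; nginx `allow` and Home Assistant's trusted_proxies accept that form too. Separately, the three `hostnameForNetwork` values interpolate `config.networking.domain`, which NixOS defaults to null, so evaluation now fails on a host that never sets it where the removed hard-coded `gensokyo.zone` did not. Either wrap those definitions in `mkIf (config.networking.domain != null)` or document the requirement on the option, e.g. `# requires networking.domain to be set; used as the suffix for every network name`.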
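Review bot: `trusted_proxies` now takes its membership from `cidrForNetwork.local.all`, which in this commit's access.nix includes `fe80::/64`, and from `loopback.all`, which widens the removed `127.0.0.0/24` to `127.0.0.0/8`; neither range was in the old list. Home Assistant takes X-Forwarded-For from a trusted proxy as the real client address, which is what its login throttling and IP ban key on, so this extends the set of hosts that can present an arbitrary client address from the LAN range that was already trusted to the link-local range as well. A trusted_proxies entry is meant to name the reverse proxy host(s) rather than every network the proxy could sit on; deriving it from the nginx host's address (loopback only when nginx is co-located) and leaving the cidrForNetwork lists to the nginx `allow` rules keeps the old scope. The `local.allow` list in the postgres.nix hunk picks up the same two ranges, and the kanidm.nix allow list gains them as well.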
@@ -15,26 +17,31 @@
 };
 config = mkIf config.local.enable {
 extraConfig = let
- tailscaleAllow = ''
- allow fd7a:115c:a1e0::/96;
- allow fd7a:115c:a1e0:ab12::/64;
- allow 100.64.0.0/10;
- '';
+ mkAllow = cidr: "allow ${cidr};";
+ allowAddresses =
+ cidrForNetwork.loopback.all
+ ++ cidrForNetwork.local.all
+ ++ optionals tailscale.enable cidrForNetwork.tail.all;
+ allows = concatMapStringsSep "\n" mkAllow allowAddresses;
 in mkBefore ''
- allow 127.0.0.0/8;
- allow ::1;
- allow 10.1.1.0/24;
- allow fd0a::/64;
- allow fe80::/64;
- ${optionalString tailscale.enable tailscaleAllow}
- deny all;
+ ${allows}
+ deny all;
 '';
 };
 };
+ hostModule = { config, ... }: {
+ imports = [ localModule ];
+
+ options = with lib.types; {
+ locations = mkOption {
+ type = attrsOf (submodule localModule);
+ };
+ };
+ };
 in {
 options = with lib.types; {
 services.nginx.virtualHosts = mkOption {
- type = attrsOf (submodule localModule);
+ type = attrsOf (submodule hostModule);
 };
 };
 }
diff --git a/modules/nixos/postgres.nix b/modules/nixos/postgres.nix
index ed2ac2ae..816465ae 100644
--- a/modules/nixos/postgres.nix
+++ b/modules/nixos/postgres.nix
@@ -6,6 +6,7 @@
 inherit (lib.modules) mkIf mkMerge mkOptionDefault mkDefault;
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.lists) any;
+ inherit (config) networking;
 cfg = config.services.postgresql;
 ensureUserModule = { config, ... }: {
 options = with lib.types; {
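Review bot: The `mkAllow` / `allowAddresses` / `allows` let-block added here is repeated verbatim in the kanidm.nix hunk of this commit, so the two nginx allow lists can drift apart the next time one of them is edited; rendering the `allow … ; deny all;` block once in access.nix (for instance as a string option beside `cidrForNetwork`) would give both consumers a single definition. A smaller style point: `${allows}` is a multi-line value interpolated into an indented `''` string, so only its first `allow` line inherits the string's indentation and the remaining lines land at column 0, which nginx accepts but makes the rendered config read oddly. The `localModule` option declarations that this `config` block belongs to start above the hunk.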
@@ -38,16 +39,11 @@
 };
 config = {
 authentication = {
- hosts = mkMerge [
- (mkIf config.authentication.tailscale.allow [
- "fd7a:115c:a1e0::/96"
- "fd7a:115c:a1e0:ab12::/64"
- "100.64.0.0/10"
- ])
- (mkIf config.authentication.local.allow [
- "10.1.1.0/24"
- "fd0a::/64"
- ])
+ hosts = let
+ inherit (networking.access) cidrForNetwork;
+ in mkMerge [
+ (mkIf config.authentication.tailscale.allow cidrForNetwork.tail.all)
+ (mkIf config.authentication.local.allow (cidrForNetwork.loopback.all ++ cidrForNetwork.local.all))
 ];
 authentication = mkMerge (map (host: ''
 host ${config.authentication.database} ${config.name} ${host} ${config.authentication.method}
diff --git a/nixos/access/kanidm.nix b/nixos/access/kanidm.nix
index dc905471..54c31148 100644
--- a/nixos/access/kanidm.nix
+++ b/nixos/access/kanidm.nix
@@ -6,7 +6,10 @@
 let
 inherit (lib.options) mkOption;
 inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
- inherit (lib.strings) optionalString;
+ inherit (lib.strings) concatMapStringsSep;
+ inherit (lib.lists) optionals;
+ inherit (config.services) tailscale;
+ inherit (config.networking.access) cidrForNetwork;
 cfg = config.services.kanidm;
 access = config.services.nginx.access.kanidm;
 proxyPass = mkDefault "http://${access.host}:${toString access.port}";
@@ -18,13 +21,15 @@ let
 alias = "${cfg.server.unencrypted.package.ca}";
 };
 };
- allows = optionalString config.services.tailscale.enable ''
- allow fd7a:115c:a1e0::/96;
- allow fd7a:115c:a1e0:ab12::/64;
- allow 100.64.0.0/10;
- '' + ''
- allow 10.1.1.0/24;
- allow fd0a::/64;
+ allows = let
+ mkAllow = cidr: "allow ${cidr};";
+ allowAddresses =
+ cidrForNetwork.loopback.all
+ ++ cidrForNetwork.local.all
+ ++ optionals tailscale.enable cidrForNetwork.tail.all;
+ allows = concatMapStringsSep "\n" mkAllow allowAddresses;
+ in ''
+ ${allows}
 deny all;
 '';
 in {
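Review bot: `cidrForNetwork.tail.all` is read whenever `config.authentication.tailscale.allow` is set, but access.nix in this commit only defines `cidrForNetwork.tail` under `mkIf tailscale.enable`, and as I read attrsOf's handling of a false mkIf the attribute is then absent entirely, so a user entry with `tailscale.allow = true` on a host without Tailscale fails evaluation with a missing-attribute error inside the submodule rather than a message naming the cause. The nginx-local.nix, kanidm.nix and home-assistant.nix hunks each guard the same read with `optionals … tailscale.enable`; this one does not. Reading it as `(mkIf config.authentication.tailscale.allow (cidrForNetwork.tail.all or [ ]))` keeps the pg_hba list empty in that case, or an assertion in the outer module can state the conflict explicitly. Since `config` here is the ensureUserModule submodule argument, the outer `networking` inherit is the right route to `cidrForNetwork`; a one-line comment would save the next reader the detour, e.g. `# networking is the outer config's; this submodule's config has no networking.access`. The submodule's option declarations sit above the hunk.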