refactor(access): common ranges

modules/nixos/access.nix

@@ -3,22 +3,84 @@
   lib,
   ...
 }: let
-  inherit (lib.modules) mkIf;
+  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
   inherit (lib.options) mkOption;
-  inherit (config.networking) hostName;
+  inherit (lib.lists) optionals;
+  inherit (config.services) tailscale avahi;
+  inherit (config) networking;
+  inherit (networking) hostName;
+  cidrModule = { config, ... }: {
+    options = with lib.types; {
+      all = mkOption {
+        type = listOf str;
+        readOnly = true;
+      };
+      v4 = mkOption {
+        type = listOf str;
+        default = [ ];
+      };
+      v6 = mkOption {
+        type = listOf str;
+        default = [ ];
+      };
+    };
+    config.all = mkOptionDefault (
+      config.v4
+      ++ optionals networking.enableIPv6 config.v6
+    );
+  };
 in {
   options.networking.access = with lib.types; {
     hostnameForNetwork = mkOption {
       type = attrsOf str;
       default = { };
     };
+    cidrForNetwork = mkOption {
+      type = attrsOf (submodule cidrModule);
+      default = { };
+    };
   };
 
   config.networking.access = {
     hostnameForNetwork = {
-      local = mkIf config.services.avahi.enable "${hostName}.local.gensokyo.zone";
+      local = let
-      tail = mkIf config.services.tailscale.enable "${hostName}.tail.gensokyo.zone";
+        eth0 = config.systemd.network.networks.eth0 or { };
-      global = mkIf config.networking.enableIPv6 "${hostName}.gensokyo.zone";
+        hasStaticAddress = eth0.address or [ ] != [ ] || eth0.addresses or [ ] != [ ];
+        hasSLAAC = eth0.slaac.enable or false;
+      in mkMerge [
+        (mkIf (hasStaticAddress || hasSLAAC) (mkDefault "${hostName}.local.${config.networking.domain}"))
+        (mkIf (avahi.enable && avahi.publish.enable) (mkOptionDefault "${hostName}.local"))
+      ];
+      tail = mkIf tailscale.enable "${hostName}.tail.${config.networking.domain}";
+      global = mkIf (networking.enableIPv6 && networking.tempAddresses == "disabled") "${hostName}.${config.networking.domain}";
+    };
+    cidrForNetwork = {
+      loopback = {
+        v4 = [
+          "127.0.0.0/8"
+        ];
+        v6 = [
+          "::1"
+        ];
+      };
+      local = {
+        v4 = [
+          "10.1.1.0/24"
+        ];
+        v6 = [
+          "fd0a::/64"
+          "fe80::/64"
+        ];
+      };
+      tail = mkIf tailscale.enable {
+        v4 = [
+          "100.64.0.0/10"
+        ];
+        v6 = [
+          "fd7a:115c:a1e0::/96"
+          "fd7a:115c:a1e0:ab12::/64"
+        ];
+      };
     };
   };
 }

modules/nixos/home-assistant.nix

@@ -7,7 +7,7 @@
   cfg = config.services.home-assistant;
   inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
   inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.lists) optional elem;
+  inherit (lib.lists) optional optionals elem;
   inherit (lib.strings) toLower;
 in {
   options.services.home-assistant = with lib.types; {
@@ -83,15 +83,13 @@ in {
             "https://www.home-assistant.io"
           ];
           use_x_forwarded_for = "true";
-          trusted_proxies = [
+          trusted_proxies = let
-            "127.0.0.0/24"
+            inherit (config.networking.access) cidrForNetwork;
+          in cidrForNetwork.loopback.all
+          ++ cidrForNetwork.local.all
+          ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all
+          ++ [
             "200::/7"
-            "100.64.0.0/10"
-            "fd7a:115c:a1e0:ab12::/64"
-            "fd7a:115c:a1e0::/96"
-            "10.1.1.0/24"
-            "fd0a::/64"
-            "::1"
           ];
         };
         recorder = {

modules/nixos/nginx-local.nix

@@ -5,8 +5,10 @@
 }: let
   inherit (lib.modules) mkIf mkBefore;
   inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.strings) optionalString;
+  inherit (lib.strings) concatMapStringsSep;
+  inherit (lib.lists) optionals;
   inherit (config.services) tailscale;
+  inherit (config.networking.access) cidrForNetwork;
   localModule = { config, ... }: {
     options = with lib.types; {
       local = {
@@ -15,26 +17,31 @@
     };
     config = mkIf config.local.enable {
       extraConfig = let
-        tailscaleAllow = ''
+        mkAllow = cidr: "allow ${cidr};";
-          allow fd7a:115c:a1e0::/96;
+        allowAddresses =
-          allow fd7a:115c:a1e0:ab12::/64;
+          cidrForNetwork.loopback.all
-          allow 100.64.0.0/10;
+          ++ cidrForNetwork.local.all
-        '';
+          ++ optionals tailscale.enable cidrForNetwork.tail.all;
+        allows = concatMapStringsSep "\n" mkAllow allowAddresses;
       in mkBefore ''
-        allow 127.0.0.0/8;
+        ${allows}
-        allow ::1;
-        allow 10.1.1.0/24;
-        allow fd0a::/64;
-        allow fe80::/64;
-        ${optionalString tailscale.enable tailscaleAllow}
         deny all;
       '';
     };
   };
+  hostModule = { config, ... }: {
+    imports = [ localModule ];
+
+    options = with lib.types; {
+      locations = mkOption {
+        type = attrsOf (submodule localModule);
+      };
+    };
+  };
 in {
   options = with lib.types; {
     services.nginx.virtualHosts = mkOption {
-      type = attrsOf (submodule localModule);
+      type = attrsOf (submodule hostModule);
     };
   };
 }

modules/nixos/postgres.nix

@@ -6,6 +6,7 @@
   inherit (lib.modules) mkIf mkMerge mkOptionDefault mkDefault;
   inherit (lib.options) mkOption mkEnableOption;
   inherit (lib.lists) any;
+  inherit (config) networking;
   cfg = config.services.postgresql;
   ensureUserModule = { config, ... }: {
     options = with lib.types; {
@@ -38,16 +39,11 @@
     };
     config = {
       authentication = {
-        hosts = mkMerge [
+        hosts = let
-          (mkIf config.authentication.tailscale.allow [
+          inherit (networking.access) cidrForNetwork;
-            "fd7a:115c:a1e0::/96"
+        in mkMerge [
-            "fd7a:115c:a1e0:ab12::/64"
+          (mkIf config.authentication.tailscale.allow cidrForNetwork.tail.all)
-            "100.64.0.0/10"
+          (mkIf config.authentication.local.allow (cidrForNetwork.loopback.all ++ cidrForNetwork.local.all))
-          ])
-          (mkIf config.authentication.local.allow [
-            "10.1.1.0/24"
-            "fd0a::/64"
-          ])
         ];
         authentication = mkMerge (map (host: ''
           host ${config.authentication.database} ${config.name} ${host} ${config.authentication.method}

nixos/access/kanidm.nix

@@ -6,7 +6,10 @@
 let
   inherit (lib.options) mkOption;
   inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
-  inherit (lib.strings) optionalString;
+  inherit (lib.strings) concatMapStringsSep;
+  inherit (lib.lists) optionals;
+  inherit (config.services) tailscale;
+  inherit (config.networking.access) cidrForNetwork;
   cfg = config.services.kanidm;
   access = config.services.nginx.access.kanidm;
   proxyPass = mkDefault "http://${access.host}:${toString access.port}";
@@ -18,13 +21,15 @@ let
       alias = "${cfg.server.unencrypted.package.ca}";
     };
   };
-  allows = optionalString config.services.tailscale.enable ''
+  allows = let
-    allow fd7a:115c:a1e0::/96;
+    mkAllow = cidr: "allow ${cidr};";
-    allow fd7a:115c:a1e0:ab12::/64;
+    allowAddresses =
-    allow 100.64.0.0/10;
+      cidrForNetwork.loopback.all
-  '' + ''
+      ++ cidrForNetwork.local.all
-    allow 10.1.1.0/24;
+      ++ optionals tailscale.enable cidrForNetwork.tail.all;
-    allow fd0a::/64;
+    allows = concatMapStringsSep "\n" mkAllow allowAddresses;
+  in ''
+    ${allows}
     deny all;
   '';
 in {