refactor(access): common ranges

2026-02-09 12:29:19 -08:00 · 2024-01-22 14:13:20 -08:00 · 2024-01-22 14:13:20 -08:00 · a0bd07f898
commit a0bd07f898
parent a0b5ed1458
5 changed files with 114 additions and 46 deletions
--- a/modules/nixos/access.nix
+++ b/modules/nixos/access.nix
@ -3,22 +3,84 @@
  lib,
  ...
 }: let
-  inherit (lib.modules) mkIf;
+  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
  inherit (lib.options) mkOption;
-  inherit (config.networking) hostName;
+  inherit (lib.lists) optionals;
+  inherit (config.services) tailscale avahi;
+  inherit (config) networking;
+  inherit (networking) hostName;
+  cidrModule = { config, ... }: {
+    options = with lib.types; {
+      all = mkOption {
+        type = listOf str;
+        readOnly = true;
+      };
+      v4 = mkOption {
+        type = listOf str;
+        default = [ ];
+      };
+      v6 = mkOption {
+        type = listOf str;
+        default = [ ];
+      };
+    };
+    config.all = mkOptionDefault (
+      config.v4
+      ++ optionals networking.enableIPv6 config.v6
+    );
+  };
 in {
  options.networking.access = with lib.types; {
    hostnameForNetwork = mkOption {
      type = attrsOf str;
      default = { };
    };
+    cidrForNetwork = mkOption {
+      type = attrsOf (submodule cidrModule);
+      default = { };
+    };
  };

  config.networking.access = {
    hostnameForNetwork = {
-      local = mkIf config.services.avahi.enable "${hostName}.local.gensokyo.zone";
-      tail = mkIf config.services.tailscale.enable "${hostName}.tail.gensokyo.zone";
-      global = mkIf config.networking.enableIPv6 "${hostName}.gensokyo.zone";
+      local = let
+        eth0 = config.systemd.network.networks.eth0 or { };
+        hasStaticAddress = eth0.address or [ ] != [ ] || eth0.addresses or [ ] != [ ];
+        hasSLAAC = eth0.slaac.enable or false;
+      in mkMerge [
+        (mkIf (hasStaticAddress || hasSLAAC) (mkDefault "${hostName}.local.${config.networking.domain}"))
+        (mkIf (avahi.enable && avahi.publish.enable) (mkOptionDefault "${hostName}.local"))
+      ];
+      tail = mkIf tailscale.enable "${hostName}.tail.${config.networking.domain}";
+      global = mkIf (networking.enableIPv6 && networking.tempAddresses == "disabled") "${hostName}.${config.networking.domain}";
+    };
+    cidrForNetwork = {
+      loopback = {
+        v4 = [
+          "127.0.0.0/8"
+        ];
+        v6 = [
+          "::1"
+        ];
+      };
+      local = {
+        v4 = [
+          "10.1.1.0/24"
+        ];
+        v6 = [
+          "fd0a::/64"
+          "fe80::/64"
+        ];
+      };
+      tail = mkIf tailscale.enable {
+        v4 = [
+          "100.64.0.0/10"
+        ];
+        v6 = [
+          "fd7a:115c:a1e0::/96"
+          "fd7a:115c:a1e0:ab12::/64"
+        ];
+      };
    };
  };
 }
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@ -7,7 +7,7 @@
  cfg = config.services.home-assistant;
  inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
  inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.lists) optional elem;
+  inherit (lib.lists) optional optionals elem;
  inherit (lib.strings) toLower;
 in {
  options.services.home-assistant = with lib.types; {
@ -83,15 +83,13 @@ in {
            "https://www.home-assistant.io"
          ];
          use_x_forwarded_for = "true";
-          trusted_proxies = [
-            "127.0.0.0/24"
+          trusted_proxies = let
+            inherit (config.networking.access) cidrForNetwork;
+          in cidrForNetwork.loopback.all
+          ++ cidrForNetwork.local.all
+          ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all
+          ++ [
            "200::/7"
-            "100.64.0.0/10"
-            "fd7a:115c:a1e0:ab12::/64"
-            "fd7a:115c:a1e0::/96"
-            "10.1.1.0/24"
-            "fd0a::/64"
-            "::1"
          ];
        };
        recorder = {
--- a/modules/nixos/nginx-local.nix
+++ b/modules/nixos/nginx-local.nix
@ -5,8 +5,10 @@
 }: let
  inherit (lib.modules) mkIf mkBefore;
  inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.strings) optionalString;
+  inherit (lib.strings) concatMapStringsSep;
+  inherit (lib.lists) optionals;
  inherit (config.services) tailscale;
+  inherit (config.networking.access) cidrForNetwork;
  localModule = { config, ... }: {
    options = with lib.types; {
      local = {
@ -15,26 +17,31 @@
    };
    config = mkIf config.local.enable {
      extraConfig = let
-        tailscaleAllow = ''
-          allow fd7a:115c:a1e0::/96;
-          allow fd7a:115c:a1e0:ab12::/64;
-          allow 100.64.0.0/10;
-        '';
+        mkAllow = cidr: "allow ${cidr};";
+        allowAddresses =
+          cidrForNetwork.loopback.all
+          ++ cidrForNetwork.local.all
+          ++ optionals tailscale.enable cidrForNetwork.tail.all;
+        allows = concatMapStringsSep "\n" mkAllow allowAddresses;
      in mkBefore ''
-        allow 127.0.0.0/8;
-        allow ::1;
-        allow 10.1.1.0/24;
-        allow fd0a::/64;
-        allow fe80::/64;
-        ${optionalString tailscale.enable tailscaleAllow}
-          deny all;
+        ${allows}
+        deny all;
      '';
    };
  };
+  hostModule = { config, ... }: {
+    imports = [ localModule ];
+
+    options = with lib.types; {
+      locations = mkOption {
+        type = attrsOf (submodule localModule);
+      };
+    };
+  };
 in {
  options = with lib.types; {
    services.nginx.virtualHosts = mkOption {
-      type = attrsOf (submodule localModule);
+      type = attrsOf (submodule hostModule);
    };
  };
 }
--- a/modules/nixos/postgres.nix
+++ b/modules/nixos/postgres.nix
@ -6,6 +6,7 @@
  inherit (lib.modules) mkIf mkMerge mkOptionDefault mkDefault;
  inherit (lib.options) mkOption mkEnableOption;
  inherit (lib.lists) any;
+  inherit (config) networking;
  cfg = config.services.postgresql;
  ensureUserModule = { config, ... }: {
    options = with lib.types; {
@ -38,16 +39,11 @@
    };
    config = {
      authentication = {
-        hosts = mkMerge [
-          (mkIf config.authentication.tailscale.allow [
-            "fd7a:115c:a1e0::/96"
-            "fd7a:115c:a1e0:ab12::/64"
-            "100.64.0.0/10"
-          ])
-          (mkIf config.authentication.local.allow [
-            "10.1.1.0/24"
-            "fd0a::/64"
-          ])
+        hosts = let
+          inherit (networking.access) cidrForNetwork;
+        in mkMerge [
+          (mkIf config.authentication.tailscale.allow cidrForNetwork.tail.all)
+          (mkIf config.authentication.local.allow (cidrForNetwork.loopback.all ++ cidrForNetwork.local.all))
        ];
        authentication = mkMerge (map (host: ''
          host ${config.authentication.database} ${config.name} ${host} ${config.authentication.method}
--- a/nixos/access/kanidm.nix
+++ b/nixos/access/kanidm.nix
@ -6,7 +6,10 @@
 let
  inherit (lib.options) mkOption;
  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
-  inherit (lib.strings) optionalString;
+  inherit (lib.strings) concatMapStringsSep;
+  inherit (lib.lists) optionals;
+  inherit (config.services) tailscale;
+  inherit (config.networking.access) cidrForNetwork;
  cfg = config.services.kanidm;
  access = config.services.nginx.access.kanidm;
  proxyPass = mkDefault "http://${access.host}:${toString access.port}";
@ -18,13 +21,15 @@ let
      alias = "${cfg.server.unencrypted.package.ca}";
    };
  };
-  allows = optionalString config.services.tailscale.enable ''
-    allow fd7a:115c:a1e0::/96;
-    allow fd7a:115c:a1e0:ab12::/64;
-    allow 100.64.0.0/10;
-  '' + ''
-    allow 10.1.1.0/24;
-    allow fd0a::/64;
+  allows = let
+    mkAllow = cidr: "allow ${cidr};";
+    allowAddresses =
+      cidrForNetwork.loopback.all
+      ++ cidrForNetwork.local.all
+      ++ optionals tailscale.enable cidrForNetwork.tail.all;
+    allows = concatMapStringsSep "\n" mkAllow allowAddresses;
+  in ''
+    ${allows}
    deny all;
  '';
 in {