diff --git a/flake.nix b/flake.nix
index 37217d6..b32cc24 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,6 +36,18 @@
 getNixpkgs = ver: if ver == "25.05" then nixpkgs-25-05 else nixpkgs-unstable;
 nodes = import ./nodes.nix;
+ mapping = import ./mapping.nix;
+
+ findRolesForHost = hostName: builtins.filter
+ (roleName: builtins.elem hostName mapping.${roleName}.hosts)
+ (builtins.attrNames mapping);
+
+ getModulesForHost = hostName: let
+ roles = findRolesForHost hostName;
+ modulesList = builtins.map
+ (role: mapping.${role}._inherit or [])
+ roles;
+ in builtins.concatLists modulesList;
 defaultModules = [
 agenix.nixosModules.default
@@ -47,7 +59,7 @@
 nixosConfigurations = builtins.mapAttrs (name: config:
 (getNixpkgs config.ver).lib.nixosSystem {
 system = config.system;
- modules = config.modules ++ defaultModules ++ [{ hostName = "${name}"; }];
+ modules = getModulesForHost "${name}" ++ defaultModules ++ [{ hostName = "${name}"; }];
 }
 ) nodes;
diff --git a/mapping.nix b/mapping.nix
index 1f925d7..915a6af 100644
--- a/mapping.nix
+++ b/mapping.nix
@@ -3,18 +3,27 @@
 # If some "hostvars" are needed they should
 # be declared here
 {
- bastion = [
- "bastion-mtz-lasuite-federez"
- "bastion-ren-lasuite-federez"
- "bastion-aur-lasuite-federez"
- ];
+ bastion = {
+ hosts = [
+ "bastion-mtz-lasuite-federez"
+ "bastion-ren-lasuite-federez"
+ "bastion-aur-lasuite-federez"
+ ];
+ _inherit = [
+ ./shared/bastion.nix
+ ];
+ };
 # For instance:
- # psql = {
+ # psql = rec {
 # master = "some-node-1";
 # slaves = [
 # "some-node-2"
 # "some-node-3"
 # ];
+ # hosts = [ master ] ++ slaves;
+ # _inherit = [
+ # "./shared/psql.nix"
+ # ];
 # };
 }
\ No newline at end of file
diff --git a/nodes.nix b/nodes.nix
index 920c59a..4a9f2f5 100644
--- a/nodes.nix
+++ b/nodes.nix
@@ -8,9 +8,6 @@
 id = 1;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- ./shared/bastion.nix
- ];
 ip4 = "193.48.225.150/24";
 gIp4 = "193.48.225.254";
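Review bot: A host name listed in `mapping.nix` that does not exist in `nodes` is silently ignored by `findRolesForHost`, so a misspelled entry in `bastion.hosts` drops that machine from the role — it no longer gets `./shared/bastion.nix`, and because `mesh.nix` and `nftables.nix` key off the same list it also loses its mgmt firewall rule and return route — with no evaluation error. Since `nodes` is the attrset that `nixosConfigurations` is mapped over, the mapping can be checked against it once and `getModulesForHost` can refuse to evaluate when a mapped host is unknown; a sketch follows. Separately, `mapping.${roleName}.hosts` aborts evaluation for any role without a `hosts` key, while `_inherit` is read with `or []`; if roles may omit `hosts`, read it as `(mapping.${roleName}.hosts or [])` — otherwise a short comment stating that every role must declare `hosts` would document the contract. `builtins.attrNames` returns names sorted, so the concatenated module list is ordered alphabetically by role; harmless for NixOS modules, but worth a comment so nobody relies on declaration order.
```nix
# Every host named in mapping.nix must be a node: a typo would otherwise silently
# drop the host from its role (and, for bastions, from the mgmt firewall/route rules).
mappedHosts = builtins.concatLists
  (builtins.map (role: mapping.${role}.hosts or []) (builtins.attrNames mapping));
unknownHosts = builtins.filter (host: !(builtins.hasAttr host nodes)) mappedHosts;

getModulesForHost = hostName:
  if unknownHosts != [] then
    throw "mapping.nix references unknown hosts: ${builtins.concatStringsSep ", " unknownHosts}"
  else let
    roles = findRolesForHost hostName;
    # … unchanged: modulesList and concatLists …
```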
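Review bot: Before this change every node had to declare a `modules` list (even an empty `# TODO` one), so a node with no modules was an explicit choice; now a node that matches no role in `mapping.nix` silently receives only `defaultModules`. A one-line comment above `modules = …` stating that per-host modules come exclusively from `mapping.nix` roles would make that intent visible, e.g. `# Per-host modules are selected by role membership in mapping.nix; a node in no role gets only defaultModules.` As a style point, `name` is already a string from `mapAttrs`, so `getModulesForHost "${name}"` can simply be `getModulesForHost name`.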
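Review bot: The `psql` example's `_inherit` entry is a quoted string, `"./shared/psql.nix"`, while the live `bastion` entry uses the path literal `./shared/bastion.nix`; a relative string is not resolved against the flake the way a path literal is, so copying the example as written would not load the module. Change the example line to `#     ./shared/psql.nix` so it matches the real entry. The header comment still only mentions "hostvars"; since `flake.nix` now depends on the `hosts` and `_inherit` keys, add a line documenting that contract, e.g. `# Each role is an attrset: "hosts" lists node names (as in nodes.nix), "_inherit" lists the modules applied to those nodes.` The file also still lacks a trailing newline, as the `\ No newline at end of file` marker shows.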
@@ -31,9 +28,6 @@
 id = 2;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.151/24";
 gIp4 = "193.48.225.254";
@@ -54,9 +48,6 @@
 id = 3;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.152/24";
 gIp4 = "193.48.225.254";
@@ -77,9 +68,6 @@
 id = 4;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.153/24";
 gIp4 = "193.48.225.254";
@@ -100,9 +88,6 @@
 id = 5;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.154/24";
 gIp4 = "193.48.225.254";
@@ -123,9 +108,6 @@
 id = 6;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.155/24";
 gIp4 = "193.48.225.254";
@@ -146,9 +128,6 @@
 id = 7;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.156/24";
 gIp4 = "193.48.225.254";
@@ -169,9 +148,6 @@
 id = 8;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.157/24";
 gIp4 = "193.48.225.254";
@@ -192,9 +168,6 @@
 id = 9;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.158/24";
 gIp4 = "193.48.225.254";
@@ -215,9 +188,6 @@
 id = 10;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.159/24";
 gIp4 = "193.48.225.254";
@@ -238,9 +208,6 @@
 id = 11;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.160/24";
 gIp4 = "193.48.225.254";
@@ -261,9 +228,6 @@
 id = 12;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.161/24";
 gIp4 = "193.48.225.254";
@@ -284,9 +248,6 @@
 id = 13;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.48.225.162/24";
 gIp4 = "193.48.225.254";
@@ -311,9 +272,6 @@
 id = 1;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- ./shared/bastion.nix
- ];
 ip4 = "193.54.193.176/24";
 gIp4 = "193.54.193.254";
@@ -334,9 +292,6 @@
 id = 2;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.177/24";
 gIp4 = "193.54.193.254";
@@ -357,9 +312,6 @@
 id = 3;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.178/24";
 gIp4 = "193.54.193.254";
@@ -380,9 +332,6 @@
 id = 4;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.179/24";
 gIp4 = "193.54.193.254";
@@ -403,9 +352,6 @@
 id = 5;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.180/24";
 gIp4 = "193.54.193.254";
@@ -426,9 +372,6 @@
 id = 6;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.181/24";
 gIp4 = "193.54.193.254";
@@ -449,9 +392,6 @@
 id = 7;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.182/24";
 gIp4 = "193.54.193.254";
@@ -472,9 +412,6 @@
 id = 8;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.183/24";
 gIp4 = "193.54.193.254";
@@ -495,9 +432,6 @@
 id = 9;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.184/24";
 gIp4 = "193.54.193.254";
@@ -518,9 +452,6 @@
 id = 10;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.185/24";
 gIp4 = "193.54.193.254";
@@ -541,9 +472,6 @@
 id = 11;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.186/24";
 gIp4 = "193.54.193.254";
@@ -564,9 +492,6 @@
 id = 12;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "193.54.193.187/24";
 gIp4 = "193.54.193.254";
@@ -591,9 +516,6 @@
 id = 1;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- ./shared/bastion.nix
- ];
 ip4 = "45.66.111.188/24";
 gIp4 = "45.66.111.254";
@@ -618,9 +540,6 @@
 id = 2;
 system = "x86_64-linux";
 ver = "25.05";
- modules = [
- # TODO
- ];
 ip4 = "45.66.111.189/24";
 gIp4 = "45.66.111.254";
diff --git a/shared/commons/mesh.nix b/shared/commons/mesh.nix
index 1438044..57503ac 100644
--- a/shared/commons/mesh.nix
+++ b/shared/commons/mesh.nix
@@ -28,7 +28,7 @@ let
 AllowedIPs = [
 "172.19.${toString peerConfig.zone}.${toString peerConfig.id}/32"
 "fc00::${toString peerConfig.zone}:${toString peerConfig.id}/128"
- ] ++ lib.optionals (lib.elem peerName mapping.bastion) [
+ ] ++ lib.optionals (lib.elem peerName mapping.bastion.hosts) [
 "172.19.${toString (peerConfig.zone + 127)}.0/24"
 "fc00:f::${toString (peerConfig.zone + 127)}:0/112"
 ];
@@ -42,7 +42,7 @@ let
 };
 # Return route for mgmt traffic
- bastionConfigs = lib.filterAttrs (peerName: _peerConfig: lib.elem peerName mapping.bastion) peerConfigs;
+ bastionConfigs = lib.filterAttrs (peerName: _peerConfig: lib.elem peerName mapping.bastion.hosts) peerConfigs;
 rtwg4 = map (node: {
 Gateway = "172.19.${toString node.zone}.${toString node.id}";
diff --git a/shared/commons/nftables.nix b/shared/commons/nftables.nix
index 120ee2b..8585f9e 100644
--- a/shared/commons/nftables.nix
+++ b/shared/commons/nftables.nix
@@ -48,7 +48,7 @@ in
 # Mesh
 udp dport 51820 accept
- ${if lib.elem myName mapping.bastion then ''
+ ${if lib.elem myName mapping.bastion.hosts then ''
 # Mgmt
 udp dport 51920 accept
 '' else ""}
@@ -64,7 +64,7 @@ in
 ct state related,established accept
 ct state invalid counter drop
- ${if lib.elem myName mapping.bastion then ''
+ ${if lib.elem myName mapping.bastion.hosts then ''
 iifname mgmt oifname mesh* accept
 '' else ""}