{ config, lib, pkgs, ... }:
let
  inherit (lib) mkOption types;

  # Option set of one entry in `birdsong.hosts`.  Everything declared here is
  # public data (SSH host public keys, WireGuard public keys, addresses), which
  # is why the host table below can live in plain committed configuration.
  hostOptions = {
    hostKey = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "SSH public key of the host, for use in known_hosts files";
    };

    subnet = mkOption {
      type = types.str;
      default = "internet";
      example = "roaming";
      description = ''
        Identifier representing a LAN the host belongs to. Hosts in the same LAN
        will peer with each other.

        The special value `internet` (the default) will accept peering from all
        other hosts. This is to be used for servers that are accessible from the
        public internet.

        The special value `roaming` will not peer with other `roaming` hosts, but
        will still peer with `internet` hosts. This is to be used for portable
        devices like laptops that regularly move between networks. Also use this
        for non-NixOS devices that can't use the NixOS module and therefore only
        peer with the subnet router.
      '';
    };

    # NOTE(review): the `{option}` references in the descriptions below read
    # "birdsong.hosts..subnet"; the "<name>" path segment looks like it was lost
    # in extraction — confirm against the upstream file.
    endpoint = mkOption {
      type = types.nullOr types.str;
      default = null;
      example = "example.com";
      description = ''
        Address (e.g. IP or domain name) by which the host is reachable within
        its LAN.

        If {option}`birdsong.hosts..subnet` is set to `internet`, the host must
        be reachable at this address from the public internet.

        If {option}`birdsong.hosts..subnet` is set to `roaming`, this option is
        not used.
      '';
    };

    ipv4 = mkOption {
      type = types.str;
      example = "10.127.1.1";
      description = ''
        IPv4 address of this peer within the network.

        We are currently using the range 10.127.0.0/16, divided into /24
        subnets. Please try to keep this consistent.
      '';
    };

    ipv6 = mkOption {
      type = types.str;
      example = "fd70:81ca:0f8f:1::1";
      description = ''
        IPv6 address of this peer within the network.

        We are currently using the range fd70:81ca:0f8f::/48, divided into /64
        subnets. Please try to keep this consistent.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 51820;
      example = 51821;
      description = ''
        Which port to expose WireGuard on.

        Change this for peers behind NAT, to a port not used by another peer in
        the same LAN.
      '';
    };

    wireguardKey = mkOption {
      type = types.str;
      example = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=";
      description = "WireGuard public key for this peer, as generated by `wg pubkey`";
    };

    isRouter = mkOption {
      type = types.bool;
      default = false;
      description = ''
        The host with this flag set is the subnet router. It forwards packets
        between WireGuard peers that can't connect directly to each other.

        WireGuard's scope doesn't (yet) include full mesh networking with
        load-balancing between routers, so only one peer can hold this status.
        It should be peered with all other hosts (i.e.,
        {option}`birdsong.hosts..subnet` set to `internet`).
      '';
    };
  };

  # The host table.  Grouped by subnet; the third address octet / IPv6 nibble
  # group follows the subnet (1 = internet, 2 = roaming, 3 = weyrhold,
  # 4 = library), per the /24 and /64 scheme described in the options.
  hostTable = {
    # --- subnet "internet" (the default): publicly reachable servers ---

    # Only host with isRouter = true; the option docs require exactly one.
    yevaud = {
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud";
      endpoint = "yevaud.birdsong.network";
      ipv4 = "10.127.1.1";
      ipv6 = "fd70:81ca:0f8f:1::1";
      wireguardKey = "YPJsIs9x4wuWdFi/QRWSJbWvKE0GQAfVL4MNMqHygDw=";
      isRouter = true;
    };

    orm = {
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm";
      endpoint = "orm.birdsong.network";
      ipv4 = "10.127.1.2";
      ipv6 = "fd70:81ca:0f8f:1::2";
      wireguardKey = "birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA=";
    };

    kalessin = {
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPt3iSSmgnlsv1/jafgZgI7o8UuXzcAL45hID2ThfS8 root@kalessin";
      endpoint = "kalessin.birdsong.network";
      ipv4 = "10.127.1.3";
      ipv6 = "fd70:81ca:0f8f:1::3";
      wireguardKey = "9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ=";
    };

    reese = {
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd0qGxvcMLDwX1bqYpwOUL5c/CIgBllMFr+bGkwiwAn root@reese";
      endpoint = "reese.internetcat.org";
      ipv4 = "10.127.1.5";
      ipv6 = "fd70:81ca:0f8f:1::5";
      wireguardKey = "K/wArdwedMwjQULPOjOrPoEwsevaRhBZ3rUrH7pNWHM=";
    };

    bear = {
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZ9Kn1CIcDHaleKHf7zO6O30Rbxs/FwL0/Ie+mEjZJr root@bear";
      endpoint = "bear.internetcat.org";
      ipv4 = "10.127.1.6";
      ipv6 = "fd70:81ca:0f8f:1::6";
      wireguardKey = "mXWQo1Vn2YFr7OhFNc3g7Zbcf/qnwuLx8HHCn6HKwBc=";
    };

    # --- subnet "roaming": portable devices, reached only via internet hosts ---

    tohru = {
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru";
      subnet = "roaming";
      ipv4 = "10.127.2.1";
      ipv6 = "fd70:81ca:0f8f:2::1";
      # Non-default port, as the `port` option suggests for peers behind NAT.
      port = 51821;
      wireguardKey = "lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18=";
    };

    groves = {
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQNZ/Q+x7mDYfYXftpZpWkfPByyMBbYmVFobM4vSDW2 root@groves";
      subnet = "roaming";
      ipv4 = "10.127.2.2";
      ipv6 = "fd70:81ca:0f8f:2::2";
      wireguardKey = "Tsbw77gIsoa3eBWZpQwZAM6EPpq+7yS33qoFHS4tXlY=";
    };

    # --- subnet "weyrhold": a LAN; endpoints are RFC 1918 addresses, so they
    # are only meaningful to peers on that LAN ---

    kilgharrah = {
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah";
      subnet = "weyrhold";
      endpoint = "192.168.2.1";
      ipv4 = "10.127.3.1";
      ipv6 = "fd70:81ca:0f8f:3::1";
      wireguardKey = "LXQVU0MFKVO/mml5krHnf6NcL4GxF6XFJmvpmjrLBFA=";
    };

    elucredassa = {
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+Y/vqGNc1wXUAg4XMAAcLupkggywj2LpYDwA16ONbH root@elucredassa";
      subnet = "weyrhold";
      endpoint = "192.168.2.2";
      ipv4 = "10.127.3.2";
      ipv6 = "fd70:81ca:0f8f:3::2";
      wireguardKey = "hwgf4efFNOtQwCDMpZI4uyPDjzPzHF056pWgobGaxRY=";
    };

    # --- subnet "library" ---

    # No endpoint is set, so `endpoint` stays at its default of null; other
    # hosts in this subnet would have no address to dial for shaw.
    shaw = {
      hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw";
      subnet = "library";
      # endpoint = "";
      ipv4 = "10.127.4.1";
      ipv6 = "fd70:81ca:0f8f:4::1";
      wireguardKey = "eD79pROC2zjhKz4tGRS43O95gcFRqO+SFb2XDnTr0zc=";
    };
  };
in
{
  options.birdsong.hosts = mkOption {
    type = types.attrsOf (types.submodule { options = hostOptions; });
    description = "List of hosts in the birdsong network";
  };

  config.birdsong.hosts = hostTable;
}