birdsong/hosts.nix


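{ config, lib, pkgs, ... }:
let
  cfg = config.birdsong.hosts;

  # Names of every host with `isRouter = true`. The option documentation
  # states that only one peer may hold this role, so it is asserted below
  # instead of being left as a convention.
  routers = lib.attrNames (lib.filterAttrs (_: host: host.isRouter) cfg);

  # Hosts on the `internet` subnet that declare no endpoint. Every other
  # peer initiates towards these hosts, so a missing endpoint means they
  # are silently never reached. `roaming` hosts and LAN-only subnets are
  # deliberately exempt (the endpoint is unused or LAN-local there).
  internetWithoutEndpoint = lib.attrNames (lib.filterAttrs
    (_: host: host.subnet == "internet" && host.endpoint == null)
    cfg);

  # Names of the hosts whose value for `field` is also used by another
  # host. Only meaningful for required fields (never null).
  duplicatesOf = field:
    let
      allValues = lib.mapAttrsToList (_: host: host.${field}) cfg;
    in
    lib.attrNames (lib.filterAttrs
      (_: host: lib.count (v: v == host.${field}) allValues > 1)
      cfg);

  # Option declarations for one entry of `birdsong.hosts`.
  hostModule = lib.types.submodule {
    options = {
      # Public half only: this is what other hosts pin in known_hosts, so a
      # wrong value here is what an SSH client would reject (or, worse,
      # accept for the wrong machine). No private material belongs here.
      hostKey = lib.mkOption {
        default = null;
        description = "SSH public key of the host, for use in known_hosts files";
        type = lib.types.nullOr lib.types.str;
      };

      subnet = lib.mkOption {
        default = "internet";
        example = "roaming";
        description = ''
          Identifier representing a LAN the host belongs to. Hosts in the
          same LAN will peer with each other.
          The special value `internet` (the default) will accept peering
          from all other hosts. This is to be used for servers that are
          accessible from the public internet.
          The special value `roaming` will not peer with other `roaming`
          hosts, but will still peer with `internet` hosts. This is to be
          used for portable devices like laptops that regularly move between
          networks. Also use this for non-NixOS devices that can't use the
          NixOS module and therefore only peer with the subnet router.
        '';
        type = lib.types.str;
      };

      endpoint = lib.mkOption {
        default = null;
        example = "example.com";
        description = ''
          Address (e.g. IP or domain name) by which the host is reachable
          within its LAN.
          If {option}`birdsong.hosts.<name>.subnet` is set to `internet`,
          the host must be reachable at this address from the public
          internet.
          If {option}`birdsong.hosts.<name>.subnet` is set to `roaming`,
          this option is not used.
        '';
        type = lib.types.nullOr lib.types.str;
      };

      ipv4 = lib.mkOption {
        example = "10.127.1.1";
        description = ''
          IPv4 address of this peer within the network.
          We are currently using the range 10.127.0.0/16, divided into /24
          subnets. Please try to keep this consistent.
        '';
        type = lib.types.str;
      };

      ipv6 = lib.mkOption {
        example = "fd70:81ca:0f8f:1::1";
        description = ''
          IPv6 address of this peer within the network.
          We are currently using the range fd70:81ca:0f8f::/48, divided
          into /64 subnets. Please try to keep this consistent.
        '';
        type = lib.types.str;
      };

      port = lib.mkOption {
        default = 51820;
        example = 51821;
        description = ''
          Which port to expose WireGuard on. Change this for peers behind
          NAT, to a port not used by another peer in the same LAN.
        '';
        type = lib.types.port;
      };

      # Public key only, as the description says; the matching private key
      # stays on the peer itself.
      wireguardKey = lib.mkOption {
        example = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=";
        description = "WireGuard public key for this peer, as generated by `wg pubkey`";
        type = lib.types.str;
      };

      isRouter = lib.mkOption {
        default = false;
        description = ''
          The host with this flag set is the subnet router. It forwards
          packets between WireGuard peers that can't connect directly to
          each other. WireGuard's scope doesn't (yet) include full mesh
          networking with load-balancing between routers, so only one peer
          can hold this status. It should be peered with all other hosts
          (i.e., {option}`birdsong.hosts.<name>.subnet` set to `internet`).
        '';
        type = lib.types.bool;
      };
    };
  };
in
{
  options.birdsong.hosts = lib.mkOption {
    description = "List of hosts in the birdsong network";
    type = lib.types.attrsOf hostModule;
  };

  config = {
    # The network inventory. Everything in here is public identity data
    # (addresses and public keys); entries that are commented out are
    # hosts not yet provisioned and therefore not peered with.
    birdsong.hosts = {
      yevaud = {
        hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud";
        endpoint = "yevaud.birdsong.network";
        ipv4 = "10.127.1.1";
        ipv6 = "fd70:81ca:0f8f:1::1";
        wireguardKey = "YPJsIs9x4wuWdFi/QRWSJbWvKE0GQAfVL4MNMqHygDw=";
        isRouter = true;
      };
      orm = {
        hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm";
        endpoint = "orm.birdsong.network";
        ipv4 = "10.127.1.2";
        ipv6 = "fd70:81ca:0f8f:1::2";
        wireguardKey = "birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA=";
      };
      # kalessin = {
      #   # hostKey = "";
      #   endpoint = "kalessin.birdsong.network";
      #   ipv4 = "10.127.1.3";
      #   ipv6 = "fd70:81ca:0f8f:1::3";
      #   # wireguardKey = "";
      # };
      tohru = {
        hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru";
        subnet = "roaming";
        ipv4 = "10.127.2.1";
        ipv6 = "fd70:81ca:0f8f:2::1";
        port = 51821;
        wireguardKey = "lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18=";
      };
      # kilgharrah = {
      #   # hostKey = "";
      #   subnet = "weyrhold";
      #   endpoint = "192.168.2.1";
      #   ipv4 = "10.127.3.1";
      #   ipv6 = "fd70:81ca:0f8f:3::1";
      #   # wireguardKey = "";
      # };
      shaw = {
        hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw";
        subnet = "library";
        # endpoint = "";
        ipv4 = "10.127.4.1";
        ipv6 = "fd70:81ca:0f8f:4::1";
        wireguardKey = "eD79pROC2zjhKz4tGRS43O95gcFRqO+SFb2XDnTr0zc=";
      };
    };

    # Turn the invariants the option descriptions only state in prose into
    # evaluation-time failures, so a bad entry (two routers, an unreachable
    # `internet` host, a colliding address or key) is caught on rebuild
    # rather than discovered as a peer that never comes up. Checked across
    # the merged attrset, so hosts added by other modules are covered too.
    assertions = [
      {
        assertion = lib.length routers <= 1;
        message = "birdsong: only one host may set isRouter, but it is set on: "
          + lib.concatStringsSep ", " routers;
      }
      {
        assertion = internetWithoutEndpoint == [ ];
        message = "birdsong: hosts with subnet = \"internet\" must set an endpoint: "
          + lib.concatStringsSep ", " internetWithoutEndpoint;
      }
    ] ++ map
      (field: {
        assertion = duplicatesOf field == [ ];
        message = "birdsong: `${field}` must be unique per host, but it is shared by: "
          + lib.concatStringsSep ", " (duplicatesOf field);
      })
      [ "ipv4" "ipv6" "wireguardKey" ];
  };
}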