nixfiles/outputs.nix

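# Flake outputs: the host configurations from ./hosts, plus, per system,
# a pinned nixpkgs, a formatter, a dev shell, exported packages, and the
# secrets-init / vault-policy tooling derived from each host's
# `services.secrets` option set.
{self, ...} @ inputs: let
  nixpkgs = inputs.nixpkgs-unstable;
  inherit (nixpkgs) lib;
  inherit (lib.attrsets) mergeAttrsList recursiveUpdate;
  inherit (lib.lists) foldl' forEach filter;
  hosts = import ./hosts inputs;
in
  {
    inherit (hosts) nixosConfigurations homeConfigurations;
  }
  // (inputs.flake-utils.lib.eachDefaultSystem (
    system: let
      pkgs = import nixpkgs {
        inherit system;
        config.allowUnfree = true;
        overlays = [
          (import ./overlay)
        ];
      };
    in
      # Later attrsets win on conflicts; the two elements below are merged
      # recursively so both contribute to `packages`.
      foldl' recursiveUpdate {} [
        {
          # we expose nixpkgs.${system} so that we can nix run/build stuff
          # from nixpkgs from flake's input versions
          nixpkgs = pkgs;
          formatter = pkgs.alejandra;
          devShell = pkgs.mkShell {
            # Vault endpoint used by the `vault` CLI in the shell; only the
            # address is set here, no token.
            VAULT_ADDR = "https://vault.owo.monster";
            packages =
              (with pkgs; [
                git
                nano
                nix
                nix-tree
                nix-output-monitor
              ])
              ++ (with self.packages."${system}"; [
                mk-enc-usb
                mk-encrypted-drive
              ]);
          };
          packages = {
            inherit (pkgs) comic-code comic-sans;
            inherit (pkgs) mk-enc-usb mk-encrypted-drive;
            inherit (pkgs) gotosocial mpd-headless;
            inherit (pkgs) kitty-terminfo;
            inherit (pkgs) linux_rpi5 raspberrypifw raspberrypiWirelessFirmware raspberrypi-utils;
            inherit (pkgs) widevine-aarch64-4k widevine-aarch64-16k;
            inherit (inputs.home-manager-unstable.packages."${system}") home-manager;
          };
        }
        # secrets-init-* and vault-policy-* packages for machines and
        # containers, plus the update-vault-policies helper script.
        (let
          secretsLib = import ./modules/nixos/secretsLib/lib.nix {
            inherit (nixpkgs) lib;
            inherit pkgs;
          };

          # Evaluated NixOS config of a host, and of a container inside it.
          systemConfigForSystem = systemName: self.nixosConfigurations.${systemName}.config;
          systemConfigForContainer = systemName: containerName: let
            systemConfig = systemConfigForSystem systemName;
          in
            systemConfig.containers.${containerName}.config;

          # The `services.secrets` option set of a host / container.
          secretsConfigForSystem = systemName: let
            systemConfig = systemConfigForSystem systemName;
          in
            systemConfig.services.secrets;
          secretsConfigForContainer = systemName: containerName: let
            systemConfig = systemConfigForContainer systemName containerName;
          in
            systemConfig.services.secrets;

          # A host/container takes part in the vault tooling only when its
          # secrets module is enabled *and* vault login is enabled.
          usesVault = secretsConfig: secretsConfig.enable && secretsConfig.vaultLogin.enable;

          # Host-level init script / vault policy, named after the host.
          secretsInitScriptForSystem = systemName: let
            secretsConfig = secretsConfigForSystem systemName;
          in
            secretsLib.mkSecretsInitScriptWithName secretsConfig "${systemName}";
          vaultPolicyForSystem = systemName: let
            secretsConfig = secretsConfigForSystem systemName;
          in
            secretsLib.genVaultPolicy secretsConfig "${systemName}";

          # Container-level equivalents, named "<host>-container-<container>".
          secretsInitScriptForContainer = systemName: containerName: let
            secretsConfig = secretsConfigForContainer systemName containerName;
          in
            secretsLib.mkSecretsInitScriptWithName secretsConfig "${systemName}-container-${containerName}";
          vaultPolicyForContainer = systemName: containerName: let
            secretsConfig = secretsConfigForContainer systemName containerName;
          in
            secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}";

          # All machines/containers with secrets.nix
          machines = let
            doesHaveHostSecrets = machineName: usesVault (secretsConfigForSystem machineName);
            # Names of the machine's containers whose secrets module uses vault.
            containersForMachine = machineName: let
              hostConfig = systemConfigForSystem machineName;
            in
              filter (
                containerName: usesVault (secretsConfigForContainer machineName containerName)
              ) (builtins.attrNames hostConfig.containers);
            configForMachine = machineName: {
              hasHostSecrets = doesHaveHostSecrets machineName;
              containers = containersForMachine machineName;
            };
          in {
            "hetzner-arm" =
              configForMachine "hetzner-arm"
              // {
                # not read anywhere in this file; kept for consumers of `machines`
                sshAddress = "hetzner-arm.servers.genderfucked.monster";
              };
            "lappy-t495" = configForMachine "lappy-t495";
          };

          machinesWithHostSecrets = filter (
            machine: machines.${machine}.hasHostSecrets
          ) (builtins.attrNames machines);
          machinesWithContainers = filter (
            machine: (machines.${machine}.containers or []) != []
          ) (builtins.attrNames machines);
        in {
          packages = mergeAttrsList [
            {
              # Pushes every generated policy to vault. Only hosts with host
              # secrets are visited (and their containers with them); a host
              # that is in machinesWithContainers but not in
              # machinesWithHostSecrets gets its container policies built
              # below but not deployed by this script.
              "update-vault-policies" = pkgs.writeShellScriptBin "update-vault-policies" ''
                # Stop at the first failed `vault policy write` rather than
                # carrying on and exiting 0 with policies left undeployed.
                set -euo pipefail
                ${lib.concatStringsSep "\n" (map (hostName: let
                    machineContainers = machines.${hostName}.containers;
                  in ''
                    echo "Deploying policy for ${hostName}"
                    vault policy write ${hostName} ${self.packages.${system}."vault-policy-${hostName}"}
                    ${lib.concatStringsSep "\n" (map (containerName: let
                        policyName = "${hostName}-container-${containerName}";
                      in ''
                        echo "Deploying policy for ${policyName}"
                        vault policy write ${policyName} ${self.packages.${system}."vault-policy-${policyName}"}
                        echo
                      '')
                      machineContainers)}
                    echo
                  '')
                  machinesWithHostSecrets)}
              '';
            }
            # secrets-init-<host> / vault-policy-<host>
            (mergeAttrsList (
              forEach machinesWithHostSecrets (machineName: {
                "secrets-init-${machineName}" = secretsInitScriptForSystem machineName;
                "vault-policy-${machineName}" = vaultPolicyForSystem machineName;
              })
            ))
            # secrets-init-<host>-container-<c> / vault-policy-<host>-container-<c>
            (mergeAttrsList (forEach machinesWithContainers (machineName: let
              machine = machines.${machineName};
              inherit (machine) containers;
            in
              mergeAttrsList (forEach containers (containerName: {
                "secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;
                "vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;
              })))))
          ];
        })
      ]
  ))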