nixfiles/outputs.nix

{self, ...} @ inputs: let
  nixpkgs = inputs.nixpkgs-unstable;
  inherit (nixpkgs) lib;

  inherit (lib.attrsets) mergeAttrsList recursiveUpdate;
  inherit (lib.lists) foldl' forEach filter;

  hosts = import ./hosts inputs;
in
  {
    inherit (hosts) nixosConfigurations homeConfigurations;
  }
  // (inputs.flake-utils.lib.eachDefaultSystem (
    system: let
      pkgs = import nixpkgs {
        inherit system;
        config.allowUnfree = true;
        overlays = [
          (import ./overlay)
        ];
      };
    in
      foldl' recursiveUpdate {} [
        {
          # we expose nixpkgs.${system} so that we can nix run/build stuff
          # from nixpkgs from flake's input versions
          nixpkgs = pkgs;

          formatter = pkgs.alejandra;

          devShell = pkgs.mkShell {
            VAULT_ADDR = "https://vault.owo.monster";
            packages =
              (with pkgs; [
                git
                nano
                nix
                nix-tree
                nix-output-monitor
              ])
              ++ (with self.packages."${system}"; [
                mk-enc-usb
                mk-encrypted-drive
              ]);
          };

          packages = {
            inherit (pkgs) comic-code comic-sans;
            inherit (pkgs) mk-enc-usb mk-encrypted-drive;
            inherit (pkgs) gotosocial mpd-headless;
            inherit (pkgs) kitty-terminfo;
            inherit (pkgs) linux_rpi5 raspberrypifw raspberrypiWirelessFirmware raspberrypi-utils;
            inherit (pkgs) widevine-aarch64-4k widevine-aarch64-16k;
            inherit (inputs.home-manager-unstable.packages."${system}") home-manager;
          };
        }

        # secrets-init, secrets-check and vault-policy for machines and containers
        (let
          secretsLib = import ./modules/nixos/secretsLib/lib.nix {
            inherit (nixpkgs) lib;
            inherit pkgs;
          };

          systemConfigForSystem = systemName: self.nixosConfigurations.${systemName}.config;

          secretsConfigForSystem = systemName: let
            systemConfig = systemConfigForSystem systemName;
          in
            systemConfig.services.secrets;

          systemConfigForContainer = systemName: containerName: let
            systemConfig = systemConfigForSystem systemName;
          in
            systemConfig.containers.${containerName}.config;

          secretsConfigForContainer = systemName: containerName: let
            systemConfig = systemConfigForContainer systemName containerName;
          in
            systemConfig.services.secrets;

          secretsInitScriptForSystem = systemName: let
            secretsConfig = secretsConfigForSystem systemName;
          in
            secretsLib.mkSecretsInitScriptWithName secretsConfig "${systemName}";

          secretsInitScriptForContainer = systemName: containerName: let
            secretsConfig = secretsConfigForContainer systemName containerName;
          in
            secretsLib.mkSecretsInitScriptWithName secretsConfig "${systemName}-container-${containerName}";

          vaultPolicyForSystem = systemName: let
            secretsConfig = secretsConfigForSystem systemName;
          in
            secretsLib.genVaultPolicy secretsConfig "${systemName}";

          vaultPolicyForContainer = systemName: containerName: let
            secretsConfig = secretsConfigForContainer systemName containerName;
          in
            secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}";

          # All machines/containers with secrets.nix
          machines = let
            doesHaveHostSecrets = machineName: let
              hostConfig = self.nixosConfigurations.${machineName}.config;
              secretsConfig = hostConfig.services.secrets;
            in
              secretsConfig.enable && secretsConfig.vaultLogin.enable;

            containersForMachine = machineName: let
              hostConfig = self.nixosConfigurations.${machineName}.config;
            in
              lib.filter (containerName: let
                containerConfig = hostConfig.containers.${containerName}.config;
                secretsConfig = containerConfig.services.secrets;
              in
                secretsConfig.enable && secretsConfig.vaultLogin.enable) (builtins.attrNames hostConfig.containers);

            configForMachine = machineName: {
              hasHostSecrets = doesHaveHostSecrets machineName;
              containers = containersForMachine machineName;
            };
          in {
            "hetzner-arm" =
              configForMachine "hetzner-arm"
              // {
                sshAddress = "hetzner-arm.servers.genderfucked.monster";
              };
            "lappy-t495" = configForMachine "lappy-t495";
          };

          machinesWithHostSecrets = filter (
            machine: machines.${machine}.hasHostSecrets
          ) (builtins.attrNames machines);

          machinesWithContainers = filter (
            machine: (machines.${machine}.containers or []) != []
          ) (builtins.attrNames machines);
        in {
          packages = mergeAttrsList [
            {
              "update-vault-policies" = pkgs.writeShellScriptBin "update-vault-policies" ''
                ${lib.concatStringsSep "\n" (map (hostName: let
                    machineContainers = machines.${hostName}.containers;
                  in ''
                    echo "Deploying policy for ${hostName}"
                    vault policy write ${hostName} ${self.packages.${system}."vault-policy-${hostName}"}

                    ${lib.concatStringsSep "\n" (map (containerName: let
                        policyName = "${hostName}-container-${containerName}";
                      in ''
                        echo "Deploying policy for ${policyName}"
                        vault policy write ${policyName} ${self.packages.${system}."vault-policy-${policyName}"}
                        echo
                      '')
                      machineContainers)}

                    echo
                  '')
                  machinesWithHostSecrets)}
              '';
            }

            (mergeAttrsList (
              forEach machinesWithHostSecrets (machineName: {
                "secrets-init-${machineName}" = secretsInitScriptForSystem machineName;
                "vault-policy-${machineName}" = vaultPolicyForSystem machineName;
              })
            ))

            (mergeAttrsList (forEach machinesWithContainers (machineName: let
              machine = machines.${machineName};
              inherit (machine) containers;
            in
              mergeAttrsList (forEach containers (containerName: {
                "secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;
                "vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;
              })))))
          ];
        })
      ]
  ))
update piped and update flake outputs to make building overlay packages easier 2023-08-18 20:00:23 +01:00			`{self, ...} @ inputs: let`
			`nixpkgs = inputs.nixpkgs-unstable;`
first pass using statix linter 2024-03-10 17:26:18 +00:00			`inherit (nixpkgs) lib;`
update piped and update flake outputs to make building overlay packages easier 2023-08-18 20:00:23 +01:00
major tidy 2023-09-18 03:56:58 +01:00			`inherit (lib.attrsets) mergeAttrsList recursiveUpdate;`
			`inherit (lib.lists) foldl' forEach filter;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00
use tree as a input and rework how tree and inputs are set/used 2022-12-03 16:40:50 +00:00			`hosts = import ./hosts inputs;`
update piped and update flake outputs to make building overlay packages easier 2023-08-18 20:00:23 +01:00			`in`
			`{`
add blahaj hm config 2024-07-24 16:15:46 +01:00			`inherit (hosts) nixosConfigurations homeConfigurations;`
update piped and update flake outputs to make building overlay packages easier 2023-08-18 20:00:23 +01:00			`}`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`// (inputs.flake-utils.lib.eachDefaultSystem (`
			`system: let`
			`pkgs = import nixpkgs {`
			`inherit system;`
piped-proxy on raspberry 2023-09-14 19:44:27 +01:00			`config.allowUnfree = true;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`overlays = [`
			`(import ./overlay)`
			`];`
			`};`
			`in`
major tidy 2023-09-18 03:56:58 +01:00			`foldl' recursiveUpdate {} [`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`{`
piped-proxy on raspberry 2023-09-14 19:44:27 +01:00			`# we expose nixpkgs.${system} so that we can nix run/build stuff`
			`# from nixpkgs from flake's input versions`
			`nixpkgs = pkgs;`

wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`formatter = pkgs.alejandra;`
allow generating secrets init scripts outside of module, run deadnix&formatter, update state versions 2023-09-11 23:22:18 +01:00
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`devShell = pkgs.mkShell {`
start work on arm for vault 2023-09-20 15:46:20 +01:00			`VAULT_ADDR = "https://vault.owo.monster";`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`packages =`
			`(with pkgs; [`
			`git`
			`nano`
			`nix`
remove obsidian & session for desktops for now, add some more nix tools, use nom in rebuild 2024-04-11 14:02:04 +01:00			`nix-tree`
add freshrss to hetzner-arm, add nix-output-monitor to default profile 2024-04-02 16:40:20 +01:00			`nix-output-monitor`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`])`
			`++ (with self.packages."${system}"; [`
			`mk-enc-usb`
start work on arm for vault 2023-09-20 15:46:20 +01:00			`mk-encrypted-drive`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`]);`
			`};`
allow generating secrets init scripts outside of module, run deadnix&formatter, update state versions 2023-09-11 23:22:18 +01:00
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`packages = {`
			`inherit (pkgs) comic-code comic-sans;`
remove raspberry ext drive 2024-07-21 20:43:32 +01:00			`inherit (pkgs) mk-enc-usb mk-encrypted-drive;`
remove quassel, update stateVersion, move to new server, some tidying 2024-05-25 21:10:26 +01:00			`inherit (pkgs) gotosocial mpd-headless;`
changes maybe 2023-09-20 18:04:33 +01:00			`inherit (pkgs) kitty-terminfo;`
add raspberrypi-utils 2024-09-04 11:59:59 +01:00			`inherit (pkgs) linux_rpi5 raspberrypifw raspberrypiWirelessFirmware raspberrypi-utils;`
add widevine and move back to pi4 kernel for now 2024-09-04 13:45:56 +01:00			`inherit (pkgs) widevine-aarch64-4k widevine-aarch64-16k;`
add blahaj hm config 2024-07-24 16:15:46 +01:00			`inherit (inputs.home-manager-unstable.packages."${system}") home-manager;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`};`
			`}`
allow generating secrets init scripts outside of module, run deadnix&formatter, update state versions 2023-09-11 23:22:18 +01:00
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`# secrets-init, secrets-check and vault-policy for machines and containers`
			`(let`
major tidy 2023-09-18 03:56:58 +01:00			`secretsLib = import ./modules/nixos/secretsLib/lib.nix {`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`inherit (nixpkgs) lib;`
			`inherit pkgs;`
			`};`
allow generating secrets init scripts outside of module, run deadnix&formatter, update state versions 2023-09-11 23:22:18 +01:00
major tidy 2023-09-18 03:56:58 +01:00			`systemConfigForSystem = systemName: self.nixosConfigurations.${systemName}.config;`

			`secretsConfigForSystem = systemName: let`
			`systemConfig = systemConfigForSystem systemName;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`in`
			`systemConfig.services.secrets;`
start work on allowing use of deploy-rs 2021-12-26 15:43:53 +00:00
major tidy 2023-09-18 03:56:58 +01:00			`systemConfigForContainer = systemName: containerName: let`
			`systemConfig = systemConfigForSystem systemName;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`in`
major tidy 2023-09-18 03:56:58 +01:00			`systemConfig.containers.${containerName}.config;`
move deployNodes into own file 2022-03-02 17:55:44 +00:00
major tidy 2023-09-18 03:56:58 +01:00			`secretsConfigForContainer = systemName: containerName: let`
			`systemConfig = systemConfigForContainer systemName containerName;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`in`
			`systemConfig.services.secrets;`

major tidy 2023-09-18 03:56:58 +01:00			`secretsInitScriptForSystem = systemName: let`
			`secretsConfig = secretsConfigForSystem systemName;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`in`
major tidy 2023-09-18 03:56:58 +01:00			`secretsLib.mkSecretsInitScriptWithName secretsConfig "${systemName}";`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00
major tidy 2023-09-18 03:56:58 +01:00			`secretsInitScriptForContainer = systemName: containerName: let`
			`secretsConfig = secretsConfigForContainer systemName containerName;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`in`
major tidy 2023-09-18 03:56:58 +01:00			`secretsLib.mkSecretsInitScriptWithName secretsConfig "${systemName}-container-${containerName}";`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00
major tidy 2023-09-18 03:56:58 +01:00			`vaultPolicyForSystem = systemName: let`
			`secretsConfig = secretsConfigForSystem systemName;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`in`
major tidy 2023-09-18 03:56:58 +01:00			`secretsLib.genVaultPolicy secretsConfig "${systemName}";`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00
major tidy 2023-09-18 03:56:58 +01:00			`vaultPolicyForContainer = systemName: containerName: let`
			`secretsConfig = secretsConfigForContainer systemName containerName;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`in`
major tidy 2023-09-18 03:56:58 +01:00			`secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}";`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00
			`# All machines/containers with secrets.nix`
add update-vault-policies command 2023-10-27 17:28:06 +01:00			`machines = let`
			`doesHaveHostSecrets = machineName: let`
			`hostConfig = self.nixosConfigurations.${machineName}.config;`
			`secretsConfig = hostConfig.services.secrets;`
			`in`
			`secretsConfig.enable && secretsConfig.vaultLogin.enable;`

			`containersForMachine = machineName: let`
			`hostConfig = self.nixosConfigurations.${machineName}.config;`
			`in`
			`lib.filter (containerName: let`
			`containerConfig = hostConfig.containers.${containerName}.config;`
			`secretsConfig = containerConfig.services.secrets;`
			`in`
			`secretsConfig.enable && secretsConfig.vaultLogin.enable) (builtins.attrNames hostConfig.containers);`

			`configForMachine = machineName: {`
			`hasHostSecrets = doesHaveHostSecrets machineName;`
			`containers = containersForMachine machineName;`
start work on hetzner-arm for real now 2023-09-20 18:44:24 +01:00			`};`
add update-vault-policies command 2023-10-27 17:28:06 +01:00			`in {`
			`"hetzner-arm" =`
			`configForMachine "hetzner-arm"`
			`// {`
			`sshAddress = "hetzner-arm.servers.genderfucked.monster";`
			`};`
			`"lappy-t495" = configForMachine "lappy-t495";`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`};`

major tidy 2023-09-18 03:56:58 +01:00			`machinesWithHostSecrets = filter (`
first pass using statix linter 2024-03-10 17:26:18 +00:00			`machine: machines.${machine}.hasHostSecrets`
major tidy 2023-09-18 03:56:58 +01:00			`) (builtins.attrNames machines);`

			`machinesWithContainers = filter (`
add update-vault-policies command 2023-10-27 17:28:06 +01:00			`machine: (machines.${machine}.containers or []) != []`
major tidy 2023-09-18 03:56:58 +01:00			`) (builtins.attrNames machines);`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`in {`
			`packages = mergeAttrsList [`
add update-vault-policies command 2023-10-27 17:28:06 +01:00			`{`
			`"update-vault-policies" = pkgs.writeShellScriptBin "update-vault-policies" ''`
			`${lib.concatStringsSep "\n" (map (hostName: let`
			`machineContainers = machines.${hostName}.containers;`
			`in ''`
			`echo "Deploying policy for ${hostName}"`
			`vault policy write ${hostName} ${self.packages.${system}."vault-policy-${hostName}"}`

			`${lib.concatStringsSep "\n" (map (containerName: let`
			`policyName = "${hostName}-container-${containerName}";`
			`in ''`
			`echo "Deploying policy for ${policyName}"`
			`vault policy write ${policyName} ${self.packages.${system}."vault-policy-${policyName}"}`
			`echo`
			`'')`
			`machineContainers)}`

			`echo`
			`'')`
			`machinesWithHostSecrets)}`
			`'';`
			`}`

wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`(mergeAttrsList (`
major tidy 2023-09-18 03:56:58 +01:00			`forEach machinesWithHostSecrets (machineName: {`
			`"secrets-init-${machineName}" = secretsInitScriptForSystem machineName;`
			`"vault-policy-${machineName}" = vaultPolicyForSystem machineName;`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`})`
			`))`

major tidy 2023-09-18 03:56:58 +01:00			`(mergeAttrsList (forEach machinesWithContainers (machineName: let`
			`machine = machines.${machineName};`
first pass using statix linter 2024-03-10 17:26:18 +00:00			`inherit (machine) containers;`
run formatter 2024-03-10 18:29:49 +00:00			`in`
			`mergeAttrsList (forEach containers (containerName: {`
			`"secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;`
			`"vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;`
			`})))))`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`];`
			`})`
			`]`
			`))`