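# Top-level flake outputs for this infrastructure repository:
#   * nixosConfigurations – every host, built from ./hosts
#   * per system (via flake-utils eachDefaultSystem):
#       nixpkgs, formatter, devShell / devShells.default, packages
#     where `packages` is the union of a few pinned packages, the internal
#     WireGuard helper scripts, and the per-machine / per-container
#     secrets-init and vault-policy scripts.
{self, ...} @ inputs: let
  nixpkgs = inputs.nixpkgs-unstable;
  lib = nixpkgs.lib;
  inherit (lib.attrsets) mergeAttrsList recursiveUpdate;
  inherit (lib.lists) foldl' forEach filter;
  hosts = import ./hosts inputs;
in
  {
    nixosConfigurations = hosts.nixosConfigurations;
  }
  // (inputs.flake-utils.lib.eachDefaultSystem (
    system: let
      pkgs = import nixpkgs {
        inherit system;
        # Unfree packages are allowed for everything evaluated from this pkgs.
        config.allowUnfree = true;
        overlays = [
          (import ./overlay)
          inputs.piped-flake.overlays.default
          # nixpkgs overlays receive `final: prev:`. The overrides read from
          # `prev` (the package set before this overlay) so they do not recurse
          # into the fixpoint. The original spelled the arguments
          # `_prev: final:` and used `final`, which was this same second
          # argument; only the names changed.
          (_final: prev: {
            piped-backend-deps = prev.piped-backend-deps.overrideAttrs {
              # Won't build due to this; added a native-arm64 to all builders on arm64
              # https://github.com/NixOS/nixpkgs/issues/255780
              # NOTE(review): eachDefaultSystem applies this override for every
              # system, so a non-arm64 builder must also advertise the
              # `native-arm64` feature for the derivation to be schedulable
              # there — confirm that is intended.
              requiredSystemFeatures = ["native-arm64"];
            };
            piped-backend = prev.piped-backend.overrideAttrs {
              # Won't build due to this; added a native-arm64 to all builders on arm64
              # https://github.com/NixOS/nixpkgs/issues/255780
              requiredSystemFeatures = ["native-arm64"];
            };
          })
        ];
      };

      # Development shell. VAULT_ADDR points the vault CLI at this
      # infrastructure's Vault server; the drive/usb helper scripts come from
      # this flake's own `packages` output for the same system.
      devShell = pkgs.mkShell {
        VAULT_ADDR = "https://vault.owo.monster";
        packages =
          (with pkgs; [
            git
            nano
            bat
            nix
            vault-bin
          ])
          ++ (with self.packages."${system}"; [
            mk-enc-usb
            mk-encrypted-drive
            mk-raspberry-ext-drive
          ]);
      };
    in
      # Each list element is a partial outputs set; recursiveUpdate merges
      # them so the `packages` attrset from every element ends up in one set.
      foldl' recursiveUpdate {} [
        {
          # we expose nixpkgs.${system} so that we can nix run/build stuff
          # from nixpkgs from flake's input versions
          nixpkgs = pkgs;
          formatter = pkgs.alejandra;
          # `devShell` is the legacy per-system output kept for existing
          # callers; `devShells.default` is the current flake schema. Both
          # refer to the same derivation.
          inherit devShell;
          devShells.default = devShell;
          packages = {
            inherit (pkgs) comic-code comic-sans;
            inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive;
            inherit (pkgs) gotosocial;
            inherit (pkgs) piped-backend piped-frontend piped-proxy;
            inherit (pkgs) kitty-terminfo;
          };
        }

        # internal wireguard scripts
        (let
          internalWireGuardLib = import ./lib/internalWireGuardLib.nix {
            inherit (nixpkgs) lib;
            inherit pkgs;
          };
          wireguardData = import ./data/wireguard/chaosInternalWireGuard.nix;
          hostsWithWireGuard = builtins.attrNames wireguardData.hosts;
        in {
          # One key-init and one conf-gen script per WireGuard host, plus one
          # script that initialises keys for all hosts. Every name carries the
          # host name, so the merged attribute names cannot collide.
          packages = mergeAttrsList [
            (mergeAttrsList (
              forEach hostsWithWireGuard (hostName: {
                "wg-keys-init-${hostName}" = internalWireGuardLib.genInitScript hostName;
                "wg-gen-conf-${hostName}" = internalWireGuardLib.genConfScript hostName;
              })
            ))
            {"wg-keys-init-all" = internalWireGuardLib.initAllScript;}
          ];
        })

        # secrets-init, secrets-check and vault-policy for machines and containers
        (let
          secretsLib = import ./modules/nixos/secretsLib/lib.nix {
            inherit (nixpkgs) lib;
            inherit pkgs;
          };

          # The scripts below are derived from each machine's evaluated NixOS
          # configuration (`services.secrets`), and for containers from the
          # container's nested NixOS configuration, so building any of them
          # evaluates that host's full configuration.
          systemConfigForSystem = systemName:
            self.nixosConfigurations.${systemName}.config;
          secretsConfigForSystem = systemName:
            (systemConfigForSystem systemName).services.secrets;
          systemConfigForContainer = systemName: containerName:
            (systemConfigForSystem systemName).containers.${containerName}.config;
          secretsConfigForContainer = systemName: containerName:
            (systemConfigForContainer systemName containerName).services.secrets;

          # Script/policy names: "<machine>" for hosts and
          # "<machine>-container-<container>" for containers.
          secretsInitScriptForSystem = systemName:
            secretsLib.mkSecretsInitScriptWithName (secretsConfigForSystem systemName) systemName;
          secretsInitScriptForContainer = systemName: containerName:
            secretsLib.mkSecretsInitScriptWithName
            (secretsConfigForContainer systemName containerName)
            "${systemName}-container-${containerName}";
          vaultPolicyForSystem = systemName:
            secretsLib.genVaultPolicy (secretsConfigForSystem systemName) systemName;
          vaultPolicyForContainer = systemName: containerName:
            secretsLib.genVaultPolicy
            (secretsConfigForContainer systemName containerName)
            "${systemName}-container-${containerName}";

          # All machines/containers with secrets.nix.
          # A machine may set `hasHostSecrets = false` to skip the host-level
          # scripts (none does currently, so all machines get them);
          # `containers` lists the containers that get their own scripts.
          machines = {
            "hetzner-arm" = {
              containers = ["storage" "music" "quassel" "social" "mail" "postgresql" "piped-fi" "forgejo"];
              sshAddress = "hetzner-arm.servers.genderfucked.monster";
            };
            "vault" = {
              sshAddress = "vault.servers.genderfucked.monster";
            };
            "raspberry" = {
              containers = ["piped-uk"];
              sshAddress = "raspberry.servers.genderfucked.monster";
            };
            "lappy-t495" = {};
            "tablet" = {};
          };
          machineNames = builtins.attrNames machines;
          machinesWithHostSecrets = filter (
            machine: (machines.${machine}.hasHostSecrets or true)
          ) machineNames;
          machinesWithContainers = filter (
            machine: machines.${machine} ? "containers"
          ) machineNames;

          hostScripts = machineName: {
            "secrets-init-${machineName}" = secretsInitScriptForSystem machineName;
            "vault-policy-${machineName}" = vaultPolicyForSystem machineName;
          };
          containerScripts = machineName: containerName: {
            "secrets-init-${machineName}-container-${containerName}" =
              secretsInitScriptForContainer machineName containerName;
            "vault-policy-${machineName}-container-${containerName}" =
              vaultPolicyForContainer machineName containerName;
          };
        in {
          packages = mergeAttrsList [
            (mergeAttrsList (forEach machinesWithHostSecrets hostScripts))
            (mergeAttrsList (forEach machinesWithContainers (machineName:
              mergeAttrsList (
                forEach machines.${machineName}.containers (containerScripts machineName)
              ))))
          ];
        })
      ]
  ))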