151 lines
5.3 KiB
Nix
151 lines
5.3 KiB
Nix
{self, ...} @ inputs: let
|
|
nixpkgs = inputs.nixpkgs-unstable;
|
|
lib = nixpkgs.lib;
|
|
|
|
inherit (lib.attrsets) mergeAttrsList;
|
|
|
|
hosts = import ./hosts inputs;
|
|
in
|
|
{
|
|
nixosConfigurations = hosts.nixosConfigurations;
|
|
#darwinConfigurations = hosts.darswinConfigurations;
|
|
|
|
deploy.nodes = import ./deployNodes.nix {
|
|
nixosConfigurations = self.nixosConfigurations;
|
|
deploy-rs = inputs.deploy-rs;
|
|
};
|
|
}
|
|
// (inputs.flake-utils.lib.eachDefaultSystem (
|
|
system: let
|
|
pkgs = import nixpkgs {
|
|
inherit system;
|
|
config.allowUnfree = true;
|
|
overlays = [
|
|
(import ./overlay)
|
|
];
|
|
};
|
|
in
|
|
lib.foldl' lib.recursiveUpdate {} [
|
|
{
|
|
# we expose nixpkgs.${system} so that we can nix run/build stuff
|
|
# from nixpkgs from flake's input versions
|
|
nixpkgs = pkgs;
|
|
|
|
formatter = pkgs.alejandra;
|
|
|
|
devShell = pkgs.mkShell {
|
|
VAULT_API_ADDR = "https://vault.owo.monster";
|
|
packages =
|
|
(with pkgs; [
|
|
git
|
|
nano
|
|
bat
|
|
nix
|
|
vault-bin
|
|
])
|
|
++ (with self.packages."${system}"; [
|
|
mk-enc-usb
|
|
mk-normal-enc-ssd
|
|
mk-dual-enc-ssd
|
|
mk-raspberry-ext-drive
|
|
]);
|
|
};
|
|
|
|
packages = {
|
|
inherit (pkgs) comic-code comic-sans;
|
|
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd mk-raspberry-ext-drive;
|
|
inherit (pkgs) gotosocial;
|
|
};
|
|
}
|
|
|
|
# secrets-init, secrets-check and vault-policy for machines and containers
|
|
(let
|
|
secretsLib = import ./modules/nixos/secrets-lib/lib.nix {
|
|
inherit (nixpkgs) lib;
|
|
inherit pkgs;
|
|
};
|
|
|
|
systemConfigForSystem = system_name: self.nixosConfigurations.${system_name}.config;
|
|
secretsConfigForSystem = system_name: let
|
|
systemConfig = systemConfigForSystem system_name;
|
|
in
|
|
systemConfig.services.secrets;
|
|
|
|
systemConfigForContainer = system_name: container_name: let
|
|
systemConfig = systemConfigForSystem system_name;
|
|
in
|
|
systemConfig.containers.${container_name}.config;
|
|
|
|
secretsConfigForContainer = system_name: container_name: let
|
|
systemConfig = systemConfigForContainer system_name container_name;
|
|
in
|
|
systemConfig.services.secrets;
|
|
|
|
secretsInitScriptForSystem = system_name: let
|
|
secretsConfig = secretsConfigForSystem system_name;
|
|
in
|
|
secretsLib.mkSecretsInitScript secretsConfig "${system_name}";
|
|
|
|
secretsInitScriptForContainer = system_name: container_name: let
|
|
secretsConfig = secretsConfigForContainer system_name container_name;
|
|
in
|
|
secretsLib.mkSecretsInitScript secretsConfig "${system_name}-container-${container_name}";
|
|
|
|
vaultPolicyForSystem = system_name: let
|
|
secretsConfig = secretsConfigForSystem system_name;
|
|
in
|
|
secretsLib.genVaultPolicy secretsConfig "${system_name}";
|
|
|
|
vaultPolicyForContainer = system_name: container_name: let
|
|
secretsConfig = secretsConfigForContainer system_name container_name;
|
|
in
|
|
secretsLib.genVaultPolicy secretsConfig "${system_name}-container-${container_name}";
|
|
|
|
# All machines/containers with secrets.nix
|
|
machines = let
|
|
defaults = {
|
|
hasHostSecrets = true;
|
|
containers = [];
|
|
};
|
|
in {
|
|
"hetzner-vm" = {
|
|
inherit (defaults) hasHostSecrets;
|
|
containers = ["storage"];
|
|
};
|
|
"vault" = {
|
|
inherit (defaults) hasHostSecrets containers;
|
|
};
|
|
"raspberry" = {
|
|
inherit (defaults) hasHostSecrets containers;
|
|
};
|
|
"lappy-t495" = {
|
|
inherit (defaults) hasHostSecrets containers;
|
|
};
|
|
"tablet" = {
|
|
inherit (defaults) hasHostSecrets containers;
|
|
};
|
|
};
|
|
|
|
machinesWithHostSecrets = lib.filter (machine: machines.${machine}.hasHostSecrets) (builtins.attrNames machines);
|
|
machinesWithContainers = lib.filter (machine: (builtins.length machines.${machine}.containers) != 0) (builtins.attrNames machines);
|
|
in {
|
|
packages = mergeAttrsList [
|
|
(mergeAttrsList (
|
|
lib.forEach machinesWithHostSecrets (machine_name: {
|
|
"secrets-init-${machine_name}" = secretsInitScriptForSystem machine_name;
|
|
"vault-policy-${machine_name}" = vaultPolicyForSystem machine_name;
|
|
})
|
|
))
|
|
|
|
(mergeAttrsList (lib.forEach machinesWithContainers (machine_name: let
|
|
machine = machines.${machine_name};
|
|
containers = machine.containers;
|
|
in (mergeAttrsList (lib.forEach containers (container_name: {
|
|
"secrets-init-${machine_name}-container-${container_name}" = secretsInitScriptForContainer machine_name container_name;
|
|
"vault-policy-${machine_name}-container-${container_name}" = vaultPolicyForContainer machine_name container_name;
|
|
}))))))
|
|
];
|
|
})
|
|
]
|
|
))
|