185 lines
6.6 KiB
Nix
185 lines
6.6 KiB
Nix
{self, ...} @ inputs: let
|
|
nixpkgs = inputs.nixpkgs-unstable;
|
|
lib = nixpkgs.lib;
|
|
|
|
inherit (lib.attrsets) mergeAttrsList recursiveUpdate;
|
|
inherit (lib.lists) foldl' forEach filter;
|
|
|
|
hosts = import ./hosts inputs;
|
|
in
|
|
{
|
|
nixosConfigurations = hosts.nixosConfigurations;
|
|
}
|
|
// (inputs.flake-utils.lib.eachDefaultSystem (
|
|
system: let
|
|
pkgs = import nixpkgs {
|
|
inherit system;
|
|
config.allowUnfree = true;
|
|
overlays = [
|
|
(import ./overlay)
|
|
inputs.piped-flake.overlays.default
|
|
(_prev: final: {
|
|
piped-backend-deps =
|
|
final.piped-backend-deps.overrideAttrs
|
|
{
|
|
# Won't build due to this; added a native-arm64 to all builders on arm64
|
|
# https://github.com/NixOS/nixpkgs/issues/255780
|
|
requiredSystemFeatures = ["native-arm64"];
|
|
};
|
|
piped-backend =
|
|
final.piped-backend.overrideAttrs
|
|
{
|
|
# Won't build due to this; added a native-arm64 to all builders on arm64
|
|
# https://github.com/NixOS/nixpkgs/issues/255780
|
|
requiredSystemFeatures = ["native-arm64"];
|
|
};
|
|
})
|
|
];
|
|
};
|
|
in
|
|
foldl' recursiveUpdate {} [
|
|
{
|
|
# we expose nixpkgs.${system} so that we can nix run/build stuff
|
|
# from nixpkgs from flake's input versions
|
|
nixpkgs = pkgs;
|
|
|
|
formatter = pkgs.alejandra;
|
|
|
|
devShell = pkgs.mkShell {
|
|
VAULT_ADDR = "https://vault.owo.monster";
|
|
packages =
|
|
(with pkgs; [
|
|
git
|
|
nano
|
|
bat
|
|
nix
|
|
vault-bin
|
|
])
|
|
++ (with self.packages."${system}"; [
|
|
mk-enc-usb
|
|
mk-encrypted-drive
|
|
mk-raspberry-ext-drive
|
|
]);
|
|
};
|
|
|
|
packages = {
|
|
inherit (pkgs) comic-code comic-sans;
|
|
inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive;
|
|
inherit (pkgs) gotosocial;
|
|
inherit (pkgs) piped-backend piped-frontend piped-proxy;
|
|
inherit (pkgs) kitty-terminfo;
|
|
};
|
|
}
|
|
|
|
# internal wireguard scripts
|
|
(let
|
|
internalWireGuardLib = import ./lib/internalWireGuardLib.nix {
|
|
inherit (nixpkgs) lib;
|
|
inherit pkgs;
|
|
};
|
|
|
|
wireguardData = import ./data/wireguard/chaosInternalWireGuard.nix;
|
|
hostsWithWireGuard = builtins.attrNames wireguardData.hosts;
|
|
in {
|
|
packages = mergeAttrsList [
|
|
(mergeAttrsList (
|
|
forEach hostsWithWireGuard (hostName: {
|
|
"wg-keys-init-${hostName}" = internalWireGuardLib.genInitScript hostName;
|
|
"wg-gen-conf-${hostName}" = internalWireGuardLib.genConfScript hostName;
|
|
})
|
|
))
|
|
{
|
|
"wg-keys-init-all" = internalWireGuardLib.initAllScript;
|
|
}
|
|
];
|
|
})
|
|
|
|
# secrets-init, secrets-check and vault-policy for machines and containers
|
|
(let
|
|
secretsLib = import ./modules/nixos/secretsLib/lib.nix {
|
|
inherit (nixpkgs) lib;
|
|
inherit pkgs;
|
|
};
|
|
|
|
systemConfigForSystem = systemName: self.nixosConfigurations.${systemName}.config;
|
|
|
|
secretsConfigForSystem = systemName: let
|
|
systemConfig = systemConfigForSystem systemName;
|
|
in
|
|
systemConfig.services.secrets;
|
|
|
|
systemConfigForContainer = systemName: containerName: let
|
|
systemConfig = systemConfigForSystem systemName;
|
|
in
|
|
systemConfig.containers.${containerName}.config;
|
|
|
|
secretsConfigForContainer = systemName: containerName: let
|
|
systemConfig = systemConfigForContainer systemName containerName;
|
|
in
|
|
systemConfig.services.secrets;
|
|
|
|
secretsInitScriptForSystem = systemName: let
|
|
secretsConfig = secretsConfigForSystem systemName;
|
|
in
|
|
secretsLib.mkSecretsInitScriptWithName secretsConfig "${systemName}";
|
|
|
|
secretsInitScriptForContainer = systemName: containerName: let
|
|
secretsConfig = secretsConfigForContainer systemName containerName;
|
|
in
|
|
secretsLib.mkSecretsInitScriptWithName secretsConfig "${systemName}-container-${containerName}";
|
|
|
|
vaultPolicyForSystem = systemName: let
|
|
secretsConfig = secretsConfigForSystem systemName;
|
|
in
|
|
secretsLib.genVaultPolicy secretsConfig "${systemName}";
|
|
|
|
vaultPolicyForContainer = systemName: containerName: let
|
|
secretsConfig = secretsConfigForContainer systemName containerName;
|
|
in
|
|
secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}";
|
|
|
|
# All machines/containers with secrets.nix
|
|
machines = rec {
|
|
"hetzner-arm" = {
|
|
containers = ["storage" "music" "quassel" "social" "mail" "postgresql" "piped-fi" "forgejo" "caldav"];
|
|
sshAddress = "hetzner-arm.servers.genderfucked.monster";
|
|
};
|
|
"vault" = {
|
|
sshAddress = "vault.servers.genderfucked.monster";
|
|
};
|
|
"raspberry" = {
|
|
containers = ["piped-uk"];
|
|
sshAddress = "raspberry.servers.genderfucked.monster";
|
|
};
|
|
"lappy-t495" = {};
|
|
"tablet" = {};
|
|
};
|
|
|
|
machinesWithHostSecrets = filter (
|
|
machine: (machines.${machine}.hasHostSecrets or true)
|
|
) (builtins.attrNames machines);
|
|
|
|
machinesWithContainers = filter (
|
|
machine: machines.${machine} ? "containers"
|
|
) (builtins.attrNames machines);
|
|
in {
|
|
packages = mergeAttrsList [
|
|
(mergeAttrsList (
|
|
forEach machinesWithHostSecrets (machineName: {
|
|
"secrets-init-${machineName}" = secretsInitScriptForSystem machineName;
|
|
"vault-policy-${machineName}" = vaultPolicyForSystem machineName;
|
|
})
|
|
))
|
|
|
|
(mergeAttrsList (forEach machinesWithContainers (machineName: let
|
|
machine = machines.${machineName};
|
|
containers = machine.containers;
|
|
in (mergeAttrsList (forEach containers (containerName: {
|
|
"secrets-init-${machineName}-container-${containerName}" = secretsInitScriptForContainer machineName containerName;
|
|
"vault-policy-${machineName}-container-${containerName}" = vaultPolicyForContainer machineName containerName;
|
|
}))))))
|
|
];
|
|
})
|
|
]
|
|
))
|