Moving to modules. Structural changes.

.gitmodules

@@ -1,4 +1,4 @@
-[submodule "trusted"]
+[submodule "config/trusted"]
-	path = trusted
+	path = config/trusted
 	branch = main
 	url = "https://git.kittywit.ch/kat/nixfiles-trusted.git"

README.md

@@ -8,10 +8,9 @@ The public section of my NixOS configuration, using [arcnmx/tf-nix](https://gith
 
 ### Deployment
 
-* `nix run -f . deploy.target.<targetName>.run.apply`
+* `<targetName>-deploy`
-
+* `<targetName>-tf`
-* `nix run -f . deploy.target.<targetName>.run -c terraform destroy`
 
 ### Host Building
 
-* `nix build -f . hosts.<hostName>.config.system.build.toplevel`
+* `nix build -f . network.nodes.<hostName>.deploy.system`

ci/hosts.nix

@@ -16,7 +16,7 @@
 
   jobs = let hostnames = [ "samhain" "yule" "athame" ];
   in mapAttrs' (k: nameValuePair "host-${k}") (genAttrs hostnames (host: {
-      tasks.${host}.inputs = channels.nixfiles.hosts.${host}.config.system.build.toplevel;
+      tasks.${host}.inputs = channels.nixfiles.network.nodes.${host}.deploy.system;
   }));
 
   ci.gh-actions.checkoutOptions.submodules = false;

ci/niv-cron.nix

@@ -74,8 +74,8 @@ with lib; {
             if git status --porcelain | grep -qF nix/sources.json; then
               git -P diff nix/sources.json
               nix build --no-link -Lf . sourceCache.local
-                echo "checking that hosts still build..." >&2
+                echo "checking that network.nodes.still build..." >&2
-              if nix build -Lf . hosts.athame.config.system.build.toplevel && nix-collect-garbage -d && nix build -Lf . hosts.yule.config.system.build.toplevel && nix-collect-garbage -d && nix build -Lf . hosts.samhain.config.system.build.toplevel; then
+              if nix build -Lf . network.nodes.athame.deploy.system && nix-collect-garbage -d && nix build -Lf . network.nodes.yule.system && nix-collect-garbage -d && nix build -Lf . network.nodes.samhain.system; then
                 if [[ -n $CACHIX_SIGNING_KEY ]]; then
                   nix build --no-link -Lf . sourceCache.all
                   cachix push kittywitch $(nix eval --raw -f . sourceCache.allStr)

config/hosts/athame/meta.nix

@@ -1,25 +1,38 @@
-{ config, hosts, lib, ... }:
+{ lib, config, ... }: with lib; {
-with config.resources; {
+config = {
-  resources.hcloud_ssh_key = {
+    deploy.targets.infra = {
-    provider = "hcloud";
+      tf = {
-    type = "ssh_key";
+        resources.hcloud_ssh_key = {
-    inputs = {
+          provider = "hcloud";
-      name = "yubikey";
+          type = "ssh_key";
-      public_key =
+          inputs = {
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCocjQqiDIvzq+Qu3jkf7FXw5piwtvZ1Mihw9cVjdVcsra3U2c9WYtYrA3rS50N3p00oUqQm9z1KUrvHzdE+03ZCrvaGdrtYVsaeoCuuvw7qxTQRbItTAEsfRcZLQ5c1v/57HNYNEsjVrt8VukMPRXWgl+lmzh37dd9w45cCY1QPi+JXQQ/4i9Vc3aWSe4X6PHOEMSBHxepnxm5VNHm4PObGcVbjBf0OkunMeztd1YYA9sEPyEK3b8IHxDl34e5t6NDLCIDz0N/UgzCxSxoz+YJ0feQuZtud/YLkuQcMxW2dSGvnJ0nYy7SA5DkW1oqcy6CGDndHl5StOlJ1IF9aGh0gGkx5SRrV7HOGvapR60RphKrR5zQbFFka99kvSQgOZqSB3CGDEQGHv8dXKXIFlzX78jjWDOBT67vA/M9BK9FS2iNnBF5x6shJ9SU5IK4ySxq8qvN7Us8emkN3pyO8yqgsSOzzJT1JmWUAx0tZWG/BwKcFBHfceAPQl6pwxx28TM3BTBRYdzPJLTkAy48y6iXW6UYdfAPlShy79IYjQtEThTuIiEzdzgYdros0x3PDniuAP0KOKMgbikr0gRa6zahPjf0qqBnHeLB6nHAfaVzI0aNbhOg2bdOueE1FX0x48sjKqjOpjlIfq4WeZp9REr2YHEsoLFOBfgId5P3BPtpBQ== cardno:000612078454";
+            name = "yubikey";
+            public_key =
+              "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCocjQqiDIvzq+Qu3jkf7FXw5piwtvZ1Mihw9cVjdVcsra3U2c9WYtYrA3rS50N3p00oUqQm9z1KUrvHzdE+03ZCrvaGdrtYVsaeoCuuvw7qxTQRbItTAEsfRcZLQ5c1v/57HNYNEsjVrt8VukMPRXWgl+lmzh37dd9w45cCY1QPi+JXQQ/4i9Vc3aWSe4X6PHOEMSBHxepnxm5VNHm4PObGcVbjBf0OkunMeztd1YYA9sEPyEK3b8IHxDl34e5t6NDLCIDz0N/UgzCxSxoz+YJ0feQuZtud/YLkuQcMxW2dSGvnJ0nYy7SA5DkW1oqcy6CGDndHl5StOlJ1IF9aGh0gGkx5SRrV7HOGvapR60RphKrR5zQbFFka99kvSQgOZqSB3CGDEQGHv8dXKXIFlzX78jjWDOBT67vA/M9BK9FS2iNnBF5x6shJ9SU5IK4ySxq8qvN7Us8emkN3pyO8yqgsSOzzJT1JmWUAx0tZWG/BwKcFBHfceAPQl6pwxx28TM3BTBRYdzPJLTkAy48y6iXW6UYdfAPlShy79IYjQtEThTuIiEzdzgYdros0x3PDniuAP0KOKMgbikr0gRa6zahPjf0qqBnHeLB6nHAfaVzI0aNbhOg2bdOueE1FX0x48sjKqjOpjlIfq4WeZp9REr2YHEsoLFOBfgId5P3BPtpBQ== cardno:000612078454";
+          };
+        };
+        resources.athame = {
+          provider = "null";
+          type = "resource";
+          connection = {
+            port = 62954;
+            host = "athame.kittywit.ch";
+          };
+        };
+      };
+    };
+    network.nodes.athame = {
+      imports = lib.hostImport "athame";
+      networking = {
+        hostName = "athame";
+      };
     };
   };
+}
 
-  resources.athame = {
+# For the eventual migration
-    provider = "null";
-    type = "resource";
-    connection = {
-      port = 62954;
-      host = "athame.kittywit.ch";
-    };
-  };
 
-  #resources.athame = {
+#resources.athame = {
   #provider = "hcloud";
   #  type = "server";
   #  inputs = {
@@ -105,4 +118,3 @@ with config.resources; {
   #    SRV = record.out.resource.refAttr "id";
   #  }.${record.out.type}) config.dns.records;
 
-}

config/hosts/athame/nixos/default.nix

@@ -20,7 +20,7 @@ with lib;
     ../../../services/gitea
     ../../../services/syncplay.nix
     ../../../services/weechat.nix
-    ../../../services/bitwarden.nix
+    ../../../services/vaultwarden.nix
     ../../../services/taskserver.nix
     ../../../services/murmur.nix
     ../../../services/matrix.nix
@@ -38,8 +38,6 @@ with lib;
   boot.loader.grub.enable = true;
   boot.loader.grub.version = 2;
 
-  deploy.target = "infra";
-
   networking = {
     hostName = "athame";
     domain = "kittywit.ch";

config/hosts/mabon/nixos/default.nix

@@ -9,8 +9,6 @@
     users.kairi.guiFull
   ];
 
-  deploy.target = "mbp";
-
   networking.wireless.interfaces = [ "wlp3s0" ];
 
   boot.loader.systemd-boot.enable = true;

config/hosts/ostara/meta.nix

@@ -0,0 +1,22 @@
+{ lib, config, ... }: with lib; {
+  config = {
+    deploy.targets.personal = {
+      tf = {
+        resources.ostara = {
+          provider = "null";
+          type = "resource";
+          connection = {
+            port = 62954;
+            host = "192.168.1.245";
+          };
+        };
+      };
+      network.nodes.samhain = {
+        imports = lib.hostImport "samhain";
+        networking = {
+          hostName = "samhain";
+        };
+      };
+    };
+  };
+}

config/hosts/ostara/nixos/default.nix

@@ -5,8 +5,6 @@ with lib;
 {
   imports = [ ./hw.nix profiles.laptop ];
 
-  deploy.target = "slow";
-
   boot.loader.grub.enable = true;
   boot.loader.grub.version = 2;
   boot.loader.grub.device = "/dev/sda";

config/hosts/samhain/meta.nix

@@ -0,0 +1,22 @@
+{ lib, config, ... }: with lib; {
+  config = {
+    deploy.targets.personal = {
+      tf = {
+        resources.samhain = {
+          provider = "null";
+          type = "resource";
+          connection = {
+            port = 62954;
+            host = "192.168.1.135";
+          };
+        };
+      };
+    };
+    network.nodes.samhain = {
+      imports = lib.hostImport "samhain";
+      networking = {
+        hostName = "samhain";
+      };
+    };
+  };
+}

config/hosts/samhain/nixos/default.nix

@@ -24,7 +24,11 @@ in
     ./virtualhosts.nix
   ];
 
-  deploy.target = "personal";
+  home-manager.users.kat = {
+    imports = [
+      ../home
+    ];
+  };
 
   deploy.tf.variables.dyn_username = {
     type = "string";

config/hosts/yule/meta.nix

@@ -0,0 +1,22 @@
+{ lib, config, ... }: with lib; {
+  config = {
+    deploy.targets.personal = {
+      tf = {
+        resources.yule = {
+          provider = "null";
+          type = "resource";
+          connection = {
+            port = 62954;
+            host = "192.168.1.92";
+          };
+        };
+      };
+    };
+    network.nodes.yule = {
+      imports = lib.hostImport "yule";
+      networking = {
+        hostName = "yule";
+      };
+    };
+  };
+}

config/hosts/yule/nixos/default.nix

@@ -17,9 +17,13 @@ with lib;
     users.kat.guiFull
   ];
 
-  networking.wireless.interfaces = [ "wlp2s0" ];
+  home-manager.users.kat = {
+    imports = [
+      ../home
+    ];
+  };
 
-  deploy.target = "personal";
+  networking.wireless.interfaces = [ "wlp2s0" ];
 
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;

config/modules/meta/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  imports = [
+    ./deploy.nix
+    ./network.nix
+  ];
+}

config/modules/meta/deploy.nix

@@ -0,0 +1,99 @@
+{ sources, config, pkgs, lib, ... }: with lib; let
+  cfg = config.deploy;
+  meta = config;
+  tfModule = { lib, ... }: with lib; {
+    config._module.args = {
+      pkgs = mkDefault pkgs;
+    };
+  };
+  tfType = types.submoduleWith {
+    modules = [
+      tfModule
+      "${toString sources.tf-nix}/modules"
+    ];
+  };
+in {
+  imports = [
+    (toString (sources.tf-nix + "/modules/run.nix"))
+  ] ++ (optional (builtins.pathExists ../../trusted/tf/tf.nix) (../../trusted/tf/tf.nix));
+  options = {
+    deploy = {
+      dataDir = mkOption {
+        type = types.path;
+      };
+      local = {
+        isRoot = mkOption {
+          type = types.bool;
+          default = builtins.getEnv "HOME_UID" == "0";
+        };
+        hostName = mkOption {
+          type = types.nullOr types.str;
+          default = let
+            hostName = builtins.getEnv "HOME_HOSTNAME";
+          in if hostName == "" then null else hostName;
+        };
+      };
+      targets = let
+        type = types.submodule ({ config, name, ... }: {
+          options = {
+            name = mkOption {
+              type = types.str;
+              default = name;
+            };
+            nodeNames = mkOption {
+              type = types.listOf types.str;
+              default = [ ];
+            };
+            tf = mkOption {
+              type = tfType;
+              default = { };
+            };
+          };
+          config.tf = mkMerge (singleton {
+            imports = [
+              ../../targets/common
+            ];
+            deps = {
+              select.allProviders = true;
+              enable = true;
+            };
+            terraform = {
+              version = "1.0";
+              logPath = cfg.dataDir + "/terraform-${config.name}.log";
+              dataDir = cfg.dataDir + "/tfdata/${config.name}";
+              environment.TF_CLI_ARGS_apply = "-backup=-";
+              environment.TF_CLI_ARGS_taint = "-backup=-";
+            };
+            state = {
+              file = cfg.dataDir + "/terraform-${config.name}.tfstate";
+            };
+            runners = {
+              lazy = {
+                inherit (meta.runners.lazy) file args;
+                attrPrefix = "deploy.targets.${name}.tf.runners.run.";
+              };
+              run = {
+                apply.name = "${name}-apply";
+                terraform.name = "${name}-tf";
+              };
+            };
+            continue.envVar = "TF_NIX_CONTINUE_${replaceStrings [ "-" ] [ "_" ] config.name}";
+          } ++ map (nodeName: mapAttrs (_: mkMerge) meta.network.nodes.${nodeName}.deploy.tf.out.set) config.nodeNames);
+        });
+      in mkOption {
+        type = types.attrsOf type;
+        default = { };
+      };
+    };
+  };
+  config = {
+    runners = {
+      run = mkMerge (mapAttrsToList (targetName: target: mapAttrs' (k: run:
+      nameValuePair run.name run.set
+      ) target.tf.runners.run) cfg.targets);
+      lazy.run = mkMerge (mapAttrsToList (targetName: target: mapAttrs' (k: run:
+      nameValuePair run.name run.set
+      ) target.tf.runners.lazy.run) cfg.targets);
+    };
+  };
+}

config/modules/meta/network.nix

@@ -0,0 +1,59 @@
+{ pkgs, sources, users, profiles, lib, config, ... }: with lib; 
+
+{
+  options.network = {
+    nixos = {
+      extraModules = mkOption {
+        type = types.listOf types.unspecified;
+        default = [ ];
+      };
+      specialArgs = mkOption {
+        type = types.attrsOf types.unspecified;
+        default = { };
+      };
+      modulesPath = mkOption {
+        type = types.path;
+        default = toString (pkgs.path + "/nixos/modules");
+      };
+    };
+    nodes = let
+      nixosModule = { name, config, meta, modulesPath, lib, ... }: with lib; {
+        config = {
+          nixpkgs = {
+            system = mkDefault pkgs.system;
+            pkgs = mkDefault pkgs;
+            #inherit (pkgs) config;
+          };
+        };
+      };
+      nixosType = let
+        baseModules = import (config.network.nixos.modulesPath + "/module-list.nix");
+      in types.submoduleWith {
+        modules = baseModules
+        ++ singleton nixosModule
+        ++ config.network.nixos.extraModules;
+
+        specialArgs = {
+          inherit baseModules;
+          inherit (config.network.nixos) modulesPath;
+        } // config.network.nixos.specialArgs;
+      };
+    in mkOption {
+      type = types.attrsOf nixosType;
+      default = { };
+    };
+  };
+  config.network = {
+    nixos = {
+      extraModules = [
+        "${toString sources.home-manager}/nixos"
+        ../../modules/nixos
+      ];
+      specialArgs = {
+        inherit (config.network) nodes;
+        inherit sources profiles users;
+        meta = config;
+      };
+    };
+  };
+}

config/modules/nixos/default.nix

@@ -1,10 +1,10 @@
-{ sources, lib, ... }:
+{ meta, sources, lib, ... }:
 
 {
   imports = with (import (sources.nixexprs + "/modules")).nixos; [ base16 base16-shared ] ++ [
-    ./nftables
+    ./nftables.nix
-    ./fw-abstraction
+    ./fw-abstraction.nix
-    ./deploy-tf
+    ./deploy-tf.nix
     (sources.tf-nix + "/modules/nixos/secrets.nix")
     (sources.tf-nix + "/modules/nixos/secrets-users.nix")
     (sources.hexchen + "/modules/hexnet")
@@ -13,4 +13,9 @@
   # stubs for hexchens modules, until more generalized
   options.hexchen.dns = lib.mkOption { };
   options.hexchen.deploy = lib.mkOption { };
+
+  # shim
+  config = {
+    _module.args.hosts = lib.mapAttrs (_: config: { inherit config; } ) meta.network.nodes;
+  };
 }

config/modules/nixos/deploy-tf.nix

@@ -0,0 +1,91 @@
+{ tf, target, name, meta, config, lib, ... }:
+with lib;
+let
+  cfg = config.deploy;
+  unmergedValues = types.mkOptionType {
+    name = "unmergedValues";
+    merge = loc: defs: map (def: def.value) defs;
+  };
+in
+{
+  options.deploy = {
+    targetName = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+    };
+    system = mkOption {
+      type = types.unspecified;
+      readOnly = true;
+    };
+  };
+  options.deploy.tf = mkOption {
+    type = types.submodule {
+      freeformType = types.attrsOf unmergedValues;
+
+      options = {
+        import = mkOption {
+          type = types.attrsOf types.unspecified;
+          default = [ ];
+        };
+        imports = mkOption {
+          type = types.listOf types.str;
+          description = "Other targets to depend on";
+          default = [ ];
+        };
+        attrs = mkOption {
+          type = types.listOf types.str;
+          default = [ ];
+        };
+        out.set = mkOption { type = types.unspecified; };
+      };
+    };
+  };
+
+  config = {
+    deploy = {
+      system = config.system.build.toplevel;
+      targetName = if (meta.deploy.targets ? ${name}) then 
+      (mkDefault name)
+      else
+      head (attrNames ((filterAttrs(targetName: target: elem config.networking.hostName target.nodeNames) meta.deploy.targets)));
+    };
+    deploy.tf = mkMerge (singleton
+      {
+        attrs = [ "import" "imports" "out" "attrs" ];
+        import = genAttrs cfg.tf.imports (target: meta.deploy.targets.${target}.tf);
+        out.set = removeAttrs cfg.tf cfg.tf.attrs;
+        deploy.systems.${config.networking.hostName} =
+          with tf.resources; {
+            isRemote =
+              (config.networking.hostName != builtins.getEnv "HOME_HOSTNAME");
+            nixosConfig = config;
+            connection = tf.resources.${config.networking.hostName}.connection.set;
+            triggers.copy.${config.networking.hostName} =
+              tf.resources.${config.networking.hostName}.refAttr "id";
+            triggers.secrets.${config.networking.hostName} =
+              tf.resources.${config.networking.hostName}.refAttr "id";
+          };
+
+        dns.records."kittywitch_net_${config.networking.hostName}" =
+          mkIf (config.hexchen.network.enable) {
+            tld = "kittywit.ch.";
+            domain = "${config.networking.hostName}.net";
+            aaaa.address = config.hexchen.network.address;
+          };
+
+      } ++ mapAttrsToList
+      (_: user:
+        mapAttrs (_: mkMerge) user.deploy.tf.out.set)
+      config.home-manager.users);
+
+    security.acme.certs."${config.networking.hostName}.net.kittywit.ch" =
+      mkIf (config.services.nginx.enable && config.hexchen.network.enable) {
+        domain = "${config.networking.hostName}.net.kittywit.ch";
+        dnsProvider = "rfc2136";
+        credentialsFile = config.secrets.files.dns_creds.path;
+        group = "nginx";
+      };
+    _module.args.target = mapNullable (targetName: meta.deploy.targets.${targetName}) cfg.targetName;
+    _module.args.tf = mapNullable (target: target.tf) target;
+  };
+}

config/modules/nixos/fw-abstraction.nix

@@ -1,4 +1,4 @@
-{ config, hosts, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 

config/nixos.nix

@@ -0,0 +1,52 @@
+{ pkgs, config, lib, tf, sources, options, profiles, ... }:
+
+{
+  imports = [
+    profiles/common
+  ];
+
+  options = {
+    deploy.profile.gui = lib.mkEnableOption "graphical system";
+    deploy.profile.fvwm = lib.mkEnableOption "fvwm";
+    deploy.profile.sway = lib.mkEnableOption "sway wm";
+    deploy.profile.laptop = lib.mkEnableOption "lappytop";
+    home-manager.users = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submoduleWith {
+        modules = [ ./modules/home ];
+        specialArgs = {
+          inherit sources tf;
+          superConfig = config;
+          modulesPath = sources.home-manager + "/modules";
+        };
+      });
+    };
+  };
+
+  config = {
+    home-manager = {
+      useUserPackages = true;
+      useGlobalPkgs = true;
+
+      users = {
+        kat = {
+          imports = lib.optional (builtins.pathExists ./trusted/users/kat) (import ./trusted/users/kat);
+
+          options = {
+            deploy.profile.gui = lib.mkEnableOption "graphical system";
+            deploy.profile.sway = lib.mkEnableOption "sway wm";
+            deploy.profile.laptop = lib.mkEnableOption "lappytop";
+          };
+        };
+        kairi = {
+          imports = lib.optional (builtins.pathExists ./trusted/users/kairi) (import ./trusted/users/kairi);
+
+          options = {
+            deploy.profile.gui = lib.mkEnableOption "graphical system";
+            deploy.profile.fvwm = lib.mkEnableOption "fvwm";
+            deploy.profile.laptop = lib.mkEnableOption "lappytop";
+          };
+        };
+      };
+    };
+  };
+}