Refactors for usability

Using ./home.nix and ./nixos.nix as entrypoints for hosts.
Using hardware profiles.
Using new entrypoints (profiles/base/profiles.nix + profiles/base/home.nix).
New modules (for DNS handling, for themeing, ...).
Split up deploy-tf.nix into several modules.
Renamed common profile to base profile.

config/modules/home/default.nix

@@ -4,7 +4,9 @@
   disabledModules = [ "programs/vim.nix" ];
   imports = with (import (sources.nixexprs + "/modules")).home-manager; [ base16 syncplay konawall i3gopher weechat shell ] ++ [
     ./vim.nix
-    ./deploy-tf.nix
+    ./fvwm.nix
+    ./deploy.nix
+    ./theme.nix
     (sources.tf-nix + "/modules/home/secrets.nix")
   ];
 }

config/modules/home/deploy.nix

@@ -1,5 +1,10 @@
 { config, lib, ... }:
 
+/*
+This module:
+  * Provides in-scope TF config for home-manager.
+*/
+
 with lib;
 
 let

config/modules/home/fvwm.nix

@@ -0,0 +1,9 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options.programs.fvwm = {
+    enable = mkEnableOption "Enable FVWM";
+  };
+}

config/modules/home/theme.nix

@@ -0,0 +1,31 @@
+{ config, lib, ... }:
+
+/*
+This module:
+  * provides a central way to change the font my system uses.
+*/
+
+with lib;
+
+let cfg = config.kw; in {
+  options.kw = {
+    wallpapers = mkOption {
+      type = types.listOf types.path;
+    };
+
+    font = {
+      name = mkOption {
+        type = types.str;
+        default = "Cozette";
+      };
+      size = mkOption {
+        type = types.float;
+        default = 9.0;
+      };
+      size_css = mkOption {
+        type = types.str;
+        default = "${toString (cfg.font.size + 3)}px";
+      };
+    };
+  };
+}

config/modules/home/vim.nix

@@ -1,5 +1,12 @@
 { config, lib, pkgs, ... }:
 
+/*
+This module:
+  * is from an unmerged PR from home-manager.
+
+See: https://github.com/nix-community/home-manager/pull/1745
+*/
+
 with lib;
 
 let

config/modules/meta/deploy.nix

@@ -1,4 +1,16 @@
-{ sources, config, pkgs, lib, ... }: with lib; let
+{ sources, config, pkgs, lib, ... }:
+
+/*
+This module:
+  * makes tf-nix a part of the meta config
+  * handles the trusted import for tf-nix
+  * provides the target interface
+  * imports the per-host TF config for each target
+*/
+
+with lib;
+
+let
   cfg = config.deploy;
   meta = config;
   tfModule = { lib, ... }: with lib; {

config/modules/meta/network.nix

@@ -1,4 +1,13 @@
-{ pkgs, sources, users, profiles, lib, config, ... }: with lib; 
+{ pkgs, sources, users, profiles, hardware, lib, config, ... }:
+
+/*
+This module:
+  * Makes hosts nixosModules.
+  * Manages module imports and specialArgs.
+  * Builds network.nodes.
+*/
+
+with lib;
 
 {
   options.network = {
@@ -22,7 +31,6 @@
           nixpkgs = {
             system = mkDefault pkgs.system;
             pkgs = mkDefault pkgs;
-            #inherit (pkgs) config;
           };
         };
       };

config/modules/nixos/default.nix

@@ -3,18 +3,22 @@
 {
   imports = with (import (sources.nixexprs + "/modules")).nixos; [ base16 base16-shared ] ++ [
     ./nftables.nix
-    ./fw-abstraction.nix
-    ./deploy-tf.nix
+    ./firewall.nix
+    ./deploy.nix
+    ./dns.nix
+    ./dyndns.nix
+    ./yggdrasil.nix
     (sources.tf-nix + "/modules/nixos/secrets.nix")
     (sources.tf-nix + "/modules/nixos/secrets-users.nix")
     (sources.hexchen + "/modules/network/yggdrasil")
   ];
 
-  # stubs for hexchens modules, until more generalized
   options.hexchen.dns = lib.mkOption { };
   options.hexchen.deploy = lib.mkOption { };
 
-  # shim
+  /*
+  This maps hosts to network.nodes from the meta config. This is required for hexchen's yggdrasil network module.
+  */
   config = {
     _module.args.hosts = lib.mapAttrs (_: config: { inherit config; } ) meta.network.nodes;
   };

config/modules/nixos/deploy.nix

@@ -1,5 +1,14 @@
 { tf, target, name, meta, config, lib, ... }:
+
+/*
+This module:
+  * aliases <hostname>.system.build.toplevel to <hostname>.deploy.system for ease of use.
+  * marries meta config to NixOS configs for each host.
+  * provides in-scope TF config in NixOS and home-manager, instead of only as a part of meta config.
+*/
+
 with lib;
+
 let
   cfg = config.deploy;
   unmergedValues = types.mkOptionType {
@@ -65,26 +74,11 @@ in
             triggers.secrets.${config.networking.hostName} =
               tf.resources.${config.networking.hostName}.refAttr "id";
           };
-
-        dns.records."kittywitch_net_${config.networking.hostName}" =
-          mkIf (config.network.yggdrasil.enable) {
-            tld = "kittywit.ch.";
-            domain = "${config.networking.hostName}.net";
-            aaaa.address = config.network.yggdrasil.address;
-          };
-
       } ++ mapAttrsToList
       (_: user:
         mapAttrs (_: mkMerge) user.deploy.tf.out.set)
       config.home-manager.users);
 
-    security.acme.certs."${config.networking.hostName}.net.kittywit.ch" =
-      mkIf (config.services.nginx.enable && config.network.yggdrasil.enable) {
-        domain = "${config.networking.hostName}.net.kittywit.ch";
-        dnsProvider = "rfc2136";
-        credentialsFile = config.secrets.files.dns_creds.path;
-        group = "nginx";
-      };
     _module.args.target = mapNullable (targetName: meta.deploy.targets.${targetName}) cfg.targetName;
     _module.args.tf = mapNullable (target: target.tf) target;
   };

config/modules/nixos/dns.nix

@@ -0,0 +1,49 @@
+{ config, lib, tf, ... }:
+
+/*
+This module:
+* Provides options for setting the domain/tld/... used by default in my service configs.
+*/
+
+with lib;
+
+{
+  options.kw.dns = {
+    email = mkOption {
+      type = types.nullOr types.str;
+      default = "";
+    };
+    tld = mkOption {
+      type = types.nullOr types.str;
+      default = "";
+    };
+    domain = mkOption {
+      type = types.nullOr types.str;
+      default = "";
+    };
+    ygg_prefix = mkOption {
+      type = types.nullOr types.str;
+      default = "";
+    };
+    ipv4 = mkOption {
+      type = types.str;
+    };
+    ipv6 = mkOption {
+      type = types.str;
+    };
+  };
+
+  config = {
+    # Set these.
+    kw.dns.email = "kat@kittywit.ch";
+    kw.dns.tld = "kittywit.ch.";
+    kw.dns.ygg_prefix = "net";
+
+    # This should be set in host config if it needs to be set for a host. Otherwise, they're retrieved from terraform.
+    kw.dns.ipv4 = mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv4_address"));
+    kw.dns.ipv6 = mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv6_address"));
+
+    # This is derived.
+    kw.dns.domain = builtins.substring 0 ((builtins.stringLength config.kw.dns.tld) - 1) config.kw.dns.tld;
+  };
+}

config/modules/nixos/dyndns.nix

@@ -0,0 +1,63 @@
+{ config, pkgs, lib, tf, ... }:
+
+with lib;
+
+{
+  options = {
+    kw.dns.dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater";
+  };
+
+  config = mkIf (config.kw.dns.dynamic) {
+    deploy.tf.variables.dyn_username = {
+      type = "string";
+      value.shellCommand = "bitw get infra/hexdns-dynamic -f username";
+    };
+
+    deploy.tf.variables.dyn_password = {
+      type = "string";
+      value.shellCommand = "bitw get infra/hexdns-dynamic -f password";
+    };
+
+    deploy.tf.variables.dyn_hostname = {
+      type = "string";
+      value.shellCommand = "bitw get infra/hexdns-dynamic -f hostname";
+    };
+
+    secrets.files.kat-glauca-dns = {
+      text = ''
+        user="${tf.variables.dyn_username.ref}"
+        pass="${tf.variables.dyn_password.ref}"
+        hostname="${tf.variables.dyn_hostname.ref}"
+      '';
+    };
+
+    systemd.services.kat-glauca-dns =
+      let updater = pkgs.writeShellScriptBin "glauca-dyndns" ''
+          #!/usr/bin/env bash
+          set -eu
+
+          ip4=$(${pkgs.curl}/bin/curl -s --ipv4 https://dns.glauca.digital/checkip)
+          ip6=$(${pkgs.curl}/bin/curl -s --ipv6 https://dns.glauca.digital/checkip)
+          source $passFile
+          echo "$ip4, $ip6"
+            ${pkgs.curl}/bin/curl -u ''${user}:''${pass} --data-urlencode "hostname=''${hostname}" --data-urlencode "myip=''${ip4}" "https://dns.glauca.digital/nic/update"
+          echo ""
+            ${pkgs.curl}/bin/curl -u ''${user}:''${pass} --data-urlencode "hostname=''${hostname}" --data-urlencode "myip=''${ip6}" "https://dns.glauca.digital/nic/update"
+      ''; in {
+      serviceConfig = {
+        ExecStart = "${updater}/bin/glauca-dyndns";
+      };
+      environment = { passFile = config.secrets.files.kat-glauca-dns.path; };
+      wantedBy = [ "default.target" ];
+    };
+
+    systemd.timers.kat-glauca-dns = {
+      timerConfig = {
+        Unit = "kat-glauca-dns.service";
+        OnBootSec = "5m";
+        OnUnitActiveSec = "1h";
+      };
+      wantedBy = [ "default.target" ];
+    };
+  };
+}

config/modules/nixos/yggdrasil.nix

@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+
+/*
+This module:
+  * Provides AAAA records on a per-host basis for each yggdrasil enabled host.
+  * Provides certificates for those hosts if they run NGINX.
+*/
+
+with lib;
+
+{
+  config = {
+    deploy.tf.dns.records."ygg_${config.networking.hostName}" =
+      mkIf (config.network.yggdrasil.enable) {
+        tld = config.kw.dns.tld;
+        domain = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}";
+        aaaa.address = config.network.yggdrasil.address;
+      };
+    security.acme.certs."${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}" =
+      mkIf (config.services.nginx.enable && config.network.yggdrasil.enable) {
+        domain = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}";
+        dnsProvider = "rfc2136";
+        credentialsFile = config.secrets.files.dns_creds.path;
+        group = "nginx";
+      };
+  };
+}