refactor(ci): scripts

2026-02-09 04:19:19 -08:00 · 2024-02-22 11:46:52 -08:00 · 2024-02-22 11:46:52 -08:00 · 5c73439cad
commit 5c73439cad
parent c4fcb16fef
19 changed files with 288 additions and 207 deletions
--- a/ci/alejandra.sh
+++ b/ci/alejandra.sh
@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 set -eu
 for blacklist_dir in "${NF_NIX_BLACKLIST_DIRS[@]}"; do
 	set -- --exclude "$blacklist_dir" "$@"
 done
 exec alejandra "$@"
--- a/ci/build.sh
+++ b/ci/build.sh
@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 set -eu
 ARG_NODE=$1
 shift
 exec nix build --no-link --print-out-paths \
 	"${NF_CONFIG_ROOT}#nixosConfigurations.$ARG_NODE.config.system.build.toplevel" \
 	--show-trace "$@"
--- a/ci/deadnix.sh
+++ b/ci/deadnix.sh
@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 set -eu
 NF_NIX_BLACKLIST_FILES=(
 	$(find "${NF_NIX_BLACKLIST_DIRS[@]}" -type f)
 )
 exec deadnix "$@" \
 	--no-lambda-arg \
 	--exclude "${NF_NIX_BLACKLIST_FILES[@]}"
--- a/ci/deploy.sh
+++ b/ci/deploy.sh
@ -1,59 +0,0 @@
 #!/usr/bin/env bash
 set -eu
 NF_CONFIG_ROOT=${NF_CONFIG_ROOT-.}
 NF_HOST=${NF_HOST-tewi}
 NIXOS_TOPLEVEL=nixosConfigurations.$NF_HOST.config.system.build.toplevel
 NF_ADDR=${NF_ADDR-${NF_HOST}.local}
 if [[ $NF_ADDR = tewi.local ]]; then
 	# work around homekit namespace clash
 	NF_ADDR=tewi.local.gensokyo.zone
 fi
 if [[ $# -eq 0 ]]; then
 	set -- ""
 fi
 if [[ $1 = tarball ]]; then
 	shift
 	set -- build "$@"
 	NIXOS_TOPLEVEL=nixosConfigurations.$NF_HOST.config.system.build.tarball
 fi
 if [[ $1 = build ]]; then
 	shift
 	exec nix build --no-link --print-out-paths \
 		$NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL \
 		"$@"
 elif [[ $1 = switch ]] || [[ $1 = boot ]] || [[ $1 = test ]] || [[ $1 = dry-* ]]; then
 	METHOD=$1
 	shift
 	exec nixos-rebuild $METHOD \
 		--flake $NF_CONFIG_ROOT\#$NF_HOST \
 		--no-build-nix \
 		--target-host $NF_ADDR --use-remote-sudo \
 		"$@"
 elif [[ $1 = check ]]; then
 	EXIT_CODE=0
 	DEFAULT=$(nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL)
 	FLAKE=$(nix eval --raw $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL)
 	if [[ $DEFAULT != $FLAKE ]]; then
 		echo default.nix: $DEFAULT
 		echo flake.nix: $FLAKE
 		EXIT_CODE=1
 	else
 		echo untrusted ok: $FLAKE
 	fi
 	exit $EXIT_CODE
 elif [[ $1 = ssh ]]; then
 	shift
 	exec ssh $NIX_SSHOPTS $NF_ADDR "$@"
 elif [[ $1 = sops-keyscan ]]; then
 	shift
 	ssh-keyscan $NIX_SSHOPTS $NF_ADDR | nix run nixpkgs#ssh-to-age
 else
 	echo unknown cmd $1 >&2
 	exit 1
 fi
--- a/ci/fmt-nix.sh
+++ b/ci/fmt-nix.sh
@ -0,0 +1,4 @@
 #!/usr/bin/env bash
 set -eu
 exec nf-alejandra "${NF_NIX_WHITELIST_FILES[@]}" "$@"
--- a/ci/fmt-tf.sh
+++ b/ci/fmt-tf.sh
@ -0,0 +1,4 @@
 #!/usr/bin/env bash
 set -eu
 exec terraform fmt -recursive "$@"
--- a/ci/generate.sh
+++ b/ci/generate.sh
@ -0,0 +1,6 @@
 #!/usr/bin/env bash
 set -eu
 for node in reisen; do
 	nix eval --json "${NF_CONFIG_ROOT}#lib.generate.$node.users" | jq -M . > "$NF_CONFIG_ROOT/systems/$node/users.json"
 done
--- a/ci/hostname.sh
+++ b/ci/hostname.sh
@ -0,0 +1,39 @@
 #!/usr/bin/env bash
 set -eu
 DEPLOY_USER=
 if [[ $# -gt 1 ]]; then
 	ARG_NODE=$1
 	ARG_HOSTNAME=$2
 	shift 2
 else
 	ARG_HOSTNAME=$1
 	shift
 	ARG_NODE=${ARG_HOSTNAME%%.*}
 	if [[ $ARG_HOSTNAME = $ARG_NODE ]]; then
 		if DEPLOY_HOSTNAME=$(nix eval --raw "${NF_CONFIG_ROOT}#deploy.nodes.$ARG_HOSTNAME.hostname" 2>/dev/null); then
 			DEPLOY_USER=$(nix eval --raw "${NF_CONFIG_ROOT}#deploy.nodes.$ARG_HOSTNAME.sshUser" 2>/dev/null || true)
 			ARG_HOSTNAME=$DEPLOY_HOSTNAME
 			if ! ping -w2 -c1 "$DEPLOY_HOSTNAME" >/dev/null 2>&1; then
 				ARG_HOSTNAME="$ARG_NODE.local"
 			fi
 		else
 			ARG_HOSTNAME="$ARG_NODE.local"
 		fi
 	fi
 fi
 if ! ping -w2 -c1 "$ARG_HOSTNAME" >/dev/null 2>&1; then
 	LOCAL_HOSTNAME=$ARG_NODE.local.gensokyo.zone
 	TAIL_HOSTNAME=$ARG_NODE.tail.gensokyo.zone
 	GLOBAL_HOSTNAME=$ARG_NODE.gensokyo.zone
 	if ping -w2 -c1 "$LOCAL_HOSTNAME" >/dev/null 2>&1; then
 		ARG_HOSTNAME=$LOCAL_HOSTNAME
 	elif ping -w2 -c1 "$TAIL_HOSTNAME" >/dev/null 2>&1; then
 		ARG_HOSTNAME=$TAIL_HOSTNAME
 	elif ping -w2 -c1 "$GLOBAL_HOSTNAME" >/dev/null 2>&1; then
 		ARG_HOSTNAME=$GLOBAL_HOSTNAME
 	fi
 fi
 echo "${DEPLOY_USER-}${DEPLOY_USER+@}$ARG_HOSTNAME"
--- a/ci/lint-nix.sh
+++ b/ci/lint-nix.sh
@ -0,0 +1,5 @@
 #!/usr/bin/env bash
 set -eu
 nf-statix check "$@" &&
 	nf-deadnix -f "$@"
--- a/ci/lint-tf.sh
+++ b/ci/lint-tf.sh
@ -0,0 +1,4 @@
 #!/usr/bin/env bash
 set -eu
 exec tflint "$@"
--- a/ci/setup.sh
+++ b/ci/setup.sh
@ -0,0 +1,7 @@
 #!/usr/bin/env bash
 set -eu
 SETUP_HOSTNAME=''${1-reisen}
 exec ssh root@$SETUP_HOSTNAME env \
 	"${NF_SETUP_INPUTS[@]}" \
 	"bash -c \"eval \\\"\\\$(base64 -d <<<\\\$INPUT_INFRA_SETUP)\\\"\""
--- a/ci/sops-keyscan.sh
+++ b/ci/sops-keyscan.sh
@ -0,0 +1,7 @@
 #!/usr/bin/env bash
 set -eu
 ARG_NODE=$1
 shift
 ARG_HOSTNAME=$(nf-hostname "$ARG_NODE")
 ssh-keyscan ''${NIX_SSHOPTS--p62954} "''${ARG_HOSTNAME#*@}" "$@" | ssh-to-age
--- a/ci/ssh.sh
+++ b/ci/ssh.sh
@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 set -eu
 ARG_NODE=$1
 shift
 ARG_HOSTNAME=$(nf-hostname "$ARG_NODE")
 NIX_SSHOPTS=$(nf-sshopts "$ARG_NODE")
 exec ssh $NIX_SSHOPTS "$ARG_HOSTNAME" "$@"
--- a/ci/sshopts.sh
+++ b/ci/sshopts.sh
@ -0,0 +1,21 @@
 #!/usr/bin/env bash
 set -eu
 ARG_HOSTNAME=$1
 ARG_NODE=${ARG_HOSTNAME%%.*}
 if DEPLOY_SSHOPTS=$(nix eval --json "${NF_CONFIG_ROOT}#deploy.nodes.$ARG_HOSTNAME.sshOpts" 2>/dev/null); then
 	SSHOPTS=($(jq -r '.[]' <<<"$DEPLOY_SSHOPTS"))
 	echo "${SSHOPTS[*]}"
 elif [[ $ARG_NODE = reisen ]]; then
 	SSHOPTS=()
 else
 	SSHOPTS=(${NIX_SSHOPTS--p62954})
 fi
 if [[ $ARG_NODE = ct || $ARG_NODE = reisen-ct ]]; then
 	SSHOPTS+=(-oUpdateHostKeys=no -oStrictHostKeyChecking=off)
 else
 	SSHOPTS+=(-oHostKeyAlias=$ARG_NODE.gensokyo.zone)
 fi
 echo "${SSHOPTS[*]}"
--- a/ci/statix.sh
+++ b/ci/statix.sh
@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 set -eu
 if [[ $# -eq 0 ]]; then
 	set -- check
 fi
 if [[ ${1-} = check ]]; then
 	shift
 	set -- check --config "$NF_CONFIG_ROOT/ci/statix.toml" "$@"
 fi
 exec statix "$@"
--- a/ci/switch.sh
+++ b/ci/switch.sh
@ -0,0 +1,23 @@
 #!/usr/bin/env bash
 set -eu
 ARG_NODE=$1
 shift
 ARG_HOSTNAME=$(nf-hostname "$ARG_NODE")
 NIX_SSHOPTS=$(nf-sshopts "$ARG_NODE")
 if [[ $# -gt 0 ]]; then
 	ARG_METHOD=$1
 	shift
 else
 	ARG_METHOD=switch
 fi
 if [[ $ARG_HOSTNAME != root@ ]]; then
 	set -- --use-remote-sudo "$@"
 fi
 exec nixos-rebuild "$ARG_METHOD" \
 	--flake "${NF_CONFIG_ROOT}#${ARG_NODE}" \
 	--no-build-nix \
 	--target-host "$ARG_HOSTNAME" \
 	"$@"
--- a/ci/tarball.sh
+++ b/ci/tarball.sh
@ -0,0 +1,27 @@
 #!/usr/bin/env bash
 set -eu
 if [[ $# -gt 0 ]]; then
 	ARG_NODE=$1
 	shift
 else
 	ARG_NODE=ct
 fi
 ARG_CONFIG_PATH=nixosConfigurations.$ARG_NODE.config
 RESULT=$(nix build --no-link --print-out-paths \
 	"${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.system.build.tarball" \
 	--show-trace "$@")
 if [[ $ARG_NODE = ct ]]; then
 	DATESTAMP=$(nix eval --raw "${NF_CONFIG_ROOT}#lib.inputs.nixpkgs.sourceInfo.lastModifiedDate")
 	DATENAME=${DATESTAMP:0:4}${DATESTAMP:4:2}${DATESTAMP:6:2}
 	SYSARCH=$(nix eval --raw "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.nixpkgs.system")
 	TAREXT=$(nix eval --raw "${NF_CONFIG_ROOT}#$ARG_CONFIG_PATH.system.build.tarball.extension")
 	TARNAME=nixos-system-$SYSARCH.tar$TAREXT
 	OUTNAME="ct-$DATENAME-$TARNAME"
 	ln -sf "$RESULT/tarball/$TARNAME" "$OUTNAME"
 	echo $OUTNAME
 	ls -l $OUTNAME
 else
 	echo $RESULT
 fi
--- a/devShells.nix
+++ b/devShells.nix
@ -49,16 +49,20 @@
      nf-update
      nf-tf
      (mkWrapper {name = "nf-generate";})
      (mkWrapper {name = "nf-deploy";})
      (mkWrapper {name = "nf-setup-node";})
      (mkWrapper {name = "nf-sops-keyscan";})
      (mkWrapper {name = "nf-ssh";})
      (mkWrapper {name = "nf-build";})
      (mkWrapper {name = "nf-tarball";})
      (mkWrapper {name = "nf-switch";})
      (mkWrapper {
        name = "nf-lint-tf";
        subdir = "/tf";
      })
      (mkWrapper {
        name = "nf-fmt-tf";
        subdir = "/tf";
      })
      (mkWrapper {
        name = "nf-lint-nix";
        subdir = "";
--- a/packages/default.nix
+++ b/packages/default.nix
@ -3,11 +3,21 @@
  inputs,
 }: let
  lib = inputs.self.lib.nixlib;
-  inherit (lib.meta) getExe;
+  inherit (lib.strings) makeBinPath;
-  inherit (inputs.std.lib) string list;
+  inherit (inputs.std.lib) string list set;
  packages = inputs.self.packages.${system};
  inherit (inputs.self.legacyPackages.${system}) pkgs;
  fmt = import ../ci/fmt.nix;
  exports = ''
    export NF_CONFIG_ROOT=''${NF_CONFIG_ROOT-${toString ../.}}
  '';
  exportsSsh = ''
    export PATH="${makeBinPath [ packages.nf-hostname packages.nf-sshopts ]}:$PATH"
  '';
  exportsFmtNix = ''
    NF_NIX_BLACKLIST_DIRS=(${string.concatMapSep " " string.escapeShellArg fmt.nix.blacklistDirs})
    NF_NIX_WHITELIST_FILES=(${string.concatMapSep " " string.escapeShellArg fmt.nix.whitelist})
  '';
  output = {
    inherit (pkgs.buildPackages)
      terraform tflint
@ -16,179 +26,112 @@
    ;
    inherit (inputs.deploy-rs.packages.${system}) deploy-rs;
    nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
      ${exports}
      ${exportsSsh}
      exec ${pkgs.runtimeShell} ${../ci/deploy.sh} "$@"
    '';
    nf-setup-node = let
      reisen = ../systems/reisen;
-      inherit (inputs.self.nixosConfigurations.hakurei.config.users.users) arc kat;
+      inherit (inputs.self.lib.lib) userIs;
-      authorizedKeys = string.intercalate "\n" (arc.openssh.authorizedKeys.keys ++ kat.openssh.authorizedKeys.keys);
+      inherit (inputs.self.nixosConfigurations.hakurei.config) users;
      authorizedKeys = list.concatMap (user: user.openssh.authorizedKeys.keys) (
        list.filter (userIs "wheel") users.users
      );
      inputs = {
        INPUT_ROOT_SSH_AUTHORIZEDKEYS = pkgs.writeTextFile "root.authorized_keys" (
          string.intercalate "\n" authorizedKeys
        );
        INPUT_TF_SSH_AUTHORIZEDKEYS = reisen + "/tf.authorized_keys";
        INPUT_SUBUID = reisen + "/subuid";
        INPUT_SUBGID = reisen + "/subgid";
        INPUT_INFRA_SETUP = reisen + "/setup.sh";
        INPUT_INFRA_PUTFILE64 = reisen + "/bin/putfile64.sh";
        INPUT_INFRA_PVE = reisen + "/bin/pve.sh";
        INPUT_INFRA_MKPAM = reisen + "/bin/mkpam.sh";
        INPUT_INFRA_CT_CONFIG = reisen + "/bin/ct-config.sh";
      };
      inputVars = set.mapToValues (key: path: ''${key}="$(base64 -w0 < ${path})"'') inputs;
    in pkgs.writeShellScriptBin "nf-setup-node" ''
-      set -eu
+      ${exports}
-      SETUP_HOSTNAME=''${1-reisen}
+      NF_SETUP_INPUTS=(
-      export INPUT_ROOT_SSH_AUTHORIZEDKEYS=${string.escapeShellArg authorizedKeys}
+        ${string.intercalate "\n" inputVars}
-      exec ssh root@$SETUP_HOSTNAME env \
+      )
-        INPUT_ROOT_SSH_AUTHORIZEDKEYS="$(base64 -w0 <<<"$INPUT_ROOT_SSH_AUTHORIZEDKEYS")" \
+      source ${../ci/setup.sh}
        INPUT_TF_SSH_AUTHORIZEDKEYS="$(base64 -w0 < ${reisen + "/tf.authorized_keys"})" \
        INPUT_SUBUID="$(base64 -w0 < ${reisen + "/subuid"})" \
        INPUT_SUBGID="$(base64 -w0 < ${reisen + "/subgid"})" \
        INPUT_INFRA_SETUP="$(base64 -w0 < ${reisen + "/setup.sh"})" \
        INPUT_INFRA_PUTFILE64="$(base64 -w0 < ${reisen + "/bin/putfile64.sh"})" \
        INPUT_INFRA_PVE="$(base64 -w0 < ${reisen + "/bin/pve.sh"})" \
        INPUT_INFRA_MKPAM="$(base64 -w0 < ${reisen + "/bin/mkpam.sh"})" \
        INPUT_INFRA_CT_CONFIG="$(base64 -w0 < ${reisen + "/bin/ct-config.sh"})" \
        "bash -c \"eval \\\"\\\$(base64 -d <<<\\\$INPUT_INFRA_SETUP)\\\"\""
    '';
    nf-hostname = pkgs.writeShellScriptBin "nf-hostname" ''
-      set -eu
+      ${exports}
-      DEPLOY_USER=
+      source ${../ci/hostname.sh}
      if [[ $# -gt 1 ]]; then
        ARG_NODE=$1
        ARG_HOSTNAME=$2
        shift 2
      else
        ARG_HOSTNAME=$1
        shift
        ARG_NODE=''${ARG_HOSTNAME%%.*}
        if [[ $ARG_HOSTNAME = $ARG_NODE ]]; then
          if DEPLOY_HOSTNAME=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}"#"deploy.nodes.$ARG_HOSTNAME.hostname" 2>/dev/null); then
            DEPLOY_USER=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}"#"deploy.nodes.$ARG_HOSTNAME.sshUser" 2>/dev/null || true)
            ARG_HOSTNAME=$DEPLOY_HOSTNAME
            if ! ping -w2 -c1 "$DEPLOY_HOSTNAME" >/dev/null 2>&1; then
              ARG_HOSTNAME="$ARG_NODE.local"
            fi
          else
            ARG_HOSTNAME="$ARG_NODE.local"
          fi
        fi
      fi
      if ! ping -w2 -c1 "$ARG_HOSTNAME" >/dev/null 2>&1; then
        LOCAL_HOSTNAME=$ARG_NODE.local.gensokyo.zone
        TAIL_HOSTNAME=$ARG_NODE.tail.gensokyo.zone
        GLOBAL_HOSTNAME=$ARG_NODE.gensokyo.zone
        if ping -w2 -c1 "$LOCAL_HOSTNAME" >/dev/null 2>&1; then
          ARG_HOSTNAME=$LOCAL_HOSTNAME
        elif ping -w2 -c1 "$TAIL_HOSTNAME" >/dev/null 2>&1; then
          ARG_HOSTNAME=$TAIL_HOSTNAME
        elif ping -w2 -c1 "$GLOBAL_HOSTNAME" >/dev/null 2>&1; then
          ARG_HOSTNAME=$GLOBAL_HOSTNAME
        fi
      fi
      echo "''${DEPLOY_USER-}''${DEPLOY_USER+@}$ARG_HOSTNAME"
    '';
    nf-sshopts = pkgs.writeShellScriptBin "nf-sshopts" ''
-      set -eu
+      ${exports}
-      ARG_HOSTNAME=$1
+      export PATH="$PATH:${makeBinPath [ pkgs.jq ]}"
-      ARG_NODE=''${ARG_HOSTNAME%%.*}
+      source ${../ci/sshopts.sh}
      if DEPLOY_SSHOPTS=$(nix eval --json "''${NF_CONFIG_ROOT-${toString ../.}}"#"deploy.nodes.$ARG_HOSTNAME.sshOpts" 2>/dev/null); then
        SSHOPTS=($(${getExe packages.jq} -r '.[]' <<<"$DEPLOY_SSHOPTS"))
        echo "''${SSHOPTS[*]}"
      elif [[ $ARG_NODE = reisen ]]; then
        SSHOPTS=()
      else
        SSHOPTS=(''${NIX_SSHOPTS--p62954})
      fi
      if [[ $ARG_NODE = ct || $ARG_NODE = reisen-ct ]]; then
        SSHOPTS+=(-oUpdateHostKeys=no -oStrictHostKeyChecking=off)
      else
        SSHOPTS+=(-oHostKeyAlias=$ARG_NODE.gensokyo.zone)
      fi
      echo "''${SSHOPTS[*]}"
    '';
    nf-sops-keyscan = pkgs.writeShellScriptBin "nf-sops-keyscan" ''
-      set -eu
+      ${exports}
-      ARG_NODE=$1
+      ${exportsSsh}
-      shift
+      export PATH="$PATH:${makeBinPath [ pkgs.ssh-to-age ]}"
-      ARG_HOSTNAME=$(${getExe packages.nf-hostname} "$ARG_NODE")
+      source ${../ci/sops-keyscan.sh}
      ssh-keyscan ''${NIX_SSHOPTS--p62954} "''${ARG_HOSTNAME#*@}" "$@" | ${getExe packages.ssh-to-age}
    '';
    nf-ssh = pkgs.writeShellScriptBin "nf-ssh" ''
-      set -eu
+      ${exports}
-      ARG_NODE=$1
+      ${exportsSsh}
-      ARG_HOSTNAME=$(${getExe packages.nf-hostname} "$ARG_NODE")
+      source ${../ci/ssh.sh}
      NIX_SSHOPTS=$(${getExe packages.nf-sshopts} "$ARG_NODE")
      exec ssh $NIX_SSHOPTS "$ARG_HOSTNAME"
    '';
    nf-build = pkgs.writeShellScriptBin "nf-build" ''
-      set -eu
+      ${exports}
-      ARG_NODE=$1
+      source ${../ci/build.sh}
      shift
      exec nix build --no-link --print-out-paths \
        "''${NF_CONFIG_ROOT-${toString ../.}}#nixosConfigurations.$ARG_NODE.config.system.build.toplevel" \
        --show-trace "$@"
    '';
    nf-tarball = pkgs.writeShellScriptBin "nf-tarball" ''
-      set -eu
+      ${exports}
-      if [[ $# -gt 0 ]]; then
+      source ${../ci/tarball.sh}
-        ARG_NODE=$1
+    '';
-        shift
+    nf-switch = pkgs.writeShellScriptBin "nf-switch" ''
-      else
+      ${exports}
-        ARG_NODE=ct
+      ${exportsSsh}
-      fi
+      source ${../ci/switch.sh}
      ARG_CONFIG_PATH=nixosConfigurations.$ARG_NODE.config
      RESULT=$(nix build --no-link --print-out-paths \
        "''${NF_CONFIG_ROOT-${toString ../.}}#$ARG_CONFIG_PATH.system.build.tarball" \
        --show-trace "$@")
      if [[ $ARG_NODE = ct ]]; then
        DATESTAMP=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}#lib.inputs.nixpkgs.sourceInfo.lastModifiedDate")
        DATENAME=''${DATESTAMP:0:4}''${DATESTAMP:4:2}''${DATESTAMP:6:2}
        SYSARCH=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}#$ARG_CONFIG_PATH.nixpkgs.system")
        TAREXT=$(nix eval --raw "''${NF_CONFIG_ROOT-${toString ../.}}#$ARG_CONFIG_PATH.system.build.tarball.extension")
        TARNAME=nixos-system-$SYSARCH.tar$TAREXT
        OUTNAME="ct-$DATENAME-$TARNAME"
        ln -sf "$RESULT/tarball/$TARNAME" "$OUTNAME"
        echo $OUTNAME
        ls -l $OUTNAME
      fi
    '';
    nf-generate = pkgs.writeShellScriptBin "nf-generate" ''
-      set -eu
+      ${exports}
-
+      export PATH="$PATH:${makeBinPath [ pkgs.jq ]}"
-      for node in reisen; do
+      source ${../ci/generate.sh}
        nix eval --json "''${NF_CONFIG_ROOT-${toString ../.}}"#"lib.generate.$node.users" | jq -M . > "$NF_CONFIG_ROOT/systems/$node/users.json"
      done
    '';
    nf-statix = pkgs.writeShellScriptBin "nf-statix" ''
-      set -eu
+      ${exports}
-      if [[ $# -eq 0 ]]; then
+      export PATH="${makeBinPath [ packages.statix ]}:$PATH"
-        set -- check
+      source ${../ci/statix.sh}
      fi
      if [[ ''${1-} = check ]]; then
        shift
        set -- check --config ${../ci/statix.toml} "$@"
      fi
      exec ${getExe packages.statix} "$@"
    '';
-    nf-deadnix = let
+    nf-deadnix = pkgs.writeShellScriptBin "nf-deadnix" ''
-      inherit (fmt.nix) blacklistDirs;
+      ${exports}
-      excludes = "${getExe pkgs.buildPackages.findutils} ${string.intercalate " " blacklistDirs} -type f";
+      ${exportsFmtNix}
-    in pkgs.writeShellScriptBin "nf-deadnix" ''
+      export PATH="${makeBinPath [ packages.deadnix pkgs.findutils ]}:$PATH"
-      exec ${getExe packages.deadnix} "$@" \
+      source ${../ci/deadnix.sh}
        --no-lambda-arg \
        --exclude $(${excludes})
    '';
-    nf-alejandra = let
+    nf-alejandra = pkgs.writeShellScriptBin "nf-alejandra" ''
-      inherit (fmt.nix) blacklistDirs;
+      ${exports}
-      excludes = string.intercalate " " (list.map (dir: "--exclude ${dir}") blacklistDirs);
+      ${exportsFmtNix}
-    in pkgs.writeShellScriptBin "nf-alejandra" ''
+      source ${../ci/alejandra.sh}
      exec ${getExe packages.alejandra} \
        ${excludes} \
        "$@"
    '';
    nf-lint-tf = pkgs.writeShellScriptBin "nf-lint-tf" ''
-      ${getExe packages.terraform} fmt "$@" &&
+      ${exports}
-      ${packages.tflint}/bin/tflint
+      export PATH="$PATH:${makeBinPath [ packages.tflint ]}"
      source ${../ci/lint-tf.sh}
    '';
    nf-lint-nix = pkgs.writeShellScriptBin "nf-lint-nix" ''
-      ${getExe packages.nf-statix} check "$@" &&
+      ${exports}
-      ${getExe packages.nf-deadnix} -f "$@"
+      export PATH="${makeBinPath [ packages.nf-statix packages.nf-deadnix ]}:$PATH"
      source ${../ci/lint-nix.sh}
    '';
-    nf-fmt-nix = let
+    nf-fmt-tf = pkgs.writeShellScriptBin "nf-fmt-tf" ''
-      inherit (fmt.nix) whitelist;
+      ${exports}
-      includes = string.intercalate " " whitelist;
+      export PATH="${makeBinPath [ packages.terraform ]}:$PATH"
-    in pkgs.writeShellScriptBin "nf-fmt-nix" ''
+      source ${../ci/fmt-tf.sh}
-      exec ${getExe packages.nf-alejandra} ${includes} "$@"
+    '';
    nf-fmt-nix = pkgs.writeShellScriptBin "nf-fmt-nix" ''
      ${exports}
      ${exportsFmtNix}
      export PATH=":{makeBinPath [ packages.nf-alejandra ]}:$PATH"
      source ${../ci/fmt-nix.sh}
    '';
  };
 in output