From 69c2dcf7f2f2bd169637a46ee90d6913aff1e333 Mon Sep 17 00:00:00 2001 From: kat witch Date: Mon, 29 Mar 2021 02:49:45 +0100 Subject: [PATCH] project-wide: Moving to tf-nix for traditional hosts --- hosts/athame/nixos/default.nix | 26 ++++++++-------- hosts/samhain/nixos/default.nix | 34 -------------------- hosts/yule/nixos/default.nix | 1 - lib/deploy.nix | 33 +++++++++++++++++--- lib/hosts.nix | 4 +-- modules/nixos/default.nix | 1 + modules/nixos/deploy/default.nix | 53 ++------------------------------ profiles/common/nixos/ssh.nix | 2 +- 8 files changed, 47 insertions(+), 107 deletions(-) diff --git a/hosts/athame/nixos/default.nix b/hosts/athame/nixos/default.nix index 3d72844b..9bd8dcd5 100644 --- a/hosts/athame/nixos/default.nix +++ b/hosts/athame/nixos/default.nix @@ -6,20 +6,20 @@ # profiles profiles.kat # host-specific services - #./postgres.nix - #./virtualhosts.nix - #./fail2ban.nix + ./postgres.nix + ./virtualhosts.nix + ./fail2ban.nix # services - #../../../services/nginx.nix - #../../../services/mail.nix - #../../../services/asterisk.nix - #../../../services/gitea - #../../../services/syncplay.nix - #../../../services/bitwarden.nix - #../../../services/taskserver.nix - #../../../services/murmur.nix - #../../../services/znc.nix - #../../../services/matrix.nix + ../../../services/nginx.nix + ../../../services/mail.nix + ../../../services/asterisk.nix + ../../../services/gitea + ../../../services/syncplay.nix + ../../../services/bitwarden.nix + ../../../services/taskserver.nix + ../../../services/murmur.nix + ../../../services/znc.nix + ../../../services/matrix.nix ]; boot.loader.grub.enable = true; diff --git a/hosts/samhain/nixos/default.nix b/hosts/samhain/nixos/default.nix index a7fa3db8..feb75aa5 100644 --- a/hosts/samhain/nixos/default.nix +++ b/hosts/samhain/nixos/default.nix 
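Review bot: All thirteen service imports are re-enabled in one step while the same patch deletes `deploy.enable`, `deploy.ssh.host`, `deploy.ssh.port`, `deploy.substitute` and `system.build.deployScript` from modules/nixos/deploy/default.nix; none of the re-enabled files are in the diff, so if any of them still reads `config.deploy.ssh.*` athame stops evaluating, and that cannot be checked from here. A short comment above the list stating why the entries were commented out and what makes them safe now would help the next reader, e.g. `# re-enabled with the tf-nix deploy path; host/port now come from lib/deploy.nix`. Re-enabling this much network-facing surface in the same commit as the deploy-tooling switch also makes a failed first tf-nix run harder to bisect; splitting the two would keep each change independently revertible.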
@@ -14,40 +14,6 @@ ]; deploy.groups = [ "gui" ]; - deploy.ssh.host = "192.168.1.135"; - - secrets.files.kat-glauca-dns = { - text = pkgs.lib.deployEmbedFuckery '' - user="$(${pkgs.rbw-bitw}/bin/bitw -p gpg://${ - ../../../private/files/bitw/master.gpg - } get infra/hexdns-dynamic -f username)" - pass="$(${pkgs.rbw-bitw}/bin/bitw -p gpg://${ - ../../../private/files/bitw/master.gpg - } get infra/hexdns-dynamic -f password)" - hostname="$(${pkgs.rbw-bitw}/bin/bitw -p gpg://${ - ../../../private/files/bitw/master.gpg - } get infra/hexdns-dynamic -f hostname)" - ''; - owner = "kat"; - group = "users"; - }; - - systemd.services.kat-glauca-dns = { - serviceConfig = { - ExecStart = "${pkgs.kat-glauca-dns}/bin/kat-glauca-dns"; - }; - environment = { passFile = config.secrets.files.kat-glauca-dns.path; }; - wantedBy = [ "default.target" ]; - }; - - systemd.timers.kat-glauca-dns = { - timerConfig = { - Unit = "kat-glauca-dns.service"; - OnBootSec = "5m"; - OnUnitActiveSec = "30m"; - }; - wantedBy = [ "default.target" ]; - }; # graphics tablet services.xserver.wacom.enable = true; diff --git a/hosts/yule/nixos/default.nix b/hosts/yule/nixos/default.nix index a3847021..177374a1 100644 --- a/hosts/yule/nixos/default.nix +++ b/hosts/yule/nixos/default.nix @@ -11,7 +11,6 @@ ]; deploy.groups = [ "gui" ]; - deploy.ssh.host = "192.168.1.92"; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/lib/deploy.nix b/lib/deploy.nix index d18a01db..d3723243 100644 --- a/lib/deploy.nix +++ b/lib/deploy.nix @@ -1,4 +1,4 @@ -{ pkgs, hosts, sources, groups }: +{ pkgs, hosts, sources, groups, group ? "all", host ? null}: with pkgs.lib; 
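Review bot: The new `host ? null` / `group ? "all"` arguments carry an implicit rule, that `host` when given overrides `group`, which only becomes visible in the later hunks of lib/deploy.nix; a comment on the signature would make the contract explicit, e.g. `# host (a key of hosts) deploys one machine; otherwise every member of groups.${group}`. Neither value is validated at entry, so a typo surfaces only as a missing-attribute error from `groups.${group}` or `config.resources."${name}_system_switch"` deep inside the evaluation; `assert host == null || builtins.hasAttr host hosts;` and `assert builtins.hasAttr group groups;` directly after the `with pkgs.lib;` line would fail at the caller's mistake instead. The body of this function continues in the following hunks.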
@@ -12,14 +12,17 @@ let }).config; tf = tfEval ({ config, ... }: { - deps = { enable = true; }; + deps = { + enable = true; + select.hclPaths = (map (name: config.resources."${name}_system_switch".out.hclPathStr) (if host != null then [ host ] else groups.${group} )); + }; state = { file = toString ../private/files/tf/terraform.tfstate; }; runners.lazy = { file = ../.; args = [ "--show-trace" ]; - attrPrefix = "deploy.tf.runners.run."; + attrPrefix = let attr = if host != null then "host.${host}" else "group.${group}"; in "deploy.${attr}.runners.run."; }; terraform = { @@ -45,7 +48,11 @@ let }; }; - athame = { + athame = { provider = "null"; type = "resource"; connection = { port = 62954; host = "athame.kittywit.ch"; }; }; + samhain = { provider = "null"; type = "resource"; connection = { port = 62954; host = "192.168.1.135"; }; }; + yule = { provider = "null"; type = "resource"; connection = { port = 62954; host = "192.168.1.92"; }; }; + + athame-testing = { provider = "hcloud"; type = "server"; inputs = { @@ -76,5 +83,21 @@ let triggers.copy.athame = athame.refAttr "id"; triggers.secrets.athame = athame.refAttr "id"; }; + deploy.systems.samhain = with config.resources; { + nixosConfig = hosts.samhain.config; + connection = samhain.connection.set; + triggers.copy.samhain = athame.refAttr "id"; + triggers.secrets.samhain = athame.refAttr "id"; + }; + deploy.systems.yule = with config.resources; { + nixosConfig = hosts.yule.config; + connection = yule.connection.set; + triggers.copy.yule = athame.refAttr "id"; + triggers.secrets.yule = athame.refAttr "id"; + }; }); -in { inherit tf; } +in { + inherit tf; + group = genAttrs (attrNames groups) (group: (import ./deploy.nix { inherit pkgs hosts sources groups group; }).tf); + host = genAttrs (attrNames hosts) (host: (import ./deploy.nix { inherit pkgs hosts sources groups host; }).tf); +} diff --git a/lib/hosts.nix b/lib/hosts.nix index 9486a2f1..e642463e 100644 --- a/lib/hosts.nix +++ b/lib/hosts.nix 
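Review bot: `host != null` is evaluated twice with parallel branches in the new `select.hclPaths` and `attrPrefix` lines, so the target list and the attribute name can drift apart when one is edited later; binding `targets = if host != null then [ host ] else groups.${group};` and `scope = if host != null then "host.${host}" else "group.${group}";` once in the enclosing `let`, ahead of `tf = tfEval`, and then using `hclPaths = map (name: config.resources."${name}_system_switch".out.hclPathStr) targets;` and `attrPrefix = "deploy.${scope}.runners.run.";` keeps the two in step. The outer parentheses around the `map` call and around the `if` are redundant in Nix. The enclosing `let` begins before this hunk.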
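Review bot: Port 62954 is hard-coded in the three new `connection` blocks while profiles/common/nixos/ssh.nix in this same patch sets it only with `lib.mkDefault`, so any host that overrides `services.openssh.ports` will still be deployed to 62954 and the connection will fail; `hosts` is already an argument of this file (it is used as `hosts.samhain.config` in the next hunk), so `port = head hosts.samhain.config.services.openssh.ports;` (and the same for athame and yule) derives the port from the host's own sshd configuration, which is what the deleted `deploy.ssh.port` default did. samhain and yule are addressed by private LAN addresses and athame by DNS name; whether the `null`-provider connection pins the SSH host key is not visible in this hunk, and since these connections perform root deployments it is worth confirming against tf-nix's connection options rather than relying on first-use trust. The same port point applies to the ssh.nix hunk at the end of the patch.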
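Review bot: The trigger lines in the new `deploy.systems.samhain` and `deploy.systems.yule` blocks reference `athame.refAttr "id"`, which reads as a copy of the athame block above: samhain and yule would be re-copied and re-secreted whenever the athame resource changes and not when their own resource does. Both `null` resources are now in `config.resources` (previous hunk) and `refAttr "id"` is already used on the `null`-provider athame resource, so the samhain block should read `triggers.copy.samhain = samhain.refAttr "id";` and `triggers.secrets.samhain = samhain.refAttr "id";`, with the same substitution for yule. The `group`/`host` attributes at the bottom re-import this file once per group and per host and each import runs `tfEval` again; that is fine because attribute values are lazy, but a comment such as `# lazily re-evaluates this file per group/host; each entry is an independent tf run` would save the next reader from worrying about recursion.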
@@ -35,6 +35,6 @@ rec { groups = listToAttrs (map (groupName: nameValuePair groupName - (filter (host: elem groupName host.config.deploy.groups) - (attrValues hosts))) groupNames); + (attrNames (filterAttrs (name: host: elem groupName host.config.deploy.groups) + hosts))) groupNames); } diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 0ef3391c..44b96a6d 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -2,6 +2,7 @@ { imports = [ + ./deploy (sources.tf-nix + "/modules/nixos/secrets.nix") (sources.tf-nix + "/modules/nixos/secrets-users.nix") ]; diff --git a/modules/nixos/deploy/default.nix b/modules/nixos/deploy/default.nix index 49aa8529..cd9f97b7 100644 --- a/modules/nixos/deploy/default.nix +++ b/modules/nixos/deploy/default.nix @@ -2,42 +2,9 @@ with lib; -let - cfg = config.deploy; - secretsScript = concatMapStrings (file: - '' - ssh $NIX_SSHOPTS -T root@${cfg.ssh.host} "mkdir -p ${ - toString file.out.dir - } - cat > ${file.path} - chmod ${file.mode} ${file.path} - chown ${file.owner}:${file.group} ${file.path}"'' - + (if file.source != null then '' - < ${toString file.source} - '' else '' - <<${if hasPrefix "__FUCKERY__" file.text then "EOF" else "'EOF'"} - ${removePrefix "__FUCKERY__" file.text} - EOF - '')) (attrValues config.secrets.files); -in { +{ options = { deploy = { - enable = mkOption { - type = types.bool; - default = true; - }; - ssh.host = mkOption { - type = types.str; - default = "${config.networking.hostName}.${config.networking.domain}"; - }; - ssh.port = mkOption { - type = types.int; - default = head config.services.openssh.ports; - }; - substitute = mkOption { - type = types.bool; - default = true; - }; groups = mkOption { type = with types; listOf str; default = [ ]; 
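Review bot: `groups.<name>` changes here from a list of host configurations to a list of host names, which the new `groups.${group}` use in lib/deploy.nix expects, but any other consumer of `groups` is outside this patch and would fail at evaluation; a one-line comment on the binding stating the new element type makes the change explicit, `# groupName -> [ hostName ]; lib/deploy.nix resolves the names via config.resources`. The `name` parameter of the `filterAttrs` predicate is unused and could be written `_` to signal that. The enclosing `rec { ... }` starts before this hunk.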
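Review bot: `deploy.enable`, `deploy.ssh.host`, `deploy.ssh.port` and `deploy.substitute` are removed outright, so a host or profile that still sets one of them (this patch only cleans up samhain and yule) fails with a generic undefined-option error; adding nixpkgs' `mkRemovedOptionModule` to this module's `imports`, e.g. `(mkRemovedOptionModule [ "deploy" "ssh" "host" ] "connection details now live in lib/deploy.nix")` for each removed path, names the replacement at the failure site. The deleted `secretsScript` was also the code that applied `file.mode`, `file.owner` and `file.group` to each uploaded secret; that responsibility now falls to tf-nix's secrets.nix imported in modules/nixos/default.nix, which is outside this patch, so it is worth confirming that it honours the same `mode`/`owner`/`group` fields and does not leave the files at the default umask. The module body continues in the next hunk.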
@@ -45,23 +12,7 @@ in { }; }; - config = mkIf cfg.enable { + config = { deploy.groups = [ "all" ]; - - system.build.deployScript = '' - #!${pkgs.runtimeShell} - set -xeo pipefail - export PATH=${with pkgs; lib.makeBinPath [ coreutils openssh nix ]} - export NIX_SSHOPTS="-p${toString cfg.ssh.port}" - nix build ${ - builtins.unsafeDiscardStringContext config.system.build.toplevel.drvPath - } -o result-${config.networking.hostName} - nix copy ${ - if cfg.substitute then "-s" else "" - } --no-check-sigs --to ssh://root@${cfg.ssh.host} ${config.system.build.toplevel} - ${secretsScript} - ssh $NIX_SSHOPTS root@${cfg.ssh.host} "nix-env -p /nix/var/nix/profiles/system -i ${config.system.build.toplevel}" - ssh $NIX_SSHOPTS root@${cfg.ssh.host} "/nix/var/nix/profiles/system/bin/switch-to-configuration $1" - ''; }; } diff --git a/profiles/common/nixos/ssh.nix b/profiles/common/nixos/ssh.nix index 17c6c644..5178b613 100644 --- a/profiles/common/nixos/ssh.nix +++ b/profiles/common/nixos/ssh.nix @@ -3,7 +3,7 @@ { services.openssh = { enable = true; - #ports = lib.mkDefault [ 62954 ]; + ports = lib.mkDefault [ 62954 ]; passwordAuthentication = false; challengeResponseAuthentication = false; permitRootLogin = lib.mkDefault "prohibit-password";