refactor: clean up flake outputs

.envrc

@@ -9,4 +9,5 @@ source_env_if_exists .envrc.conf
 use flake "${FLAKE_ARGS[@]}"
 export FLAKE_OPTS=${FLAKE_OPTS:-"${FLAKE_ARGS[*]}"}
 
-watch_file devShell.nix
+watch_file outputs.nix
+watch_file devShells.nix

ci/fmt.nix

@@ -1,7 +1,25 @@
 {
   nix = {
     whitelist = [
+      "systems/default.nix"
+      "systems/ct/default.nix"
+      "systems/ct/nixos.nix"
+      "systems/hakurei/default.nix"
+      "systems/kuwubernetes/default.nix"
+      "systems/kuwubernetes/nixos.nix"
+      "systems/mediabox/default.nix"
       "systems/mediabox/nixos.nix"
+      "systems/reimu/default.nix"
+      "systems/tei/default.nix"
+      "systems/tei/nixos.nix"
+      "systems/tei/cloudflared.nix"
+      "systems/tewi/default.nix"
+      "systems/tewi/nixos.nix"
+      "overlays/default.nix"
+      "devShells.nix"
+      "shell.nix"
+      "outputs.nix"
+      "tree.nix"
     ];
     blacklistDirs = [
       "overlays"

devShell.nix

@@ -1,116 +0,0 @@
-{
-  inputs,
-  system,
-}: let
-  inherit (inputs.self.legacyPackages.${system}) pkgs;
-  nf-actions = pkgs.writeShellScriptBin "nf-actions" ''
-    NF_CONFIG_FILES=($NF_CONFIG_ROOT/ci/{nodes,flake-cron}.nix)
-    for f in "''${NF_CONFIG_FILES[@]}"; do
-      echo $f
-      nix run --argstr config "$f" -f '${inputs.ci}' run.gh-actions-generate
-    done
-  '';
-  nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" ''
-    set -eu
-    for host in hakurei reimu tei mediabox ct; do
-      nix run --argstr config "$NF_CONFIG_ROOT/ci/nodes.nix" -f '${inputs.ci}' job.$host.test
-    done
-  '';
-  nf-update = pkgs.writeShellScriptBin "nf-update" ''
-    exec nix flake update "$@"
-  '';
-  nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-deploy" -- "$@"
-  '';
-  nf-setup-node = pkgs.writeShellScriptBin "nf-setup-node" ''
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-setup-node" -- "$@"
-  '';
-  nf-sops-keyscan = pkgs.writeShellScriptBin "nf-sops-keyscan" ''
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-sops-keyscan" -- "$@"
-  '';
-  nf-ssh = pkgs.writeShellScriptBin "nf-ssh" ''
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-ssh" -- "$@"
-  '';
-  nf-build = pkgs.writeShellScriptBin "nf-build" ''
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-build" -- "$@"
-  '';
-  nf-tarball = pkgs.writeShellScriptBin "nf-tarball" ''
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-tarball" -- "$@"
-  '';
-  nf-tf = pkgs.writeShellScriptBin "nf-tf" ''
-    cd "$NF_CONFIG_ROOT/tf"
-    if [[ $# -eq 0 ]]; then
-      exec nix shell ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#terraform" -c bash -c "terraform init && terraform plan"
-    else
-      exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#terraform" -- "$@"
-    fi
-  '';
-  nf-lint-tf = pkgs.writeShellScriptBin "nf-lint-tf" ''
-    cd "$NF_CONFIG_ROOT/tf"
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-lint-tf" -- "$@"
-  '';
-  nf-lint-nix = pkgs.writeShellScriptBin "nf-lint-nix" ''
-    cd "$NF_CONFIG_ROOT"
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-lint-nix" -- "$@"
-  '';
-  nf-fmt-nix = pkgs.writeShellScriptBin "nf-fmt-nix" ''
-    cd "$NF_CONFIG_ROOT"
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-fmt-nix" -- "$@"
-  '';
-  nf-alejandra = pkgs.writeShellScriptBin "alejandra" ''
-    cd "$NF_CONFIG_ROOT"
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-alejandra" -- "$@"
-  '';
-  nf-statix = pkgs.writeShellScriptBin "statix" ''
-    cd "$NF_CONFIG_ROOT"
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-statix" -- "$@"
-  '';
-  nf-deadnix = pkgs.writeShellScriptBin "deadnix" ''
-    cd "$NF_CONFIG_ROOT"
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-deadnix" -- "$@"
-  '';
-  nf-kustomize = pkgs.writeShellScriptBin "kustomize" ''
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#pkgs.kustomize" -- "$@"
-  '';
-  nf-argocd = pkgs.writeShellScriptBin "argocd" ''
-    exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#pkgs.argocd" -- "$@"
-  '';
-  nf-deploy-rs = pkgs.writeShellScriptBin "deploy" ''
-    cd "$NF_CONFIG_ROOT"
-    exec nix shell ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#deploy-rs" -c deploy "$@"
-  '';
-in
-  pkgs.mkShell {
-    nativeBuildInputs = with pkgs; [
-      inetutils
-      sops
-      nf-actions
-      nf-actions-test
-      nf-update
-      nf-deploy
-      nf-setup-node
-      nf-sops-keyscan
-      nf-ssh
-      nf-build
-      nf-tarball
-      nf-tf
-      nf-lint-tf
-      nf-lint-nix
-      nf-fmt-nix
-      nf-alejandra
-      nf-statix
-      nf-deadnix
-      nf-kustomize
-      nf-argocd
-      nf-deploy-rs
-    ];
-    shellHook = ''
-      export NIX_BIN_DIR=$(dirname $(readlink -f $(type -P nix)))
-      export HOME_UID=$(id -u)
-      export HOME_USER=$(id -un)
-      export CI_PLATFORM="impure"
-      export NF_CONFIG_ROOT=''${NF_CONFIG_ROOT-${toString ./.}}
-      export NIX_PATH="$NIX_PATH:home=$NF_CONFIG_ROOT"
-      export NIX_SSHOPTS="''${NIX_SSHOPTS--p62954}"
-    '';
-  }

devShells.nix

@@ -0,0 +1,98 @@
+{
+  inputs,
+  system,
+}: let
+  inherit (inputs.self.legacyPackages.${system}) pkgs;
+  inherit (inputs.self.lib.nixlib) optionalString;
+  mkWrapper = {
+    name,
+    attr ? name,
+    subdir ? null,
+  }:
+    pkgs.writeShellScriptBin name ''
+      ${optionalString (subdir != null) ''cd "$NF_CONFIG_ROOT${subdir}"''}
+      exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#${attr}" -- "$@"
+    '';
+  nf-actions = pkgs.writeShellScriptBin "nf-actions" ''
+    NF_CONFIG_FILES=($NF_CONFIG_ROOT/ci/{nodes,flake-cron}.nix)
+    for f in "''${NF_CONFIG_FILES[@]}"; do
+      echo $f
+      nix run --argstr config "$f" -f '${inputs.ci}' run.gh-actions-generate
+    done
+  '';
+  nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" ''
+    set -eu
+    for host in hakurei reimu tei mediabox ct; do
+      nix run --argstr config "$NF_CONFIG_ROOT/ci/nodes.nix" -f '${inputs.ci}' job.$host.test
+    done
+  '';
+  nf-update = pkgs.writeShellScriptBin "nf-update" ''
+    exec nix flake update "$@"
+  '';
+  nf-tf = pkgs.writeShellScriptBin "nf-tf" ''
+    cd "$NF_CONFIG_ROOT/tf"
+    if [[ $# -eq 0 ]]; then
+      exec nix shell ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#terraform" -c bash -c "terraform init && terraform plan"
+    else
+      exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#terraform" -- "$@"
+    fi
+  '';
+  default = pkgs.mkShell {
+    nativeBuildInputs = with pkgs; [
+      inetutils
+      sops
+      nf-actions
+      nf-actions-test
+      nf-update
+      nf-tf
+      (mkWrapper {name = "nf-deploy";})
+      (mkWrapper {name = "nf-setup-node";})
+      (mkWrapper {name = "nf-sops-keyscan";})
+      (mkWrapper {name = "nf-ssh";})
+      (mkWrapper {name = "nf-build";})
+      (mkWrapper {name = "nf-tarball";})
+      (mkWrapper {
+        name = "nf-lint-tf";
+        subdir = "/tf";
+      })
+      (mkWrapper {
+        name = "nf-lint-nix";
+        subdir = "";
+      })
+      (mkWrapper {
+        name = "nf-fmt-nix";
+        subdir = "";
+      })
+      (mkWrapper {name = "nf-alejandra";})
+      (mkWrapper {
+        name = "statix";
+        attr = "nf-statix";
+      })
+      (mkWrapper {
+        name = "deadnix";
+        attr = "nf-deadnix";
+      })
+      (mkWrapper {
+        name = "kustomize";
+        attr = "pkgs.kustomize";
+      })
+      (mkWrapper {
+        name = "argocd";
+        attr = "pkgs.argocd";
+      })
+      (mkWrapper {
+        name = "deploy";
+        attr = "deploy-rs";
+      })
+    ];
+    shellHook = ''
+      export NIX_BIN_DIR=$(dirname $(readlink -f $(type -P nix)))
+      export HOME_UID=$(id -u)
+      export HOME_USER=$(id -un)
+      export CI_PLATFORM="impure"
+      export NF_CONFIG_ROOT=''${NF_CONFIG_ROOT-${toString ./.}}
+    '';
+  };
+in {
+  inherit default;
+}

flake.lock

@@ -152,6 +152,18 @@
         "type": "github"
       }
     },
+    "nixpkgs-patch-k8s-pki": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-Qz3TV1Z/pdKxLqOoV/bmprlmlAfJpTsHUCiWXVgoukw=",
+        "type": "file",
+        "url": "https://github.com/NixOS/nixpkgs/pull/275896/commits/9c870ac78f6157260ba1f96f9ce077ce84478532.patch"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://github.com/NixOS/nixpkgs/pull/275896/commits/9c870ac78f6157260ba1f96f9ce077ce84478532.patch"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1705957679,
@@ -193,6 +205,7 @@
         "flake-utils": "flake-utils",
         "flakelib": "flakelib",
         "nixpkgs": "nixpkgs",
+        "nixpkgs-patch-k8s-pki": "nixpkgs-patch-k8s-pki",
         "nur": "nur",
         "sops-nix": "sops-nix",
         "std": "std",

flake.nix

@@ -2,6 +2,11 @@
   description = "kat's nixfiles";
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs-patch-k8s-pki = {
+      # https://github.com/NixOS/nixpkgs/pull/275896
+      url = "https://github.com/NixOS/nixpkgs/pull/275896/commits/9c870ac78f6157260ba1f96f9ce077ce84478532.patch";
+      flake = false;
+    };
     arcexprs = {
       url = "github:arcnmx/nixexprs/master";
       inputs.nixpkgs.follows = "nixpkgs";

inputs.nix

@@ -1,10 +0,0 @@
-let
-  lock = builtins.fromJSON (builtins.readFile ./flake.lock);
-  flakeCompat = fetchTarball {
-    url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
-    sha256 = lock.nodes.flake-compat.locked.narHash;
-  };
-  nixfiles = import flakeCompat {
-    src = ./.;
-  };
-in nixfiles.defaultNix.inputs

nixos/k8s.nix

@@ -1,4 +1,6 @@
 {
+  inputs,
+  system,
   config,
   pkgs,
   lib,
@@ -10,6 +12,21 @@
   kubeMasterHostname = "k8s.gensokyo.zone";
   kubeMasterAPIServerPort = 6443;
 in {
+  # apply fix: https://github.com/NixOS/nixpkgs/pull/275896
+  imports = let
+    pkiModulePath = "services/cluster/kubernetes/pki.nix";
+    inherit (inputs.self.legacyPackages.${system}) patchedNixpkgs;
+  in [
+    (_: {
+      imports = [
+        (patchedNixpkgs + "/nixos/modules/${pkiModulePath}")
+      ];
+      disabledModules = [
+        pkiModulePath
+      ];
+    })
+  ];
+
   # packages for administration tasks
   environment.systemPackages = with pkgs; [
     kompose

outputs.nix

@@ -1,34 +1,58 @@
 {inputs}: let
-  patchedInputs = import ./patchedInputs.nix {inherit inputs;};
-  inherit
-    (import ./overlays {
-      inputs = patchedInputs;
-    })
-    pkgs
-    ;
-  inherit (inputs.nixpkgs) lib;
   tree = import ./tree.nix {
-    inherit pkgs;
-    inputs = patchedInputs;
+    inherit inputs;
   };
   systems = import ./systems {
-    inherit inputs lib std pkgs;
+    inherit inputs;
     tree = tree.impure;
   };
   outputs =
     inputs.flake-utils.lib.eachDefaultSystem
-    (system: rec {
-      devShells.default = import ./devShell.nix {inherit system inputs;};
-      packages = import ./packages {inherit system inputs lib;};
-      legacyPackages.pkgs = pkgs.${system};
+    (system: let
+      legacyPackages = inputs.self.legacyPackages.${system};
+      inherit (legacyPackages) pkgs;
+    in {
+      devShells = import ./devShells.nix {inherit system inputs;};
+      packages = import ./packages {inherit system inputs;};
+      legacyPackages = {
+        inherit (import ./overlays {inherit system inputs;}) pkgs;
+        patchedNixpkgs = pkgs.applyPatches {
+          name = "nixpkgs";
+          src = inputs.nixpkgs;
+          patches = [
+            inputs.nixpkgs-patch-k8s-pki
+          ];
+        };
+        deploy-rs = let
+          deployLib =
+            inputs.deploy-rs.lib.${system}
+            or rec {
+              activate = throw "deploy-rs.lib.${system} unsupported";
+              setActivate = activate;
+              deployChecks = _: {};
+            };
+          deploy-rs =
+            inputs.deploy-rs.packages.${system}.default
+            or pkgs.${system}.deploy-rs.deploy-rs
+            or pkgs.${system}.deploy-rs
+            or {
+              name = "deploy-rs";
+              outPath = throw "deploy-rs.packages.${system} unsupported";
+              meta = {};
+            };
+        in {
+          inherit (deploy-rs) name outPath meta;
+          inherit (deployLib) activate setActivate deployChecks;
+        };
+      };
+      checks = legacyPackages.deploy-rs.deployChecks inputs.self.deploy;
     });
-  std = import ./std.nix {inherit inputs;};
-  inherit (std) set;
-  checks = set.map (_: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
-in
-  {
-    inherit tree std lib checks;
-    inputs = patchedInputs;
-  }
-  // systems
-  // outputs
+in {
+  inherit (outputs) devShells legacyPackages packages checks;
+  inherit (systems) deploy nixosConfigurations;
+  lib = {
+    std = import ./std.nix {inherit inputs;};
+    nixlib = inputs.nixpkgs.lib;
+    inherit tree;
+  };
+}

overlays/default.nix

@@ -1,5 +1,4 @@
-{inputs, ...} @ args:
-inputs.flake-utils.lib.eachDefaultSystem (system: {
+{inputs, system}: {
   pkgs = import inputs.nixpkgs {
     inherit system;
     overlays =
@@ -27,4 +26,4 @@ inputs.flake-utils.lib.eachDefaultSystem (system: {
       ];
     };
   };
-})
+}

packages/default.nix

@@ -1,8 +1,8 @@
 {
   system,
   inputs,
-  lib,
 }: let
+  lib = inputs.self.lib.nixlib;
   inherit (lib.meta) getExe;
   inherit (inputs.std.lib) string list;
   packages = inputs.self.packages.${system};

patchedInputs.nix

@@ -1,26 +0,0 @@
-{
-  inputs,
-  system ? builtins.currentSystem or "x86_64-linux",
-  ...
-}: let
-  pkgs = import inputs.nixpkgs {
-    inherit system;
-    config.allowUnfree = true;
-  };
-in
-  inputs
-  // {
-    nixpkgs = pkgs.applyPatches {
-      name = "nixpkgs";
-      src = inputs.nixpkgs;
-      patches = [
-        # https://github.com/NixOS/nixpkgs/pull/275896
-        (pkgs.fetchpatch {
-          url = "https://github.com/NixOS/nixpkgs/pull/275896.patch";
-          sha256 = "sha256-boJLCdgamzX0fhLifdsxsFF/f7oXZwWJ7+WAkcA2GBg=";
-        })
-      ];
-    } // {
-      inherit (inputs.nixpkgs) sourceInfo;
-    };
-  }

shell.nix

@@ -1 +1 @@
-import ./devShell.nix { inputs = import ./inputs.nix; system = builtins.currentSystem; }
+(import ./.).devShells.${builtins.currentSystem or "x86_64-linux"}.default

systems/default.nix

@@ -1,15 +1,12 @@
 {
   inputs,
   tree,
-  pkgs,
-  lib,
-  std,
-  system ? builtins.currentSystem or "x86_64-linux",
-  ...
 }: let
   # The purpose of this file is to set up the host module which allows assigning of the system, e.g. aarch64-linux and the builder used with less pain.
+  lib = inputs.self.lib.nixlib;
   inherit (lib.modules) evalModules mkOptionDefault;
-  inherit (std) string types optional set list;
+  inherit (inputs.self.lib) std;
+  inherit (std) string set;
   defaultSpecialArgs = {
     inherit inputs std;
     meta = tree;
@@ -21,7 +18,7 @@
   }: {
     options = let
       inherit (lib.types) str listOf attrs unspecified attrsOf nullOr;
-      jsonType = (pkgs.${system}.formats.json {}).type;
+      jsonAttrsType = inputs.arcexprs.lib.json.types.attrs;
       inherit (lib.options) mkOption;
     in {
       arch = mkOption {
@@ -54,21 +51,26 @@
         internal = true;
       };
       deploy = mkOption {
-        type = nullOr jsonType;
+        type = nullOr jsonAttrsType;
       };
     };
     config = {
-      deploy = {
+      deploy = let
+        nixos = inputs.self.nixosConfigurations.${machine};
+      in {
         sshUser = mkOptionDefault "root";
         user = mkOptionDefault "root";
-        sshOpts = mkOptionDefault ["-p" "${builtins.toString (builtins.head inputs.self.nixosConfigurations.${machine}.config.services.openssh.ports)}"];
+        sshOpts = mkOptionDefault ["-p" "${builtins.toString (builtins.head nixos.config.services.openssh.ports)}"];
         autoRollback = mkOptionDefault true;
         magicRollback = mkOptionDefault true;
         fastConnection = mkOptionDefault false;
         hostname = mkOptionDefault "${machine}.local.gensokyo.zone";
         profiles.system = {
           user = "root";
-          path = inputs.deploy-rs.lib.${system}.activate.nixos inputs.self.nixosConfigurations.${machine};
+          path = let
+            inherit (inputs.self.legacyPackages.${config.system}.deploy-rs) activate;
+          in
+            activate.nixos nixos;
         };
       };
       system = let
@@ -141,12 +143,13 @@
   (set.map (_: c: c) tree.systems);
   processHost = name: cfg: let
     host = cfg.config;
-  in set.optional (host.type != null) {
-    deploy.nodes.${name} = host.deploy;
+  in
+    set.optional (host.type != null) {
+      deploy.nodes.${name} = host.deploy;
 
-    "${host.folder}Configurations".${name} = host.builder {
-      inherit (host) system modules specialArgs;
+      "${host.folder}Configurations".${name} = host.builder {
+        inherit (host) system modules specialArgs;
+      };
     };
-  };
 in
   set.merge (set.mapToValues processHost hostConfigs)

tree.nix

@@ -1,20 +1,24 @@
-{inputs, ...}: (inputs.tree.tree {
+{inputs}: (inputs.tree.tree {
   inherit inputs;
   folder = ./.;
   config = {
     "/" = {
       excludes = [
         "tf"
-        "inputs"
         "default"
-        "patchedInputs"
+        "devShells"
         "outputs"
         "tree"
         "flake"
-        "meta"
+        "std"
         "inputs"
       ];
     };
+    packages = {
+      excludes = [
+        "default"
+      ];
+    };
     systems = {
       excludes = [
         "default"