From b339ef65f64b0d7f2cde73b2a8e043324b70ccc5 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Mon, 19 Feb 2024 17:34:39 -0800
Subject: [PATCH] refactor(systems): pull out inline modules
---
 ci/fmt.nix | 1 +
 lib.nix | 3 +-
 modules/meta/access.nix | 32 --------
 modules/nixos/access.nix | 40 ++--------
 modules/system/access.nix | 101 ++++++++++++++++++++++++
 modules/system/deploy.nix | 41 ++++++++++
 modules/system/host.nix | 105 +++++++++++++++++++++++++
 nixos/access/global.nix | 1 +
 nixos/access/kanidm.nix | 4 +-
 nixos/k8s.nix | 2 -
 nixos/nfs.nix | 2 +-
 outputs.nix | 5 +-
 systems/aya/default.nix | 1 +
 systems/default.nix | 143 +++-------------------------------
 systems/hakurei/default.nix | 4 +
 systems/hakurei/nixos.nix | 12 +--
 systems/litterbox/default.nix | 1 +
 systems/reimu/default.nix | 1 +
 systems/tei/cloudflared.nix | 14 ++--
 systems/tei/default.nix | 1 +
 20 files changed, 296 insertions(+), 218 deletions(-)
 delete mode 100644 modules/meta/access.nix
 create mode 100644 modules/system/access.nix
 create mode 100644 modules/system/deploy.nix
 create mode 100644 modules/system/host.nix
diff --git a/ci/fmt.nix b/ci/fmt.nix
index 3e282a82..0d1fd8fa 100644
--- a/ci/fmt.nix
+++ b/ci/fmt.nix
@@ -10,6 +10,7 @@
 "tree.nix"
 ];
 whitelistDirs = [
+ "modules/system"
 "systems"
 ];
 blacklistDirs = [
diff --git a/lib.nix b/lib.nix
index 84396194..c9f60547 100644
--- a/lib.nix
+++ b/lib.nix
@@ -1,6 +1,7 @@
 {
 inputs,
 tree,
+ systems,
 }: let
 nixlib = inputs.nixpkgs.lib;
 inherit (nixlib.strings) splitString toLower;
@@ -33,7 +34,7 @@
 mkWinPath = replaceStrings ["/"] ["\\"];
 in {
- inherit tree nixlib inputs;
+ inherit tree nixlib inputs systems;
 meta = tree.impure;
 std = inputs.self.lib.Std.Std.compat;
 Std = inputs.std-fl.lib;
diff --git a/modules/meta/access.nix b/modules/meta/access.nix
deleted file mode 100644
index 4e2e1051..00000000
--- a/modules/meta/access.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- config,
- access,
- ...
-}: let
- nixosModule = {
- config,
- ...
- }: {
- config = {
- _module.args.access = access // {
- systemFor = hostName: if hostName == config.networking.hostName
- then config
- else access.systemFor hostName;
- systemForOrNull = hostName: if hostName == config.networking.hostName
- then config
- else access.systemForOrNull hostName;
- };
- };
- };
-in {
- config = {
- network.nixos.extraModules = [
- nixosModule
- ];
-
- _module.args.access = {
- systemFor = hostName: config.network.nodes.${hostName};
- systemForOrNull = hostName: config.network.nodes.${hostName} or null;
- };
- };
-}
diff --git a/modules/nixos/access.nix b/modules/nixos/access.nix
index c5b8dc4f..c107080d 100644
--- a/modules/nixos/access.nix
+++ b/modules/nixos/access.nix
@@ -1,17 +1,15 @@
 {
 pkgs,
- inputs,
 config,
 lib,
 ...
 }: let
- inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkDefault mkOptionDefault;
+ inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkOptionDefault;
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.lists) optionals;
 inherit (lib.strings) concatStringsSep optionalString;
- inherit (config.services) tailscale avahi;
+ inherit (config.services) tailscale;
 inherit (config) networking;
- inherit (networking) hostName;
 cfg = config.networking.access;
 cidrModule = { config, ... }: {
 options = with lib.types; {
@@ -35,10 +33,6 @@
 };
 in {
 options.networking.access = with lib.types; {
- hostnameForNetwork = mkOption {
- type = attrsOf str;
- default = { };
- };
 cidrForNetwork = mkOption {
 type = attrsOf (submodule cidrModule);
 default = { };
@@ -63,18 +57,6 @@ in {
 };
 config.networking.access = {
- hostnameForNetwork = {
- local = let
- eth0 = config.systemd.network.networks.eth0 or { };
- hasStaticAddress = eth0.address or [ ] != [ ] || eth0.addresses or [ ] != [ ];
- hasSLAAC = eth0.slaac.enable or false;
- in mkMerge [
- (mkIf (hasStaticAddress || hasSLAAC) (mkDefault "${hostName}.local.${networking.domain}"))
- (mkIf (avahi.enable && avahi.publish.enable) (mkOptionDefault "${hostName}.local"))
- ];
- tail = mkIf tailscale.enable "${hostName}.tail.${networking.domain}";
- global = mkIf (networking.enableIPv6 && networking.tempAddresses == "disabled") "${hostName}.${networking.domain}";
- };
 cidrForNetwork = {
 loopback = {
 v4 = [
@@ -117,6 +99,10 @@ in {
 '';
 in "${localaddrs-reload}";
 };
+ moduleArgAttrs = {
+ inherit (cfg) cidrForNetwork localaddrs;
+ mkSnakeOil = pkgs.callPackage ../../packages/snakeoil.nix { };
+ };
 };
 config.networking = {
@@ -219,18 +205,4 @@ in {
 };
 };
 };
-
- config._module.args.access = let
- systemFor = hostName: inputs.self.nixosConfigurations.${hostName}.config;
- systemForOrNull = hostName: inputs.self.nixosConfigurations.${hostName}.config or null;
- in {
- inherit (cfg) hostnameForNetwork cidrForNetwork localaddrs;
- systemFor = hostName: if hostName == networking.hostName
- then config
- else systemFor hostName;
- systemForOrNull = hostName: if hostName == networking.hostName
- then config
- else systemForOrNull hostName;
- };
- config.lib.access.mkSnakeOil = pkgs.callPackage ../../packages/snakeoil.nix { };
 }
diff --git a/modules/system/access.nix b/modules/system/access.nix
new file mode 100644
index 00000000..6bf7fad9
--- /dev/null
+++ b/modules/system/access.nix
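Review bot: `moduleArgAttrs` is assigned in the @@ -117 hunk under `config.networking.access`, but no option of that name is declared in this file; the declaration lives in the `nixosModule` that modules/system/access.nix injects, so a reader of this module alone sees an undeclared option being set. A one-line comment above the assignment would save the next maintainer the search, e.g. `# declared by the nixosModule in modules/system/access.nix; exposed as _module.args.access and config.lib.access`. The @@ -219 hunk also drops the explicit `config.lib.access.mkSnakeOil`, which now only survives through that merge, so the comment should mention `mkSnakeOil` is still reachable under `config.lib.access`. The enclosing `in { … }` attrset starts and ends outside these hunks.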
@@ -0,0 +1,101 @@
+{
+ name,
+ config,
+ lib,
+ access,
+ inputs,
+ ...
+}: let
+ inherit (inputs.self.lib) systems;
+ inherit (inputs.self.lib.lib) domain;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkIf mkDefault mkOptionDefault;
+ cfg = config.access;
+ systemConfig = config;
+ systemAccess = access;
+ nixosModule = {
+ config,
+ system,
+ ...
+ }: let
+ cfg = config.networking.access;
+ in {
+ options.networking.access = with lib.types; {
+ global.enable =
+ mkEnableOption "global access"
+ // {
+ default = system.access.global.enable;
+ };
+ moduleArgAttrs = mkOption {
+ type = lazyAttrsOf unspecified;
+ internal = true;
+ };
+ };
+ config = {
+ networking.access = {
+ moduleArgAttrs = {
+ inherit (systemAccess) hostnameForNetwork;
+ systemFor = hostName:
+ if hostName == config.networking.hostName
+ then systemConfig
+ else systemAccess.systemFor hostName;
+ systemForOrNull = hostName:
+ if hostName == config.networking.hostName
+ then systemConfig
+ else systemAccess.systemForOrNull hostName;
+ nixosFor = hostName:
+ if hostName == config.networking.hostName
+ then config
+ else systemAccess.nixosFor hostName;
+ nixosForOrNull = hostName:
+ if hostName == config.networking.hostName
+ then config
+ else systemAccess.nixosForOrNull hostName;
+ };
+ };
+ networking.tempAddresses = mkIf cfg.global.enable (
+ mkDefault "disabled"
+ );
+ _module.args.access = config.networking.access.moduleArgAttrs;
+ lib.access = config.networking.access.moduleArgAttrs;
+ };
+ };
+in {
+ options.access = with lib.types; {
+ hostName = mkOption {
+ type = str;
+ default = name;
+ };
+ domain = mkOption {
+ type = str;
+ default = domain;
+ };
+ tailscale.enable = mkEnableOption "tailscale access";
+ global.enable = mkEnableOption "globally routeable";
+ hostnameForNetwork = mkOption {
+ type = attrsOf str;
+ default = {};
+ };
+ };
+ config = {
+ modules = [
+ nixosModule
+ ];
+
+ access = {
+ hostnameForNetwork = {
+ local = mkOptionDefault 
"${cfg.hostName}.local.${cfg.domain}"; + tail = mkIf cfg.tailscale.enable (mkOptionDefault "${cfg.hostName}.tail.${cfg.domain}"); + global = mkIf cfg.global.enable (mkOptionDefault "${cfg.hostName}.${cfg.domain}"); + }; + }; + + _module.args.access = { + inherit (cfg) hostnameForNetwork; + systemFor = hostName: systems.${hostName}.config; + systemForOrNull = hostName: systems.${hostName}.config or null; + nixosFor = hostName: (access.systemFor hostName).built.config; + nixosForOrNull = hostName: (access.systemForOrNull hostName).built.config or null; + }; + }; +} diff --git a/modules/system/deploy.nix b/modules/system/deploy.nix new file mode 100644 index 00000000..16dacb9e --- /dev/null +++ b/modules/system/deploy.nix @@ -0,0 +1,41 @@ +{ + name, + config, + lib, + inputs, + ... +}: let + inherit (lib.modules) mkIf mkOptionDefault; +in { + options = let + inherit (inputs.self.lib.lib) json; + inherit (lib.types) nullOr; + inherit (lib.options) mkOption; + in { + deploy = mkOption { + type = nullOr json.types.attrs; + }; + }; + config = { + deploy = let + nixos = config.built; + in { + sshUser = mkOptionDefault "root"; + user = mkOptionDefault "root"; + sshOpts = mkIf (config.type == "NixOS") ( + mkOptionDefault ["-p" "${builtins.toString (builtins.head nixos.config.services.openssh.ports)}"] + ); + autoRollback = mkOptionDefault true; + magicRollback = mkOptionDefault true; + fastConnection = mkOptionDefault false; + hostname = mkOptionDefault "${name}.local.gensokyo.zone"; + profiles.system = { + user = "root"; + path = let + inherit (inputs.self.legacyPackages.${config.system}.deploy-rs) activate; + in + activate.nixos nixos; + }; + }; + }; +} diff --git a/modules/system/host.nix b/modules/system/host.nix new file mode 100644 index 00000000..cf7050dd --- /dev/null +++ b/modules/system/host.nix 
@@ -0,0 +1,105 @@
+{
+ name,
+ config,
+ meta,
+ std,
+ lib,
+ inputs,
+ ...
+}: let
+ inherit (lib.modules) mkOptionDefault;
+ inherit (std) string;
+in {
+ options = let
+ inherit (lib.types) str listOf attrs unspecified enum nullOr;
+ inherit (lib.options) mkOption;
+ in {
+ arch = mkOption {
+ description = "Processor architecture of the host";
+ type = str;
+ default = "x86_64";
+ };
+ type = mkOption {
+ description = "Operating system type of the host";
+ type = nullOr (enum ["NixOS" "MacOS" "Darwin" "Linux"]);
+ default = "NixOS";
+ };
+ folder = mkOption {
+ type = str;
+ internal = true;
+ };
+ system = mkOption {
+ type = str;
+ internal = true;
+ };
+ modules = mkOption {
+ type = listOf unspecified;
+ };
+ specialArgs = mkOption {
+ type = attrs;
+ internal = true;
+ };
+ builder = mkOption {
+ type = unspecified;
+ internal = true;
+ };
+ built = mkOption {
+ type = unspecified;
+ internal = true;
+ };
+ };
+ config = {
+ system = let
+ kernel =
+ {
+ nixos = "linux";
+ macos = "darwin";
+ darwin = "darwin";
+ linux = "linux";
+ }
+ .${string.toLower config.type};
+ in "${config.arch}-${kernel}";
+ folder =
+ {
+ nixos = "nixos";
+ macos = "darwin";
+ darwin = "darwin";
+ linux = "linux";
+ }
+ .${string.toLower config.type};
+ modules = [
+ # per-OS modules
+ meta.modules.${config.folder}
+ # per-OS configuration
+ meta.${config.folder}.base
+ ];
+ builder =
+ {
+ nixos = let
+ lib = inputs.nixpkgs.lib.extend (self: super:
+ import (inputs.arcexprs + "/lib") {
+ inherit super;
+ lib = self;
+ isOverlayLib = true;
+ });
+ sys = args:
+ lib.nixosSystem ({
+ inherit lib;
+ }
+ // args);
+ in
+ sys;
+ darwin = inputs.darwin.lib.darwinSystem;
+ macos = inputs.darwin.lib.darwinSystem;
+ }
+ .${string.toLower config.type};
+ built = mkOptionDefault (config.builder {
+ inherit (config) system modules specialArgs;
+ });
+ specialArgs = {
+ inherit name inputs std meta;
+ systemType = config.folder;
+ system = config;
+ };
+ };
+}
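Review bot: `type` is now restricted to `enum ["NixOS" "MacOS" "Darwin" "Linux"]`, but the `builder` attrset in the config block only has `nixos`, `darwin` and `macos` keys, so `type = "Linux"` passes option checking and then fails with a missing-attribute error at `.${string.toLower config.type}` as soon as `built` is forced, while `system` and `folder` do handle `linux`. Either drop "Linux" from the enum or add an explicit `linux = throw "no builder for type Linux";` entry so the failure names its cause. The internal options `folder`, `system`, `builder` and `built` also have no `description`; one line each, e.g. `description = "Result of builder applied to system, modules and specialArgs";` on `built`, would document the contract that modules/system/deploy.nix and systems/default.nix now rely on.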
diff --git a/nixos/access/global.nix b/nixos/access/global.nix
index 2a88b76a..4c46d415 100644
--- a/nixos/access/global.nix
+++ b/nixos/access/global.nix
@@ -5,6 +5,7 @@
 inherit (lib.modules) mkDefault;
 in {
 networking = {
+ access.global.enable = mkDefault true;
 tempAddresses = mkDefault "disabled";
 };
 }
diff --git a/nixos/access/kanidm.nix b/nixos/access/kanidm.nix
index d3a19b2a..43c2919d 100644
--- a/nixos/access/kanidm.nix
+++ b/nixos/access/kanidm.nix
@@ -112,11 +112,11 @@ in {
 [
 access.localDomain
 config.networking.fqdn
- config.networking.access.hostnameForNetwork.local
+ config.lib.access.hostnameForNetwork.local
 ]
 (mkIf tailscale.enable [
 "id.tail.${config.networking.domain}"
- config.networking.access.hostnameForNetwork.tail
+ config.lib.access.hostnameForNetwork.tail
 ])
 ];
diff --git a/nixos/k8s.nix b/nixos/k8s.nix
index 6f9af72d..2e223802 100644
--- a/nixos/k8s.nix
+++ b/nixos/k8s.nix
@@ -1,6 +1,4 @@
 {
- inputs,
- system,
 config,
 pkgs,
 lib,
diff --git a/nixos/nfs.nix b/nixos/nfs.nix
index c9869781..4d4c9694 100644
--- a/nixos/nfs.nix
+++ b/nixos/nfs.nix
@@ -16,7 +16,7 @@
 (mkIf (cfg.server.mountdPort != null) cfg.server.mountdPort)
 ];
 enableLdap = false;
- system = access.systemFor "tei";
+ system = access.nixosFor "tei";
 inherit (system.services) kanidm;
 in {
 services.nfs = {
diff --git a/outputs.nix b/outputs.nix
index 25cf9258..53553e68 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -48,5 +48,8 @@ in {
 inherit (outputs) devShells legacyPackages packages checks;
 inherit (systems) deploy nixosConfigurations;
- lib = import ./lib.nix {inherit tree inputs;};
+ lib = import ./lib.nix {
+ inherit tree inputs;
+ inherit (systems) systems;
+ };
 }
diff --git a/systems/aya/default.nix b/systems/aya/default.nix
index ea396fa3..78928c62 100644
--- a/systems/aya/default.nix
+++ b/systems/aya/default.nix
@@ -4,4 +4,5 @@ _: {
 modules = [
 ./nixos.nix
 ];
+ access.tailscale.enable = true;
 }
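Review bot: `tempAddresses = mkDefault "disabled"` on the context line right after the added `access.global.enable = mkDefault true;` is now also set, at the same mkDefault priority, by the nixosModule in modules/system/access.nix whenever `networking.access.global.enable` is true, so this file states the same policy twice. Keeping only the `access.global.enable` line here leaves a single place that decides the IPv6 temporary-address policy and avoids the two drifting apart later.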
diff --git a/systems/default.nix b/systems/default.nix
index 68b90723..1d155284 100644
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -2,139 +2,17 @@
 # The purpose of this file is to set up the host module which allows assigning of the system, e.g. aarch64-linux and the builder used with less pain.
 lib = inputs.self.lib.nixlib;
 inherit (inputs.self.lib) meta std;
- inherit (lib.modules) evalModules mkOptionDefault;
- inherit (std) string set;
- defaultSpecialArgs = {
- inherit inputs std meta;
- };
- hostModule = {
- config,
- machine,
- ...
- }: {
- options = let
- inherit (inputs.self.lib.lib) json;
- inherit (lib.types) str listOf attrs unspecified attrsOf nullOr;
- inherit (lib.options) mkOption;
- in {
- arch = mkOption {
- description = "Processor architecture of the host";
- type = str;
- default = "x86_64";
- };
- type = mkOption {
- description = "Operating system type of the host";
- type = nullOr str;
- default = "NixOS";
- };
- folder = mkOption {
- type = str;
- internal = true;
- };
- system = mkOption {
- type = str;
- internal = true;
- };
- modules = mkOption {
- type = listOf unspecified;
- };
- specialArgs = mkOption {
- type = attrs;
- internal = true;
- };
- builder = mkOption {
- type = unspecified;
- internal = true;
- };
- deploy = mkOption {
- type = nullOr json.types.attrs;
- };
- };
- config = {
- deploy = let
- nixos = inputs.self.nixosConfigurations.${machine};
- in {
- sshUser = mkOptionDefault "root";
- user = mkOptionDefault "root";
- sshOpts = mkOptionDefault ["-p" "${builtins.toString (builtins.head nixos.config.services.openssh.ports)}"];
- autoRollback = mkOptionDefault true;
- magicRollback = mkOptionDefault true;
- fastConnection = mkOptionDefault false;
- hostname = mkOptionDefault "${machine}.local.gensokyo.zone";
- profiles.system = {
- user = "root";
- path = let
- inherit (inputs.self.legacyPackages.${config.system}.deploy-rs) activate;
- in
- activate.nixos nixos;
- };
- };
- system = let
- kernel =
- {
- nixos = "linux";
- macos = "darwin";
- darwin = "darwin";
- linux = "linux";
- }
- .${string.toLower config.type};
- in "${config.arch}-${kernel}";
- folder =
- {
- nixos = "nixos";
- macos = "darwin";
- darwin = "darwin";
- linux = "linux";
- }
- .${string.toLower config.type};
- modules = [
- # per-OS modules
- meta.modules.${config.folder}
- # per-OS configuration
- meta.${config.folder}.base
- ];
- builder =
- {
- nixos = let
- lib = inputs.nixpkgs.lib.extend (self: super:
- import (inputs.arcexprs + "/lib") {
- inherit super;
- lib = self;
- isOverlayLib = true;
- });
- sys = args:
- lib.nixosSystem ({
- inherit lib;
- }
- // args);
- in
- sys;
- darwin = inputs.darwin.lib.darwinSystem;
- macos = inputs.darwin.lib.darwinSystem;
- }
- .${string.toLower config.type};
- specialArgs =
- {
- name = machine;
- inherit machine;
- systemType = config.folder;
- inherit (config) system;
- }
- // defaultSpecialArgs;
- };
- };
+ inherit (lib.modules) evalModules;
+ inherit (std) set;
 hostConfigs = set.map (name: path:
 evalModules {
 modules = [
- hostModule
 path
+ meta.modules.system
 ];
- specialArgs =
- defaultSpecialArgs
- // {
- inherit name;
- machine = name;
- };
+ specialArgs = {
+ inherit name inputs std meta;
+ };
 })
 (set.map (_: c: c) meta.systems);
 processHost = name: cfg: let
@@ -143,9 +21,10 @@
 set.optional (host.type != null) {
 deploy.nodes.${name} = host.deploy;
- "${host.folder}Configurations".${name} = host.builder {
- inherit (host) system modules specialArgs;
- };
+ "${host.folder}Configurations".${name} = host.built;
 };
 in
- set.merge (set.mapToValues processHost hostConfigs)
+ {
+ systems = hostConfigs;
+ }
+ // set.merge (set.mapToValues processHost hostConfigs)
diff --git a/systems/hakurei/default.nix b/systems/hakurei/default.nix
index ea396fa3..dc0ea17c 100644
--- a/systems/hakurei/default.nix
+++ b/systems/hakurei/default.nix
@@ -4,4 +4,8 @@ _: {
 modules = [
 ./nixos.nix
 ];
+ access = {
+ tailscale.enable = true;
+ global.enable = true;
+ };
 }
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index cc65948d..57a245fd 100644
--- a/systems/hakurei/nixos.nix
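Review bot: the context comment at the top of the first hunk still says this file sets up the host module, but the hunk removes `hostModule` and `defaultSpecialArgs` and the host options now live in modules/system/host.nix (pulled in through `meta.modules.system`), so the comment is stale. Suggest replacing it with `# Evaluates each entry of meta.systems against the shared system module set (meta.modules.system) and exposes the results as the systems, deploy and <folder>Configurations attributes.` The enclosing `let` begins before the hunk. In the second hunk, `{ systems = hostConfigs; } // set.merge (…)` lets any merged output attribute named `systems` silently replace the hosts attrset; I cannot tell from here whether `set.merge` could ever yield that key, but an assertion or a comment stating that host names must not collide with output names would make the assumption explicit.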
+++ b/systems/hakurei/nixos.nix
@@ -6,8 +6,8 @@
 ...
 }: let
 inherit (lib.modules) mkIf mkMerge;
- mediabox = access.systemFor "mediabox";
- tei = access.systemFor "tei";
+ mediabox = access.nixosFor "mediabox";
+ tei = access.nixosFor "tei";
 inherit (mediabox.services) plex;
 inherit (tei.services) kanidm vouch-proxy;
 in {
@@ -139,16 +139,16 @@ in {
 inherit (config.services.nginx) access;
 in {
 access.plex = assert plex.enable; {
- url = "http://${mediabox.networking.access.hostnameForNetwork.local}:${toString plex.port}";
+ url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString plex.port}";
 externalPort = 41324;
 };
 access.vouch = assert vouch-proxy.enable; {
- url = "http://${tei.networking.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}";
+ url = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}";
 useACMEHost = access.vouch.localDomain;
 };
 access.kanidm = assert kanidm.enableServer; {
 inherit (kanidm.server.frontend) domain port;
- host = tei.networking.access.hostnameForNetwork.local;
+ host = tei.lib.access.hostnameForNetwork.local;
 ldapEnable = false;
 };
 access.freeipa = {
@@ -159,7 +159,7 @@ in {
 useACMEHost = access.kitchencam.domain;
 };
 access.invidious = {
- url = "http://${mediabox.networking.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}";
+ url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}";
 };
 virtualHosts = {
 ${access.kanidm.domain} = {
diff --git a/systems/litterbox/default.nix b/systems/litterbox/default.nix
index ea396fa3..78928c62 100644
--- a/systems/litterbox/default.nix
+++ b/systems/litterbox/default.nix
@@ -4,4 +4,5 @@ _: {
 modules = [
 ./nixos.nix
 ];
+ access.tailscale.enable = true;
 }
diff --git a/systems/reimu/default.nix b/systems/reimu/default.nix
index ea396fa3..78928c62 100644
--- a/systems/reimu/default.nix
+++ b/systems/reimu/default.nix
@@ -4,4 +4,5 @@ _: {
 modules = [
 ./nixos.nix
 ];
+ access.tailscale.enable = true;
 }
diff --git a/systems/tei/cloudflared.nix b/systems/tei/cloudflared.nix
index a85ee302..8d32673e 100644
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@@ -6,17 +6,17 @@
 }: let
 inherit (lib.modules) mkIf;
 inherit (lib.attrsets) listToAttrs nameValuePair;
- inherit (access) systemFor;
+ inherit (access) nixosFor;
 inherit (config.networking) hostName;
 cfg = config.services.cloudflared;
 apartment = "5e85d878-c6b2-4b15-b803-9aeb63d63543";
 accessHostFor = {
 hostName,
- system ? systemFor hostName,
+ system ? nixosFor hostName,
 access ? "local",
 ...
 }: let
- host = system.networking.access.hostnameForNetwork.${access} or (throw "unsupported access ${access}");
+ host = system.lib.access.hostnameForNetwork.${access} or (throw "unsupported access ${access}");
 in
 if hostName == config.networking.hostName
 then "localhost"
@@ -25,7 +25,7 @@
 host ? system.networking.fqdn,
 port ? 80,
 hostName,
- system ? systemFor hostName,
+ system ? nixosFor hostName,
 } @ args:
 nameValuePair host {
 service = "http://${accessHostFor args}:${toString port}";
@@ -34,7 +34,7 @@
 host ? system.services.home-assistant.domain,
 port ? system.services.home-assistant.config.http.server_port,
 hostName,
- system ? systemFor hostName,
+ system ? nixosFor hostName,
 ...
 } @ args:
 nameValuePair host {
@@ -44,7 +44,7 @@
 host ? system.services.vouch-proxy.domain,
 port ? system.services.vouch-proxy.settings.vouch.port,
 hostName,
- system ? systemFor hostName,
+ system ? nixosFor hostName,
 ...
 } @ args:
 nameValuePair host {
@@ -54,7 +54,7 @@
 host ? system.services.kanidm.server.frontend.domain,
 port ? system.services.kanidm.server.frontend.port,
 hostName,
- system ? systemFor hostName,
+ system ? nixosFor hostName,
 ...
 } @ args:
 nameValuePair host {
diff --git a/systems/tei/default.nix b/systems/tei/default.nix
index ea396fa3..78928c62 100644
--- a/systems/tei/default.nix
+++ b/systems/tei/default.nix
@@ -4,4 +4,5 @@ _: {
 modules = [
 ./nixos.nix
 ];
+ access.tailscale.enable = true;
 }