gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor(systems): pull out inline modules

Browse source
This commit is contained in:
arcnmx 2024-02-19 17:34:39 -08:00
parent 35177ce911
commit b339ef65f6
20 changed files with 296 additions and 218 deletions
Download patch file Download diff file Expand all files Collapse all files

1
ci/fmt.nix
View file

@ -10,6 +10,7 @@
"tree.nix" "tree.nix"
]; ];
whitelistDirs = [ whitelistDirs = [
"modules/system"
"systems" "systems"
]; ];
blacklistDirs = [ blacklistDirs = [

3
lib.nix
View file

@ -1,6 +1,7 @@
{ {
inputs, inputs,
tree, tree,
systems,
}: let }: let
nixlib = inputs.nixpkgs.lib; nixlib = inputs.nixpkgs.lib;
inherit (nixlib.strings) splitString toLower; inherit (nixlib.strings) splitString toLower;
@ -33,7 +34,7 @@
mkWinPath = replaceStrings ["/"] ["\\"]; mkWinPath = replaceStrings ["/"] ["\\"];
in { in {
inherit tree nixlib inputs; inherit tree nixlib inputs systems;
meta = tree.impure; meta = tree.impure;
std = inputs.self.lib.Std.Std.compat; std = inputs.self.lib.Std.Std.compat;
Std = inputs.std-fl.lib; Std = inputs.std-fl.lib;

32
modules/meta/access.nix
View file

@ -1,32 +0,0 @@
{
config,
access,
...
}: let
nixosModule = {
config,
...
}: {
config = {
_module.args.access = access // {
systemFor = hostName: if hostName == config.networking.hostName
then config
else access.systemFor hostName;
systemForOrNull = hostName: if hostName == config.networking.hostName
then config
else access.systemForOrNull hostName;
};
};
};
in {
config = {
network.nixos.extraModules = [
nixosModule
];
_module.args.access = {
systemFor = hostName: config.network.nodes.${hostName};
systemForOrNull = hostName: config.network.nodes.${hostName} or null;
};
};
}

40
modules/nixos/access.nix
View file

@ -1,17 +1,15 @@
{ {
pkgs, pkgs,
inputs,
config, config,
lib, lib,
... ...
}: let }: let
inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkDefault mkOptionDefault; inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkOptionDefault;
inherit (lib.options) mkOption mkEnableOption; inherit (lib.options) mkOption mkEnableOption;
inherit (lib.lists) optionals; inherit (lib.lists) optionals;
inherit (lib.strings) concatStringsSep optionalString; inherit (lib.strings) concatStringsSep optionalString;
inherit (config.services) tailscale avahi; inherit (config.services) tailscale;
inherit (config) networking; inherit (config) networking;
inherit (networking) hostName;
cfg = config.networking.access; cfg = config.networking.access;
cidrModule = { config, ... }: { cidrModule = { config, ... }: {
options = with lib.types; { options = with lib.types; {
@ -35,10 +33,6 @@
}; };
in { in {
options.networking.access = with lib.types; { options.networking.access = with lib.types; {
hostnameForNetwork = mkOption {
type = attrsOf str;
default = { };
};
cidrForNetwork = mkOption { cidrForNetwork = mkOption {
type = attrsOf (submodule cidrModule); type = attrsOf (submodule cidrModule);
default = { }; default = { };
@ -63,18 +57,6 @@ in {
}; };
config.networking.access = { config.networking.access = {
hostnameForNetwork = {
local = let
eth0 = config.systemd.network.networks.eth0 or { };
hasStaticAddress = eth0.address or [ ] != [ ] || eth0.addresses or [ ] != [ ];
hasSLAAC = eth0.slaac.enable or false;
in mkMerge [
(mkIf (hasStaticAddress || hasSLAAC) (mkDefault "${hostName}.local.${networking.domain}"))
(mkIf (avahi.enable && avahi.publish.enable) (mkOptionDefault "${hostName}.local"))
];
tail = mkIf tailscale.enable "${hostName}.tail.${networking.domain}";
global = mkIf (networking.enableIPv6 && networking.tempAddresses == "disabled") "${hostName}.${networking.domain}";
};
cidrForNetwork = { cidrForNetwork = {
loopback = { loopback = {
v4 = [ v4 = [
@ -117,6 +99,10 @@ in {
''; '';
in "${localaddrs-reload}"; in "${localaddrs-reload}";
}; };
moduleArgAttrs = {
inherit (cfg) cidrForNetwork localaddrs;
mkSnakeOil = pkgs.callPackage ../../packages/snakeoil.nix { };
};
}; };
config.networking = { config.networking = {
@ -219,18 +205,4 @@ in {
}; };
}; };
}; };
config._module.args.access = let
systemFor = hostName: inputs.self.nixosConfigurations.${hostName}.config;
systemForOrNull = hostName: inputs.self.nixosConfigurations.${hostName}.config or null;
in {
inherit (cfg) hostnameForNetwork cidrForNetwork localaddrs;
systemFor = hostName: if hostName == networking.hostName
then config
else systemFor hostName;
systemForOrNull = hostName: if hostName == networking.hostName
then config
else systemForOrNull hostName;
};
config.lib.access.mkSnakeOil = pkgs.callPackage ../../packages/snakeoil.nix { };
} }

101
modules/system/access.nix Normal file
View file

@ -0,0 +1,101 @@
{
name,
config,
lib,
access,
inputs,
...
}: let
inherit (inputs.self.lib) systems;
inherit (inputs.self.lib.lib) domain;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.access;
systemConfig = config;
systemAccess = access;
nixosModule = {
config,
system,
...
}: let
cfg = config.networking.access;
in {
options.networking.access = with lib.types; {
global.enable =
mkEnableOption "global access"
// {
default = system.access.global.enable;
};
moduleArgAttrs = mkOption {
type = lazyAttrsOf unspecified;
internal = true;
};
};
config = {
networking.access = {
moduleArgAttrs = {
inherit (systemAccess) hostnameForNetwork;
systemFor = hostName:
if hostName == config.networking.hostName
then systemConfig
else systemAccess.systemFor hostName;
systemForOrNull = hostName:
if hostName == config.networking.hostName
then systemConfig
else systemAccess.systemForOrNull hostName;
nixosFor = hostName:
if hostName == config.networking.hostName
then config
else systemAccess.nixosFor hostName;
nixosForOrNull = hostName:
if hostName == config.networking.hostName
then config
else systemAccess.nixosForOrNull hostName;
};
};
networking.tempAddresses = mkIf cfg.global.enable (
mkDefault "disabled"
);
_module.args.access = config.networking.access.moduleArgAttrs;
lib.access = config.networking.access.moduleArgAttrs;
};
};
in {
options.access = with lib.types; {
hostName = mkOption {
type = str;
default = name;
};
domain = mkOption {
type = str;
default = domain;
};
tailscale.enable = mkEnableOption "tailscale access";
global.enable = mkEnableOption "globally routeable";
hostnameForNetwork = mkOption {
type = attrsOf str;
default = {};
};
};
config = {
modules = [
nixosModule
];
access = {
hostnameForNetwork = {
local = mkOptionDefault "${cfg.hostName}.local.${cfg.domain}";
tail = mkIf cfg.tailscale.enable (mkOptionDefault "${cfg.hostName}.tail.${cfg.domain}");
global = mkIf cfg.global.enable (mkOptionDefault "${cfg.hostName}.${cfg.domain}");
};
};
_module.args.access = {
inherit (cfg) hostnameForNetwork;
systemFor = hostName: systems.${hostName}.config;
systemForOrNull = hostName: systems.${hostName}.config or null;
nixosFor = hostName: (access.systemFor hostName).built.config;
nixosForOrNull = hostName: (access.systemForOrNull hostName).built.config or null;
};
};
}

41
modules/system/deploy.nix Normal file
View file

@ -0,0 +1,41 @@
{
name,
config,
lib,
inputs,
...
}: let
inherit (lib.modules) mkIf mkOptionDefault;
in {
options = let
inherit (inputs.self.lib.lib) json;
inherit (lib.types) nullOr;
inherit (lib.options) mkOption;
in {
deploy = mkOption {
type = nullOr json.types.attrs;
};
};
config = {
deploy = let
nixos = config.built;
in {
sshUser = mkOptionDefault "root";
user = mkOptionDefault "root";
sshOpts = mkIf (config.type == "NixOS") (
mkOptionDefault ["-p" "${builtins.toString (builtins.head nixos.config.services.openssh.ports)}"]
);
autoRollback = mkOptionDefault true;
magicRollback = mkOptionDefault true;
fastConnection = mkOptionDefault false;
hostname = mkOptionDefault "${name}.local.gensokyo.zone";
profiles.system = {
user = "root";
path = let
inherit (inputs.self.legacyPackages.${config.system}.deploy-rs) activate;
in
activate.nixos nixos;
};
};
};
}

105
modules/system/host.nix Normal file
View file

@ -0,0 +1,105 @@
{
name,
config,
meta,
std,
lib,
inputs,
...
}: let
inherit (lib.modules) mkOptionDefault;
inherit (std) string;
in {
options = let
inherit (lib.types) str listOf attrs unspecified enum nullOr;
inherit (lib.options) mkOption;
in {
arch = mkOption {
description = "Processor architecture of the host";
type = str;
default = "x86_64";
};
type = mkOption {
description = "Operating system type of the host";
type = nullOr (enum ["NixOS" "MacOS" "Darwin" "Linux"]);
default = "NixOS";
};
folder = mkOption {
type = str;
internal = true;
};
system = mkOption {
type = str;
internal = true;
};
modules = mkOption {
type = listOf unspecified;
};
specialArgs = mkOption {
type = attrs;
internal = true;
};
builder = mkOption {
type = unspecified;
internal = true;
};
built = mkOption {
type = unspecified;
internal = true;
};
};
config = {
system = let
kernel =
{
nixos = "linux";
macos = "darwin";
darwin = "darwin";
linux = "linux";
}
.${string.toLower config.type};
in "${config.arch}-${kernel}";
folder =
{
nixos = "nixos";
macos = "darwin";
darwin = "darwin";
linux = "linux";
}
.${string.toLower config.type};
modules = [
# per-OS modules
meta.modules.${config.folder}
# per-OS configuration
meta.${config.folder}.base
];
builder =
{
nixos = let
lib = inputs.nixpkgs.lib.extend (self: super:
import (inputs.arcexprs + "/lib") {
inherit super;
lib = self;
isOverlayLib = true;
});
sys = args:
lib.nixosSystem ({
inherit lib;
}
// args);
in
sys;
darwin = inputs.darwin.lib.darwinSystem;
macos = inputs.darwin.lib.darwinSystem;
}
.${string.toLower config.type};
built = mkOptionDefault (config.builder {
inherit (config) system modules specialArgs;
});
specialArgs = {
inherit name inputs std meta;
systemType = config.folder;
system = config;
};
};
}

1
nixos/access/global.nix
View file

@ -5,6 +5,7 @@
inherit (lib.modules) mkDefault; inherit (lib.modules) mkDefault;
in { in {
networking = { networking = {
access.global.enable = mkDefault true;
tempAddresses = mkDefault "disabled"; tempAddresses = mkDefault "disabled";
}; };
} }

4
nixos/access/kanidm.nix
View file

@ -112,11 +112,11 @@ in {
[ [
access.localDomain access.localDomain
config.networking.fqdn config.networking.fqdn
config.networking.access.hostnameForNetwork.local config.lib.access.hostnameForNetwork.local
] ]
(mkIf tailscale.enable [ (mkIf tailscale.enable [
"id.tail.${config.networking.domain}" "id.tail.${config.networking.domain}"
config.networking.access.hostnameForNetwork.tail config.lib.access.hostnameForNetwork.tail
]) ])
]; ];

2
nixos/k8s.nix
View file

@ -1,6 +1,4 @@
{ {
inputs,
system,
config, config,
pkgs, pkgs,
lib, lib,

2
nixos/nfs.nix
View file

@ -16,7 +16,7 @@
(mkIf (cfg.server.mountdPort != null) cfg.server.mountdPort) (mkIf (cfg.server.mountdPort != null) cfg.server.mountdPort)
]; ];
enableLdap = false; enableLdap = false;
system = access.systemFor "tei"; system = access.nixosFor "tei";
inherit (system.services) kanidm; inherit (system.services) kanidm;
in { in {
services.nfs = { services.nfs = {

5
outputs.nix
View file

@ -48,5 +48,8 @@
in { in {
inherit (outputs) devShells legacyPackages packages checks; inherit (outputs) devShells legacyPackages packages checks;
inherit (systems) deploy nixosConfigurations; inherit (systems) deploy nixosConfigurations;
lib = import ./lib.nix {inherit tree inputs;}; lib = import ./lib.nix {
inherit tree inputs;
inherit (systems) systems;
};
} }

1
systems/aya/default.nix
View file

@ -4,4 +4,5 @@ _: {
modules = [ modules = [
./nixos.nix ./nixos.nix
]; ];
access.tailscale.enable = true;
} }

143
systems/default.nix
View file

@ -2,139 +2,17 @@
# The purpose of this file is to set up the host module which allows assigning of the system, e.g. aarch64-linux and the builder used with less pain. # The purpose of this file is to set up the host module which allows assigning of the system, e.g. aarch64-linux and the builder used with less pain.
lib = inputs.self.lib.nixlib; lib = inputs.self.lib.nixlib;
inherit (inputs.self.lib) meta std; inherit (inputs.self.lib) meta std;
inherit (lib.modules) evalModules mkOptionDefault; inherit (lib.modules) evalModules;
inherit (std) string set; inherit (std) set;
defaultSpecialArgs = {
inherit inputs std meta;
};
hostModule = {
config,
machine,
...
}: {
options = let
inherit (inputs.self.lib.lib) json;
inherit (lib.types) str listOf attrs unspecified attrsOf nullOr;
inherit (lib.options) mkOption;
in {
arch = mkOption {
description = "Processor architecture of the host";
type = str;
default = "x86_64";
};
type = mkOption {
description = "Operating system type of the host";
type = nullOr str;
default = "NixOS";
};
folder = mkOption {
type = str;
internal = true;
};
system = mkOption {
type = str;
internal = true;
};
modules = mkOption {
type = listOf unspecified;
};
specialArgs = mkOption {
type = attrs;
internal = true;
};
builder = mkOption {
type = unspecified;
internal = true;
};
deploy = mkOption {
type = nullOr json.types.attrs;
};
};
config = {
deploy = let
nixos = inputs.self.nixosConfigurations.${machine};
in {
sshUser = mkOptionDefault "root";
user = mkOptionDefault "root";
sshOpts = mkOptionDefault ["-p" "${builtins.toString (builtins.head nixos.config.services.openssh.ports)}"];
autoRollback = mkOptionDefault true;
magicRollback = mkOptionDefault true;
fastConnection = mkOptionDefault false;
hostname = mkOptionDefault "${machine}.local.gensokyo.zone";
profiles.system = {
user = "root";
path = let
inherit (inputs.self.legacyPackages.${config.system}.deploy-rs) activate;
in
activate.nixos nixos;
};
};
system = let
kernel =
{
nixos = "linux";
macos = "darwin";
darwin = "darwin";
linux = "linux";
}
.${string.toLower config.type};
in "${config.arch}-${kernel}";
folder =
{
nixos = "nixos";
macos = "darwin";
darwin = "darwin";
linux = "linux";
}
.${string.toLower config.type};
modules = [
# per-OS modules
meta.modules.${config.folder}
# per-OS configuration
meta.${config.folder}.base
];
builder =
{
nixos = let
lib = inputs.nixpkgs.lib.extend (self: super:
import (inputs.arcexprs + "/lib") {
inherit super;
lib = self;
isOverlayLib = true;
});
sys = args:
lib.nixosSystem ({
inherit lib;
}
// args);
in
sys;
darwin = inputs.darwin.lib.darwinSystem;
macos = inputs.darwin.lib.darwinSystem;
}
.${string.toLower config.type};
specialArgs =
{
name = machine;
inherit machine;
systemType = config.folder;
inherit (config) system;
}
// defaultSpecialArgs;
};
};
hostConfigs = set.map (name: path: hostConfigs = set.map (name: path:
evalModules { evalModules {
modules = [ modules = [
hostModule
path path
meta.modules.system
]; ];
specialArgs = specialArgs = {
defaultSpecialArgs inherit name inputs std meta;
// { };
inherit name;
machine = name;
};
}) })
(set.map (_: c: c) meta.systems); (set.map (_: c: c) meta.systems);
processHost = name: cfg: let processHost = name: cfg: let
@ -143,9 +21,10 @@
set.optional (host.type != null) { set.optional (host.type != null) {
deploy.nodes.${name} = host.deploy; deploy.nodes.${name} = host.deploy;
"${host.folder}Configurations".${name} = host.builder { "${host.folder}Configurations".${name} = host.built;
inherit (host) system modules specialArgs;
};
}; };
in in
set.merge (set.mapToValues processHost hostConfigs) {
systems = hostConfigs;
}
// set.merge (set.mapToValues processHost hostConfigs)

4
systems/hakurei/default.nix
View file

@ -4,4 +4,8 @@ _: {
modules = [ modules = [
./nixos.nix ./nixos.nix
]; ];
access = {
tailscale.enable = true;
global.enable = true;
};
} }

12
systems/hakurei/nixos.nix
View file

@ -6,8 +6,8 @@
... ...
}: let }: let
inherit (lib.modules) mkIf mkMerge; inherit (lib.modules) mkIf mkMerge;
mediabox = access.systemFor "mediabox"; mediabox = access.nixosFor "mediabox";
tei = access.systemFor "tei"; tei = access.nixosFor "tei";
inherit (mediabox.services) plex; inherit (mediabox.services) plex;
inherit (tei.services) kanidm vouch-proxy; inherit (tei.services) kanidm vouch-proxy;
in { in {
@ -139,16 +139,16 @@ in {
inherit (config.services.nginx) access; inherit (config.services.nginx) access;
in { in {
access.plex = assert plex.enable; { access.plex = assert plex.enable; {
url = "http://${mediabox.networking.access.hostnameForNetwork.local}:${toString plex.port}"; url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString plex.port}";
externalPort = 41324; externalPort = 41324;
}; };
access.vouch = assert vouch-proxy.enable; { access.vouch = assert vouch-proxy.enable; {
url = "http://${tei.networking.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}"; url = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}";
useACMEHost = access.vouch.localDomain; useACMEHost = access.vouch.localDomain;
}; };
access.kanidm = assert kanidm.enableServer; { access.kanidm = assert kanidm.enableServer; {
inherit (kanidm.server.frontend) domain port; inherit (kanidm.server.frontend) domain port;
host = tei.networking.access.hostnameForNetwork.local; host = tei.lib.access.hostnameForNetwork.local;
ldapEnable = false; ldapEnable = false;
}; };
access.freeipa = { access.freeipa = {
@ -159,7 +159,7 @@ in {
useACMEHost = access.kitchencam.domain; useACMEHost = access.kitchencam.domain;
}; };
access.invidious = { access.invidious = {
url = "http://${mediabox.networking.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}"; url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}";
}; };
virtualHosts = { virtualHosts = {
${access.kanidm.domain} = { ${access.kanidm.domain} = {

1
systems/litterbox/default.nix
View file

@ -4,4 +4,5 @@ _: {
modules = [ modules = [
./nixos.nix ./nixos.nix
]; ];
access.tailscale.enable = true;
} }

1
systems/reimu/default.nix
View file

@ -4,4 +4,5 @@ _: {
modules = [ modules = [
./nixos.nix ./nixos.nix
]; ];
access.tailscale.enable = true;
} }

14
systems/tei/cloudflared.nix
View file

@ -6,17 +6,17 @@
}: let }: let
inherit (lib.modules) mkIf; inherit (lib.modules) mkIf;
inherit (lib.attrsets) listToAttrs nameValuePair; inherit (lib.attrsets) listToAttrs nameValuePair;
inherit (access) systemFor; inherit (access) nixosFor;
inherit (config.networking) hostName; inherit (config.networking) hostName;
cfg = config.services.cloudflared; cfg = config.services.cloudflared;
apartment = "5e85d878-c6b2-4b15-b803-9aeb63d63543"; apartment = "5e85d878-c6b2-4b15-b803-9aeb63d63543";
accessHostFor = { accessHostFor = {
hostName, hostName,
system ? systemFor hostName, system ? nixosFor hostName,
access ? "local", access ? "local",
... ...
}: let }: let
host = system.networking.access.hostnameForNetwork.${access} or (throw "unsupported access ${access}"); host = system.lib.access.hostnameForNetwork.${access} or (throw "unsupported access ${access}");
in in
if hostName == config.networking.hostName if hostName == config.networking.hostName
then "localhost" then "localhost"
@ -25,7 +25,7 @@
host ? system.networking.fqdn, host ? system.networking.fqdn,
port ? 80, port ? 80,
hostName, hostName,
system ? systemFor hostName, system ? nixosFor hostName,
} @ args: } @ args:
nameValuePair host { nameValuePair host {
service = "http://${accessHostFor args}:${toString port}"; service = "http://${accessHostFor args}:${toString port}";
@ -34,7 +34,7 @@
host ? system.services.home-assistant.domain, host ? system.services.home-assistant.domain,
port ? system.services.home-assistant.config.http.server_port, port ? system.services.home-assistant.config.http.server_port,
hostName, hostName,
system ? systemFor hostName, system ? nixosFor hostName,
... ...
} @ args: } @ args:
nameValuePair host { nameValuePair host {
@ -44,7 +44,7 @@
host ? system.services.vouch-proxy.domain, host ? system.services.vouch-proxy.domain,
port ? system.services.vouch-proxy.settings.vouch.port, port ? system.services.vouch-proxy.settings.vouch.port,
hostName, hostName,
system ? systemFor hostName, system ? nixosFor hostName,
... ...
} @ args: } @ args:
nameValuePair host { nameValuePair host {
@ -54,7 +54,7 @@
host ? system.services.kanidm.server.frontend.domain, host ? system.services.kanidm.server.frontend.domain,
port ? system.services.kanidm.server.frontend.port, port ? system.services.kanidm.server.frontend.port,
hostName, hostName,
system ? systemFor hostName, system ? nixosFor hostName,
... ...
} @ args: } @ args:
nameValuePair host { nameValuePair host {

1
systems/tei/default.nix
View file

@ -4,4 +4,5 @@ _: {
modules = [ modules = [
./nixos.nix ./nixos.nix
]; ];
access.tailscale.enable = true;
} }