Apparently, depot could be stopped. Who knew?

config/modules/meta/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  imports = [
+    ./imports.nix
+    ./deploy.nix
+    ./network.nix
+  ];
+}

config/modules/meta/deploy.nix

@@ -0,0 +1,122 @@
+{ sources, config, pkgs, lib, ... }:
+
+/*
+This module:
+  * makes tf-nix a part of the meta config
+  * handles the trusted import for tf-nix
+  * provides the target interface
+  * imports the per-host TF config for each target
+*/
+
+with lib;
+
+let
+  cfg = config.deploy;
+  meta = config;
+  tfModule = { lib, ... }: with lib; {
+    config._module.args = {
+      pkgs = mkDefault pkgs;
+    };
+  };
+  tfType = types.submoduleWith {
+    modules = [
+      tfModule
+      "${toString sources.tf-nix}/modules"
+      ./secrets.nix
+    ];
+  };
+in {
+  imports = [
+    (toString (sources.tf-nix + "/modules/run.nix"))
+  ] ++ (optional (builtins.pathExists ../../trusted/tf/tf.nix) (../../trusted/tf/tf.nix));
+  options = {
+    deploy = {
+      dataDir = mkOption {
+        type = types.path;
+      };
+      local = {
+        isRoot = mkOption {
+          type = types.bool;
+          default = builtins.getEnv "HOME_UID" == "0";
+        };
+        hostName = mkOption {
+          type = types.nullOr types.str;
+          default = let
+            hostName = builtins.getEnv "HOME_HOSTNAME";
+          in if hostName == "" then null else hostName;
+        };
+      };
+      targets = let
+        type = types.submodule ({ config, name, ... }: {
+          options = {
+            enable = mkEnableOption "Enable the target" // { default = true; };
+            name = mkOption {
+              type = types.str;
+              default = name;
+            };
+            nodeNames = mkOption {
+              type = types.listOf types.str;
+              default = [ ];
+            };
+            tf = mkOption {
+              type = tfType;
+              default = { };
+            };
+          };
+          config.tf = mkMerge (singleton {
+            imports = [
+              ../../targets/common
+            ];
+            deps = {
+              select.allProviders = true;
+              enable = true;
+            };
+            terraform = {
+              version = "1.0";
+              logPath = cfg.dataDir + "/terraform-${config.name}.log";
+              dataDir = cfg.dataDir + "/tfdata/${config.name}";
+              environment.TF_CLI_ARGS_apply = "-backup=-";
+              environment.TF_CLI_ARGS_taint = "-backup=-";
+            };
+            state = {
+              file = cfg.dataDir + "/terraform-${config.name}.tfstate";
+            };
+            runners = {
+              lazy = {
+                inherit (meta.runners.lazy) file args;
+                attrPrefix = "deploy.targets.${name}.tf.runners.run.";
+              };
+              run = {
+                apply.name = "${name}-apply";
+                terraform.name = "${name}-tf";
+              };
+            };
+            continue.envVar = "TF_NIX_CONTINUE_${replaceStrings [ "-" ] [ "_" ] config.name}";
+          } ++ map (nodeName: mapAttrs (_: mkMerge) meta.network.nodes.${nodeName}.deploy.tf.out.set) config.nodeNames);
+        });
+      in mkOption {
+        type = types.attrsOf type;
+        default = { };
+      };
+    };
+  };
+  config = {
+    deploy.targets = let
+      nodeNames = attrNames config.network.nodes;
+      targets = config.deploy.targets;
+      explicitlyDefinedHosts = concatLists (mapAttrsToList (targetName: target: remove targetName target.nodeNames) config.deploy.targets);
+    in genAttrs nodeNames ( nodeName: {
+      enable = mkDefault (! elem nodeName explicitlyDefinedHosts);
+      nodeNames = singleton nodeName;
+    });
+
+    runners = {
+      run = mkMerge (mapAttrsToList (targetName: target: mapAttrs' (k: run:
+      nameValuePair run.name run.set
+      ) target.tf.runners.run) (filterAttrs (_: v: v.enable) cfg.targets));
+      lazy.run = mkMerge (mapAttrsToList (targetName: target: mapAttrs' (k: run:
+      nameValuePair run.name run.set
+      ) target.tf.runners.lazy.run) (filterAttrs (_: v: v.enable) cfg.targets));
+    };
+  };
+}

config/modules/meta/imports.nix

@@ -0,0 +1,41 @@
+{ config, lib, profiles, root, ... }:
+
+with lib;
+
+{
+  options = {
+    lib = mkOption {
+      type = types.attrsOf (types.attrsOf types.unspecified);
+    };
+    network.importing = {
+      nixosImports = mkOption {
+        type = types.listOf types.str;
+      };
+      homeImports = mkOption {
+        type = types.listOf types.str;
+      };
+      users = mkOption {
+        type = types.listOf types.str;
+      };
+    };
+  };
+  config = {
+    network.importing = {
+      nixosImports = mkDefault (map (path: toString path) [
+        (root + "/config/hosts/HN/nixos.nix")
+        (root + "/config/trusted/hosts/HN/nixos.nix")
+      ]);
+      homeImports = mkDefault (map (path: toString path) [
+        (root + "/config/hosts/HN/home.nix")
+        (root + "/config/trusted/hosts/HN/home.nix")
+      ]);
+      users = mkDefault (singleton "kat");
+    };
+    lib.kw.nodeImport = hostName: lib.nodeImport {
+      inherit (config.network.importing) nixosImports homeImports users;
+      inherit profiles hostName;
+    };
+
+    _module.args = { inherit (config.lib) kw; };
+  };
+}

config/modules/meta/network.nix

@@ -0,0 +1,66 @@
+{ pkgs, sources, lib, meta, config, ... }:
+
+/*
+This module:
+  * Makes hosts nixosModules.
+  * Manages module imports and specialArgs.
+  * Builds network.nodes.
+*/
+
+with lib;
+
+{
+  options.network = {
+    nixos = {
+      extraModules = mkOption {
+        type = types.listOf types.unspecified;
+        default = [ ];
+      };
+      specialArgs = mkOption {
+        type = types.attrsOf types.unspecified;
+        default = { };
+      };
+      modulesPath = mkOption {
+        type = types.path;
+        default = toString (pkgs.path + "/nixos/modules");
+      };
+    };
+    nodes = let
+      nixosModule = { name, config, meta, modulesPath, lib, ... }: with lib; {
+        config = {
+          nixpkgs = {
+            system = mkDefault pkgs.system;
+            pkgs = mkDefault pkgs;
+          };
+        };
+      };
+      nixosType = let
+        baseModules = import (config.network.nixos.modulesPath + "/module-list.nix");
+      in types.submoduleWith {
+        modules = baseModules
+        ++ singleton nixosModule
+        ++ config.network.nixos.extraModules;
+
+        specialArgs = {
+          inherit baseModules;
+          inherit (config.network.nixos) modulesPath;
+        } // config.network.nixos.specialArgs;
+      };
+    in mkOption {
+      type = types.attrsOf nixosType;
+      default = { };
+    };
+  };
+  config.network = {
+    nixos = {
+      extraModules = [
+        "${toString sources.home-manager}/nixos"
+        ../../modules/nixos
+      ];
+      specialArgs = {
+        inherit (config.network) nodes;
+        inherit sources meta;
+      };
+    };
+  };
+}

config/modules/meta/secrets.nix

@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options = let tf = config; in {
+    variables = mkOption {
+      type = types.attrsOf (types.submodule ({ name, config, ... }: {
+        options.externalSecret = mkEnableOption "Is ths secret to be templated into a command provided?";
+        config = mkIf config.externalSecret {
+          type = "string";
+          value.shellCommand = "${tf.commandPrefix} ${tf.folderPrefix}${tf.folderDivider}${escapeShellArg name}";
+          sensitive = true;
+        };
+      }));
+    };
+    commandPrefix = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+    };
+    folderPrefix = mkOption {
+      type = types.str;
+      default = "";
+    };
+    folderDivider = mkOption {
+      type = types.str;
+      default = "";
+    };
+  };
+}