nixops/portage/flake.nix


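{
  description = "Definition of the Portage NixOps network.";

  inputs = {
    nixpkgs.url = "nixpkgs/nixos-21.05";

    fudo-home = {
      url = "git+https://git.fudo.org/niten/nix-home.git?ref=flake";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # NOTE(review): flake inputs are copied into the Nix store, which is
    # readable by every user of the evaluating machine. Confirm that nothing
    # under this path is more sensitive than a store path may hold.
    fudo-secrets.url = "path:/state/secrets";

    # fudo-pkgs.url = "git+https://git.fudo.org/fudo-public/fudo-pkgs.git";
    fudo-pkgs.url = "path:/state/nixops/fudo-pkgs";

    fudo-nixos = {
      url = "path:/state/nixops/fudo-nixos";
      # url = "git+ssh://fudo_git@git.fudo.org:2222/fudosys/NixOS.git?ref=nixops-flake";
      # Don't import it as a flake
      flake = false;
    };
  };

  outputs = { self, nixpkgs, fudo-home, fudo-nixos, fudo-pkgs, fudo-secrets, ... }:
    let
      domain = "fudo.org";
      site = "portage";

      # Last-modified time of this flake's own source tree; passed to every host.
      build-timestamp = self.sourceInfo.lastModified;

      hostlib = import (fudo-nixos + /lib/hosts.nix) { lib = nixpkgs.lib; };

      # Only NixOS hosts that belong to this site are part of the network.
      hosts = nixpkgs.lib.filterAttrs
        (hostname: hostOpts: hostOpts.nixos-system && hostOpts.site == site)
        (hostlib.base-host-config (fudo-nixos + /config/hosts));

      network-hosts =
        (import (fudo-nixos + /config/networks/${domain}.nix)).hosts;

      # Instantiate nixpkgs for one architecture with the site overlays applied.
      pkgs-for = system:
        import nixpkgs {
          inherit system;
          config = {
            allowUnfree = true;
            # nixpkgs marks this package insecure and will not evaluate it
            # without this exemption; revisit whenever the nixpkgs pin moves.
            permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ];
          };
          overlays = [
            (import (fudo-pkgs + "/overlay.nix"))
            (import (fudo-nixos + "/lib/overlay.nix"))
          ];
        };

      initialize-host = import (fudo-nixos + /initialize.nix);

    in {
      nixopsConfigurations.default = {
        inherit nixpkgs;
        network = {
          description = "Portage NixOps network.";
          enableRollback = true;
        };
      } // (nixpkgs.lib.mapAttrs (hostname: hostOpts:
        let
          system = hostOpts.arch;
          profile = hostOpts.profile;
        in { config, ... }:
          let
            # Instantiate nixpkgs once per host and reuse it below; the
            # previous version called pkgs-for three times for the same system.
            pkgs = pkgs-for system;
            lib = pkgs.lib;

            # NOTE(review): readFile pulls the seed into the evaluator as a
            # plain string. Anything initialize.nix interpolates it into at
            # evaluation time would end up in the store; confirm it does not.
            build-seed = builtins.readFile config.fudo.secrets.files.build-seed;
          in {
            imports = [
              fudo-home.nixosModule
              fudo-secrets.nixosModule
              (initialize-host {
                inherit lib pkgs hostname build-timestamp build-seed site domain profile;
              })
            ];

            nixpkgs.pkgs = pkgs;
            nixpkgs.lib = lib;

            deployment = with lib; {
              targetHost = network-hosts.${hostname}.ipv4-address;
              # Hosts without an entry in host-filesystem-keys receive no keys;
              # each key that is deployed is root-owned with mode 0400.
              keys =
                if hasAttr hostname config.fudo.secrets.files.host-filesystem-keys
                then mapAttrs (secret: secret-file: {
                  keyFile = secret-file;
                  user = "root";
                  permissions = "0400";
                }) config.fudo.secrets.files.host-filesystem-keys.${hostname}
                else { };
            };
          }) hosts);
    };
}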