nixos-config/lib/fudo/hosts.nix

{ config, lib, pkgs, ... }:

with lib;
let
  mapOptional = f: val: if (val != null) then (f val) else null;

  host = import ../types/host.nix { inherit lib; };

in {
  options.fudo.hosts = with types;
    mkOption {
      type = attrsOf (submodule host.hostOpts);
      description = "Host configurations for all hosts known to the system.";
      default = { };
    };

  config = let
    hostname = config.instance.hostname;
    host-cfg = config.fudo.hosts.${hostname};
    site-name = host-cfg.site;
    site = config.fudo.sites.${site-name};
    domain-name = host-cfg.domain;
    domain = config.fudo.domains.${domain-name};
    has-build-servers = (length (attrNames site.build-servers)) > 0;
    has-build-keys = (length host-cfg.build-pubkeys) > 0;

  in {
    networking = {
      hostName = config.instance.hostname;
      domain = domain-name;
      nameservers = site.nameservers;
      # This will cause a loop on the gateway itself
      #defaultGateway = site.gateway-v4;
      #defaultGateway6 = site.gateway-v6;

      firewall = {
        enable = (length host-cfg.external-interfaces) > 0;
        allowedTCPPorts = [ 22 ];
      };

      hostId = mkIf (host-cfg.machine-id != null)
        (substring 0 8 host-cfg.machine-id);
    };

    # NixOS generates a stupid hosts file, just force it
    environment.etc = {
      hosts = let
        host-entries = mapAttrsToList
          (ip: hostnames: "${ip} ${concatStringsSep " " hostnames}")
          config.fudo.system.hostfile-entries;
      in mkForce {
        text = ''
        127.0.0.1 ${hostname}.${domain-name} ${hostname} localhost
        127.0.0.2 ${hostname} localhost
        ::1 ${hostname}.${domain-name} ${hostname} localhost
        ${concatStringsSep "\n" host-entries}
      '';
        user = "root";
        group = "root";
        mode = "0444";
      };

      machine-id = mkIf (host-cfg.machine-id != null) {
        text = host-cfg.machine-id;
        user = "root";
        group = "root";
        mode = "0444";
      };

      current-system-packages.text = with builtins; let
        packages = map (p: "${p.name}")
          config.environment.systemPackages;
        sorted-unique = sort lessThan (unique packages);
      in concatStringsSep "\n" sorted-unique;
    };

    time.timeZone = site.timezone;

    krb5.libdefaults.default_realm = domain.gssapi-realm;

    services.cron.mailto = domain.admin-email;

    environment.systemPackages = with pkgs;
      mkIf (host-cfg.docker-server) [ docker nix-prefetch-docker ];

    virtualisation.docker = mkIf (host-cfg.docker-server) {
      enable = true;
      enableOnBoot = true;
      autoPrune.enable = true;
    };

    fudo = let
      try-attr = attr: set: if (hasAttr attr set) then set.${attr} else null;

      files = config.fudo.secrets.files;

      keytab-file = try-attr hostname files.host-keytabs;

      build-private-key-file =
        mapOptional
          (keypair: keypair.private-key)
          (try-attr hostname files.build-keypairs);

      backplane-passwd-source = try-attr hostname files.backplane-passwords;

      backplane-passwd-target = "/var/run/backplane/passwd";
    in {
      secrets.host-secrets.${hostname} = {
        host-keytab = mkIf (keytab-file != null) {
          source-file = keytab-file;
          target-file = "/etc/krb5.keytab";
          user = "root";
        };

        build-private-key = mkIf (build-private-key-file != null) {
          source-file = build-private-key-file;
          target-file = "/var/run/nix-build/host.key";
          user = "root";
        };

        backplane-passwd = mkIf (backplane-passwd-source != null) {
          source-file = backplane-passwd-source;
          target-file = backplane-passwd-target;
          user = config.fudo.client.dns.user;
        };
      };

      client.dns.password-file = mkIf (backplane-passwd-source != null)
        backplane-passwd-target;
    };

    programs.adb.enable = host-cfg.android-dev;
    users.groups.adbusers = mkIf host-cfg.android-dev {
      members = config.instance.local-admins;
    };

    boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
  };
}
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`
Fixed deploy keys and added ssh keys pushed from deploy server 2021-09-22 18:43:23 -07:00			`mapOptional = f: val: if (val != null) then (f val) else null;`

Extract host type to host.nix 2021-10-04 13:23:40 -07:00			`host = import ../types/host.nix { inherit lib; };`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00
			`in {`
Seems to be almost working 2021-03-01 14:43:27 -08:00			`options.fudo.hosts = with types;`
			`mkOption {`
Extract host type to host.nix 2021-10-04 13:23:40 -07:00			`type = attrsOf (submodule host.hostOpts);`
Seems to be almost working 2021-03-01 14:43:27 -08:00			`description = "Host configurations for all hosts known to the system.";`
			`default = { };`
			`};`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00
			`config = let`
			`hostname = config.instance.hostname;`
			`host-cfg = config.fudo.hosts.${hostname};`
			`site-name = host-cfg.site;`
Working refactored (on a test server) 2021-02-25 12:45:50 -08:00			`site = config.fudo.sites.${site-name};`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`domain-name = host-cfg.domain;`
domain -> domains 2021-03-10 17:23:45 -08:00			`domain = config.fudo.domains.${domain-name};`
Add build servers 2021-04-10 13:25:43 -07:00			`has-build-servers = (length (attrNames site.build-servers)) > 0;`
			`has-build-keys = (length host-cfg.build-pubkeys) > 0;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00
			`in {`
			`networking = {`
			`hostName = config.instance.hostname;`
Set the host domain name 2021-04-12 14:41:08 -07:00			`domain = domain-name;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`nameservers = site.nameservers;`
Arg that's frustrating...why no NAT? 2021-03-01 16:08:14 -08:00			`# This will cause a loop on the gateway itself`
			`#defaultGateway = site.gateway-v4;`
			`#defaultGateway6 = site.gateway-v6;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00
Only enable the firewall if there's an external interface specified 2021-04-12 14:53:55 -07:00			`firewall = {`
			`enable = (length host-cfg.external-interfaces) > 0;`
			`allowedTCPPorts = [ 22 ];`
			`};`
Working flake check 2021-09-30 08:40:47 -07:00
			`hostId = mkIf (host-cfg.machine-id != null)`
			`(substring 0 8 host-cfg.machine-id);`
Force hosts to contain proper localhost 2021-04-12 13:38:56 -07:00			`};`

Add fudo-pkgs submodule 2021-09-07 15:39:45 -07:00			`# NixOS generates a stupid hosts file, just force it`
Working flake check 2021-09-30 08:40:47 -07:00			`environment.etc = {`
			`hosts = let`
			`host-entries = mapAttrsToList`
			`(ip: hostnames: "${ip} ${concatStringsSep " " hostnames}")`
			`config.fudo.system.hostfile-entries;`
			`in mkForce {`
			`text = ''`
Force hosts to contain proper localhost 2021-04-12 13:38:56 -07:00			`127.0.0.1 ${hostname}.${domain-name} ${hostname} localhost`
			`127.0.0.2 ${hostname} localhost`
			`::1 ${hostname}.${domain-name} ${hostname} localhost`
Add fudo-pkgs submodule 2021-09-07 15:39:45 -07:00			`${concatStringsSep "\n" host-entries}`
Force hosts to contain proper localhost 2021-04-12 13:38:56 -07:00			`'';`
Working flake check 2021-09-30 08:40:47 -07:00			`user = "root";`
			`group = "root";`
			`mode = "0444";`
			`};`

			`machine-id = mkIf (host-cfg.machine-id != null) {`
			`text = host-cfg.machine-id;`
			`user = "root";`
			`group = "root";`
			`mode = "0444";`
			`};`
Include installed package list in /etc 2021-10-12 14:06:34 -07:00
			`current-system-packages.text = with builtins; let`
Version doesn't exist, I guess? 2021-10-12 14:08:05 -07:00			`packages = map (p: "${p.name}")`
Include installed package list in /etc 2021-10-12 14:06:34 -07:00			`config.environment.systemPackages;`
			`sorted-unique = sort lessThan (unique packages);`
			`in concatStringsSep "\n" sorted-unique;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`};`

'Fix' printer driver, set timezone 2021-04-03 10:15:10 -07:00			`time.timeZone = site.timezone;`

Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`krb5.libdefaults.default_realm = domain.gssapi-realm;`

			`services.cron.mailto = domain.admin-email;`

			`environment.systemPackages = with pkgs;`
Working refactored (on a test server) 2021-02-25 12:45:50 -08:00			`mkIf (host-cfg.docker-server) [ docker nix-prefetch-docker ];`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00
Working refactored (on a test server) 2021-02-25 12:45:50 -08:00			`virtualisation.docker = mkIf (host-cfg.docker-server) {`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`enable = true;`
			`enableOnBoot = true;`
Working refactored (on a test server) 2021-02-25 12:45:50 -08:00			`autoPrune.enable = true;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`};`
Arg, fucking port forwarding is shit 2021-03-17 12:45:40 -07:00
Working flake-based nixops config 2021-10-08 15:26:19 -07:00			`fudo = let`
			`try-attr = attr: set: if (hasAttr attr set) then set.${attr} else null;`

			`files = config.fudo.secrets.files;`

			`keytab-file = try-attr hostname files.host-keytabs;`
Various minor fixes 2021-09-29 18:44:33 -07:00
			`build-private-key-file =`
Working flake-based nixops config 2021-10-08 15:26:19 -07:00			`mapOptional`
			`(keypair: keypair.private-key)`
			`(try-attr hostname files.build-keypairs);`

			`backplane-passwd-source = try-attr hostname files.backplane-passwords;`

			`backplane-passwd-target = "/var/run/backplane/passwd";`
Various minor fixes 2021-09-29 18:44:33 -07:00			`in {`
Working flake-based nixops config 2021-10-08 15:26:19 -07:00			`secrets.host-secrets.${hostname} = {`
			`host-keytab = mkIf (keytab-file != null) {`
			`source-file = keytab-file;`
			`target-file = "/etc/krb5.keytab";`
			`user = "root";`
			`};`

			`build-private-key = mkIf (build-private-key-file != null) {`
			`source-file = build-private-key-file;`
			`target-file = "/var/run/nix-build/host.key";`
			`user = "root";`
			`};`

			`backplane-passwd = mkIf (backplane-passwd-source != null) {`
			`source-file = backplane-passwd-source;`
			`target-file = backplane-passwd-target;`
			`user = config.fudo.client.dns.user;`
			`};`
Fixed deploy keys and added ssh keys pushed from deploy server 2021-09-22 18:43:23 -07:00			`};`

Nonexistent variable: backplane-passwd -> backplane-passwd-source 2021-10-12 14:40:12 -07:00			`client.dns.password-file = mkIf (backplane-passwd-source != null)`
Fix typo: password -> passwd 2021-10-12 14:38:23 -07:00			`backplane-passwd-target;`
Evolution in Seattle 2021-04-29 21:39:21 -07:00			`};`

Fixed for deploy again 2021-08-18 10:00:18 -07:00			`programs.adb.enable = host-cfg.android-dev;`
			`users.groups.adbusers = mkIf host-cfg.android-dev {`
Move user types to a common file 2021-10-01 16:05:56 -07:00			`members = config.instance.local-admins;`
Fixed for deploy again 2021-08-18 10:00:18 -07:00			`};`

Make all hosts' initrd network-accessible First attempt 2021-10-13 17:23:47 -07:00			`boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;`
Still very broken...moving to start testing 2021-02-23 12:58:29 -08:00			`};`
			`}`