Initial, broken

config/hardware/atom.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   system.stateVersion = "20.03";
 
   boot = {

config/hardware/clunk.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   boot = {
     initrd = {
       availableKernelModules =

config/hardware/france.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   boot = {
     initrd = {
       availableKernelModules =
@@ -21,12 +19,6 @@
     };
   };
 
-  boot.initrd.availableKernelModules =
-    [ "uhci_hcd" "ehci_pci" "ata_piix" "ahci" "floppy" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
   fileSystems = {
     "/boot" = {
       device = "/dev/disk/by-label/france-boot";

config/hardware/lambda.nix

@@ -4,8 +4,6 @@ with lib;
 let
 
 in {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   system.stateVersion = "21.05";
 
   boot = {

config/hardware/limina.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
 with lib; {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   system.stateVersion = "20.09";
 
   boot = {

config/hardware/nostromo.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   boot = {
     initrd = {
       availableKernelModules = [

config/hardware/plato.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
 with lib; {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   boot = {
     initrd = {
       availableKernelModules =

config/hardware/procul.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   boot = {
     initrd.availableKernelModules = [
       "uhci_hcd"

config/hardware/socrates.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   config = {
 
     boot = {

config/hardware/spark.nix

@@ -1,10 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
-
   system.stateVersion = "20.03";
 
   boot = {

config/hardware/system3.nix

@@ -4,8 +4,6 @@ with lib;
 let
 
 in {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   system.stateVersion = "21.05";
 
   boot = {

config/hardware/zbox.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
   boot = {
     loader = {
       systemd-boot.enable = true;

config/host-config/france.nix

@@ -2,6 +2,7 @@
 
 let
   primary-ip = "208.81.3.117";
+  git-server-ip = "208.81.3.118";
   hostname = config.instance.hostname;
   domain-name = config.fudo.hosts.${hostname}.domain;
   domain = config.fudo.domains.${domain-name};

config/hosts/atom.nix

@@ -7,4 +7,5 @@
   site = "seattle";
   profile = "laptop";
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/hosts/clunk.nix

@@ -15,4 +15,5 @@
   ssh-pubkey =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/hosts/france.nix

@@ -15,4 +15,6 @@
   ssh-pubkey =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
   arch = "x86_64-linux";
+  # Just to stop this evaluating for now
+  nixos-system = false;
 }

config/hosts/lambda.nix

@@ -16,4 +16,5 @@
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPB5JY6jnHCRLxjqWKYkK8Xpmfyq2nA+0noPazYGd9a+";
   enable-gui = false;
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/hosts/limina.nix

@@ -15,4 +15,5 @@
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
   tmp-on-tmpfs = false;
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/hosts/nostromo.nix

@@ -15,4 +15,5 @@
   ssh-pubkey =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/hosts/plato.nix

@@ -18,4 +18,5 @@
   ];
   tmp-on-tmpfs = false;
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/hosts/procul.nix

@@ -17,4 +17,5 @@
   tmp-on-tmpfs = false;
   enable-gui = false;
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/hosts/socrates.nix

@@ -15,4 +15,5 @@
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TqqumZwSDLkg8cTpR734zM+nuqEp1ufaQPoFdqCab";
   tmp-on-tmpfs = false;
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/hosts/spark.nix

@@ -16,4 +16,5 @@
   site = "seattle";
   android-dev = true;
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/hosts/system3.nix

@@ -16,4 +16,5 @@
   site = "seattle";
   android-dev = true;
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/hosts/zbox.nix

@@ -16,4 +16,5 @@
   site = "seattle";
   android-dev = true;
   arch = "x86_64-linux";
+  nixos-system = true;
 }

config/profile-config/common.nix

@@ -33,13 +33,9 @@ in {
     '';
   };
 
-  # TODO: remove?
-  nixpkgs.config.permittedInsecurePackages = [
-    "openssh-with-gssapi-8.4p1" # CVE-2021-28041
-  ];
-
   nixpkgs.config.allowUnfree = true;
   security.acme.acceptTerms = true;
+  hardware.enableRedistributableFirmware = true;
 
   krb5 = {
     enable = true;

flake.lock

@@ -1,5 +1,60 @@
 {
   "nodes": {
+    "backplane-passwords": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-Bf5sVg4oSg6uCKMJl21btfBH4NQI/Wz4SU9j130Shyg=",
+        "path": "./backplane-passwords",
+        "type": "path"
+      },
+      "original": {
+        "path": "./backplane-passwords",
+        "type": "path"
+      }
+    },
+    "build-keypairs": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-4eRLRLCzZ6kQIRZqy51bj60jhFSQ/wlKLeNgABPhTyw=",
+        "path": "./build-keypairs",
+        "type": "path"
+      },
+      "original": {
+        "path": "./build-keypairs",
+        "type": "path"
+      }
+    },
+    "filesystem-keys": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-K2wdsA4vcNTaLR9A9qxB+aMaeANL0LXOwBWvUm63lX0=",
+        "path": "./filesystem-keys",
+        "type": "path"
+      },
+      "original": {
+        "path": "./filesystem-keys",
+        "type": "path"
+      }
+    },
+    "fudo-secrets": {
+      "inputs": {
+        "backplane-passwords": "backplane-passwords",
+        "build-keypairs": "build-keypairs",
+        "filesystem-keys": "filesystem-keys",
+        "host-keytabs": "host-keytabs",
+        "service-passwords": "service-passwords",
+        "ssh-keypairs": "ssh-keypairs"
+      },
+      "locked": {
+        "narHash": "sha256-i3c+gzSJO/YckvPXsncOYdrrBoq5WvoHeaB/X2lWr3I=",
+        "path": "/state/secrets",
+        "type": "path"
+      },
+      "original": {
+        "path": "/state/secrets",
+        "type": "path"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -21,6 +76,18 @@
         "type": "github"
       }
     },
+    "host-keytabs": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-yvGgY3mgzaGjYBNHr0m4Lg2rxrB0+CRlzWdJ2A06MeM=",
+        "path": "./kerberos/host-keytabs",
+        "type": "path"
+      },
+      "original": {
+        "path": "./kerberos/host-keytabs",
+        "type": "path"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1632291606,
@@ -38,9 +105,34 @@
     },
     "root": {
       "inputs": {
+        "fudo-secrets": "fudo-secrets",
         "home-manager": "home-manager",
         "nixpkgs": "nixpkgs"
       }
+    },
+    "service-passwords": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-JPMZdokzw+vyWoIKwgDhD60BYi5gch/MfgQyvx5AXZA=",
+        "path": "./service-passwords",
+        "type": "path"
+      },
+      "original": {
+        "path": "./service-passwords",
+        "type": "path"
+      }
+    },
+    "ssh-keypairs": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-fD2ZTNMc399XtlVWLCU4crC0RZZ8yTZPFzEm9VWjiL8=",
+        "path": "./ssh-keypairs",
+        "type": "path"
+      },
+      "original": {
+        "path": "./ssh-keypairs",
+        "type": "path"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -3,17 +3,27 @@
 
   inputs = {
     nixpkgs.url = "nixpkgs/nixos-21.05";
+
     home-manager.url = "github:nix-community/home-manager/release-21.05";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    fudo-secrets.url = "path:/state/secrets";
   };
 
-  outputs = { self, nixpkgs, home-manager, ... }: {
+  outputs = { self, nixpkgs, home-manager, fudo-secrets, ... }: {
 
     nixosConfigurations = let
-      hostlib = import ./lib/hosts.nix { lib = nixpkgs.lib; };
-      hosts = hostlib.base-host-config ./config/hosts;
-    in nixpkgs.lib.mapAttrs (hostname: hostOpts: let
+      lib = nixpkgs.lib;
+
+      hostlib = import ./lib/hosts.nix { inherit lib; };
+
+      hosts = lib.filterAttrs (hostname: hostOpts:
+        hostOpts.nixos-system) (hostlib.base-host-config ./config/hosts);
+
+      build-timestamp = self.sourceInfo.lastModified;
+    in lib.mapAttrs (hostname: hostOpts: let
       pkgs = import nixpkgs {
+        system = hostOpts.arch;
         config = {
           allowUnfree = true;
           permittedInsecurePackages = [
@@ -24,10 +34,15 @@
           (import ./fudo-pkgs/overlay.nix)
         ];
       };
-      in import ./initialize.nix {
-        inherit hostname pkgs;
-        home-manager-module = import "${home-manager}/nixos";
-        include-secrets = true;
-      }) hosts;
+    in lib.nixosSystem {
+      system = hostOpts.arch;
+
+      modules = [
+        "${home-manager}/nixos"
+        (import ./initialize.nix {
+          inherit hostname pkgs build-timestamp fudo-secrets;
+        })
+      ];
+    }) hosts;
   };
 }

initialize.nix

@@ -1,4 +1,4 @@
-{ hostname, home-manager-module, pkgs, include-secrets ? true, ... }:
+{ hostname, pkgs, build-timestamp, fudo-secrets ? null, ... }:
 
 let
   # Get info on this host so we know what to load
@@ -9,7 +9,7 @@ in {
     ./lib
     ./config
       
-    home-manager-module
+    #home-manager-module
 
     (./. + "/config/hardware/${hostname}.nix")
     (./. + "/config/host-config/${hostname}.nix")
@@ -19,10 +19,12 @@ in {
   ];
 
   config = {
+    fudo.local-network.timestamp = build-timestamp;
+
     instance = { hostname = hostname; };
 
     nixpkgs.pkgs = pkgs;
 
-    fudo.secrets.enable = include-secrets;
+    fudo.secrets.enable = fudo-secrets != null;
   };
 }

lib/default.nix

@@ -11,6 +11,7 @@ with lib; {
     ./fudo/backplane
     ./fudo/chat.nix
     ./fudo/client/dns.nix
+    ./fudo/distributed-builds.nix
     ./fudo/dns.nix
     ./fudo/domains.nix
     ./fudo/garbage-collector.nix
@@ -35,6 +36,7 @@ with lib; {
     ./fudo/secure-dns-proxy.nix
     ./fudo/sites.nix
     ./fudo/slynk.nix
+    ./fudo/ssh.nix
     ./fudo/system.nix
     ./fudo/system-networking.nix
     ./fudo/users.nix

lib/fudo/deploy.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  sys = callPackage ./system.nix {};
+
+  site-cfg = config.fudo.sites.${sys.local-site};
+
+in {
+  config = {
+    users.usersroot.openssh.authorizedKeys.keys = mkIf (site-cfg.deploy-pubkeys != null)
+      site-cfg.deploy-pubkeys;
+  };
+}

lib/fudo/distributed-builds.nix

@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  sys = callPackage ../system.nix {};
+
+  site-cfg = config.fudo.sites.${sys.local-site};
+
+  has-build-servers = (length (attrNames site-cfg.build-servers)) > 0;
+
+  build-keypair = config.fudo.secrets.host-secrets.${hostname}.build-keypair;
+
+  enable-distributed-builds =
+    site-cfg.enable-distributed-builds && has-build-servers && build-keypair != null;
+
+  local-build-cfg =
+    mkIf (hasKey site-cfg.build-servers hostname)
+      site-cfg.build-servers.hostname;
+
+in {
+  config = {
+    nix = mkIf enable-distributed-builds {
+      buildMachines = mapAttrsToList (hostname: buildOpts: {
+        hostName = "${hostname}.${domain-name}";
+        maxJobs = buildOpts.max-jobs;
+        speedFactor = buildOpts.speed-factor;
+        supportedFeatures = buildOpts.supportedFeatures;
+        sshKey = build-keypair.private-key;
+        sshUser = buildOpts.user;
+      }) site-cfg.build-servers;
+      distributedBuilds = true;
+
+      trustedUsers = mkIf (local-build-cfg != null) [
+        local-build-host.build-user
+      ];
+    };
+
+    users.users = mkIf (local-build-cfg != null) {
+      ${local-build-cfg.build-user} = {
+        isSystemUser = true;
+        openssh.authorizedKeys.keyFiles =
+          foldr (a: b: a ++ b) []
+            mapAttrsToList (host: hostOpts: hostOpts.build-pubkeys) sys.local-hosts;
+      };
+    };
+  };
+}

lib/fudo/hosts.nix

@@ -39,8 +39,7 @@ let
       };
 
       profile = mkOption {
-        # FIXME: get this list from profiles directly
-        type = listof (enum "desktop" "laptop" "server");
+        type = listOf (enumOf (attrNames config.fudo.profiles));
         description =
           "The profile to be applied to the host, determining what software is included.";
       };
@@ -109,11 +108,11 @@ let
         default = [ "ssh" "host" ];
       };
 
-      ssh-pubkey = mkOption {
-        type = nullOr str;
+      ssh-pubkeys = mkOption {
+        type = listOf str;
         description =
-          "SSH key of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key.";
-        default = null;
+          "SSH keys of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key.";
+        default = [];
       };
 
       build-pubkeys = mkOption {
@@ -207,22 +206,22 @@ in {
       mode = "0444";
     };
 
-    fudo.hosts.${hostname}.build-pubkeys =
-      map builtins.readFile
-        (map (build-key-path: "${build-key-path}/${hostname}.key.pub")
-          (optional (site.build-key-path != null) site.build-key-path));
+    # fudo.hosts.${hostname}.build-pubkeys =
+    #   map builtins.readFile
+    #     (map (build-key-path: "${build-key-path}/${hostname}.key.pub")
+    #       (optional (site.build-key-path != null) site.build-key-path));
 
-    nix = mkIf
-      (has-build-servers && has-build-keys && site.enable-distributed-builds) {
-        buildMachines = mapAttrsToList (hostname: buildOpts: {
-          hostName = "${hostname}.${domain-name}";
-          maxJobs = buildOpts.max-jobs;
-          speedFactor = buildOpts.speed-factor;
-          supportedFeatures = buildOpts.supported-features;
-          sshKey = config.fudo.secrets.host-secrets.${hostname}.build-private-key.target-file;
-        }) site.build-servers;
-        distributedBuilds = true;
-      };
+    # nix = mkIf
+    #   (has-build-servers && has-build-keys && site.enable-distributed-builds) {
+    #     buildMachines = mapAttrsToList (hostname: buildOpts: {
+    #       hostName = "${hostname}.${domain-name}";
+    #       maxJobs = buildOpts.max-jobs;
+    #       speedFactor = buildOpts.speed-factor;
+    #       supportedFeatures = buildOpts.supported-features;
+    #       sshKey = config.fudo.secrets.host-secrets.${hostname}.build-private-key.target-file;
+    #     }) site.build-servers;
+    #     distributedBuilds = true;
+    #   };
 
     time.timeZone = site.timezone;
 
@@ -242,26 +241,14 @@ in {
     boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
 
     fudo.secrets.host-secrets.${hostname} = {
-      host-keytab = let
-        keytab-file = mapOptional (keytab-path:
-          if (pathExists keytab-path) then
-            /. + builtins.toPath keytab-path
-          else
-            null) (mapOptional (keytab-dir: "${keytab-dir}/${hostname}.keytab")
-              site.keytab-path);
-      in mkIf (keytab-file != null) {
-        source-file = /. + builtins.toPath keytab-file;
+      host-keytab = mkIf (fudo.secrets.files.host-keytabs.${hostname} != null) {
+        source-file = fudo.secrets.files.host-keytabs.${hostname};
         target-file = "/etc/krb5.keytab";
         user = "root";
       };
 
-      build-private-key = let
-        build-key-file = mapOptional
-          (build-key-file: if (pathExists build-key-file) then (/. + builtins.toPath build-key-file) else null)
-          (mapOptional (build-key-path: "${build-key-path}/${hostname}.key")
-            site.build-key-path);
-      in mkIf (build-key-file != null) {
-        source-file = build-key-file;
+      build-private-key = mkIf (fudo.secrets.files.build-keypairs.${hostname} != null) {
+        source-file = fudo.secrets.files.build-keypairs.${hostname}.private-key;
         target-file = "/var/run/nix-build/host.key";
         user = "root";
       };

lib/fudo/local-network.nix

@@ -83,6 +83,11 @@ in {
         description = "Definition of network to be served by local server.";
         default = { };
       };
+
+    timestamp = mkOption {
+      type = int;
+      description = "Timestamp of build, to be used as a serial.";
+    };
   };
 
   config = mkIf cfg.enable {
@@ -144,7 +149,7 @@ in {
           $TTL 1h
 
           @ IN SOA ns1.${cfg.domain}. hostmaster.${cfg.domain}. (
-            ${toString builtins.currentTime}
+            ${toString cfg.timestamp}
             1800
             900
             604800
@@ -201,7 +206,7 @@ in {
         name = cfg.domain;
         file = pkgs.writeText "${cfg.domain}-zone" ''
           @ IN SOA ns1.${cfg.domain}. hostmaster.${cfg.domain}. (
-            ${toString builtins.currentTime}
+            ${toString cfg.timestamp}
             5m
             2m
             6w

lib/fudo/sites.nix

@@ -108,7 +108,7 @@ let
 
       dropbear-ssh-port = mkOption {
         type = port;
-        description = "Port to be used for the deploy SSH server.";
+        description = "Port to be used for the backup SSH server.";
         default = 2112;
       };
 
@@ -206,16 +206,13 @@ in {
 
   config = {
     users.users = {
-      root.openssh.authorizedKeys.keys =
-        mkIf (site-cfg.deploy-pubkeys != null) site-cfg.deploy-pubkeys;
-
       ${site-cfg.build-user} = mkIf
         (any (build-host: build-host == config.instance.hostname)
           (attrNames site-cfg.build-servers)) {
             isSystemUser = true;
             openssh.authorizedKeys.keys =
               concatMap (hostOpts: hostOpts.build-pubkeys)
-              (attrValues site-hosts);
+                (attrValues site-hosts);
             shell = pkgs.bash;
           };
     };

lib/fudo/ssh.nix

@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  hostname = config.fudo.instance.hostname;
+  has-attrs = set: length (attrNames set) > 0;
+  host-keypairs = config.fudo.secrets.files.host-ssh-keypairs.${hostname};
+
+  sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record";
+
+  dns-sshfp-records = host: keypair: let
+    filename = sshfp-filename host keypair;
+  in mkDerivation {
+    buildInputs = with pkgs; [ openssh ];
+
+    buildPhase = ''
+      ssh-keygen -r REMOVEME -f ${keypair.public-key} | sed 's/^REMOVEME IN SSHFP //' > ${filename}
+    '';
+
+    installPhase = ''
+      mv ${filename} $out/${filename}
+    '';
+  };
+
+in {
+  config = {
+    fudo = {
+      secrets.host-secrets.${hostname} = mkIf (host-keypairs != [])
+        map (keypair: {
+          "host-${keypair.key-type}-private-key" = {
+            source-file = keypair.private-key;
+            target-file = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
+            user = "root";
+          };
+        });
+
+      hosts = mapAttrs (hostname: keypairs: {
+        ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
+        ssh-fingerprints = map (keypair:
+          let
+            fingerprint-derivation = dns-sshfp-records hostname keypair.public-key;
+            filename = sshfp-filename hostname keypair;
+          in builtins.readFile "${fingerprint-derivation}/${filename}") keypairs;
+      } config.fudo.secrets.files.host-ssh-keypairs);
+
+
+    };
+
+    services.openssh.hostKeys = mkIf (host-keypairs != [])
+      (map (keypair: {
+        path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
+        type = keypair.key-type;
+      }) host-keypairs);
+
+    programs.ssh.knownHosts = mapAttrs (hostname: keypairs: {
+      publicKeyFile = keypairs.public-key;
+      hostNames = let
+        host-cfg = config.fudo.hosts.${hostname};
+        domains = [host-cfg.domain] ++ host-cfg.extra-domains;
+      in [ hostname ] ++
+         (map (domain: "${hostname}.${domain}") domains);
+    });
+  };
+}

lib/hosts.nix

@@ -11,6 +11,6 @@ with lib;
     host-files = attrNames (filterAttrs is-nix-file (filterAttrs is-regular-file (builtins.readDir host-path)));
     hosts = map hostname-from-file host-files;
 
-    load-host-file = hostname: import (./. + "/hosts/${hostname}.nix");
+    load-host-file = hostname: import (host-path + "/${hostname}.nix");
   in genAttrs hosts (hostname: load-host-file hostname);
 }

lib/system.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 with lib;
 let
@@ -24,6 +24,9 @@ let
     getAttrs (host-group-list ++ domain-group-list ++ site-group-list)
       config.fudo.groups;
 
+  local-hosts =
+    filterAttrs (host: hostOpts: hostOpts.site == local-site) config.fudo.hosts;
+
 in {
   local-host = local-host;
   local-domain = local-domain;
@@ -31,4 +34,5 @@ in {
   local-users = local-users;
   local-admins = local-admins;
   local-groups = local-groups;
+  local-hosts = local-hosts;
 }