Initial, broken

2021-09-29 17:55:13 -07:00 · 2021-09-29 17:55:13 -07:00 · 3dc5986134
commit 3dc5986134
parent b072fed747
38 changed files with 302 additions and 95 deletions
--- a/config/hardware/atom.nix
+++ b/config/hardware/atom.nix
@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  system.stateVersion = "20.03";
  boot = {
--- a/config/hardware/clunk.nix
+++ b/config/hardware/clunk.nix
@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  boot = {
    initrd = {
      availableKernelModules =
--- a/config/hardware/france.nix
+++ b/config/hardware/france.nix
@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  boot = {
    initrd = {
      availableKernelModules =
@ -21,12 +19,6 @@
    };
  };
  boot.initrd.availableKernelModules =
    [ "uhci_hcd" "ehci_pci" "ata_piix" "ahci" "floppy" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems = {
    "/boot" = {
      device = "/dev/disk/by-label/france-boot";
--- a/config/hardware/lambda.nix
+++ b/config/hardware/lambda.nix
@ -4,8 +4,6 @@ with lib;
 let
 in {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  system.stateVersion = "21.05";
  boot = {
--- a/config/hardware/limina.nix
+++ b/config/hardware/limina.nix
@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 with lib; {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  system.stateVersion = "20.09";
  boot = {
--- a/config/hardware/nostromo.nix
+++ b/config/hardware/nostromo.nix
@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  boot = {
    initrd = {
      availableKernelModules = [
--- a/config/hardware/plato.nix
+++ b/config/hardware/plato.nix
@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 with lib; {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  boot = {
    initrd = {
      availableKernelModules =
--- a/config/hardware/procul.nix
+++ b/config/hardware/procul.nix
@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  boot = {
    initrd.availableKernelModules = [
      "uhci_hcd"
--- a/config/hardware/socrates.nix
+++ b/config/hardware/socrates.nix
@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  config = {
    boot = {
--- a/config/hardware/spark.nix
+++ b/config/hardware/spark.nix
@ -1,10 +1,6 @@
 { config, lib, pkgs, ... }:
 {
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];
  system.stateVersion = "20.03";
  boot = {
--- a/config/hardware/system3.nix
+++ b/config/hardware/system3.nix
@ -4,8 +4,6 @@ with lib;
 let
 in {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  system.stateVersion = "21.05";
  boot = {
--- a/config/hardware/zbox.nix
+++ b/config/hardware/zbox.nix
@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 {
  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  boot = {
    loader = {
      systemd-boot.enable = true;
--- a/config/host-config/france.nix
+++ b/config/host-config/france.nix
@ -2,6 +2,7 @@
 let
  primary-ip = "208.81.3.117";
  git-server-ip = "208.81.3.118";
  hostname = config.instance.hostname;
  domain-name = config.fudo.hosts.${hostname}.domain;
  domain = config.fudo.domains.${domain-name};
--- a/config/hosts/atom.nix
+++ b/config/hosts/atom.nix
@ -7,4 +7,5 @@
  site = "seattle";
  profile = "laptop";
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/hosts/clunk.nix
+++ b/config/hosts/clunk.nix
@ -15,4 +15,5 @@
  ssh-pubkey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/hosts/france.nix
+++ b/config/hosts/france.nix
@ -15,4 +15,6 @@
  ssh-pubkey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
  arch = "x86_64-linux";
  # Just to stop this evaluating for now
  nixos-system = false;
 }
--- a/config/hosts/lambda.nix
+++ b/config/hosts/lambda.nix
@ -16,4 +16,5 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPB5JY6jnHCRLxjqWKYkK8Xpmfyq2nA+0noPazYGd9a+";
  enable-gui = false;
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/hosts/limina.nix
+++ b/config/hosts/limina.nix
@ -15,4 +15,5 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
  tmp-on-tmpfs = false;
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/hosts/nostromo.nix
+++ b/config/hosts/nostromo.nix
@ -15,4 +15,5 @@
  ssh-pubkey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/hosts/plato.nix
+++ b/config/hosts/plato.nix
@ -18,4 +18,5 @@
  ];
  tmp-on-tmpfs = false;
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/hosts/procul.nix
+++ b/config/hosts/procul.nix
@ -17,4 +17,5 @@
  tmp-on-tmpfs = false;
  enable-gui = false;
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/hosts/socrates.nix
+++ b/config/hosts/socrates.nix
@ -15,4 +15,5 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TqqumZwSDLkg8cTpR734zM+nuqEp1ufaQPoFdqCab";
  tmp-on-tmpfs = false;
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/hosts/spark.nix
+++ b/config/hosts/spark.nix
@ -16,4 +16,5 @@
  site = "seattle";
  android-dev = true;
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/hosts/system3.nix
+++ b/config/hosts/system3.nix
@ -16,4 +16,5 @@
  site = "seattle";
  android-dev = true;
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/hosts/zbox.nix
+++ b/config/hosts/zbox.nix
@ -16,4 +16,5 @@
  site = "seattle";
  android-dev = true;
  arch = "x86_64-linux";
  nixos-system = true;
 }
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
@ -33,13 +33,9 @@ in {
    '';
  };
  # TODO: remove?
  nixpkgs.config.permittedInsecurePackages = [
    "openssh-with-gssapi-8.4p1" # CVE-2021-28041
  ];
  nixpkgs.config.allowUnfree = true;
  security.acme.acceptTerms = true;
  hardware.enableRedistributableFirmware = true;
  krb5 = {
    enable = true;
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,60 @@
 {
  "nodes": {
    "backplane-passwords": {
      "flake": false,
      "locked": {
        "narHash": "sha256-Bf5sVg4oSg6uCKMJl21btfBH4NQI/Wz4SU9j130Shyg=",
        "path": "./backplane-passwords",
        "type": "path"
      },
      "original": {
        "path": "./backplane-passwords",
        "type": "path"
      }
    },
    "build-keypairs": {
      "flake": false,
      "locked": {
        "narHash": "sha256-4eRLRLCzZ6kQIRZqy51bj60jhFSQ/wlKLeNgABPhTyw=",
        "path": "./build-keypairs",
        "type": "path"
      },
      "original": {
        "path": "./build-keypairs",
        "type": "path"
      }
    },
    "filesystem-keys": {
      "flake": false,
      "locked": {
        "narHash": "sha256-K2wdsA4vcNTaLR9A9qxB+aMaeANL0LXOwBWvUm63lX0=",
        "path": "./filesystem-keys",
        "type": "path"
      },
      "original": {
        "path": "./filesystem-keys",
        "type": "path"
      }
    },
    "fudo-secrets": {
      "inputs": {
        "backplane-passwords": "backplane-passwords",
        "build-keypairs": "build-keypairs",
        "filesystem-keys": "filesystem-keys",
        "host-keytabs": "host-keytabs",
        "service-passwords": "service-passwords",
        "ssh-keypairs": "ssh-keypairs"
      },
      "locked": {
        "narHash": "sha256-i3c+gzSJO/YckvPXsncOYdrrBoq5WvoHeaB/X2lWr3I=",
        "path": "/state/secrets",
        "type": "path"
      },
      "original": {
        "path": "/state/secrets",
        "type": "path"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -21,6 +76,18 @@
        "type": "github"
      }
    },
    "host-keytabs": {
      "flake": false,
      "locked": {
        "narHash": "sha256-yvGgY3mgzaGjYBNHr0m4Lg2rxrB0+CRlzWdJ2A06MeM=",
        "path": "./kerberos/host-keytabs",
        "type": "path"
      },
      "original": {
        "path": "./kerberos/host-keytabs",
        "type": "path"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1632291606,
@ -38,9 +105,34 @@
    },
    "root": {
      "inputs": {
        "fudo-secrets": "fudo-secrets",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs"
      }
    },
    "service-passwords": {
      "flake": false,
      "locked": {
        "narHash": "sha256-JPMZdokzw+vyWoIKwgDhD60BYi5gch/MfgQyvx5AXZA=",
        "path": "./service-passwords",
        "type": "path"
      },
      "original": {
        "path": "./service-passwords",
        "type": "path"
      }
    },
    "ssh-keypairs": {
      "flake": false,
      "locked": {
        "narHash": "sha256-fD2ZTNMc399XtlVWLCU4crC0RZZ8yTZPFzEm9VWjiL8=",
        "path": "./ssh-keypairs",
        "type": "path"
      },
      "original": {
        "path": "./ssh-keypairs",
        "type": "path"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -3,17 +3,27 @@
  inputs = {
    nixpkgs.url = "nixpkgs/nixos-21.05";
    home-manager.url = "github:nix-community/home-manager/release-21.05";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    fudo-secrets.url = "path:/state/secrets";
  };
-  outputs = { self, nixpkgs, home-manager, ... }: {
+  outputs = { self, nixpkgs, home-manager, fudo-secrets, ... }: {
    nixosConfigurations = let
-      hostlib = import ./lib/hosts.nix { lib = nixpkgs.lib; };
+      lib = nixpkgs.lib;
-      hosts = hostlib.base-host-config ./config/hosts;
+
-    in nixpkgs.lib.mapAttrs (hostname: hostOpts: let
+      hostlib = import ./lib/hosts.nix { inherit lib; };
      hosts = lib.filterAttrs (hostname: hostOpts:
        hostOpts.nixos-system) (hostlib.base-host-config ./config/hosts);
      build-timestamp = self.sourceInfo.lastModified;
    in lib.mapAttrs (hostname: hostOpts: let
      pkgs = import nixpkgs {
        system = hostOpts.arch;
        config = {
          allowUnfree = true;
          permittedInsecurePackages = [
@ -24,10 +34,15 @@
          (import ./fudo-pkgs/overlay.nix)
        ];
      };
-      in import ./initialize.nix {
+    in lib.nixosSystem {
-        inherit hostname pkgs;
+      system = hostOpts.arch;
-        home-manager-module = import "${home-manager}/nixos";
+
-        include-secrets = true;
+      modules = [
-      }) hosts;
+        "${home-manager}/nixos"
        (import ./initialize.nix {
          inherit hostname pkgs build-timestamp fudo-secrets;
        })
      ];
    }) hosts;
  };
 }
--- a/initialize.nix
+++ b/initialize.nix
@ -1,4 +1,4 @@
-{ hostname, home-manager-module, pkgs, include-secrets ? true, ... }:
+{ hostname, pkgs, build-timestamp, fudo-secrets ? null, ... }:
 let
  # Get info on this host so we know what to load
@ -9,7 +9,7 @@ in {
    ./lib
    ./config
-    home-manager-module
+    #home-manager-module
    (./. + "/config/hardware/${hostname}.nix")
    (./. + "/config/host-config/${hostname}.nix")
@ -19,10 +19,12 @@ in {
  ];
  config = {
    fudo.local-network.timestamp = build-timestamp;
    instance = { hostname = hostname; };
    nixpkgs.pkgs = pkgs;
-    fudo.secrets.enable = include-secrets;
+    fudo.secrets.enable = fudo-secrets != null;
  };
 }
--- a/lib/default.nix
+++ b/lib/default.nix
@ -11,6 +11,7 @@ with lib; {
    ./fudo/backplane
    ./fudo/chat.nix
    ./fudo/client/dns.nix
    ./fudo/distributed-builds.nix
    ./fudo/dns.nix
    ./fudo/domains.nix
    ./fudo/garbage-collector.nix
@ -35,6 +36,7 @@ with lib; {
    ./fudo/secure-dns-proxy.nix
    ./fudo/sites.nix
    ./fudo/slynk.nix
    ./fudo/ssh.nix
    ./fudo/system.nix
    ./fudo/system-networking.nix
    ./fudo/users.nix
--- a/lib/fudo/deploy.nix
+++ b/lib/fudo/deploy.nix
@ -0,0 +1,14 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  sys = callPackage ./system.nix {};
  site-cfg = config.fudo.sites.${sys.local-site};
 in {
  config = {
    users.usersroot.openssh.authorizedKeys.keys = mkIf (site-cfg.deploy-pubkeys != null)
      site-cfg.deploy-pubkeys;
  };
 }
--- a/lib/fudo/distributed-builds.nix
+++ b/lib/fudo/distributed-builds.nix
@ -0,0 +1,47 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  sys = callPackage ../system.nix {};
  site-cfg = config.fudo.sites.${sys.local-site};
  has-build-servers = (length (attrNames site-cfg.build-servers)) > 0;
  build-keypair = config.fudo.secrets.host-secrets.${hostname}.build-keypair;
  enable-distributed-builds =
    site-cfg.enable-distributed-builds && has-build-servers && build-keypair != null;
  local-build-cfg =
    mkIf (hasKey site-cfg.build-servers hostname)
      site-cfg.build-servers.hostname;
 in {
  config = {
    nix = mkIf enable-distributed-builds {
      buildMachines = mapAttrsToList (hostname: buildOpts: {
        hostName = "${hostname}.${domain-name}";
        maxJobs = buildOpts.max-jobs;
        speedFactor = buildOpts.speed-factor;
        supportedFeatures = buildOpts.supportedFeatures;
        sshKey = build-keypair.private-key;
        sshUser = buildOpts.user;
      }) site-cfg.build-servers;
      distributedBuilds = true;
      trustedUsers = mkIf (local-build-cfg != null) [
        local-build-host.build-user
      ];
    };
    users.users = mkIf (local-build-cfg != null) {
      ${local-build-cfg.build-user} = {
        isSystemUser = true;
        openssh.authorizedKeys.keyFiles =
          foldr (a: b: a ++ b) []
            mapAttrsToList (host: hostOpts: hostOpts.build-pubkeys) sys.local-hosts;
      };
    };
  };
 }
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@ -39,8 +39,7 @@ let
      };
      profile = mkOption {
-        # FIXME: get this list from profiles directly
+        type = listOf (enumOf (attrNames config.fudo.profiles));
        type = listof (enum "desktop" "laptop" "server");
        description =
          "The profile to be applied to the host, determining what software is included.";
      };
@ -109,11 +108,11 @@ let
        default = [ "ssh" "host" ];
      };
-      ssh-pubkey = mkOption {
+      ssh-pubkeys = mkOption {
-        type = nullOr str;
+        type = listOf str;
        description =
-          "SSH key of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key.";
+          "SSH keys of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key.";
-        default = null;
+        default = [];
      };
      build-pubkeys = mkOption {
@ -207,22 +206,22 @@ in {
      mode = "0444";
    };
-    fudo.hosts.${hostname}.build-pubkeys =
+    # fudo.hosts.${hostname}.build-pubkeys =
-      map builtins.readFile
+    #   map builtins.readFile
-        (map (build-key-path: "${build-key-path}/${hostname}.key.pub")
+    #     (map (build-key-path: "${build-key-path}/${hostname}.key.pub")
-          (optional (site.build-key-path != null) site.build-key-path));
+    #       (optional (site.build-key-path != null) site.build-key-path));
-    nix = mkIf
+    # nix = mkIf
-      (has-build-servers && has-build-keys && site.enable-distributed-builds) {
+    #   (has-build-servers && has-build-keys && site.enable-distributed-builds) {
-        buildMachines = mapAttrsToList (hostname: buildOpts: {
+    #     buildMachines = mapAttrsToList (hostname: buildOpts: {
-          hostName = "${hostname}.${domain-name}";
+    #       hostName = "${hostname}.${domain-name}";
-          maxJobs = buildOpts.max-jobs;
+    #       maxJobs = buildOpts.max-jobs;
-          speedFactor = buildOpts.speed-factor;
+    #       speedFactor = buildOpts.speed-factor;
-          supportedFeatures = buildOpts.supported-features;
+    #       supportedFeatures = buildOpts.supported-features;
-          sshKey = config.fudo.secrets.host-secrets.${hostname}.build-private-key.target-file;
+    #       sshKey = config.fudo.secrets.host-secrets.${hostname}.build-private-key.target-file;
-        }) site.build-servers;
+    #     }) site.build-servers;
-        distributedBuilds = true;
+    #     distributedBuilds = true;
-      };
+    #   };
    time.timeZone = site.timezone;
@ -242,26 +241,14 @@ in {
    boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
    fudo.secrets.host-secrets.${hostname} = {
-      host-keytab = let
+      host-keytab = mkIf (fudo.secrets.files.host-keytabs.${hostname} != null) {
-        keytab-file = mapOptional (keytab-path:
+        source-file = fudo.secrets.files.host-keytabs.${hostname};
          if (pathExists keytab-path) then
            /. + builtins.toPath keytab-path
          else
            null) (mapOptional (keytab-dir: "${keytab-dir}/${hostname}.keytab")
              site.keytab-path);
      in mkIf (keytab-file != null) {
        source-file = /. + builtins.toPath keytab-file;
        target-file = "/etc/krb5.keytab";
        user = "root";
      };
-      build-private-key = let
+      build-private-key = mkIf (fudo.secrets.files.build-keypairs.${hostname} != null) {
-        build-key-file = mapOptional
+        source-file = fudo.secrets.files.build-keypairs.${hostname}.private-key;
          (build-key-file: if (pathExists build-key-file) then (/. + builtins.toPath build-key-file) else null)
          (mapOptional (build-key-path: "${build-key-path}/${hostname}.key")
            site.build-key-path);
      in mkIf (build-key-file != null) {
        source-file = build-key-file;
        target-file = "/var/run/nix-build/host.key";
        user = "root";
      };
--- a/lib/fudo/local-network.nix
+++ b/lib/fudo/local-network.nix
@ -83,6 +83,11 @@ in {
        description = "Definition of network to be served by local server.";
        default = { };
      };
    timestamp = mkOption {
      type = int;
      description = "Timestamp of build, to be used as a serial.";
    };
  };
  config = mkIf cfg.enable {
@ -144,7 +149,7 @@ in {
          $TTL 1h
          @ IN SOA ns1.${cfg.domain}. hostmaster.${cfg.domain}. (
-            ${toString builtins.currentTime}
+            ${toString cfg.timestamp}
            1800
            900
            604800
@ -201,7 +206,7 @@ in {
        name = cfg.domain;
        file = pkgs.writeText "${cfg.domain}-zone" ''
          @ IN SOA ns1.${cfg.domain}. hostmaster.${cfg.domain}. (
-            ${toString builtins.currentTime}
+            ${toString cfg.timestamp}
            5m
            2m
            6w
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@ -108,7 +108,7 @@ let
      dropbear-ssh-port = mkOption {
        type = port;
-        description = "Port to be used for the deploy SSH server.";
+        description = "Port to be used for the backup SSH server.";
        default = 2112;
      };
@ -206,16 +206,13 @@ in {
  config = {
    users.users = {
      root.openssh.authorizedKeys.keys =
        mkIf (site-cfg.deploy-pubkeys != null) site-cfg.deploy-pubkeys;
      ${site-cfg.build-user} = mkIf
        (any (build-host: build-host == config.instance.hostname)
          (attrNames site-cfg.build-servers)) {
            isSystemUser = true;
            openssh.authorizedKeys.keys =
              concatMap (hostOpts: hostOpts.build-pubkeys)
-              (attrValues site-hosts);
+                (attrValues site-hosts);
            shell = pkgs.bash;
          };
    };
--- a/lib/fudo/ssh.nix
+++ b/lib/fudo/ssh.nix
@ -0,0 +1,64 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  hostname = config.fudo.instance.hostname;
  has-attrs = set: length (attrNames set) > 0;
  host-keypairs = config.fudo.secrets.files.host-ssh-keypairs.${hostname};
  sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record";
  dns-sshfp-records = host: keypair: let
    filename = sshfp-filename host keypair;
  in mkDerivation {
    buildInputs = with pkgs; [ openssh ];
    buildPhase = ''
      ssh-keygen -r REMOVEME -f ${keypair.public-key} | sed 's/^REMOVEME IN SSHFP //' > ${filename}
    '';
    installPhase = ''
      mv ${filename} $out/${filename}
    '';
  };
 in {
  config = {
    fudo = {
      secrets.host-secrets.${hostname} = mkIf (host-keypairs != [])
        map (keypair: {
          "host-${keypair.key-type}-private-key" = {
            source-file = keypair.private-key;
            target-file = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
            user = "root";
          };
        });
      hosts = mapAttrs (hostname: keypairs: {
        ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
        ssh-fingerprints = map (keypair:
          let
            fingerprint-derivation = dns-sshfp-records hostname keypair.public-key;
            filename = sshfp-filename hostname keypair;
          in builtins.readFile "${fingerprint-derivation}/${filename}") keypairs;
      } config.fudo.secrets.files.host-ssh-keypairs);
    };
    services.openssh.hostKeys = mkIf (host-keypairs != [])
      (map (keypair: {
        path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
        type = keypair.key-type;
      }) host-keypairs);
    programs.ssh.knownHosts = mapAttrs (hostname: keypairs: {
      publicKeyFile = keypairs.public-key;
      hostNames = let
        host-cfg = config.fudo.hosts.${hostname};
        domains = [host-cfg.domain] ++ host-cfg.extra-domains;
      in [ hostname ] ++
         (map (domain: "${hostname}.${domain}") domains);
    });
  };
 }
--- a/lib/hosts.nix
+++ b/lib/hosts.nix
@ -11,6 +11,6 @@ with lib;
    host-files = attrNames (filterAttrs is-nix-file (filterAttrs is-regular-file (builtins.readDir host-path)));
    hosts = map hostname-from-file host-files;
-    load-host-file = hostname: import (./. + "/hosts/${hostname}.nix");
+    load-host-file = hostname: import (host-path + "/${hostname}.nix");
  in genAttrs hosts (hostname: load-host-file hostname);
 }
--- a/lib/system.nix
+++ b/lib/system.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 with lib;
 let
@ -24,6 +24,9 @@ let
    getAttrs (host-group-list ++ domain-group-list ++ site-group-list)
      config.fudo.groups;
  local-hosts =
    filterAttrs (host: hostOpts: hostOpts.site == local-site) config.fudo.hosts;
 in {
  local-host = local-host;
  local-domain = local-domain;
@ -31,4 +34,5 @@ in {
  local-users = local-users;
  local-admins = local-admins;
  local-groups = local-groups;
  local-hosts = local-hosts;
 }