refactor: split apps into own files

2025-10-11 07:10:39 +02:00 · 2023-04-10 01:13:40 +02:00 · 2023-04-10 01:13:40 +02:00 · 83a543b266
commit 83a543b266
parent 9c3142aa71
14 changed files with 193 additions and 81 deletions
--- a/README.md
+++ b/README.md
@ -26,7 +26,12 @@ This is my personal nix config.
  - not yet ready for publicized: my main development machine, powerful home server, some services ... (still in transition from gentoo :/)
 - `modules/` additional NixOS modules that are not yet upstreamed.
 - `nix/` library functions and plumbing
-  - `apps.nix` Additional runnable actions for this flake (**WIP:** infrastructure graph renderer)
+  - `apps/` Additional runnable actions for this flake
+    - `default.nix` Collects all apps and generates a definition for a specified system
+    - `draw-graph.nix` (**WIP:** infrastructure graph renderer)
+    - `format-secrets.nix` Runs the code formatter on the secret .nix files
+    - `generate-initrd-keys.nix` Generates initrd hostkeys for each host if they don't exist yet (for setup)
+    - `generate-wireguard-keys.nix` Generates wireguard keys for each server-and-peer pair
  - `checks.nix` pre-commit-hooks for this repository
  - `colmena.nix` Setup for distributed deployment using colmena (actually defines all NixOS hosts)
  - `dev-shell.nix` Environment setup for `nix develop` for using this flake
@ -48,6 +53,12 @@ This is my personal nix config.

 ...

+- add hosts/<name>
+- fill meta.nix
+- fill net.nix
+- todo: hostid (move to nodeSecrets)
+- generate-initrd-keys
+
 #### New secret

 ...
--- a/flake.nix
+++ b/flake.nix
@ -75,7 +75,7 @@

      apps =
        agenix-rekey.defineApps self pkgs self.nodes
-        // import ./nix/apps.nix inputs system;
+        // import ./nix/apps inputs system;
      checks = import ./nix/checks.nix inputs system;
      devShells.default = import ./nix/dev-shell.nix inputs system;
      formatter = pkgs.alejandra;
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@ -87,9 +87,10 @@ in {
    stateVersion = "23.05";
  };

-  systemd = {
-    enableUnifiedCgroupHierarchy = true;
-    network.wait-online.anyInterface = true;
+  systemd.enableUnifiedCgroupHierarchy = true;
+  systemd.network = {
+    enable = true;
+    wait-online.anyInterface = true;
  };

  users.mutableUsers = false;
--- a/hosts/ward/grafana.nix
+++ b/hosts/ward/grafana.nix
@ -0,0 +1 @@
+{}
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -1,4 +1,7 @@
-{nodeSecrets, ...}: {
+{nodeSecrets, ...}: let
+  wgName = "wg-vms";
+  wgPort = 51820;
+in {
  networking.hostId = "49ce3b71";

  systemd.network.networks = {
@ -17,4 +20,42 @@
      dhcpV6Config.RouteMetric = 20;
    };
  };
+
+  #systemd.network.netdevs."20-${wgName}" = {
+  #  netdevConfig = {
+  #    Kind = "wireguard";
+  #    Name = "${wgName}";
+  #    Description = "Wireguard network ${wgName}";
+  #  };
+  #  wireguardConfig = {
+  #    PrivateKeyFile = wireguardPrivateKey wgName nodeMeta.name;
+  #    ListenPort = wgPort;
+  #  };
+  #  wireguardPeers = [
+  #  {
+  #    wireguardPeerConfig = {
+  #      PublicKey = wireguardPublicKey wgName nodeMeta.name;;
+  #      PresharedKey = wireguardPresharedKey wgName nodeMeta.name;;
+  #      AllowedIPs = [ "10.66.66.10/32" ];
+  #      PersistentKeepalive = 25;
+  #    };
+  #  }
+  #  {
+  #    wireguardPeerConfig = {
+  #      AllowedIPs = [ "10.66.66.100/32" ];
+  #      PersistentKeepalive = 25;
+  #    };
+  #  }
+  #  ];
+  #};
+  #networks."20-${wgName}" = {
+  #  matchConfig.Name = wgName;
+  #  networkConfig = {
+  #    Address = "10.66.66.1/24";
+  #    IPForward = "ipv4";
+  #  };
+  #};
+
+  #extra.wireguard.servers.home = {
+  #};
 }
--- a/hosts/ward/node_exporter.nix
+++ b/hosts/ward/node_exporter.nix
@ -0,0 +1 @@
+{}
--- a/hosts/ward/prometheus.nix
+++ b/hosts/ward/prometheus.nix
@ -0,0 +1 @@
+{}
--- a/hosts/ward/samba.nix
+++ b/hosts/ward/samba.nix
@ -0,0 +1 @@
+{}
--- a/nix/apps.nix
+++ b/nix/apps.nix
@ -1,75 +0,0 @@
-{self, ...}: system: let
-  mkApp = drv: {
-    type = "app";
-    program = "${drv}";
-  };
-  pkgs = self.pkgs.${system};
-  mapAttrsToLines = f: attrs: pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList f attrs);
-  filterMapAttrsToLines = filter: f: attrs: pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList f (pkgs.lib.filterAttrs filter attrs));
-in
-  with pkgs.lib; {
-    draw-graph = let
-      renderNode = nodeName: node: let
-        renderNic = nicName: nic: ''
-          nic_${nicName}: ${
-            if hasInfix "wlan" nicName
-            then "📶"
-            else "🖧"
-          } ${self.hosts.${nodeName}.physical_connections.${nicName}} {
-            shape: sql_table
-            MAC: ${nic.matchConfig.MACAddress}
-          }
-        '';
-      in ''
-        ${nodeName}: {
-          ${filterMapAttrsToLines (_: v: v.matchConfig ? MACAddress) renderNic node.config.systemd.network.networks}
-        }
-      '';
-      graph = ''
-        ${mapAttrsToLines renderNode self.nodes}
-      '';
-    in
-      mkApp (pkgs.writeShellScript "draw-graph" ''
-        set -euo pipefail
-        echo "${graph}"
-      '');
-    generate-initrd-keys = let
-      generateHostKey = node: ''
-        if [[ ! -f ${escapeShellArg node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
-          ssh-keygen -t ed25519 -N "" -f /tmp/1
-          TODO
-        fi
-      '';
-    in
-      mkApp (pkgs.writeShellScript "generate-initrd-keys" ''
-        set -euo pipefail
-        ${mapAttrsToLines generateHostKey self.nodes}
-      '');
-    format-secrets = let
-      isAbsolutePath = x: substring 0 1 x == "/";
-      masterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
-      extraEncryptionPubkeys =
-        concatMapStrings (
-          x:
-            if isAbsolutePath x
-            then ''-R ${escapeShellArg x} ''
-            else ''-r ${escapeShellArg x} ''
-        )
-        self.secrets.extraEncryptionPubkeys;
-      formatSecret = path: ''
-      '';
-    in
-      mkApp (pkgs.writeShellScript "format-secrets" ''
-         set -euo pipefail
-        [[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
-        for f in $(find . -type f -name '*.nix.age'); do
-          echo "Formatting $f ..."
-          decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
-             || { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
-          formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
-             || { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
-        	${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
-             || { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
-        done
-      '');
-  }
--- a/nix/apps/default.nix
+++ b/nix/apps/default.nix
@ -0,0 +1,20 @@
+{self, ...} @ inputs: system: let
+  pkgs = self.pkgs.${system};
+  inherit
+    (pkgs.lib)
+    nameValuePair
+    removeSuffix
+    ;
+  mkApp = drv: {
+    type = "app";
+    program = "${drv}";
+  };
+  args = inputs // {inherit pkgs;};
+  apps = [
+    ./draw-graph.nix
+    ./format-secrets.nix
+    ./generate-initrd-keys.nix
+    ./generate-wireguard-keys.nix
+  ];
+in
+  builtins.listToAttrs (map (appPath: nameValuePair (removeSuffix ".nix" (builtins.baseNameOf appPath)) (mkApp (import appPath args))) apps)
--- a/nix/apps/draw-graph.nix
+++ b/nix/apps/draw-graph.nix
@ -0,0 +1,38 @@
+{
+  self,
+  pkgs,
+  ...
+}: let
+  inherit
+    (pkgs.lib)
+    concatStringsSep
+    filterAttrs
+    hasInfix
+    mapAttrsToList
+    ;
+  mapAttrsToLines = f: attrs: concatStringsSep "\n" (mapAttrsToList f attrs);
+  filterMapAttrsToLines = filter: f: attrs: concatStringsSep "\n" (mapAttrsToList f (filterAttrs filter attrs));
+  renderNode = nodeName: node: let
+    renderNic = nicName: nic: ''
+      nic_${nicName}: ${
+        if hasInfix "wlan" nicName
+        then "📶"
+        else "🖧"
+      } ${self.hosts.${nodeName}.physicalConnections.${nicName}} {
+        shape: sql_table
+        MAC: ${nic.matchConfig.MACAddress}
+      }
+    '';
+  in ''
+    ${nodeName}: {
+      ${filterMapAttrsToLines (_: v: v.matchConfig ? MACAddress) renderNic node.config.systemd.network.networks}
+    }
+  '';
+  graph = ''
+    ${mapAttrsToLines renderNode self.nodes}
+  '';
+in
+  pkgs.writeShellScript "draw-graph" ''
+    set -euo pipefail
+    echo "${graph}"
+  ''
--- a/nix/apps/format-secrets.nix
+++ b/nix/apps/format-secrets.nix
@ -0,0 +1,36 @@
+{
+  self,
+  pkgs,
+  ...
+}: let
+  inherit
+    (pkgs.lib)
+    concatMapStrings
+    concatStringsSep
+    escapeShellArg
+    substring
+    ;
+  isAbsolutePath = x: substring 0 1 x == "/";
+  masterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
+  extraEncryptionPubkeys =
+    concatMapStrings (
+      x:
+        if isAbsolutePath x
+        then ''-R ${escapeShellArg x} ''
+        else ''-r ${escapeShellArg x} ''
+    )
+    self.secrets.extraEncryptionPubkeys;
+in
+  pkgs.writeShellScript "format-secrets" ''
+    set -euo pipefail
+    [[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
+    for f in $(find . -type f -name '*.nix.age'); do
+      echo "Formatting $f ..."
+      decrypted=$(${../rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
+          || { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
+      formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
+          || { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
+      ${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
+          || { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
+    done
+  ''
--- a/nix/apps/generate-initrd-keys.nix
+++ b/nix/apps/generate-initrd-keys.nix
@ -0,0 +1,25 @@
+{
+  self,
+  pkgs,
+  ...
+}: let
+  inherit
+    (pkgs.lib)
+    escapeShellArg
+    concatStringsSep
+    mapAttrsToList
+    ;
+  mapAttrsToLines = f: attrs: concatStringsSep "\n" (mapAttrsToList f attrs);
+  generateHostKey = node: ''
+    if [[ ! -f ${escapeShellArg node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
+      echo TODOOOOO
+      exit 1
+      ssh-keygen -t ed25519 -N "" -f /tmp/1
+      TODO
+    fi
+  '';
+in
+  pkgs.writeShellScript "generate-initrd-keys" ''
+    set -euo pipefail
+    ${mapAttrsToLines generateHostKey self.nodes}
+  ''
--- a/nix/apps/generate-wireguard-keys.nix
+++ b/nix/apps/generate-wireguard-keys.nix
@ -0,0 +1,11 @@
+{
+  self,
+  pkgs,
+  ...
+}: let
+  inherit (pkgs.lib) escapeShellArg;
+in
+  pkgs.writeShellScript "generate-wireguard-keys" ''
+    set -euo pipefail
+    echo TODO
+  ''