refactor: split apps into own files

2023-04-10 01:13:40 +02:00 · 2023-04-10 01:13:40 +02:00 · 83a543b266
commit 83a543b266
parent 9c3142aa71
14 changed files with 193 additions and 81 deletions
--- a/README.md
+++ b/README.md
@ -26,7 +26,12 @@ This is my personal nix config.
  - not yet ready for publicized: my main development machine, powerful home server, some services ... (still in transition from gentoo :/)
 - `modules/` additional NixOS modules that are not yet upstreamed.
 - `nix/` library functions and plumbing
-  - `apps.nix` Additional runnable actions for this flake (**WIP:** infrastructure graph renderer)
+  - `apps/` Additional runnable actions for this flake
    - `default.nix` Collects all apps and generates a definition for a specified system
    - `draw-graph.nix` (**WIP:** infrastructure graph renderer)
    - `format-secrets.nix` Runs the code formatter on the secret .nix files
    - `generate-initrd-keys.nix` Generates initrd hostkeys for each host if they don't exist yet (for setup)
    - `generate-wireguard-keys.nix` Generates wireguard keys for each server-and-peer pair
  - `checks.nix` pre-commit-hooks for this repository
  - `colmena.nix` Setup for distributed deployment using colmena (actually defines all NixOS hosts)
  - `dev-shell.nix` Environment setup for `nix develop` for using this flake
@ -48,6 +53,12 @@ This is my personal nix config.
 ...
 - add hosts/<name>
 - fill meta.nix
 - fill net.nix
 - todo: hostid (move to nodeSecrets)
 - generate-initrd-keys
 #### New secret
 ...
--- a/flake.nix
+++ b/flake.nix
@ -75,7 +75,7 @@
      apps =
        agenix-rekey.defineApps self pkgs self.nodes
-        // import ./nix/apps.nix inputs system;
+        // import ./nix/apps inputs system;
      checks = import ./nix/checks.nix inputs system;
      devShells.default = import ./nix/dev-shell.nix inputs system;
      formatter = pkgs.alejandra;
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@ -87,9 +87,10 @@ in {
    stateVersion = "23.05";
  };
-  systemd = {
+  systemd.enableUnifiedCgroupHierarchy = true;
-    enableUnifiedCgroupHierarchy = true;
+  systemd.network = {
-    network.wait-online.anyInterface = true;
+    enable = true;
    wait-online.anyInterface = true;
  };
  users.mutableUsers = false;
--- a/hosts/ward/grafana.nix
+++ b/hosts/ward/grafana.nix
@ -0,0 +1 @@
 {}
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -1,4 +1,7 @@
-{nodeSecrets, ...}: {
+{nodeSecrets, ...}: let
  wgName = "wg-vms";
  wgPort = 51820;
 in {
  networking.hostId = "49ce3b71";
  systemd.network.networks = {
@ -17,4 +20,42 @@
      dhcpV6Config.RouteMetric = 20;
    };
  };
  #systemd.network.netdevs."20-${wgName}" = {
  #  netdevConfig = {
  #    Kind = "wireguard";
  #    Name = "${wgName}";
  #    Description = "Wireguard network ${wgName}";
  #  };
  #  wireguardConfig = {
  #    PrivateKeyFile = wireguardPrivateKey wgName nodeMeta.name;
  #    ListenPort = wgPort;
  #  };
  #  wireguardPeers = [
  #  {
  #    wireguardPeerConfig = {
  #      PublicKey = wireguardPublicKey wgName nodeMeta.name;;
  #      PresharedKey = wireguardPresharedKey wgName nodeMeta.name;;
  #      AllowedIPs = [ "10.66.66.10/32" ];
  #      PersistentKeepalive = 25;
  #    };
  #  }
  #  {
  #    wireguardPeerConfig = {
  #      AllowedIPs = [ "10.66.66.100/32" ];
  #      PersistentKeepalive = 25;
  #    };
  #  }
  #  ];
  #};
  #networks."20-${wgName}" = {
  #  matchConfig.Name = wgName;
  #  networkConfig = {
  #    Address = "10.66.66.1/24";
  #    IPForward = "ipv4";
  #  };
  #};
  #extra.wireguard.servers.home = {
  #};
 }
--- a/hosts/ward/node_exporter.nix
+++ b/hosts/ward/node_exporter.nix
@ -0,0 +1 @@
 {}
--- a/hosts/ward/prometheus.nix
+++ b/hosts/ward/prometheus.nix
@ -0,0 +1 @@
 {}
--- a/hosts/ward/samba.nix
+++ b/hosts/ward/samba.nix
@ -0,0 +1 @@
 {}
--- a/nix/apps.nix
+++ b/nix/apps.nix
@ -1,75 +0,0 @@
 {self, ...}: system: let
  mkApp = drv: {
    type = "app";
    program = "${drv}";
  };
  pkgs = self.pkgs.${system};
  mapAttrsToLines = f: attrs: pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList f attrs);
  filterMapAttrsToLines = filter: f: attrs: pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList f (pkgs.lib.filterAttrs filter attrs));
 in
  with pkgs.lib; {
    draw-graph = let
      renderNode = nodeName: node: let
        renderNic = nicName: nic: ''
          nic_${nicName}: ${
            if hasInfix "wlan" nicName
            then "📶"
            else "🖧"
          } ${self.hosts.${nodeName}.physical_connections.${nicName}} {
            shape: sql_table
            MAC: ${nic.matchConfig.MACAddress}
          }
        '';
      in ''
        ${nodeName}: {
          ${filterMapAttrsToLines (_: v: v.matchConfig ? MACAddress) renderNic node.config.systemd.network.networks}
        }
      '';
      graph = ''
        ${mapAttrsToLines renderNode self.nodes}
      '';
    in
      mkApp (pkgs.writeShellScript "draw-graph" ''
        set -euo pipefail
        echo "${graph}"
      '');
    generate-initrd-keys = let
      generateHostKey = node: ''
        if [[ ! -f ${escapeShellArg node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
          ssh-keygen -t ed25519 -N "" -f /tmp/1
          TODO
        fi
      '';
    in
      mkApp (pkgs.writeShellScript "generate-initrd-keys" ''
        set -euo pipefail
        ${mapAttrsToLines generateHostKey self.nodes}
      '');
    format-secrets = let
      isAbsolutePath = x: substring 0 1 x == "/";
      masterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
      extraEncryptionPubkeys =
        concatMapStrings (
          x:
            if isAbsolutePath x
            then ''-R ${escapeShellArg x} ''
            else ''-r ${escapeShellArg x} ''
        )
        self.secrets.extraEncryptionPubkeys;
      formatSecret = path: ''
      '';
    in
      mkApp (pkgs.writeShellScript "format-secrets" ''
         set -euo pipefail
        [[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
        for f in $(find . -type f -name '*.nix.age'); do
          echo "Formatting $f ..."
          decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
             || { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
          formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
             || { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
        	${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
             || { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
        done
      '');
  }
--- a/nix/apps/default.nix
+++ b/nix/apps/default.nix
@ -0,0 +1,20 @@
 {self, ...} @ inputs: system: let
  pkgs = self.pkgs.${system};
  inherit
    (pkgs.lib)
    nameValuePair
    removeSuffix
    ;
  mkApp = drv: {
    type = "app";
    program = "${drv}";
  };
  args = inputs // {inherit pkgs;};
  apps = [
    ./draw-graph.nix
    ./format-secrets.nix
    ./generate-initrd-keys.nix
    ./generate-wireguard-keys.nix
  ];
 in
  builtins.listToAttrs (map (appPath: nameValuePair (removeSuffix ".nix" (builtins.baseNameOf appPath)) (mkApp (import appPath args))) apps)
--- a/nix/apps/draw-graph.nix
+++ b/nix/apps/draw-graph.nix
@ -0,0 +1,38 @@
 {
  self,
  pkgs,
  ...
 }: let
  inherit
    (pkgs.lib)
    concatStringsSep
    filterAttrs
    hasInfix
    mapAttrsToList
    ;
  mapAttrsToLines = f: attrs: concatStringsSep "\n" (mapAttrsToList f attrs);
  filterMapAttrsToLines = filter: f: attrs: concatStringsSep "\n" (mapAttrsToList f (filterAttrs filter attrs));
  renderNode = nodeName: node: let
    renderNic = nicName: nic: ''
      nic_${nicName}: ${
        if hasInfix "wlan" nicName
        then "📶"
        else "🖧"
      } ${self.hosts.${nodeName}.physicalConnections.${nicName}} {
        shape: sql_table
        MAC: ${nic.matchConfig.MACAddress}
      }
    '';
  in ''
    ${nodeName}: {
      ${filterMapAttrsToLines (_: v: v.matchConfig ? MACAddress) renderNic node.config.systemd.network.networks}
    }
  '';
  graph = ''
    ${mapAttrsToLines renderNode self.nodes}
  '';
 in
  pkgs.writeShellScript "draw-graph" ''
    set -euo pipefail
    echo "${graph}"
  ''
--- a/nix/apps/format-secrets.nix
+++ b/nix/apps/format-secrets.nix
@ -0,0 +1,36 @@
 {
  self,
  pkgs,
  ...
 }: let
  inherit
    (pkgs.lib)
    concatMapStrings
    concatStringsSep
    escapeShellArg
    substring
    ;
  isAbsolutePath = x: substring 0 1 x == "/";
  masterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
  extraEncryptionPubkeys =
    concatMapStrings (
      x:
        if isAbsolutePath x
        then ''-R ${escapeShellArg x} ''
        else ''-r ${escapeShellArg x} ''
    )
    self.secrets.extraEncryptionPubkeys;
 in
  pkgs.writeShellScript "format-secrets" ''
    set -euo pipefail
    [[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
    for f in $(find . -type f -name '*.nix.age'); do
      echo "Formatting $f ..."
      decrypted=$(${../rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
          || { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
      formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
          || { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
      ${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
          || { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
    done
  ''
--- a/nix/apps/generate-initrd-keys.nix
+++ b/nix/apps/generate-initrd-keys.nix
@ -0,0 +1,25 @@
 {
  self,
  pkgs,
  ...
 }: let
  inherit
    (pkgs.lib)
    escapeShellArg
    concatStringsSep
    mapAttrsToList
    ;
  mapAttrsToLines = f: attrs: concatStringsSep "\n" (mapAttrsToList f attrs);
  generateHostKey = node: ''
    if [[ ! -f ${escapeShellArg node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
      echo TODOOOOO
      exit 1
      ssh-keygen -t ed25519 -N "" -f /tmp/1
      TODO
    fi
  '';
 in
  pkgs.writeShellScript "generate-initrd-keys" ''
    set -euo pipefail
    ${mapAttrsToLines generateHostKey self.nodes}
  ''
--- a/nix/apps/generate-wireguard-keys.nix
+++ b/nix/apps/generate-wireguard-keys.nix
@ -0,0 +1,11 @@
 {
  self,
  pkgs,
  ...
 }: let
  inherit (pkgs.lib) escapeShellArg;
 in
  pkgs.writeShellScript "generate-wireguard-keys" ''
    set -euo pipefail
    echo TODO
  ''