fix: propagate influxdb token secrets properly and simplify distributed configuration implementation (repo.nodes)

modules/meta/influxdb.nix

@@ -43,6 +43,13 @@
       }' main.go
     '';
     vendorHash = "sha256-zBZk7JbNILX18g9+2ukiESnFtnIVWhdN/J/MBhIITh8=";
+
+    meta = with lib; {
+      description = "Utility program to manipulate influxdb api tokens for declarative setups";
+      mainProgram = "influx-token-manipulator";
+      license = with licenses; [mit];
+      maintainers = with maintainers; [oddlama];
+    };
   };
 in {
   options.services.influxdb2.provision = {

modules/meta/microvms.nix

@@ -88,10 +88,6 @@
         };
       };
 
-    # Propagate node expansions, since doing this directly in the
-    # distributed-config module would cause infinite recursion.
-    nodes = mkMerge config.microvm.vms.${vmName}.config.options.nodes.definitions;
-
     microvm.vms.${vmName} = let
       node = import ../../nix/generate-node.nix inputs {
         name = vmCfg.nodeName;
@@ -369,6 +365,6 @@ in {
         };
       };
     }
-    // mergeToplevelConfigs ["nodes" "disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
+    // mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
   );
 }

modules/meta/telegraf.nix

@@ -57,16 +57,25 @@ in {
   };
 
   config = mkIf cfg.enable {
-    nodes.${cfg.influxdb2.node}.services.influxdb2.provision.ensureApiTokens = [
-      {
-        name = "telegraf (${config.node.name})";
-        org = "servers";
-        user = "admin";
-        readBuckets = ["telegraf"];
-        writeBuckets = ["telegraf"];
-        tokenFile = config.age.secrets.telegraf-influxdb-token.path;
-      }
-    ];
+    nodes.${cfg.influxdb2.node} = {
+      # Mirror the original secret on the influx host
+      age.secrets."telegraf-influxdb-token-${config.node.name}" = {
+        inherit (config.age.secrets.telegraf-influxdb-token) rekeyFile;
+        mode = "440";
+        group = "influxdb2";
+      };
+
+      services.influxdb2.provision.ensureApiTokens = [
+        {
+          name = "telegraf (${config.node.name})";
+          org = "servers";
+          user = "admin";
+          readBuckets = ["telegraf"];
+          writeBuckets = ["telegraf"];
+          tokenFile = nodes.${cfg.influxdb2.node}.config.age.secrets."telegraf-influxdb-token-${config.node.name}".path;
+        }
+      ];
+    };
 
     age.secrets.telegraf-influxdb-token = {
       generator.script = "alnum";

modules/repo/distributed-config.nix

@@ -3,6 +3,7 @@
   inputs,
   lib,
   options,
+  nodes,
   ...
 }: let
   inherit
@@ -35,23 +36,17 @@ in {
   };
 
   config = let
-    allNodes = attrNames inputs.self.colmenaNodes;
-    isColmenaNode = elem nodeName allNodes;
-    foreignConfigs = concatMap (n: inputs.self.colmenaNodes.${n}.config.nodes.${nodeName} or []) allNodes;
-    relevantConfigs = foreignConfigs ++ [config.nodes.${nodeName} or {}];
+    allNodes = attrNames nodes;
+    foreignConfigs = concatMap (n: nodes.${n}.config.nodes.${nodeName} or []) allNodes;
     mergeFromOthers = path:
       mkMerge (map
-        (x: mkIf (hasAttrByPath path x) (getAttrFromPath path x))
-        relevantConfigs);
-    pathsToMerge = [
-      ["age" "secrets"]
-      ["networking" "providedDomains"]
-      ["services" "nginx" "upstreams"]
-      ["services" "nginx" "virtualHosts"]
-    ];
-  in
-    mkIf isColmenaNode (foldl'
-      (acc: path: recursiveUpdate acc (setAttrByPath path (mergeFromOthers path)))
-      {}
-      pathsToMerge);
+        (x: (getAttrFromPath path x))
+        (lib.filter (x: (hasAttrByPath path x)) foreignConfigs));
+  in {
+    age.secrets = mergeFromOthers ["age" "secrets"];
+    networking.providedDomains = mergeFromOthers ["networking" "providedDomains"];
+    services.nginx.upstreams = mergeFromOthers ["services" "nginx" "upstreams"];
+    services.nginx.virtualHosts = mergeFromOthers ["services" "nginx" "virtualHosts"];
+    services.influxdb2.provision.ensureApiTokens = mergeFromOthers ["services" "influxdb2" "provision" "ensureApiTokens"];
+  };
 }