Fediversity/infra/common/resource.nix

{
  inputs,
  lib,
  config,
  ...
}:

let
  inherit (lib) attrValues elem;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;

  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../../keys;

in
{
  imports = [ ./options.nix ];

  config =
    let
      hostPublicKey = keys.systems.${config.procolixVm.name};

    in
    {
      ssh = {
        host = config.procolixVm.host;
        hostPublicKey = hostPublicKey;
      };

      nixpkgs = inputs.nixpkgs;

      nixos.module = {
        imports = [
          inputs.agenix.nixosModules.default
          ./options.nix
          ./nixosConfiguration
        ];

        ## Inject the shared options from the resource's `config` into the NixOS
        ## configuration.
        procolixVm = config.procolixVm;

        ## Read all the secrets, filter the ones that are supposed to be
        ## readable with this host's public key, and add them correctly to the
        ## configuration as `age.secrets.<name>.file`.
        age.secrets = concatMapAttrs (
          name: secret:
          optionalAttrs (elem hostPublicKey secret.publicKeys) ({
            ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
          })
        ) secrets;

        ## FIXME: Remove direct root authentication once the NixOps4 NixOS
        ## provider supports users with password-less sudo.
        users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
      };
    };
}
Start building a `procolixVm` resource module 2025-01-31 14:59:35 +01:00			`{`
			`inputs,`
			`lib,`
			`config,`
			`...`
			`}:`

			`let`
Share options between resource and config 2025-01-31 16:47:33 +01:00			`inherit (lib) attrValues elem;`
Clean up handling of secrets in infra 2025-01-31 16:28:52 +01:00			`inherit (lib.attrsets) concatMapAttrs optionalAttrs;`
			`inherit (lib.strings) removeSuffix;`
Start building a `procolixVm` resource module 2025-01-31 14:59:35 +01:00
Get rid of useless `self` and `providers` arguments 2025-01-31 16:34:21 +01:00			`secretsPrefix = ../../secrets;`
			`secrets = import (secretsPrefix + "/secrets.nix");`
			`keys = import ../../keys;`

Start building a `procolixVm` resource module 2025-01-31 14:59:35 +01:00			`in`
			`{`
Share options between resource and config 2025-01-31 16:47:33 +01:00			`imports = [ ./options.nix ];`
Start building a `procolixVm` resource module 2025-01-31 14:59:35 +01:00
Clean up handling of secrets in infra 2025-01-31 16:28:52 +01:00			`config =`
			`let`
Get rid of useless `self` and `providers` arguments 2025-01-31 16:34:21 +01:00			`hostPublicKey = keys.systems.${config.procolixVm.name};`
Start building a `procolixVm` resource module 2025-01-31 14:59:35 +01:00
Clean up handling of secrets in infra 2025-01-31 16:28:52 +01:00			`in`
			`{`
			`ssh = {`
			`host = config.procolixVm.host;`
			`hostPublicKey = hostPublicKey;`
			`};`
Start building a `procolixVm` resource module 2025-01-31 14:59:35 +01:00
Clean up handling of secrets in infra 2025-01-31 16:28:52 +01:00			`nixpkgs = inputs.nixpkgs;`
Start building a `procolixVm` resource module 2025-01-31 14:59:35 +01:00
Clean up handling of secrets in infra 2025-01-31 16:28:52 +01:00			`nixos.module = {`
			`imports = [`
			`inputs.agenix.nixosModules.default`
Share options between resource and config 2025-01-31 16:47:33 +01:00			`./options.nix`
Clean up handling of secrets in infra 2025-01-31 16:28:52 +01:00			`./nixosConfiguration`
			`];`
Start building a `procolixVm` resource module 2025-01-31 14:59:35 +01:00
Share options between resource and config 2025-01-31 16:47:33 +01:00			## Inject the shared options from the resource's `config` into the NixOS
			`## configuration.`
			`procolixVm = config.procolixVm;`

Clean up handling of secrets in infra 2025-01-31 16:28:52 +01:00			`## Read all the secrets, filter the ones that are supposed to be`
			`## readable with this host's public key, and add them correctly to the`
			## configuration as `age.secrets.<name>.file`.
			`age.secrets = concatMapAttrs (`
			`name: secret:`
			`optionalAttrs (elem hostPublicKey secret.publicKeys) ({`
Get rid of useless `self` and `providers` arguments 2025-01-31 16:34:21 +01:00			`${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";`
Clean up handling of secrets in infra 2025-01-31 16:28:52 +01:00			`})`
Get rid of useless `self` and `providers` arguments 2025-01-31 16:34:21 +01:00			`) secrets;`
Clean up handling of secrets in infra 2025-01-31 16:28:52 +01:00
			`## FIXME: Remove direct root authentication once the NixOps4 NixOS`
			`## provider supports users with password-less sudo.`
Get rid of useless `self` and `providers` arguments 2025-01-31 16:34:21 +01:00			`users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;`
Clean up handling of secrets in infra 2025-01-31 16:28:52 +01:00			`};`
Start building a `procolixVm` resource module 2025-01-31 14:59:35 +01:00			`};`
			`}`