Cleaner resource definition

2025-01-31 16:57:21 +01:00 · 2025-01-31 16:57:21 +01:00 · eaad4daa39
commit eaad4daa39
parent e0b4dd4d5b
1 changed files with 31 additions and 34 deletions
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -13,48 +13,45 @@ let
  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../../keys;
+  hostPublicKey = keys.systems.${config.procolixVm.name};

 in
 {
  imports = [ ./options.nix ];

-  config =
-    let
-      hostPublicKey = keys.systems.${config.procolixVm.name};
+  ssh = {
+    host = config.procolixVm.host;
+    hostPublicKey = hostPublicKey;
+  };

-    in
-    {
-      ssh = {
-        host = config.procolixVm.host;
-        hostPublicKey = hostPublicKey;
-      };
+  nixpkgs = inputs.nixpkgs;

-      nixpkgs = inputs.nixpkgs;
+  ## The configuration of the machine. We strive to keep in this file only the
+  ## options that really need to be injected from the resource. Everything else
+  ## should go into the `./nixos` subdirectory.
+  nixos.module = {
+    imports = [
+      inputs.agenix.nixosModules.default
+      ./options.nix
+      ./nixos
+    ];

-      nixos.module = {
-        imports = [
-          inputs.agenix.nixosModules.default
-          ./options.nix
-          ./nixos
-        ];
+    ## Inject the shared options from the resource's `config` into the NixOS
+    ## configuration.
+    procolixVm = config.procolixVm;

-        ## Inject the shared options from the resource's `config` into the NixOS
-        ## configuration.
-        procolixVm = config.procolixVm;
+    ## Read all the secrets, filter the ones that are supposed to be readable
+    ## with this host's public key, and add them correctly to the configuration
+    ## as `age.secrets.<name>.file`.
+    age.secrets = concatMapAttrs (
+      name: secret:
+      optionalAttrs (elem hostPublicKey secret.publicKeys) ({
+        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+      })
+    ) secrets;

-        ## Read all the secrets, filter the ones that are supposed to be
-        ## readable with this host's public key, and add them correctly to the
-        ## configuration as `age.secrets.<name>.file`.
-        age.secrets = concatMapAttrs (
-          name: secret:
-          optionalAttrs (elem hostPublicKey secret.publicKeys) ({
-            ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
-          })
-        ) secrets;
-
-        ## FIXME: Remove direct root authentication once the NixOps4 NixOS
-        ## provider supports users with password-less sudo.
-        users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
-      };
-    };
+    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
+    ## supports users with password-less sudo.
+    users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+  };
 }