Inject sources, secrets and keys via module system - avoid import ../ (#421)

Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>
Reviewed-on: Fediversity/Fediversity#421
Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com>
Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-authored-by: Kiara Grouwstra <kiara@procolix.eu>
Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>

deployment/check/basic/flake-part.nix

@@ -2,6 +2,7 @@
   self,
   inputs,
   lib,
+  sources,
   ...
 }:
 
@@ -27,7 +28,7 @@ in
           ../common/nixosTest.nix
           ./nixosTest.nix
         ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
         inherit targetMachines pathToRoot pathFromRoot;
       };
     };
@@ -44,7 +45,7 @@ in
           inputs.nixops4-nixos.modules.nixops4Resource.nixos
           ../common/targetResource.nix
         ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
         inherit nodeName pathToRoot pathFromRoot;
         nixos.module =
           { pkgs, ... }:

deployment/check/cli/flake-part.nix

@@ -2,6 +2,7 @@
   self,
   inputs,
   lib,
+  sources,
   ...
 }:
 
@@ -30,7 +31,7 @@ in
           ../common/nixosTest.nix
           ./nixosTest.nix
         ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
         inherit
           targetMachines
           pathToRoot
@@ -44,7 +45,7 @@ in
     let
       makeTargetResource = nodeName: {
         imports = [ ../common/targetResource.nix ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
         inherit
           nodeName
           pathToRoot

deployment/check/common/deployerNode.nix

@@ -3,6 +3,7 @@
   lib,
   pkgs,
   config,
+  sources,
   ...
 }:
 
@@ -14,8 +15,6 @@ let
     types
     ;
 
-  sources = import ../../../npins;
-
 in
 {
   _class = "nixos";
@@ -78,7 +77,7 @@ in
               config.system.extraDependenciesFromModule
               {
                 nixpkgs.hostPlatform = "x86_64-linux";
-                _module.args.inputs = inputs;
+                _module.args = { inherit inputs sources; };
                 enableAcme = config.enableAcme;
                 acmeNodeIP = config.acmeNodeIP;
               }

deployment/check/common/nixosTest.nix

@@ -3,6 +3,7 @@
   lib,
   config,
   hostPkgs,
+  sources,
   ...
 }:
 
@@ -61,7 +62,7 @@ in
       {
         deployer = {
           imports = [ ./deployerNode.nix ];
-          _module.args.inputs = inputs;
+          _module.args = { inherit inputs sources; };
           enableAcme = config.enableAcme;
           acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
         };
@@ -88,7 +89,7 @@ in
 
         genAttrs config.targetMachines (_: {
           imports = [ ./targetNode.nix ];
-          _module.args.inputs = inputs;
+          _module.args = { inherit inputs sources; };
           enableAcme = config.enableAcme;
           acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
         });

deployment/check/common/targetResource.nix

@@ -2,6 +2,7 @@
   inputs,
   lib,
   config,
+  sources,
   ...
 }:
 
@@ -40,7 +41,7 @@ in
         (lib.modules.importJSON (config.pathToCwd + "/${config.nodeName}-network.json"))
       ];
 
-      _module.args.inputs = inputs;
+      _module.args = { inherit inputs sources; };
       enableAcme = config.enableAcme;
       acmeNodeIP = trim (readFile (config.pathToCwd + "/acme_server_ip"));
 

deployment/check/panel/flake-part.nix

@@ -2,6 +2,7 @@
   self,
   inputs,
   lib,
+  sources,
   ...
 }:
 
@@ -33,7 +34,7 @@ in
           ../common/nixosTest.nix
           ./nixosTest.nix
         ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
         inherit
           targetMachines
           pathToRoot
@@ -47,7 +48,7 @@ in
     let
       makeTargetResource = nodeName: {
         imports = [ ../common/targetResource.nix ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
         inherit
           nodeName
           pathToRoot

flake.nix

@@ -31,6 +31,9 @@
           inherit nixpkgs;
         };
         self = self';
+        specialArgs = {
+          inherit sources;
+        };
       }
       (
         { inputs, ... }:
@@ -48,6 +51,8 @@
 
             ./deployment/flake-part.nix
             ./infra/flake-part.nix
+            ./keys/flake-part.nix
+            ./secrets/flake-part.nix
           ];
 
           perSystem =

infra/common/resource.nix

@@ -2,6 +2,9 @@
   inputs,
   lib,
   config,
+  sources,
+  keys,
+  secrets,
   ...
 }:
 
@@ -9,12 +12,6 @@ let
   inherit (lib) attrValues elem mkDefault;
   inherit (lib.attrsets) concatMapAttrs optionalAttrs;
   inherit (lib.strings) removeSuffix;
-  sources = import ../../npins;
-  inherit (sources) agenix disko;
-
-  secretsPrefix = ../../secrets;
-  secrets = import (secretsPrefix + "/secrets.nix");
-  keys = import ../../keys;
 
 in
 {
@@ -36,8 +33,8 @@ in
   ## should go into the `./nixos` subdirectory.
   nixos.module = {
     imports = [
-      "${agenix}/modules/age.nix"
-      "${disko}/module.nix"
+      "${sources.agenix}/modules/age.nix"
+      "${sources.disko}/module.nix"
       ./options.nix
       ./nixos
     ];
@@ -46,15 +43,15 @@ in
     ## configuration.
     fediversityVm = config.fediversityVm;
 
-    ## Read all the secrets, filter the ones that are supposed to be readable
-    ## with this host's public key, and add them correctly to the configuration
-    ## as `age.secrets.<name>.file`.
+    ## Read all the secrets, filter the ones that are supposed to be readable with
+    ## public key, and create a mapping from `<name>.file` to the absolute path of
+    ## the secret's file.
     age.secrets = concatMapAttrs (
       name: secret:
       optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
-        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+        ${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
       })
-    ) secrets;
+    ) secrets.mapping;
 
     ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
     ## supports users with password-less sudo.

infra/flake-part.nix

@@ -1,6 +1,9 @@
 {
   inputs,
   lib,
+  sources,
+  keys,
+  secrets,
   ...
 }:
 
@@ -13,7 +16,6 @@ let
     filterAttrs
     ;
   inherit (lib.attrsets) genAttrs;
-  sources = import ../../npins;
 
   ## Given a machine's name and whether it is a test VM, make a resource module,
   ## except for its missing provider. (Depending on the use of that resource, we
@@ -22,7 +24,14 @@ let
     { vmName, isTestVm }:
     {
       # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
-      _module.args = { inherit inputs; };
+      _module.args = {
+        inherit
+          inputs
+          sources
+          keys
+          secrets
+          ;
+      };
 
       imports =
         [
@@ -35,7 +44,7 @@ let
               {
                 nixos.module.users.users.root.openssh.authorizedKeys.keys = [
                   # allow our panel vm access to the test machines
-                  (import ../keys).panel
+                  keys.panel
                 ];
               }
             ]

keys/flake-part.nix

@@ -0,0 +1 @@
+{ _module.args.keys = import ./.; }

secrets/default.nix

@@ -0,0 +1,4 @@
+{
+  mapping = import ./secrets.nix;
+  rootPath = ./.;
+}

secrets/flake-part.nix

@@ -0,0 +1 @@
+{ _module.args.secrets = import ./.; }