Fix invalid import issue.

This commit is contained in:
Zuckerberg 2023-04-21 18:57:06 -06:00
parent 71baa09bd2
commit 03603119e5
3 changed files with 103 additions and 85 deletions


@ -12,100 +12,110 @@ in
./roles.nix ./roles.nix
]; ];
options.machines.hosts = lib.mkOption { options.machines = {
type = lib.types.attrsOf # For some reason (presumably a bug), using the best value of "../../machines"
(lib.types.submodule { # as the path causes nix to search for invalid paths for flake imports but *not*
options = { # secrets.nix for agenix.
machinesPath = lib.mkOption {
type = lib.types.path;
default = ../..;
};
hostNames = lib.mkOption { hosts = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.attrsOf
description = '' (lib.types.submodule {
List of hostnames for this machine. The first one is the default so it is the target of deployments. options = {
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption { hostNames = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ]; type = lib.types.listOf lib.types.str;
description = '' description = ''
The architecture of this machine. List of hostnames for this machine. The first one is the default so it is the target of deployments.
''; Used for automatically trusting hosts for ssh connections.
}; '';
};
systemRoles = lib.mkOption { arch = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum? type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = '' description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info) The architecture of this machine.
''; '';
}; };
hostKey = lib.mkOption { systemRoles = lib.mkOption {
type = lib.types.str; type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = '' description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
and for decrypting secrets with agenix. '';
''; };
};
remoteUnlock = lib.mkOption { hostKey = lib.mkOption {
default = null; type = lib.types.str;
type = lib.types.nullOr (lib.types.submodule { description = ''
options = { The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
}; };
});
};
clearnetHost = lib.mkOption { userKeys = lib.mkOption {
default = null; default = [ ];
type = lib.types.nullOr lib.types.str; type = lib.types.listOf lib.types.str;
description = '' description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
'';
};
onionHost = lib.mkOption { TODO: consider auto populating other programs that use ssh keys such as gitea
default = null; '';
type = lib.types.nullOr lib.types.str; };
description = ''
The hostname resolvable over tor used to luks boot unlock this machine deployKeys = lib.mkOption {
''; default = [ ];
}; type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
}; };
});
userKeys = lib.mkOption { };
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
}; };
config = { config = {
@ -193,6 +203,6 @@ in
in in
lib.concatMap (d: propertiesFiles' "${dir}/${d}" d) dirPaths ++ builtins.map (p: { "${dirName}" = p; }) propFiles; lib.concatMap (d: propertiesFiles' "${dir}/${d}" d) dirPaths ++ builtins.map (p: { "${dirName}" = p; }) propFiles;
in in
properties ../../machines; properties config.machines.machinesPath;
}; };
} }
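Review bot: The new `machinesPath` option is the only option in this module without a `description`, and its `default = ../..` points two levels above this module rather than at a machines directory, so `properties config.machines.machinesPath` in the second hunk now walks that whole tree by default — every file `propertiesFiles'` collects anywhere under it becomes a machine entry keyed by its `dirName`. The comment above the option says why `../../machines` was avoided but not what callers are expected to pass instead; the third file passes `../machines` explicitly, which suggests the default is a fallback rather than the intended value. I would add next to the `default`: `description = "Directory scanned recursively for machine properties files. Defaults to the directory two levels above this module; callers normally pass the machines directory explicitly.";`. Whether `propertiesFiles'` filters out non-machine directories is not visible in this hunk, so the breadth of the default scan is inferred from the recursion shown.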


@ -2,6 +2,7 @@
{ nixpkgs ? import <nixpkgs> { } { nixpkgs ? import <nixpkgs> { }
, assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix> , assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
, machinesPath ? null
}: }:
{ {
@ -10,6 +11,11 @@
modules = [ modules = [
./default.nix ./default.nix
assertionsModule assertionsModule
{
config = nixpkgs.lib.mkIf (machinesPath != null) {
machines.machinesPath = machinesPath;
};
}
]; ];
}).config.machines; }).config.machines;
} }
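Review bot: The new `machinesPath ? null` argument in the first hunk and the `mkIf (machinesPath != null)` module in the second carry no comment, and the `null` case — the `machines.machinesPath` option silently falling back to its own default in `./default.nix` — is not stated anywhere in this file. A one-line comment on the argument would make the contract explicit: `# machinesPath: directory holding the machine definitions; when null the option default in ./default.nix applies.`. The argument is also not validated here, so a relative string rather than a path literal would presumably only be rejected by `lib.types.path` at evaluation time, which is worth noting in the same comment. The first hunk of this section appears truncated in the rendering, so the surrounding argument lines are partly inferred.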


@ -1,6 +1,8 @@
let let
lib = (import <nixpkgs> { }).lib; lib = (import <nixpkgs> { }).lib;
sshKeys = (import ../common/machine-info/moduleless.nix { }).machines.ssh; sshKeys = (import ../common/machine-info/moduleless.nix {
machinesPath = ../machines;
}).machines.ssh;
# add userkeys to all roles so that I can r/w the secrets from my personal computers # add userkeys to all roles so that I can r/w the secrets from my personal computers
roles = lib.mapAttrs (role: hosts: hosts ++ sshKeys.userKeys) sshKeys.hostKeysByRole; roles = lib.mapAttrs (role: hosts: hosts ++ sshKeys.userKeys) sshKeys.hostKeysByRole;