Make s0 easier to unlock

Improve usage of roles. It should be much easier to read and use now.
2025-03-29 22:52:00 -07:00 · 2025-03-29 22:48:14 -07:00
9 changed files with 155 additions and 128 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -100,7 +100,5 @@
  security.acme.defaults.email = "zuckerberg@neet.dev";
  # Enable Desktop Environment if this is a PC (machine role is "personal")
-  de.enable = (
+  de.enable = lib.mkDefault (config.thisMachine.hasRole."personal");
    builtins.elem config.networking.hostName config.machines.roles.personal
  );
 }
--- a/common/machine-info/default.nix
+++ b/common/machine-info/default.nix
@ -5,20 +5,9 @@
 let
  machines = config.machines.hosts;
 in
 {
  imports = [
    ./ssh.nix
    ./roles.nix
  ];
-  options.machines = {
+  hostOptionsSubmoduleType = lib.types.submodule {
    hosts = lib.mkOption {
      type = lib.types.attrsOf
        (lib.types.submodule {
    options = {
      hostNames = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        description = ''
@ -26,21 +15,18 @@ in
          Used for automatically trusting hosts for ssh connections.
        '';
      };
      arch = lib.mkOption {
        type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
        description = ''
          The architecture of this machine.
        '';
      };
      systemRoles = lib.mkOption {
        type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
        description = ''
          The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
        '';
      };
      hostKey = lib.mkOption {
        type = lib.types.str;
        description = ''
@ -48,7 +34,6 @@ in
          and for decrypting secrets with agenix.
        '';
      };
      remoteUnlock = lib.mkOption {
        default = null;
        type = lib.types.nullOr (lib.types.submodule {
@ -80,7 +65,6 @@ in
          };
        });
      };
      userKeys = lib.mkOption {
        default = [ ];
        type = lib.types.listOf lib.types.str;
@ -90,7 +74,6 @@ in
          TODO: consider auto populating other programs that use ssh keys such as gitea
        '';
      };
      deployKeys = lib.mkOption {
        default = [ ];
        type = lib.types.listOf lib.types.str;
@ -98,17 +81,30 @@ in
          The list of deployment keys. Each key here can be used to log into all other systems as `root`.
        '';
      };
      configurationPath = lib.mkOption {
        type = lib.types.path;
        description = ''
          The path to this machine's configuration directory.
        '';
      };
    };
  };
 in
 {
  imports = [
    ./ssh.nix
    ./roles.nix
  ];
  options.machines = {
    hosts = lib.mkOption {
      type = lib.types.attrsOf hostOptionsSubmoduleType;
    };
        });
  };
  options.thisMachine.config = lib.mkOption {
    # For ease of use, a direct copy of the host config from machines.hosts.${hostName}
    type = hostOptionsSubmoduleType;
  };
  config = {
@ -196,5 +192,12 @@ in
          builtins.map (p: { "${dirName p}" = p; }) propFiles;
      in
      properties ../../machines;
    # Don't try to evaluate "thisMachine" when reflecting using moduleless.nix.
    # When evaluated by moduleless.nix this will fail due to networking.hostName not
    # existing. This is because moduleless.nix is not intended for reflection from the
    # perspective of a perticular machine but is instead intended for reflecting on
    # the properties of all machines as a whole system.
    thisMachine.config = config.machines.hosts.${config.networking.hostName};
  };
 }
--- a/common/machine-info/roles.nix
+++ b/common/machine-info/roles.nix
@ -1,19 +1,55 @@
 { config, lib, ... }:
-# Maps roles to their hosts
+# Maps roles to their hosts.
 # machines.withRole = {
 #   personal = [
 #     "machine1" "machine3"
 #   ];
 #   cache = [
 #     "machine2"
 #   ];
 # };
 #
 # A list of all possible roles
 # machines.allRoles = [
 #   "personal"
 #   "cache"
 # ];
 #
 # For each role has true or false if the current machine has that role
 # thisMachine.hasRole = {
 #   personal = true;
 #   cache = false;
 # };
 {
-  options.machines.roles = lib.mkOption {
+  options.machines.withRole = lib.mkOption {
    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
  };
  options.machines.allRoles = lib.mkOption {
    type = lib.types.listOf lib.types.str;
  };
  options.thisMachine.hasRole = lib.mkOption {
    type = lib.types.attrsOf lib.types.bool;
  };
  config = {
-    machines.roles = lib.zipAttrs
+    machines.withRole = lib.zipAttrs
      (lib.mapAttrsToList
        (host: cfg:
          lib.foldl (lib.mergeAttrs) { }
            (builtins.map (role: { ${role} = host; })
              cfg.systemRoles))
        config.machines.hosts);
    machines.allRoles = lib.attrNames config.machines.withRole;
    thisMachine.hasRole = lib.mapAttrs
      (role: cfg:
        builtins.elem config.networking.hostName config.machines.withRole.${role}
      )
      config.machines.withRole;
  };
 }
--- a/common/machine-info/ssh.nix
+++ b/common/machine-info/ssh.nix
@ -39,6 +39,6 @@ in
        builtins.map
          (host: machines.hosts.${host}.hostKey)
          hosts)
-      machines.roles;
+      machines.withRole;
  };
 }
--- a/common/nix-builder.nix
+++ b/common/nix-builder.nix
@ -1,18 +1,14 @@
 { config, lib, ... }:
 let
  builderRole = "nix-builder";
  builderUserName = "nix-builder";
-  machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts;
+  builderRole = "nix-builder";
-  otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role);
+  builders = config.machines.withRole.${builderRole};
-  thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role);
+  thisMachineIsABuilder = config.thisMachine.hasRole.${builderRole};
  builders = machinesByRole builderRole;
  thisMachineIsABuilder = thisMachineHasRole builderRole;
  # builders don't include themselves as a remote builder
-  otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders;
+  otherBuilders = lib.filter (hostname: hostname != config.networking.hostName) builders;
 in
 lib.mkMerge [
  # configure builder
@ -40,9 +36,9 @@ lib.mkMerge [
    nix.distributedBuilds = true;
    nix.buildMachines = builtins.map
-      (builderCfg: {
+      (builderHostname: {
-        hostName = builtins.elemAt builderCfg.hostNames 0;
+        hostName = builderHostname;
-        system = builderCfg.arch;
+        system = config.machines.hosts.${builderHostname}.arch;
        protocol = "ssh-ng";
        sshUser = builderUserName;
        sshKey = "/etc/ssh/ssh_host_ed25519_key";
@ -50,7 +46,7 @@ lib.mkMerge [
        speedFactor = 10;
        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
      })
-      (builtins.attrValues otherBuilders);
+      otherBuilders;
    # It is very likely that the builder's internet is faster or just as fast
    nix.extraOptions = ''
--- a/common/server/gitea-actions-runner.nix
+++ b/common/server/gitea-actions-runner.nix
@ -9,10 +9,7 @@
 # TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
 let
-  runnerRole = "gitea-actions-runner";
+  thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
  runners = config.machines.roles.${runnerRole};
  thisMachineIsARunner = builtins.elem config.networking.hostName runners;
  containerName = "gitea-runner";
 in
 {
--- a/flake.nix
+++ b/flake.nix
@ -84,13 +84,11 @@
  outputs = { self, nixpkgs, ... }@inputs:
    let
-      machines = (import ./common/machine-info/moduleless.nix
+      machineHosts = (import ./common/machine-info/moduleless.nix
        {
          inherit nixpkgs;
          assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
-        }).machines;
+        }).machines.hosts;
      machineHosts = machines.hosts;
      machineRoles = machines.roles;
    in
    {
      nixosConfigurations =
@ -115,10 +113,7 @@
                home-manager.useGlobalPkgs = true;
                home-manager.useUserPackages = true;
-                home-manager.users.googlebot = import ./home/googlebot.nix {
+                home-manager.users.googlebot = import ./home/googlebot.nix;
                  inherit hostname;
                  inherit machineRoles;
                };
              };
              # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
--- a/home/googlebot.nix
+++ b/home/googlebot.nix
@ -1,9 +1,8 @@
-{ hostname, machineRoles }:
+{ config, lib, pkgs, osConfig, ... }:
 { config, lib, pkgs, ... }:
 let
  # Check if the current machine has the role "personal"
-  thisMachineIsPersonal = builtins.elem hostname machineRoles.personal;
+  thisMachineIsPersonal = osConfig.thisMachine.hasRole."personal";
 in
 {
  home.username = "googlebot";
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@ -1,6 +1,7 @@
 {
  hostNames = [
    "s0"
    "s0.neet.dev"
  ];
  arch = "x86_64-linux";
@ -19,6 +20,8 @@
  remoteUnlock = {
    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
    clearnetHost = "192.168.1.2";
    onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
  };
 }
Author	SHA1	Message	Date
Zuckerberg	1c9fa418b3	Make s0 easier to unlock All checks were successful Check Flake / check-flake (push) Successful in 1m25s Details	2025-03-29 22:52:00 -07:00
Zuckerberg	8c4dc9cb74	Improve usage of roles. It should be much easier to read and use now.	2025-03-29 22:48:14 -07:00