network/nix/pkgs/default.nix

{ self, nixpkgs, system, openwrt-imagebuilder }:

let
  inherit (self.lib) config;

  pkgs = nixpkgs.legacyPackages.${system};

  export-openwrt-models = pkgs.writeText "openwrt-models.nix" (
    nixpkgs.lib.generators.toPretty {} self.lib.openwrtModels
  );
  export-config = pkgs.writeText "config.nix" (
    nixpkgs.lib.generators.toPretty {} config
  );

  encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" ''
    #! ${pkgs.runtimeShell} -e

    cd config
    exec ${pkgs.gnupg}/bin/gpg --armor --batch --trust-model always \
      --encrypt -r 1F0F221A7483B5EF5D103D8B32EBADE870BAF886 \
      < secrets-production.nix \
      > secrets-production.nix.gpg
  '';
  decrypt-secrets = pkgs.writeScriptBin "decrypt-secrets" ''
    #! ${pkgs.runtimeShell} -e

    cd config
    [ -e secrets-production.nix ] && \
      mv secrets-production.nix secrets-production.nix.old
    exec ${pkgs.gnupg}/bin/gpg -d \
      > secrets-production.nix \
      < secrets-production.nix.gpg
  '';
  switch-to-production = pkgs.writeScriptBin "decrypt-secrets" ''
    #! ${pkgs.runtimeShell} -e

    ${decrypt-secrets}/bin/decrypt-secrets

    cd config
    cp secrets-production.nix secrets.nix
  '';

  network-cypher-graphs = import ./network-cypher-graphs.nix { inherit config pkgs; };
  network-graphs = import ./network-graphs.nix { inherit config pkgs; };

  mkRootfs = hostName:
    self.nixosConfigurations.${hostName}.config.system.build.toplevel;

  rootfs-packages =
    builtins.foldl' (rootfs: hostName: rootfs // {
      "${hostName}-rootfs" = mkRootfs hostName;
    }) {} (
      builtins.attrNames (
        nixpkgs.lib.filterAttrs (_: { role, ... }: builtins.elem role ["server" "container"])
          config.site.hosts
      )
    );

  vm-packages =
    builtins.foldl' (rootfs: hostName: rootfs // {
      "${hostName}-vm" = self.nixosConfigurations.${hostName}.config.system.build.vm
        .overrideAttrs (_oa: {
          meta.mainProgram = "run-${hostName}-vm";
        });
    }) {} (
      builtins.attrNames (
        nixpkgs.lib.filterAttrs (_: { role, ... }: role == "server")
          config.site.hosts
      )
    );

  all-rootfs = with pkgs;
    runCommand "all-rootfs" {} ''
      mkdir -p $out
      ${lib.concatMapStrings (pkg: ''
        ln -s ${pkg} $out/${pkg.name}
      '') (builtins.attrValues rootfs-packages)}
    '';

  openwrt-images =
    let
      profiles = openwrt-imagebuilder.lib.profiles { inherit pkgs; };
      build = args:
        openwrt-imagebuilder.lib.build (args // {
          extraImageName = "zw";
          packages = [
            # remove unused default .ipk
            "-dnsmasq" "-ppp" "-ppp-mod-pppoe" "-odhcp6c" "-odhcpd-ipv6only"
            # debugging
            "tcpdump"
            # monitoring
            "collectd" "collectd-mod-interface" "collectd-mod-load"
            "collectd-mod-cpu" "collectd-mod-iwinfo" "collectd-mod-network"
          ];
          disabledServices = [ "dnsmasq" "uhttpd" ];
          # TODO: files
        });
    in
      builtins.foldl' (images: hostName:
        let
          hostConfig = config.site.hosts.${hostName};
          matches = profiles.identifyProfiles hostConfig.model;
        in
          if matches == []
          then builtins.trace "${hostName} (${hostConfig.model}) not supported by OpenWRT"
            images
          else if builtins.length matches == 1
          then
            images // {
              "${hostName}-image" = build (
                builtins.elemAt matches 0
              );
            }
          else builtins.trace "${hostName} (${hostConfig.model}) has multiple models!"
            images // {
              "${hostName}-image" = build (
                builtins.elemAt matches 0
              );
            }
      ) {} (
        builtins.attrNames (
          nixpkgs.lib.filterAttrs (_: { role, ... }: role == "ap")
            config.site.hosts
        )
      );

  device-templates = import ./device-templates.nix {
    inherit self nixpkgs system;
  };

  dns-slaves = import ./dns-slaves.nix {
    inherit self nixpkgs system;
  };

  starlink = import ./starlink {
    inherit pkgs;
  };

  subnetplans = import ./subnetplans.nix {
    inherit self nixpkgs system;
  };

  vlan-report = import ./vlan-report.nix {
    inherit self nixpkgs system;
  };
in
rootfs-packages // vm-packages // device-templates // openwrt-images // network-graphs // network-cypher-graphs // starlink // subnetplans // {
  inherit all-rootfs export-openwrt-models export-config dns-slaves
    encrypt-secrets decrypt-secrets switch-to-production
    vlan-report
    ;
}
add nix-openwrt-imagebuilder 2022-04-29 00:49:45 +02:00			`{ self, nixpkgs, system, openwrt-imagebuilder }:`
nix/pkgs/default: init, add export-config 2021-03-19 22:11:25 +01:00
			`let`
			`inherit (self.lib) config;`

nix/pkgs: build *-vm packages 2021-03-31 01:23:58 +02:00			`pkgs = nixpkgs.legacyPackages.${system};`

lib/openwrt-models: add code to get port definitions 2021-11-03 23:21:43 +01:00			`export-openwrt-models = pkgs.writeText "openwrt-models.nix" (`
			`nixpkgs.lib.generators.toPretty {} self.lib.openwrtModels`
			`);`
			`export-config = pkgs.writeText "config.nix" (`
nix/pkgs/default: init, add export-config 2021-03-19 22:11:25 +01:00			`nixpkgs.lib.generators.toPretty {} config`
			`);`

config: nixify everything 2021-11-13 01:23:23 +01:00			`encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" ''`
			`#! ${pkgs.runtimeShell} -e`

			`cd config`
			`exec ${pkgs.gnupg}/bin/gpg --armor --batch --trust-model always \`
			`--encrypt -r 1F0F221A7483B5EF5D103D8B32EBADE870BAF886 \`
			`< secrets-production.nix \`
			`> secrets-production.nix.gpg`
			`'';`
			`decrypt-secrets = pkgs.writeScriptBin "decrypt-secrets" ''`
			`#! ${pkgs.runtimeShell} -e`

			`cd config`
			`[ -e secrets-production.nix ] && \`
			`mv secrets-production.nix secrets-production.nix.old`
			`exec ${pkgs.gnupg}/bin/gpg -d \`
			`> secrets-production.nix \`
			`< secrets-production.nix.gpg`
			`'';`
			`switch-to-production = pkgs.writeScriptBin "decrypt-secrets" ''`
			`#! ${pkgs.runtimeShell} -e`

nix/pkgs: fix switch-to-production 2021-11-15 21:56:16 +01:00			`${decrypt-secrets}/bin/decrypt-secrets`
config: nixify everything 2021-11-13 01:23:23 +01:00
			`cd config`
			`cp secrets-production.nix secrets.nix`
			`'';`
nix/lib/salt-support: implement saltPillarFor by hostName 2021-03-20 01:00:18 +01:00
adding cypher graph generation utitlies 2021-12-28 18:43:42 +01:00			`network-cypher-graphs = import ./network-cypher-graphs.nix { inherit config pkgs; };`
pkgs/network-graphs: don't use callPackage as it breaks the flake 2021-11-07 00:05:55 +01:00			`network-graphs = import ./network-graphs.nix { inherit config pkgs; };`
pkgs/network-graphs: init 2021-11-06 19:47:34 +01:00
move rootfs nixos-module to nix/pkgs 2021-03-22 23:47:19 +01:00			`mkRootfs = hostName:`
lxc-containers.nix: start with non-ephemeral rootfs 2021-04-04 20:00:40 +02:00			`self.nixosConfigurations.${hostName}.config.system.build.toplevel;`
move rootfs nixos-module to nix/pkgs 2021-03-22 23:47:19 +01:00
nix/pkgs: build *-vm packages 2021-03-31 01:23:58 +02:00			`rootfs-packages =`
move rootfs nixos-module to nix/pkgs 2021-03-22 23:47:19 +01:00			`builtins.foldl' (rootfs: hostName: rootfs // {`
			`"${hostName}-rootfs" = mkRootfs hostName;`
			`}) {} (`
			`builtins.attrNames (`
nix/pkgs: build *-vm packages 2021-03-31 01:23:58 +02:00			`nixpkgs.lib.filterAttrs (_: { role, ... }: builtins.elem role ["server" "container"])`
			`config.site.hosts`
			`)`
			`);`

			`vm-packages =`
			`builtins.foldl' (rootfs: hostName: rootfs // {`
nix/pkgs: specify meta.mainProgram for vm-packages enables `nix run .#server1-vm` 2021-04-01 01:14:26 +02:00			`"${hostName}-vm" = self.nixosConfigurations.${hostName}.config.system.build.vm`
*.nix: remove unused code 2022-03-22 18:13:17 +01:00			`.overrideAttrs (_oa: {`
nix/pkgs: specify meta.mainProgram for vm-packages enables `nix run .#server1-vm` 2021-04-01 01:14:26 +02:00			`meta.mainProgram = "run-${hostName}-vm";`
			`});`
nix/pkgs: build *-vm packages 2021-03-31 01:23:58 +02:00			`}) {} (`
			`builtins.attrNames (`
			`nixpkgs.lib.filterAttrs (_: { role, ... }: role == "server")`
move rootfs nixos-module to nix/pkgs 2021-03-22 23:47:19 +01:00			`config.site.hosts`
			`)`
			`);`
nix/pkgs/default: init, add export-config 2021-03-19 22:11:25 +01:00
pkgs: add all-rootfs 2021-11-18 20:41:06 +01:00			`all-rootfs = with pkgs;`
			`runCommand "all-rootfs" {} ''`
			`mkdir -p $out`
			`${lib.concatMapStrings (pkg: ''`
			`ln -s ${pkg} $out/${pkg.name}`
			`'') (builtins.attrValues rootfs-packages)}`
			`'';`

add nix-openwrt-imagebuilder 2022-04-29 00:49:45 +02:00			`openwrt-images =`
			`let`
			`profiles = openwrt-imagebuilder.lib.profiles { inherit pkgs; };`
			`build = args:`
			`openwrt-imagebuilder.lib.build (args // {`
			`extraImageName = "zw";`
			`packages = [`
			`# remove unused default .ipk`
			`"-dnsmasq" "-ppp" "-ppp-mod-pppoe" "-odhcp6c" "-odhcpd-ipv6only"`
			`# debugging`
			`"tcpdump"`
			`# monitoring`
			`"collectd" "collectd-mod-interface" "collectd-mod-load"`
			`"collectd-mod-cpu" "collectd-mod-iwinfo" "collectd-mod-network"`
			`];`
			`disabledServices = [ "dnsmasq" "uhttpd" ];`
			`# TODO: files`
			`});`
			`in`
			`builtins.foldl' (images: hostName:`
			`let`
			`hostConfig = config.site.hosts.${hostName};`
			`matches = profiles.identifyProfiles hostConfig.model;`
			`in`
			`if matches == []`
			`then builtins.trace "${hostName} (${hostConfig.model}) not supported by OpenWRT"`
			`images`
			`else if builtins.length matches == 1`
			`then`
			`images // {`
			`"${hostName}-image" = build (`
			`builtins.elemAt matches 0`
			`);`
			`}`
			`else builtins.trace "${hostName} (${hostConfig.model}) has multiple models!"`
			`images // {`
			`"${hostName}-image" = build (`
			`builtins.elemAt matches 0`
			`);`
			`}`
			`) {} (`
			`builtins.attrNames (`
			`nixpkgs.lib.filterAttrs (_: { role, ... }: role == "ap")`
			`config.site.hosts`
			`)`
			`);`

nix/pkgs/default: init, add export-config 2021-03-19 22:11:25 +01:00			`device-templates = import ./device-templates.nix {`
			`inherit self nixpkgs system;`
			`};`

pkgs/dns-slaves: init 2021-05-06 17:42:26 +02:00			`dns-slaves = import ./dns-slaves.nix {`
			`inherit self nixpkgs system;`
			`};`

nixos-module/collectd: add starlink-stats 2021-05-23 23:16:28 +02:00			`starlink = import ./starlink {`
			`inherit pkgs;`
			`};`
nix/pkgs/subnetplan: init 2021-11-17 23:57:16 +01:00
			`subnetplans = import ./subnetplans.nix {`
			`inherit self nixpkgs system;`
			`};`
pkgs/vlan-report: add 2022-01-24 21:04:11 +01:00
			`vlan-report = import ./vlan-report.nix {`
			`inherit self nixpkgs system;`
			`};`
nix/pkgs/default: init, add export-config 2021-03-19 22:11:25 +01:00			`in`
add nix-openwrt-imagebuilder 2022-04-29 00:49:45 +02:00			`rootfs-packages // vm-packages // device-templates // openwrt-images // network-graphs // network-cypher-graphs // starlink // subnetplans // {`
pkgs: add all-rootfs 2021-11-18 20:41:06 +01:00			`inherit all-rootfs export-openwrt-models export-config dns-slaves`
nix/pkgs/subnetplan: init 2021-11-17 23:57:16 +01:00			`encrypt-secrets decrypt-secrets switch-to-production`
pkgs/vlan-report: add 2022-01-24 21:04:11 +01:00			`vlan-report`
nix/pkgs/subnetplan: init 2021-11-17 23:57:16 +01:00			`;`
nix/pkgs/default: init, add export-config 2021-03-19 22:11:25 +01:00			`}`