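# Flake `packages` output for one system: a rootfs (and, for servers, a VM)
# per NixOS host, an OpenWRT image per access point, the helper scripts that
# encrypt/decrypt the production secrets, and the report/graph generators.
#
# Arguments:
#   self                 the flake itself (`self.lib.config`, `self.nixosConfigurations`)
#   nixpkgs              the nixpkgs flake input
#   system               the target system string
#   openwrt-imagebuilder the nix-openwrt-imagebuilder flake input
#
# Returns a single attribute set keyed by package name.
{ self, nixpkgs, system, openwrt-imagebuilder }:

let
  inherit (self.lib) config;
  pkgs = nixpkgs.legacyPackages.${system};
  lib = nixpkgs.lib;

  # Names of the hosts in `config.site.hosts` whose `role` is one of `roles`.
  hostsWithRole = roles:
    builtins.attrNames
      (lib.filterAttrs (_: { role, ... }: builtins.elem role roles) config.site.hosts);

  # Merges `f hostName` for every host with one of `roles` into one attribute set.
  perHost = roles: f:
    builtins.foldl' (acc: hostName: acc // f hostName) {} (hostsWithRole roles);

  # Pretty-printed dumps of evaluated data, for inspection.
  export-openwrt-models = pkgs.writeText "openwrt-models.nix"
    (lib.generators.toPretty {} self.lib.openwrtModels);
  # NOTE(review): if `config` already includes the decrypted secrets, this
  # writes them into the world-readable Nix store — confirm before building it.
  export-config = pkgs.writeText "config.nix"
    (lib.generators.toPretty {} config);

  # Recipient of the production secrets. A full fingerprint is given, which is
  # why `--trust-model always` (no web-of-trust lookup) is acceptable here.
  secretsRecipient = "1F0F221A7483B5EF5D103D8B32EBADE870BAF886";

  # Encrypts config/secrets-production.nix to config/secrets-production.nix.gpg
  # (ASCII-armored, so the result can be committed). Exit status is gpg's.
  encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" ''
    #! ${pkgs.runtimeShell} -e
    cd config
    exec ${pkgs.gnupg}/bin/gpg --armor --batch --trust-model always \
      --encrypt -r ${secretsRecipient} \
      < secrets-production.nix \
      > secrets-production.nix.gpg
  '';

  # Decrypts config/secrets-production.nix.gpg to config/secrets-production.nix,
  # keeping any previous plaintext as `.old`. Exit status is gpg's.
  decrypt-secrets = pkgs.writeScriptBin "decrypt-secrets" ''
    #! ${pkgs.runtimeShell} -e
    # the plaintext must not be created group/world readable
    umask 077
    cd config
    [ -e secrets-production.nix ] && \
      mv secrets-production.nix secrets-production.nix.old
    exec ${pkgs.gnupg}/bin/gpg -d \
      > secrets-production.nix \
      < secrets-production.nix.gpg
  '';

  # Decrypts the production secrets and installs them as config/secrets.nix.
  # The script was previously registered as "decrypt-secrets", so the
  # `switch-to-production` binary did not exist; it now carries its own name.
  switch-to-production = pkgs.writeScriptBin "switch-to-production" ''
    #! ${pkgs.runtimeShell} -e
    umask 077
    ${decrypt-secrets}/bin/decrypt-secrets
    cd config
    cp secrets-production.nix secrets.nix
  '';

  network-cypher-graphs = import ./network-cypher-graphs.nix { inherit config pkgs; };
  network-graphs = import ./network-graphs.nix { inherit config pkgs; };

  # The built NixOS system closure of one host.
  mkRootfs = hostName:
    self.nixosConfigurations.${hostName}.config.system.build.toplevel;

  # `<host>-rootfs` for every server and container.
  rootfs-packages = perHost [ "server" "container" ] (hostName: {
    "${hostName}-rootfs" = mkRootfs hostName;
  });

  # `<host>-vm` for every server; `meta.mainProgram` lets `nix run` start it.
  vm-packages = perHost [ "server" ] (hostName: {
    "${hostName}-vm" =
      self.nixosConfigurations.${hostName}.config.system.build.vm.overrideAttrs
        (_oa: { meta.mainProgram = "run-${hostName}-vm"; });
  });

  # One directory of symlinks to every rootfs, so all of them build in one go.
  all-rootfs = pkgs.runCommand "all-rootfs" {} ''
    mkdir -p $out
    ${lib.concatMapStrings (pkg: ''
      ln -s ${pkg} $out/${pkg.name}
    '') (builtins.attrValues rootfs-packages)}
  '';

  # `<host>-image` for every access point whose model the image builder knows.
  openwrt-images =
    let
      profiles = openwrt-imagebuilder.lib.profiles { inherit pkgs; };
      build = args: openwrt-imagebuilder.lib.build (args // {
        extraImageName = "zw";
        packages = [
          # remove unused default .ipk
          "-dnsmasq" "-ppp" "-ppp-mod-pppoe" "-odhcp6c" "-odhcpd-ipv6only"
          # debugging
          "tcpdump"
          # monitoring
          "collectd" "collectd-mod-interface" "collectd-mod-load"
          "collectd-mod-cpu" "collectd-mod-iwinfo" "collectd-mod-network"
        ];
        disabledServices = [ "dnsmasq" "uhttpd" ];
        # TODO: files
      });

      # Image attribute for one access point, or `{}` (with a trace) when the
      # model is unknown. An ambiguous model uses the first match, as before,
      # and is traced so the choice is visible at evaluation time.
      imageFor = hostName:
        let
          hostConfig = config.site.hosts.${hostName};
          matches = profiles.identifyProfiles hostConfig.model;
          image = { "${hostName}-image" = build (builtins.elemAt matches 0); };
        in
        if matches == [] then
          builtins.trace "${hostName} (${hostConfig.model}) not supported by OpenWRT" {}
        else if builtins.length matches == 1 then
          image
        else
          builtins.trace "${hostName} (${hostConfig.model}) has multiple models!" image;
    in
    perHost [ "ap" ] imageFor;

  device-templates = import ./device-templates.nix { inherit self nixpkgs system; };
  dns-slaves = import ./dns-slaves.nix { inherit self nixpkgs system; };
  starlink = import ./starlink { inherit pkgs; };
  subnetplans = import ./subnetplans.nix { inherit self nixpkgs system; };
  vlan-report = import ./vlan-report.nix { inherit self nixpkgs system; };
in
rootfs-packages
// vm-packages
// device-templates
// openwrt-images
// network-graphs
// network-cypher-graphs
// starlink
// subnetplans
// {
  inherit all-rootfs export-openwrt-models export-config dns-slaves
    encrypt-secrets decrypt-secrets switch-to-production vlan-report;
}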