{ self, nixpkgs, system, openwrt-imagebuilder }:
let
# Site-wide configuration (hosts, roles, device models, ...) as exported
# by the flake's own `lib`; everything below is derived from it.
config = self.lib.config;

# Package set of the build host.
pkgs = nixpkgs.legacyPackages.${system};
# Render the OpenWRT model table as a pretty-printed Nix expression
# (a plain text file in the store) so it can be inspected or diffed.
export-openwrt-models =
  let
    rendered = nixpkgs.lib.generators.toPretty {} self.lib.openwrtModels;
  in
  pkgs.writeText "openwrt-models.nix" rendered;
# Render the evaluated site configuration as a pretty-printed Nix
# expression for inspection.
# NOTE(review): the Nix store is world-readable; if `config` pulls in
# values from config/secrets.nix (see switch-to-production), building
# this target copies those values into the store -- confirm before
# using it on a shared machine.
export-config =
  let
    rendered = nixpkgs.lib.generators.toPretty {} config;
  in
  pkgs.writeText "config.nix" rendered;
# Encrypt config/secrets-production.nix to the pinned recipient key,
# writing ASCII-armored output to secrets-production.nix.gpg.
# Must be run from the repository root (the script cd's into ./config).
#
# Security notes:
#  * The recipient is a full 40-hex fingerprint rather than a user id,
#    so `--trust-model always` only bypasses the web-of-trust check; it
#    cannot make gpg pick a look-alike key. Keep it a fingerprint.
#  * The plaintext secrets-production.nix is left on disk; delete it
#    once the .gpg file is committed.
encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" ''
  #! ${pkgs.runtimeShell} -e

  cd config

  recipient=1F0F221A7483B5EF5D103D8B32EBADE870BAF886
  exec ${pkgs.gnupg}/bin/gpg --armor --batch --trust-model always \
    --encrypt -r "$recipient" \
    < secrets-production.nix \
    > secrets-production.nix.gpg
'';
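# Decrypt config/secrets-production.nix.gpg to config/secrets-production.nix,
# keeping any previous plaintext as secrets-production.nix.old.
# Must be run from the repository root (the script cd's into ./config).
#
# Changes versus the plain `gpg -d > file` form:
#  * umask 077 -- the `>` redirection creates the file before gpg runs,
#    and would otherwise use the caller's umask (typically 022), leaving
#    the decrypted secrets world-readable.
#  * decrypt into a temporary file and rename it into place, so a failed
#    decryption (wrong key, tampered ciphertext) never leaves an empty or
#    truncated secrets-production.nix behind after the old one was moved.
decrypt-secrets = pkgs.writeScriptBin "decrypt-secrets" ''
  #! ${pkgs.runtimeShell} -e

  cd config

  # Plaintext secrets must be private to the caller.
  umask 077

  # The .old copy is still plaintext; remove it once the new file is
  # confirmed good.
  [ -e secrets-production.nix ] && \
    mv secrets-production.nix secrets-production.nix.old

  # mktemp creates the file with mode 0600 in the current directory.
  tmp=$(mktemp secrets-production.nix.XXXXXX)
  trap 'rm -f "$tmp"' EXIT
  ${pkgs.gnupg}/bin/gpg -d \
    < secrets-production.nix.gpg \
    > "$tmp"
  mv "$tmp" secrets-production.nix
  trap - EXIT
'';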
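# Decrypt the production secrets and make them the active ones by
# copying config/secrets-production.nix to config/secrets.nix.
# Must be run from the repository root.
#
# The binary name must match the attribute name: it was previously
# registered as "decrypt-secrets", which left no bin/switch-to-production
# and shadowed the real decrypt-secrets wrapper whenever both packages
# were on PATH.
switch-to-production = pkgs.writeScriptBin "switch-to-production" ''
  #! ${pkgs.runtimeShell} -e

  ${decrypt-secrets}/bin/decrypt-secrets

  cd config

  # cp creates a new secrets.nix subject to the umask; keep the
  # plaintext copy private to the caller.
  umask 077
  cp secrets-production.nix secrets.nix
'';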
# Graph renderings of the site network; both modules take the evaluated
# site configuration and the build-host package set.
graphArgs = { inherit config pkgs; };
network-cypher-graphs = import ./network-cypher-graphs.nix graphArgs;
network-graphs = import ./network-graphs.nix graphArgs;
# The NixOS system closure (toplevel) for one host of the flake's
# nixosConfigurations.
mkRootfs = hostName:
  let
    hostCfg = self.nixosConfigurations.${hostName}.config;
  in
  hostCfg.system.build.toplevel;
# "<host>-rootfs" -> system closure, for every host whose role is
# "server" or "container". Hosts without a `role` attribute are an
# evaluation error, as before.
rootfs-packages =
  let
    inherit (nixpkgs) lib;
    rootfsRoles = [ "server" "container" ];
    wanted = lib.filterAttrs
      (_: host: builtins.elem host.role rootfsRoles)
      config.site.hosts;
  in
  lib.mapAttrs'
    (hostName: _: lib.nameValuePair "${hostName}-rootfs" (mkRootfs hostName))
    wanted;
# "<host>-vm" -> QEMU runner, for every host with role "server".
# `meta.mainProgram` is set so the package can be started directly
# (e.g. via `nix run`) without naming the run script.
vm-packages =
  let
    inherit (nixpkgs) lib;
    servers = lib.filterAttrs (_: host: host.role == "server") config.site.hosts;
    vmFor = hostName:
      self.nixosConfigurations.${hostName}.config.system.build.vm.overrideAttrs
        (_: { meta.mainProgram = "run-${hostName}-vm"; });
  in
  lib.mapAttrs'
    (hostName: _: lib.nameValuePair "${hostName}-vm" (vmFor hostName))
    servers;
# A single directory holding one symlink per rootfs from
# rootfs-packages, named after each toplevel derivation, so all of
# them can be built in one go.
# NOTE(review): `ln -s` fails if two toplevels share a `name`; this
# relies on host names being unique in the derivation names.
all-rootfs =
  let
    linkCommands = nixpkgs.lib.concatMapStrings
      (drv: "ln -s ${drv} $out/${drv.name}\n")
      (builtins.attrValues rootfs-packages);
  in
  pkgs.runCommand "all-rootfs" {} ''
    mkdir -p $out
    ${linkCommands}
  '';
# One OpenWRT image per host with role "ap", keyed "<host>-image".
#
# Profile selection per host, in order:
#   1. the imagebuilder's current release, via identifyProfiles on the
#      host's `model`;
#   2. a hard-coded legacy profile for models the current release has
#      dropped (dir-615-d on 19.07.10, tl-wr* on 18.06.9 / ar71xx tiny);
#   3. otherwise the host is skipped with a trace message.
#
# Security notes:
#  * 18.06.9 and 19.07.10 are end-of-life OpenWRT releases; a host that
#    lands on the legacy path runs firmware without security fixes and
#    should be replaced or re-evaluated.
#  * The tl-wr* legacy profile pins the imagebuilder and package feeds
#    by sha256, so the build fails if the upstream artifacts change.
#  * If identifyProfiles returns several candidates the first one is
#    used and only a trace is emitted -- watch the build log for
#    "has multiple models!".
openwrt-images =
  let
    inherit (nixpkgs) lib;
    currentProfiles = openwrt-imagebuilder.lib.profiles { inherit pkgs; };

    apHostNames = builtins.attrNames
      (lib.filterAttrs (_: host: host.role == "ap") config.site.hosts);

    # Legacy profile for a model missing from the current release, or
    # null when none is known.
    legacyProfile = model:
      if model == "dir-615-d" then
        (openwrt-imagebuilder.lib.profiles {
          inherit pkgs;
          release = "19.07.10";
        }).identifyProfile model
      else if builtins.match "tl-wr.*" model != null then {
        release = "18.06.9";
        packagesArch = "mips_24kc";
        target = "ar71xx";
        variant = "tiny";
        profile = model;
        sha256 = "109a2557gwmgib7r500qn9ygd8j4r4cv5jl5rpn9vczsm4ilkc1z";
        feedsSha256 = {
          base = "0xklqsk6d5d6bai0ry2hzfjr4sycf6241ihv8v1lmmf9r7d47cr1";
          packages = "05g048saibh304ndnlczyq92b1c67c3cqvbhdamw1xqbsp6jzifp";
        };
      }
      else null;

    # Site-wide image options layered on top of a profile.
    buildImage = hostName: profile:
      openwrt-imagebuilder.lib.build (profile // {
        extraImageName = "zw-${hostName}";
        packages = [
          # remove unused default .ipk
          "-dnsmasq" "-ppp" "-ppp-mod-pppoe" "-odhcp6c" "-odhcpd-ipv6only"
          # debugging
          "tcpdump"
          # monitoring
          "collectd" "collectd-mod-interface" "collectd-mod-load"
          "collectd-mod-cpu" "collectd-mod-iwinfo" "collectd-mod-network"
        ];
        disabledServices = [ "dnsmasq" "uhttpd" ];
        # TODO: files
      });

    # The image derivation for one host, or null when unsupported.
    imageFor = hostName:
      let
        inherit (config.site.hosts.${hostName}) model;
        matches = currentProfiles.identifyProfiles model;
        legacy = legacyProfile model;
        warnIfAmbiguous =
          if builtins.length matches == 1 then lib.id
          else builtins.trace "${hostName} (${model}) has multiple models!";
      in
      if matches != [] then
        warnIfAmbiguous (buildImage hostName (builtins.head matches))
      else if legacy != null then
        buildImage hostName legacy
      else
        builtins.trace "${hostName} (${model}) not supported by OpenWRT" null;
  in
  lib.filterAttrs (_: image: image != null) (lib.listToAttrs (map
    (hostName: lib.nameValuePair "${hostName}-image" (imageFor hostName))
    apHostNames));
# Report/template modules. Most take the flake itself plus nixpkgs and
# the system; starlink only needs the package set.
flakeArgs = { inherit self nixpkgs system; };
device-templates = import ./device-templates.nix flakeArgs;
dns-slaves = import ./dns-slaves.nix flakeArgs;
starlink = import ./starlink { inherit pkgs; };
subnetplans = import ./subnetplans.nix flakeArgs;
vlan-report = import ./vlan-report.nix flakeArgs;
in
# The flake's package set: the per-host/per-device attribute sets are
# merged left to right (a later set wins on a duplicate key), followed
# by the single-value packages, including the secret-handling scripts.
builtins.foldl' (acc: set: acc // set) {} [
  rootfs-packages
  vm-packages
  device-templates
  openwrt-images
  network-graphs
  network-cypher-graphs
  starlink
  subnetplans
  {
    inherit all-rootfs export-openwrt-models export-config dns-slaves
      encrypt-secrets decrypt-secrets switch-to-production vlan-report;
  }
]