Commit files for public release

packages/all.nix

@@ -0,0 +1,11 @@
+{
+  self,
+  system,
+  pkgs,
+  ...
+}:
+with pkgs.lib;
+let
+  nixosConfigs = mapAttrsToList (n: v: v.config.system.build.toplevel) self.nixosConfigurations;
+in
+pkgs.linkFarmFromDrvs "allHosts" (nixosConfigs ++ [ self.packages.${system}.docs ])

packages/cache.nix

@@ -0,0 +1,36 @@
+{ pkgs, ... }:
+pkgs.writeShellApplication {
+  name = "cache";
+  meta.description = "Access the infrastructure's attic cache. Mostly used in CI.";
+  runtimeInputs = [
+    pkgs.attic-client
+    pkgs.findutils
+    pkgs.gnugrep
+  ];
+  text = ''
+    SERVER="https://attic.qo.is/"
+    CACHE_NAME="qois"
+    CACHE_REPO="$CACHE_NAME:qois-infrastructure"
+    if [ -z "$ATTIC_AUTH_TOKEN" ]; then
+      echo "Please set the \$ATTIC_AUTH_TOKEN environment variable to access the cache."
+      exit 3
+    fi
+    attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
+
+    case "$1" in
+      use)
+        attic use "$CACHE_REPO"
+      ;;
+      watch)
+        attic watch-store "$CACHE_REPO"
+      ;;
+      push)
+        RESULT_PATH="./result"
+        # Add build dependencies as well
+        nix-store -qR --include-outputs "$(nix-store -qd $RESULT_PATH)"   | grep -v '\.drv$' \
+          | xargs attic push "$CACHE_REPO" "$RESULT_PATH"
+      ;;
+
+    esac
+  '';
+}

packages/default.nix

@@ -0,0 +1,17 @@
+{ system, ... }@inputs:
+{
+  ${system} =
+    let
+      all = import ./all.nix inputs;
+    in
+    {
+      inherit all;
+      default = all;
+      cache = import ./cache.nix inputs;
+      deploy-qois = import ./deploy-qois.nix inputs;
+      docs = import ./docs.nix inputs;
+      sops = import ./sops.nix inputs;
+      sops-config = import ./sops-config.nix inputs;
+      sops-rekey = import ./sops-rekey.nix inputs;
+    };
+}

packages/deploy-qois.nix

@@ -0,0 +1,14 @@
+{
+  pkgs,
+  self,
+  system,
+  ...
+}:
+pkgs.writeShellApplication {
+  name = "deploy-qois";
+  meta.description = "Deploy configuration to specificed targets.";
+  runtimeInputs = [ pkgs.deploy-rs ];
+  text = ''
+    deploy --interactive --targets "''${@:-${self}}"
+  '';
+}

packages/docs.nix

@@ -0,0 +1,16 @@
+{ pkgs, self, ... }:
+let
+  version = self.rev or self.dirtyRev;
+in
+pkgs.stdenv.mkDerivation {
+  inherit version;
+  name = "qois-docs-${version}";
+  buildInputs = with pkgs; [
+    mdbook
+    mdbook-cmdrun
+    mdbook-plantuml
+    plantuml
+  ];
+  src = ../.;
+  buildPhase = "mdbook build --dest-dir $out";
+}

packages/sops-config.nix

@@ -0,0 +1,87 @@
+{
+  pkgs,
+  self,
+  system,
+  ...
+}:
+let
+  metaHostConfigs = import ../defaults/meta/hosts.nix { inherit pkgs; };
+  userPgpKeys =
+    let
+      keysFolder = "${self.inputs.private}/sops_keys";
+      gpgFingerprintsFile =
+        pkgs.runCommand "userPgpKeys"
+          {
+            src = keysFolder;
+            buildInputs = with pkgs; [
+              gnupg
+              gnugrep
+            ];
+          }
+          ''
+            echo -n "[ " > $out
+            for KEY in $src/*.asc; do
+              FINGERPRINT=`
+                gpg --homedir /tmp/.gnupg --with-colons --show-keys "$KEY" \
+                  | grep ^fpr \
+                  | grep --max-count 1 --only-matching --extended-regexp '[0-9A-Z]{40}' \
+                  | cut -c -40
+                `
+              echo -n "\"$FINGERPRINT\" " >> $out
+            done
+            echo "]" >> $out
+          '';
+    in
+    import "${gpgFingerprintsFile}";
+  userAgeKeys = [ ];
+  serverAgeKeys =
+    let
+      getHostsWithSshKeys = pkgs.lib.filterAttrs (name: cfg: cfg ? sshKey);
+      mapHostToAgeKey = builtins.mapAttrs (
+        name: cfg:
+        pkgs.lib.readFile (
+          pkgs.runCommand "sshToAgeKey"
+            {
+              buildInputs = [ pkgs.ssh-to-age ];
+            }
+            ''
+              echo "${cfg.sshKey}" | ssh-to-age -o $out
+            ''
+        )
+      );
+    in
+    mapHostToAgeKey (getHostsWithSshKeys metaHostConfigs.qois.meta.hosts);
+  toCommaList = builtins.concatStringsSep ",";
+in
+pkgs.writeText ".sops.yaml" (
+  ''
+    # This file was generated by nix, see packages/sops-config.nix for details.
+  ''
+  + builtins.toJSON {
+    keys = userPgpKeys ++ userAgeKeys ++ builtins.attrValues serverAgeKeys;
+    creation_rules =
+      [
+        # Secrets for administrators (a.k.a. passwords)
+        {
+          path_regex = "private/passwords\.sops\.(yaml|json|env|ini)$";
+          pgp = toCommaList userPgpKeys;
+          age = toCommaList userAgeKeys;
+        }
+
+        # Secrets for all hosts
+        {
+          path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
+          pgp = toCommaList userPgpKeys;
+          age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
+        }
+      ]
+      ++
+
+      # Server specific secrets
+      (pkgs.lib.mapAttrsToList (serverName: serverKey: {
+        path_regex = "private/nixos-configurations/${serverName}/secrets\.sops\.(yaml|json|env|ini)$";
+        pgp = toCommaList userPgpKeys;
+        age = toCommaList (userAgeKeys ++ [ serverKey ]);
+      }) serverAgeKeys);
+  }
+)

packages/sops-rekey.nix

@@ -0,0 +1,17 @@
+{
+  pkgs,
+  self,
+  system,
+  ...
+}:
+pkgs.writeShellApplication {
+  name = "sops-rekey";
+  meta.description = "Rekey all sops secrets with changed keys";
+  runtimeInputs = [
+    pkgs.findutils
+    self.packages.${system}.sops
+  ];
+  text = ''
+    find . -regex '.*\.sops\..*$' -type f -exec sops updatekeys {} \;
+  '';
+}

packages/sops.nix

@@ -0,0 +1,20 @@
+{
+  pkgs,
+  self,
+  system,
+  ...
+}:
+pkgs.writeShellApplication {
+  name = "sops";
+  meta.description = "Run SOPS with the generated configuration";
+  runtimeInputs = with pkgs; [
+    sops
+    gitMinimal
+    nix
+  ];
+  text = ''
+    FLAKE_ROOT="$(git rev-parse --show-toplevel)"
+    nix build --out-link "$FLAKE_ROOT/.sops.yaml" "$FLAKE_ROOT#sops-config"
+    sops --config "''${FLAKE_ROOT}/.sops.yaml" "''${@}"
+  '';
+}