flake-parts/setups: set separate namespace for custom library

This at least allows us to make custom environment-specific library sets.

apps/run-workflow-with-vm/configuration.nix

@@ -6,7 +6,7 @@
 let
   pkgs = import <nixpkgs> { };
   config' = import <config> { };
-  lib = pkgs.lib.extend (import <config/lib/extras/extend-lib.nix>);
+  lib = pkgs.lib;
 in
 import <nixpkgs/nixos/lib/eval-config.nix> {
   inherit lib;
@@ -41,9 +41,14 @@ import <nixpkgs/nixos/lib/eval-config.nix> {
           <sops-nix/modules/home-manager/sops.nix>
           ({ config, lib, ... }: {
             xdg.userDirs.createDirectories = lib.mkForce true;
+            _module.args.foodogsquaredLib =
+              import ../../lib/extras/home-manager-set.nix { inherit lib; };
           })
         ];
 
+        _module.args.foodogsquaredLib =
+          import ../../lib/extras/nixos-set.nix { inherit lib; };
+
         workflows.workflows.${workflow}.enable = true;
 
         nixpkgs.overlays = [

configs/home-manager/foo-dogsquared/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, options, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 {
   imports = [ ./modules ];
@@ -32,7 +32,7 @@
   # The keyfile required to decrypt the secrets.
   sops.age.keyFile = "${config.xdg.configHome}/age/user";
 
-  sops.secrets = lib.private.getSecrets ./secrets/secrets.yaml {
+  sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets/secrets.yaml {
     davfs2-credentials = {
       path = "${config.home.homeDirectory}/.davfs2/davfs2.conf";
     };

configs/nixos/_users/plover/default.nix

@@ -1,9 +1,9 @@
 # This is the user that is often used for servers.
-{ lib, pkgs, ... }:
+{ lib, pkgs, foodogsquaredLib, ... }:
 
 let
   user = "plover";
-  homeManagerUser = lib.private.getConfig "home-manager" user;
+  homeManagerUser = foodogsquaredLib.getConfig "home-manager" user;
 in
 {
   users.users.${user} = {

configs/nixos/ni/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, foodogsquaredModulesPath, ... }:
+{ config, pkgs, lib, foodogsquaredLib, foodogsquaredModulesPath, ... }:
 
 {
   imports = [
@@ -33,7 +33,7 @@
     type = "ed25519";
   }];
 
-  sops.secrets = lib.private.getSecrets ./secrets/secrets.yaml {
+  sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets/secrets.yaml {
     "ssh-key" = { };
   };
 

configs/nixos/ni/modules/networking/wireguard.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 let
   hostCfg = config.hosts.ni;
@@ -31,7 +31,7 @@ in
     {
       environment.systemPackages = with pkgs; [ wireguard-tools ];
       networking.firewall.allowedUDPPorts = [ wireguardPort ];
-      sops.secrets = lib.private.getSecrets ../../secrets/secrets.yaml {
+      sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
         "wireguard/private-key" = { };
         "wireguard/preshared-keys/plover" = { };
         "wireguard/preshared-keys/phone" = { };

configs/nixos/ni/modules/services/backup/default.nix

@@ -1,5 +1,5 @@
 # It's a setup for my backup.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 let
   hostCfg = config.hosts.ni;
@@ -47,9 +47,9 @@ in
     lib.mkEnableOption "backup setup with BorgBackup";
 
   config = lib.mkIf cfg.enable {
-    sops.secrets = lib.private.getSecrets
+    sops.secrets = foodogsquaredLib.sops-nix.getSecrets
       ./secrets.yaml
-      (lib.private.attachSopsPathPrefix pathPrefix {
+      (foodogsquaredLib.sops-nix.attachSopsPathPrefix pathPrefix {
         "patterns/home" = { };
         "patterns/etc" = { };
         "patterns/keys" = { };
@@ -94,18 +94,18 @@ in
         startAt = "04:30";
       };
 
-      remote-backup-hetzner-box = borgJobCommonSetting
-        {
-          patterns = with config.sops; [
-            secrets."${pathPrefix}/patterns/remote-backup".path
-          ];
-          passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/hetzner-box/password".path}";
-        } // {
-        doInit = true;
-        repo = "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";
-        startAt = "04:30";
-        environment.BORG_RSH = "ssh -i ${config.sops.secrets."${pathPrefix}/ssh-key".path}";
-      };
+      #remote-backup-hetzner-box = borgJobCommonSetting
+      #  {
+      #    patterns = with config.sops; [
+      #      secrets."${pathPrefix}/patterns/remote-backup".path
+      #    ];
+      #    passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/hetzner-box/password".path}";
+      #  } // {
+      #  doInit = true;
+      #  repo = "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";
+      #  startAt = "04:30";
+      #  environment.BORG_RSH = "ssh -i ${config.sops.secrets."${pathPrefix}/ssh-key".path}";
+      #};
     };
 
     programs.ssh.extraConfig = ''

configs/nixos/ni/modules/services/download-media/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 let
   hostCfg = config.hosts.ni;
@@ -95,7 +95,7 @@ in
     {
       environment.systemPackages = [ ytdlpArchiveVariant ];
 
-      sops.secrets = lib.private.getSecrets ./secrets.yaml
+      sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets.yaml
         (lib.attachSopsPathPrefix pathPrefix {
           "secrets-config" = { };
         });

configs/nixos/plover/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, foodogsquaredModulesPath, ... }:
+{ config, lib, pkgs, foodogsquaredLib, foodogsquaredModulesPath, ... }:
 
 {
   imports = [
@@ -8,8 +8,8 @@
     ./modules/profiles/hetzner-cloud-cx21.nix
 
     # The users for this host.
-    (lib.private.getUser "nixos" "admin")
-    (lib.private.getUser "nixos" "plover")
+    (foodogsquaredLib.getUser "nixos" "admin")
+    (foodogsquaredLib.getUser "nixos" "plover")
 
     "${foodogsquaredModulesPath}/profiles/headless.nix"
     "${foodogsquaredModulesPath}/profiles/hardened.nix"
@@ -45,7 +45,7 @@
   # Offline SSH!?!
   programs.mosh.enable = true;
 
-  sops.secrets = lib.private.getSecrets ./secrets/secrets.yaml {
+  sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets/secrets.yaml {
     "ssh-key" = { };
     "lego/env" = { };
   };

configs/nixos/plover/modules/services/backup.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 let
   hostCfg = config.hosts.plover;
@@ -49,7 +49,7 @@ in
     lib.mkEnableOption "backup service";
 
   config = lib.mkIf cfg.enable {
-    sops.secrets = lib.private.getSecrets ../../secrets/secrets.yaml {
+    sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
       "borg/repos/host/patterns/keys" = { };
       "borg/repos/host/password" = { };
       "borg/repos/services/password" = { };

configs/nixos/plover/modules/services/dns-server.nix

@@ -1,7 +1,7 @@
 # The DNS server for my domains. Take note it uses a hidden master setup with
 # the secondary nameservers of the service (as of 2023-10-05, we're using
 # Hetzner's secondary nameservers).
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 let
   hostCfg = config.hosts.plover;
@@ -46,7 +46,7 @@ in
             mode = "0400";
           };
         in
-        lib.private.getSecrets ../../secrets/secrets.yaml {
+        foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
           "dns/${domain}/mailbox-security-key" = dnsFileAttribute;
           "dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
           "dns/${domain}/keybase-verification-key" = dnsFileAttribute;

configs/nixos/plover/modules/services/gitea.nix

@@ -2,7 +2,7 @@
 # feature in particular to see how this plays out. It might not be toppling
 # over the popular services but it is interesting to see new spaces for this
 # one.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 let
   hostCfg = config.hosts.plover;
@@ -18,7 +18,7 @@ in
 
   config = lib.mkIf cfg.enable (lib.mkMerge [
     {
-      sops.secrets = lib.private.getSecrets ../../secrets/secrets.yaml {
+      sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
         "gitea/db/password".owner = giteaUser;
         "gitea/smtp/password".owner = giteaUser;
       };

configs/nixos/plover/modules/services/grafana.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 let
   hostCfg = config.hosts.plover;
@@ -28,7 +28,7 @@ in
             mode = "0400";
           };
         in
-        lib.private.getSecrets ../../secrets/secrets.yaml {
+        foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
           "grafana/database/password" = grafanaFileAttributes;
           "grafana/users/admin/password" = grafanaFileAttributes;
         };

configs/nixos/plover/modules/services/vaultwarden.nix

@@ -1,6 +1,6 @@
 # An alternative implementation of Bitwarden written in Rust. The project
 # being written in Rust is a insta-self-hosting material right there.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 let
   hostCfg = config.hosts.plover;
@@ -20,7 +20,7 @@ in
 
   config = lib.mkIf cfg.enable (lib.mkMerge [
     {
-      sops.secrets = lib.private.getSecrets ../../secrets/secrets.yaml {
+      sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
         "vaultwarden/env".owner = vaultwardenUser;
       };
 

configs/nixos/plover/modules/services/vouch-proxy.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 let
   hostCfg = config.hosts.plover;
@@ -22,7 +22,7 @@ in
             mode = "0400";
           };
         in
-        lib.private.getSecrets ../../secrets/secrets.yaml {
+        foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
           "vouch-proxy/jwt/secret" = vouchPermissions;
           "vouch-proxy/client/secret" = vouchPermissions;
         };

configs/nixos/plover/modules/services/wireguard.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 
 # Take note this service is heavily based on the hardware networking setup of
 # this host so better stay focused on the hardware configuration on this host.
@@ -29,7 +29,7 @@ in
             mode = "0640";
           };
         in
-        lib.private.getSecrets ../../secrets/secrets.yaml {
+        foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
           "wireguard/private-key" = systemdNetworkdPermission;
           "wireguard/preshared-keys/ni" = systemdNetworkdPermission;
           "wireguard/preshared-keys/phone" = systemdNetworkdPermission;

configs/nixos/winnowing/default.nix

@@ -1,10 +1,10 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, foodogsquaredLib, ... }:
 
 {
   imports = [
     "${modulesPath}/profiles/minimal.nix"
 
-    (lib.private.mapHomeManagerUser "winnow" {
+    (foodogsquaredLib.mapHomeManagerUser "winnow" {
       extraGroups = [
         "wheel"
         "docker"

lib/default.nix

@@ -1,4 +1,4 @@
-# All of the custom functions used for this configuration.
+# All of the custom functions suitable for all environments.
 { lib }:
 
 rec {
@@ -15,52 +15,7 @@ rec {
     lib.count (attr: pred attr.name attr.value)
       (lib.mapAttrsToList lib.nameValuePair attrs);
 
-  /* Get the secrets from a given sops file. This will set the individual
-     attributes `sopsFile` with the given file to not interrupt as much as
-     possible with your own sops-nix workflow.
+  getConfig = type: config: ../configs/${type}/${config};
 
-     Examples:
-      lib.getSecrets ./sops.yaml {
-        ssh-key = { };
-        "borg/ssh-key" = { };
-        "wireguard/private-key" = {
-          group = config.users.users.systemd-network.group;
-          reloadUnits = [ "systemd-networkd.service" ];
-          mode = "0640";
-        };
-      }
-  */
-  getSecrets = sopsFile: secrets:
-    let
-      getKey = key: { inherit key sopsFile; };
-    in
-    lib.mapAttrs
-      (path: attrs:
-        (getKey path) // attrs)
-      secrets;
-
-  /* Prepend a prefix for the given secrets. This allows a workflow for
-     separate sops file.
-
-     Examples:
-       lib.getSecrets ./sops.yaml {
-        ssh-key = { };
-        "borg/ssh-key" = { };
-      } //
-      (lib.getSecrets ./wireguard.yaml
-        (lib.attachSopsPathPrefix "wireguard" {
-          "private-key" = {
-            group = config.users.users.systemd-network.group;
-            reloadUnits = [ "systemd-networkd.service" ];
-            mode = "0640";
-          };
-        }))
-  */
-  attachSopsPathPrefix = prefix: secrets:
-    lib.mapAttrs'
-      (key: settings:
-        lib.nameValuePair
-          "${prefix}/${key}"
-          ({ inherit key; } // settings))
-      secrets;
+  getUser = type: user: ../configs/${type}/_users/${user};
 }

lib/extras/extend-lib.nix

@@ -1,16 +0,0 @@
-# A lambda suitable to be used for `pkgs.lib.extend`.
-self: super:
-let
-  publicLib = import ../. { lib = super; };
-in
-{
-  inherit (publicLib) countAttrs getSecrets attachSopsPathPrefix;
-
-  # Until I figure out how to properly add them only for their respective
-  # environment, this is the working solution for now. Not really perfect
-  # since we use one nixpkgs instance for each configuration (home-manager or
-  # otherwise).
-  private = publicLib
-    // import ../private.nix { lib = self; }
-    // import ../home-manager.nix { lib = self; };
-}

lib/extras/home-manager-set.nix

@@ -0,0 +1,6 @@
+# The home-manager set.
+{ lib }:
+
+import ../default.nix { inherit lib; }
+// import ../home-manager.nix { inherit lib; }
+// { sops-nix = import ../sops.nix { inherit lib; }; }

lib/extras/nixos-set.nix

@@ -0,0 +1,6 @@
+# The NixOS library set.
+{ lib }:
+
+import ../default.nix { inherit lib; }
+// import ../home-manager.nix { inherit lib; }
+// { sops-nix = import ../sops.nix { inherit lib; }; }

lib/extras/nixvim-set.nix

@@ -0,0 +1,4 @@
+# NixVim library set.
+{ lib }:
+
+import ../default.nix { inherit lib; }

lib/nixos.nix

@@ -1,5 +1,4 @@
-# This is just a library intended solely for this flake.
-# It is expected to use the nixpkgs library with `lib/default.nix`.
+# All of the functions suitable only for NixOS.
 { lib }:
 
 rec {
@@ -22,7 +21,7 @@ rec {
             home.homeDirectory = homeDirectory;
           }
 
-          (getConfig "home-manager" user)
+          ../configs/home-manager/${user}
         ];
       };
 
@@ -31,8 +30,4 @@ rec {
         settings
       ];
     });
-
-  getConfig = type: config: ../configs/${type}/${config};
-
-  getUser = type: user: ../configs/${type}/_users/${user};
 }

lib/sops.nix

@@ -0,0 +1,53 @@
+# A library specifically for environments with sops-nix.
+{ lib }:
+
+{
+  /* Get the secrets from a given sops file. This will set the individual
+     attributes `sopsFile` with the given file to not interrupt as much as
+     possible with your own sops-nix workflow.
+
+     Examples:
+      lib.getSecrets ./sops.yaml {
+        ssh-key = { };
+        "borg/ssh-key" = { };
+        "wireguard/private-key" = {
+          group = config.users.users.systemd-network.group;
+          reloadUnits = [ "systemd-networkd.service" ];
+          mode = "0640";
+        };
+      }
+  */
+  getSecrets = sopsFile: secrets:
+    let
+      getKey = key: { inherit key sopsFile; };
+    in
+    lib.mapAttrs
+      (path: attrs:
+        (getKey path) // attrs)
+      secrets;
+
+  /* Prepend a prefix for the given secrets. This allows a workflow for
+     separate sops file.
+
+     Examples:
+       lib.getSecrets ./sops.yaml {
+        ssh-key = { };
+        "borg/ssh-key" = { };
+      } //
+      (lib.getSecrets ./wireguard.yaml
+        (lib.attachSopsPathPrefix "wireguard" {
+          "private-key" = {
+            group = config.users.users.systemd-network.group;
+            reloadUnits = [ "systemd-networkd.service" ];
+            mode = "0640";
+          };
+        }))
+  */
+  attachSopsPathPrefix = prefix: secrets:
+    lib.mapAttrs'
+      (key: settings:
+        lib.nameValuePair
+          "${prefix}/${key}"
+          ({ inherit key; } // settings))
+      secrets;
+}

modules/flake-parts/setups/home-manager.nix

@@ -22,7 +22,7 @@ let
       };
 
       inherit pkgs;
-      lib = pkgs.lib.extend (import ../../../lib/extras/extend-lib.nix);
+      lib = pkgs.lib;
       modules = extraModules;
     };
 
@@ -236,6 +236,11 @@ in
     setups.home-manager.sharedModules = [
       homeManagerModules
 
+      ({ lib, ... }: {
+        _module.args.foodogsquaredLib =
+          import ../../../lib/extras/home-manager-set.nix { inherit lib; };
+      })
+
       # Import our private modules...
       ../../home-manager/_private
     ];

modules/flake-parts/setups/nixos.nix

@@ -18,7 +18,7 @@ let
       nixpkgs = inputs.${nixpkgsBranch};
 
       # Just to be sure, we'll use everything with the given nixpkgs' stdlib.
-      lib' = nixpkgs.lib.extend (import ../../../lib/extras/extend-lib.nix);
+      lib = nixpkgs.lib;
 
       # A modified version of `nixosSystem` from nixpkgs flake. There is a
       # recent change at nixpkgs (at 039f73f134546e59ec6f1b56b4aff5b81d889f64)
@@ -26,11 +26,10 @@ let
       # evaluate the NixOS system ourselves.
       nixosSystem = args: import "${nixpkgs}/nixos/lib/eval-config.nix" args;
     in
-    (lib'.makeOverridable nixosSystem) {
+    (lib.makeOverridable nixosSystem) {
       specialArgs = {
         foodogsquaredModulesPath = builtins.toString nixosModules;
       };
-      lib = lib';
       modules = extraModules ++ [{
         nixpkgs.hostPlatform = lib.mkForce system;
       }];
@@ -515,6 +514,11 @@ in
       # Import our private modules.
       ../../nixos/_private
 
+      ({ lib, ... }: {
+        _module.args.foodogsquaredLib =
+          import ../../../lib/extras/nixos-set.nix { inherit lib; };
+      })
+
       # Set the home-manager-related settings.
       ({ lib, ... }: {
         home-manager.sharedModules = partsConfig.setups.home-manager.sharedModules;

modules/flake-parts/setups/nixvim.nix

@@ -102,7 +102,14 @@ in
   };
 
   config = lib.mkIf (cfg.configs != { }) {
-    setups.nixvim.sharedModules = [ nixvimModules ];
+    setups.nixvim.sharedModules = [
+      nixvimModules
+
+      ({ lib, ... }: {
+        _module.args.foodogsquaredLib =
+          import ../../../lib/extras/nixvim-set.nix { inherit lib; };
+      })
+    ];
 
     perSystem = { system, config, lib, ... }:
       (

modules/nixos/workflows/default.nix

@@ -23,7 +23,11 @@ in {
   config = {
     assertions = [{
       assertion =
-        let enabledThemes = lib.countAttrs (_: theme: theme.enable) cfg.workflows;
+        let
+          countAttrs = pred: attrs:
+            lib.count (attr: pred attr.name attr.value)
+                      (lib.mapAttrsToList lib.nameValuePair attrs);
+          enabledThemes = countAttrs (_: theme: theme.enable) cfg.workflows;
         in cfg.disableLimit || (enabledThemes <= 1);
       message = "Can't have more than one theme enabled at any given time.";
     }];