flake-parts/setups: set separate namespace for custom library

This at least allows us to make custom environment-specific library sets.
2025-04-24 18:19:11 +00:00 · 2024-02-11 15:16:25 +08:00 · 2024-02-11 15:16:25 +08:00 · a4177f9382
commit a4177f9382
parent 95b3e7bc2e
27 changed files with 151 additions and 123 deletions
--- a/apps/run-workflow-with-vm/configuration.nix
+++ b/apps/run-workflow-with-vm/configuration.nix
@ -6,7 +6,7 @@
 let
  pkgs = import <nixpkgs> { };
  config' = import <config> { };
-  lib = pkgs.lib.extend (import <config/lib/extras/extend-lib.nix>);
+  lib = pkgs.lib;
 in
 import <nixpkgs/nixos/lib/eval-config.nix> {
  inherit lib;
@ -41,9 +41,14 @@ import <nixpkgs/nixos/lib/eval-config.nix> {
          <sops-nix/modules/home-manager/sops.nix>
          ({ config, lib, ... }: {
            xdg.userDirs.createDirectories = lib.mkForce true;
            _module.args.foodogsquaredLib =
              import ../../lib/extras/home-manager-set.nix { inherit lib; };
          })
        ];
        _module.args.foodogsquaredLib =
          import ../../lib/extras/nixos-set.nix { inherit lib; };
        workflows.workflows.${workflow}.enable = true;
        nixpkgs.overlays = [
--- a/configs/home-manager/foo-dogsquared/default.nix
+++ b/configs/home-manager/foo-dogsquared/default.nix
@ -1,4 +1,4 @@
-{ config, lib, options, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 {
  imports = [ ./modules ];
@ -32,7 +32,7 @@
  # The keyfile required to decrypt the secrets.
  sops.age.keyFile = "${config.xdg.configHome}/age/user";
-  sops.secrets = lib.private.getSecrets ./secrets/secrets.yaml {
+  sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets/secrets.yaml {
    davfs2-credentials = {
      path = "${config.home.homeDirectory}/.davfs2/davfs2.conf";
    };
--- a/configs/nixos/_users/plover/default.nix
+++ b/configs/nixos/_users/plover/default.nix
@ -1,9 +1,9 @@
 # This is the user that is often used for servers.
-{ lib, pkgs, ... }:
+{ lib, pkgs, foodogsquaredLib, ... }:
 let
  user = "plover";
-  homeManagerUser = lib.private.getConfig "home-manager" user;
+  homeManagerUser = foodogsquaredLib.getConfig "home-manager" user;
 in
 {
  users.users.${user} = {
--- a/configs/nixos/ni/default.nix
+++ b/configs/nixos/ni/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, foodogsquaredModulesPath, ... }:
+{ config, pkgs, lib, foodogsquaredLib, foodogsquaredModulesPath, ... }:
 {
  imports = [
@ -33,7 +33,7 @@
    type = "ed25519";
  }];
-  sops.secrets = lib.private.getSecrets ./secrets/secrets.yaml {
+  sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets/secrets.yaml {
    "ssh-key" = { };
  };
--- a/configs/nixos/ni/modules/networking/wireguard.nix
+++ b/configs/nixos/ni/modules/networking/wireguard.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 let
  hostCfg = config.hosts.ni;
@ -31,7 +31,7 @@ in
    {
      environment.systemPackages = with pkgs; [ wireguard-tools ];
      networking.firewall.allowedUDPPorts = [ wireguardPort ];
-      sops.secrets = lib.private.getSecrets ../../secrets/secrets.yaml {
+      sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
        "wireguard/private-key" = { };
        "wireguard/preshared-keys/plover" = { };
        "wireguard/preshared-keys/phone" = { };
--- a/configs/nixos/ni/modules/services/backup/default.nix
+++ b/configs/nixos/ni/modules/services/backup/default.nix
@ -1,5 +1,5 @@
 # It's a setup for my backup.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 let
  hostCfg = config.hosts.ni;
@ -47,9 +47,9 @@ in
    lib.mkEnableOption "backup setup with BorgBackup";
  config = lib.mkIf cfg.enable {
-    sops.secrets = lib.private.getSecrets
+    sops.secrets = foodogsquaredLib.sops-nix.getSecrets
      ./secrets.yaml
-      (lib.private.attachSopsPathPrefix pathPrefix {
+      (foodogsquaredLib.sops-nix.attachSopsPathPrefix pathPrefix {
        "patterns/home" = { };
        "patterns/etc" = { };
        "patterns/keys" = { };
@ -94,18 +94,18 @@ in
        startAt = "04:30";
      };
-      remote-backup-hetzner-box = borgJobCommonSetting
+      #remote-backup-hetzner-box = borgJobCommonSetting
-        {
+      #  {
-          patterns = with config.sops; [
+      #    patterns = with config.sops; [
-            secrets."${pathPrefix}/patterns/remote-backup".path
+      #      secrets."${pathPrefix}/patterns/remote-backup".path
-          ];
+      #    ];
-          passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/hetzner-box/password".path}";
+      #    passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/hetzner-box/password".path}";
-        } // {
+      #  } // {
-        doInit = true;
+      #  doInit = true;
-        repo = "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";
+      #  repo = "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";
-        startAt = "04:30";
+      #  startAt = "04:30";
-        environment.BORG_RSH = "ssh -i ${config.sops.secrets."${pathPrefix}/ssh-key".path}";
+      #  environment.BORG_RSH = "ssh -i ${config.sops.secrets."${pathPrefix}/ssh-key".path}";
-      };
+      #};
    };
    programs.ssh.extraConfig = ''
--- a/configs/nixos/ni/modules/services/download-media/default.nix
+++ b/configs/nixos/ni/modules/services/download-media/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 let
  hostCfg = config.hosts.ni;
@ -95,7 +95,7 @@ in
    {
      environment.systemPackages = [ ytdlpArchiveVariant ];
-      sops.secrets = lib.private.getSecrets ./secrets.yaml
+      sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets.yaml
        (lib.attachSopsPathPrefix pathPrefix {
          "secrets-config" = { };
        });
--- a/configs/nixos/plover/default.nix
+++ b/configs/nixos/plover/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, foodogsquaredModulesPath, ... }:
+{ config, lib, pkgs, foodogsquaredLib, foodogsquaredModulesPath, ... }:
 {
  imports = [
@ -8,8 +8,8 @@
    ./modules/profiles/hetzner-cloud-cx21.nix
    # The users for this host.
-    (lib.private.getUser "nixos" "admin")
+    (foodogsquaredLib.getUser "nixos" "admin")
-    (lib.private.getUser "nixos" "plover")
+    (foodogsquaredLib.getUser "nixos" "plover")
    "${foodogsquaredModulesPath}/profiles/headless.nix"
    "${foodogsquaredModulesPath}/profiles/hardened.nix"
@ -45,7 +45,7 @@
  # Offline SSH!?!
  programs.mosh.enable = true;
-  sops.secrets = lib.private.getSecrets ./secrets/secrets.yaml {
+  sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets/secrets.yaml {
    "ssh-key" = { };
    "lego/env" = { };
  };
--- a/configs/nixos/plover/modules/services/backup.nix
+++ b/configs/nixos/plover/modules/services/backup.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 let
  hostCfg = config.hosts.plover;
@ -49,7 +49,7 @@ in
    lib.mkEnableOption "backup service";
  config = lib.mkIf cfg.enable {
-    sops.secrets = lib.private.getSecrets ../../secrets/secrets.yaml {
+    sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
      "borg/repos/host/patterns/keys" = { };
      "borg/repos/host/password" = { };
      "borg/repos/services/password" = { };
--- a/configs/nixos/plover/modules/services/dns-server.nix
+++ b/configs/nixos/plover/modules/services/dns-server.nix
@ -1,7 +1,7 @@
 # The DNS server for my domains. Take note it uses a hidden master setup with
 # the secondary nameservers of the service (as of 2023-10-05, we're using
 # Hetzner's secondary nameservers).
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 let
  hostCfg = config.hosts.plover;
@ -46,7 +46,7 @@ in
            mode = "0400";
          };
        in
-        lib.private.getSecrets ../../secrets/secrets.yaml {
+        foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
          "dns/${domain}/mailbox-security-key" = dnsFileAttribute;
          "dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
          "dns/${domain}/keybase-verification-key" = dnsFileAttribute;
--- a/configs/nixos/plover/modules/services/gitea.nix
+++ b/configs/nixos/plover/modules/services/gitea.nix
@ -2,7 +2,7 @@
 # feature in particular to see how this plays out. It might not be toppling
 # over the popular services but it is interesting to see new spaces for this
 # one.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 let
  hostCfg = config.hosts.plover;
@ -18,7 +18,7 @@ in
  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
-      sops.secrets = lib.private.getSecrets ../../secrets/secrets.yaml {
+      sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
        "gitea/db/password".owner = giteaUser;
        "gitea/smtp/password".owner = giteaUser;
      };
--- a/configs/nixos/plover/modules/services/grafana.nix
+++ b/configs/nixos/plover/modules/services/grafana.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 let
  hostCfg = config.hosts.plover;
@ -28,7 +28,7 @@ in
            mode = "0400";
          };
        in
-        lib.private.getSecrets ../../secrets/secrets.yaml {
+        foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
          "grafana/database/password" = grafanaFileAttributes;
          "grafana/users/admin/password" = grafanaFileAttributes;
        };
--- a/configs/nixos/plover/modules/services/vaultwarden.nix
+++ b/configs/nixos/plover/modules/services/vaultwarden.nix
@ -1,6 +1,6 @@
 # An alternative implementation of Bitwarden written in Rust. The project
 # being written in Rust is a insta-self-hosting material right there.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 let
  hostCfg = config.hosts.plover;
@ -20,7 +20,7 @@ in
  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
-      sops.secrets = lib.private.getSecrets ../../secrets/secrets.yaml {
+      sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
        "vaultwarden/env".owner = vaultwardenUser;
      };
--- a/configs/nixos/plover/modules/services/vouch-proxy.nix
+++ b/configs/nixos/plover/modules/services/vouch-proxy.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 let
  hostCfg = config.hosts.plover;
@ -22,7 +22,7 @@ in
            mode = "0400";
          };
        in
-        lib.private.getSecrets ../../secrets/secrets.yaml {
+        foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
          "vouch-proxy/jwt/secret" = vouchPermissions;
          "vouch-proxy/client/secret" = vouchPermissions;
        };
--- a/configs/nixos/plover/modules/services/wireguard.nix
+++ b/configs/nixos/plover/modules/services/wireguard.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, foodogsquaredLib, ... }:
 # Take note this service is heavily based on the hardware networking setup of
 # this host so better stay focused on the hardware configuration on this host.
@ -29,7 +29,7 @@ in
            mode = "0640";
          };
        in
-        lib.private.getSecrets ../../secrets/secrets.yaml {
+        foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
          "wireguard/private-key" = systemdNetworkdPermission;
          "wireguard/preshared-keys/ni" = systemdNetworkdPermission;
          "wireguard/preshared-keys/phone" = systemdNetworkdPermission;
--- a/configs/nixos/winnowing/default.nix
+++ b/configs/nixos/winnowing/default.nix
@ -1,10 +1,10 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, foodogsquaredLib, ... }:
 {
  imports = [
    "${modulesPath}/profiles/minimal.nix"
-    (lib.private.mapHomeManagerUser "winnow" {
+    (foodogsquaredLib.mapHomeManagerUser "winnow" {
      extraGroups = [
        "wheel"
        "docker"
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,4 +1,4 @@
-# All of the custom functions used for this configuration.
+# All of the custom functions suitable for all environments.
 { lib }:
 rec {
@ -15,52 +15,7 @@ rec {
    lib.count (attr: pred attr.name attr.value)
      (lib.mapAttrsToList lib.nameValuePair attrs);
-  /* Get the secrets from a given sops file. This will set the individual
+  getConfig = type: config: ../configs/${type}/${config};
     attributes `sopsFile` with the given file to not interrupt as much as
     possible with your own sops-nix workflow.
-     Examples:
+  getUser = type: user: ../configs/${type}/_users/${user};
      lib.getSecrets ./sops.yaml {
        ssh-key = { };
        "borg/ssh-key" = { };
        "wireguard/private-key" = {
          group = config.users.users.systemd-network.group;
          reloadUnits = [ "systemd-networkd.service" ];
          mode = "0640";
        };
      }
  */
  getSecrets = sopsFile: secrets:
    let
      getKey = key: { inherit key sopsFile; };
    in
    lib.mapAttrs
      (path: attrs:
        (getKey path) // attrs)
      secrets;
  /* Prepend a prefix for the given secrets. This allows a workflow for
     separate sops file.
     Examples:
       lib.getSecrets ./sops.yaml {
        ssh-key = { };
        "borg/ssh-key" = { };
      } //
      (lib.getSecrets ./wireguard.yaml
        (lib.attachSopsPathPrefix "wireguard" {
          "private-key" = {
            group = config.users.users.systemd-network.group;
            reloadUnits = [ "systemd-networkd.service" ];
            mode = "0640";
          };
        }))
  */
  attachSopsPathPrefix = prefix: secrets:
    lib.mapAttrs'
      (key: settings:
        lib.nameValuePair
          "${prefix}/${key}"
          ({ inherit key; } // settings))
      secrets;
 }
--- a/lib/extras/extend-lib.nix
+++ b/lib/extras/extend-lib.nix
@ -1,16 +0,0 @@
 # A lambda suitable to be used for `pkgs.lib.extend`.
 self: super:
 let
  publicLib = import ../. { lib = super; };
 in
 {
  inherit (publicLib) countAttrs getSecrets attachSopsPathPrefix;
  # Until I figure out how to properly add them only for their respective
  # environment, this is the working solution for now. Not really perfect
  # since we use one nixpkgs instance for each configuration (home-manager or
  # otherwise).
  private = publicLib
    // import ../private.nix { lib = self; }
    // import ../home-manager.nix { lib = self; };
 }
--- a/lib/extras/home-manager-set.nix
+++ b/lib/extras/home-manager-set.nix
@ -0,0 +1,6 @@
 # The home-manager set.
 { lib }:
 import ../default.nix { inherit lib; }
 // import ../home-manager.nix { inherit lib; }
 // { sops-nix = import ../sops.nix { inherit lib; }; }
--- a/lib/extras/nixos-set.nix
+++ b/lib/extras/nixos-set.nix
@ -0,0 +1,6 @@
 # The NixOS library set.
 { lib }:
 import ../default.nix { inherit lib; }
 // import ../home-manager.nix { inherit lib; }
 // { sops-nix = import ../sops.nix { inherit lib; }; }
--- a/lib/extras/nixvim-set.nix
+++ b/lib/extras/nixvim-set.nix
@ -0,0 +1,4 @@
 # NixVim library set.
 { lib }:
 import ../default.nix { inherit lib; }
--- a/lib/private.nix
+++ b/lib/private.nix
@ -1,5 +1,4 @@
-# This is just a library intended solely for this flake.
+# All of the functions suitable only for NixOS.
 # It is expected to use the nixpkgs library with `lib/default.nix`.
 { lib }:
 rec {
@ -22,7 +21,7 @@ rec {
            home.homeDirectory = homeDirectory;
          }
-          (getConfig "home-manager" user)
+          ../configs/home-manager/${user}
        ];
      };
@ -31,8 +30,4 @@ rec {
        settings
      ];
    });
  getConfig = type: config: ../configs/${type}/${config};
  getUser = type: user: ../configs/${type}/_users/${user};
 }
--- a/lib/sops.nix
+++ b/lib/sops.nix
@ -0,0 +1,53 @@
 # A library specifically for environments with sops-nix.
 { lib }:
 {
  /* Get the secrets from a given sops file. This will set the individual
     attributes `sopsFile` with the given file to not interrupt as much as
     possible with your own sops-nix workflow.
     Examples:
      lib.getSecrets ./sops.yaml {
        ssh-key = { };
        "borg/ssh-key" = { };
        "wireguard/private-key" = {
          group = config.users.users.systemd-network.group;
          reloadUnits = [ "systemd-networkd.service" ];
          mode = "0640";
        };
      }
  */
  getSecrets = sopsFile: secrets:
    let
      getKey = key: { inherit key sopsFile; };
    in
    lib.mapAttrs
      (path: attrs:
        (getKey path) // attrs)
      secrets;
  /* Prepend a prefix for the given secrets. This allows a workflow for
     separate sops file.
     Examples:
       lib.getSecrets ./sops.yaml {
        ssh-key = { };
        "borg/ssh-key" = { };
      } //
      (lib.getSecrets ./wireguard.yaml
        (lib.attachSopsPathPrefix "wireguard" {
          "private-key" = {
            group = config.users.users.systemd-network.group;
            reloadUnits = [ "systemd-networkd.service" ];
            mode = "0640";
          };
        }))
  */
  attachSopsPathPrefix = prefix: secrets:
    lib.mapAttrs'
      (key: settings:
        lib.nameValuePair
          "${prefix}/${key}"
          ({ inherit key; } // settings))
      secrets;
 }
--- a/modules/flake-parts/setups/home-manager.nix
+++ b/modules/flake-parts/setups/home-manager.nix
@ -22,7 +22,7 @@ let
      };
      inherit pkgs;
-      lib = pkgs.lib.extend (import ../../../lib/extras/extend-lib.nix);
+      lib = pkgs.lib;
      modules = extraModules;
    };
@ -236,6 +236,11 @@ in
    setups.home-manager.sharedModules = [
      homeManagerModules
      ({ lib, ... }: {
        _module.args.foodogsquaredLib =
          import ../../../lib/extras/home-manager-set.nix { inherit lib; };
      })
      # Import our private modules...
      ../../home-manager/_private
    ];
--- a/modules/flake-parts/setups/nixos.nix
+++ b/modules/flake-parts/setups/nixos.nix
@ -18,7 +18,7 @@ let
      nixpkgs = inputs.${nixpkgsBranch};
      # Just to be sure, we'll use everything with the given nixpkgs' stdlib.
-      lib' = nixpkgs.lib.extend (import ../../../lib/extras/extend-lib.nix);
+      lib = nixpkgs.lib;
      # A modified version of `nixosSystem` from nixpkgs flake. There is a
      # recent change at nixpkgs (at 039f73f134546e59ec6f1b56b4aff5b81d889f64)
@ -26,11 +26,10 @@ let
      # evaluate the NixOS system ourselves.
      nixosSystem = args: import "${nixpkgs}/nixos/lib/eval-config.nix" args;
    in
-    (lib'.makeOverridable nixosSystem) {
+    (lib.makeOverridable nixosSystem) {
      specialArgs = {
        foodogsquaredModulesPath = builtins.toString nixosModules;
      };
      lib = lib';
      modules = extraModules ++ [{
        nixpkgs.hostPlatform = lib.mkForce system;
      }];
@ -515,6 +514,11 @@ in
      # Import our private modules.
      ../../nixos/_private
      ({ lib, ... }: {
        _module.args.foodogsquaredLib =
          import ../../../lib/extras/nixos-set.nix { inherit lib; };
      })
      # Set the home-manager-related settings.
      ({ lib, ... }: {
        home-manager.sharedModules = partsConfig.setups.home-manager.sharedModules;
--- a/modules/flake-parts/setups/nixvim.nix
+++ b/modules/flake-parts/setups/nixvim.nix
@ -102,7 +102,14 @@ in
  };
  config = lib.mkIf (cfg.configs != { }) {
-    setups.nixvim.sharedModules = [ nixvimModules ];
+    setups.nixvim.sharedModules = [
      nixvimModules
      ({ lib, ... }: {
        _module.args.foodogsquaredLib =
          import ../../../lib/extras/nixvim-set.nix { inherit lib; };
      })
    ];
    perSystem = { system, config, lib, ... }:
      (
--- a/modules/nixos/workflows/default.nix
+++ b/modules/nixos/workflows/default.nix
@ -23,7 +23,11 @@ in {
  config = {
    assertions = [{
      assertion =
-        let enabledThemes = lib.countAttrs (_: theme: theme.enable) cfg.workflows;
+        let
          countAttrs = pred: attrs:
            lib.count (attr: pred attr.name attr.value)
                      (lib.mapAttrsToList lib.nameValuePair attrs);
          enabledThemes = countAttrs (_: theme: theme.enable) cfg.workflows;
        in cfg.disableLimit || (enabledThemes <= 1);
      message = "Can't have more than one theme enabled at any given time.";
    }];