171 lines
3.7 KiB
Nix
171 lines
3.7 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
mkHost =
|
|
{
|
|
name,
|
|
displays ? { },
|
|
input ? { },
|
|
sourceControl ? { },
|
|
users ? { },
|
|
imports ? [ ],
|
|
stateVersion ? "24.05",
|
|
}:
|
|
{
|
|
meta.host = {
|
|
inherit
|
|
displays
|
|
input
|
|
name
|
|
sourceControl
|
|
users
|
|
;
|
|
};
|
|
|
|
inherit imports;
|
|
|
|
networking.hostName = name;
|
|
system.stateVersion = stateVersion;
|
|
};
|
|
|
|
mkCaddyReverseProxy =
|
|
{
|
|
domain,
|
|
port,
|
|
extraHeaders ? [ ],
|
|
extraConfigText ? "",
|
|
}:
|
|
let
|
|
headerLines = map (header: " header_up ${header.name} ${header.value}") extraHeaders;
|
|
extraConfigLines = map (line: " ${line}") (
|
|
lib.filter (line: line != "") (lib.splitString "\n" extraConfigText)
|
|
);
|
|
bodyLines = headerLines ++ extraConfigLines;
|
|
body = lib.concatStringsSep "\n" bodyLines;
|
|
in
|
|
{
|
|
services.caddy.virtualHosts.${domain}.extraConfig =
|
|
if body == "" then
|
|
"reverse_proxy :${toString port}"
|
|
else
|
|
''
|
|
reverse_proxy :${toString port} {
|
|
${body}
|
|
}
|
|
'';
|
|
};
|
|
|
|
resolvePackagePath =
|
|
{
|
|
pkgs,
|
|
path,
|
|
}:
|
|
lib.attrByPath path null pkgs;
|
|
|
|
mkHostUser =
|
|
{
|
|
account,
|
|
homeImports,
|
|
needsPassword ? false,
|
|
stateVersion ? "24.05",
|
|
}:
|
|
{
|
|
config,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
name = account.name;
|
|
primaryEmails = lib.filter (email: email.primary) (builtins.attrValues account.emails);
|
|
in
|
|
{
|
|
assertions = [
|
|
{
|
|
assertion = builtins.length primaryEmails == 1;
|
|
message = "User ${name} must define exactly one primary email entry.";
|
|
}
|
|
];
|
|
|
|
programs.zsh.enable = true;
|
|
|
|
sops.secrets = lib.optionalAttrs needsPassword {
|
|
"hashed-password-${name}".neededForUsers = true;
|
|
};
|
|
|
|
users.users.${name} = {
|
|
name = account.name;
|
|
home = account.homeDirectory;
|
|
isNormalUser = true;
|
|
shell = pkgs.zsh;
|
|
extraGroups = [
|
|
"wheel"
|
|
"networkmanager"
|
|
];
|
|
}
|
|
// lib.optionalAttrs needsPassword {
|
|
hashedPasswordFile = config.sops.secrets."hashed-password-${name}".path;
|
|
};
|
|
|
|
home-manager.users.${name} = {
|
|
imports = homeImports;
|
|
meta = {
|
|
host = config.meta.host;
|
|
user = account;
|
|
};
|
|
home = {
|
|
username = account.name;
|
|
homeDirectory = account.homeDirectory;
|
|
inherit stateVersion;
|
|
};
|
|
};
|
|
};
|
|
in
|
|
{
|
|
options.meta.lib.mkHost = lib.mkOption {
|
|
type = lib.types.raw;
|
|
description = "Internal host constructor shared between flake-parts modules.";
|
|
internal = true;
|
|
readOnly = true;
|
|
};
|
|
|
|
options.meta.lib.mkCaddyReverseProxy = lib.mkOption {
|
|
type = lib.types.raw;
|
|
description = "Internal Caddy reverse proxy helper shared between flake-parts modules.";
|
|
internal = true;
|
|
readOnly = true;
|
|
};
|
|
|
|
options.meta.lib.mkHostUser = lib.mkOption {
|
|
type = lib.types.raw;
|
|
description = "Internal helper for explicit per-host user assembly.";
|
|
internal = true;
|
|
readOnly = true;
|
|
};
|
|
|
|
options.meta.lib.resolvePackagePath = lib.mkOption {
|
|
type = lib.types.raw;
|
|
description = "Internal helper to resolve package attr paths against the local pkgs set.";
|
|
internal = true;
|
|
readOnly = true;
|
|
};
|
|
|
|
options.meta.lib.users = lib.mkOption {
|
|
type = lib.types.attrs;
|
|
description = "Canonical user attrsets shared by host definitions.";
|
|
internal = true;
|
|
readOnly = true;
|
|
};
|
|
|
|
config.meta.lib = {
|
|
inherit
|
|
mkCaddyReverseProxy
|
|
mkHost
|
|
mkHostUser
|
|
resolvePackagePath
|
|
;
|
|
};
|
|
}
|