Merge branch 'restructure2' into 'master'

Hosts Restructuring

See merge request private-void/depot!45

cluster/default.nix

@@ -1,6 +1,9 @@
-{ lib, hostName }:
+{ lib, depot, hostName }:
 
 lib.evalModules {
+  specialArgs = {
+    inherit depot;
+  };
   modules = [
     # Arbitrary variables to reference across multiple services
     ./lib/vars
@@ -10,7 +13,6 @@ lib.evalModules {
     ../modules/port-magic
 
     ../tools/inject.nix
-    ./lib/load-hosts.nix
     ./lib/services.nix
     ./lib/inject-nixos-config.nix
     ./lib/port-magic-multi.nix

cluster/inject.nix

@@ -1,8 +1,8 @@
 hostName:
-{ lib, ... }:
+{ depot, lib, ... }:
 
 let
-  cluster = import ./. { inherit lib hostName; };
+  cluster = import ./. { inherit lib depot hostName; };
 in
 
 {

cluster/lib/load-hosts.nix

@@ -1,9 +0,0 @@
-{ config, lib, ... }:
-let
-  hosts = import ../../hosts;
-  self = hosts.${config.vars.hostName};
-  others = lib.filterAttrs (_: host: host != self) hosts;
-in
-{
-  config.vars.hosts = hosts // { inherit self others; };
-}

cluster/services/consul/remote-api.nix

@@ -1,16 +1,14 @@
-{ config, cluster, hosts, lib, tools, ... }:
+{ config, cluster, depot, lib, tools, ... }:
 
 let
   inherit (tools.meta) domain;
-  inherit (config.networking) hostName;
+  inherit (depot.reflection) hyprspace;
-
-  hyprspaceConfig = hosts.${hostName}.hypr;
   frontendDomain = "consul-remote.internal.${domain}";
 in
 
 {
   services.nginx.virtualHosts.${frontendDomain} = tools.nginx.vhosts.proxy "http://127.0.0.1:8500" // {
-    listenAddresses = lib.singleton hyprspaceConfig.addr;
+    listenAddresses = lib.singleton hyprspace.addr;
     enableACME = false;
     useACMEHost = "internal.${domain}";
   };
@@ -20,13 +18,13 @@ in
     mode = "external";
     definition = {
       name = "consul-remote";
-      address = hyprspaceConfig.addr;
+      address = hyprspace.addr;
       port = 443;
       checks = [
         {
           name = "Frontend";
           id = "service:consul-remote:frontend";
-          http = "https://${hyprspaceConfig.addr}/v1/status/leader";
+          http = "https://${hyprspace.addr}/v1/status/leader";
           tls_server_name = frontendDomain;
           interval = "60s";
         }

cluster/services/dns/authoritative.nix

@@ -1,7 +1,7 @@
-{ cluster, config, hosts, lib, tools, ... }:
+{ cluster, config, depot, lib, tools, ... }:
 
 let
-  inherit (hosts.${config.networking.hostName}) interfaces;
+  inherit (depot.reflection) interfaces;
   inherit (tools.meta) domain;
 
   patroni = cluster.config.links.patroni-pg-access;

cluster/services/dns/coredns.nix

@@ -1,10 +1,10 @@
-{ config, hosts, inputs, lib, pkgs, tools, ... }:
+{ config, depot, lib, pkgs, tools, ... }:
 
 let
-  inherit (hosts.${config.networking.hostName}) interfaces;
+  inherit (depot.reflection) interfaces;
   inherit (tools.meta) domain;
   inherit (config.links) localRecursor;
-  inherit (inputs.self.packages.${pkgs.system}) stevenblack-hosts;
+  inherit (depot.packages) stevenblack-hosts;
   dot = config.security.acme.certs."securedns.${domain}";
 in
 

cluster/services/dns/default.nix

@@ -1,7 +1,7 @@
-{ config, ... }:
+{ config, depot, ... }:
 
 let
-  inherit (config.vars) hosts;
+  inherit (depot.config) hours;
 in
 {
   vars.pdns-api-key-secret = {
@@ -10,7 +10,7 @@ in
   };
   links = {
     dnsResolver = {
-      ipv4 = hosts.VEGAS.interfaces.vstub.addr;
+      ipv4 = hours.VEGAS.interfaces.vstub.addr;
       port = 53;
     };
     powerdns-api = {

cluster/services/hercules-ci-multi-agent/common.nix

@@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, ... }:
+{ config, depot, lib, pkgs, ... }:
 
 let
   mapAgents = lib.flip lib.mapAttrs config.services.hercules-ci-agents;
@@ -17,7 +17,7 @@ let
 in
 {
   imports = [
-    inputs.hercules-ci-agent.nixosModules.multi-agent-service
+    depot.inputs.hercules-ci-agent.nixosModules.multi-agent-service
   ];
 
   age.secrets = mergeMap (name: _: {

cluster/services/hercules-ci-multi-agent/orgs/max.nix

@@ -1,8 +1,8 @@
-{ config, lib, inputs, pkgs, ... }:
+{ config, lib, depot, pkgs, ... }:
 
 {
   services.hercules-ci-agents.max = {
-    package = lib.mkForce inputs.self.packages.${pkgs.system}.hercules-ci-agent;
+    package = lib.mkForce depot.packages.hercules-ci-agent;
     settings = {
       clusterJoinTokenPath = config.age.secrets.hci-token-max.path;
       binaryCachesPath = config.age.secrets.hci-cache-config-max.path;

cluster/services/hercules-ci-multi-agent/orgs/nixpak.nix

@@ -1,8 +1,8 @@
-{ config, lib, inputs, pkgs, ... }:
+{ config, lib, depot, pkgs, ... }:
 
 {
   services.hercules-ci-agents.nixpak = {
-    package = lib.mkForce inputs.self.packages.${pkgs.system}.hercules-ci-agent;
+    package = lib.mkForce depot.packages.hercules-ci-agent;
     settings = {
       clusterJoinTokenPath = config.age.secrets.hci-token-nixpak.path;
       binaryCachesPath = config.age.secrets.hci-cache-config-nixpak.path;

cluster/services/hercules-ci-multi-agent/orgs/private-void.nix

@@ -1,8 +1,8 @@
-{ config, lib, inputs, pkgs, ... }:
+{ config, lib, depot, pkgs, ... }:
 
 {
   services.hercules-ci-agents.private-void = {
-    package = lib.mkForce inputs.self.packages.${pkgs.system}.hercules-ci-agent;
+    package = lib.mkForce depot.packages.hercules-ci-agent;
     settings = {
       clusterJoinTokenPath = config.age.secrets.hci-token-private-void.path;
       binaryCachesPath = config.age.secrets.hci-cache-config-private-void.path;

cluster/services/ipfs/cluster.nix

@@ -1,4 +1,4 @@
-{ aspect, config, inputs, lib, pkgs, tools, ... }:
+{ config, depot, lib, pkgs, tools, ... }:
 
 let
   inherit (tools.meta) domain;
@@ -11,7 +11,7 @@ let
   proxySocket = "/run/ipfs-cluster/ipfs-api-proxy.sock";
 in {
   imports = [
-    aspect.modules.ipfs-cluster
+    depot.nixosModules.ipfs-cluster
   ];
 
   age.secrets = {
@@ -24,7 +24,7 @@ in {
 
   services.ipfs-cluster = {
     enable = true;
-    package = inputs.self.packages.${pkgs.system}.ipfs-cluster;
+    package = depot.packages.ipfs-cluster;
     consensus = "crdt";
     dataDir = "/srv/storage/ipfs/cluster";
     secretFile = config.age.secrets.ipfs-cluster-secret.path;

cluster/services/ipfs/default.nix

@@ -1,8 +1,8 @@
-{ config, lib, tools, ... }:
+{ config, depot, lib, tools, ... }:
 
 {
   hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: let
-    host = config.vars.hosts.${name};
+    host = depot.reflection;
     intf = host.interfaces.primary;
     self = config.hostLinks.${name}.ipfs;
   in {

cluster/services/ipfs/gateway.nix

@@ -1,4 +1,4 @@
-{ config, hosts, tools, ... }:
+{ config, depot, tools, ... }:
 with tools.nginx;
 let
   inherit (tools.meta) domain;
@@ -64,7 +64,7 @@ in
         extraConfig = ''
           access_log off;
           auth_request off;
-          allow ${hosts.VEGAS.interfaces.primary.addr};
+          allow ${depot.config.hours.VEGAS.interfaces.primary.addr};
           deny all;
         '';
       };

cluster/services/ipfs/node.nix

@@ -1,4 +1,4 @@
-{ aspect, cluster, config, inputs, lib, hosts, pkgs, tools, ... }:
+{ cluster, config, depot, lib, pkgs, tools, ... }:
 let
   inherit (tools.meta) domain;
   cfg = config.services.ipfs;
@@ -9,7 +9,7 @@ let
 in
 {
   imports = [
-    aspect.modules.ipfs
+    depot.nixosModules.ipfs
   ];
 
   links.ipfsGateway.protocol = "http";
@@ -21,7 +21,7 @@ in
 
   services.ipfs = {
     enable = true;
-    package = inputs.self.packages.${pkgs.system}.ipfs;
+    package = depot.packages.ipfs;
     startWhenNeeded = false;
     autoMount = true;
     autoMigrate = false;
@@ -40,7 +40,7 @@ in
     extraFlags = [ "--migrate" ];
     extraConfig = {
       Bootstrap = [
-        "/ip4/${hosts.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
+        "/ip4/${depot.config.hours.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
         "/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa"
         "/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb"
         "/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN"

cluster/services/patroni/worker.nix

@@ -1,4 +1,4 @@
-{ aspect, cluster, config, lib, pkgs, ... }:
+{ cluster, config, depot, lib, pkgs, ... }:
 
 let
   inherit (cluster.config) vars;
@@ -14,7 +14,7 @@ in
 
 {
   imports = [
-    aspect.modules.patroni
+    depot.nixosModules.patroni
   ];
 
   age.secrets = lib.mapAttrs (_: file: {

cluster/services/websites/host.nix

@@ -1,9 +1,9 @@
-{ config, inputs, lib, pkgs, tools, ... }:
+{ config, depot, lib, pkgs, tools, ... }:
 
 let
   importWebsites = expr: import expr {
     tools = tools.nginx;
-    packages = inputs.self.packages.${pkgs.system};
+    inherit (depot) packages;
   };
 
   websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);

cluster/services/wireguard/default.nix

@@ -1,7 +1,7 @@
-{ config, ... }:
+{ config, depot, ... }:
 
 let
-  inherit (config.vars) hosts;
+  inherit (depot.config) hours;
 
   meshNet = rec {
     netAddr = "10.1.1.0";
@@ -9,7 +9,7 @@ let
     cidr = "${netAddr}/${toString prefix}";
   };
 
-  getExtAddr = host: host.interfaces.primary.addrPublic or host.interfaces.primary.addr;
+  getExtAddr = host: host.interfaces.primary.addrPublic;
 in
 {
   vars = {
@@ -22,7 +22,7 @@ in
   };
   links = {
     mesh-node-checkmate = {
-      ipv4 = getExtAddr hosts.checkmate;
+      ipv4 = getExtAddr hours.checkmate;
       extra = {
         meshIp = "10.1.1.32";
         inherit meshNet;
@@ -32,17 +32,17 @@ in
       };
     };
     mesh-node-VEGAS = {
-      ipv4 = getExtAddr hosts.VEGAS;
+      ipv4 = getExtAddr hours.VEGAS;
       extra = {
         meshIp = "10.1.1.5";
         inherit meshNet;
         pubKey = "NpeB8O4erGTas1pz6Pt7qtY9k45YV6tcZmvvA4qXoFk=";
         privKeyFile = ./mesh-keys/VEGAS.age;
-        extraRoutes = [ "${hosts.VEGAS.interfaces.vstub.addr}/32" "10.10.0.0/16" ];
+        extraRoutes = [ "${hours.VEGAS.interfaces.vstub.addr}/32" "10.10.0.0/16" ];
       };
     };
     mesh-node-prophet = {
-      ipv4 = getExtAddr hosts.prophet;
+      ipv4 = getExtAddr hours.prophet;
       extra = {
         meshIp = "10.1.1.9";
         inherit meshNet;

flake.nix

@@ -7,88 +7,15 @@
   };
 
   outputs = { self, nixpkgs, flake-parts, ... }@inputs:
-    let
+    flake-parts.lib.mkFlake { inherit inputs; } {
       systems = [ "x86_64-linux" "aarch64-linux" ];
 
-      nixpkgsFor = nixpkgs.legacyPackages;
-
-      inherit (nixpkgs) lib;
-
-      aspect = import ./modules inputs;
-      hosts = import ./hosts;
-
-      nixosHosts' = lib.filterAttrs (_: host: host ? nixos) hosts;
-
-      nixosHosts = lib.attrNames nixosHosts';
-
-      deployableNixosHosts' = lib.filterAttrs (_: host: host ? container -> !host.container) nixosHosts';
-
-      deployableNixosHosts = lib.attrNames deployableNixosHosts';
-
-      meta = import ./tools/meta.nix;
-
-      specialArgs = {
-        inherit inputs hosts aspect;
-        toolsets = import ./tools;
-      };
-      mkNixOS' = lib: name: let host = hosts.${name}; in lib.nixosSystem {
-        inherit specialArgs;
-        system = "${host.arch}-linux";
-        modules = [ host.nixos ./tools/inject.nix (import ./cluster/inject.nix name) ];
-      };
-      mkNixOS = mkNixOS' lib;  
-
-      mkDeployEffect = branch: name: host: let
-        subdomain = host.enterprise.subdomain or "services";
-        hostname = "${lib.toLower name}.${subdomain}.${meta.domain}";
-      in effects.runIf (branch == "master" || branch == "staging") (effects.runNixOS {
-        requiredSystemFeatures = [ "hci-deploy-agent-nixos" ];
-        inherit (self.nixosConfigurations.${name}) config;
-        secretsMap.ssh = "deploy-ssh";
-
-        userSetupScript = ''
-          writeSSHKey ssh
-          cat >>~/.ssh/known_hosts <<EOF
-          ${hostname} ${host.ssh.id.publicKey}
-          EOF
-        '';
-        ssh.destination = "root@${hostname}";
-      });
-
-      mkDeployEffects = branch: hostnames: lib.genAttrs hostnames
-        (name: mkDeployEffect branch name hosts.${name});
-
-      mkDeploy = name: let
-        host = hosts.${name};
-        subdomain = host.enterprise.subdomain or "services";
-        deploy-rs = inputs.deploy-rs.lib."${host.arch}-linux";
-      in {
-        hostname = "${lib.toLower name}.${subdomain}.${meta.domain}";
-        profiles.system = {
-          user = "root";
-          sshUser = "deploy";
-          path = deploy-rs.activate.nixos self.nixosConfigurations.${name};
-        };
-      };
-
-      mkDeployments = hosts: overrides: lib.genAttrs hosts
-        (host: mkDeploy host // (overrides.${host} or {}) );
-
-      effects = inputs.hercules-ci-effects.lib.withPkgs nixpkgsFor.x86_64-linux;
-    in flake-parts.lib.mkFlake { inherit inputs; } {
-      inherit systems;
-      flake = {
-        nixosModules = aspect.modules;
-
-        nixosConfigurations = lib.genAttrs nixosHosts mkNixOS;
-
-        deploy.nodes = mkDeployments deployableNixosHosts {};
-
-        effects = { branch, ... }: mkDeployEffects branch deployableNixosHosts;
-      };
       imports = [
+        inputs.hercules-ci-effects.flakeModule
         inputs.drv-parts.flakeModule
         inputs.dream2nix.flakeModuleBeta
+        ./hosts/part.nix
+        ./modules/part.nix
         ./packages/part.nix
       ];
     };

hosts/VEGAS/default.nix

@@ -1,4 +1,5 @@
 tools: {
+  ssh.enable = true;
   ssh.id = with tools.dns; {
     publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz2nGA+Y4OxhMKsV6vKIns3hOoBkK557712h7FfWXcE";
     hostNames = subResolve "vegas" "backbone";
@@ -15,7 +16,8 @@ tools: {
     };
   };
 
-  hypr = {
+  hyprspace = {
+    enable = true;
     id = "QmYs4xNBby2fTs8RnzfXEk161KD4mftBfCiR8yXtgGPj4J";
     addr = "10.100.3.5";
     listenPort = 995;
@@ -29,6 +31,6 @@ tools: {
     subdomain = "backbone";
   };
 
-  arch = "x86_64";
+  system = "x86_64-linux";
-  nixos = import ./system.nix;
+  nixos = ./system.nix;
 }

hosts/VEGAS/services/backbone-routing/default.nix

@@ -1,6 +1,6 @@
-{ config, hosts, ... }:
+{ config, depot, ... }:
 let
-  inherit (hosts.${config.networking.hostName}) interfaces;
+  inherit (depot.reflection) interfaces;
 in
 {
   imports = [

hosts/VEGAS/services/backbone-routing/port-forward.nix

@@ -1,10 +1,10 @@
-{ hosts, ... }:
+{ depot, ... }:
 
 {
   networking.nat.forwardPorts = [
     {
       sourcePort = 52222;
-      destination = "${hosts.soda.interfaces.primary.addr}:22";
+      destination = "${depot.config.hours.soda.interfaces.primary.addr}:22";
       proto = "tcp";
     }
   ];

hosts/VEGAS/services/mail/postfix.nix

@@ -1,4 +1,4 @@
-{ config, hosts, tools, ... }:
+{ config, depot, tools, ... }:
 let
   inherit (tools.meta) domain;
   certDir = config.security.acme.certs."mail.${domain}".directory;
@@ -10,7 +10,7 @@ let
   lmtpSocket = "lmtp:unix:/run/dovecot2/lmtp";
   postfixLdapMailboxes = "ldap:${config.age.secrets."postfix-ldap-mailboxes.cf".path}";
 
-  inherit (hosts.${config.networking.hostName}) interfaces;
+  inherit (depot.reflection) interfaces;
 in
 {
   age.secrets."postfix-ldap-mailboxes.cf" = {

hosts/VEGAS/services/matrix/web-client.nix

@@ -1,7 +1,7 @@
-{ inputs, lib, pkgs, tools, ... }:
+{ depot, lib, pkgs, tools, ... }:
 let
   inherit (tools.nginx) domain vhosts;
-  inherit (inputs.self.packages.${pkgs.system}) cinny;
+  inherit (depot.packages) cinny;
 in
 {
   services.nginx.virtualHosts."chat.${domain}" = lib.recursiveUpdate

hosts/VEGAS/services/meet/default.nix

@@ -1,9 +1,6 @@
-{ config, lib, hosts, tools, ... }:
+{ config, lib, depot, tools, ... }:
 let
-  host = hosts.${config.networking.hostName};
+  inherit (depot.reflection) interfaces;
-  inherit (host) interfaces;
-
-  isNAT = interfaces.primary ? addrPublic;
 in
 {
   services.jitsi-meet = {
@@ -30,7 +27,7 @@ in
         { type = "colibri"; }
       ];
     };
-    nat = lib.optionalAttrs isNAT {
+    nat = lib.optionalAttrs interfaces.primary.isNat {
       localAddress = interfaces.primary.addr;
       publicAddress = interfaces.primary.addrPublic;
     };

hosts/VEGAS/services/monitoring/default.nix

@@ -1,4 +1,4 @@
-{ cluster, config, inputs, lib, pkgs, tools, ... }:
+{ cluster, config, depot, lib, tools, ... }:
 let
   inherit (tools.meta) domain;
 
@@ -29,7 +29,7 @@ in
   };
   services.grafana = {
     enable = true;
-    package = inputs.self.packages.${pkgs.system}.grafana;
+    package = depot.packages.grafana;
     dataDir = "/srv/storage/private/grafana";
     settings = {
       server = {

hosts/VEGAS/services/nix/nar-serve.nix

@@ -1,4 +1,4 @@
-{ config, inputs, pkgs, tools, ... }:
+{ config, depot, tools, ... }:
 
   let
     mkNarServe = NAR_CACHE_URL: PORT: {
@@ -6,7 +6,7 @@
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         DynamicUser = true;
-        ExecStart = "${inputs.nar-serve.defaultPackage."${pkgs.system}"}/bin/nar-serve";
+        ExecStart = "${depot.inputs.nar-serve.packages.nar-serve}/bin/nar-serve";
       };
       environment = { inherit NAR_CACHE_URL PORT; };
     };

hosts/VEGAS/services/reflex/default.nix

@@ -1,4 +1,4 @@
-{ config, inputs, pkgs, tools, ... }:
+{ config, depot, tools, ... }:
 
 {
   links.nixIpfs.protocol = "http";
@@ -6,7 +6,7 @@
   systemd.services.nix-ipfs-cache = {
     wantedBy = [ "multi-user.target" ];
     serviceConfig = {
-      ExecStart = "${inputs.self.packages.${pkgs.system}.reflex-cache}/bin/reflex";
+      ExecStart = "${depot.packages.reflex-cache}/bin/reflex";
       DynamicUser = true;
       SupplementaryGroups = [ "ipfs" ];
       CacheDirectory = "nix-ipfs-cache";

hosts/VEGAS/services/searxng/default.nix

@@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, tools, ... }:
+{ config, depot, lib, tools, ... }:
 let
   inherit (config) links;
 in
@@ -9,7 +9,7 @@ in
   services.searx = {
     enable = true;
     runInUwsgi = true;
-    package = inputs.self.packages.${pkgs.system}.searxng;
+    package = depot.packages.searxng;
     environmentFile = config.age.secrets.searxng-secrets.path;
     settings = {
       server = {

hosts/VEGAS/services/sso/default.nix

@@ -1,4 +1,4 @@
-{ cluster, config, inputs, lib, pkgs, tools, ... }:
+{ cluster, config, depot, lib, tools, ... }:
 with tools.nginx;
 let
   login = "login.${tools.meta.domain}";
@@ -32,7 +32,7 @@ in
   };
   services.keycloak = {
     enable = true;
-    package = inputs.self.packages.${pkgs.system}.keycloak;
+    package = depot.packages.keycloak;
     database = {
       createLocally = false;
       type = "postgresql";
@@ -52,7 +52,7 @@ in
   };
   systemd.services.keycloak.environment = {
     JAVA_OPTS = builtins.concatStringsSep " " [
-      "-javaagent:${inputs.self.packages.${pkgs.system}.opentelemetry-java-agent-bin}"
+      "-javaagent:${depot.packages.opentelemetry-java-agent-bin}"
       "-Dotel.resource.attributes=service.name=keycloak"
       "-Dotel.traces.exporter=otlp"
     ];

hosts/VEGAS/services/uptime-kuma/default.nix

@@ -1,10 +1,8 @@
-{ config, inputs, lib, pkgs, tools, ... }:
+{ config, depot, lib, tools, ... }:
 
 let
   inherit (tools.meta) domain;
 
-  flakePkgs = inputs.self.packages.${pkgs.system};
-
   link = config.links.uptime-kuma;
 
   dataDir = "/srv/storage/private/uptime-kuma";
@@ -55,7 +53,7 @@ in
       ProtectKernelModules = true;
       ProtectKernelTunables = true;
 
-      ExecStart = flakePkgs.uptime-kuma + /bin/uptime-kuma;
+      ExecStart = depot.packages.uptime-kuma + /bin/uptime-kuma;
     };
 
 

hosts/VEGAS/services/websites/default.nix

@@ -1,9 +1,9 @@
-{ inputs, pkgs, tools, ... }:
+{ depot, tools, ... }:
 
 let
   importWebsites = expr: import expr {
     tools = tools.nginx;
-    packages = inputs.self.packages.${pkgs.system};
+    inherit (depot) packages;
   };
 
   websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);

hosts/VEGAS/system.nix

@@ -1,4 +1,4 @@
-{ aspect, config, hosts, inputs, tools, ... }:
+{ config, depot, tools, ... }:
 
 {
   imports =
@@ -11,8 +11,8 @@
       ./modules/oauth2-proxy
       ./modules/redis
       ./modules/virtualisation
-      inputs.agenix.nixosModules.age
+      depot.inputs.agenix.nixosModules.age
-      inputs.mms.module
+      depot.inputs.mms.module
 
       # Services
       ./services/api
@@ -40,12 +40,13 @@
       ./services/warehouse
       ./services/websites
       ./services/wireguard-server
-      aspect.modules.hyprspace
+      depot.nixosModules.hyprspace
-      aspect.modules.nix-builder
+      depot.nixosModules.nix-builder
-    ]
+
+      depot.nixosModules.backboneBase
+    ];
     # TODO: fix users
     # ++ (import ../../users "server").groups.admin
-    ++ aspect.sets.backbone;
 
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
@@ -90,7 +91,7 @@
         "fe80::/10"
       ];
 
-      mkRules = ipt: ranges: map (x: "${ipt} -I nixos-fw 1 -d ${x} -o ${hosts.${config.networking.hostName}.interfaces.primary.link} -j DROP") ranges;
+      mkRules = ipt: ranges: map (x: "${ipt} -I nixos-fw 1 -d ${x} -o ${depot.reflection.interfaces.primary.link} -j DROP") ranges;
 
       rules4 = mkRules "iptables" privateIp4Ranges;
 
@@ -102,10 +103,10 @@
   services.openssh.passwordAuthentication = false;
 
   containers.soda = {
-    path = inputs.self.nixosConfigurations.soda.config.system.build.toplevel;
+    path = depot.nixosConfigurations.soda.config.system.build.toplevel;
     privateNetwork = true;
     hostBridge = "vmdefault";
-    localAddress = "${hosts.soda.interfaces.primary.addr}/24";
+    localAddress = "${depot.config.hours.soda.interfaces.primary.addr}/24";
     autoStart = true;
     bindMounts.sodaDir = {
       hostPath = "/srv/storage/www/soda";

hosts/checkmate/default.nix

@@ -1,4 +1,5 @@
 tools: {
+  ssh.enable = true;
   ssh.id = with tools.dns; {
     publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINImnMfEzUBU5qiuu05DMPrddTGypOtr+cL1/yQN2GFn";
     hostNames = subResolve "checkmate" "node";
@@ -12,7 +13,8 @@ tools: {
     };
   };
 
-  hypr = {
+  hyprspace = {
+    enable = true;
     id = "12D3KooWL84sAtq1QTYwb7gVbhSNX5ZUfVt4kgYKz8pdif1zpGUh";
     addr = "10.100.3.32";
     listenPort = 995;
@@ -22,6 +24,6 @@ tools: {
     subdomain = "node";
   };
 
-  arch = "x86_64";
+  system = "x86_64-linux";
-  nixos = import ./system.nix;
+  nixos = ./system.nix;
 }

hosts/checkmate/system.nix

@@ -1,4 +1,4 @@
-{ aspect, inputs, hosts, ... }:
+{ depot, ... }:
 
 {
   imports =
@@ -6,19 +6,19 @@
       # Hardware
       ./hardware-configuration.nix
 
-      inputs.agenix.nixosModules.age
+      depot.inputs.agenix.nixosModules.age
 
-      aspect.modules.hyprspace
+      depot.nixosModules.hyprspace
-      aspect.modules.sss
+      depot.nixosModules.sss
-    ]
+      depot.nixosModules.serverBase
-    ++ aspect.sets.server;
+    ];
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
   networking.hostName = "checkmate";
-  networking.nameservers = [ hosts.VEGAS.interfaces.vstub.addr ];
+  networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
 
   time.timeZone = "Europe/Zurich";
 

hosts/default.nix

@@ -1,31 +0,0 @@
-let
-  tools = import ./tools.nix;
-in with tools.dns; {
-
-  # NixOS machines
-  VEGAS = import ./VEGAS tools;
-  prophet = import ./prophet tools;
-  soda = import ./soda tools;
-  checkmate = import ./checkmate tools;
-
-  # Non-NixOS machine metadata
-  AnimusAlpha = let hostNames = [ "alpha.animus.com" "animus.com" ]; in {
-    ssh.id = {
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpFR47Ev+W+bdng6IrDVpl8rlKBBHSr1v5lwJmZcEFH";
-      hostNames = portMap 69 hostNames;
-    };
-    ssh.extraConfig = tools.ssh.extraConfig hostNames [ "Port 69" ];
-  };
-
-  # peering
-
-  # max
-  TITAN.hypr = {
-    id = "QmfJ5Tv2z9jFv9Aocevyn6QqRcfm9eYQZhvYvmAVfACfuM";
-    addr = "10.100.3.7";
-  };
-  jericho.hypr = {
-    id = "QmccBLgGP3HR36tTkwSYZX3KDv2EXb1MvYwGVs6PbpbHv9";
-    addr = "10.100.3.13";
-  };
-}

hosts/deploy.nix

@@ -0,0 +1,57 @@
+{ config, inputs, lib, self, withSystem, ... }:
+
+let
+  inherit (lib) elem mapAttrs toLower;
+  inherit (config) gods cluster defaultEffectSystem;
+  inherit (config.herculesCI) branch;
+  inherit (self) nixosConfigurations;
+
+  chosenHours = gods.fromLight;
+
+  withEffectSystem = withSystem defaultEffectSystem;
+
+  callUpon = name: host: withEffectSystem ({ hci-effects, ... }: let
+    inherit (hci-effects) runIf runNixOS;
+    inherit (host.enterprise) subdomain;
+
+    hostname = "${toLower name}.${subdomain}.${cluster.domain}";
+
+    deploy-rs = inputs.deploy-rs.lib."${host.system}";
+  in {
+    effect = runIf (elem branch [ "master" "staging" ]) (runNixOS {
+      requiredSystemFeatures = [ "hci-deploy-agent-nixos" ];
+
+      inherit (nixosConfigurations.${name}) config;
+
+      secretsMap.ssh = "deploy-ssh";
+
+      userSetupScript = ''
+        writeSSHKey ssh
+        cat >>~/.ssh/known_hosts <<EOF
+        ${hostname} ${host.ssh.id.publicKey}
+        EOF
+      '';
+
+      ssh.destination = "root@${hostname}";
+    });
+
+    deploy = {
+      inherit hostname;
+      profiles.system = {
+        user = "root";
+        sshUser = "deploy";
+        path = deploy-rs.activate.nixos self.nixosConfigurations.${name};
+      };
+    };
+  });
+
+  calledUponHours = mapAttrs callUpon chosenHours;
+
+  pick = format: _: calledUponHour: calledUponHour.${format};
+in
+
+{
+  flake.effects = mapAttrs (pick "effect") calledUponHours;
+
+  flake.deploy.nodes = mapAttrs (pick "deploy") calledUponHours;
+}

hosts/nixos.nix

@@ -0,0 +1,24 @@
+{ config, inputs, lib, self, withSystem, ... }:
+
+let
+  inherit (lib) const mapAttrs nixosSystem;
+  inherit (config) gods;
+
+  mkSpecialArgs = system: hostName: withSystem system ({ inputs', self', ... }: {
+    depot = self // self' // {
+      inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
+      inherit config;
+      # peer into the Watchman's Glass
+      reflection = config.hours.${hostName};
+    };
+    toolsets = import ../tools;
+  });
+
+  mkNixOS = name: host: nixosSystem {
+    specialArgs = mkSpecialArgs host.system name;
+    inherit (host) system;
+    modules = [ host.nixos ../tools/inject.nix (import ../cluster/inject.nix name) ];
+  };
+in {
+  flake.nixosConfigurations = mapAttrs mkNixOS (gods.fromLight // gods.fromFlesh);
+}

hosts/options/default.nix

@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+with lib;
+
+let
+  hourType = types.submodule {
+    imports = [
+      ./hour/enterprise.nix
+      ./hour/hyprspace.nix
+      ./hour/interfaces.nix
+      ./hour/nixos.nix
+      ./hour/ssh.nix
+    ];
+  };
+
+  mkHours = description: mkOption {
+    inherit description;
+    type = with types; attrsOf hourType;
+    default = {};
+  };
+in
+
+{
+  options = {
+    gods = {
+      fromLight = mkHours "Gods-from-Light: The emanations of The Glory";
+      fromFlesh = mkHours "Gods-from-Flesh: Mortals who penetrated the Mansus";
+      fromNowhere = mkHours "Gods-from-Nowhere: Lesser Hours";
+    };
+    hours = mkHours "Hours are the incarnate principles of the world." // {
+      readOnly = true;
+      default = with config.gods; fromLight // fromFlesh // fromNowhere;
+    };
+  };
+}

hosts/options/hour/enterprise.nix

@@ -0,0 +1,12 @@
+{ lib, ... }:
+with lib;
+
+{
+  options.enterprise = {
+    subdomain = mkOption {
+      description = "Host FQDN subdomain.";
+      type = types.str;
+      default = "services";
+    };
+  };
+}

hosts/options/hour/hyprspace.nix

@@ -0,0 +1,30 @@
+{ lib, ... }:
+with lib;
+
+{
+  options.hyprspace = {
+    enable = mkEnableOption "Cross-host Hyprspace configuration";
+
+    id = mkOption {
+      description = "Hyprspace PeerID.";
+      type = types.str;
+    };
+
+    addr = mkOption {
+      description = "Hyprspace internal IP address.";
+      type = types.str;
+    };
+
+    routes = mkOption {
+      description = "Networks to export to Hyprspace.";
+      type = with types; listOf str;
+      default = [];
+    };
+
+    listenPort = mkOption {
+      description = "The port the Hyprspace daemon should listen on.";
+      type = types.port;
+      default = 8001;
+    };
+  };
+}

hosts/options/hour/interfaces.nix

@@ -0,0 +1,38 @@
+{ lib, ... }:
+with lib;
+
+let
+  interfaceType = types.submodule ({ config, name, ... }: {
+    options = {
+      addr = mkOption {
+        description = "Static IP address assigned to this interface.";
+        type = types.str;
+      };
+
+      addrPublic = mkOption {
+        description = "Static public IP address.";
+        type = types.str;
+        default = config.addr;
+      };
+
+      link = mkOption {
+        description = "Interface link name.";
+        type = types.str;
+        default = name;
+      };
+
+      isNat = mkOption {
+        description = "Whether the host is behind NAT.";
+        type = types.bool;
+        default = config.addr != config.addrPublic;
+      };
+    };
+  });
+in
+
+{
+  options.interfaces = mkOption {
+    description = "Network interface information.";
+    type = with types; attrsOf interfaceType;
+  };
+}

hosts/options/hour/nixos.nix

@@ -0,0 +1,18 @@
+{ lib, ... }:
+with lib;
+
+{
+  options = {
+    system = mkOption {
+      description = "Nix system double for this NixOS host.";
+      type = types.enum systems.doubles.linux;
+      default = "x86_64-linux";
+    };
+
+    nixos = mkOption {
+      description = "NixOS configuration.";
+      type = with types; nullOr anything;
+      default = null;
+    };
+  };
+}

hosts/options/hour/ssh.nix

@@ -0,0 +1,28 @@
+{ lib, ... }:
+with lib;
+
+{
+  options.ssh = {
+    enable = mkEnableOption "Cross-host SSH configuration";
+
+    id = {
+      publicKey = mkOption {
+        description = "Host SSH public key.";
+        type = with types; nullOr str;
+        default = null;
+      };
+
+      hostNames = mkOption {
+        description = "Hostnames through which this host can be reached over SSH.";
+        type = with types; listOf str;
+        default = [];
+      };
+    };
+
+    extraConfig = mkOption {
+      description = "Extra SSH client configuration used to connect to this host.";
+      type = types.lines;
+      default = "";
+    };
+  };
+}

hosts/part.nix

@@ -0,0 +1,49 @@
+let
+  tools = import ./tools.nix;
+in with tools.dns;
+{
+  imports = [
+    ./deploy.nix
+    ./nixos.nix
+    ./options
+  ];
+  gods = {
+    fromLight = {
+      checkmate = import ./checkmate tools;
+
+      VEGAS = import ./VEGAS tools;
+
+      prophet = import ./prophet tools;
+    };
+
+    fromFlesh = {
+      soda = import ./soda tools;
+    };
+
+    fromNowhere = {
+      AnimusAlpha = let hostNames = [ "alpha.animus.com" "animus.com" ]; in {
+        ssh.enable = true;
+        ssh.id = {
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpFR47Ev+W+bdng6IrDVpl8rlKBBHSr1v5lwJmZcEFH";
+          hostNames = portMap 69 hostNames;
+        };
+        ssh.extraConfig = tools.ssh.extraConfig hostNames [ "Port 69" ];
+      };
+
+      # peering
+
+      # max
+      TITAN.hyprspace = {
+        enable = true;
+        id = "QmfJ5Tv2z9jFv9Aocevyn6QqRcfm9eYQZhvYvmAVfACfuM";
+        addr = "10.100.3.7";
+      };
+
+      jericho.hyprspace = {
+        enable = true;
+        id = "QmccBLgGP3HR36tTkwSYZX3KDv2EXb1MvYwGVs6PbpbHv9";
+        addr = "10.100.3.13";
+      };
+    };
+  };
+}

hosts/prophet/default.nix

@@ -1,4 +1,5 @@
 tools: {
+  ssh.enable = true;
   ssh.id = with tools.dns; {
     publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZ4FyGi69MksEn+UJZ87vw1APqiZmPNlEYIr0CbEoGv";
     hostNames = subResolve "prophet" "node";
@@ -12,7 +13,8 @@ tools: {
     };
   };
 
-  hypr = {
+  hyprspace = {
+    enable = true;
     id = "QmbrAHuh4RYcyN9fWePCZMVmQjbaNXtyvrDCWz4VrchbXh";
     addr = "10.100.3.9";
     listenPort = 995;
@@ -22,6 +24,6 @@ tools: {
     subdomain = "node";
   };
 
-  arch = "aarch64";
+  system = "aarch64-linux";
-  nixos = import ./system.nix;
+  nixos = ./system.nix;
 }

hosts/prophet/system.nix

@@ -1,4 +1,4 @@
-{ aspect, inputs, hosts, ... }:
+{ depot, ... }:
 
 {
   imports =
@@ -6,22 +6,21 @@
       # Hardware
       ./hardware-configuration.nix
 
-      inputs.agenix.nixosModules.age
+      depot.inputs.agenix.nixosModules.age
 
-      aspect.modules.hyprspace
+      depot.nixosModules.hyprspace
-      aspect.modules.nix-builder
+      depot.nixosModules.nix-builder
-      aspect.modules.sss
+      depot.nixosModules.sss
 
-
+      depot.nixosModules.serverBase
-    ]
+    ];
-    ++ aspect.sets.server;
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
   networking.hostName = "prophet";
-  networking.nameservers = [ hosts.VEGAS.interfaces.vstub.addr ];
+  networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
 
   time.timeZone = "Europe/Zurich";
 

hosts/soda/default.nix

@@ -1,4 +1,5 @@
 tools: {
+  ssh.enable = true;
   ssh.id = with tools.dns; {
     publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDShq3dbZy9SARsH8aSjfMQ+/eTW44eZuHVCLvgtDNKw";
     hostNames = subResolve "soda" "int";
@@ -16,7 +17,6 @@ tools: {
     subdomain = "int";
   };
 
-  arch = "x86_64";
+  system = "x86_64-linux";
-  nixos = import ./system.nix;
+  nixos = ./system.nix;
-  container = true;
 }

hosts/soda/system.nix

@@ -1,12 +1,12 @@
-{ aspect, hosts, ... }:
+{ depot, ... }:
 
 {
-  imports = with aspect; [
+  imports = with depot.nixosModules; [
-    modules.fail2ban
+    containerBase
-    modules.nix-config-server
+    fail2ban
-    modules.sss
+    sss
     ./soda.nix
-  ] ++ sets.base ++ sets.networking;
+  ];
 
   boot.isContainer = true;
 
@@ -14,9 +14,9 @@
 
   networking.interfaces.eth0.useDHCP = true;
 
-  networking.nameservers = [ hosts.VEGAS.interfaces.vstub.addr ];
+  networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
 
-  networking.resolvconf.extraConfig = "local_nameservers='${hosts.VEGAS.interfaces.vstub.addr}'";
+  networking.resolvconf.extraConfig = "local_nameservers='${depot.config.hours.VEGAS.interfaces.vstub.addr}'";
 
   networking.hostName = "soda";
 

modules/default.nix

@@ -1,63 +0,0 @@
-inputs:
-with builtins;
-let
-  aspects = {
-    autopatch = import ./autopatch;
-    consul-service-registry = import ./consul-service-registry;
-    deploy-rs-receiver = import ./deploy-rs-receiver;
-    enterprise = import ./enterprise;
-    fail2ban = import ./fail2ban;
-    hydra = import ./hydra;
-    hyprspace = import ./hyprspace;
-    ipfs = import ./ipfs;
-    ipfs-cluster = import ./ipfs-cluster;
-    maintenance = import ./maintenance;
-    minimal = import ./minimal;
-    motd = import ./motd;
-    nix-builder = import ./nix-builder;
-    nix-config-server = import ./nix-config/server.nix;
-    nix-register-flakes = import ./nix-register-flakes;
-    patroni = import ./patroni;
-    port-magic = import ./port-magic;
-    shell-config = import ./shell-config;
-    ssh = import ./ssh;
-    sss = import ./sss;
-    system-info = import ./system-info;
-    system-recovery = import ./system-recovery;
-    tested = import ./tested;
-  };
-in rec {
-  modules = aspects;
-  sets = with modules; rec {
-    base = [
-      autopatch
-      enterprise
-      maintenance
-      minimal
-    ];
-
-    networking = [
-      port-magic
-      ssh
-    ];
-
-    server = [
-      consul-service-registry
-      deploy-rs-receiver
-      fail2ban
-      motd
-      nix-config-server
-      system-info
-      system-recovery
-      tested
-    ] ++ base ++ networking;
-
-    container = [
-      nix-config-server
-    ] ++ base ++ networking;
-
-    backbone = server ++ [
-      sss
-    ];
-  };
-}

modules/enterprise/default.nix

@@ -1,8 +1,8 @@
-{ config, hosts, lib, tools, ... }:
+{ config, depot, lib, tools, ... }:
 let
   orgDomain = tools.meta.domain;
   orgRealm = lib.toUpper orgDomain;
-  host = hosts.${config.networking.hostName} or null;
+  host = depot.reflection;
 in {
   krb5 = {
     enable = true;

modules/fail2ban/default.nix

@@ -1,4 +1,4 @@
-{ config, hosts, ... }:
+{ config, depot, ... }:
 {
   services.fail2ban = {
     enable = true;
@@ -10,7 +10,7 @@
     '';
     ignoreIP = [
       "10.0.0.0/8"
-      hosts.${config.networking.hostName}.interfaces.primary.addr
+      depot.reflection.interfaces.primary.addr
     ];
     bantime-increment = {
       enable = true;

modules/hyprspace/default.nix

@@ -1,23 +1,23 @@
-{ pkgs, inputs, lib, hosts, config, ... }:
+{ pkgs, depot, lib, config, ... }:
 let
   inherit (config.networking) hostName;
-  inherit (inputs.self.packages.${pkgs.system}) hyprspace;
+  inherit (depot.packages) hyprspace;
-  hyprspaceCapableNodes = lib.filterAttrs (_: host: host ? hypr) hosts;
+  hyprspaceCapableNodes = lib.filterAttrs (_: host: host.hyprspace.enable) depot.config.hours;
   peersFormatted = builtins.mapAttrs (_: x: {
-    inherit (x.hypr) id;
+    inherit (x.hyprspace) id;
-    routes = map (net: { inherit net; }) ((x.hypr.routes or []) ++ [ "${x.hypr.addr}/32" ]);
+    routes = map (net: { inherit net; }) ((x.hyprspace.routes or []) ++ [ "${x.hyprspace.addr}/32" ]);
   }) hyprspaceCapableNodes;
   peersFiltered = lib.filterAttrs (name: _: name != hostName) peersFormatted;
   peerList = builtins.attrValues peersFiltered;
-  myNode = hosts.${hostName};
+  myNode = depot.reflection;
-  listenPort = myNode.hypr.listenPort or 8001;
+  listenPort = myNode.hyprspace.listenPort or 8001;
 
   interfaceConfig = pkgs.writeText "hyprspace.yml" (builtins.toJSON {
     interface = {
       name = "hyprspace";
       listen_port = listenPort;
-      inherit (myNode.hypr) id;
+      inherit (myNode.hyprspace) id;
-      address = "${myNode.hypr.addr}/24";
+      address = "${myNode.hyprspace.addr}/24";
       private_key = "@HYPRSPACEPRIVATEKEY@";
     };
     peers = peerList;
@@ -26,7 +26,7 @@ let
   privateKeyFile = config.age.secrets.hyprspace-key.path;
   runConfig = "/run/hyprspace.yml";
 in {
-  networking.hosts = lib.mapAttrs' (k: v: lib.nameValuePair v.hypr.addr [k "${k}.hypr"]) hyprspaceCapableNodes;
+  networking.hosts = lib.mapAttrs' (k: v: lib.nameValuePair v.hyprspace.addr [k "${k}.hypr"]) hyprspaceCapableNodes;
   age.secrets.hyprspace-key = {
     file = ../../secrets/hyprspace-key- + "${hostName}.age";
     mode = "0400";

modules/maintenance/default.nix

@@ -1,5 +1,3 @@
-{ inputs, pkgs, ... }:
-
 {
   systemd.targets.maintenance = {
     unitConfig.AllowIsolate = true;

modules/motd/default.nix

@@ -1,4 +1,4 @@
-{ config, inputs, pkgs, ... }:
+{ config, depot, pkgs, ... }:
 {
   users.motd = builtins.readFile ./motd.txt;
   environment.interactiveShellInit = let
@@ -40,7 +40,7 @@
     echo -e " █ ''${BGREEN}(✓)''${CO} ''${BWHITE}You are using a genuine Private Void™ system.''${CO}"
     echo    " █"
     echo -e " █ ''${BWHITE}OS Version....:''${CO} NixOS ''${CAB}${config.system.nixos.version}''${CO}" 
-    echo -e " █ ''${BWHITE}Configuration.:''${CO} ''${CAB}${inputs.self.rev or "\${BRED}(✘)\${CO}\${BWHITE} Dirty"}''${CO}" 
+    echo -e " █ ''${BWHITE}Configuration.:''${CO} ''${CAB}${depot.rev or "\${BRED}(✘)\${CO}\${BWHITE} Dirty"}''${CO}" 
     echo -e " █ ''${BWHITE}Uptime........:''${CO} $(${uptime} -p | ${util "cut"} -d ' ' -f2- | GREP_COLORS='mt=01;35' ${grep} --color=always '[0-9]*')"
     echo -e " █ ''${BWHITE}SSH Logins....:''${CO} There are currently ''${CAB}$(${countUsers})''${CO} users logged in on ''${CAB}$(${countSessions})''${CO} sessions"
     )

modules/nix-config/server.nix

@@ -1,8 +1,8 @@
-{ pkgs, lib, config, inputs, tools, ... }:
+{ pkgs, lib, config, depot, tools, ... }:
 
 {
   nix = {
-    package = inputs.nix-super.packages.${pkgs.system}.default;
+    package = depot.inputs.nix-super.packages.default;
 
     settings = {
       trusted-users = [ "root" "@wheel" "@admins" ];

modules/nix-register-flakes/default.nix

@@ -1,6 +1,6 @@
-{ inputs, ... }:
+{ depot, ... }:
 
-with inputs;
+with depot.inputs;
 {
   nix.nixPath = [
     "repl=/etc/nixos/flake-channels/system/repl.nix"
@@ -8,13 +8,13 @@ with inputs;
   ];
 
   nix.registry = {
-    system.flake = self;
+    system.flake = depot;
     nixpkgs.flake = nixpkgs;
     default.flake = nixpkgs;
   };
 
   environment.etc = {
-    "nixos/flake-channels/system".source = inputs.self;
+    "nixos/flake-channels/system".source = depot;
     "nixos/flake-channels/nixpkgs".source = nixpkgs;
   };
 }

modules/part.nix

@@ -0,0 +1,64 @@
+{ config, ... }:
+
+let
+  group = imports: { inherit imports; };
+in
+
+{
+  flake.nixosModules = with config.flake.nixosModules; {
+    autopatch = ./autopatch;
+    consul-service-registry = ./consul-service-registry;
+    deploy-rs-receiver = ./deploy-rs-receiver;
+    enterprise = ./enterprise;
+    fail2ban = ./fail2ban;
+    hydra = ./hydra;
+    hyprspace = ./hyprspace;
+    ipfs = ./ipfs;
+    ipfs-cluster = ./ipfs-cluster;
+    maintenance = ./maintenance;
+    minimal = ./minimal;
+    motd = ./motd;
+    nix-builder = ./nix-builder;
+    nix-config-server = ./nix-config/server.nix;
+    nix-register-flakes = ./nix-register-flakes;
+    patroni = ./patroni;
+    port-magic = ./port-magic;
+    shell-config = ./shell-config;
+    ssh = ./ssh;
+    sss = ./sss;
+    system-info = ./system-info;
+    system-recovery = ./system-recovery;
+    tested = ./tested;
+
+    machineBase = group [
+      autopatch
+      enterprise
+      maintenance
+      minimal
+      port-magic
+      ssh
+    ];
+
+    serverBase = group [
+      machineBase
+      consul-service-registry
+      deploy-rs-receiver
+      fail2ban
+      motd
+      nix-config-server
+      system-info
+      system-recovery
+      tested
+    ];
+
+    containerBase = group [
+      machineBase
+      nix-config-server
+    ];
+
+    backboneBase = group [
+      serverBase
+      sss
+    ];
+  };
+}

modules/ssh/default.nix

@@ -1,8 +1,8 @@
-{ hosts, lib, ... }:
+{ depot, lib, ... }:
 let
-  filtered = lib.filterAttrs (_: host: host ? ssh) hosts;
+  filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.config.hours;
-  idCapable = lib.filterAttrs (_: host: host.ssh ? id) filtered;
+  idCapable = lib.filterAttrs (_: host: host.ssh.id.publicKey != null) filtered;
-  configCapable = lib.filterAttrs (_: host: host.ssh ? extraConfig) filtered;
+  configCapable = lib.filterAttrs (_: host: host.ssh.extraConfig != "") filtered;
 
   sshHosts = lib.mapAttrs (_: host: host.ssh.id) idCapable;
   sshExtras = lib.mapAttrsToList (_: host: host.ssh.extraConfig) configCapable;

modules/sss/default.nix

@@ -1,9 +1,9 @@
-{ config, lib, hosts, tools, utils, ... }:
+{ config, lib, depot, tools, utils, ... }:
 let
   inherit (tools.meta) domain;
   inherit (tools) identity;
   inherit (config.networking) hostName;
-  inherit (hosts.${hostName}) enterprise interfaces;
+  inherit (depot.reflection) enterprise interfaces;
 
   toINI = content: lib.generators.toINI {} (iniFilter content);
 

modules/system-info/default.nix

@@ -1,5 +1,5 @@
-{ inputs, ... }:
+{ depot, ... }:
 
 {
-  system.configurationRevision = inputs.self.rev or null;
+  system.configurationRevision = depot.rev or null;
 }

modules/tested/default.nix

@@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, ... }:
+{ config, depot, lib, pkgs, ... }:
 with lib;
 
 {
@@ -9,5 +9,5 @@ with lib;
       default = [];
     };
   };
-  config.system.extraDependencies = map (name: inputs.self.checks.${pkgs.system}.${name}) config.tested.requiredChecks;
+  config.system.extraDependencies = map (name: depot.checks.${name}) config.tested.requiredChecks;
 }