Merge branch 'restructure2' into 'master'

Hosts Restructuring See merge request private-void/depot!45
2023-03-11 19:11:50 +00:00 · 2023-03-11 19:11:50 +00:00 · 625ae1ea25
commit 625ae1ea25
parent 1f1c0554a6 1c27955577
62 changed files with 517 additions and 340 deletions
--- a/cluster/default.nix
+++ b/cluster/default.nix
@ -1,6 +1,9 @@
-{ lib, hostName }:
+{ lib, depot, hostName }:
 lib.evalModules {
  specialArgs = {
    inherit depot;
  };
  modules = [
    # Arbitrary variables to reference across multiple services
    ./lib/vars
@ -10,7 +13,6 @@ lib.evalModules {
    ../modules/port-magic
    ../tools/inject.nix
    ./lib/load-hosts.nix
    ./lib/services.nix
    ./lib/inject-nixos-config.nix
    ./lib/port-magic-multi.nix
--- a/cluster/inject.nix
+++ b/cluster/inject.nix
@ -1,8 +1,8 @@
 hostName:
-{ lib, ... }:
+{ depot, lib, ... }:
 let
-  cluster = import ./. { inherit lib hostName; };
+  cluster = import ./. { inherit lib depot hostName; };
 in
 {
--- a/cluster/lib/load-hosts.nix
+++ b/cluster/lib/load-hosts.nix
@ -1,9 +0,0 @@
 { config, lib, ... }:
 let
  hosts = import ../../hosts;
  self = hosts.${config.vars.hostName};
  others = lib.filterAttrs (_: host: host != self) hosts;
 in
 {
  config.vars.hosts = hosts // { inherit self others; };
 }
--- a/cluster/services/consul/remote-api.nix
+++ b/cluster/services/consul/remote-api.nix
@ -1,16 +1,14 @@
-{ config, cluster, hosts, lib, tools, ... }:
+{ config, cluster, depot, lib, tools, ... }:
 let
  inherit (tools.meta) domain;
-  inherit (config.networking) hostName;
+  inherit (depot.reflection) hyprspace;
  hyprspaceConfig = hosts.${hostName}.hypr;
  frontendDomain = "consul-remote.internal.${domain}";
 in
 {
  services.nginx.virtualHosts.${frontendDomain} = tools.nginx.vhosts.proxy "http://127.0.0.1:8500" // {
-    listenAddresses = lib.singleton hyprspaceConfig.addr;
+    listenAddresses = lib.singleton hyprspace.addr;
    enableACME = false;
    useACMEHost = "internal.${domain}";
  };
@ -20,13 +18,13 @@ in
    mode = "external";
    definition = {
      name = "consul-remote";
-      address = hyprspaceConfig.addr;
+      address = hyprspace.addr;
      port = 443;
      checks = [
        {
          name = "Frontend";
          id = "service:consul-remote:frontend";
-          http = "https://${hyprspaceConfig.addr}/v1/status/leader";
+          http = "https://${hyprspace.addr}/v1/status/leader";
          tls_server_name = frontendDomain;
          interval = "60s";
        }
--- a/cluster/services/dns/authoritative.nix
+++ b/cluster/services/dns/authoritative.nix
@ -1,7 +1,7 @@
-{ cluster, config, hosts, lib, tools, ... }:
+{ cluster, config, depot, lib, tools, ... }:
 let
-  inherit (hosts.${config.networking.hostName}) interfaces;
+  inherit (depot.reflection) interfaces;
  inherit (tools.meta) domain;
  patroni = cluster.config.links.patroni-pg-access;
--- a/cluster/services/dns/coredns.nix
+++ b/cluster/services/dns/coredns.nix
@ -1,10 +1,10 @@
-{ config, hosts, inputs, lib, pkgs, tools, ... }:
+{ config, depot, lib, pkgs, tools, ... }:
 let
-  inherit (hosts.${config.networking.hostName}) interfaces;
+  inherit (depot.reflection) interfaces;
  inherit (tools.meta) domain;
  inherit (config.links) localRecursor;
-  inherit (inputs.self.packages.${pkgs.system}) stevenblack-hosts;
+  inherit (depot.packages) stevenblack-hosts;
  dot = config.security.acme.certs."securedns.${domain}";
 in
--- a/cluster/services/dns/default.nix
+++ b/cluster/services/dns/default.nix
@ -1,7 +1,7 @@
-{ config, ... }:
+{ config, depot, ... }:
 let
-  inherit (config.vars) hosts;
+  inherit (depot.config) hours;
 in
 {
  vars.pdns-api-key-secret = {
@ -10,7 +10,7 @@ in
  };
  links = {
    dnsResolver = {
-      ipv4 = hosts.VEGAS.interfaces.vstub.addr;
+      ipv4 = hours.VEGAS.interfaces.vstub.addr;
      port = 53;
    };
    powerdns-api = {
--- a/cluster/services/hercules-ci-multi-agent/common.nix
+++ b/cluster/services/hercules-ci-multi-agent/common.nix
@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, ... }:
+{ config, depot, lib, pkgs, ... }:
 let
  mapAgents = lib.flip lib.mapAttrs config.services.hercules-ci-agents;
@ -17,7 +17,7 @@ let
 in
 {
  imports = [
-    inputs.hercules-ci-agent.nixosModules.multi-agent-service
+    depot.inputs.hercules-ci-agent.nixosModules.multi-agent-service
  ];
  age.secrets = mergeMap (name: _: {
--- a/cluster/services/hercules-ci-multi-agent/orgs/max.nix
+++ b/cluster/services/hercules-ci-multi-agent/orgs/max.nix
@ -1,8 +1,8 @@
-{ config, lib, inputs, pkgs, ... }:
+{ config, lib, depot, pkgs, ... }:
 {
  services.hercules-ci-agents.max = {
-    package = lib.mkForce inputs.self.packages.${pkgs.system}.hercules-ci-agent;
+    package = lib.mkForce depot.packages.hercules-ci-agent;
    settings = {
      clusterJoinTokenPath = config.age.secrets.hci-token-max.path;
      binaryCachesPath = config.age.secrets.hci-cache-config-max.path;
--- a/cluster/services/hercules-ci-multi-agent/orgs/nixpak.nix
+++ b/cluster/services/hercules-ci-multi-agent/orgs/nixpak.nix
@ -1,8 +1,8 @@
-{ config, lib, inputs, pkgs, ... }:
+{ config, lib, depot, pkgs, ... }:
 {
  services.hercules-ci-agents.nixpak = {
-    package = lib.mkForce inputs.self.packages.${pkgs.system}.hercules-ci-agent;
+    package = lib.mkForce depot.packages.hercules-ci-agent;
    settings = {
      clusterJoinTokenPath = config.age.secrets.hci-token-nixpak.path;
      binaryCachesPath = config.age.secrets.hci-cache-config-nixpak.path;
--- a/cluster/services/hercules-ci-multi-agent/orgs/private-void.nix
+++ b/cluster/services/hercules-ci-multi-agent/orgs/private-void.nix
@ -1,8 +1,8 @@
-{ config, lib, inputs, pkgs, ... }:
+{ config, lib, depot, pkgs, ... }:
 {
  services.hercules-ci-agents.private-void = {
-    package = lib.mkForce inputs.self.packages.${pkgs.system}.hercules-ci-agent;
+    package = lib.mkForce depot.packages.hercules-ci-agent;
    settings = {
      clusterJoinTokenPath = config.age.secrets.hci-token-private-void.path;
      binaryCachesPath = config.age.secrets.hci-cache-config-private-void.path;
--- a/cluster/services/ipfs/cluster.nix
+++ b/cluster/services/ipfs/cluster.nix
@ -1,4 +1,4 @@
-{ aspect, config, inputs, lib, pkgs, tools, ... }:
+{ config, depot, lib, pkgs, tools, ... }:
 let
  inherit (tools.meta) domain;
@ -11,7 +11,7 @@ let
  proxySocket = "/run/ipfs-cluster/ipfs-api-proxy.sock";
 in {
  imports = [
-    aspect.modules.ipfs-cluster
+    depot.nixosModules.ipfs-cluster
  ];
  age.secrets = {
@ -24,7 +24,7 @@ in {
  services.ipfs-cluster = {
    enable = true;
-    package = inputs.self.packages.${pkgs.system}.ipfs-cluster;
+    package = depot.packages.ipfs-cluster;
    consensus = "crdt";
    dataDir = "/srv/storage/ipfs/cluster";
    secretFile = config.age.secrets.ipfs-cluster-secret.path;
--- a/cluster/services/ipfs/default.nix
+++ b/cluster/services/ipfs/default.nix
@ -1,8 +1,8 @@
-{ config, lib, tools, ... }:
+{ config, depot, lib, tools, ... }:
 {
  hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: let
-    host = config.vars.hosts.${name};
+    host = depot.reflection;
    intf = host.interfaces.primary;
    self = config.hostLinks.${name}.ipfs;
  in {
--- a/cluster/services/ipfs/gateway.nix
+++ b/cluster/services/ipfs/gateway.nix
@ -1,4 +1,4 @@
-{ config, hosts, tools, ... }:
+{ config, depot, tools, ... }:
 with tools.nginx;
 let
  inherit (tools.meta) domain;
@ -64,7 +64,7 @@ in
        extraConfig = ''
          access_log off;
          auth_request off;
-          allow ${hosts.VEGAS.interfaces.primary.addr};
+          allow ${depot.config.hours.VEGAS.interfaces.primary.addr};
          deny all;
        '';
      };
--- a/cluster/services/ipfs/node.nix
+++ b/cluster/services/ipfs/node.nix
@ -1,4 +1,4 @@
-{ aspect, cluster, config, inputs, lib, hosts, pkgs, tools, ... }:
+{ cluster, config, depot, lib, pkgs, tools, ... }:
 let
  inherit (tools.meta) domain;
  cfg = config.services.ipfs;
@ -9,7 +9,7 @@ let
 in
 {
  imports = [
-    aspect.modules.ipfs
+    depot.nixosModules.ipfs
  ];
  links.ipfsGateway.protocol = "http";
@ -21,7 +21,7 @@ in
  services.ipfs = {
    enable = true;
-    package = inputs.self.packages.${pkgs.system}.ipfs;
+    package = depot.packages.ipfs;
    startWhenNeeded = false;
    autoMount = true;
    autoMigrate = false;
@ -40,7 +40,7 @@ in
    extraFlags = [ "--migrate" ];
    extraConfig = {
      Bootstrap = [
-        "/ip4/${hosts.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
+        "/ip4/${depot.config.hours.VEGAS.interfaces.primary.addr}/tcp/${toString ipfsPort}/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
        "/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa"
        "/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb"
        "/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN"
--- a/cluster/services/patroni/worker.nix
+++ b/cluster/services/patroni/worker.nix
@ -1,4 +1,4 @@
-{ aspect, cluster, config, lib, pkgs, ... }:
+{ cluster, config, depot, lib, pkgs, ... }:
 let
  inherit (cluster.config) vars;
@ -14,7 +14,7 @@ in
 {
  imports = [
-    aspect.modules.patroni
+    depot.nixosModules.patroni
  ];
  age.secrets = lib.mapAttrs (_: file: {
--- a/cluster/services/websites/host.nix
+++ b/cluster/services/websites/host.nix
@ -1,9 +1,9 @@
-{ config, inputs, lib, pkgs, tools, ... }:
+{ config, depot, lib, pkgs, tools, ... }:
 let
  importWebsites = expr: import expr {
    tools = tools.nginx;
-    packages = inputs.self.packages.${pkgs.system};
+    inherit (depot) packages;
  };
  websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
--- a/cluster/services/wireguard/default.nix
+++ b/cluster/services/wireguard/default.nix
@ -1,7 +1,7 @@
-{ config, ... }:
+{ config, depot, ... }:
 let
-  inherit (config.vars) hosts;
+  inherit (depot.config) hours;
  meshNet = rec {
    netAddr = "10.1.1.0";
@ -9,7 +9,7 @@ let
    cidr = "${netAddr}/${toString prefix}";
  };
-  getExtAddr = host: host.interfaces.primary.addrPublic or host.interfaces.primary.addr;
+  getExtAddr = host: host.interfaces.primary.addrPublic;
 in
 {
  vars = {
@ -22,7 +22,7 @@ in
  };
  links = {
    mesh-node-checkmate = {
-      ipv4 = getExtAddr hosts.checkmate;
+      ipv4 = getExtAddr hours.checkmate;
      extra = {
        meshIp = "10.1.1.32";
        inherit meshNet;
@ -32,17 +32,17 @@ in
      };
    };
    mesh-node-VEGAS = {
-      ipv4 = getExtAddr hosts.VEGAS;
+      ipv4 = getExtAddr hours.VEGAS;
      extra = {
        meshIp = "10.1.1.5";
        inherit meshNet;
        pubKey = "NpeB8O4erGTas1pz6Pt7qtY9k45YV6tcZmvvA4qXoFk=";
        privKeyFile = ./mesh-keys/VEGAS.age;
-        extraRoutes = [ "${hosts.VEGAS.interfaces.vstub.addr}/32" "10.10.0.0/16" ];
+        extraRoutes = [ "${hours.VEGAS.interfaces.vstub.addr}/32" "10.10.0.0/16" ];
      };
    };
    mesh-node-prophet = {
-      ipv4 = getExtAddr hosts.prophet;
+      ipv4 = getExtAddr hours.prophet;
      extra = {
        meshIp = "10.1.1.9";
        inherit meshNet;
--- a/flake.nix
+++ b/flake.nix
@ -7,88 +7,15 @@
  };
  outputs = { self, nixpkgs, flake-parts, ... }@inputs:
-    let
+    flake-parts.lib.mkFlake { inherit inputs; } {
      systems = [ "x86_64-linux" "aarch64-linux" ];
      nixpkgsFor = nixpkgs.legacyPackages;
      inherit (nixpkgs) lib;
      aspect = import ./modules inputs;
      hosts = import ./hosts;
      nixosHosts' = lib.filterAttrs (_: host: host ? nixos) hosts;
      nixosHosts = lib.attrNames nixosHosts';
      deployableNixosHosts' = lib.filterAttrs (_: host: host ? container -> !host.container) nixosHosts';
      deployableNixosHosts = lib.attrNames deployableNixosHosts';
      meta = import ./tools/meta.nix;
      specialArgs = {
        inherit inputs hosts aspect;
        toolsets = import ./tools;
      };
      mkNixOS' = lib: name: let host = hosts.${name}; in lib.nixosSystem {
        inherit specialArgs;
        system = "${host.arch}-linux";
        modules = [ host.nixos ./tools/inject.nix (import ./cluster/inject.nix name) ];
      };
      mkNixOS = mkNixOS' lib;  
      mkDeployEffect = branch: name: host: let
        subdomain = host.enterprise.subdomain or "services";
        hostname = "${lib.toLower name}.${subdomain}.${meta.domain}";
      in effects.runIf (branch == "master" || branch == "staging") (effects.runNixOS {
        requiredSystemFeatures = [ "hci-deploy-agent-nixos" ];
        inherit (self.nixosConfigurations.${name}) config;
        secretsMap.ssh = "deploy-ssh";
        userSetupScript = ''
          writeSSHKey ssh
          cat >>~/.ssh/known_hosts <<EOF
          ${hostname} ${host.ssh.id.publicKey}
          EOF
        '';
        ssh.destination = "root@${hostname}";
      });
      mkDeployEffects = branch: hostnames: lib.genAttrs hostnames
        (name: mkDeployEffect branch name hosts.${name});
      mkDeploy = name: let
        host = hosts.${name};
        subdomain = host.enterprise.subdomain or "services";
        deploy-rs = inputs.deploy-rs.lib."${host.arch}-linux";
      in {
        hostname = "${lib.toLower name}.${subdomain}.${meta.domain}";
        profiles.system = {
          user = "root";
          sshUser = "deploy";
          path = deploy-rs.activate.nixos self.nixosConfigurations.${name};
        };
      };
      mkDeployments = hosts: overrides: lib.genAttrs hosts
        (host: mkDeploy host // (overrides.${host} or {}) );
      effects = inputs.hercules-ci-effects.lib.withPkgs nixpkgsFor.x86_64-linux;
    in flake-parts.lib.mkFlake { inherit inputs; } {
      inherit systems;
      flake = {
        nixosModules = aspect.modules;
        nixosConfigurations = lib.genAttrs nixosHosts mkNixOS;
        deploy.nodes = mkDeployments deployableNixosHosts {};
        effects = { branch, ... }: mkDeployEffects branch deployableNixosHosts;
      };
      imports = [
        inputs.hercules-ci-effects.flakeModule
        inputs.drv-parts.flakeModule
        inputs.dream2nix.flakeModuleBeta
        ./hosts/part.nix
        ./modules/part.nix
        ./packages/part.nix
      ];
    };
--- a/hosts/VEGAS/default.nix
+++ b/hosts/VEGAS/default.nix
@ -1,4 +1,5 @@
 tools: {
  ssh.enable = true;
  ssh.id = with tools.dns; {
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz2nGA+Y4OxhMKsV6vKIns3hOoBkK557712h7FfWXcE";
    hostNames = subResolve "vegas" "backbone";
@ -15,7 +16,8 @@ tools: {
    };
  };
-  hypr = {
+  hyprspace = {
    enable = true;
    id = "QmYs4xNBby2fTs8RnzfXEk161KD4mftBfCiR8yXtgGPj4J";
    addr = "10.100.3.5";
    listenPort = 995;
@ -29,6 +31,6 @@ tools: {
    subdomain = "backbone";
  };
-  arch = "x86_64";
+  system = "x86_64-linux";
-  nixos = import ./system.nix;
+  nixos = ./system.nix;
 }
--- a/hosts/VEGAS/services/backbone-routing/default.nix
+++ b/hosts/VEGAS/services/backbone-routing/default.nix
@ -1,6 +1,6 @@
-{ config, hosts, ... }:
+{ config, depot, ... }:
 let
-  inherit (hosts.${config.networking.hostName}) interfaces;
+  inherit (depot.reflection) interfaces;
 in
 {
  imports = [
--- a/hosts/VEGAS/services/backbone-routing/port-forward.nix
+++ b/hosts/VEGAS/services/backbone-routing/port-forward.nix
@ -1,10 +1,10 @@
-{ hosts, ... }:
+{ depot, ... }:
 {
  networking.nat.forwardPorts = [
    {
      sourcePort = 52222;
-      destination = "${hosts.soda.interfaces.primary.addr}:22";
+      destination = "${depot.config.hours.soda.interfaces.primary.addr}:22";
      proto = "tcp";
    }
  ];
--- a/hosts/VEGAS/services/mail/postfix.nix
+++ b/hosts/VEGAS/services/mail/postfix.nix
@ -1,4 +1,4 @@
-{ config, hosts, tools, ... }:
+{ config, depot, tools, ... }:
 let
  inherit (tools.meta) domain;
  certDir = config.security.acme.certs."mail.${domain}".directory;
@ -10,7 +10,7 @@ let
  lmtpSocket = "lmtp:unix:/run/dovecot2/lmtp";
  postfixLdapMailboxes = "ldap:${config.age.secrets."postfix-ldap-mailboxes.cf".path}";
-  inherit (hosts.${config.networking.hostName}) interfaces;
+  inherit (depot.reflection) interfaces;
 in
 {
  age.secrets."postfix-ldap-mailboxes.cf" = {
--- a/hosts/VEGAS/services/matrix/web-client.nix
+++ b/hosts/VEGAS/services/matrix/web-client.nix
@ -1,7 +1,7 @@
-{ inputs, lib, pkgs, tools, ... }:
+{ depot, lib, pkgs, tools, ... }:
 let
  inherit (tools.nginx) domain vhosts;
-  inherit (inputs.self.packages.${pkgs.system}) cinny;
+  inherit (depot.packages) cinny;
 in
 {
  services.nginx.virtualHosts."chat.${domain}" = lib.recursiveUpdate
--- a/hosts/VEGAS/services/meet/default.nix
+++ b/hosts/VEGAS/services/meet/default.nix
@ -1,9 +1,6 @@
-{ config, lib, hosts, tools, ... }:
+{ config, lib, depot, tools, ... }:
 let
-  host = hosts.${config.networking.hostName};
+  inherit (depot.reflection) interfaces;
  inherit (host) interfaces;
  isNAT = interfaces.primary ? addrPublic;
 in
 {
  services.jitsi-meet = {
@ -30,7 +27,7 @@ in
        { type = "colibri"; }
      ];
    };
-    nat = lib.optionalAttrs isNAT {
+    nat = lib.optionalAttrs interfaces.primary.isNat {
      localAddress = interfaces.primary.addr;
      publicAddress = interfaces.primary.addrPublic;
    };
--- a/hosts/VEGAS/services/monitoring/default.nix
+++ b/hosts/VEGAS/services/monitoring/default.nix
@ -1,4 +1,4 @@
-{ cluster, config, inputs, lib, pkgs, tools, ... }:
+{ cluster, config, depot, lib, tools, ... }:
 let
  inherit (tools.meta) domain;
@ -29,7 +29,7 @@ in
  };
  services.grafana = {
    enable = true;
-    package = inputs.self.packages.${pkgs.system}.grafana;
+    package = depot.packages.grafana;
    dataDir = "/srv/storage/private/grafana";
    settings = {
      server = {
--- a/hosts/VEGAS/services/nix/nar-serve.nix
+++ b/hosts/VEGAS/services/nix/nar-serve.nix
@ -1,4 +1,4 @@
-{ config, inputs, pkgs, tools, ... }:
+{ config, depot, tools, ... }:
  let
    mkNarServe = NAR_CACHE_URL: PORT: {
@ -6,7 +6,7 @@
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        DynamicUser = true;
-        ExecStart = "${inputs.nar-serve.defaultPackage."${pkgs.system}"}/bin/nar-serve";
+        ExecStart = "${depot.inputs.nar-serve.packages.nar-serve}/bin/nar-serve";
      };
      environment = { inherit NAR_CACHE_URL PORT; };
    };
--- a/hosts/VEGAS/services/reflex/default.nix
+++ b/hosts/VEGAS/services/reflex/default.nix
@ -1,4 +1,4 @@
-{ config, inputs, pkgs, tools, ... }:
+{ config, depot, tools, ... }:
 {
  links.nixIpfs.protocol = "http";
@ -6,7 +6,7 @@
  systemd.services.nix-ipfs-cache = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
-      ExecStart = "${inputs.self.packages.${pkgs.system}.reflex-cache}/bin/reflex";
+      ExecStart = "${depot.packages.reflex-cache}/bin/reflex";
      DynamicUser = true;
      SupplementaryGroups = [ "ipfs" ];
      CacheDirectory = "nix-ipfs-cache";
--- a/hosts/VEGAS/services/searxng/default.nix
+++ b/hosts/VEGAS/services/searxng/default.nix
@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, tools, ... }:
+{ config, depot, lib, tools, ... }:
 let
  inherit (config) links;
 in
@ -9,7 +9,7 @@ in
  services.searx = {
    enable = true;
    runInUwsgi = true;
-    package = inputs.self.packages.${pkgs.system}.searxng;
+    package = depot.packages.searxng;
    environmentFile = config.age.secrets.searxng-secrets.path;
    settings = {
      server = {
--- a/hosts/VEGAS/services/sso/default.nix
+++ b/hosts/VEGAS/services/sso/default.nix
@ -1,4 +1,4 @@
-{ cluster, config, inputs, lib, pkgs, tools, ... }:
+{ cluster, config, depot, lib, tools, ... }:
 with tools.nginx;
 let
  login = "login.${tools.meta.domain}";
@ -32,7 +32,7 @@ in
  };
  services.keycloak = {
    enable = true;
-    package = inputs.self.packages.${pkgs.system}.keycloak;
+    package = depot.packages.keycloak;
    database = {
      createLocally = false;
      type = "postgresql";
@ -52,7 +52,7 @@ in
  };
  systemd.services.keycloak.environment = {
    JAVA_OPTS = builtins.concatStringsSep " " [
-      "-javaagent:${inputs.self.packages.${pkgs.system}.opentelemetry-java-agent-bin}"
+      "-javaagent:${depot.packages.opentelemetry-java-agent-bin}"
      "-Dotel.resource.attributes=service.name=keycloak"
      "-Dotel.traces.exporter=otlp"
    ];
--- a/hosts/VEGAS/services/uptime-kuma/default.nix
+++ b/hosts/VEGAS/services/uptime-kuma/default.nix
@ -1,10 +1,8 @@
-{ config, inputs, lib, pkgs, tools, ... }:
+{ config, depot, lib, tools, ... }:
 let
  inherit (tools.meta) domain;
  flakePkgs = inputs.self.packages.${pkgs.system};
  link = config.links.uptime-kuma;
  dataDir = "/srv/storage/private/uptime-kuma";
@ -55,7 +53,7 @@ in
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
-      ExecStart = flakePkgs.uptime-kuma + /bin/uptime-kuma;
+      ExecStart = depot.packages.uptime-kuma + /bin/uptime-kuma;
    };
--- a/hosts/VEGAS/services/websites/default.nix
+++ b/hosts/VEGAS/services/websites/default.nix
@ -1,9 +1,9 @@
-{ inputs, pkgs, tools, ... }:
+{ depot, tools, ... }:
 let
  importWebsites = expr: import expr {
    tools = tools.nginx;
-    packages = inputs.self.packages.${pkgs.system};
+    inherit (depot) packages;
  };
  websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@ -1,4 +1,4 @@
-{ aspect, config, hosts, inputs, tools, ... }:
+{ config, depot, tools, ... }:
 {
  imports =
@ -11,8 +11,8 @@
      ./modules/oauth2-proxy
      ./modules/redis
      ./modules/virtualisation
-      inputs.agenix.nixosModules.age
+      depot.inputs.agenix.nixosModules.age
-      inputs.mms.module
+      depot.inputs.mms.module
      # Services
      ./services/api
@ -40,12 +40,13 @@
      ./services/warehouse
      ./services/websites
      ./services/wireguard-server
-      aspect.modules.hyprspace
+      depot.nixosModules.hyprspace
-      aspect.modules.nix-builder
+      depot.nixosModules.nix-builder
-    ]
+
      depot.nixosModules.backboneBase
    ];
    # TODO: fix users
    # ++ (import ../../users "server").groups.admin
    ++ aspect.sets.backbone;
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
@ -90,7 +91,7 @@
        "fe80::/10"
      ];
-      mkRules = ipt: ranges: map (x: "${ipt} -I nixos-fw 1 -d ${x} -o ${hosts.${config.networking.hostName}.interfaces.primary.link} -j DROP") ranges;
+      mkRules = ipt: ranges: map (x: "${ipt} -I nixos-fw 1 -d ${x} -o ${depot.reflection.interfaces.primary.link} -j DROP") ranges;
      rules4 = mkRules "iptables" privateIp4Ranges;
@ -102,10 +103,10 @@
  services.openssh.passwordAuthentication = false;
  containers.soda = {
-    path = inputs.self.nixosConfigurations.soda.config.system.build.toplevel;
+    path = depot.nixosConfigurations.soda.config.system.build.toplevel;
    privateNetwork = true;
    hostBridge = "vmdefault";
-    localAddress = "${hosts.soda.interfaces.primary.addr}/24";
+    localAddress = "${depot.config.hours.soda.interfaces.primary.addr}/24";
    autoStart = true;
    bindMounts.sodaDir = {
      hostPath = "/srv/storage/www/soda";
--- a/hosts/checkmate/default.nix
+++ b/hosts/checkmate/default.nix
@ -1,4 +1,5 @@
 tools: {
  ssh.enable = true;
  ssh.id = with tools.dns; {
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINImnMfEzUBU5qiuu05DMPrddTGypOtr+cL1/yQN2GFn";
    hostNames = subResolve "checkmate" "node";
@ -12,7 +13,8 @@ tools: {
    };
  };
-  hypr = {
+  hyprspace = {
    enable = true;
    id = "12D3KooWL84sAtq1QTYwb7gVbhSNX5ZUfVt4kgYKz8pdif1zpGUh";
    addr = "10.100.3.32";
    listenPort = 995;
@ -22,6 +24,6 @@ tools: {
    subdomain = "node";
  };
-  arch = "x86_64";
+  system = "x86_64-linux";
-  nixos = import ./system.nix;
+  nixos = ./system.nix;
 }
--- a/hosts/checkmate/system.nix
+++ b/hosts/checkmate/system.nix
@ -1,4 +1,4 @@
-{ aspect, inputs, hosts, ... }:
+{ depot, ... }:
 {
  imports =
@ -6,19 +6,19 @@
      # Hardware
      ./hardware-configuration.nix
-      inputs.agenix.nixosModules.age
+      depot.inputs.agenix.nixosModules.age
-      aspect.modules.hyprspace
+      depot.nixosModules.hyprspace
-      aspect.modules.sss
+      depot.nixosModules.sss
-    ]
+      depot.nixosModules.serverBase
-    ++ aspect.sets.server;
+    ];
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "checkmate";
-  networking.nameservers = [ hosts.VEGAS.interfaces.vstub.addr ];
+  networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
  time.timeZone = "Europe/Zurich";
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -1,31 +0,0 @@
 let
  tools = import ./tools.nix;
 in with tools.dns; {
  # NixOS machines
  VEGAS = import ./VEGAS tools;
  prophet = import ./prophet tools;
  soda = import ./soda tools;
  checkmate = import ./checkmate tools;
  # Non-NixOS machine metadata
  AnimusAlpha = let hostNames = [ "alpha.animus.com" "animus.com" ]; in {
    ssh.id = {
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpFR47Ev+W+bdng6IrDVpl8rlKBBHSr1v5lwJmZcEFH";
      hostNames = portMap 69 hostNames;
    };
    ssh.extraConfig = tools.ssh.extraConfig hostNames [ "Port 69" ];
  };
  # peering
  # max
  TITAN.hypr = {
    id = "QmfJ5Tv2z9jFv9Aocevyn6QqRcfm9eYQZhvYvmAVfACfuM";
    addr = "10.100.3.7";
  };
  jericho.hypr = {
    id = "QmccBLgGP3HR36tTkwSYZX3KDv2EXb1MvYwGVs6PbpbHv9";
    addr = "10.100.3.13";
  };
 }
--- a/hosts/deploy.nix
+++ b/hosts/deploy.nix
@ -0,0 +1,57 @@
 { config, inputs, lib, self, withSystem, ... }:
 let
  inherit (lib) elem mapAttrs toLower;
  inherit (config) gods cluster defaultEffectSystem;
  inherit (config.herculesCI) branch;
  inherit (self) nixosConfigurations;
  chosenHours = gods.fromLight;
  withEffectSystem = withSystem defaultEffectSystem;
  callUpon = name: host: withEffectSystem ({ hci-effects, ... }: let
    inherit (hci-effects) runIf runNixOS;
    inherit (host.enterprise) subdomain;
    hostname = "${toLower name}.${subdomain}.${cluster.domain}";
    deploy-rs = inputs.deploy-rs.lib."${host.system}";
  in {
    effect = runIf (elem branch [ "master" "staging" ]) (runNixOS {
      requiredSystemFeatures = [ "hci-deploy-agent-nixos" ];
      inherit (nixosConfigurations.${name}) config;
      secretsMap.ssh = "deploy-ssh";
      userSetupScript = ''
        writeSSHKey ssh
        cat >>~/.ssh/known_hosts <<EOF
        ${hostname} ${host.ssh.id.publicKey}
        EOF
      '';
      ssh.destination = "root@${hostname}";
    });
    deploy = {
      inherit hostname;
      profiles.system = {
        user = "root";
        sshUser = "deploy";
        path = deploy-rs.activate.nixos self.nixosConfigurations.${name};
      };
    };
  });
  calledUponHours = mapAttrs callUpon chosenHours;
  pick = format: _: calledUponHour: calledUponHour.${format};
 in
 {
  flake.effects = mapAttrs (pick "effect") calledUponHours;
  flake.deploy.nodes = mapAttrs (pick "deploy") calledUponHours;
 }
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@ -0,0 +1,24 @@
 { config, inputs, lib, self, withSystem, ... }:
 let
  inherit (lib) const mapAttrs nixosSystem;
  inherit (config) gods;
  mkSpecialArgs = system: hostName: withSystem system ({ inputs', self', ... }: {
    depot = self // self' // {
      inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
      inherit config;
      # peer into the Watchman's Glass
      reflection = config.hours.${hostName};
    };
    toolsets = import ../tools;
  });
  mkNixOS = name: host: nixosSystem {
    specialArgs = mkSpecialArgs host.system name;
    inherit (host) system;
    modules = [ host.nixos ../tools/inject.nix (import ../cluster/inject.nix name) ];
  };
 in {
  flake.nixosConfigurations = mapAttrs mkNixOS (gods.fromLight // gods.fromFlesh);
 }
--- a/hosts/options/default.nix
+++ b/hosts/options/default.nix
@ -0,0 +1,34 @@
 { config, lib, ... }:
 with lib;
 let
  hourType = types.submodule {
    imports = [
      ./hour/enterprise.nix
      ./hour/hyprspace.nix
      ./hour/interfaces.nix
      ./hour/nixos.nix
      ./hour/ssh.nix
    ];
  };
  mkHours = description: mkOption {
    inherit description;
    type = with types; attrsOf hourType;
    default = {};
  };
 in
 {
  options = {
    gods = {
      fromLight = mkHours "Gods-from-Light: The emanations of The Glory";
      fromFlesh = mkHours "Gods-from-Flesh: Mortals who penetrated the Mansus";
      fromNowhere = mkHours "Gods-from-Nowhere: Lesser Hours";
    };
    hours = mkHours "Hours are the incarnate principles of the world." // {
      readOnly = true;
      default = with config.gods; fromLight // fromFlesh // fromNowhere;
    };
  };
 }
--- a/hosts/options/hour/enterprise.nix
+++ b/hosts/options/hour/enterprise.nix
@ -0,0 +1,12 @@
 { lib, ... }:
 with lib;
 {
  options.enterprise = {
    subdomain = mkOption {
      description = "Host FQDN subdomain.";
      type = types.str;
      default = "services";
    };
  };
 }
--- a/hosts/options/hour/hyprspace.nix
+++ b/hosts/options/hour/hyprspace.nix
@ -0,0 +1,30 @@
 { lib, ... }:
 with lib;
 {
  options.hyprspace = {
    enable = mkEnableOption "Cross-host Hyprspace configuration";
    id = mkOption {
      description = "Hyprspace PeerID.";
      type = types.str;
    };
    addr = mkOption {
      description = "Hyprspace internal IP address.";
      type = types.str;
    };
    routes = mkOption {
      description = "Networks to export to Hyprspace.";
      type = with types; listOf str;
      default = [];
    };
    listenPort = mkOption {
      description = "The port the Hyprspace daemon should listen on.";
      type = types.port;
      default = 8001;
    };
  };
 }
--- a/hosts/options/hour/interfaces.nix
+++ b/hosts/options/hour/interfaces.nix
@ -0,0 +1,38 @@
 { lib, ... }:
 with lib;
 let
  interfaceType = types.submodule ({ config, name, ... }: {
    options = {
      addr = mkOption {
        description = "Static IP address assigned to this interface.";
        type = types.str;
      };
      addrPublic = mkOption {
        description = "Static public IP address.";
        type = types.str;
        default = config.addr;
      };
      link = mkOption {
        description = "Interface link name.";
        type = types.str;
        default = name;
      };
      isNat = mkOption {
        description = "Whether the host is behind NAT.";
        type = types.bool;
        default = config.addr != config.addrPublic;
      };
    };
  });
 in
 {
  options.interfaces = mkOption {
    description = "Network interface information.";
    type = with types; attrsOf interfaceType;
  };
 }
--- a/hosts/options/hour/nixos.nix
+++ b/hosts/options/hour/nixos.nix
@ -0,0 +1,18 @@
 { lib, ... }:
 with lib;
 {
  options = {
    system = mkOption {
      description = "Nix system double for this NixOS host.";
      type = types.enum systems.doubles.linux;
      default = "x86_64-linux";
    };
    nixos = mkOption {
      description = "NixOS configuration.";
      type = with types; nullOr anything;
      default = null;
    };
  };
 }
--- a/hosts/options/hour/ssh.nix
+++ b/hosts/options/hour/ssh.nix
@ -0,0 +1,28 @@
 { lib, ... }:
 with lib;
 {
  options.ssh = {
    enable = mkEnableOption "Cross-host SSH configuration";
    id = {
      publicKey = mkOption {
        description = "Host SSH public key.";
        type = with types; nullOr str;
        default = null;
      };
      hostNames = mkOption {
        description = "Hostnames through which this host can be reached over SSH.";
        type = with types; listOf str;
        default = [];
      };
    };
    extraConfig = mkOption {
      description = "Extra SSH client configuration used to connect to this host.";
      type = types.lines;
      default = "";
    };
  };
 }
--- a/hosts/part.nix
+++ b/hosts/part.nix
@ -0,0 +1,49 @@
 let
  tools = import ./tools.nix;
 in with tools.dns;
 {
  imports = [
    ./deploy.nix
    ./nixos.nix
    ./options
  ];
  gods = {
    fromLight = {
      checkmate = import ./checkmate tools;
      VEGAS = import ./VEGAS tools;
      prophet = import ./prophet tools;
    };
    fromFlesh = {
      soda = import ./soda tools;
    };
    fromNowhere = {
      AnimusAlpha = let hostNames = [ "alpha.animus.com" "animus.com" ]; in {
        ssh.enable = true;
        ssh.id = {
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpFR47Ev+W+bdng6IrDVpl8rlKBBHSr1v5lwJmZcEFH";
          hostNames = portMap 69 hostNames;
        };
        ssh.extraConfig = tools.ssh.extraConfig hostNames [ "Port 69" ];
      };
      # peering
      # max
      TITAN.hyprspace = {
        enable = true;
        id = "QmfJ5Tv2z9jFv9Aocevyn6QqRcfm9eYQZhvYvmAVfACfuM";
        addr = "10.100.3.7";
      };
      jericho.hyprspace = {
        enable = true;
        id = "QmccBLgGP3HR36tTkwSYZX3KDv2EXb1MvYwGVs6PbpbHv9";
        addr = "10.100.3.13";
      };
    };
  };
 }
--- a/hosts/prophet/default.nix
+++ b/hosts/prophet/default.nix
@ -1,4 +1,5 @@
 tools: {
  ssh.enable = true;
  ssh.id = with tools.dns; {
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZ4FyGi69MksEn+UJZ87vw1APqiZmPNlEYIr0CbEoGv";
    hostNames = subResolve "prophet" "node";
@ -12,7 +13,8 @@ tools: {
    };
  };
-  hypr = {
+  hyprspace = {
    enable = true;
    id = "QmbrAHuh4RYcyN9fWePCZMVmQjbaNXtyvrDCWz4VrchbXh";
    addr = "10.100.3.9";
    listenPort = 995;
@ -22,6 +24,6 @@ tools: {
    subdomain = "node";
  };
-  arch = "aarch64";
+  system = "aarch64-linux";
-  nixos = import ./system.nix;
+  nixos = ./system.nix;
 }
--- a/hosts/prophet/system.nix
+++ b/hosts/prophet/system.nix
@ -1,4 +1,4 @@
-{ aspect, inputs, hosts, ... }:
+{ depot, ... }:
 {
  imports =
@ -6,22 +6,21 @@
      # Hardware
      ./hardware-configuration.nix
-      inputs.agenix.nixosModules.age
+      depot.inputs.agenix.nixosModules.age
-      aspect.modules.hyprspace
+      depot.nixosModules.hyprspace
-      aspect.modules.nix-builder
+      depot.nixosModules.nix-builder
-      aspect.modules.sss
+      depot.nixosModules.sss
-
+      depot.nixosModules.serverBase
-    ]
+    ];
    ++ aspect.sets.server;
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "prophet";
-  networking.nameservers = [ hosts.VEGAS.interfaces.vstub.addr ];
+  networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
  time.timeZone = "Europe/Zurich";
--- a/hosts/soda/default.nix
+++ b/hosts/soda/default.nix
@ -1,4 +1,5 @@
 tools: {
  ssh.enable = true;
  ssh.id = with tools.dns; {
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDShq3dbZy9SARsH8aSjfMQ+/eTW44eZuHVCLvgtDNKw";
    hostNames = subResolve "soda" "int";
@ -16,7 +17,6 @@ tools: {
    subdomain = "int";
  };
-  arch = "x86_64";
+  system = "x86_64-linux";
-  nixos = import ./system.nix;
+  nixos = ./system.nix;
  container = true;
 }
--- a/hosts/soda/system.nix
+++ b/hosts/soda/system.nix
@ -1,12 +1,12 @@
-{ aspect, hosts, ... }:
+{ depot, ... }:
 {
-  imports = with aspect; [
+  imports = with depot.nixosModules; [
-    modules.fail2ban
+    containerBase
-    modules.nix-config-server
+    fail2ban
-    modules.sss
+    sss
    ./soda.nix
-  ] ++ sets.base ++ sets.networking;
+  ];
  boot.isContainer = true;
@ -14,9 +14,9 @@
  networking.interfaces.eth0.useDHCP = true;
-  networking.nameservers = [ hosts.VEGAS.interfaces.vstub.addr ];
+  networking.nameservers = [ depot.config.hours.VEGAS.interfaces.vstub.addr ];
-  networking.resolvconf.extraConfig = "local_nameservers='${hosts.VEGAS.interfaces.vstub.addr}'";
+  networking.resolvconf.extraConfig = "local_nameservers='${depot.config.hours.VEGAS.interfaces.vstub.addr}'";
  networking.hostName = "soda";
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,63 +0,0 @@
 inputs:
 with builtins;
 let
  aspects = {
    autopatch = import ./autopatch;
    consul-service-registry = import ./consul-service-registry;
    deploy-rs-receiver = import ./deploy-rs-receiver;
    enterprise = import ./enterprise;
    fail2ban = import ./fail2ban;
    hydra = import ./hydra;
    hyprspace = import ./hyprspace;
    ipfs = import ./ipfs;
    ipfs-cluster = import ./ipfs-cluster;
    maintenance = import ./maintenance;
    minimal = import ./minimal;
    motd = import ./motd;
    nix-builder = import ./nix-builder;
    nix-config-server = import ./nix-config/server.nix;
    nix-register-flakes = import ./nix-register-flakes;
    patroni = import ./patroni;
    port-magic = import ./port-magic;
    shell-config = import ./shell-config;
    ssh = import ./ssh;
    sss = import ./sss;
    system-info = import ./system-info;
    system-recovery = import ./system-recovery;
    tested = import ./tested;
  };
 in rec {
  modules = aspects;
  sets = with modules; rec {
    base = [
      autopatch
      enterprise
      maintenance
      minimal
    ];
    networking = [
      port-magic
      ssh
    ];
    server = [
      consul-service-registry
      deploy-rs-receiver
      fail2ban
      motd
      nix-config-server
      system-info
      system-recovery
      tested
    ] ++ base ++ networking;
    container = [
      nix-config-server
    ] ++ base ++ networking;
    backbone = server ++ [
      sss
    ];
  };
 }
--- a/modules/enterprise/default.nix
+++ b/modules/enterprise/default.nix
@ -1,8 +1,8 @@
-{ config, hosts, lib, tools, ... }:
+{ config, depot, lib, tools, ... }:
 let
  orgDomain = tools.meta.domain;
  orgRealm = lib.toUpper orgDomain;
-  host = hosts.${config.networking.hostName} or null;
+  host = depot.reflection;
 in {
  krb5 = {
    enable = true;
--- a/modules/fail2ban/default.nix
+++ b/modules/fail2ban/default.nix
@ -1,4 +1,4 @@
-{ config, hosts, ... }:
+{ config, depot, ... }:
 {
  services.fail2ban = {
    enable = true;
@ -10,7 +10,7 @@
    '';
    ignoreIP = [
      "10.0.0.0/8"
-      hosts.${config.networking.hostName}.interfaces.primary.addr
+      depot.reflection.interfaces.primary.addr
    ];
    bantime-increment = {
      enable = true;
--- a/modules/hyprspace/default.nix
+++ b/modules/hyprspace/default.nix
@ -1,23 +1,23 @@
-{ pkgs, inputs, lib, hosts, config, ... }:
+{ pkgs, depot, lib, config, ... }:
 let
  inherit (config.networking) hostName;
-  inherit (inputs.self.packages.${pkgs.system}) hyprspace;
+  inherit (depot.packages) hyprspace;
-  hyprspaceCapableNodes = lib.filterAttrs (_: host: host ? hypr) hosts;
+  hyprspaceCapableNodes = lib.filterAttrs (_: host: host.hyprspace.enable) depot.config.hours;
  peersFormatted = builtins.mapAttrs (_: x: {
-    inherit (x.hypr) id;
+    inherit (x.hyprspace) id;
-    routes = map (net: { inherit net; }) ((x.hypr.routes or []) ++ [ "${x.hypr.addr}/32" ]);
+    routes = map (net: { inherit net; }) ((x.hyprspace.routes or []) ++ [ "${x.hyprspace.addr}/32" ]);
  }) hyprspaceCapableNodes;
  peersFiltered = lib.filterAttrs (name: _: name != hostName) peersFormatted;
  peerList = builtins.attrValues peersFiltered;
-  myNode = hosts.${hostName};
+  myNode = depot.reflection;
-  listenPort = myNode.hypr.listenPort or 8001;
+  listenPort = myNode.hyprspace.listenPort or 8001;
  interfaceConfig = pkgs.writeText "hyprspace.yml" (builtins.toJSON {
    interface = {
      name = "hyprspace";
      listen_port = listenPort;
-      inherit (myNode.hypr) id;
+      inherit (myNode.hyprspace) id;
-      address = "${myNode.hypr.addr}/24";
+      address = "${myNode.hyprspace.addr}/24";
      private_key = "@HYPRSPACEPRIVATEKEY@";
    };
    peers = peerList;
@ -26,7 +26,7 @@ let
  privateKeyFile = config.age.secrets.hyprspace-key.path;
  runConfig = "/run/hyprspace.yml";
 in {
-  networking.hosts = lib.mapAttrs' (k: v: lib.nameValuePair v.hypr.addr [k "${k}.hypr"]) hyprspaceCapableNodes;
+  networking.hosts = lib.mapAttrs' (k: v: lib.nameValuePair v.hyprspace.addr [k "${k}.hypr"]) hyprspaceCapableNodes;
  age.secrets.hyprspace-key = {
    file = ../../secrets/hyprspace-key- + "${hostName}.age";
    mode = "0400";
--- a/modules/maintenance/default.nix
+++ b/modules/maintenance/default.nix
@ -1,5 +1,3 @@
 { inputs, pkgs, ... }:
 {
  systemd.targets.maintenance = {
    unitConfig.AllowIsolate = true;
--- a/modules/motd/default.nix
+++ b/modules/motd/default.nix
@ -1,4 +1,4 @@
-{ config, inputs, pkgs, ... }:
+{ config, depot, pkgs, ... }:
 {
  users.motd = builtins.readFile ./motd.txt;
  environment.interactiveShellInit = let
@ -40,7 +40,7 @@
    echo -e " █ ''${BGREEN}(✓)''${CO} ''${BWHITE}You are using a genuine Private Void™ system.''${CO}"
    echo    " █"
    echo -e " █ ''${BWHITE}OS Version....:''${CO} NixOS ''${CAB}${config.system.nixos.version}''${CO}" 
-    echo -e " █ ''${BWHITE}Configuration.:''${CO} ''${CAB}${inputs.self.rev or "\${BRED}(✘)\${CO}\${BWHITE} Dirty"}''${CO}" 
+    echo -e " █ ''${BWHITE}Configuration.:''${CO} ''${CAB}${depot.rev or "\${BRED}(✘)\${CO}\${BWHITE} Dirty"}''${CO}" 
    echo -e " █ ''${BWHITE}Uptime........:''${CO} $(${uptime} -p | ${util "cut"} -d ' ' -f2- | GREP_COLORS='mt=01;35' ${grep} --color=always '[0-9]*')"
    echo -e " █ ''${BWHITE}SSH Logins....:''${CO} There are currently ''${CAB}$(${countUsers})''${CO} users logged in on ''${CAB}$(${countSessions})''${CO} sessions"
    )
--- a/modules/nix-config/server.nix
+++ b/modules/nix-config/server.nix
@ -1,8 +1,8 @@
-{ pkgs, lib, config, inputs, tools, ... }:
+{ pkgs, lib, config, depot, tools, ... }:
 {
  nix = {
-    package = inputs.nix-super.packages.${pkgs.system}.default;
+    package = depot.inputs.nix-super.packages.default;
    settings = {
      trusted-users = [ "root" "@wheel" "@admins" ];
--- a/modules/nix-register-flakes/default.nix
+++ b/modules/nix-register-flakes/default.nix
@ -1,6 +1,6 @@
-{ inputs, ... }:
+{ depot, ... }:
-with inputs;
+with depot.inputs;
 {
  nix.nixPath = [
    "repl=/etc/nixos/flake-channels/system/repl.nix"
@ -8,13 +8,13 @@ with inputs;
  ];
  nix.registry = {
-    system.flake = self;
+    system.flake = depot;
    nixpkgs.flake = nixpkgs;
    default.flake = nixpkgs;
  };
  environment.etc = {
-    "nixos/flake-channels/system".source = inputs.self;
+    "nixos/flake-channels/system".source = depot;
    "nixos/flake-channels/nixpkgs".source = nixpkgs;
  };
 }
--- a/modules/part.nix
+++ b/modules/part.nix
@ -0,0 +1,64 @@
 { config, ... }:
 let
  group = imports: { inherit imports; };
 in
 {
  flake.nixosModules = with config.flake.nixosModules; {
    autopatch = ./autopatch;
    consul-service-registry = ./consul-service-registry;
    deploy-rs-receiver = ./deploy-rs-receiver;
    enterprise = ./enterprise;
    fail2ban = ./fail2ban;
    hydra = ./hydra;
    hyprspace = ./hyprspace;
    ipfs = ./ipfs;
    ipfs-cluster = ./ipfs-cluster;
    maintenance = ./maintenance;
    minimal = ./minimal;
    motd = ./motd;
    nix-builder = ./nix-builder;
    nix-config-server = ./nix-config/server.nix;
    nix-register-flakes = ./nix-register-flakes;
    patroni = ./patroni;
    port-magic = ./port-magic;
    shell-config = ./shell-config;
    ssh = ./ssh;
    sss = ./sss;
    system-info = ./system-info;
    system-recovery = ./system-recovery;
    tested = ./tested;
    machineBase = group [
      autopatch
      enterprise
      maintenance
      minimal
      port-magic
      ssh
    ];
    serverBase = group [
      machineBase
      consul-service-registry
      deploy-rs-receiver
      fail2ban
      motd
      nix-config-server
      system-info
      system-recovery
      tested
    ];
    containerBase = group [
      machineBase
      nix-config-server
    ];
    backboneBase = group [
      serverBase
      sss
    ];
  };
 }
--- a/modules/ssh/default.nix
+++ b/modules/ssh/default.nix
@ -1,8 +1,8 @@
-{ hosts, lib, ... }:
+{ depot, lib, ... }:
 let
-  filtered = lib.filterAttrs (_: host: host ? ssh) hosts;
+  filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.config.hours;
-  idCapable = lib.filterAttrs (_: host: host.ssh ? id) filtered;
+  idCapable = lib.filterAttrs (_: host: host.ssh.id.publicKey != null) filtered;
-  configCapable = lib.filterAttrs (_: host: host.ssh ? extraConfig) filtered;
+  configCapable = lib.filterAttrs (_: host: host.ssh.extraConfig != "") filtered;
  sshHosts = lib.mapAttrs (_: host: host.ssh.id) idCapable;
  sshExtras = lib.mapAttrsToList (_: host: host.ssh.extraConfig) configCapable;
--- a/modules/sss/default.nix
+++ b/modules/sss/default.nix
@ -1,9 +1,9 @@
-{ config, lib, hosts, tools, utils, ... }:
+{ config, lib, depot, tools, utils, ... }:
 let
  inherit (tools.meta) domain;
  inherit (tools) identity;
  inherit (config.networking) hostName;
-  inherit (hosts.${hostName}) enterprise interfaces;
+  inherit (depot.reflection) enterprise interfaces;
  toINI = content: lib.generators.toINI {} (iniFilter content);
--- a/modules/system-info/default.nix
+++ b/modules/system-info/default.nix
@ -1,5 +1,5 @@
-{ inputs, ... }:
+{ depot, ... }:
 {
-  system.configurationRevision = inputs.self.rev or null;
+  system.configurationRevision = depot.rev or null;
 }
--- a/modules/tested/default.nix
+++ b/modules/tested/default.nix
@ -1,4 +1,4 @@
-{ config, inputs, lib, pkgs, ... }:
+{ config, depot, lib, pkgs, ... }:
 with lib;
 {
@ -9,5 +9,5 @@ with lib;
      default = [];
    };
  };
-  config.system.extraDependencies = map (name: inputs.self.checks.${pkgs.system}.${name}) config.tested.requiredChecks;
+  config.system.extraDependencies = map (name: depot.checks.${name}) config.tested.requiredChecks;
 }