checks/simulacrum: better networking

cluster/lib/inject-nixos-config.nix

@@ -2,9 +2,9 @@
 with lib;
 
 {
-  options.out = mkOption {
+  options.out.injectNixosConfig = mkOption {
-    description = "Output functions.";
+    description = "NixOS configuration to inject into the given host.";
-    type = with types; lazyAttrsOf (functionTo raw);
+    type = with types; functionTo raw;
     default = const [];
   };
 }

cluster/lib/services.nix

@@ -39,11 +39,7 @@ in
     default = {};
   };
 
-  config.out = {
+  config.out.injectNixosConfig = hostName: (lib.flatten (lib.mapAttrsToList (getHostConfigurations hostName) config.services)) ++ [
-    injectNixosConfigForServices = services: hostName: (lib.flatten (lib.mapAttrsToList (getHostConfigurations hostName) (lib.getAttrs services config.services))) ++ [
     introspectionModule
   ];
-
-    injectNixosConfig = config.out.injectNixosConfigForServices (lib.attrNames config.services);
-  };
 }

cluster/services/bitwarden/default.nix

@@ -1,10 +1,5 @@
 { depot, ... }:
 
 {
-  services.bitwarden = {
-    nodes.host = [ "VEGAS" ];
-    nixos.host = ./host.nix;
-  };
-
   dns.records.keychain.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
 }

cluster/services/fbi/default.nix

@@ -1,11 +1,6 @@
 { depot, ... }:
 
 {
-  services.fbi = {
-    nodes.host = [ "VEGAS" ];
-    nixos.host = ./host.nix;
-  };
-
   dns.records = let
     fbiAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
   in {

cluster/services/frangiclave/default.nix

@@ -1,22 +0,0 @@
-{ config, ... }:
-
-{
-  services.frangiclave = {
-    nodes = {
-      server = [ "VEGAS" "grail" "prophet" ];
-      cluster = config.services.frangiclave.nodes.server;
-      agent = []; # all nodes, for vault-agent, secret templates, etc.
-    };
-    meshLinks = {
-      server.link.protocol = "http";
-      cluster.link.protocol = "http";
-    };
-    nixos = {
-      server = [
-        ./server.nix
-      ];
-      cluster = [];
-      agent = [];
-    };
-  };
-}

cluster/services/frangiclave/server.nix

@@ -1,23 +0,0 @@
-{ cluster, config, depot, ... }:
-
-let
-  apiLink = cluster.config.hostLinks.${config.networking.hostName}.frangiclave-server;
-  clusterLink = cluster.config.hostLinks.${config.networking.hostName}.frangiclave-cluster;
-in
-
-{
-  services.vault = {
-    enable = true;
-    package = depot.packages.openbao;
-    address = apiLink.tuple;
-    extraConfig = /*hcl*/ ''
-      api_addr = "${apiLink.url}"
-      cluster_addr = "${clusterLink.url}"
-    '';
-
-    storageBackend = "raft";
-    storageConfig = /*hcl*/ ''
-      node_id = "x${builtins.hashString "sha256" "frangiclave-node-${config.networking.hostName}"}"
-    '';
-  };
-}

cluster/services/gitlab/default.nix

@@ -1,10 +1,5 @@
 { depot, ... }:
 
 {
-  services.gitlab = {
-    nodes.host = [ "VEGAS" ];
-    nixos.host = ./host.nix;
-  };
-
   dns.records.git.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
 }

cluster/services/reflex/default.nix

@@ -1,10 +1,5 @@
 { depot, ... }:
 
 {
-  services.reflex = {
-    nodes.host = [ "VEGAS" ];
-    nixos.host = ./host.nix;
-  };
-
   dns.records.reflex.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
 }

cluster/services/soda/default.nix

@@ -1,11 +1,6 @@
 { depot, ... }:
 
 {
-  services.soda = {
-    nodes.host = [ "VEGAS" ];
-    nixos.host = ./host.nix;
-  };
-
   monitoring.blackbox.targets.soda-machine = {
     address = "soda.int.${depot.lib.meta.domain}:22";
     module = "sshConnect";

cluster/services/soda/host.nix

@@ -1,26 +0,0 @@
-{ depot, ... }:
-
-{
-  containers.soda = {
-    path = depot.nixosConfigurations.soda.config.system.build.toplevel;
-    privateNetwork = true;
-    hostBridge = "vmdefault";
-    localAddress = "${depot.hours.soda.interfaces.primary.addr}/24";
-    autoStart = true;
-    bindMounts.sodaDir = {
-      hostPath = "/srv/storage/www/soda";
-      mountPoint = "/soda";
-      isReadOnly = false;
-    };
-  };
-
-  systemd.services."container@soda".after = [ "libvirtd.service" "sys-devices-virtual-net-vmdefault.device" ];
-
-  networking.nat.forwardPorts = [
-    {
-      sourcePort = 52222;
-      destination = "${depot.hours.soda.interfaces.primary.addr}:22";
-      proto = "tcp";
-    }
-  ];
-}

cluster/services/sso/default.nix

@@ -1,11 +1,6 @@
 { depot, ... }:
 
 {
-  services.sso = {
-    nodes.host = [ "VEGAS" ];
-    nixos.host = ./host.nix;
-  };
-
   dns.records = let
     ssoAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
   in {

hosts/VEGAS/services/backbone-routing/default.nix

@@ -3,6 +3,10 @@ let
   inherit (config.reflection) interfaces;
 in
 {
+  imports = [
+    ./port-forward.nix
+  ];
+
   networking.nat = {
     enable = true;
     externalInterface = interfaces.primary.link;

hosts/VEGAS/services/backbone-routing/port-forward.nix

@@ -0,0 +1,11 @@
+{ depot, ... }:
+
+{
+  networking.nat.forwardPorts = [
+    {
+      sourcePort = 52222;
+      destination = "${depot.hours.soda.interfaces.primary.addr}:22";
+      proto = "tcp";
+    }
+  ];
+}

hosts/VEGAS/system.nix

@@ -16,10 +16,15 @@
 
       # Services
       ./services/backbone-routing
+      ./services/bitwarden
       ./services/cdn-shield
+      ./services/fbi
+      ./services/gitlab
       ./services/jokes
       ./services/mail
       ./services/minecraft
+      ./services/reflex
+      ./services/sso
       ./services/websites
       ./services/wireguard-server
       depot.nixosModules.hyprspace
@@ -85,4 +90,18 @@
 
   system.stateVersion = "21.05";
   services.openssh.settings.PasswordAuthentication = false;
+
+  containers.soda = {
+    path = depot.nixosConfigurations.soda.config.system.build.toplevel;
+    privateNetwork = true;
+    hostBridge = "vmdefault";
+    localAddress = "${depot.hours.soda.interfaces.primary.addr}/24";
+    autoStart = true;
+    bindMounts.sodaDir = {
+      hostPath = "/srv/storage/www/soda";
+      mountPoint = "/soda";
+      isReadOnly = false;
+    };
+  };
+  systemd.services."container@soda".after = [ "libvirtd.service" "sys-devices-virtual-net-vmdefault.device" ];
 }

packages/checks/simulacrum.nix

@@ -55,7 +55,7 @@ testers.runNixOSTest {
       specialArgs.depot.hours.${node}.nixos
       ./modules/nixos/age-dummy-secrets
       ./modules/nixos/external-storage.nix
-    ] ++ depot'.config.cluster.config.out.injectNixosConfigForServices [ "consul" "certificates" "nginx" "wireguard" "frangiclave" ] node;
+    ] ++ depot'.config.cluster.config.out.injectNixosConfig node;
 
     boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
     networking = {

packages/websites/stop-using-nix-env/project.nix

@@ -3,7 +3,7 @@
     packages.stop-using-nix-env = let
       site = with pkgs; stdenvNoCC.mkDerivation rec {
         pname = "stop-using-nix-env";
-        version = "1.2.1";
+        version = "1.2.0";
         src = ./src;
         buildCommand = ''
           install -Dm644 $src/* -t $out/share/www/${pname}

packages/websites/stop-using-nix-env/src/index.html

@@ -218,7 +218,7 @@
     Do you often run into a situation where you need a particular command
     for a one-off thing, but don't feel like it should reside on your system
     at all times?
-    <a href="https://nix.dev/tutorials/first-steps/ad-hoc-shell-environments.html">Ephemeral shells</a>
+    <a href="https://nixos.org/guides/ad-hoc-developer-environments.html">Ephemeral shells</a>
     allow you to <i>gain temporary access</i> to a command and after you exit
     out of the shell, it's as if the package was never installed.
     If you're using Flakes,