diff --git a/CHANGELOG.md b/CHANGELOG.md index 1c7a9a3..dd559bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,3 +23,11 @@ Minor patches - cerulean no longer depends on `nixpkgs`, `base` package set should be set instead - rename `extraModules` -> `modules` - rename `specialArgs` -> `args` + +## v0.2.3-alpha +>[!TODO] +> I've been too focused on upcoming changes... + +## v0.2.4-alpha +- `homeManager` flake reference may now be specified in snowflake +- `` diff --git a/NOTICE b/NOTICE new file mode 100644 index 0000000..f85b4fa --- /dev/null +++ b/NOTICE @@ -0,0 +1,26 @@ +Cerulean (https://dobutterfliescry.net/cerulean) +Copyright 2025-2026 _cry64 (Emile Clark-Boman) + +This product includes software developed by +_cry64 (Emile Clark-Boman) (https://github.com/cry128/nt) under the MIT license. +Copyright 2025-2026 _cry64 (Emile Clark-Boman) + +This product includes software developed by +Eelco Dolstra and the Nixpkgs/NixOS contributors under the MIT license. +Copyright 2003-2026 Eelco Dolstra and the Nixpkgs/NixOS contributors + +This product includes software developed by +the Home Manager contributors (https://github.com/nix-community/home-manager) under the MIT license. +Copyright 2017-2026 Home Manager contributors + +This product includes software developed by +Serokell (https://serokell.io) under the MPL-2.0 license. +Copyright 2020-2026 Serokell + +This product includes software developed by +nix-systems (https://github.com/nix-systems) under the MIT license. +Copyright 2023 nix-systems + +This product includes software developed by +Astro (https://github.com/astro) and the MicroVM.nix contributors (https://github.com/microvm-nix/microvm.nix) under the MIT license. +Copyright 2021 Astro, and MicroVM.nix contributors diff --git a/TODO.md b/TODO.md index 1dde662..2f4edac 100755 --- a/TODO.md +++ b/TODO.md @@ -1,10 +1,15 @@ -- [ ] base should automatically be set as the default (dont do anything with the default) -- [ ] try to remove common foot guns, ie abort if the user provides the home-manager or microvm nixosModules +## Next +- [ ] use the Nix module system instead of projectOnto for `cerulean.mkNexus` +- [ ] add `options.experimental` for snowflake +- [ ] add `legacyImports` support + +## Queued +- [X] base should automatically be set as the default (dont do anything with the default) +- [X] try to remove common foot guns, ie abort if the user provides the home-manager or microvm nixosModules since cerulean ALREADY provides these - [ ] deploy port should default to the first port given to `services.openssh` -- [ ] use the Nix module system instead of projectOnto for `cerulean.mkNexus` - [ ] create an alternative to nixos-install called cerulean-install that allows people to easily bootstrap new machines (and host it on dobutterfliescry.net) @@ -34,10 +39,6 @@ that allows transformations (ie a stop post config, ie outputs, which it then returns instead of config) - -- [ ] what if we automated the process of replacing windows with Nix?? - then push this to nixos-anywhere or nix-infect lmaooo - - [ ] patch microvm so that acpi=off https://github.com/microvm-nix/microvm.nix/commit/b59a26962bb324cc0a134756a323f3e164409b72 cause otherwise 2GB causes a failure diff --git a/ceru/ceru b/ceru/ceru index f407960..5630489 100755 --- a/ceru/ceru +++ b/ceru/ceru @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 2025 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/ceru/libceru.sh b/ceru/libceru.sh index 95aba51..ed1b6c3 100755 --- a/ceru/libceru.sh +++ b/ceru/libceru.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 2025 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/ceru/subcmds/new/cache-key b/ceru/subcmds/new/cache-key index 0b5aa13..e193e83 100755 --- a/ceru/subcmds/new/cache-key +++ b/ceru/subcmds/new/cache-key @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 2025 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/ceru/subcmds/new/default.sh b/ceru/subcmds/new/default.sh index af34920..88175fa 100755 --- a/ceru/subcmds/new/default.sh +++ b/ceru/subcmds/new/default.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 2025 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/ceru/subcmds/new/password b/ceru/subcmds/new/password index d5cd795..232539b 100755 --- a/ceru/subcmds/new/password +++ b/ceru/subcmds/new/password @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 2026 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/ceru/subcmds/new/ssh-key b/ceru/subcmds/new/ssh-key index d0aa524..651aadb 100755 --- a/ceru/subcmds/new/ssh-key +++ b/ceru/subcmds/new/ssh-key @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 2025 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/ceru/subcmds/new/wg-key b/ceru/subcmds/new/wg-key index 2efa85c..bab6773 100755 --- a/ceru/subcmds/new/wg-key +++ b/ceru/subcmds/new/wg-key @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 2025 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/cerulean/default.nix b/cerulean/default.nix index 202fdf9..47fcdfd 100644 --- a/cerulean/default.nix +++ b/cerulean/default.nix @@ -1,4 +1,4 @@ -# Copyright 2025 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,20 +17,23 @@ ... } @ args: mix.newMixture args (mixture: { - includes.public = [ - ./nexus + submods.public = [ + ./snow ]; - version = "0.2.2"; + version = "0.2.3"; - nixosModules = rec { - default = cerulean; - cerulean = ./nixos; - }; + # WARNING: legacy + mkFlake = mixture.snow.flake; overlays = [ # build deploy-rs as a package not from the flake input, # hence we can rely on a nixpkg binary cache. inputs.deploy-rs.overlays.default ]; + + nixosModules = rec { + default = cerulean; + cerulean = ./nixos; + }; }) diff --git a/cerulean/nexus/nexus.nix b/cerulean/nexus/nexus.nix deleted file mode 100644 index 5d0ca02..0000000 --- a/cerulean/nexus/nexus.nix +++ /dev/null @@ -1,297 +0,0 @@ -# Copyright 2025 Emile Clark-Boman -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -{ - self, - this, - nt, - inputs, - ... -}: let - inherit - (builtins) - all - attrNames - concatLists - concatStringsSep - elem - filter - getAttr - isAttrs - isFunction - isList - mapAttrs - pathExists - typeOf - ; - - inherit - (this) - mapNodes - ; - - inherit - (nt) - findImport - ; - - templateNexus = let - inherit - (nt.naive.terminal) - Terminal - ; - in { - base = null; - modules = []; - args = Terminal {}; - homeManager = null; - - groups = Terminal {}; - nodes = Terminal {}; - }; - - ROOT_GROUP_NAME = "all"; - - parseGroupDecl = groups: let - validGroup = g: - isAttrs g - || throw '' - Cerulean Nexus groups must be provided as attribute sets, got "${typeOf g}" instead! - Ensure all the group definitions are attribute sets under your call to `cerulean.mkNexus`. - NOTE: Groups can be accessed via `self.groups.PATH.TO.YOUR.GROUP` - ''; - delegate = parent: gName: g: let - result = - (g - // { - _name = gName; - _parent = parent; - }) - |> mapAttrs (name: value: - if elem name ["_name" "_parent"] - # ignore metadata fields - then value - else assert validGroup value; (delegate result name value)); - in - result; - in - assert validGroup groups; - delegate null ROOT_GROUP_NAME groups; - - parseNexus = nexus: - assert isAttrs nexus - || abort '' - Cerulean Nexus config must be provided as an attribute set, got "${typeOf nexus}" instead! - Ensure the `nexus` declaration is an attribute set under your call to `cerulean.mkNexus`. - ''; let - decl = nt.projectOnto templateNexus nexus; - in - # XXX: TODO: create a different version of nt.projectOnto that can actually - # XXX: TODO: handle applying a transformation to the result of each datapoint - decl - // { - groups = parseGroupDecl decl.groups; - }; - - parseDecl = outputsBuilder: let - decl = ( - if isFunction outputsBuilder - then outputsBuilder final # provide `self` - else - assert (isAttrs outputsBuilder) - || abort '' - Cerulean declaration must be provided as an attribute set, got "${typeOf outputsBuilder}" instead! - Ensure your declaration is an attribute set or function under your call to `cerulean.mkNexus`. - ''; outputsBuilder - ); - - final = - decl - // { - nexus = parseNexus (decl.nexus or {}); - }; - in - final; - - getGroupModules = root: nodeName: node: - assert isList node.groups - || throw '' - Cerulean Nexus node "${nodeName}" does not declare group membership as a list, got "${typeOf node.groups}" instead! - Ensure `nexus.nodes.${nodeName}.groups` is a list under your call to `cerulean.mkNexus`. - ''; - # ensure root group is always added - (node.groups - ++ [ - { - _parent = null; - _name = ROOT_GROUP_NAME; - } - ]) - # ensure all members are actually groups - |> map (group: let - got = - if ! isAttrs group - then toString group - else - group - |> attrNames - |> map (name: "${name} = <${typeOf (getAttr name group)}>;") - |> concatStringsSep " " - |> (x: "{ ${x} }"); - in - if group ? _name - then group - else - throw '' - Cerulean Nexus node "${nodeName}" is a member of an incorrectly structured group. - Got "${got}" of primitive type "${typeOf group}". - NOTE: Groups can be accessed via `self.groups.PATH.TO.YOUR.GROUP` - '') - # add all inherited groups via _parent - |> map (let - delegate = g: - if g._parent == null - then [g] - else [g] ++ delegate (g._parent); - in - delegate) - # flatten recursion result - |> concatLists - # find import location - |> map (group: findImport (root + "/groups/${group._name}")) - # filter by uniqueness - |> nt.prim.unique - # ignore missing groups - |> filter pathExists; -in { - mkNexus = root: outputsBuilder: let - decl = parseDecl outputsBuilder; - - inherit - (decl) - nexus - ; - customOutputs = removeAttrs decl ["nexus"]; - - outputs = rec { - nixosConfigurations = mapNodes nexus ( - { - base, - lib, - nodeName, - node, - ... - }: let - nixosDecl = let - homeManager = - if node.homeManager != null - then node.homeManager - else nexus.homeManager; - - userArgs = nexus.args // node.args; - ceruleanArgs = { - inherit root base; - inherit (node) system; - _cerulean = { - inherit inputs userArgs ceruleanArgs homeManager; - specialArgs = userArgs // ceruleanArgs; - }; - }; - specialArgs = assert (userArgs - |> attrNames - |> all (argName: - ! ceruleanArgs ? argName - || abort '' - `specialArgs` are like super important to Cerulean my love... mapAttrs (nodeName: nodeAttrs: let - node = parseNode nodeName nodeAttrs; - - # use per-node base or default to nexus base - base = - if node.base != null - then node.base - else if nexus.base != null - then nexus.base - else - abort '' - Cerulean cannot construct nexus node "${nodeName}" without a base package source. - Ensure `nexus.nodes.*.base` or `nexus.base` is a flake reference to the github:NixOS/nixpkgs repository. - ''; - in - f { - inherit nodeName node base; - inherit (base) lib; - }); -} diff --git a/cerulean/nexus/snow.nix b/cerulean/nexus/snow.nix deleted file mode 100644 index 28496ca..0000000 --- a/cerulean/nexus/snow.nix +++ /dev/null @@ -1,108 +0,0 @@ -# Copyright 2026 Emile Clark-Boman -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -{ - inputs, - lib, - ... -}: { - # nexus - options = let - inherit - (lib) - mkOption - types - ; - in { - modules = mkOption { - type = types.listOf types.path; - }; - args = mkOption { - type = types.attrs; - }; - - groups = mkOption { - type = types.attrs; - }; - - nodes = mkOption { - type = types.attrsOf (types.submoduleWith ({...}: { - options = { - enabled = mkOption { - type = types.bool; - default = true; - }; - system = mkOption { - type = types.enum inputs.systems; - }; - groups = mkOption { - type = types.list; - }; - modules = mkOption { - type = types.list; - }; - args = mkOption { - type = types.attrs; - }; - - deploy = { - user = mkOption { - type = types.str; - }; - sudoCmd = mkOption { - type = types.str; - }; - interactiveSudo = mkOption { - type = types.bool; - }; - - remoteBuild = mkOption { - type = types.bool; - }; - autoRollback = mkOption { - type = types.bool; - }; - magicRollback = mkOption { - type = types.bool; - }; - - activationTimeout = mkOption { - type = types.int; - }; - confirmTimeout = mkOption { - type = types.int; - }; - - ssh = { - host = mkOption { - type = types.str; - }; - user = mkOption { - type = types.str; - }; - port = mkOption { - type = types.int; - }; - opts = mkOption { - type = types.listOf types.str; - }; - }; - }; - }; - })); - }; - }; - - config = { - }; -} diff --git a/cerulean/nixos/default.nix b/cerulean/nixos/default.nix index ea7c359..8d96f08 100644 --- a/cerulean/nixos/default.nix +++ b/cerulean/nixos/default.nix @@ -1,4 +1,4 @@ -# Copyright 2026 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,16 +13,23 @@ # limitations under the License. { root, + pkgs, system, _cerulean, ... } @ args: { - imports = + imports = with _cerulean.inputs; [ + # add support for `options.legacyImports` + # ./legacy-imports.nix + # user configuration (import (root + "/nixpkgs.nix")) # options declarations (import ./nixpkgs.nix (args // {contextName = "hosts";})) + + sops-nix.nixosModules.sops + # microvm.nixosModules.microvm ] ++ ( if _cerulean.homeManager != null @@ -30,7 +37,11 @@ else [] ); - environment.systemPackages = with _cerulean.inputs; [ - deploy-rs.packages.${system}.default - ]; + environment.systemPackages = + (with pkgs; [ + sops + ]) + ++ (with _cerulean.inputs; [ + deploy-rs.packages.${system}.default + ]); } diff --git a/cerulean/nixos/home-manager.nix b/cerulean/nixos/home-manager.nix index 1d281cb..8c1aa8b 100644 --- a/cerulean/nixos/home-manager.nix +++ b/cerulean/nixos/home-manager.nix @@ -1,4 +1,4 @@ -# Copyright 2026 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,6 +25,10 @@ pathExists ; in { + imports = [ + _cerulean.homeManager.nixosModules.default + ]; + home-manager = { users = config.users.users diff --git a/cerulean/nixos/microvm-child.nix b/cerulean/nixos/microvm-child.nix index 2b6a12e..d13e217 100644 --- a/cerulean/nixos/microvm-child.nix +++ b/cerulean/nixos/microvm-child.nix @@ -1,4 +1,4 @@ -# Copyright 2026 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/cerulean/nixos/microvm-parent.nix b/cerulean/nixos/microvm-parent.nix index 2b6a12e..d13e217 100644 --- a/cerulean/nixos/microvm-parent.nix +++ b/cerulean/nixos/microvm-parent.nix @@ -1,4 +1,4 @@ -# Copyright 2026 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/cerulean/nixos/nixpkgs.nix b/cerulean/nixos/nixpkgs.nix index 0376f47..03925c8 100644 --- a/cerulean/nixos/nixpkgs.nix +++ b/cerulean/nixos/nixpkgs.nix @@ -1,4 +1,4 @@ -# Copyright 2026 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -75,19 +75,19 @@ in { # NOTE: _module.args is a special option that allows us to # NOTE: set extend specialArgs from inside the modules. # WARNING: pkgs is a reserved specialArg - _module.args = removeAttrs repos ["pkgs"]; + _module.args = removeAttrs repos ["pkgs" "default"]; nixpkgs = if contextName == "hosts" then { - flake.source = lib.mkOverride 200 base; # DEBUG: temp while getting base to work - overlays = lib.mkOverride 200 (defaultPkgs.overlays or {}); - config = lib.mkOverride 200 (defaultPkgs.config or {}); + flake.source = lib.mkForce base; # DEBUG: temp while getting base to work + overlays = lib.mkForce (defaultPkgs.overlays or {}); + config = lib.mkForce (defaultPkgs.config or {}); } else if contextName == "homes" then { - config = lib.mkOverride 200 (defaultPkgs.config or {}); - overlays = lib.mkOverride 200 (defaultPkgs.overlays or []); + config = lib.mkForce (defaultPkgs.config or {}); + overlays = lib.mkForce (defaultPkgs.overlays or []); } else {}; }; diff --git a/cerulean/snow/default.nix b/cerulean/snow/default.nix new file mode 100644 index 0000000..048572b --- /dev/null +++ b/cerulean/snow/default.nix @@ -0,0 +1,182 @@ +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{ + this, + self, + inputs, + systems, + nt, + mix, + ... +} @ args: let + inherit + (builtins) + all + attrNames + elem + mapAttrs + warn + ; + + inherit (inputs.nixpkgs) lib; + + inherit (nt) findImport; +in + mix.newMixture args (mixture: let + inherit (mixture) mapNodes; + in { + includes.private = [ + ./lib/nodes.nix + ]; + + inherit findImport; + + # snow.flake + flake = flakeInputs: root: let + module = lib.evalModules { + class = "snowflake"; + # TODO: abort if inputs contains reserved names + specialArgs = + flakeInputs + // { + inherit root; + inherit systems; + inherit (this) snow; # please don't be infinite recursion... + inputs = flakeInputs; + }; + + modules = [ + ./module.nix + ]; + }; + + nodes = module.config.nodes; + in rec { + nixosConfigurations = mapNodes nodes ( + { + base, + lib, + name, + node, + groupModules, + ... + }: let + homeManager = + if node.homeManager != null + then node.homeManager + else if nodes.homeManager != null + then nodes.homeManager + else + warn '' + [snowflake] Neither `nodes.homeManager` nor `nodes.nodes.${name}.homeManager` were specified! + [snowflake] home-manager will NOT be used! User configuration will be ignored! + '' + null; + + userArgs = nodes.args // node.args; + ceruleanArgs = { + inherit systems root base; + inherit (node) system; + inherit (this) snow; + + _cerulean = { + inherit inputs userArgs ceruleanArgs homeManager; + specialArgs = userArgs // ceruleanArgs; + }; + }; + specialArgs = assert (userArgs + |> attrNames + |> all (argName: + ! ceruleanArgs ? argName + || abort '' + `specialArgs` are like super important to Cerulean my love... rollback; + magicRollback = magicRollback -> rollback; + activationTimeout = activationTimeout; + confirmTimeout = confirmTimeout; + + remoteBuild = remoteBuild; + sshUser = ssh.user; + sshOpts = + ssh.opts + ++ ( + if elem "-p" ssh.opts + then [] + else ["-p" (toString ssh.port)] + ) + ++ ( + if elem "-A" ssh.opts + then [] + else ["-A"] + ); + }; + }); + + checks = + inputs.deploy-rs.lib + |> mapAttrs (system: deployLib: + deployLib.deployChecks deploy); + }; + }) diff --git a/cerulean/snow/lib/nodes.nix b/cerulean/snow/lib/nodes.nix new file mode 100644 index 0000000..7f1a21b --- /dev/null +++ b/cerulean/snow/lib/nodes.nix @@ -0,0 +1,96 @@ +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{nt, ...}: let + inherit + (builtins) + concatLists + elem + filter + isAttrs + mapAttrs + pathExists + typeOf + ; + + rootGroupName = "all"; + + parseGroupsDecl = groups: let + validGroup = g: + isAttrs g + || throw '' + Cerulean Nexus groups must be provided as attribute sets, got "${typeOf g}" instead! + Ensure all the group definitions are attribute sets under your call to `cerulean.mkNexus`. + NOTE: Groups can be accessed via `self.groups.PATH.TO.YOUR.GROUP` + ''; + delegate = parent: gName: g: let + result = + (g + // { + _name = gName; + _parent = parent; + }) + |> mapAttrs (name: value: + if elem name ["_name" "_parent"] + # ignore metadata fields + then value + else assert validGroup value; (delegate result name value)); + in + result; + in + assert validGroup groups; + delegate null rootGroupName groups; + + getGroupModules = root: groups: + # ensure root group is always added + groups + # add all inherited groups via _parent + |> map (let + delegate = g: + if g._parent == null + then [g] + else [g] ++ delegate (g._parent); + in + delegate) + # flatten recursion result + |> concatLists + # find import location + |> map (group: nt.findImport (root + "/groups/${group._name}")) + # filter by uniqueness + |> nt.prim.unique + # ignore missing groups + |> filter pathExists; +in { + mapNodes = nodes: f: + nodes.nodes + |> mapAttrs (name: node: let + # use per-node base or default to nodes' base + base = + if node.base != null + then node.base + else if nodes.base != null + then nodes.base + else + abort '' + Cerulean cannot construct nodes node "${name}" without a base package source. + Ensure `nodes.nodes.*.base` or `nodes.base` is a flake reference to the github:NixOS/nixpkgs repository. + ''; + in + f rec { + inherit name node base; + inherit (base) lib; + + groups = node.groups (parseGroupsDecl nodes.groups); + groupModules = root: getGroupModules root groups; + }); +} diff --git a/cerulean/nexus/default.nix b/cerulean/snow/module.nix similarity index 79% rename from cerulean/nexus/default.nix rename to cerulean/snow/module.nix index 65495bf..d45b35a 100644 --- a/cerulean/nexus/default.nix +++ b/cerulean/snow/module.nix @@ -1,4 +1,4 @@ -# Copyright 2025 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -11,10 +11,13 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -{mix, ...} @ args: -mix.newMixture args (mixture: { - includes.public = [ - ./nodes.nix - ./nexus.nix +{ + root, + snow, + ... +}: { + imports = [ + ./nodes + (snow.findImport (root + "/snow")) ]; -}) +} diff --git a/cerulean/snow/nodes/default.nix b/cerulean/snow/nodes/default.nix new file mode 100644 index 0000000..d3bc9b7 --- /dev/null +++ b/cerulean/snow/nodes/default.nix @@ -0,0 +1,62 @@ +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{ + lib, + specialArgs, + ... +}: { + options.nodes = let + inherit + (lib) + mkOption + types + ; + in + mkOption { + description = '' + Cerulean node declarations. + ''; + type = types.submoduleWith { + inherit specialArgs; + + modules = [ + { + imports = [./shared.nix]; + + options = { + groups = mkOption { + type = types.attrs; + default = {}; + example = lib.literalExpression "{ servers = { staging = {}; production = {}; }; }"; + description = '' + Hierarchical groups that nodes can be a member of. + ''; + }; + + nodes = mkOption { + type = types.attrsOf (types.submoduleWith { + inherit specialArgs; + modules = [(import ./submodule.nix)]; + }); + # example = { ... }; # TODO + description = '' + Node (host systems) declarations. + ''; + }; + }; + } + ]; + }; + }; +} diff --git a/cerulean/snow/nodes/shared.nix b/cerulean/snow/nodes/shared.nix new file mode 100644 index 0000000..c840d22 --- /dev/null +++ b/cerulean/snow/nodes/shared.nix @@ -0,0 +1,82 @@ +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{lib, ...}: let + inherit + (lib) + mkOption + types + ; + + flakeRef = types.either types.str types.path; +in { + options = { + base = lib.mkOption { + # In newer Nix versions, particularly with lazy trees, outPath of + # flakes becomes a Nix-language path object. We deliberately allow this + # to gracefully come through the interface in discussion with @roberth. + # + # See: https://github.com/NixOS/nixpkgs/pull/278522#discussion_r1460292639 + type = types.nullOr flakeRef; + + default = null; + defaultText = "if (using nixpkgsFlake.lib.nixosSystem) then self.outPath else null"; + + example = lib.literalExpression "inputs.nixpkgs"; + + description = '' + The path to the nixpkgs source used to build a system. A `base` package set + is required to be set, and can be specified via either: + 1. `options.nodes.base` (default `base` used for all systems) + 2. `options.nodes.nodes..base` (takes prescedence over `options.nodes.base`) + + This can also be optionally set if the NixOS system is not built with a flake but still uses + pinned sources: set this to the store path for the nixpkgs sources used to build the system, + as may be obtained by `fetchTarball`, for example. + + Note: the name of the store path must be "source" due to + . + ''; + }; + + modules = mkOption { + type = types.listOf types.raw; + default = []; + example = lib.literalExpression "[ { environment.systemPackages = [ pkgs.git ]; } ]"; + description = '' + Shared modules to import; equivalent to the NixOS module system's `extraModules`. + ''; + }; + + args = mkOption { + type = types.attrs; + default = {}; + example = lib.literalExpression "{ inherit inputs; }"; + description = '' + Shared args to provided for each node; equivalent to the NixOS module system's `specialArgs`. + ''; + }; + + homeManager = mkOption { + type = types.nullOr flakeRef; + default = null; + example = lib.literalExpression "inputs.home-manager"; + description = '' + The path to the home-manager source. A `homeManager` flake reference + is required to be set for `homes/` to be evaluated, and can be specified via either: + 1. `options.nodes.homeManager` (default `homManager` used for all systems) + 2. `options.nodes.nodes..homeManager` (takes prescedence over `options.nodes.homeManager`) + ''; + }; + }; +} diff --git a/cerulean/snow/nodes/submodule.nix b/cerulean/snow/nodes/submodule.nix new file mode 100644 index 0000000..ea30c4f --- /dev/null +++ b/cerulean/snow/nodes/submodule.nix @@ -0,0 +1,185 @@ +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{ + lib, + systems, + ... +}: { + imports = [./shared.nix]; + + options = let + inherit + (lib) + mkOption + types + ; + in { + enabled = lib.mkOption { + type = types.bool; + default = true; + example = true; + description = '' + Whether to enable this node. Nodes are enabled by default. + ''; + }; + + system = mkOption { + type = types.nullOr (types.enum systems); + default = null; + example = "x86_64-linux"; + description = '' + The target system architecture to compile for. + ''; + }; + + groups = mkOption { + # TODO: write a custom group type that validates better than types.attrs lol + type = types.functionTo (types.listOf types.attrs); + default = groups: []; + example = lib.literalExpression "( groups: [ groups.servers groups.secure-boot ] )"; + description = '' + A function from the `groups` hierarchy to a list of groups this node inherits from. + ''; + }; + + deploy = { + user = mkOption { + type = types.str; + default = "root"; + example = "admin"; + description = '' + The user that the system derivation will be deployed to. The command specified in + `.deploy.sudoCmd` will be used if `.deploy.user` is not the + same as `.deploy.ssh.user` the same as above). + ''; + }; + + sudoCmd = mkOption { + type = types.str; + default = "sudo -u"; + example = "doas -u"; + description = '' + Which sudo command to use. Must accept at least two arguments: + 1. the user name to execute commands as + 2. the rest is the command to execute + ''; + }; + + interactiveSudo = mkOption { + type = types.bool; + default = false; + example = false; + description = '' + Whether to enable interactive sudo (password based sudo). + NOT RECOMMENDED. Use one of Cerulean's recommended auth methods instead. + ''; + }; + + remoteBuild = mkOption { + type = types.bool; + default = false; + example = false; + description = '' + Whether to build the system derivation on the target system. + Will also fetch all external dependencies from the target system's substituters. + ''; + }; + + rollback = mkOption { + type = types.bool; + default = true; + example = true; + description = '' + Enables both `autoRollback` and `magicRollback`. + ''; + }; + + autoRollback = mkOption { + type = types.bool; + default = true; + example = true; + description = '' + If the previous system derivation should be re-activated if activation fails. + ''; + }; + + magicRollback = mkOption { + type = types.bool; + default = true; + example = true; + description = '' + TODO: im fucking lazy + ''; + }; + + activationTimeout = mkOption { + type = types.int; + default = 500; + example = 30; + description = '' + Time window in seconds allowed for system derivation activation. + If timeout occurs, remote deployment is considered to have failed. + ''; + }; + + confirmTimeout = mkOption { + type = types.int; + default = 30; + example = 15; + description = '' + Time window in seconds allowed for activation confirmation. + If timeout occurs, remote deployment is considered to have failed. + ''; + }; + + ssh = { + host = mkOption { + type = types.str; + default = ""; + example = "dobutterfliescry.net"; + description = '' + The host to connect to over ssh during deployment + ''; + }; + + user = mkOption { + type = types.str; + default = "cerubld"; + example = "custom-user"; + description = '' + The user to connect to over ssh during deployment. + ''; + }; + + port = mkOption { + type = types.int; + default = 22; + example = 2222; + description = '' + The port to connect to over ssh during deployment. + ''; + }; + + opts = mkOption { + type = types.listOf types.str; + default = []; + example = ["-i" "~/.ssh/id_rsa"]; + description = '' + Extra ssh arguments to use during deployment. + ''; + }; + }; + }; + }; +} diff --git a/flake.nix b/flake.nix index c1a5498..80faf5c 100644 --- a/flake.nix +++ b/flake.nix @@ -1,4 +1,4 @@ -# Copyright 2025 Emile Clark-Boman +# Copyright 2025-2026 _cry64 (Emile Clark-Boman) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,6 +32,11 @@ url = "github:microvm-nix/microvm.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { @@ -43,5 +48,6 @@ { inherit inputs self nt; inherit (nt) mix; + systems = import inputs.systems; }; }