From 8b700b61cc405c85849b9df0fb2496d480e87984 Mon Sep 17 00:00:00 2001
From: main
Date: Wed, 23 Nov 2022 20:48:59 +0100
Subject: [PATCH] Make sure everything evaluates and builds even without secrets
Signed-off-by: main
---
flake.nix | 2 +-
nixos/hardware/blowhole.nix | 2 +-
nixos/modules/main.nix | 2 +-
nixos/secret-lib/default.nix | 4 +--
nixos/secret-lib/emacs.nix | 2 ++
nixos/secret-lib/ical2org.nix | 3 ++
nixos/secret-lib/mounts.nix | 1 +
nixos/secret-lib/network.nix | 48 +++++++++++++++++++++-------
nixos/secret-lib/password-hashes.nix | 25 ++++++++++-----
nixos/systems/blowhole/firewall.nix | 2 +-
nixos/systems/omen.nix | 2 +-
nixos/systems/toothpick/default.nix | 2 +-
12 files changed, 67 insertions(+), 28 deletions(-)
diff --git a/flake.nix b/flake.nix
index 09ecad9..5149169 100644
--- a/flake.nix
+++ b/flake.nix
@@ -101,7 +101,7 @@
vtermModule.url = "github:akermu/emacs-libvterm";
vtermModule.flake = false;
- secret.url = "git+ssh://git@github.com/MagicRB/dotfiles-secret";
+ secret.url = "path:///var/empty";
secret.flake = false;
qmk.url = "https://github.com/qmk/qmk_firmware";
diff --git a/nixos/hardware/blowhole.nix b/nixos/hardware/blowhole.nix
index 3f6a133..e521873 100644
--- a/nixos/hardware/blowhole.nix
+++ b/nixos/hardware/blowhole.nix
@@ -77,6 +77,6 @@ in {
options = singleton "bind";
};
}
- // secret.mounts.blowhole;
+ // secret.mounts.blowhole or {};
};
}
diff --git a/nixos/modules/main.nix b/nixos/modules/main.nix
index 1af13c7..f2885dc 100644
--- a/nixos/modules/main.nix
+++ b/nixos/modules/main.nix
@@ -14,7 +14,7 @@ with lib; {
users.main = {
isNormalUser = true;
home = "/home/main";
- hashedPassword = secret.passwordHashes.main.generic;
+ hashedPassword = secret.passwordHashes.main or "";
description = "main";
uid = 1000;
diff --git a/nixos/secret-lib/default.nix b/nixos/secret-lib/default.nix
index ab39e1f..3ec63f3 100644
--- a/nixos/secret-lib/default.nix
+++ b/nixos/secret-lib/default.nix
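Review bot: The `secret` input now points at an empty directory, and nothing on that line says how a machine that does hold the private repo is expected to supply it; the workflow is only recoverable from the commit title. A short comment above the line, such as `# placeholder so the flake evaluates without the private repo; pass --override-input secret <url> when building a real host`, would keep that explicit. `path:///var/empty` also presumes `/var/empty` exists on whichever host performs the evaluation.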
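Review bot: The fallback `or ""` on the `hashedPassword` line leaves the `main` account with an empty password hash whenever the secrets input is absent, and the `default = ""` added in nixos/secret-lib/password-hashes.nix yields the same value once that module is loaded, so the `or` is not what decides the outcome. NixOS's users module treats an empty hash as one that permits login (only hashes starting with `!` or `*` count as locked), so depending on the PAM null-password settings a build without secrets can produce a passwordless account instead of a locked one. A locked placeholder is the safer fallback: `hashedPassword = secret.passwordHashes.main or "!";`, with the same `"!"` as the option default in password-hashes.nix. The enclosing `users.main` attribute set continues outside the hunk.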
@@ -35,8 +35,8 @@ with lib; {
({...}: {_module.args.pkgs = pkgs;})
]
++ (
- if (builtins.tryEval {x = import secret;}).success
- then [secret]
+ if (builtins.pathExists (secret + "default.nix"))
+ then [ secret ]
else builtins.trace "Warning! Not loading any secrets, you may get errors." []
);
};
diff --git a/nixos/secret-lib/emacs.nix b/nixos/secret-lib/emacs.nix
index 29be483..d014686 100644
--- a/nixos/secret-lib/emacs.nix
+++ b/nixos/secret-lib/emacs.nix
@@ -13,10 +13,12 @@ in {
options.emacs = {
mbsyncrc = mkOption {
type = types.path;
+ default = pkgs.writeText "mbsyncrb" "";
};
mu4eContexts = mkOption {
type = types.path;
+ default = pkgs.writeText "mu4e-contexts.el" "";
};
};
}
diff --git a/nixos/secret-lib/ical2org.nix b/nixos/secret-lib/ical2org.nix
index c457563..1d5932d 100644
--- a/nixos/secret-lib/ical2org.nix
+++ b/nixos/secret-lib/ical2org.nix
@@ -13,13 +13,16 @@ in {
options.ical2org = {
icalUrlCanvas = mkOption {
type = types.str;
+ default = "";
};
icalUrlRooster = mkOption {
type = types.str;
+ default = "";
};
orgPath = mkOption {
type = types.str;
+ default = "";
};
};
}
diff --git a/nixos/secret-lib/mounts.nix b/nixos/secret-lib/mounts.nix
index 11d4a16..e867689 100644
--- a/nixos/secret-lib/mounts.nix
+++ b/nixos/secret-lib/mounts.nix
@@ -15,5 +15,6 @@ in {
description = ''
Mounts
'';
+ default = {};
};
}
diff --git a/nixos/secret-lib/network.nix b/nixos/secret-lib/network.nix
index 2cc24d1..b603dbc 100644
--- a/nixos/secret-lib/network.nix
+++ b/nixos/secret-lib/network.nix
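Review bot: `secret + "default.nix"` concatenates without a separator, so for a store-path input like `/nix/store/…-source` the check looks for `/nix/store/…-sourcedefault.nix` and `pathExists` is false even when the secrets are present (unless `secret` already ends in a slash, which a flake input does not). That makes the `then [ secret ]` branch unreachable and the secrets silently never load, with only the trace warning as a hint — worse than the old `tryEval` check, whose unforced `x` made it always succeed. It should read `if (builtins.pathExists (secret + "/default.nix"))`. The list this `++` extends begins before the hunk.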
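Review bot: The new default on the `mbsyncrc` option names its store file `"mbsyncrb"`, which reads as a typo for `mbsyncrc` and will surface as a confusingly named path; `default = pkgs.writeText "mbsyncrc" "";` matches the option. Both defaults also reference `pkgs`, which must be one of the module's arguments — the module header is outside the hunk, so I cannot confirm it is in scope here.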
@@ -2,22 +2,46 @@
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{lib, ...}:
-with lib; {
- options = {
- network.ips = mkOption {
+with lib;
+let
+ mkIpOption =
+ mkOption {
description = ''
- Host IPs.
'';
- type = with types; attrsOf (oneOf [str (attrsOf str)]);
- default = {};
+ type = types.str;
+ default = "";
+ };
+ mkNetworkOption =
+ mkOption {
+ description = ''
+ Network IPs
+ '';
+ type = types.str;
+ default = "";
+ };
+in
+{
+ options = {
+ network.ips = {
+ vault.dns = mkIpOption;
+ vault.vpn = mkIpOption;
+ blowhole.dns = mkIpOption;
+ blowhole.ip = mkIpOption;
+ blowhole.vpn = mkIpOption;
+ heater = mkIpOption;
+ edge.vpn = mkIpOption;
+ omen.vpn = mkIpOption;
+ toothpick = mkIpOption;
+ woodchip = mkIpOption;
+ media = mkIpOption;
};
- network.networks = mkOption {
- description = ''
- Network IPs.
- '';
- type = with types; attrsOf (oneOf [str (attrsOf str)]);
- default = {};
+ network.networks = {
+ home.inner = mkNetworkOption;
+ home.outer = mkNetworkOption;
+ home.mine = mkNetworkOption;
+ vpn = mkNetworkOption;
};
};
}
diff --git a/nixos/secret-lib/password-hashes.nix b/nixos/secret-lib/password-hashes.nix
index 9138dc8..e6decce 100644
--- a/nixos/secret-lib/password-hashes.nix
+++ b/nixos/secret-lib/password-hashes.nix
@@ -2,14 +2,23 @@
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{lib, ...}:
-with lib; {
+with lib;
+let
+ mkPasswordHashOptions =
+ users:
+ genAttrs
+ users
+ (user:
+ mkOption {
+ description = ''
+ Password hash for user ${user}.
+ '';
+ type = with types; str;
+ default = "";
+ });
+in
+{
options = {
- passwordHashes = mkOption {
- description = ''
- Password hashes.
- '';
- type = with types; attrsOf (oneOf [str (attrsOf str)]);
- default = {};
- };
+ passwordHashes = mkPasswordHashOptions [ "main" ];
};
}
diff --git a/nixos/systems/blowhole/firewall.nix b/nixos/systems/blowhole/firewall.nix
index cbf81d1..015c317 100644
--- a/nixos/systems/blowhole/firewall.nix
+++ b/nixos/systems/blowhole/firewall.nix
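Review bot: `mkIpOption` and `mkNetworkOption` are plain `mkOption` values rather than functions, yet the `mk` prefix reads as a constructor; reusing one option value for many attributes is valid, so either rename them (`ipOption`, `networkOption`) or make them functions that take the description. Reading the collapsed text, the `Host IPs.` line is removed with no replacement while the surrounding `description = ''` / `'';` stay, so `mkIpOption` appears to end up with an empty description where `mkNetworkOption` keeps one — if that is right, restore it with a `Host IP.` line inside the `''` block. Every address now defaults to `""`, which keeps evaluation going but lets an unset host address flow unnoticed into whatever consumes these options (presumably the firewall and wireguard definitions touched later in this patch); a comment on the defaults stating they are placeholders for secret-less builds would make that intent visible.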
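Review bot: `type = with types; str;` opens a `with` scope for a single identifier; `type = types.str;` says the same thing without the scope and matches the `types.str` form used in network.nix in this patch. The empty-string default on this line is the same fallback raised on the nixos/modules/main.nix hunk, where a locked placeholder is proposed instead.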
@@ -105,7 +105,7 @@ in
wireguard = {
enable = true;
interfaces."${doVPN}" =
- config.magic_rb.secret.wireguard."${config.networking.hostName}"
+ config.magic_rb.secret.wireguard."${config.networking.hostName}" or {}
// {
listenPort = 6666;
privateKeyFile = "/var/secrets/${doVPN}.key";
diff --git a/nixos/systems/omen.nix b/nixos/systems/omen.nix
index 33bd07d..2a62cf6 100644
--- a/nixos/systems/omen.nix
+++ b/nixos/systems/omen.nix
@@ -82,7 +82,7 @@
firewall.allowedTCPPorts = [22000];
wireguard.interfaces."wg0" =
- {} // config.magic_rb.secret.wireguard."omen";
+ {} // config.magic_rb.secret.wireguard."omen" or { privateKey = ""; };
};
# System
diff --git a/nixos/systems/toothpick/default.nix b/nixos/systems/toothpick/default.nix
index 6ebefd0..ec2b2a3 100644
--- a/nixos/systems/toothpick/default.nix
+++ b/nixos/systems/toothpick/default.nix
@@ -78,7 +78,7 @@ with lib;
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT
'';
}
- // config.magic_rb.secret.wireguard."toothpick";
+ // config.magic_rb.secret.wireguard."toothpick" or { privateKey = ""; };
};
defaultGateway = "64.225.96.1";
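Review bot: `or {}` only covers a missing attribute under `config.magic_rb.secret.wireguard`; if the `wireguard` option itself has no default, forcing `config.magic_rb.secret.wireguard` in a secret-less build fails with an option-not-defined error before the `or` is reached, because `or` catches missing attributes, not evaluation errors. This patch adds defaults to the other secret-lib options but touches no wireguard module, so please confirm that option carries `default = {};` (or add one). The `interfaces."${doVPN}"` definition continues past the hunk.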
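Review bot: The fallback `{ privateKey = ""; }` hands wireguard an empty key, which will be rejected when the interface is brought up, and it uses the in-store `privateKey` attribute where the blowhole firewall hunk in this patch uses `privateKeyFile`; nixos/systems/toothpick/default.nix adds the identical fallback. If the placeholder exists only to satisfy the module's key assertion, a file-based one such as `or { privateKeyFile = "<placeholder-key-path>"; }` keeps the two hosts consistent with blowhole and avoids suggesting that keys belong in the store. The leading `{} //` contributes nothing and can be dropped: `config.magic_rb.secret.wireguard."omen" or { … }`.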