dotfiles/nixos/systems/blowhole/default.nix
Magic_RB 004cfb039b
Harden blowhole agains sealed Vault
Signed-off-by: Magic_RB <magic_rb@redalder.org>
2023-06-28 14:23:08 +02:00


# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
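{ inputs, lib', config, ... }:
let
  inherit (lib')
    flip
    mapAttrs
    singleton;
  # The flake-level `config`, captured under another name because the NixOS
  # module below receives its own `config` argument that shadows this one.
  config' = config;
in
{
  flake.nixosConfigurations.blowhole = inputs.nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    # Extra arguments handed to every module of this system.
    specialArgs = {
      config' = config';
      inputs' = inputs;
      secret = lib'.loadSecrets inputs.secret;
    };
    modules = singleton
      ({ pkgs, config, ... }:
        {
          imports = [
            ./bind.nix
            ./consul.nix
            ./filesystems.nix
            ./firewall.nix
            ./grub.nix
            ./hardware.nix
            ./hostapd.nix
            ./ical2org.nix
            ./klipper.nix
            ./monitoring.nix
            ./nas.nix
            ./networking.nix
            ./nfs.nix
            ./nomad.nix
            ./uterranix.nix
            ./vault-agent.nix
            ./vault.nix
            ./watchdog.nix
            ./nixpkgs.nix
            ./users.nix
            ../../common/remote_access.nix
            inputs.serokell-nix.nixosModules.acme-sh
            config'.flake.nixosModules.hashicorp
            config'.flake.nixosModules.hashicorp-envoy
            config'.flake.nixosModules.telegraf
            config'.flake.nixosModules.grafana
          ];
          # Deployment parameters consumed by nixinate.
          _module.args.nixinate = {
            host = "blowhole.hosts.in.redalder.org";
            sshUser = "main";
            buildOn = "local";
            substituteOnTarget = true;
            hermetic = false;
            nixOptions = [
              "--override-input secret path://$HOME/dotfiles/secret"
            ];
          };
          # Probe unit that fails (exit 2) as soon as the local Vault is sealed.
          # `Restart = "always"` re-runs the probe RestartSec after a failure and
          # StartLimitInterval = 0 disables the start-rate limit, so the
          # fail/restart cycle is never throttled by systemd.
          systemd.services.vault-unsealed = {
            description = "Check whether the local Vault instance is unsealed and fail if not.";
            path = with pkgs; [ getent vault ];
            unitConfig = {
              StartLimitInterval = 0;
            };
            serviceConfig = {
              Restart = "always";
              RestartSec = 30;
            };
            # NixOS runs `script` with `-e`, so the non-zero exit of
            # `vault status` has to be caught with `|| rc=$?` instead of being
            # read from `$?` on the next line.
            script = ''
              export VAULT_ADDR="https://vault.in.redalder.org:8200/"
              while true
              do
                # `vault status` needs no token and reports the seal state in
                # its exit code: 0 unsealed, 2 sealed, 1 error (e.g. unreachable).
                # Deciding on the exit code instead of grepping the output for
                # "Vault is sealed" keeps a transport error or any other error
                # message from being mistaken for an unsealed Vault.
                rc=0
                vault status > /dev/null 2>&1 || rc=$?
                case "$rc" in
                  0)
                    ;;
                  2)
                    echo "Vault at $VAULT_ADDR is sealed" >&2
                    exit 2
                    ;;
                  *)
                    # Unreachable or otherwise erroring Vault: logged and
                    # retried, not reported as sealed.
                    echo "vault status failed with exit code $rc; retrying in 30s" >&2
                    ;;
                esac
                sleep 30
              done
            '';
          };
          system.stateVersion = "21.05";
        });
  };
}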