cfg cosmetics

modules/services/deployerbot/default.nix

@@ -45,89 +45,96 @@ in {
   };
 
   config = lib.mkMerge [
-    (lib.mkIf cfg.main.enable {
+    (let
-      # TODO: git config --global user.email bot@jakstys.lt
+      cfg = config.mj.services.deployerbot.main;
-      users.users.deployerbot-main = {
+    in
-        description = "Deployerbot Main";
+      lib.mkIf cfg.enable {
-        home = "/var/lib/deployerbot-main";
+        # TODO: git config --global user.email bot@jakstys.lt
-        useDefaultShell = true;
+        users.users.deployerbot-main = {
-        group = "deployerbot-main";
+          description = "Deployerbot Main";
-        isSystemUser = true;
+          home = "/var/lib/deployerbot-main";
-        createHome = true;
-        uid = cfg.main.uidgid;
-      };
-      users.groups.deployerbot-main.gid = cfg.main.uidgid;
-
-      systemd.services.deployerbot = {
-        description = "Update all known systems";
-        environment = {TZ = "UTC";};
-        path = [pkgs.git pkgs.openssh pkgs.nix];
-        restartIfChanged = false;
-        serviceConfig = {
-          Type = "oneshot";
-          User = "deployerbot-main";
-          WorkingDirectory = config.users.users.deployerbot-main.home;
-          LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
-        };
-        script = let
-          deployDerivationsStr = builtins.concatStringsSep " " cfg.main.deployDerivations;
-        in ''
-          set -x
-          export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
-          if [[ ! -d config ]]; then
-            git clone ${cfg.main.repo} config
-            cd config
-          else
-            cd config
-            git fetch origin
-            git reset --hard origin/main
-          fi
-
-          nix flake update --accept-flake-config --commit-lock-file
-
-          ${pkgs.deploy-rs}/bin/deploy \
-            --ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
-            --ssh-user=deployerbot-follower \
-            --confirm-timeout 60 \
-            --targets ${deployDerivationsStr} -- \
-              --accept-flake-config
-
-          # Optional deployments
-          ${lib.concatLines (map mkOptional cfg.main.deployIfPresent)}
-
-          # done
-          git push origin main
-        '';
-      };
-
-      systemd.timers.deployerbot = {
-        description = "deployerbot-main timer";
-        wantedBy = ["timers.target"];
-        timerConfig.OnCalendar = "*-*-* 22:00:00 UTC";
-      };
-
-      mj.base.unitstatus.units = ["deployerbot"];
-
-      nix.settings.trusted-users = ["deployerbot-main"];
-    })
-    (lib.mkIf cfg.follower.enable {
-      users.users = {
-        deployerbot-follower = {
-          description = "Deployerbot Follower";
-          home = "/var/lib/deployerbot-follower";
           useDefaultShell = true;
-          group = "deployerbot-follower";
+          group = "deployerbot-main";
-          extraGroups = ["wheel"];
           isSystemUser = true;
           createHome = true;
-          uid = cfg.follower.uidgid;
+          uid = cfg.uidgid;
-          openssh.authorizedKeys.keys = let
-            restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.follower.sshAllowSubnets}\" " + cfg.follower.publicKey;
-          in [restrictedPubKey];
         };
-      };
+        users.groups.deployerbot-main.gid = cfg.uidgid;
-      users.groups.deployerbot-follower.gid = cfg.follower.uidgid;
+
-      nix.settings.trusted-users = ["deployerbot-follower"];
+        systemd.services.deployerbot = {
-    })
+          description = "Update all known systems";
+          environment = {TZ = "UTC";};
+          path = [pkgs.git pkgs.openssh pkgs.nix];
+          restartIfChanged = false;
+          serviceConfig = {
+            Type = "oneshot";
+            User = "deployerbot-main";
+            WorkingDirectory = config.users.users.deployerbot-main.home;
+            LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
+          };
+          script = let
+            deployDerivationsStr = builtins.concatStringsSep " " cfg.deployDerivations;
+          in ''
+            set -x
+            export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
+            if [[ ! -d config ]]; then
+              git clone ${cfg.repo} config
+              cd config
+            else
+              cd config
+              git fetch origin
+              git reset --hard origin/main
+            fi
+
+            nix flake update --accept-flake-config --commit-lock-file
+
+            ${pkgs.deploy-rs}/bin/deploy \
+              --ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
+              --ssh-user=deployerbot-follower \
+              --confirm-timeout 60 \
+              --targets ${deployDerivationsStr} -- \
+                --accept-flake-config
+
+            # Optional deployments
+            ${lib.concatLines (map mkOptional cfg.deployIfPresent)}
+
+            # done
+            git push origin main
+          '';
+        };
+
+        systemd.timers.deployerbot = {
+          description = "deployerbot-main timer";
+          wantedBy = ["timers.target"];
+          timerConfig.OnCalendar = "*-*-* 22:00:00 UTC";
+        };
+
+        mj.base.unitstatus.units = ["deployerbot"];
+
+        nix.settings.trusted-users = ["deployerbot-main"];
+      })
+
+    (let
+      cfg = config.mj.services.deployerbot.follower;
+    in
+      lib.mkIf cfg.enable {
+        users.users = {
+          deployerbot-follower = {
+            description = "Deployerbot Follower";
+            home = "/var/lib/deployerbot-follower";
+            useDefaultShell = true;
+            group = "deployerbot-follower";
+            extraGroups = ["wheel"];
+            isSystemUser = true;
+            createHome = true;
+            uid = cfg.uidgid;
+            openssh.authorizedKeys.keys = let
+              restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + cfg.publicKey;
+            in [restrictedPubKey];
+          };
+        };
+        users.groups.deployerbot-follower.gid = cfg.uidgid;
+        nix.settings.trusted-users = ["deployerbot-follower"];
+      })
   ];
 }

modules/services/nsd-acme/default.nix

@@ -4,6 +4,7 @@
   pkgs,
   ...
 }: let
+  cfg = config.mj.services.nsd-acme;
   mkHook = zone: let
     rc = config.services.nsd.remoteControl;
     fullZone = "_acme-endpoint.${zone}";
@@ -84,7 +85,7 @@ in {
   };
 
   # TODO assert services.nsd.enable
-  config = lib.mkIf config.mj.services.nsd-acme.enable {
+  config = lib.mkIf cfg.enable {
     services.nsd.remoteControl.enable = true;
     services.nsd.extraConfig = ''
       pattern:
@@ -186,7 +187,7 @@ in {
             };
           }
       )
-      config.mj.services.nsd-acme.zones;
+      cfg.zones;
 
     systemd.timers =
       lib.mapAttrs'
@@ -201,14 +202,14 @@ in {
             after = ["network-online.target"];
           }
       )
-      config.mj.services.nsd-acme.zones;
+      cfg.zones;
 
     mj.base.unitstatus.units =
       lib.mkIf config.mj.base.unitstatus.enable
       (
         ["nsd-control-setup"]
         ++ map (z: "nsd-acme-${z}")
-        (lib.attrNames config.mj.services.nsd-acme.zones)
+        (lib.attrNames cfg.zones)
       );
   };
 }