1# SPDX-License-Identifier: AGPL-3.0-or-later
2# Copyright 2024-2025 wire Contributors
3
# NixOS test-fixture module shared by wire's VM tests.
#
# It declares a small `_wire` option set and, depending on which role a node
# enables, wires up a "deployer" (the node that runs wire and SSHes out) or a
# "receiver" (the node that accepts the deployment over SSH).
#
# SECURITY: everything here is deliberately insecure test scaffolding — a
# well-known ("snake oil") SSH key pair, host-key verification disabled for all
# hosts, and root login authorised for that key. It must only ever be imported
# by the test harness, never by a real system configuration.
{
  lib,
  snakeOil,
  wire-small-dev,
  config,
  pkgs,
  ...
}:
let
  inherit (lib)
    mkEnableOption
    mkMerge
    mkIf
    mkOption
    ;
  inherit (lib.types) lines;
  # Shorthand for this module's own option values.
  cfg = config._wire;
in
{
  options._wire = {
    # Role switches; a node may enable either, both, or neither.
    deployer = mkEnableOption "deployment-specific settings";
    receiver = mkEnableOption "receiver-specific settings";
    # Python snippet appended to the test driver for this node. Declared as
    # `lines` so several modules can each contribute a fragment.
    testScript = mkOption {
      type = lines;
      default = "";
      description = "node-specific test script";
    };
  };

  # Both role blocks are guarded with mkIf inside one mkMerge so that a node
  # enabling neither role contributes nothing to the system configuration.
  config = mkMerge [
    (mkIf cfg.deployer {
      # Install the shared test private key as root's default ed25519 identity
      # at boot, mode 0600. `C+` copies the source file into place. The source
      # is interpolated from `snakeOil`, presumably a Nix store path — anything
      # in the store is world-readable on the host, so the 0600 mode here does
      # not make this key secret; it is a known, throwaway key by design.
      systemd.tmpfiles.rules = [
        "C+ /root/.ssh/id_ed25519 600 - - - ${snakeOil.snakeOilEd25519PrivateKey}"
      ];
      # `wire-small-dev` is the wire binary under test; ripgrep is a helper for
      # the test scripts.
      environment.systemPackages = [
        wire-small-dev
        pkgs.ripgrep
      ];
      # NEVER use this configuration for production. `Host *` disables host-key
      # verification for every destination and discards known_hosts entirely,
      # so the deployer cannot detect a man-in-the-middle on any SSH connection.
      # It exists only so freshly booted test VMs with unknown host keys can be
      # reached without an interactive prompt.
      programs.ssh.extraConfig = ''
        Host *
          StrictHostKeyChecking no
          UserKnownHostsFile /dev/null
      '';

      # Unprivileged "owner" user used to test key handling on the deployer.
      # It is defined here instead of in the test-case hive because the wire
      # binary is lost once that hive is applied to the deployer.
      # No password or SSH keys are configured for it in this module.
      users.groups."owner" = { };
      users.users."owner" = {
        group = "owner";
        isNormalUser = true;
      };
    })
    (mkIf cfg.receiver {
      services.openssh.enable = true;
      # Authorise the shared test key for root. This relies on the NixOS
      # openssh default for PermitRootLogin permitting public-key auth for
      # root (prohibit-password) — confirm against the pinned nixpkgs if root
      # login stops working. Test-only: the matching private key is public.
      users.users.root.openssh.authorizedKeys.keys = [ snakeOil.snakeOilEd25519PublicKey ];
      # Make the test driver wait until sshd is up before the deployer tries
      # to connect; `hostName` is the node's name in the test network.
      _wire.testScript = ''
        ${config.networking.hostName}.wait_for_unit("sshd.service")
      '';
    })
  ];
}