From 7adc4a20bd1061d56954276dd1b5426cecbaf509 Mon Sep 17 00:00:00 2001 From: Kaare Hoff Skovgaard Date: Mon, 4 Aug 2025 22:23:47 +0200 Subject: [PATCH] Clean up provisioning code by moving some logic into readOnly options --- nix/lib/mkSubmodule/default.nix | 11 ++ .../infrastructure/provisioning/default.nix | 124 +++++++----------- nix/packages/nixos-install/default.nix | 2 +- nix/packages/post-provisioning/default.nix | 4 +- nix/packages/pre-provisioning/default.nix | 4 +- 5 files changed, 67 insertions(+), 78 deletions(-) diff --git a/nix/lib/mkSubmodule/default.nix b/nix/lib/mkSubmodule/default.nix index ef43f4c..ac429e9 100644 --- a/nix/lib/mkSubmodule/default.nix +++ b/nix/lib/mkSubmodule/default.nix @@ -10,4 +10,15 @@ shorthandOnlyDefinesConfig = true; modules = lib.toList { inherit options; }; }; + mkSubmodule' = + fn: + lib.types.submodule ( + { config, ... }: + let + data = fn { inherit config; }; + in + { + inherit (data) options; + } + ); } diff --git a/nix/modules/nixos/infrastructure/provisioning/default.nix b/nix/modules/nixos/infrastructure/provisioning/default.nix index 9d48555..3331cbd 100644 --- a/nix/modules/nixos/infrastructure/provisioning/default.nix +++ b/nix/modules/nixos/infrastructure/provisioning/default.nix @@ -1,19 +1,20 @@ { - config, lib, inputs, pkgs, ... }: let - cfg = config.khscodes.infrastructure.provisioning; - provisioning = { - modules = lib.mkOption { - type = lib.types.listOf lib.types.anything; - description = "Modules used to bring up the needed resources"; - default = [ ]; - }; - }; + terranixConfig = + cfg: + if lib.lists.length cfg.modules > 0 then + inputs.terranix.lib.terranixConfiguration { + system = pkgs.hostPlatform.system; + modules = cfg.modules; + extraArgs = { inherit lib inputs; }; + } + else + null; usesEndpoint = search: endpoint: config: if lib.strings.hasInfix search (builtins.readFile config) then [ endpoint ] else [ ]; 
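Review bot: `terranixConfig` returns `null` when `cfg.modules` is empty, and the provisioning scripts changed later in this patch depend on that (`[[ "$config" == "null" ]]`), but nothing at the definition says so. A short comment above it would record the contract, e.g. `# Generated terranix configuration for cfg.modules, or null when no modules are set; the provisioning scripts test for this.` As a style point, `cfg.modules != [ ]` reads more directly than `lib.lists.length cfg.modules > 0`. The enclosing `let` block continues outside the hunk.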
@@ -49,31 +50,49 @@ let [ ] else lib.lists.flatten (lib.lists.map (c: usesEndpoint c.search c.endpoint config) endpointsMaps); - preConfig = - if lib.lists.length cfg.pre.modules > 0 then - inputs.terranix.lib.terranixConfiguration { - system = pkgs.hostPlatform.system; - modules = cfg.pre.modules; - extraArgs = { inherit lib inputs; }; - } - else - null; - preEndpoints = endpointsUsed preConfig; - postConfig = - if lib.lists.length cfg.post.modules > 0 then - inputs.terranix.lib.terranixConfiguration { - system = pkgs.hostPlatform.system; - modules = cfg.post.modules; - extraArgs = { inherit lib inputs; }; - } - else - null; - postEndpoints = endpointsUsed postConfig; + provisioning = lib.khscodes.mkSubmodule' ( + { config }: + { + description = "Module for handling provisioning"; + options = { + modules = lib.mkOption { + type = lib.types.listOf lib.types.anything; + description = "Modules used to bring up the needed resources"; + default = [ ]; + }; + config = lib.mkOption { + type = lib.types.nullOr lib.types.path; + readOnly = true; + default = terranixConfig config; + }; + endpoints = lib.mkOption { + type = lib.types.listOf ( + lib.types.enum [ + "openstack" + "aws" + "unifi" + "hcloud" + "cloudflare" + "vault" + ] + ); + readOnly = true; + default = endpointsUsed config.config; + }; + }; + } + ); in { options.khscodes.infrastructure.provisioning = { - pre = provisioning; - post = provisioning; + pre = lib.mkOption { + type = provisioning; + default = { }; + }; + post = lib.mkOption { + type = provisioning; + default = { }; + }; secretsSource = lib.mkOption { type = lib.types.enum [ "vault" 
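Review bot: The new `config` and `endpoints` options inside the submodule, and the `pre`/`post` options that wrap it, have no `description`, whereas the removed `preConfig`/`preEndpoints`/`postConfig`/`postEndpoints` options each had one. Carrying the old text over would keep the documentation, e.g. `description = "The generated config for this provisioning stage, if any modules were specified";` and `description = "Endpoints needed during provisioning, derived from the generated config";`. Since both are now `readOnly` with a computed default, it is worth saying in the description that they cannot be set per host, because the provisioning scripts read `endpoints` directly. Naming the option `config` also makes the `endpoints` default read as `config.config`; a name such as `generatedConfig` would be easier to follow.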
@@ -87,53 +106,12 @@ in description = "User data that should be added to the instance during provisioning"; default = ""; }; - preConfig = lib.mkOption { - type = lib.types.nullOr lib.types.path; - description = "The generated config for the pre provisioning, if any was specified"; - }; - preEndpoints = lib.mkOption { - type = lib.types.listOf ( - lib.types.enum [ - "openstack" - "aws" - "unifi" - "hcloud" - "cloudflare" - "vault" - ] - ); - description = "Needed endpoints to be used during provisioning"; - default = [ ]; - }; preImageUsername = lib.mkOption { type = lib.types.str; description = "The username for the image being deployed before being swapped for NixOS"; default = "root"; }; - postConfig = lib.mkOption { - type = lib.types.nullOr lib.types.path; - description = "The generated config for the post provisioning, if any was specified"; - }; - postEndpoints = lib.mkOption { - type = lib.types.listOf ( - lib.types.enum [ - "openstack" - "aws" - "unifi" - "hcloud" - "cloudflare" - "vault" - ] - ); - description = "Needed endpoints to be used during provisioning"; - default = [ ]; - }; }; - config = { - khscodes.infrastructure.provisioning.preConfig = preConfig; - khscodes.infrastructure.provisioning.preEndpoints = preEndpoints; - khscodes.infrastructure.provisioning.postConfig = postConfig; - khscodes.infrastructure.provisioning.postEndpoints = postEndpoints; - }; + config = { }; } diff --git a/nix/packages/nixos-install/default.nix b/nix/packages/nixos-install/default.nix index a34d72b..24ed100 100644 --- a/nix/packages/nixos-install/default.nix +++ b/nix/packages/nixos-install/default.nix 
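Review bot: The trailing `config = { };` left at the end of the module is now an empty attribute set and can simply be removed. With all four assignments gone, the module only declares options, and an empty `config` suggests that something is still meant to be set there.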
@@ -19,7 +19,7 @@ pkgs.writeShellApplication { nix build --no-link '${inputs.self}#nixosConfigurations."'"$hostname"'".config.system.build.toplevel' fi baseAttr='${inputs.self}#nixosConfigurations."'"$hostname"'".config.khscodes.infrastructure' - config="$(nix build --no-link --print-out-paths "''${baseAttr}.provisioning.preConfig")" + config="$(nix build --no-link --print-out-paths "''${baseAttr}.provisioning.pre.config")" preScript="$(nix eval --raw "''${baseAttr}.nixos-install.preScript")" username="$(nix eval --raw "''${baseAttr}.provisioning.preImageUsername")" if [[ "$config" == "null" ]]; then diff --git a/nix/packages/post-provisioning/default.nix b/nix/packages/post-provisioning/default.nix index 1a647f7..67285a2 100644 --- a/nix/packages/post-provisioning/default.nix +++ b/nix/packages/post-provisioning/default.nix @@ -15,9 +15,9 @@ pkgs.writeShellApplication { hostname="$1" cmd="''${2:-apply}" baseAttr='${inputs.self}#nixosConfigurations."'"$hostname"'".config.khscodes.infrastructure.provisioning' - config="$(nix build --no-link --print-out-paths "''${baseAttr}.postConfig")" + config="$(nix build --no-link --print-out-paths "''${baseAttr}.post.config")" secretsSource="$(nix eval --raw "''${baseAttr}.secretsSource")" - endpoints="$(nix eval --show-trace --json "''${baseAttr}.postEndpoints")" + endpoints="$(nix eval --show-trace --json "''${baseAttr}.post.endpoints")" if [[ "$config" == "null" ]]; then echo "No postprovisioning needed" exit 0 diff --git a/nix/packages/pre-provisioning/default.nix b/nix/packages/pre-provisioning/default.nix index 12ba485..076de3c 100644 --- a/nix/packages/pre-provisioning/default.nix +++ b/nix/packages/pre-provisioning/default.nix 
@@ -16,9 +16,9 @@ pkgs.writeShellApplication { hostname="$1" cmd="''${2:-apply}" baseAttr='${inputs.self}#nixosConfigurations."'"$hostname"'".config.khscodes.infrastructure.provisioning' - config="$(nix build --no-link --print-out-paths "''${baseAttr}.preConfig")" + config="$(nix build --no-link --print-out-paths "''${baseAttr}.pre.config")" secretsSource="$(nix eval --raw "''${baseAttr}.secretsSource")" - endpoints="$(nix eval --show-trace --json "''${baseAttr}.preEndpoints")" + endpoints="$(nix eval --show-trace --json "''${baseAttr}.pre.endpoints")" if [[ "$config" == "null" ]]; then echo "No preprovisioning needed" exit 0