infra/flake.nix

{
  description = "Bagel cooking infrastructure";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    terranix.url = "github:terranix/terranix";

    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";

    colmena.url = "github:zhaofengli/colmena";
    colmena.inputs.nixpkgs.follows = "nixpkgs";

    hydra.url = "git+https://git.lix.systems/lix-project/hydra.git";
    hydra.inputs.nixpkgs.follows = "nixpkgs";

    nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git";
    nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";

    buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/non-flakes";
    buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";

    lix.follows = "hydra/lix";
  };

  outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
  let
    supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
    forEachSystem = f: builtins.listToAttrs (map (system: {
      name = system;
      value = f system;
    }) supportedSystems);
    systemBits = forEachSystem (system: rec {
      inherit system;
      pkgs = import nixpkgs {
        localSystem = system;
        overlays = [
          inputs.hydra.overlays.default
          inputs.lix.overlays.default
          inputs.nix-gerrit.overlays.default
        ];
      };
      terraform = pkgs.opentofu;
      terraformCfg = terranix.lib.terranixConfiguration {
        inherit system;
        modules = [
          ./terraform
          {
            bagel.gandi.enable = true;
            bagel.hydra.enable = true;
          }
        ];
      };
    });
    forEachSystem' = f: forEachSystem (system: (f systemBits.${system}));
    inherit (nixpkgs) lib;
  in
  {
    apps = forEachSystem' ({ system, pkgs, terraformCfg, terraform, ... }: {
      tf = {
        type = "app";
        program = toString (pkgs.writers.writeBash "tf" ''
            set -eo pipefail
            ln -snf ${terraformCfg} config.tf.json
            exec ${lib.getExe terraform} "$@"
          '');
      };

      default = self.apps.${system}.tf;
    });

    devShells = forEachSystem' ({ system, pkgs, ... }: {
      default = pkgs.mkShell {
        packages = [
          inputs.agenix.packages.${system}.agenix

          pkgs.opentofu

          (pkgs.callPackage ./lib/colmena-wrapper.nix { })
        ];
      };
    });

    nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes;

    colmena = let
      commonModules = [
        inputs.agenix.nixosModules.default
        inputs.hydra.nixosModules.hydra
        inputs.buildbot-nix.nixosModules.buildbot-coordinator
        inputs.buildbot-nix.nixosModules.buildbot-worker

        ./services
        ./common
        {
          # This means that anyone with @build-infra permissions
          # can ssh on root of every machines handled here.
          bagel.admins.allowedGroups = [
            "build-infra"
          ];
        }
      ];

      makeBuilder = i: lib.nameValuePair "builder-${toString i}" {
        imports = commonModules;
        bagel.baremetal.builders = { enable = true; num = i; netboot = i >= 6; };
      };

      builders = lib.listToAttrs (lib.genList makeBuilder 12);
    in {
      meta.nixpkgs = systemBits.x86_64-linux.pkgs;
      meta.specialArgs.inputs = inputs;

      bagel-box.imports = commonModules ++ [ ./hosts/bagel-box ];
      meta01.imports = commonModules ++ [ ./hosts/meta01 ];
      gerrit01.imports = commonModules ++ [ ./hosts/gerrit01 ];
      fodwatch.imports = commonModules ++ [ ./hosts/fodwatch ];
      git.imports = commonModules ++ [ ./hosts/git ];
      wob-vpn-gw.imports = commonModules ++ [ ./hosts/wob-vpn-gw ];
      buildbot.imports = commonModules ++ [ ./hosts/buildbot ];
      public01.imports = commonModules ++ [ ./hosts/public01 ];
    } // builders;

    hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.netbootDir or v.config.system.build.toplevel) self.nixosConfigurations;
    buildbotJobs = builtins.mapAttrs (_: v: v.config.system.build.toplevel) self.nixosConfigurations;
  };
}