hosts: deduplicate host registration in default.nix

henrirosten · henrirosten · commit 66906dc5a483 · 2026-03-03T12:28:12.000+02:00
Define hosts once in hostModules and derive both flake.nixosModules and
flake.nixosConfigurations from that registry.

This removes the duplicated host lists in hosts/default.nix and reduces
the risk of drift when adding or renaming hosts.

Update docs/adding-a-host.md to document the new registration step and
renumber the runbook accordingly.

Signed-off-by: Henri Rosten &lt;henri.rosten@unikie.com&gt;
diff --git a/docs/adding-a-host.md b/docs/adding-a-host.md
@@ -93,19 +93,22 @@ ghaf-example = {
 The `publicKey` field is populated after the first install (see
 [print-keys](./tasks.md#print-keys)).
 
-### 4. Add NixOS module to `hosts/default.nix`
+### 4. Register host in `hosts/default.nix`
 
-In the `flake.nixosModules` attrset, add:
+In `hosts/default.nix`, add the host to the `hostModules` attrset:
 
 ```nix
-nixos-ghaf-example = ./ghaf-example/configuration.nix;
+hostModules = {
+  # ...
+  ghaf-example = ./ghaf-example/configuration.nix;
+};
 ```
 
-### 5. Add to nixosConfigurations list
-
-In the same file, add `"ghaf-example"` to the list passed to `builtins.map`.
+`flake.nixosModules.nixos-ghaf-example` and
+`flake.nixosConfigurations.ghaf-example` are generated from this entry
+automatically.
 
-### 6. Add deploy-rs node to `nix/deployments.nix`
+### 5. Add deploy-rs node to `nix/deployments.nix`
 
 Add the host to the appropriate node set (`x86-nodes` or `aarch64-nodes`):
 
@@ -135,7 +138,7 @@ After the first install the host has generated its SSH host key. The
 following steps retrieve that key, add it to sops, and redeploy so the
 host receives its encrypted secrets.
 
-### 7. Add host age key to `.sops.yaml`
+### 6. Add host age key to `.sops.yaml`
 
 Retrieve the host's SSH public key and convert it to an age key:
 
@@ -149,7 +152,7 @@ Add the resulting age key to the `keys` section of `.sops.yaml`:
 - &ghaf-example age1...
 ```
 
-### 8. Add creation rule in `.sops.yaml`
+### 7. Add creation rule in `.sops.yaml`
 
 Add a `creation_rules` entry so sops knows which keys can decrypt the
 host's secrets:
@@ -162,7 +165,7 @@ host's secrets:
     - *your-admin-anchor
 ```
 
-### 9. Create secrets file
+### 8. Create secrets file
 
 Copy the host's private SSH key from the remote host and store it as
 a sops secret:
@@ -180,15 +183,15 @@ rm /tmp/host-key
 
 At minimum, the secrets file must contain the `ssh_host_ed25519_key`.
 
-### 10. Run `inv update-sops-files`
+### 9. Run `inv update-sops-files`
 
 Re-encrypt all sops files to reflect the updated `.sops.yaml` rules:
 
 ```sh
 inv update-sops-files
 ```
 
-### 11. Redeploy with secrets
+### 10. Redeploy with secrets
 
 Deploy the configuration again so the host receives its secrets
 (see [deploy-rs.md](./deploy-rs.md)):
diff --git a/hosts/default.nix b/hosts/default.nix
@@ -63,97 +63,65 @@ let
         }
       ];
     };
+
+  # All host module paths in one place.
+  # Most hosts can be instantiated with mkNixOS; hetzci-vm is created by mkHetzciVm.
+  hostModules = {
+    hetzarm = ./builders/hetzarm/configuration.nix;
+    hetzarm-dbg-1 = ./builders/hetzarm-dbg-1/configuration.nix;
+    hetzarm-rel-1 = ./builders/hetzarm-rel-1/configuration.nix;
+    testagent-prod = ./testagent/prod/configuration.nix;
+    testagent-dev = ./testagent/dev/configuration.nix;
+    testagent2-prod = ./testagent/prod2/configuration.nix;
+    testagent-release = ./testagent/release/configuration.nix;
+    nethsm-gateway = ./nethsm-gateway/configuration.nix;
+    ghaf-log = ./ghaf-log/configuration.nix;
+    ghaf-webserver = ./ghaf-webserver/configuration.nix;
+    ghaf-auth = ./ghaf-auth/configuration.nix;
+    ghaf-monitoring = ./ghaf-monitoring/configuration.nix;
+    ghaf-lighthouse = ./ghaf-lighthouse/configuration.nix;
+    ghaf-fleetdm = ./ghaf-fleetdm/configuration.nix;
+    ghaf-registry = ./ghaf-registry/configuration.nix;
+    hetzci-dbg = ./hetzci/dbg/configuration.nix;
+    hetzci-dev = ./hetzci/dev/configuration.nix;
+    hetzci-prod = ./hetzci/prod/configuration.nix;
+    hetzci-release = ./hetzci/release/configuration.nix;
+    hetzci-vm = ./hetzci/vm/configuration.nix;
+    hetz86-1 = ./builders/hetz86-1/configuration.nix;
+    hetz86-builder = ./builders/hetz86-builder/configuration.nix;
+    hetz86-dbg-1 = ./builders/hetz86-dbg-1/configuration.nix;
+    hetz86-rel-2 = ./builders/hetz86-rel-2/configuration.nix;
+    uae-lab-node1 = ./uae/lab/node1/configuration.nix;
+    uae-nethsm-gateway = ./uae/nethsm-gateway/configuration.nix;
+    uae-azureci-prod = ./uae/azureci/prod/configuration.nix;
+    uae-azureci-az86-1 = ./uae/azureci/builders/az86-1/configuration.nix;
+    uae-testagent-prod = ./uae/testagent/prod/configuration.nix;
+  };
+
+  nixosModulesFromHosts = lib.mapAttrs' (
+    name: path: lib.nameValuePair "nixos-${name}" path
+  ) hostModules;
+
+  nixosConfigurationsFromHosts = builtins.mapAttrs (name: _path: mkNixOS { systemName = name; }) (
+    lib.removeAttrs hostModules [ "hetzci-vm" ]
+  );
 in
 {
   flake.nixosModules = {
     # shared modules
     common = import ./common.nix;
-
-    # All flake.nixosConfigurations, before we call lib.nixosSystem over them.
-    # We use a 'nixos-' prefix to distinguish them from regular modules.
-    #
-    # These are available to allow extending system configuration with
-    # out-of-tree additional config (like additional trusted cache public keys)
-    nixos-hetzarm = ./builders/hetzarm/configuration.nix;
-    nixos-hetzarm-dbg-1 = ./builders/hetzarm-dbg-1/configuration.nix;
-    nixos-hetzarm-rel-1 = ./builders/hetzarm-rel-1/configuration.nix;
-    nixos-testagent-prod = ./testagent/prod/configuration.nix;
-    nixos-testagent-dev = ./testagent/dev/configuration.nix;
-    nixos-testagent2-prod = ./testagent/prod2/configuration.nix;
-    nixos-testagent-release = ./testagent/release/configuration.nix;
-    nixos-nethsm-gateway = ./nethsm-gateway/configuration.nix;
-    nixos-ghaf-log = ./ghaf-log/configuration.nix;
-    nixos-ghaf-webserver = ./ghaf-webserver/configuration.nix;
-    nixos-ghaf-auth = ./ghaf-auth/configuration.nix;
-    nixos-ghaf-monitoring = ./ghaf-monitoring/configuration.nix;
-    nixos-ghaf-lighthouse = ./ghaf-lighthouse/configuration.nix;
-    nixos-ghaf-fleetdm = ./ghaf-fleetdm/configuration.nix;
-    nixos-ghaf-registry = ./ghaf-registry/configuration.nix;
-    nixos-hetzci-dbg = ./hetzci/dbg/configuration.nix;
-    nixos-hetzci-dev = ./hetzci/dev/configuration.nix;
-    nixos-hetzci-prod = ./hetzci/prod/configuration.nix;
-    nixos-hetzci-release = ./hetzci/release/configuration.nix;
-    nixos-hetzci-vm = ./hetzci/vm/configuration.nix;
-    nixos-hetz86-1 = ./builders/hetz86-1/configuration.nix;
-    nixos-hetz86-builder = ./builders/hetz86-builder/configuration.nix;
-    nixos-hetz86-dbg-1 = ./builders/hetz86-dbg-1/configuration.nix;
-    nixos-hetz86-rel-2 = ./builders/hetz86-rel-2/configuration.nix;
-    nixos-uae-lab-node1 = ./uae/lab/node1/configuration.nix;
-    nixos-uae-nethsm-gateway = ./uae/nethsm-gateway/configuration.nix;
-    nixos-uae-azureci-prod = ./uae/azureci/prod/configuration.nix;
-    nixos-uae-azureci-az86-1 = ./uae/azureci/builders/az86-1/configuration.nix;
-    nixos-uae-testagent-prod = ./uae/testagent/prod/configuration.nix;
-  };
+  }
+  // nixosModulesFromHosts;
 
   # Expose as flake.lib.mkNixOS.
   flake.lib = {
     inherit mkNixOS;
   };
 
-  # for each systemName, call mkNixOS on it, and set flake.nixosConfigurations
-  # to an attrset from systemName to the result of that mkNixOS call.
-  flake.nixosConfigurations =
-    (builtins.listToAttrs (
-      builtins.map
-        (name: {
-          inherit name;
-          value = mkNixOS { systemName = name; };
-        })
-        [
-          "hetzarm"
-          "hetzarm-dbg-1"
-          "hetzarm-rel-1"
-          "testagent-prod"
-          "testagent-dev"
-          "testagent2-prod"
-          "testagent-release"
-          "nethsm-gateway"
-          "ghaf-log"
-          "ghaf-webserver"
-          "ghaf-auth"
-          "ghaf-monitoring"
-          "ghaf-lighthouse"
-          "ghaf-fleetdm"
-          "ghaf-registry"
-          "hetzci-dbg"
-          "hetzci-dev"
-          "hetzci-prod"
-          "hetzci-release"
-          "hetz86-1"
-          "hetz86-builder"
-          "hetz86-dbg-1"
-          "hetz86-rel-2"
-          "uae-lab-node1"
-          "uae-nethsm-gateway"
-          "uae-azureci-prod"
-          "uae-azureci-az86-1"
-          "uae-testagent-prod"
-        ]
-    ))
-    // {
-      hetzci-vm = mkHetzciVm { };
-      hetzci-vm-no-host-nix-store = mkHetzciVm {
-        mountHostNixStore = false;
-      };
+  flake.nixosConfigurations = nixosConfigurationsFromHosts // {
+    hetzci-vm = mkHetzciVm { };
+    hetzci-vm-no-host-nix-store = mkHetzciVm {
+      mountHostNixStore = false;
     };
+  };
 }
