From 91b56423f25982755641b6ac7c828e3696a10ea3 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Mon, 14 Oct 2024 07:51:07 +0200
Subject: [PATCH] wip: figuring out how to do multiple envs and stuff
---
 apps/atlantis.nix | 4 ++--
 apps/default.nix | 18 ------------------
 apps/openfga.nix | 24 ++++++++++++++++++-----
 envs/prod.nix | 13 +++++++++++++
 envs/staging.nix | 17 +++++++++++++++++
 flake.nix | 11 ++++++-----
 justfile | 4 ++--
 modules/default.nix | 45 +++++++++++++++++++++++++++++++++++++++-----
 modules/lib.nix | 25 ++++++++++++++++++++++++
 policies/default.nix | 7 +++++++
 10 files changed, 131 insertions(+), 37 deletions(-)
 create mode 100644 envs/prod.nix
 create mode 100644 envs/staging.nix
 create mode 100644 policies/default.nix
diff --git a/apps/atlantis.nix b/apps/atlantis.nix
index 3929aecd..4bbae45e 100644
--- a/apps/atlantis.nix
+++ b/apps/atlantis.nix
@@ -1,9 +1,9 @@
 { lib, config, ... }:
 let
- cfg = config.services.atlantis;
+ cfg = config.apps.atlantis;
 in {
- options.services.atlantis = {
+ options.apps.atlantis = {
 enable = lib.mkOption {
 type = lib.types.bool;
 default = true;
diff --git a/apps/default.nix b/apps/default.nix
index 563e75cc..6277483d 100644
--- a/apps/default.nix
+++ b/apps/default.nix
@@ -4,22 +4,4 @@
 ./atlantis.nix
 ./openfga.nix
 ];
-
- config = {
- services = {
-
- atlantis = {
- enable = true;
- autoSync = true;
- prune = false;
- };
-
- openfga = {
- enable = true;
- autoSync = true;
- prune = false;
- };
-
- };
- };
 }
diff --git a/apps/openfga.nix b/apps/openfga.nix
index 1e1adb17..99a986b0 100644
--- a/apps/openfga.nix
+++ b/apps/openfga.nix
@@ -1,18 +1,31 @@
 { lib, applib, config, ... }:
 let
- cfg = config.services.openfga;
+ cfg = config.apps.openfga;
+ env = config.apps.env;
 namespace = "${env}-openfga";
- env = "prod";
 project = "aux";
 cluster = "https://kubernetes.default.svc";
+ vs = ../values/openfga;
+
+ # values = applib.appValues ../values/openfga {};
+
+ values = with lib; attrsets.mergeAttrsList (lists.flatten [
+ (kube.fromYAML (builtins.readFile "${vs}/values.yaml"))
+ (kube.fromYAML (builtins.readFile "${vs}/values-${env}.yaml"))
+ [ cfg.values ]
+ ]);
+ kustomize = r:
+ if r.kind == "Job" then
+ lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
+ else r;
- values = lib.attrsets.recursiveUpdate {} cfg.values;
 in {
- options.services.openfga = applib.appOptions {};
+ options.apps.openfga = applib.appOptions {};
- config = applib.appConfig cfg "${cfg.env}-openfga" {
+ config = applib.appConfig cfg "${env}-openfga" {
 inherit namespace;
 inherit project;
@@ -26,6 +39,7 @@ in
 version = "0.2.12";
 chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
 };
+ transformer = rs: builtins.map (x: kustomize x) rs;
 };
 annotations = {};
diff --git a/envs/prod.nix b/envs/prod.nix
new file mode 100644
index 00000000..af2a38ab
--- /dev/null
+++ b/envs/prod.nix
@@ -0,0 +1,13 @@
+_:
+{
+ config = {
+ apps = {
+ env = "prod";
+ autoSync = false;
+ prune = false;
+
+ atlantis.enable = true;
+ openfga.enable = true;
+ };
+ };
+}
diff --git a/envs/staging.nix b/envs/staging.nix
new file mode 100644
index 00000000..3f23a385
--- /dev/null
+++ b/envs/staging.nix
@@ -0,0 +1,17 @@
+_:
+{
+ config = {
+ apps = {
+ env = "staging";
+ autoSync = true;
+ prune = true;
+
+ atlantis = {
+ enable = true;
+ autoSync = true;
+ prune = false;
+ };
+ openfga.enable = true;
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index 4bca7076..81513491 100644
--- a/flake.nix
+++ b/flake.nix
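Review bot: The new `values` binding interpolates the path `vs = ../values/openfga` into the string `"${vs}/values-${env}.yaml"`, which in Nix copies the whole `values/openfga` directory into the store before `builtins.readFile` runs; since the flake source is store-resident anyway, the practical consequence is that those per-environment values files (and everything merged into the rendered manifests) are world-readable on every machine that evaluates the flake, so they must never carry credentials. `env` is also a free-form string here, so an environment without a matching `values-<env>.yaml` fails late at `builtins.readFile` instead of at option evaluation. The commented-out `# values = applib.appValues ../values/openfga {};` duplicates the inline `mergeAttrsList` block that follows it; keeping one of the two avoids the module and `modules/lib.nix` drifting apart. The `let` block and the `config = applib.appConfig …` call both continue past the end of the hunk.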
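Review bot: `transformer = rs: builtins.map (x: kustomize x) rs;` wraps `kustomize` in two redundant lambdas; `transformer = builtins.map kustomize;` is the same function. Since `kustomize` reads `r.kind` unconditionally, a rendered resource that somehow lacks `kind` would abort evaluation with an attribute-missing error rather than being passed through — `if (r.kind or null) == "Job" then …` keeps the transformer total. The `kustomize` binding itself is defined in the first hunk of this file, and the enclosing `config` attrset starts and ends outside this hunk.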
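Review bot: The prod environment turns `autoSync` off but leaves no comment on why `prune` is then also pinned to `false`, so a later reader flipping prod to automated sync has no hint that pruning would start deleting live resources that are absent from the rendered manifests. A one-line comment above `autoSync = false;` such as `# prod is synced manually; prune stays false so enabling autoSync later cannot delete unmanaged resources` would make the intent explicit. Whether nixidy drops the `automated` block entirely when `autoSync` is false, or still emits `prune`/`selfHeal`, is decided in `modules/default.nix` and nixidy itself, so I have not assumed either.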
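Review bot: Staging sets `prune = true` environment-wide and then `atlantis.prune = false` per app, but nothing in this diff shows which of the two `applib.appConfig` honours, since that function lives in `modules/lib.nix` outside the changed hunks; if the env-wide value wins, Argo CD will prune Atlantis resources in staging despite the override. With `prune = true` plus `autoSync = true`, any resource that drops out of the rendered manifests is deleted from the cluster, which is fine for staging only if that precedence is confirmed. I would add a comment on the `atlantis = {` block, e.g. `# per-app prune/autoSync override apps.prune/apps.autoSync (see appConfig in modules/lib.nix)`, once that is verified.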
@@ -44,19 +44,20 @@
 applib = import ./modules/lib.nix { inherit pkgs; };
 in {
- nixidyEnvs = {
- prod = nixidy.lib.mkEnv {
+ nixidyEnvs = nixidy.lib.mkEnvs {
 inherit pkgs;
 extraSpecialArgs = { inherit applib; };
 charts = nixhelm.chartsDerivations.${system};
 modules = [
 ./modules
 ./apps
- ./policies/oceanbox/network
- # ./policies/oceanbox/kyverno
+ ./policies
 ];
+ envs = {
+ prod.modules = [ ./envs/prod.nix ];
+ staging.modules = [ ./envs/staging.nix ];
+ };
 };
- };
 checks = {
 pre-commit-check = pre-commit-hooks.lib.${system}.run {
diff --git a/justfile b/justfile
index d3674829..10d9d46e 100644
--- a/justfile
+++ b/justfile
@@ -12,6 +12,6 @@ build target=default:
 switch target=default:
 nix run .#nixidy -- switch .#{{target}}
-generate target=default:
+generate:
 nix build .#generators.cilium
- # nix build .#generators.kyverno
+ nix build .#generators.kyverno
diff --git a/modules/default.nix b/modules/default.nix
index 029d8022..90f6a1c9 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,6 +1,41 @@
-{ lib, ... }:
+{ lib, config, ... }:
+let
+ cfg = config.apps;
+in {
- imports = [ ];
+ imports = [];
+
+ options.apps = with lib; {
+ env = mkOption {
+ type = types.string;
+ default = "prod";
+ description = "Enable";
+ };
+
+ autoSync = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Auto sync";
+ };
+
+ prune = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Prune";
+ };
+
+ selfHeal = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Self-heal";
+ };
+
+ serverSideDiff = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Enable server-side diffing";
+ };
+ };
 config = {
 nixidy = {
@@ -20,9 +55,9 @@
 defaults = {
 syncPolicy = {
 autoSync = {
- enabled = true;
- prune = false;
- selfHeal = false;
+ enabled = cfg.autoSync;
+ prune = cfg.prune;
+ selfHeal = cfg.selfHeal;
 };
 };
diff --git a/modules/lib.nix b/modules/lib.nix
index ee83a9be..065766a9 100644
--- a/modules/lib.nix
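Review bot: `generate` now runs `nix build .#generators.kyverno` unconditionally, while `policies/default.nix` in this same commit still keeps `# ./oceanbox/kyverno` commented out, so the generator output is built but the policy module that would consume it is not wired in; one of the two looks stale. Whether `generators.kyverno` is actually exported by the flake is not visible in this diff, and if it is not, `just generate` will now fail on the second line. Dropping the `target` parameter from `generate` while `build` and `switch` keep theirs is reasonable if the generators are environment-independent, but a trailing comment like `# generators are shared across envs, hence no target` would document that.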
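Review bot: `env` is declared with `type = types.string;` and `description = "Enable";` — the description is a copy-paste leftover, and `types.string` is the deprecated nixpkgs alias that silently concatenates multiple definitions; `types.str` is the intended type, and the same `types.string` appears three times in the `modules/lib.nix` hunk (`namespace`, `project`, `cluster`). Because `env` selects which `values-<env>.yaml` is read and prefixes namespaces in `apps/openfga.nix`, constraining it would turn a typo into an evaluation error instead of a missing-file failure or a stray namespace: `env = mkOption { type = types.enum [ "prod" "staging" ]; default = "prod"; description = "Deployment environment; selects values-<env>.yaml and the namespace prefix"; };`. The `serverSideDiff` option is declared here but nothing in the diff reads `cfg.serverSideDiff`; if it is consumed elsewhere in `modules/default.nix` that is outside the hunks, otherwise it is a dead option.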
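Review bot: The `autoSync` defaults now come from `cfg.autoSync`, `cfg.prune` and `cfg.selfHeal`, but `cfg.serverSideDiff`, declared in the first hunk of this file, is not mapped into `syncPolicy` here; if it is meant to drive Argo CD's ServerSideDiff sync option it should be wired next to these three, otherwise declaring it with `default = true` is misleading. A comment on `defaults = {` such as `# env-wide defaults; per-app values are merged in applib.appConfig` would also make the relationship to the per-app settings in envs/staging.nix clear, assuming that merge exists in modules/lib.nix (not shown). The `nixidy` attrset this sits in begins and ends outside the hunk.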
+++ b/modules/lib.nix
@@ -25,6 +25,24 @@
 description = "Enable server-side diffing";
 };
+ namespace = mkOption {
+ type = types.string;
+ default = null;
+ description = "Namespace";
+ };
+
+ project = mkOption {
+ type = types.string;
+ default = "default";
+ description = "Project";
+ };
+
+ cluster = mkOption {
+ type = types.string;
+ default = "https://kubernetes.default.svc";
+ description = "Cluster";
+ };
+
 values = mkOption {
 type = types.attrsOf types.anything;
 default = {};
@@ -55,4 +73,11 @@
 };
 in mkIf cfg.enable { applications.${name} = app; };
+
+ appValues = with pkgs.lib; vs: values:
+ attrsets.mergeAttrsList (lists.flatten [
+ (lib.kube.fromYAML (builtins.readFile "${vs}/values.yaml"))
+ (lib.kube.fromYAML (builtins.readFile "${vs}/values-${env}.yaml"))
+ [ values ]
+ ]);
 }
diff --git a/policies/default.nix b/policies/default.nix
new file mode 100644
index 00000000..a745e10c
--- /dev/null
+++ b/policies/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./oceanbox/network
+ # ./oceanbox/kyverno
+ ];
+}
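Review bot: `namespace` is declared as `type = types.string;` with `default = null;`, and `null` is not a value of a string type; whether the module system rejects the default at evaluation or only when an app omits `namespace` depends on the nixpkgs version, but either way the declaration contradicts itself. If the option is meant to be optional, `type = types.nullOr types.str;` says so, and any consumer must then handle the `null` case explicitly rather than interpolating it into a namespace name. The three new `description` strings (`"Namespace"`, `"Project"`, `"Cluster"`) only repeat the option name; stating that `cluster` is the Argo CD destination server URL and that `project` is the Argo CD AppProject would help. The `appOptions` attrset these live in starts and ends outside the hunk.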
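Review bot: `appValues = with pkgs.lib; vs: values:` references `env` in `"${vs}/values-${env}.yaml"`, but `env` is neither a parameter of `appValues` nor bound anywhere visible in this hunk, so unless it is defined earlier in `modules/lib.nix` (outside the diff) any call fails with an undefined-variable error; the only call site, in `apps/openfga.nix`, is commented out, which is why this is not caught. Making the environment an explicit argument, `appValues = with pkgs.lib; env: vs: values:`, removes the hidden dependency and lets callers pass `config.apps.env`. Note also that this helper uses `lib.kube.fromYAML` while the inline copy in `apps/openfga.nix` uses `kube.fromYAML` via `with lib;`, so whichever `lib` is in scope in this file decides whether the helper resolves; the enclosing attrset begins outside the hunk.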