feat: add initial config

intermediate/nginx.nix

@@ -0,0 +1,36 @@
+let
+  lib = import <nixpkgs/lib>;
+  endpoints = (import ../validation/endpoints.nix).getValidatedEndpoints (import ../config/endpoints.nix);
+  net = import ../config/network.nix;
+  tunnelPolicy = import ../validation/tunnel_ports.nix;
+
+  normalizeEndpoint = endpoint:
+    endpoint // {
+      content = endpoint.content // {
+        host = if endpoint.type == "forwarding" then net.tunnel.host else endpoint.content.host;
+      };
+    };
+
+  normalizedEndpoints = map normalizeEndpoint endpoints;
+
+  _forwardPortChecks = map (endpoint:
+    if endpoint.content.host == net.tunnel.host && !(tunnelPolicy.isAllowedTunnelPort endpoint.content.port) then
+      throw "Forwarding endpoint listenPort=${toString endpoint.listenPort} targets tunnel-backed local port ${toString endpoint.content.port}, which is not listed in config/network.nix tunnel.allowedPorts."
+    else
+      null
+  ) normalizedEndpoints;
+
+  mkStreamServer = endpoint: ''
+    server {
+      listen ${toString endpoint.listenPort};
+      proxy_pass ${endpoint.content.host}:${toString endpoint.content.port};
+    }
+  '';
+
+  streamConfig = lib.concatStringsSep "\n" (map mkStreamServer normalizedEndpoints);
+in
+{
+  validatedEndpoints = normalizedEndpoints;
+  inherit streamConfig;
+  nginxUsedPorts = lib.unique (map (endpoint: endpoint.listenPort) normalizedEndpoints);
+}

intermediate/secrets.nix

@@ -0,0 +1,79 @@
+let
+  lib = import <nixpkgs/lib>;
+  secretsConfig = (import ../validation/secrets.nix).getSecretsConfig (import ../config/secrets.nix);
+
+  getRuntimePath = path:
+    "/run/secrets/${builtins.concatStringsSep "_" path}";
+
+  defaultMetadata = {
+    path = null;
+    owner = null;
+    group = null;
+    mode = null;
+  };
+
+  normalizeLeaf = path: node:
+    if builtins.isString node || builtins.isPath node then
+      {
+        file = node;
+        metadata = defaultMetadata;
+      }
+    else if builtins.isAttrs node && node ? file then
+      {
+        file = node.file;
+        metadata = {
+          path = node.path or null;
+          owner = node.owner or null;
+          group = node.group or null;
+          mode = node.mode or null;
+        };
+      }
+    else
+      throw "Invalid secret leaf at ${builtins.concatStringsSep "." path}: must be string, path, or attrset with 'file'";
+
+  flattenTree = path: node:
+    if builtins.isAttrs node && !(node ? file) then
+      lib.concatMap (name:
+        flattenTree (path ++ [ name ]) node.${name}
+      ) (builtins.attrNames node)
+    else
+      let
+        normalized = normalizeLeaf path node;
+      in
+        [ {
+          inherit path;
+          file = normalized.file;
+          metadata = normalized.metadata;
+        } ];
+
+  entries = flattenTree [] secretsConfig;
+
+  isReady = entry:
+    builtins.pathExists entry.file;
+
+  readyEntries = builtins.filter isReady entries;
+  missingEntries = builtins.filter (entry: !(isReady entry)) entries;
+
+  mkSopsSecrets = sourceEntries:
+    builtins.listToAttrs (map (entry:
+      let
+        secretName = builtins.concatStringsSep "_" entry.path;
+      in
+        {
+          name = secretName;
+          value = {
+            sopsFile = entry.file;
+            format = "binary";
+            path = if entry.metadata.path != null then entry.metadata.path else getRuntimePath entry.path;
+            owner = if entry.metadata.owner != null then entry.metadata.owner else "root";
+            group = if entry.metadata.group != null then entry.metadata.group else "root";
+            mode = if entry.metadata.mode != null then entry.metadata.mode else "0400";
+          };
+        }
+    ) sourceEntries);
+in
+{
+  source = secretsConfig;
+  byName = mkSopsSecrets readyEntries;
+  missing = missingEntries;
+}