diff --git a/flake.lock b/flake.lock index f9050b6..881d823 100644 --- a/flake.lock +++ b/flake.lock @@ -44,9 +44,7 @@ "agenix-rekey": { "inputs": { "devshell": "devshell", - "flake-utils": [ - "flake-utils" - ], + "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ], @@ -183,7 +181,7 @@ "crane": { "inputs": { "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "elewrap", "nixpkgs" @@ -271,7 +269,7 @@ }, "devshell_2": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ] @@ -292,7 +290,7 @@ }, "devshell_3": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_6", "nixpkgs": [ "nix-topology", "nixpkgs" @@ -318,7 +316,7 @@ "nixos-extra-modules", "nixpkgs" ], - "systems": "systems_8" + "systems": "systems_10" }, "locked": { "lastModified": 1701787589, @@ -336,7 +334,7 @@ }, "devshell_5": { "inputs": { - "flake-utils": "flake-utils_6", + "flake-utils": "flake-utils_9", "nixpkgs": [ "nixvim", "nixpkgs" @@ -380,7 +378,7 @@ "inputs": { "advisory-db": "advisory-db", "crane": "crane", - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ], @@ -511,6 +509,22 @@ } }, "flake-compat_8": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_9": { "flake": false, "locked": { "lastModified": 1673956053, 
@@ -527,6 +541,24 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1715865404, + "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nixvim", @@ -547,9 +579,9 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib" + "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { "lastModified": 1714641030, @@ -584,6 +616,42 @@ "inputs": { "systems": "systems_3" }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_10": { + "inputs": { + "systems": "systems_13" + }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_4" + }, "locked": { "lastModified": 1701680307, "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", @@ -598,9 +666,9 @@ "type": "github" } }, - "flake-utils_2": { + "flake-utils_3": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1685518550, 
@@ -616,9 +684,9 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "inputs": { - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1687709756, @@ -634,9 +702,9 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_5": { "inputs": { - "systems": "systems_6" + "systems": "systems_7" }, "locked": { "lastModified": 1710146030, @@ -652,27 +720,9 @@ "type": "github" } }, - "flake-utils_5": { - "inputs": { - "systems": "systems_7" - }, - "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "flake-utils_6": { "inputs": { - "systems": "systems_9" + "systems": "systems_8" }, "locked": { "lastModified": 1701680307, 
@@ -690,14 +740,50 @@ }, "flake-utils_7": { "inputs": { - "systems": "systems_10" + "systems": "systems_9" }, "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_8": { + "inputs": { + "systems": "systems_11" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_9": { + "inputs": { + "systems": "systems_12" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": { @@ -811,6 +897,28 @@ } }, "gitignore_5": { + "inputs": { + "nixpkgs": [ + "nixvim", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_6": { "inputs": { "nixpkgs": [ "pre-commit-hooks", @@ -919,9 +1027,7 @@ }, "microvm": { "inputs": { - "flake-utils": [ - "flake-utils" - ], + "flake-utils": "flake-utils_5", "nixpkgs": [ "nixpkgs" ], 
@@ -985,9 +1091,7 @@ "nix-topology": { "inputs": { "devshell": "devshell_3", - "flake-utils": [ - "flake-utils" - ], + "flake-utils": "flake-utils_7", "nixpkgs": [ "nixpkgs" ], @@ -1025,9 +1129,7 @@ "nixos-extra-modules": { "inputs": { "devshell": "devshell_4", - "flake-utils": [ - "flake-utils" - ], + "flake-utils": "flake-utils_8", "lib-net": "lib-net", "nixpkgs": [ "nixpkgs" @@ -1133,6 +1235,18 @@ "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz" } }, + "nixpkgs-lib_2": { + "locked": { + "lastModified": 1714640452, + "narHash": "sha256-QBx10+k6JWz6u7VsohfSw8g8hjdBZEf8CFzXH1/1Z94=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1685801374, @@ -1233,16 +1347,14 @@ "inputs": { "devshell": "devshell_5", "flake-compat": "flake-compat_6", - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "flake-root": "flake-root", "home-manager": "home-manager_2", "nix-darwin": "nix-darwin", "nixpkgs": [ "nixpkgs" ], - "pre-commit-hooks": [ - "pre-commit-hooks" - ], + "pre-commit-hooks": "pre-commit-hooks_5", "treefmt-nix": "treefmt-nix" }, "locked": { 
@@ -1375,6 +1487,33 @@ "inputs": { "flake-compat": "flake-compat_7", "gitignore": "gitignore_5", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716213921, + "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks_6": { + "inputs": { + "flake-compat": "flake-compat_8", + "gitignore": "gitignore_6", "nixpkgs": [ "nixpkgs" ], @@ -1401,7 +1540,7 @@ "devshell": "devshell_2", "disko": "disko", "elewrap": "elewrap", - "flake-utils": "flake-utils_4", + "flake-parts": "flake-parts", "home-manager": "home-manager", "impermanence": "impermanence", "microvm": "microvm", @@ -1413,7 +1552,7 @@ "nixos-nftables-firewall": "nixos-nftables-firewall", "nixpkgs": "nixpkgs", "nixvim": "nixvim", - "pre-commit-hooks": "pre-commit-hooks_5", + "pre-commit-hooks": "pre-commit-hooks_6", "stylix": "stylix", "templates": "templates", "wired-notify": "wired-notify" @@ -1448,7 +1587,7 @@ }, "rust-overlay_2": { "inputs": { - "flake-utils": "flake-utils_7", + "flake-utils": "flake-utils_10", "nixpkgs": "nixpkgs_2" }, "locked": { @@ -1490,7 +1629,7 @@ "base16-kitty": "base16-kitty", "base16-tmux": "base16-tmux", "base16-vim": "base16-vim", - "flake-compat": "flake-compat_8", + "flake-compat": "flake-compat_9", "gnome-shell": "gnome-shell", "home-manager": [ "home-manager" 
@@ -1543,6 +1682,51 @@ "type": "github" } }, + "systems_11": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_12": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_13": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "systems_2": { "locked": { "lastModified": 1681028828, @@ -1701,7 +1885,7 @@ }, "wired-notify": { "inputs": { - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "nixpkgs": [ "nixpkgs" ], diff --git a/flake.nix b/flake.nix index c4db527..f43aef5 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,4 @@ { - description = "❄️ oddlama's nix config and dotfiles"; - inputs = { agenix = { url = "github:ryantm/agenix"; @@ -11,7 +9,6 @@ agenix-rekey = { url = "github:oddlama/agenix-rekey"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; }; devshell = { @@ -29,7 +26,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - flake-utils.url = "github:numtide/flake-utils"; + flake-parts.url = "github:hercules-ci/flake-parts"; home-manager = { url = "github:nix-community/home-manager"; 
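Review bot: Dropping `inputs.flake-utils.follows = "flake-utils";` on agenix-rekey here (and on microvm, nix-topology and nixos-extra-modules in the @@ -41 and @@ -52 hunks, plus `inputs.pre-commit-hooks.follows` on nixvim in @@ -78) leaves each dependency with its own private copy of the shared input: the lock now carries flake-utils_2 through flake-utils_10, a second flake-parts and a second pre-commit-hooks. Every extra copy is one more pinned revision that a dependency review has to cover and that `nix flake update` bumps independently, so the de-duplication the old follows gave is lost. If the intent is only to stop declaring flake-utils at the top level, the follows for inputs that still exist can be kept — `inputs.pre-commit-hooks.follows = "pre-commit-hooks";` on nixvim, and `inputs.flake-parts.follows = "flake-parts";` on nixvim and wired-notify, which the lock shows pulling their own flake-parts — after checking those inputs accept the shared revisions.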
@@ -41,7 +38,6 @@ microvm = { url = "github:astro/microvm.nix"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; }; nix-index-database = { @@ -52,13 +48,11 @@ nix-topology = { url = "github:oddlama/nix-topology"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; }; nixos-extra-modules = { url = "github:oddlama/nixos-extra-modules"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; }; nixos-hardware.url = "github:NixOS/nixos-hardware"; @@ -78,7 +72,6 @@ nixvim = { url = "github:nix-community/nixvim"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.pre-commit-hooks.follows = "pre-commit-hooks"; }; pre-commit-hooks = { 
@@ -100,224 +93,143 @@ }; }; - outputs = { - self, - nixpkgs, - ... - } @ inputs: let - inherit - (nixpkgs.lib) - cleanSource - foldl' - mapAttrs - mapAttrsToList - recursiveUpdate - ; - in - { - # The identities that are used to rekey agenix secrets and to - # decrypt all repository-wide secrets. - secretsConfig = { - masterIdentities = [./secrets/yk1-nix-rage.pub]; - extraEncryptionPubkeys = [./secrets/backup.pub]; + outputs = inputs: + inputs.flake-parts.lib.mkFlake {inherit inputs;} { + imports = [ + inputs.devshell.flakeModule + inputs.pre-commit-hooks.flakeModule + ./nix/devshell.nix + ./nix/agenix-rekey.nix + ./nix/globals.nix + ( + { + lib, + flake-parts-lib, + ... + }: + flake-parts-lib.mkTransposedPerSystemModule { + name = "images"; + file = ./flake.nix; + option = lib.mkOption { + type = lib.types.unspecified; + }; + } + ) + ( + { + lib, + flake-parts-lib, + ... + }: + flake-parts-lib.mkTransposedPerSystemModule { + name = "pkgs"; + file = ./flake.nix; + option = lib.mkOption { + type = lib.types.unspecified; + }; + } + ) + ]; + + flake = { + config, + lib, + ... + }: let + inherit + (lib) + foldl' + mapAttrs + mapAttrsToList + recursiveUpdate + ; + in { + inherit + (import ./nix/hosts.nix inputs) + hosts + guestConfigs + nixosConfigurations + nixosConfigurationsMinimal + ; + + # All nixosSystem instanciations are collected here, so that we can refer + # to any system via nodes. + nodes = config.nixosConfigurations // config.guestConfigs; + # Add a shorthand to easily target toplevel derivations + "@" = mapAttrs (_: v: v.config.system.build.toplevel) config.nodes; + + # For each true NixOS system, we want to expose an installer package that + # can be used to do the initial setup on the node from a live environment. + # We use the minimal sibling configuration to reduce the amount of stuff + # we have to copy to the live system. 
+ inherit + (foldl' recursiveUpdate {} + (mapAttrsToList + (import ./nix/generate-installer-package.nix inputs) + config.nixosConfigurationsMinimal)) + packages + ; }; - agenix-rekey = inputs.agenix-rekey.configure { - userFlake = self; - inherit (self) nodes pkgs; - }; + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; - inherit - (import ./nix/hosts.nix inputs) - hosts - guestConfigs - nixosConfigurations - nixosConfigurationsMinimal - ; + perSystem = { + config, + pkgs, + system, + ... + }: { + _module.args.pkgs = import inputs.nixpkgs { + inherit system; + config.allowUnfree = true; + overlays = + import ./lib inputs + ++ import ./pkgs/default.nix + ++ [ + inputs.agenix-rekey.overlays.default + inputs.devshell.overlays.default + inputs.nix-topology.overlays.default + inputs.nixos-extra-modules.overlays.default + ]; + }; - # All nixosSystem instanciations are collected here, so that we can refer - # to any system via nodes. - nodes = self.nixosConfigurations // self.guestConfigs; - # Add a shorthand to easily target toplevel derivations - "@" = mapAttrs (_: v: v.config.system.build.toplevel) self.nodes; + inherit pkgs; - globals = let - globalsSystem = nixpkgs.lib.evalModules { - prefix = ["globals"]; + apps.setupHetznerStorageBoxes = import (inputs.nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") { + inherit pkgs; + nixosConfigurations = config.nodes; + decryptIdentity = builtins.head config.secretsConfig.masterIdentities; + }; + + #topology = import inputs.nix-topology { + # inherit pkgs; + # modules = [ + # ./topology + # { + # inherit (inputs.self) nixosConfigurations; + # } + # ]; + #}; + + # For each major system, we provide a customized installer image that + # has ssh and some other convenience stuff preconfigured. + # Not strictly necessary for new setups. 
+ images.live-iso = inputs.nixos-generators.nixosGenerate { + inherit pkgs; modules = [ - ./modules/globals.nix - ({lib, ...}: { - globals = lib.mkMerge ( - lib.concatLists (lib.flip lib.mapAttrsToList self.nodes ( - name: cfg: - builtins.addErrorContext "while aggregating globals from nixosConfigurations.${name} into flake-level globals:" - cfg.config._globalsDefs - )) - ); - }) + ./nix/installer-configuration.nix + ./config/ssh.nix ]; - }; - in - globalsSystem.config.globals; - - # For each true NixOS system, we want to expose an installer package that - # can be used to do the initial setup on the node from a live environment. - # We use the minimal sibling configuration to reduce the amount of stuff - # we have to copy to the live system. - inherit - (foldl' recursiveUpdate {} - (mapAttrsToList - (import ./nix/generate-installer-package.nix inputs) - self.nixosConfigurationsMinimal)) - packages - ; - } - // inputs.flake-utils.lib.eachDefaultSystem (system: rec { - apps.setupHetznerStorageBoxes = import (inputs.nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") { - inherit pkgs; - nixosConfigurations = self.nodes; - decryptIdentity = builtins.head self.secretsConfig.masterIdentities; - }; - - pkgs = import nixpkgs { - inherit system; - config.allowUnfree = true; - overlays = - import ./lib inputs - ++ import ./pkgs/default.nix - ++ [ - inputs.agenix-rekey.overlays.default - inputs.devshell.overlays.default - inputs.nix-topology.overlays.default - inputs.nixos-extra-modules.overlays.default - ]; - }; - - topology = import inputs.nix-topology { - inherit pkgs; - modules = [ - ./topology - { - inherit (self) nixosConfigurations; - } - ]; - }; - - # For each major system, we provide a customized installer image that - # has ssh and some other convenience stuff preconfigured. - # Not strictly necessary for new setups. 
- images.live-iso = inputs.nixos-generators.nixosGenerate { - inherit pkgs; - modules = [ - ./nix/installer-configuration.nix - ./modules/config/ssh.nix - ]; - format = - { - x86_64-linux = "install-iso"; - aarch64-linux = "sd-aarch64-installer"; - } - .${system}; - }; - - # `nix flake check` - checks.pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run { - src = cleanSource ./.; - hooks = { - # Nix - alejandra.enable = true; - deadnix.enable = true; - statix.enable = true; + format = + { + x86_64-linux = "install-iso"; + aarch64-linux = "sd-aarch64-installer"; + } + .${system}; }; }; - - # `nix develop` - devShells.default = pkgs.devshell.mkShell { - name = "nix-config"; - packages = [ - pkgs.nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions. - ]; - - commands = [ - { - package = pkgs.deploy; - help = "Build and deploy this nix config to nodes"; - } - { - package = pkgs.agenix-rekey; - help = "Edit and rekey secrets"; - } - { - package = pkgs.alejandra; - help = "Format nix code"; - } - { - package = pkgs.statix; - help = "Lint nix code"; - } - { - package = pkgs.deadnix; - help = "Find unused expressions in nix code"; - } - { - package = pkgs.update-nix-fetchgit; - help = "Update fetcher hashes inside nix files"; - } - { - package = pkgs.nix-tree; - help = "Interactively browse dependency graphs of Nix derivations"; - } - { - package = pkgs.nvd; - help = "Diff two nix toplevels and show which packages were upgraded"; - } - { - package = pkgs.nix-diff; - help = "Explain why two Nix derivations differ"; - } - { - package = pkgs.nix-output-monitor; - help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)"; - } - { - package = pkgs.writeShellApplication { - name = "build"; - text = '' - set -euo pipefail - [[ "$#" -ge 1 ]] \ - || { echo "usage: build ..." 
>&2; exit 1; } - HOSTS=() - for h in "$@"; do - HOSTS+=(".#nixosConfigurations.$h.config.system.build.toplevel") - done - nom build --no-link --print-out-paths --show-trace "''${HOSTS[@]}" - ''; - }; - help = "Build a host configuration"; - } - ]; - - devshell.startup.pre-commit.text = self.checks.${system}.pre-commit-hooks.shellHook; - - env = [ - { - # Additionally configure nix-plugins with our extra builtins file. - # We need this for our repo secrets. - name = "NIX_CONFIG"; - value = '' - plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins - extra-builtins-file = ${self.outPath}/nix/extra-builtins.nix - ''; - } - { - # Always add files to git after agenix rekey and agenix generate. - name = "AGENIX_REKEY_ADD_TO_GIT"; - value = "true"; - } - ]; - }; - - # `nix fmt` - formatter = pkgs.alejandra; - }); + }; } diff --git a/nix/agenix-rekey.nix b/nix/agenix-rekey.nix new file mode 100644 index 0000000..0567b93 --- /dev/null +++ b/nix/agenix-rekey.nix @@ -0,0 +1,23 @@ +{inputs, ...}: { + flake = {config, ...}: { + # The identities that are used to rekey agenix secrets and to + # decrypt all repository-wide secrets. + secretsConfig = { + masterIdentities = [../secrets/yk1-nix-rage.pub]; + extraEncryptionPubkeys = [../secrets/backup.pub]; + }; + + agenix-rekey = inputs.agenix-rekey.configure { + userFlake = inputs.self; + inherit (config) nodes pkgs; + }; + }; + + perSystem.devshells.default.env = [ + { + # Always add files to git after agenix rekey and agenix generate. + name = "AGENIX_REKEY_ADD_TO_GIT"; + value = "true"; + } + ]; +} diff --git a/nix/devshell.nix b/nix/devshell.nix new file mode 100644 index 0000000..fdd8c9a --- /dev/null +++ b/nix/devshell.nix 
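Review bot: Inside `perSystem`, `config` is the per-system module config, so `nixosConfigurations = config.nodes;` and `decryptIdentity = builtins.head config.secretsConfig.masterIdentities;` in `apps.setupHetznerStorageBoxes` look up options that this diff only defines at flake level (`nodes` in the `flake = {config, ...}` block, `secretsConfig` in nix/agenix-rekey.nix); unless flake-parts also exposes the flake config under that name, evaluating the app fails. The pre-migration code read `self.nodes` and `self.secretsConfig.masterIdentities`, whose direct translation is `inputs.self.nodes` and `inputs.self.secretsConfig.masterIdentities`. The `topology` output is carried over as a commented-out block with no reason given; a one-line `# TODO:` stating why it is disabled, or dropping it, keeps the file readable. The installer image now imports `./config/ssh.nix` instead of `./modules/config/ssh.nix` and the move is not part of this diff, so confirm the path exists before relying on `images.live-iso`.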
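Review bot: nix/agenix-rekey.nix has no header saying it is a flake-parts module that depends on options defined elsewhere: `inherit (config) nodes pkgs;` in its `flake` block only works because flake.nix defines `nodes` and the transposed `pkgs` output, so the file cannot be evaluated on its own. A comment such as `# flake-parts module wiring agenix-rekey; expects `nodes` and `pkgs` in the flake-level config (see flake.nix).` at the top would make that explicit, and the same applies to nix/globals.nix, which aggregates `config.nodes` the same way. It would also help to note next to `secretsConfig` that `masterIdentities` and `extraEncryptionPubkeys` are meant to point at public identities only (the `.pub` names suggest so — confirm), since this is the file a reader checks to see what gets committed.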
@@ -0,0 +1,102 @@ +{ + perSystem = { + config, + pkgs, + ... + }: { + pre-commit.settings.hooks = { + alejandra.enable = true; + deadnix.enable = true; + statix.enable = true; + #gitleaks = { + # enable = true; + # name = "gitleaks"; + # entry = "${pkgs.gitleaks}/bin/gitleaks protect --verbose --redact --staged"; + # language = "system"; + # pass_filenames = false; + #}; + }; + + devshells.default = { + packages = [ + pkgs.nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions. + ]; + + commands = [ + { + package = pkgs.deploy; + help = "Build and deploy this nix config to nodes"; + } + { + package = pkgs.agenix-rekey; + help = "Edit and rekey secrets"; + } + { + package = pkgs.alejandra; + help = "Format nix code"; + } + { + package = pkgs.statix; + help = "Lint nix code"; + } + { + package = pkgs.deadnix; + help = "Find unused expressions in nix code"; + } + { + package = pkgs.update-nix-fetchgit; + help = "Update fetcher hashes inside nix files"; + } + { + package = pkgs.nix-tree; + help = "Interactively browse dependency graphs of Nix derivations"; + } + { + package = pkgs.nvd; + help = "Diff two nix toplevels and show which packages were upgraded"; + } + { + package = pkgs.nix-diff; + help = "Explain why two Nix derivations differ"; + } + { + package = pkgs.nix-output-monitor; + help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)"; + } + { + package = pkgs.writeShellApplication { + name = "build"; + text = '' + set -euo pipefail + [[ "$#" -ge 1 ]] \ + || { echo "usage: build ..." 
>&2; exit 1; } + HOSTS=() + for h in "$@"; do + HOSTS+=(".#nixosConfigurations.$h.config.system.build.toplevel") + done + nom build --no-link --print-out-paths --show-trace "''${HOSTS[@]}" + ''; + }; + help = "Build a host configuration"; + } + ]; + + devshell.startup.pre-commit.text = config.pre-commit.installationScript; + + env = [ + { + # Additionally configure nix-plugins with our extra builtins file. + # We need this for our repo secrets. + name = "NIX_CONFIG"; + value = '' + plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins + extra-builtins-file = ${./..}/nix/extra-builtins.nix + ''; + } + ]; + }; + + # `nix fmt` + formatter = pkgs.alejandra; + }; +} diff --git a/nix/extra-builtins.nix b/nix/extra-builtins.nix index 3bc9c26..4889cb1 100644 --- a/nix/extra-builtins.nix +++ b/nix/extra-builtins.nix @@ -29,6 +29,4 @@ in { assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity."; assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age"; exec ([./rage-decrypt-and-cache.sh nixFile] ++ identities); - # currentSystem - unsafeCurrentSystem = exec ["nix" "eval" "--impure" "--expr" "builtins.currentSystem"]; } diff --git a/nix/globals.nix b/nix/globals.nix new file mode 100644 index 0000000..4880a47 --- /dev/null +++ b/nix/globals.nix @@ -0,0 +1,26 @@ +{ + flake = { + config, + lib, + ... + }: { + globals = let + globalsSystem = lib.evalModules { + prefix = ["globals"]; + modules = [ + ../modules/globals.nix + ({lib, ...}: { + globals = lib.mkMerge ( + lib.concatLists (lib.flip lib.mapAttrsToList config.nodes ( + name: cfg: + builtins.addErrorContext "while aggregating globals from nixosConfigurations.${name} into flake-level globals:" + cfg.config._globalsDefs + )) + ); + }) + ]; + }; + in + globalsSystem.config.globals; + }; +} 
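Review bot: The gitleaks entry in `pre-commit.settings.hooks` is added already commented out, with no note on why. For a repository that keeps its secrets as `.age` files next to the code, a staged-file scanner such as `${pkgs.gitleaks}/bin/gitleaks protect --verbose --redact --staged` is the control that catches a plaintext file committed by mistake, so either enable it or replace the dead block with `# TODO: gitleaks hook disabled because <reason>`. The `NIX_CONFIG` entry carries a comment, but `devshell.startup.pre-commit.text = config.pre-commit.installationScript;` does not; a short `# installationScript comes from the pre-commit-hooks flakeModule imported in flake.nix` would tell a reader where that option originates.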
diff --git a/users/config/shell/default.nix b/users/config/shell/default.nix
index 7126193..c2ed21d 100644
--- a/users/config/shell/default.nix
+++ b/users/config/shell/default.nix
@@ -10,7 +10,7 @@
 options = ["--cmd p"];
 };
 
-# nix-index-database is enabled globally for each user in modules/config/home-manager.nix
+# nix-index-database is enabled globally for each user in config/home-manager.nix
 programs.nix-index.enable = true;
 programs.nix-index.enableZshIntegration = false;
 programs.nix-index-database.comma.enable = true;