
feat: transition to flake-part (half done)

This commit is contained in:
oddlama 2024-05-29 00:33:52 +02:00
parent 6483bd4f7e
commit 78f79917f1
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
7 changed files with 525 additions and 280 deletions

300
flake.lock generated

@ -44,9 +44,7 @@
"agenix-rekey": { "agenix-rekey": {
"inputs": { "inputs": {
"devshell": "devshell", "devshell": "devshell",
"flake-utils": [ "flake-utils": "flake-utils",
"flake-utils"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -183,7 +181,7 @@
"crane": { "crane": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_3",
"nixpkgs": [ "nixpkgs": [
"elewrap", "elewrap",
"nixpkgs" "nixpkgs"
@ -271,7 +269,7 @@
}, },
"devshell_2": { "devshell_2": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
@ -292,7 +290,7 @@
}, },
"devshell_3": { "devshell_3": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_5", "flake-utils": "flake-utils_6",
"nixpkgs": [ "nixpkgs": [
"nix-topology", "nix-topology",
"nixpkgs" "nixpkgs"
@ -318,7 +316,7 @@
"nixos-extra-modules", "nixos-extra-modules",
"nixpkgs" "nixpkgs"
], ],
"systems": "systems_8" "systems": "systems_10"
}, },
"locked": { "locked": {
"lastModified": 1701787589, "lastModified": 1701787589,
@ -336,7 +334,7 @@
}, },
"devshell_5": { "devshell_5": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_6", "flake-utils": "flake-utils_9",
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
"nixpkgs" "nixpkgs"
@ -380,7 +378,7 @@
"inputs": { "inputs": {
"advisory-db": "advisory-db", "advisory-db": "advisory-db",
"crane": "crane", "crane": "crane",
"flake-utils": "flake-utils_3", "flake-utils": "flake-utils_4",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -511,6 +509,22 @@
} }
}, },
"flake-compat_8": { "flake-compat_8": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_9": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@ -527,6 +541,24 @@
} }
}, },
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1715865404,
"narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nixvim", "nixvim",
@ -547,9 +579,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_2": { "flake-parts_3": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib_2"
}, },
"locked": { "locked": {
"lastModified": 1714641030, "lastModified": 1714641030,
@ -584,6 +616,42 @@
"inputs": { "inputs": {
"systems": "systems_3" "systems": "systems_3"
}, },
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_10": {
"inputs": {
"systems": "systems_13"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_4"
},
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
@ -598,9 +666,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": { "flake-utils_3": {
"inputs": { "inputs": {
"systems": "systems_4" "systems": "systems_5"
}, },
"locked": { "locked": {
"lastModified": 1685518550, "lastModified": 1685518550,
@ -616,9 +684,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_3": { "flake-utils_4": {
"inputs": { "inputs": {
"systems": "systems_5" "systems": "systems_6"
}, },
"locked": { "locked": {
"lastModified": 1687709756, "lastModified": 1687709756,
@ -634,9 +702,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_4": { "flake-utils_5": {
"inputs": { "inputs": {
"systems": "systems_6" "systems": "systems_7"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1710146030,
@ -652,27 +720,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_6": { "flake-utils_6": {
"inputs": { "inputs": {
"systems": "systems_9" "systems": "systems_8"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1701680307,
@ -690,14 +740,50 @@
}, },
"flake-utils_7": { "flake-utils_7": {
"inputs": { "inputs": {
"systems": "systems_10" "systems": "systems_9"
}, },
"locked": { "locked": {
"lastModified": 1705309234, "lastModified": 1710146030,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_8": {
"inputs": {
"systems": "systems_11"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_9": {
"inputs": {
"systems": "systems_12"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -811,6 +897,28 @@
} }
}, },
"gitignore_5": { "gitignore_5": {
"inputs": {
"nixpkgs": [
"nixvim",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_6": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"pre-commit-hooks", "pre-commit-hooks",
@ -919,9 +1027,7 @@
}, },
"microvm": { "microvm": {
"inputs": { "inputs": {
"flake-utils": [ "flake-utils": "flake-utils_5",
"flake-utils"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -985,9 +1091,7 @@
"nix-topology": { "nix-topology": {
"inputs": { "inputs": {
"devshell": "devshell_3", "devshell": "devshell_3",
"flake-utils": [ "flake-utils": "flake-utils_7",
"flake-utils"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -1025,9 +1129,7 @@
"nixos-extra-modules": { "nixos-extra-modules": {
"inputs": { "inputs": {
"devshell": "devshell_4", "devshell": "devshell_4",
"flake-utils": [ "flake-utils": "flake-utils_8",
"flake-utils"
],
"lib-net": "lib-net", "lib-net": "lib-net",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -1133,6 +1235,18 @@
"url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
} }
}, },
"nixpkgs-lib_2": {
"locked": {
"lastModified": 1714640452,
"narHash": "sha256-QBx10+k6JWz6u7VsohfSw8g8hjdBZEf8CFzXH1/1Z94=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
}
},
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1685801374, "lastModified": 1685801374,
@ -1233,16 +1347,14 @@
"inputs": { "inputs": {
"devshell": "devshell_5", "devshell": "devshell_5",
"flake-compat": "flake-compat_6", "flake-compat": "flake-compat_6",
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"flake-root": "flake-root", "flake-root": "flake-root",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"pre-commit-hooks": [ "pre-commit-hooks": "pre-commit-hooks_5",
"pre-commit-hooks"
],
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
@ -1375,6 +1487,33 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat_7", "flake-compat": "flake-compat_7",
"gitignore": "gitignore_5", "gitignore": "gitignore_5",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716213921,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_6": {
"inputs": {
"flake-compat": "flake-compat_8",
"gitignore": "gitignore_6",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -1401,7 +1540,7 @@
"devshell": "devshell_2", "devshell": "devshell_2",
"disko": "disko", "disko": "disko",
"elewrap": "elewrap", "elewrap": "elewrap",
"flake-utils": "flake-utils_4", "flake-parts": "flake-parts",
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence", "impermanence": "impermanence",
"microvm": "microvm", "microvm": "microvm",
@ -1413,7 +1552,7 @@
"nixos-nftables-firewall": "nixos-nftables-firewall", "nixos-nftables-firewall": "nixos-nftables-firewall",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixvim": "nixvim", "nixvim": "nixvim",
"pre-commit-hooks": "pre-commit-hooks_5", "pre-commit-hooks": "pre-commit-hooks_6",
"stylix": "stylix", "stylix": "stylix",
"templates": "templates", "templates": "templates",
"wired-notify": "wired-notify" "wired-notify": "wired-notify"
@ -1448,7 +1587,7 @@
}, },
"rust-overlay_2": { "rust-overlay_2": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_7", "flake-utils": "flake-utils_10",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
@ -1490,7 +1629,7 @@
"base16-kitty": "base16-kitty", "base16-kitty": "base16-kitty",
"base16-tmux": "base16-tmux", "base16-tmux": "base16-tmux",
"base16-vim": "base16-vim", "base16-vim": "base16-vim",
"flake-compat": "flake-compat_8", "flake-compat": "flake-compat_9",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
"home-manager": [ "home-manager": [
"home-manager" "home-manager"
@ -1543,6 +1682,51 @@
"type": "github" "type": "github"
} }
}, },
"systems_11": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_12": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_13": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": { "systems_2": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
@ -1701,7 +1885,7 @@
}, },
"wired-notify": { "wired-notify": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],

350
flake.nix

@ -1,6 +1,4 @@
{ {
description = " oddlama's nix config and dotfiles";
inputs = { inputs = {
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";
@ -11,7 +9,6 @@
agenix-rekey = { agenix-rekey = {
url = "github:oddlama/agenix-rekey"; url = "github:oddlama/agenix-rekey";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
}; };
devshell = { devshell = {
@ -29,7 +26,7 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
flake-utils.url = "github:numtide/flake-utils"; flake-parts.url = "github:hercules-ci/flake-parts";
home-manager = { home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
@ -41,7 +38,6 @@
microvm = { microvm = {
url = "github:astro/microvm.nix"; url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
}; };
nix-index-database = { nix-index-database = {
@ -52,13 +48,11 @@
nix-topology = { nix-topology = {
url = "github:oddlama/nix-topology"; url = "github:oddlama/nix-topology";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
}; };
nixos-extra-modules = { nixos-extra-modules = {
url = "github:oddlama/nixos-extra-modules"; url = "github:oddlama/nixos-extra-modules";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
}; };
nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-hardware.url = "github:NixOS/nixos-hardware";
@ -78,7 +72,6 @@
nixvim = { nixvim = {
url = "github:nix-community/nixvim"; url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.pre-commit-hooks.follows = "pre-commit-hooks";
}; };
pre-commit-hooks = { pre-commit-hooks = {
@ -100,224 +93,143 @@
}; };
}; };
outputs = { outputs = inputs:
self, inputs.flake-parts.lib.mkFlake {inherit inputs;} {
nixpkgs, imports = [
... inputs.devshell.flakeModule
} @ inputs: let inputs.pre-commit-hooks.flakeModule
inherit ./nix/devshell.nix
(nixpkgs.lib) ./nix/agenix-rekey.nix
cleanSource ./nix/globals.nix
foldl' (
mapAttrs {
mapAttrsToList lib,
recursiveUpdate flake-parts-lib,
; ...
in }:
{ flake-parts-lib.mkTransposedPerSystemModule {
# The identities that are used to rekey agenix secrets and to name = "images";
# decrypt all repository-wide secrets. file = ./flake.nix;
secretsConfig = { option = lib.mkOption {
masterIdentities = [./secrets/yk1-nix-rage.pub]; type = lib.types.unspecified;
extraEncryptionPubkeys = [./secrets/backup.pub]; };
}
)
(
{
lib,
flake-parts-lib,
...
}:
flake-parts-lib.mkTransposedPerSystemModule {
name = "pkgs";
file = ./flake.nix;
option = lib.mkOption {
type = lib.types.unspecified;
};
}
)
];
flake = {
config,
lib,
...
}: let
inherit
(lib)
foldl'
mapAttrs
mapAttrsToList
recursiveUpdate
;
in {
inherit
(import ./nix/hosts.nix inputs)
hosts
guestConfigs
nixosConfigurations
nixosConfigurationsMinimal
;
# All nixosSystem instanciations are collected here, so that we can refer
# to any system via nodes.<name>
nodes = config.nixosConfigurations // config.guestConfigs;
# Add a shorthand to easily target toplevel derivations
"@" = mapAttrs (_: v: v.config.system.build.toplevel) config.nodes;
# For each true NixOS system, we want to expose an installer package that
# can be used to do the initial setup on the node from a live environment.
# We use the minimal sibling configuration to reduce the amount of stuff
# we have to copy to the live system.
inherit
(foldl' recursiveUpdate {}
(mapAttrsToList
(import ./nix/generate-installer-package.nix inputs)
config.nixosConfigurationsMinimal))
packages
;
}; };
agenix-rekey = inputs.agenix-rekey.configure { systems = [
userFlake = self; "x86_64-linux"
inherit (self) nodes pkgs; "aarch64-linux"
}; ];
inherit perSystem = {
(import ./nix/hosts.nix inputs) config,
hosts pkgs,
guestConfigs system,
nixosConfigurations ...
nixosConfigurationsMinimal }: {
; _module.args.pkgs = import inputs.nixpkgs {
inherit system;
config.allowUnfree = true;
overlays =
import ./lib inputs
++ import ./pkgs/default.nix
++ [
inputs.agenix-rekey.overlays.default
inputs.devshell.overlays.default
inputs.nix-topology.overlays.default
inputs.nixos-extra-modules.overlays.default
];
};
# All nixosSystem instanciations are collected here, so that we can refer inherit pkgs;
# to any system via nodes.<name>
nodes = self.nixosConfigurations // self.guestConfigs;
# Add a shorthand to easily target toplevel derivations
"@" = mapAttrs (_: v: v.config.system.build.toplevel) self.nodes;
globals = let apps.setupHetznerStorageBoxes = import (inputs.nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") {
globalsSystem = nixpkgs.lib.evalModules { inherit pkgs;
prefix = ["globals"]; nixosConfigurations = config.nodes;
decryptIdentity = builtins.head config.secretsConfig.masterIdentities;
};
#topology = import inputs.nix-topology {
# inherit pkgs;
# modules = [
# ./topology
# {
# inherit (inputs.self) nixosConfigurations;
# }
# ];
#};
# For each major system, we provide a customized installer image that
# has ssh and some other convenience stuff preconfigured.
# Not strictly necessary for new setups.
images.live-iso = inputs.nixos-generators.nixosGenerate {
inherit pkgs;
modules = [ modules = [
./modules/globals.nix ./nix/installer-configuration.nix
({lib, ...}: { ./config/ssh.nix
globals = lib.mkMerge (
lib.concatLists (lib.flip lib.mapAttrsToList self.nodes (
name: cfg:
builtins.addErrorContext "while aggregating globals from nixosConfigurations.${name} into flake-level globals:"
cfg.config._globalsDefs
))
);
})
]; ];
}; format =
in {
globalsSystem.config.globals; x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
# For each true NixOS system, we want to expose an installer package that }
# can be used to do the initial setup on the node from a live environment. .${system};
# We use the minimal sibling configuration to reduce the amount of stuff
# we have to copy to the live system.
inherit
(foldl' recursiveUpdate {}
(mapAttrsToList
(import ./nix/generate-installer-package.nix inputs)
self.nixosConfigurationsMinimal))
packages
;
}
// inputs.flake-utils.lib.eachDefaultSystem (system: rec {
apps.setupHetznerStorageBoxes = import (inputs.nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") {
inherit pkgs;
nixosConfigurations = self.nodes;
decryptIdentity = builtins.head self.secretsConfig.masterIdentities;
};
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
overlays =
import ./lib inputs
++ import ./pkgs/default.nix
++ [
inputs.agenix-rekey.overlays.default
inputs.devshell.overlays.default
inputs.nix-topology.overlays.default
inputs.nixos-extra-modules.overlays.default
];
};
topology = import inputs.nix-topology {
inherit pkgs;
modules = [
./topology
{
inherit (self) nixosConfigurations;
}
];
};
# For each major system, we provide a customized installer image that
# has ssh and some other convenience stuff preconfigured.
# Not strictly necessary for new setups.
images.live-iso = inputs.nixos-generators.nixosGenerate {
inherit pkgs;
modules = [
./nix/installer-configuration.nix
./modules/config/ssh.nix
];
format =
{
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}
.${system};
};
# `nix flake check`
checks.pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run {
src = cleanSource ./.;
hooks = {
# Nix
alejandra.enable = true;
deadnix.enable = true;
statix.enable = true;
}; };
}; };
};
# `nix develop`
devShells.default = pkgs.devshell.mkShell {
name = "nix-config";
packages = [
pkgs.nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
];
commands = [
{
package = pkgs.deploy;
help = "Build and deploy this nix config to nodes";
}
{
package = pkgs.agenix-rekey;
help = "Edit and rekey secrets";
}
{
package = pkgs.alejandra;
help = "Format nix code";
}
{
package = pkgs.statix;
help = "Lint nix code";
}
{
package = pkgs.deadnix;
help = "Find unused expressions in nix code";
}
{
package = pkgs.update-nix-fetchgit;
help = "Update fetcher hashes inside nix files";
}
{
package = pkgs.nix-tree;
help = "Interactively browse dependency graphs of Nix derivations";
}
{
package = pkgs.nvd;
help = "Diff two nix toplevels and show which packages were upgraded";
}
{
package = pkgs.nix-diff;
help = "Explain why two Nix derivations differ";
}
{
package = pkgs.nix-output-monitor;
help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)";
}
{
package = pkgs.writeShellApplication {
name = "build";
text = ''
set -euo pipefail
[[ "$#" -ge 1 ]] \
|| { echo "usage: build <HOST>..." >&2; exit 1; }
HOSTS=()
for h in "$@"; do
HOSTS+=(".#nixosConfigurations.$h.config.system.build.toplevel")
done
nom build --no-link --print-out-paths --show-trace "''${HOSTS[@]}"
'';
};
help = "Build a host configuration";
}
];
devshell.startup.pre-commit.text = self.checks.${system}.pre-commit-hooks.shellHook;
env = [
{
# Additionally configure nix-plugins with our extra builtins file.
# We need this for our repo secrets.
name = "NIX_CONFIG";
value = ''
plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
extra-builtins-file = ${self.outPath}/nix/extra-builtins.nix
'';
}
{
# Always add files to git after agenix rekey and agenix generate.
name = "AGENIX_REKEY_ADD_TO_GIT";
value = "true";
}
];
};
# `nix fmt`
formatter = pkgs.alejandra;
});
} }
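Review bot: In the new perSystem block, `nixosConfigurations = config.nodes;` and `decryptIdentity = builtins.head config.secretsConfig.masterIdentities;` read `nodes` and `secretsConfig` through the per-system `config`, but both values are defined on the flake-level module (`flake = {config, ...}` in this file and in nix/agenix-rekey.nix), so as written these lookups will presumably fail with a missing-attribute error at evaluation; `nixosConfigurations = inputs.self.nodes;` and `decryptIdentity = builtins.head inputs.self.secretsConfig.masterIdentities;` would reach the flake outputs the way the removed code did through `self`. The live-iso module list now references `./config/ssh.nix` while the removed code used `./modules/config/ssh.nix`, and none of this commit's seven files moves that file, so the image cannot evaluate until it is relocated. The title marks the transition as half done, so these may be known loose ends; flagging them so they are not lost when the second half lands.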

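--- a/nix/agenix-rekey.nix
+++ b/nix/agenix-rekey.nix
@@ -0,0 +1,23 @@
+{inputs, ...}: {
+flake = {config, ...}: {
+# The identities that are used to rekey agenix secrets and to
+# decrypt all repository-wide secrets.
+secretsConfig = {
+masterIdentities = [../secrets/yk1-nix-rage.pub];
+extraEncryptionPubkeys = [../secrets/backup.pub];
+};
+agenix-rekey = inputs.agenix-rekey.configure {
+userFlake = inputs.self;
+inherit (config) nodes pkgs;
+};
+};
+perSystem.devshells.default.env = [
+{
+# Always add files to git after agenix rekey and agenix generate.
+name = "AGENIX_REKEY_ADD_TO_GIT";
+value = "true";
+}
+];
+}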
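Review bot: The module gives no hint that `inherit (config) nodes pkgs;` depends on options declared elsewhere: `nodes` is set by the `flake` module in flake.nix and `pkgs` by the `mkTransposedPerSystemModule` declared there, so this file cannot be imported on its own. A one-line comment above `flake = {config, ...}: {`, such as `# Requires the flake-level nodes attribute and the transposed pkgs option, both declared in flake.nix.`, would make that coupling visible. Since flake.nix takes `builtins.head` of `masterIdentities` as the decrypt identity, the existing comment on `secretsConfig` could also state that the first entry of the list is the one used for decryption, so that a reorder is not treated as cosmetic.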

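--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@@ -0,0 +1,102 @@
+{
+perSystem = {
+config,
+pkgs,
+...
+}: {
+pre-commit.settings.hooks = {
+alejandra.enable = true;
+deadnix.enable = true;
+statix.enable = true;
+#gitleaks = {
+# enable = true;
+# name = "gitleaks";
+# entry = "${pkgs.gitleaks}/bin/gitleaks protect --verbose --redact --staged";
+# language = "system";
+# pass_filenames = false;
+#};
+};
+devshells.default = {
+packages = [
+pkgs.nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
+];
+commands = [
+{
+package = pkgs.deploy;
+help = "Build and deploy this nix config to nodes";
+}
+{
+package = pkgs.agenix-rekey;
+help = "Edit and rekey secrets";
+}
+{
+package = pkgs.alejandra;
+help = "Format nix code";
+}
+{
+package = pkgs.statix;
+help = "Lint nix code";
+}
+{
+package = pkgs.deadnix;
+help = "Find unused expressions in nix code";
+}
+{
+package = pkgs.update-nix-fetchgit;
+help = "Update fetcher hashes inside nix files";
+}
+{
+package = pkgs.nix-tree;
+help = "Interactively browse dependency graphs of Nix derivations";
+}
+{
+package = pkgs.nvd;
+help = "Diff two nix toplevels and show which packages were upgraded";
+}
+{
+package = pkgs.nix-diff;
+help = "Explain why two Nix derivations differ";
+}
+{
+package = pkgs.nix-output-monitor;
+help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)";
+}
+{
+package = pkgs.writeShellApplication {
+name = "build";
+text = ''
+set -euo pipefail
+[[ "$#" -ge 1 ]] \
+|| { echo "usage: build <HOST>..." >&2; exit 1; }
+HOSTS=()
+for h in "$@"; do
+HOSTS+=(".#nixosConfigurations.$h.config.system.build.toplevel")
+done
+nom build --no-link --print-out-paths --show-trace "''${HOSTS[@]}"
+'';
+};
+help = "Build a host configuration";
+}
+];
+devshell.startup.pre-commit.text = config.pre-commit.installationScript;
+env = [
+{
+# Additionally configure nix-plugins with our extra builtins file.
+# We need this for our repo secrets.
+name = "NIX_CONFIG";
+value = ''
+plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
+extra-builtins-file = ${./..}/nix/extra-builtins.nix
+'';
+}
+];
+};
+# `nix fmt`
+formatter = pkgs.alejandra;
+};
+}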
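Review bot: The `pre-commit.settings.hooks` block carries a gitleaks hook in commented-out form (`#gitleaks = { ... }`) with no note on why it is disabled, so the only hooks that run are alejandra, deadnix and statix; in a devshell that also wires up secret rekeying and an extra-builtins decrypt path, that commented hook is the one check with a security purpose. Either enable it or put a one-line comment above it stating the reason it is off, e.g. `# gitleaks hook kept disabled: <reason>`, so a later reader does not assume it was forgotten during the flake-parts move. The header comment on `pkgs.nix` already explains the nix-plugins version constraint, which is the kind of note the gitleaks block is missing.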


@ -29,6 +29,4 @@ in {
assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity."; assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age"; assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
exec ([./rage-decrypt-and-cache.sh nixFile] ++ identities); exec ([./rage-decrypt-and-cache.sh nixFile] ++ identities);
# currentSystem
unsafeCurrentSystem = exec ["nix" "eval" "--impure" "--expr" "builtins.currentSystem"];
} }

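--- a/nix/globals.nix
+++ b/nix/globals.nix
@@ -0,0 +1,26 @@
+{
+flake = {
+config,
+lib,
+...
+}: {
+globals = let
+globalsSystem = lib.evalModules {
+prefix = ["globals"];
+modules = [
+../modules/globals.nix
+({lib, ...}: {
+globals = lib.mkMerge (
+lib.concatLists (lib.flip lib.mapAttrsToList config.nodes (
+name: cfg:
+builtins.addErrorContext "while aggregating globals from nixosConfigurations.${name} into flake-level globals:"
+cfg.config._globalsDefs
+))
+);
+})
+];
+};
+in
+globalsSystem.config.globals;
+};
+}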
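Review bot: The inner module `({lib, ...}: {` shadows the `lib` already bound by the enclosing `flake = {config, lib, ...}:` argument list; `evalModules` hands modules the same nixpkgs lib it was called from, so taking the argument again is redundant and reads as if a different lib were intended — `(_: {` or a plain attrset module would be clearer. The block also has no header explaining that it folds every node's `_globalsDefs` (the `config.nodes` walk inside `mapAttrsToList`) into one flake-level `globals` value evaluated against ../modules/globals.nix; a two-line comment above `globals = let` saying so, and that `config.nodes` must be provided by flake.nix, would help the next reader. The `builtins.addErrorContext` wrapper is worth keeping, since failures would otherwise surface without the node name.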


@ -10,7 +10,7 @@
options = ["--cmd p"]; options = ["--cmd p"];
}; };
# nix-index-database is enabled globally for each user in modules/config/home-manager.nix # nix-index-database is enabled globally for each user in config/home-manager.nix
programs.nix-index.enable = true; programs.nix-index.enable = true;
programs.nix-index.enableZshIntegration = false; programs.nix-index.enableZshIntegration = false;
programs.nix-index-database.comma.enable = true; programs.nix-index-database.comma.enable = true;