mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: transition to flake-part (half done)

Browse source
This commit is contained in:
oddlama 2024-05-29 00:33:52 +02:00
parent 6483bd4f7e
commit 78f79917f1
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
7 changed files with 525 additions and 280 deletions
Download patch file Download diff file Expand all files Collapse all files

300
flake.lock generated
View file

@ -44,9 +44,7 @@
"agenix-rekey": {
"inputs": {
"devshell": "devshell",
"flake-utils": [
"flake-utils"
],
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
@ -183,7 +181,7 @@
"crane": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"elewrap",
"nixpkgs"
@ -271,7 +269,7 @@
},
"devshell_2": {
"inputs": {
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
]
@ -292,7 +290,7 @@
},
"devshell_3": {
"inputs": {
"flake-utils": "flake-utils_5",
"flake-utils": "flake-utils_6",
"nixpkgs": [
"nix-topology",
"nixpkgs"
@ -318,7 +316,7 @@
"nixos-extra-modules",
"nixpkgs"
],
"systems": "systems_8"
"systems": "systems_10"
},
"locked": {
"lastModified": 1701787589,
@ -336,7 +334,7 @@
},
"devshell_5": {
"inputs": {
"flake-utils": "flake-utils_6",
"flake-utils": "flake-utils_9",
"nixpkgs": [
"nixvim",
"nixpkgs"
@ -380,7 +378,7 @@
"inputs": {
"advisory-db": "advisory-db",
"crane": "crane",
"flake-utils": "flake-utils_3",
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixpkgs"
],
@ -511,6 +509,22 @@
}
},
"flake-compat_8": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_9": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -527,6 +541,24 @@
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1715865404,
"narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nixvim",
@ -547,9 +579,9 @@
"type": "github"
}
},
"flake-parts_2": {
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1714641030,
@ -584,6 +616,42 @@
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_10": {
"inputs": {
"systems": "systems_13"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
@ -598,9 +666,9 @@
"type": "github"
}
},
"flake-utils_2": {
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
"systems": "systems_5"
},
"locked": {
"lastModified": 1685518550,
@ -616,9 +684,9 @@
"type": "github"
}
},
"flake-utils_3": {
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
"systems": "systems_6"
},
"locked": {
"lastModified": 1687709756,
@ -634,9 +702,9 @@
"type": "github"
}
},
"flake-utils_4": {
"flake-utils_5": {
"inputs": {
"systems": "systems_6"
"systems": "systems_7"
},
"locked": {
"lastModified": 1710146030,
@ -652,27 +720,9 @@
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_6": {
"inputs": {
"systems": "systems_9"
"systems": "systems_8"
},
"locked": {
"lastModified": 1701680307,
@ -690,14 +740,50 @@
},
"flake-utils_7": {
"inputs": {
"systems": "systems_10"
"systems": "systems_9"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_8": {
"inputs": {
"systems": "systems_11"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_9": {
"inputs": {
"systems": "systems_12"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
@ -811,6 +897,28 @@
}
},
"gitignore_5": {
"inputs": {
"nixpkgs": [
"nixvim",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_6": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
@ -919,9 +1027,7 @@
},
"microvm": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"flake-utils": "flake-utils_5",
"nixpkgs": [
"nixpkgs"
],
@ -985,9 +1091,7 @@
"nix-topology": {
"inputs": {
"devshell": "devshell_3",
"flake-utils": [
"flake-utils"
],
"flake-utils": "flake-utils_7",
"nixpkgs": [
"nixpkgs"
],
@ -1025,9 +1129,7 @@
"nixos-extra-modules": {
"inputs": {
"devshell": "devshell_4",
"flake-utils": [
"flake-utils"
],
"flake-utils": "flake-utils_8",
"lib-net": "lib-net",
"nixpkgs": [
"nixpkgs"
@ -1133,6 +1235,18 @@
"url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
}
},
"nixpkgs-lib_2": {
"locked": {
"lastModified": 1714640452,
"narHash": "sha256-QBx10+k6JWz6u7VsohfSw8g8hjdBZEf8CFzXH1/1Z94=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1685801374,
@ -1233,16 +1347,14 @@
"inputs": {
"devshell": "devshell_5",
"flake-compat": "flake-compat_6",
"flake-parts": "flake-parts",
"flake-parts": "flake-parts_2",
"flake-root": "flake-root",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": [
"pre-commit-hooks"
],
"pre-commit-hooks": "pre-commit-hooks_5",
"treefmt-nix": "treefmt-nix"
},
"locked": {
@ -1375,6 +1487,33 @@
"inputs": {
"flake-compat": "flake-compat_7",
"gitignore": "gitignore_5",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716213921,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_6": {
"inputs": {
"flake-compat": "flake-compat_8",
"gitignore": "gitignore_6",
"nixpkgs": [
"nixpkgs"
],
@ -1401,7 +1540,7 @@
"devshell": "devshell_2",
"disko": "disko",
"elewrap": "elewrap",
"flake-utils": "flake-utils_4",
"flake-parts": "flake-parts",
"home-manager": "home-manager",
"impermanence": "impermanence",
"microvm": "microvm",
@ -1413,7 +1552,7 @@
"nixos-nftables-firewall": "nixos-nftables-firewall",
"nixpkgs": "nixpkgs",
"nixvim": "nixvim",
"pre-commit-hooks": "pre-commit-hooks_5",
"pre-commit-hooks": "pre-commit-hooks_6",
"stylix": "stylix",
"templates": "templates",
"wired-notify": "wired-notify"
@ -1448,7 +1587,7 @@
},
"rust-overlay_2": {
"inputs": {
"flake-utils": "flake-utils_7",
"flake-utils": "flake-utils_10",
"nixpkgs": "nixpkgs_2"
},
"locked": {
@ -1490,7 +1629,7 @@
"base16-kitty": "base16-kitty",
"base16-tmux": "base16-tmux",
"base16-vim": "base16-vim",
"flake-compat": "flake-compat_8",
"flake-compat": "flake-compat_9",
"gnome-shell": "gnome-shell",
"home-manager": [
"home-manager"
@ -1543,6 +1682,51 @@
"type": "github"
}
},
"systems_11": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_12": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_13": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
@ -1701,7 +1885,7 @@
},
"wired-notify": {
"inputs": {
"flake-parts": "flake-parts_2",
"flake-parts": "flake-parts_3",
"nixpkgs": [
"nixpkgs"
],

240
flake.nix
View file

@ -1,6 +1,4 @@
{
description = " oddlama's nix config and dotfiles";
inputs = {
agenix = {
url = "github:ryantm/agenix";
@ -11,7 +9,6 @@
agenix-rekey = {
url = "github:oddlama/agenix-rekey";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
devshell = {
@ -29,7 +26,7 @@
inputs.nixpkgs.follows = "nixpkgs";
};
flake-utils.url = "github:numtide/flake-utils";
flake-parts.url = "github:hercules-ci/flake-parts";
home-manager = {
url = "github:nix-community/home-manager";
@ -41,7 +38,6 @@
microvm = {
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nix-index-database = {
@ -52,13 +48,11 @@
nix-topology = {
url = "github:oddlama/nix-topology";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nixos-extra-modules = {
url = "github:oddlama/nixos-extra-modules";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nixos-hardware.url = "github:NixOS/nixos-hardware";
@ -78,7 +72,6 @@
nixvim = {
url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs";
inputs.pre-commit-hooks.follows = "pre-commit-hooks";
};
pre-commit-hooks = {
@ -100,33 +93,57 @@
};
};
outputs = {
self,
nixpkgs,
outputs = inputs:
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
imports = [
inputs.devshell.flakeModule
inputs.pre-commit-hooks.flakeModule
./nix/devshell.nix
./nix/agenix-rekey.nix
./nix/globals.nix
(
{
lib,
flake-parts-lib,
...
} @ inputs: let
}:
flake-parts-lib.mkTransposedPerSystemModule {
name = "images";
file = ./flake.nix;
option = lib.mkOption {
type = lib.types.unspecified;
};
}
)
(
{
lib,
flake-parts-lib,
...
}:
flake-parts-lib.mkTransposedPerSystemModule {
name = "pkgs";
file = ./flake.nix;
option = lib.mkOption {
type = lib.types.unspecified;
};
}
)
];
flake = {
config,
lib,
...
}: let
inherit
(nixpkgs.lib)
cleanSource
(lib)
foldl'
mapAttrs
mapAttrsToList
recursiveUpdate
;
in
{
# The identities that are used to rekey agenix secrets and to
# decrypt all repository-wide secrets.
secretsConfig = {
masterIdentities = [./secrets/yk1-nix-rage.pub];
extraEncryptionPubkeys = [./secrets/backup.pub];
};
agenix-rekey = inputs.agenix-rekey.configure {
userFlake = self;
inherit (self) nodes pkgs;
};
in {
inherit
(import ./nix/hosts.nix inputs)
hosts
@ -137,28 +154,9 @@
# All nixosSystem instanciations are collected here, so that we can refer
# to any system via nodes.<name>
nodes = self.nixosConfigurations // self.guestConfigs;
nodes = config.nixosConfigurations // config.guestConfigs;
# Add a shorthand to easily target toplevel derivations
"@" = mapAttrs (_: v: v.config.system.build.toplevel) self.nodes;
globals = let
globalsSystem = nixpkgs.lib.evalModules {
prefix = ["globals"];
modules = [
./modules/globals.nix
({lib, ...}: {
globals = lib.mkMerge (
lib.concatLists (lib.flip lib.mapAttrsToList self.nodes (
name: cfg:
builtins.addErrorContext "while aggregating globals from nixosConfigurations.${name} into flake-level globals:"
cfg.config._globalsDefs
))
);
})
];
};
in
globalsSystem.config.globals;
"@" = mapAttrs (_: v: v.config.system.build.toplevel) config.nodes;
# For each true NixOS system, we want to expose an installer package that
# can be used to do the initial setup on the node from a live environment.
@ -168,18 +166,23 @@
(foldl' recursiveUpdate {}
(mapAttrsToList
(import ./nix/generate-installer-package.nix inputs)
self.nixosConfigurationsMinimal))
config.nixosConfigurationsMinimal))
packages
;
}
// inputs.flake-utils.lib.eachDefaultSystem (system: rec {
apps.setupHetznerStorageBoxes = import (inputs.nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") {
inherit pkgs;
nixosConfigurations = self.nodes;
decryptIdentity = builtins.head self.secretsConfig.masterIdentities;
};
pkgs = import nixpkgs {
systems = [
"x86_64-linux"
"aarch64-linux"
];
perSystem = {
config,
pkgs,
system,
...
}: {
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
config.allowUnfree = true;
overlays =
@ -193,16 +196,24 @@
];
};
topology = import inputs.nix-topology {
inherit pkgs;
modules = [
./topology
{
inherit (self) nixosConfigurations;
}
];
apps.setupHetznerStorageBoxes = import (inputs.nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") {
inherit pkgs;
nixosConfigurations = config.nodes;
decryptIdentity = builtins.head config.secretsConfig.masterIdentities;
};
#topology = import inputs.nix-topology {
# inherit pkgs;
# modules = [
# ./topology
# {
# inherit (inputs.self) nixosConfigurations;
# }
# ];
#};
# For each major system, we provide a customized installer image that
# has ssh and some other convenience stuff preconfigured.
# Not strictly necessary for new setups.
@ -210,7 +221,7 @@
inherit pkgs;
modules = [
./nix/installer-configuration.nix
./modules/config/ssh.nix
./config/ssh.nix
];
format =
{
@ -219,105 +230,6 @@
}
.${system};
};
# `nix flake check`
checks.pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run {
src = cleanSource ./.;
hooks = {
# Nix
alejandra.enable = true;
deadnix.enable = true;
statix.enable = true;
};
};
# `nix develop`
devShells.default = pkgs.devshell.mkShell {
name = "nix-config";
packages = [
pkgs.nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
];
commands = [
{
package = pkgs.deploy;
help = "Build and deploy this nix config to nodes";
}
{
package = pkgs.agenix-rekey;
help = "Edit and rekey secrets";
}
{
package = pkgs.alejandra;
help = "Format nix code";
}
{
package = pkgs.statix;
help = "Lint nix code";
}
{
package = pkgs.deadnix;
help = "Find unused expressions in nix code";
}
{
package = pkgs.update-nix-fetchgit;
help = "Update fetcher hashes inside nix files";
}
{
package = pkgs.nix-tree;
help = "Interactively browse dependency graphs of Nix derivations";
}
{
package = pkgs.nvd;
help = "Diff two nix toplevels and show which packages were upgraded";
}
{
package = pkgs.nix-diff;
help = "Explain why two Nix derivations differ";
}
{
package = pkgs.nix-output-monitor;
help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)";
}
{
package = pkgs.writeShellApplication {
name = "build";
text = ''
set -euo pipefail
[[ "$#" -ge 1 ]] \
|| { echo "usage: build <HOST>..." >&2; exit 1; }
HOSTS=()
for h in "$@"; do
HOSTS+=(".#nixosConfigurations.$h.config.system.build.toplevel")
done
nom build --no-link --print-out-paths --show-trace "''${HOSTS[@]}"
'';
};
help = "Build a host configuration";
}
];
devshell.startup.pre-commit.text = self.checks.${system}.pre-commit-hooks.shellHook;
env = [
{
# Additionally configure nix-plugins with our extra builtins file.
# We need this for our repo secrets.
name = "NIX_CONFIG";
value = ''
plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
extra-builtins-file = ${self.outPath}/nix/extra-builtins.nix
'';
}
{
# Always add files to git after agenix rekey and agenix generate.
name = "AGENIX_REKEY_ADD_TO_GIT";
value = "true";
}
];
};
# `nix fmt`
formatter = pkgs.alejandra;
});
}

23
nix/agenix-rekey.nix Normal file
View file

@ -0,0 +1,23 @@
{inputs, ...}: {
flake = {config, ...}: {
# The identities that are used to rekey agenix secrets and to
# decrypt all repository-wide secrets.
secretsConfig = {
masterIdentities = [../secrets/yk1-nix-rage.pub];
extraEncryptionPubkeys = [../secrets/backup.pub];
};
agenix-rekey = inputs.agenix-rekey.configure {
userFlake = inputs.self;
inherit (config) nodes pkgs;
};
};
perSystem.devshells.default.env = [
{
# Always add files to git after agenix rekey and agenix generate.
name = "AGENIX_REKEY_ADD_TO_GIT";
value = "true";
}
];
}

102
nix/devshell.nix Normal file
View file

@ -0,0 +1,102 @@
{
perSystem = {
config,
pkgs,
...
}: {
pre-commit.settings.hooks = {
alejandra.enable = true;
deadnix.enable = true;
statix.enable = true;
#gitleaks = {
# enable = true;
# name = "gitleaks";
# entry = "${pkgs.gitleaks}/bin/gitleaks protect --verbose --redact --staged";
# language = "system";
# pass_filenames = false;
#};
};
devshells.default = {
packages = [
pkgs.nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
];
commands = [
{
package = pkgs.deploy;
help = "Build and deploy this nix config to nodes";
}
{
package = pkgs.agenix-rekey;
help = "Edit and rekey secrets";
}
{
package = pkgs.alejandra;
help = "Format nix code";
}
{
package = pkgs.statix;
help = "Lint nix code";
}
{
package = pkgs.deadnix;
help = "Find unused expressions in nix code";
}
{
package = pkgs.update-nix-fetchgit;
help = "Update fetcher hashes inside nix files";
}
{
package = pkgs.nix-tree;
help = "Interactively browse dependency graphs of Nix derivations";
}
{
package = pkgs.nvd;
help = "Diff two nix toplevels and show which packages were upgraded";
}
{
package = pkgs.nix-diff;
help = "Explain why two Nix derivations differ";
}
{
package = pkgs.nix-output-monitor;
help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)";
}
{
package = pkgs.writeShellApplication {
name = "build";
text = ''
set -euo pipefail
[[ "$#" -ge 1 ]] \
|| { echo "usage: build <HOST>..." >&2; exit 1; }
HOSTS=()
for h in "$@"; do
HOSTS+=(".#nixosConfigurations.$h.config.system.build.toplevel")
done
nom build --no-link --print-out-paths --show-trace "''${HOSTS[@]}"
'';
};
help = "Build a host configuration";
}
];
devshell.startup.pre-commit.text = config.pre-commit.installationScript;
env = [
{
# Additionally configure nix-plugins with our extra builtins file.
# We need this for our repo secrets.
name = "NIX_CONFIG";
value = ''
plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
extra-builtins-file = ${./..}/nix/extra-builtins.nix
'';
}
];
};
# `nix fmt`
formatter = pkgs.alejandra;
};
}

2
nix/extra-builtins.nix
View file

@ -29,6 +29,4 @@ in {
assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
exec ([./rage-decrypt-and-cache.sh nixFile] ++ identities);
# currentSystem
unsafeCurrentSystem = exec ["nix" "eval" "--impure" "--expr" "builtins.currentSystem"];
}

26
nix/globals.nix Normal file
View file

@ -0,0 +1,26 @@
{
flake = {
config,
lib,
...
}: {
globals = let
globalsSystem = lib.evalModules {
prefix = ["globals"];
modules = [
../modules/globals.nix
({lib, ...}: {
globals = lib.mkMerge (
lib.concatLists (lib.flip lib.mapAttrsToList config.nodes (
name: cfg:
builtins.addErrorContext "while aggregating globals from nixosConfigurations.${name} into flake-level globals:"
cfg.config._globalsDefs
))
);
})
];
};
in
globalsSystem.config.globals;
};
}

2
users/config/shell/default.nix
View file

@ -10,7 +10,7 @@
options = ["--cmd p"];
};
# nix-index-database is enabled globally for each user in modules/config/home-manager.nix
# nix-index-database is enabled globally for each user in config/home-manager.nix
programs.nix-index.enable = true;
programs.nix-index.enableZshIntegration = false;
programs.nix-index-database.comma.enable = true;