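{
  description = "c8h4.io NixOS configuration";

  # Inputs that feed system/home configurations are pinned to an explicit rev
  # (date of the pinned commit in the trailing comment); the `url`-only inputs
  # are resolved through flake.lock like any other flake input.
  inputs = {
    nixpkgs = {
      type = "github";
      owner = "NixOS";
      repo = "nixpkgs";
      rev = "7e7941b89e9d2ad4d01892a5af4f17c8e34e3b2b"; # nixos-unstable; 31-08-2024
    };
    home-manager = {
      type = "github";
      owner = "nix-community";
      repo = "home-manager";
      rev = "c2cd2a52e02f1dfa1c88f95abeb89298d46023be"; # master; 23-08-2024
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-hardware = {
      type = "github";
      owner = "NixOS";
      repo = "nixos-hardware";
      rev = "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef"; # master; 28-08-2024
    };
    simple-nixos-mailserver = {
      type = "gitlab";
      owner = "simple-nixos-mailserver";
      repo = "nixos-mailserver";
      rev = "af7d3bf5daeba3fc28089b015c0dd43f06b176f2"; # master; 05-08-2023
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixgl = {
      type = "github";
      owner = "nix-community";
      repo = "nixGL";
      rev = "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a"; # main; 19-04-2024
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    flake-utils.url = "github:numtide/flake-utils";
    treefmt-nix = {
      url = "github:numtide/treefmt-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixinate = {
      url = "github:MatthewCroughan/nixinate";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      type = "github";
      owner = "Mic92";
      repo = "sops-nix";
      rev = "be0eec2d27563590194a9206f551a6f73d52fa34"; # master; 13-08-2024
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs-stable.follows = "nixpkgs";
    };
    lix-module = {
      url =
        "git+https://git.lix.systems/lix-project/nixos-module?ref=refs/tags/2.91.0";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
  };

  outputs = { self, nixpkgs, home-manager, nixos-hardware
    , simple-nixos-mailserver, nixgl, flake-utils, treefmt-nix, nixinate
    , sops-nix, lix-module, ... }:
    let
      # nixpkgs.lib extended with the helpers from ./lib.
      lib = nixpkgs.lib.extend (import ./lib);
      # Overlays applied to every pkgs instantiation below (systems and
      # home-manager alike); also re-exported as `overlays.default`.
      overlays = [
        (nixpkgs.lib.composeManyExtensions [ (import ./pkgs/build-support.nix) ])
        (_: super: import ./pkgs super)
        (_: super: {
          vimPlugins = super.vimPlugins // (import ./pkgs/vim-plugins.nix super);
        })
      ];
    in (flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
      let
        pkgs = import nixpkgs { inherit lib overlays system; };
        inherit (flake-utils.lib) mkApp;

        # Formatter/linter bundle; `checks.formatting` fails on unformatted files.
        treefmt = treefmt-nix.lib.evalModule pkgs {
          projectRootFile = "flake.nix";
          programs = {
            deadnix.enable = true;
            nixfmt = {
              enable = true;
              package = pkgs.nixfmt-classic;
            };
            prettier.enable = true;
            shellcheck.enable = true;
            statix.enable = true;
            stylua.enable = true;
            taplo.enable = true;
          };
        };

        # Wraps `home-manager switch` for the home configuration `name`,
        # backing up files it would overwrite with a `.bak` suffix.
        mkHomeManagerFlake = name:
          pkgs.writeShellApplication {
            name = "hm-flake-${name}";
            runtimeInputs = with pkgs; [ home-manager ];
            text = ''
              set -x
              home-manager switch --flake .#${name} -b bak
            '';
          };

        # Walks the whole history reachable from HEAD and requires every commit
        # to carry a signature whose *primary* key fingerprint (last field of the
        # VALIDSIG status line) is the one hard-coded below. Exits non-zero if
        # any commit is unsigned or signed by another key. Full hashes (%H) are
        # used so that a short hash that became ambiguous cannot make
        # `git verify-commit` fail for the wrong reason.
        checkGitHistory = pkgs.writeShellApplication {
          name = "check-git-history";
          runtimeInputs = with pkgs; [ git gnugrep gnupg ];
          text = ''
            set +o pipefail # `git verify-commit` exits with 1 on expired keys; only grep's status counts
            result=0
            ret=
            for h in $(git log --format=%H | tac); do
              git verify-commit --raw "$h" 2>&1 | grep -qP '^\[GNUPG:\] VALIDSIG (\S+ )+9C561D6430B28D6BDCBC9CEB73D5E7FDEE3DE49A$'
              ret=$?
              if [ $ret -ne 0 ]; then
                # also reached for commits signed by a key other than the one above
                echo "[!] found unsigned commit: $h" >&2
                result=1
              fi
            done
            exit $result
          '';
        };

        # Installs a pre-commit hook that runs `nix flake check` (formatting
        # plus package builds) before every commit. Must be run from the repo root.
        setupGitHooks = pkgs.writeShellApplication {
          name = "setup-git-hooks";
          text = ''
            echo -e '#!/usr/bin/env sh\nexec nix flake check' >.git/hooks/pre-commit
            chmod +x .git/hooks/pre-commit
          '';
        };
      in {
        # nixinate's generated deploy apps, plus the local helper scripts above.
        apps = (nixinate.nixinate.${system} self).nixinate // {
          maui = mkApp { drv = mkHomeManagerFlake "maui"; };
          check-git-history = mkApp { drv = checkGitHistory; };
          setup-git-hooks = mkApp { drv = setupGitHooks; };
        };
        checks = {
          formatting = treefmt.config.build.check self;
        } // self.packages.${system};
        formatter = treefmt.config.build.wrapper;
        devShells.default = pkgs.mkShell {
          inputsFrom = [ treefmt.config.build.devShell ];
          nativeBuildInputs = with pkgs; [ age nix-tree sops ];
        };
        packages = (import ./pkgs pkgs) // (import ./pkgs/vim-plugins.nix pkgs);
      })) // (let
        # Hosts deployed from this flake; each maps to ./machines/<name>.nix.
        machines = {
          back = { };
          fort = { };
          tank = { };
          trek.extraModules =
            [ nixos-hardware.nixosModules.framework-12th-gen-intel ];
          zero = { };
        };
        # Builds the NixOS system for `name` from the shared module stack plus
        # the machine's own module and any `extraModules`.
        mkSystem = name:
          { extraModules ? [ ], system ? "x86_64-linux" }:
          nixpkgs.lib.nixosSystem {
            inherit system;
            specialArgs = { inherit lib; };
            modules = [
              sops-nix.nixosModules.sops
              simple-nixos-mailserver.nixosModules.mailserver
              lix-module.nixosModules.default
              home-manager.nixosModules.home-manager
              # who doesn't love a bit of composability
              ({ config, ... }:
                let my = import ./secrets/my.nix;
                in {
                  _module.args = rec {
                    inherit (config.sops) secrets;
                    inherit my;
                    # Deployment target for nixinate: the closure is built on
                    # the deploying machine and pushed over SSH as `sshUser`.
                    nixinate = {
                      host = "${name}.${my.domain}";
                      sshUser = "christoph";
                      buildOn = "local";
                      substituteOnTarget = true;
                    };
                  };
                  imports = [ (./machines + "/${name}.nix") ];
                  nixpkgs = { inherit overlays; };
                  networking = {
                    hostName = name;
                    hosts."127.0.0.1" = [ "${name}.${my.domain}" ];
                  };
                  # Secrets are decrypted with the host's own ed25519 SSH key;
                  # the derived age key lives under /var/lib/sops-nix.
                  sops.age = {
                    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
                    keyFile = "/var/lib/sops-nix/key.txt";
                    generateKey = true;
                  };
                })
            ] ++ (builtins.attrValues self.nixosModules) ++ extraModules;
          };
      in {
        homeConfigurations.maui = home-manager.lib.homeManagerConfiguration {
          pkgs = import nixpkgs {
            system = "x86_64-linux";
            overlays = overlays ++ [ nixgl.overlay ];
          };
          modules = [ ./machines/maui.nix lix-module.nixosModules.default ];
        };
        nixosConfigurations = builtins.mapAttrs mkSystem machines;
        nixosModules = import ./modules;
        # NOTE(review): `map` yields a *list* of attrsets, whereas an overlay is
        # expected to return a single attrset; if external consumers apply this
        # as an overlay, `nixpkgs.lib.composeManyExtensions overlays` would be
        # the usual form. Left unchanged here — confirm how it is consumed.
        overlays.default = final: prev: map (f: f final prev) overlays;
      });
}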