{
  description = "c8h4.io NixOS configuration";

  # Flake inputs. Inputs written as type/owner/repo/rev are pinned to an
  # explicit commit in this file (the trailing comment records branch and
  # date); the url-only inputs (flake-utils, treefmt-nix, nixinate) carry no
  # rev here and are presumably pinned only by flake.lock, which is not shown.
  inputs = {
    nixpkgs = {
      type = "github";
      owner = "NixOS";
      repo = "nixpkgs";
      rev =
        "80657da2c1d4c35ba4331e85513223c7c2cdc485"; # nixos-unstable; 31-07-2024
    };
    home-manager = {
      type = "github";
      owner = "nix-community";
      repo = "home-manager";
      rev = "6e090576c4824b16e8759ebca3958c5b09659ee8"; # master; 31-07-2024
      # Reuse this flake's nixpkgs instead of home-manager's own pin.
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-hardware = {
      type = "github";
      owner = "NixOS";
      repo = "nixos-hardware";
      rev = "14c333162ba53c02853add87a0000cbd7aa230c2"; # master; 30-07-2024
    };
    # NOTE(review): this pin (21-07-2023) is roughly a year older than the
    # other inputs (July 2024); confirm it is still the intended revision and
    # that no upstream fixes are being missed by it.
    simple-nixos-mailserver = {
      type = "gitlab";
      owner = "simple-nixos-mailserver";
      repo = "nixos-mailserver";
      rev = "c63f6e7b053c18325194ff0e274dba44e8d2271e"; # master; 21-07-2023
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixgl = {
      type = "github";
      owner = "nix-community";
      repo = "nixGL";
      rev = "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a"; # main; 19-04-2024
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    flake-utils.url = "github:numtide/flake-utils";
    treefmt-nix = {
      url = "github:numtide/treefmt-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixinate = {
      url = "github:MatthewCroughan/nixinate";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      type = "github";
      owner = "Mic92";
      repo = "sops-nix";
      rev = "eb34eb588132d653e4c4925d862f1e5a227cc2ab"; # master; 27-07-2024
      inputs.nixpkgs.follows = "nixpkgs";
      # sops-nix also declares a nixpkgs-stable input; point it at the same
      # nixpkgs so only one nixpkgs revision has to be fetched and evaluated.
      inputs.nixpkgs-stable.follows = "nixpkgs";
    };
    lix-module = {
      # Pinned by tag rather than by commit. A tag can be moved upstream, so
      # the effective pin is the rev/narHash recorded in flake.lock (not shown).
      url =
        "git+https://git.lix.systems/lix-project/nixos-module?ref=refs/tags/2.91.0";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
  };

  outputs = { self, nixpkgs, home-manager, nixos-hardware
    , simple-nixos-mailserver, nixgl, flake-utils, treefmt-nix, nixinate
    , sops-nix, lix-module, ... }:
    # Per-system outputs (apps, checks, formatter, devShells, packages) for
    # the two listed systems, merged below with the system-independent
    # outputs (homeConfigurations, nixosConfigurations, nixosModules).
    flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
      let
        pkgs = import nixpkgs { inherit system; };
        inherit (pkgs) lib;
        inherit (flake-utils.lib) mkApp;

        # treefmt configuration: the formatters/linters run by `nix fmt`
        # (formatter) and verified by `nix flake check` (checks.formatting).
        treefmt = treefmt-nix.lib.evalModule pkgs {
          projectRootFile = "flake.nix";
          programs = {
            deadnix.enable = true;
            nixfmt = {
              enable = true;
              package = pkgs.nixfmt-classic;
            };
            prettier.enable = true;
            shellcheck.enable = true;
            statix.enable = true;
            stylua.enable = true;
            taplo.enable = true;
          };
        };

        # Wrapper script `hm-flake-<name>` that activates the home-manager
        # configuration `<name>` of this flake. `-b bak` is home-manager's
        # backup-extension flag for files it would otherwise clobber; `set -x`
        # echoes the command being run.
        mkHomeManagerFlake = name:
          pkgs.writeShellApplication {
            name = "hm-flake-${name}";
            runtimeInputs = with pkgs; [ home-manager ];
            text = ''
              set -x
              home-manager switch --flake .#${name} -b bak
            '';
          };

        # Audits every commit reachable from HEAD (oldest first via `tac`) and
        # exits 1 if any of them lacks a GnuPG signature by the key whose full
        # fingerprint ends the grep pattern. `--raw` prints gpg's status lines
        # on stderr (merged with 2>&1); the match requires a VALIDSIG line
        # ending in that fingerprint, so a signature by any other key fails.
        # pipefail is disabled so the pipeline's status is grep's alone: a
        # non-zero exit from `git verify-commit` (it exits 1 for an expired
        # key, per the inline comment) does not by itself fail the check.
        # NOTE(review): GnuPG also emits VALIDSIG for a good signature made
        # with a revoked key (next to REVKEYSIG), so such commits would pass
        # here; if revoked keys must fail, additionally reject output that
        # contains REVKEYSIG — confirm against gpg's status-line documentation.
        # The "unsigned commit" message is also printed for commits signed by
        # a different key.
        checkGitHistory = pkgs.writeShellApplication {
          name = "check-git-history";
          runtimeInputs = with pkgs; [ git gnugrep gnupg ];
          text = ''
            set +o pipefail # `git verify-commit` exits with 1 on expired keys
            result=0
            ret=
            for h in $(git log --format=%h | tac); do
              git verify-commit --raw "$h" 2>&1 | grep -qP '^\[GNUPG:\] VALIDSIG (\S+ )+9C561D6430B28D6BDCBC9CEB73D5E7FDEE3DE49A$'
              ret=$?
              if [ $ret -ne 0 ]; then
                echo "[!] found unsigned commit: $h" >&2
                result=1
              fi
            done
            exit $result
          '';
        };

        # Installs a pre-commit hook that runs `nix flake check` (the `checks`
        # output below). The hook file is overwritten (`>`), not appended to,
        # so any existing pre-commit hook is replaced.
        setupGitHooks = pkgs.writeShellApplication {
          name = "setup-git-hooks";
          text = ''
            echo -e '#!/usr/bin/env sh\nexec nix flake check' >.git/hooks/pre-commit
            chmod +x .git/hooks/pre-commit
          '';
        };
      in {
        # nixinate's generated deploy apps, plus the helper scripts above
        # (e.g. `nix run .#check-git-history`).
        apps = (nixinate.nixinate.${system} self).nixinate // {
          maui = mkApp { drv = mkHomeManagerFlake "maui"; };
          check-git-history = mkApp { drv = checkGitHistory; };
          setup-git-hooks = mkApp { drv = setupGitHooks; };
        };

        # `nix flake check`: the treefmt formatting check plus builds of the
        # local packages and vim plugins.
        checks = {
          formatting = treefmt.config.build.check self;
        } // (import ./pkgs null pkgs)
          // (import ./pkgs/vim-plugins.nix null pkgs);

        formatter = treefmt.config.build.wrapper;

        # Dev shell: the treefmt tooling plus age/sops for editing secrets and
        # nix-tree for inspecting closures.
        devShells.default = pkgs.mkShell {
          inputsFrom = [ treefmt.config.build.devShell ];
          nativeBuildInputs = with pkgs; [ age nix-tree sops ];
        };

        packages = (import ./pkgs) null pkgs;
      }) // (let
        # Overlays applied to every nixosConfiguration and to the maui home
        # configuration: the local packages from ./pkgs and extra vim plugins.
        overlays = [
          (import ./pkgs)
          (self: super: {
            vimPlugins = super.vimPlugins
              // (import ./pkgs/vim-plugins.nix self super);
          })
        ];

        # Machines a nixosConfiguration is built for; each value is the
        # argument set passed to mkSystem (extraModules, system).
        machines = {
          back = { };
          fort = { };
          tank = { };
          trek.extraModules =
            [ nixos-hardware.nixosModules.framework-12th-gen-intel ];
          zero = { };
        };

        # Builds the NixOS system for machine `name`. Besides the shared
        # modules (sops-nix, mailserver, lix, home-manager, everything in
        # ./modules) it imports ./machines/<name>.nix and the machine's
        # extraModules.
        mkSystem = name:
          { extraModules ? [ ], system ? "x86_64-linux" }:
          nixpkgs.lib.nixosSystem {
            inherit system;
            modules = [
              sops-nix.nixosModules.sops
              simple-nixos-mailserver.nixosModules.mailserver
              lix-module.nixosModules.default
              home-manager.nixosModules.home-manager
              # who doesn't love a bit of composability
              ({ config, ... }:
                let my = import ./secrets/my.nix;
                in {
                  # Passed to every module as function arguments: the sops
                  # secrets, the private settings from ./secrets/my.nix, and
                  # the nixinate deployment target for this machine.
                  _module.args = rec {
                    inherit (config.sops) secrets;
                    inherit my;
                    nixinate = {
                      host = "${name}.${my.domain}";
                      sshUser = "christoph";
                      buildOn = "local"; # build on the deploying machine, then push
                      substituteOnTarget = true;
                    };
                  };

                  imports = [ (./machines + "/${name}.nix") ];
                  nixpkgs = { inherit overlays; };
                  networking = {
                    hostName = name;
                    # The machine's FQDN resolves to loopback on the machine itself.
                    hosts."127.0.0.1" = [ "${name}.${my.domain}" ];
                  };
                  # Secrets are decrypted with an age key derived from the
                  # host's ssh ed25519 key; keyFile is sops-nix's own age key,
                  # generated on activation if it does not exist yet.
                  sops.age = {
                    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
                    keyFile = "/var/lib/sops-nix/key.txt";
                    generateKey = true;
                  };
                })
            ] ++ (builtins.attrValues self.nixosModules) ++ extraModules;
          };
      in {
        # Standalone home-manager configuration for maui (presumably a
        # non-NixOS host, given the nixGL overlay), sharing this flake's
        # overlays and the lix module.
        homeConfigurations.maui = home-manager.lib.homeManagerConfiguration {
          pkgs = import nixpkgs {
            system = "x86_64-linux";
            overlays = overlays ++ [ nixgl.overlay ];
          };

          modules = [ ./machines/maui.nix lix-module.nixosModules.default ];
        };

        nixosConfigurations = builtins.mapAttrs mkSystem machines;
        # Also included in every mkSystem build via attrValues above.
        nixosModules = import ./modules;
      });
}