nixos-config/flake.nix

{
  description = "NixOS system configuration";

  inputs = {
    flake-utils.url = "github:numtide/flake-utils";

    nixpkgs.url = "github:nixos/nixpkgs/nixos-20.09";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";

    home-manager.url = "github:nix-community/home-manager/release-20.09";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";

    krops.url = "github:Mic92/krops";
    krops.inputs.flake-utils.follows = "flake-utils";
    krops.inputs.nixpkgs.follows = "nixpkgs";

    nixos-hardware.url = "github:nixos/nixos-hardware/master";

    nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
    nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
    nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";

    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";

    infinisilSystem.url = "github:Infinisil/system/91c5df20db68a995155218c5334db0e394185ca8";
    infinisilSystem.flake = false;
  };

  outputs =
    { self
    , flake-utils
    , home-manager
    , infinisilSystem
    , krops
    , nix-pre-commit-hooks
    , nixos-hardware
    , nixpkgs
    , nixpkgs-unstable
    , sops-nix
    }: flake-utils.lib.eachDefaultSystem
      (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        inherit (pkgs) lib;
      in
      {
        checks = {
          pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {
            src = ./.;
            hooks = {
              nixpkgs-fmt.enable = true;
            };
          };
        };

        apps = {
          deploy = lib.mapAttrs
            (hostname: machine:
              let
                inherit (krops.packages.${system}) writeCommand;
                inherit (krops) lib;
              in
              writeCommand "/bin/deploy-${hostname}" {
                target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {
                  extraOptions = [
                    # force allocation of tty to allow aborting with ^C and to show build progress
                    "-t"
                  ];
                };
                source = lib.evalSource (lib.singleton {
                  config.file = {
                    path = toString ./.;
                    useChecksum = true;
                    filters = [
                      {
                        type = "include";
                        pattern = "/machines/${hostname}/";
                      }
                      {
                        type = "exclude";
                        pattern = "/machines/*/";
                      }
                    ];
                  };
                });
                command = targetPath: ''
                  nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
                '';
              })
            self.nixosConfigurations;

          unlock = lib.mapAttrs
            (hostname: machine:
              let
                inherit (machine.config.deployment)
                  targetHost
                  unlockOverV4;
              in
              pkgs.writeShellScriptBin hostname ''
                set -exo pipefail
                # opening luks fails if gpg-agent is not unlocked yet
                pass "devices/${hostname}/luks" >/dev/null
                ssh \
                    ${lib.optionalString unlockOverV4 "-4"} \
                    -p 2222 \
                    "root@${targetHost}" \
                    "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
              '')
            self.nixosConfigurations;

          updateInputs = pkgs.writeShellScriptBin "updateInputs" ''
            set -e
            git diff --exit-code -s flake.lock || (echo "Lockfile has unstaged changes, refusing to update." >&2 && exit 1)
            git diff --cached --exit-code -s flake.lock || (echo "Lockfile has staged changes, refusing to update." >&2 && exit 1)
            nix flake update
            git diff --exit-code -s flake.lock && echo "Already up to date." && exit 0
            git commit -m "Update flake inputs" flake.lock
          '';

          showKeyFingerprint = pkgs.writeShellScriptBin "showKeyFingerprint" ''
            gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
          '';
        };

        devShell = pkgs.mkShell {
          buildInputs = (with pkgs; [
            nixpkgs-fmt
            sops
            ssh-to-pgp
          ]);

          shellHook = ''
            find ${./keys} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import
          '' + self.checks.${system}.pre-commit-check.shellHook;
        };
      }) // {
      overlay = import ./pkgs;

      nixosConfigurations = nixpkgs.lib.mapAttrs
        (hostname: { system
                   , extraModules ? [ ]
                   , targetHost ? hostname
                   , unlockOverV4 ? true
                   }: nixpkgs.lib.nixosSystem rec {
          inherit system;

          modules = [
            (./machines + "/${hostname}/configuration.nix")

            home-manager.nixosModules.home-manager
            sops-nix.nixosModules.sops

            # NIX_PATH for legacy tooling and flake registry pinning
            {
              nix = {
                nixPath = [
                  "nixpkgs=${nixpkgs}"
                ];
                registry = {
                  nixpkgs.flake = nixpkgs;
                };
              };
            }

            # overlays
            ({ config, ... }: {
              nixpkgs.overlays = [
                self.overlay
                (final: prev: {
                  unstable = import nixpkgs-unstable {
                    inherit system;
                    config = config.nixpkgs.config;
                    overlays = config.nixpkgs.overlays;
                  };
                })
              ];
            })

            # deployment settings
            ({ lib, ... }: {
              options.deployment = {
                targetHost = lib.mkOption {
                  type = lib.types.str;
                  readOnly = true;
                  internal = true;
                };
                unlockOverV4 = lib.mkOption {
                  type = lib.types.bool;
                  readOnly = true;
                  internal = true;
                  description = "Whether to unlock the host over IPv4 (only)";
                };
              };
              config.deployment = {
                inherit
                  targetHost
                  unlockOverV4;
              };
            })
          ] ++ extraModules;
        })
        (import ./machines {
          inherit
            infinisilSystem
            nixos-hardware;
        });
    };
}
Convert to flake Fixes #3. 2021-05-01 16:30:48 +02:00			`{`
			`description = "NixOS system configuration";`

			`inputs = {`
			`flake-utils.url = "github:numtide/flake-utils";`

			`nixpkgs.url = "github:nixos/nixpkgs/nixos-20.09";`
			`nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";`

			`home-manager.url = "github:nix-community/home-manager/release-20.09";`
			`home-manager.inputs.nixpkgs.follows = "nixpkgs";`

			`krops.url = "github:Mic92/krops";`
			`krops.inputs.flake-utils.follows = "flake-utils";`
			`krops.inputs.nixpkgs.follows = "nixpkgs";`

			`nixos-hardware.url = "github:nixos/nixos-hardware/master";`

			`nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";`
			`nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";`
			`nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";`

			`sops-nix.url = "github:Mic92/sops-nix";`
			`sops-nix.inputs.nixpkgs.follows = "nixpkgs";`

			`infinisilSystem.url = "github:Infinisil/system/91c5df20db68a995155218c5334db0e394185ca8";`
			`infinisilSystem.flake = false;`
			`};`

			`outputs =`
			`{ self`
			`, flake-utils`
			`, home-manager`
			`, infinisilSystem`
			`, krops`
			`, nix-pre-commit-hooks`
			`, nixos-hardware`
			`, nixpkgs`
			`, nixpkgs-unstable`
			`, sops-nix`
			`}: flake-utils.lib.eachDefaultSystem`
			`(system:`
			`let`
			`pkgs = nixpkgs.legacyPackages.${system};`
			`inherit (pkgs) lib;`
			`in`
			`{`
			`checks = {`
			`pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {`
			`src = ./.;`
			`hooks = {`
			`nixpkgs-fmt.enable = true;`
			`};`
			`};`
			`};`

			`apps = {`
			`deploy = lib.mapAttrs`
			`(hostname: machine:`
			`let`
			`inherit (krops.packages.${system}) writeCommand;`
			`inherit (krops) lib;`
			`in`
			`writeCommand "/bin/deploy-${hostname}" {`
			`target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {`
			`extraOptions = [`
			`# force allocation of tty to allow aborting with ^C and to show build progress`
			`"-t"`
			`];`
			`};`
			`source = lib.evalSource (lib.singleton {`
			`config.file = {`
			`path = toString ./.;`
			`useChecksum = true;`
			`filters = [`
			`{`
			`type = "include";`
			`pattern = "/machines/${hostname}/";`
			`}`
			`{`
			`type = "exclude";`
			`pattern = "/machines/*/";`
			`}`
			`];`
			`};`
			`});`
			`command = targetPath: ''`
			`nixos-rebuild switch --flake ${targetPath}/config -L --keep-going`
			`'';`
			`})`
			`self.nixosConfigurations;`

			`unlock = lib.mapAttrs`
			`(hostname: machine:`
			`let`
			`inherit (machine.config.deployment)`
			`targetHost`
			`unlockOverV4;`
			`in`
			`pkgs.writeShellScriptBin hostname ''`
			`set -exo pipefail`
			`# opening luks fails if gpg-agent is not unlocked yet`
			`pass "devices/${hostname}/luks" >/dev/null`
			`ssh \`
			`${lib.optionalString unlockOverV4 "-4"} \`
			`-p 2222 \`
			`"root@${targetHost}" \`
			`"cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")`
			`'')`
			`self.nixosConfigurations;`

			`updateInputs = pkgs.writeShellScriptBin "updateInputs" ''`
			`set -e`
			`git diff --exit-code -s flake.lock \|\| (echo "Lockfile has unstaged changes, refusing to update." >&2 && exit 1)`
			`git diff --cached --exit-code -s flake.lock \|\| (echo "Lockfile has staged changes, refusing to update." >&2 && exit 1)`
			`nix flake update`
			`git diff --exit-code -s flake.lock && echo "Already up to date." && exit 0`
			`git commit -m "Update flake inputs" flake.lock`
			`'';`

			`showKeyFingerprint = pkgs.writeShellScriptBin "showKeyFingerprint" ''`
			`gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" \| awk -F: '$1 == "fpr" { print $10; exit }'`
			`'';`
			`};`

			`devShell = pkgs.mkShell {`
			`buildInputs = (with pkgs; [`
			`nixpkgs-fmt`
			`sops`
			`ssh-to-pgp`
			`]);`

			`shellHook = ''`
			`find ${./keys} -type f -print0 \| xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import`
			`'' + self.checks.${system}.pre-commit-check.shellHook;`
			`};`
			`}) // {`
			`overlay = import ./pkgs;`

			`nixosConfigurations = nixpkgs.lib.mapAttrs`
			`(hostname: { system`
			`, extraModules ? [ ]`
			`, targetHost ? hostname`
			`, unlockOverV4 ? true`
			`}: nixpkgs.lib.nixosSystem rec {`
			`inherit system;`

			`modules = [`
			`(./machines + "/${hostname}/configuration.nix")`

			`home-manager.nixosModules.home-manager`
			`sops-nix.nixosModules.sops`

			`# NIX_PATH for legacy tooling and flake registry pinning`
			`{`
			`nix = {`
			`nixPath = [`
			`"nixpkgs=${nixpkgs}"`
			`];`
			`registry = {`
			`nixpkgs.flake = nixpkgs;`
			`};`
			`};`
			`}`

			`# overlays`
			`({ config, ... }: {`
			`nixpkgs.overlays = [`
			`self.overlay`
			`(final: prev: {`
			`unstable = import nixpkgs-unstable {`
			`inherit system;`
			`config = config.nixpkgs.config;`
			`overlays = config.nixpkgs.overlays;`
			`};`
			`})`
			`];`
			`})`

			`# deployment settings`
			`({ lib, ... }: {`
			`options.deployment = {`
			`targetHost = lib.mkOption {`
			`type = lib.types.str;`
			`readOnly = true;`
			`internal = true;`
			`};`
			`unlockOverV4 = lib.mkOption {`
			`type = lib.types.bool;`
			`readOnly = true;`
			`internal = true;`
			`description = "Whether to unlock the host over IPv4 (only)";`
			`};`
			`};`
			`config.deployment = {`
			`inherit`
			`targetHost`
			`unlockOverV4;`
			`};`
			`})`
			`] ++ extraModules;`
			`})`
			`(import ./machines {`
			`inherit`
			`infinisilSystem`
			`nixos-hardware;`
			`});`
			`};`
			`}`