Convert to flake

Fixes #3.
pull/52/head
Simon Bruder 2021-05-01 16:30:48 +02:00
parent af036e88db
commit 400b55a293
Signed by: simon
GPG Key ID: 8D3C82F9F309F8EC
16 changed files with 441 additions and 417 deletions

7
.envrc

@ -1 +1,6 @@
use nix
use_flake() {
watch_file flake.nix
watch_file flake.lock
eval "$(nix print-dev-env)"
}
use flake
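Review bot: `eval "$(nix print-dev-env)"` executes the devShell's `shellHook` on every direnv reload, and because of `watch_file flake.nix` that reload also fires whenever flake.nix changes on the checked-out branch — without a fresh `direnv allow`, as far as I recall, since direnv ties the allow to the .envrc hash only. In this repository that hook (defined in flake.nix, outside this hunk) imports everything under `keys/` into the user's GPG keyring and installs pre-commit hooks, so the side effect is worth stating where direnv users will see it: `# NOTE: loading the dev shell runs its shellHook (imports keys/ into ~/.gnupg, installs git hooks)`.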


@ -1,63 +0,0 @@
let
sources = import ./nix/sources.nix;
krops = sources.krops;
lib = import "${krops}/lib";
kropsPkgs = import "${krops}/pkgs" { };
kropsDeploy =
{ hostname
, target ? null
, extraSources ? { }
}:
let
source = lib.evalSource [
{
nixpkgs.git = {
ref = sources.nixpkgs.rev;
url = https://github.com/NixOS/nixpkgs;
shallow = true;
};
nixos-hardware.git = {
ref = sources.nixos-hardware.rev;
url = https://github.com/NixOS/nixos-hardware;
};
config.file = {
path = toString ./.;
filters = [
{
type = "exclude";
pattern = ".git";
}
{
type = "exclude";
pattern = "*.qcow2";
}
{
type = "include";
pattern = "/machines/${hostname}/";
}
{
type = "exclude";
pattern = "/machines/*/";
}
];
};
nixos-config.symlink = "config/machines/${hostname}/configuration.nix";
}
extraSources
];
in
kropsPkgs.krops.writeDeploy "deploy-${hostname}" {
source = source;
target = lib.mkTarget target // {
extraOptions = [
# force allocation of tty to allow aborting with ^C and to show build progress
"-t"
];
};
};
in
lib.mapAttrs
(hostname: configuration: kropsDeploy ({ inherit hostname; } // configuration))
(import ./machines)

187
flake.lock Normal file

@ -0,0 +1,187 @@
{
"nodes": {
"flake-utils": {
"locked": {
"lastModified": 1619345332,
"narHash": "sha256-qHnQkEp1uklKTpx3MvKtY6xzgcqXDsz5nLilbbuL+3A=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "2ebf2558e5bf978c7fb8ea927dfaed8fefab2e28",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1617824794,
"narHash": "sha256-UGkvzx0nIXHhNq/KwJLjXvKAQRE2V33MuX+UirvqrkQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2aa20ae969f2597c4df10a094440a66e9d7f8c86",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-20.09",
"repo": "home-manager",
"type": "github"
}
},
"infinisilSystem": {
"flake": false,
"locked": {
"lastModified": 1588451792,
"narHash": "sha256-+2ovLk3z1kKKmLTLraNfyCHPPK8X5dQV1jQDRatJn+I=",
"owner": "Infinisil",
"repo": "system",
"rev": "91c5df20db68a995155218c5334db0e394185ca8",
"type": "github"
},
"original": {
"owner": "Infinisil",
"repo": "system",
"rev": "91c5df20db68a995155218c5334db0e394185ca8",
"type": "github"
}
},
"krops": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1597485541,
"narHash": "sha256-+fqI9qh7zpC2WxinFZlaiDsbvMb/IJxFIiGfdA/xLps=",
"owner": "Mic92",
"repo": "krops",
"rev": "c3a1ffab03e8cfbb7ff532bdfa10b26b3dc76911",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "krops",
"type": "github"
}
},
"nix-pre-commit-hooks": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1619771587,
"narHash": "sha256-ICgBLhEygiLu524Xn8wnpFT547hInf2Zqpq0M59CBp4=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "f3fec488b5efed9104742811862e434e8f992dc9",
"type": "github"
},
"original": {
"owner": "cachix",
"ref": "master",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1619336929,
"narHash": "sha256-joIC2D26jtSbHodR/o8r+5T9XL2hXs6NIp5mVyA4JOc=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "f7540d6c27704ec0fe56ecc8b2a9b663181850b0",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1619792299,
"narHash": "sha256-hpg6wU0QLcNXj5/Nj8NT4p97R9SUGR8RBwjYNsMSKng=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "be58d0fbaa401922a090735edfc08442aed69b47",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-20.09",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1619464443,
"narHash": "sha256-R7WAb8EnkIJxxaF6GTHUPytjonhB4Zm0iatyWoW169A=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8e4fe32876ca15e3d5eb3ecd3ca0b224417f5f17",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"infinisilSystem": "infinisilSystem",
"krops": "krops",
"nix-pre-commit-hooks": "nix-pre-commit-hooks",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1618840526,
"narHash": "sha256-3VAac44xE+kO8o7BQXLqHrAMUQT+XqIK8BcLkEEDwOA=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "4f384662a85804fa2bc1bc1f99e70bb468e76f88",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

209
flake.nix Normal file

@ -0,0 +1,209 @@
{
description = "NixOS system configuration";
inputs = {
flake-utils.url = "github:numtide/flake-utils";
nixpkgs.url = "github:nixos/nixpkgs/nixos-20.09";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
home-manager.url = "github:nix-community/home-manager/release-20.09";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
krops.url = "github:Mic92/krops";
krops.inputs.flake-utils.follows = "flake-utils";
krops.inputs.nixpkgs.follows = "nixpkgs";
nixos-hardware.url = "github:nixos/nixos-hardware/master";
nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
infinisilSystem.url = "github:Infinisil/system/91c5df20db68a995155218c5334db0e394185ca8";
infinisilSystem.flake = false;
};
outputs =
{ self
, flake-utils
, home-manager
, infinisilSystem
, krops
, nix-pre-commit-hooks
, nixos-hardware
, nixpkgs
, nixpkgs-unstable
, sops-nix
}: flake-utils.lib.eachDefaultSystem
(system:
let
pkgs = nixpkgs.legacyPackages.${system};
inherit (pkgs) lib;
in
{
checks = {
pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixpkgs-fmt.enable = true;
};
};
};
apps = {
deploy = lib.mapAttrs
(hostname: machine:
let
inherit (krops.packages.${system}) writeCommand;
inherit (krops) lib;
in
writeCommand "/bin/deploy-${hostname}" {
target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {
extraOptions = [
# force allocation of tty to allow aborting with ^C and to show build progress
"-t"
];
};
source = lib.evalSource (lib.singleton {
config.file = {
path = toString ./.;
useChecksum = true;
filters = [
{
type = "include";
pattern = "/machines/${hostname}/";
}
{
type = "exclude";
pattern = "/machines/*/";
}
];
};
});
command = targetPath: ''
nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
'';
})
self.nixosConfigurations;
unlock = lib.mapAttrs
(hostname: machine:
let
inherit (machine.config.deployment)
targetHost
unlockOverV4;
in
pkgs.writeShellScriptBin hostname ''
set -exo pipefail
# opening luks fails if gpg-agent is not unlocked yet
pass "devices/${hostname}/luks" >/dev/null
ssh \
${lib.optionalString unlockOverV4 "-4"} \
-p 2222 \
"root@${targetHost}" \
"cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
'')
self.nixosConfigurations;
updateInputs = pkgs.writeShellScriptBin "updateInputs" ''
set -e
git diff --exit-code -s flake.lock || (echo "Lockfile has unstaged changes, refusing to update." >&2 && exit 1)
git diff --cached --exit-code -s flake.lock || (echo "Lockfile has staged changes, refusing to update." >&2 && exit 1)
nix flake update
git diff --exit-code -s flake.lock && echo "Already up to date." && exit 0
git commit -m "Update flake inputs" flake.lock
'';
showKeyFingerprint = pkgs.writeShellScriptBin "showKeyFingerprint" ''
gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
'';
};
devShell = pkgs.mkShell {
buildInputs = (with pkgs; [
nixpkgs-fmt
sops
ssh-to-pgp
]);
shellHook = ''
find ${./keys} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import
'' + self.checks.${system}.pre-commit-check.shellHook;
};
}) // {
overlay = import ./pkgs;
nixosConfigurations = nixpkgs.lib.mapAttrs
(hostname: { system
, extraModules ? [ ]
, targetHost ? hostname
, unlockOverV4 ? true
}: nixpkgs.lib.nixosSystem rec {
inherit system;
modules = [
(./machines + "/${hostname}/configuration.nix")
home-manager.nixosModules.home-manager
sops-nix.nixosModules.sops
# NIX_PATH for legacy tooling and flake registry pinning
{
nix = {
nixPath = [
"nixpkgs=${nixpkgs}"
];
registry = {
nixpkgs.flake = nixpkgs;
};
};
}
# overlays
({ config, ... }: {
nixpkgs.overlays = [
self.overlay
(final: prev: {
unstable = import nixpkgs-unstable {
inherit system;
config = config.nixpkgs.config;
overlays = config.nixpkgs.overlays;
};
})
];
})
# deployment settings
({ lib, ... }: {
options.deployment = {
targetHost = lib.mkOption {
type = lib.types.str;
readOnly = true;
internal = true;
};
unlockOverV4 = lib.mkOption {
type = lib.types.bool;
readOnly = true;
internal = true;
description = "Whether to unlock the host over IPv4 (only)";
};
};
config.deployment = {
inherit
targetHost
unlockOverV4;
};
})
] ++ extraModules;
})
(import ./machines {
inherit
infinisilSystem
nixos-hardware;
});
};
}
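Review bot: The `unlock` script runs with `set -exo pipefail`, i.e. command tracing enabled while it handles the LUKS passphrase; today the secret only travels through the `<(pass ...)` process substitution, so the trace shows a `/dev/fd/N` path rather than the value, but any later edit that captures it in a variable or a pipe would echo it to the terminal and to whatever records the session. The pre-flake version in shell.nix used `set -eo pipefail`; I would restore that (`set -eo pipefail`) rather than keep `-x` in a secret-handling script. Note also that neither `-e` nor `pipefail` covers a failure inside `<(...)`: if `pass` fails there, ssh reads EOF and writes an empty passphrase to `/crypt-ramfs/passphrase`, so the preceding `pass "devices/${hostname}/luks" >/dev/null` is the real guard and its comment should say so, e.g. `# pre-flight: abort if pass/gpg-agent cannot yield the passphrase; a failure inside <(...) below is not caught by set -e`.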


@ -1,24 +1,40 @@
{ infinisilSystem
, nixos-hardware
}:
let
sources = import ../nix/sources.nix;
pkgs = import sources.nixpkgs { };
lib = pkgs.lib;
hardware = nixos-hardware.nixosModules;
in
lib.mapAttrs
(hostname: options: {
inherit hostname;
target =
if lib.hasAttr "target" options
then options.target
else "root@${hostname}";
})
{
nunotaba = { };
sayuri = { };
nunotaba = {
system = "x86_64-linux";
extraModules = [
hardware.common-cpu-intel
hardware.common-pc-ssd
];
};
sayuri = {
system = "x86_64-linux";
extraModules = [
hardware.common-cpu-intel
hardware.common-pc-ssd
];
};
vueko = {
target = "root@vueko.sbruder.de";
system = "x86_64-linux";
extraModules = [
"${infinisilSystem}/config/new-modules/murmur.nix"
];
targetHost = "vueko.sbruder.de";
};
fuuko = {
target = "root@fuuko.home.sbruder.de";
system = "x86_64-linux";
extraModules = [
hardware.common-cpu-intel
hardware.common-pc-ssd
];
targetHost = "fuuko.home.sbruder.de";
unlockOverV4 = false; # gets slaac ipv6 address from router
};
}
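Review bot: The pair `hardware.common-cpu-intel` / `hardware.common-pc-ssd` is repeated verbatim for nunotaba, sayuri and fuuko; hoisting it next to `hardware` in the `let` — `intelSsd = [ hardware.common-cpu-intel hardware.common-pc-ssd ];` — and writing `extraModules = intelSsd;` keeps the three entries in step when a module is added or dropped. Separately, nunotaba and sayuri get no `targetHost`, and the default `targetHost ? hostname` applied in flake.nix means they are deployed as `root@nunotaba`, which silently depends on the local resolver search domain or ssh_config; a comment such as `# no targetHost: reached as root@<hostname>, relies on local DNS/ssh_config` would make that assumption visible.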


@ -4,8 +4,6 @@
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
<nixos-hardware/common/cpu/intel>
<nixos-hardware/common/pc/ssd>
];
boot = {


@ -3,8 +3,6 @@
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
<nixos-hardware/common/cpu/intel>
<nixos-hardware/common/pc/ssd>
];
boot = {


@ -3,8 +3,6 @@
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
<nixos-hardware/common/cpu/intel>
<nixos-hardware/common/pc/ssd>
];
boot = {


@ -1,12 +1,5 @@
{ config, lib, pkgs, ... }:
let
# any nixpkgs fetcher fails with infinite recursion when importing a module
# from it
infinisilSystem = fetchTarball {
url = "https://github.com/Infinisil/system/archive/91c5df20db68a995155218c5334db0e394185ca8.tar.gz";
sha256 = "1qlz96mla0rlsqax9r8pmwycy8f8byisvjxlk2545mpk9lp2yspv";
};
in
{
imports = [
./hardware-configuration.nix
@ -14,8 +7,6 @@ in
./services/coturn.nix
./services/element-web.nix
"${infinisilSystem}/config/new-modules/murmur.nix"
];
sbruder = {


@ -44,8 +44,6 @@
./udev.nix
./unfree.nix
./wireguard
"${(import ../nix/sources.nix).sops-nix}/modules/sops"
];
config = lib.mkMerge [


@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }:
let
# Taken from https://nixos.wiki/wiki/Overlays
# Adapted from https://nixos.wiki/wiki/Overlays
overlaysCompat = pkgs.writeTextFile {
name = "overlays-compat";
destination = "/overlays.nix";
@ -9,7 +9,10 @@ let
with super.lib;
let
# Load the system config and get the `nixpkgs.overlays` option
overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;
# This fails gracefully if getFlake is not available
overlays = if builtins.hasAttr "getFlake" builtins
then (builtins.getFlake "/var/src/config").nixosConfigurations.${config.networking.hostName}.config.nixpkgs.overlays
else [ ];
in
# Apply all overlays to the input of the current "main" overlay
foldl' (flip extends) (_: super) overlays self
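Review bot: The comment `This fails gracefully if getFlake is not available` oversells the fallback: only a missing `builtins.getFlake` yields `[ ]`, whereas a missing or stale `/var/src/config`, or one whose `nixosConfigurations` lacks the baked-in `config.networking.hostName`, makes the `getFlake` call throw and every legacy `nix-shell`/`nix-build` that resolves `<nixpkgs-overlays>` aborts — the same failure mode the removed deploy script in shell.nix had to strip from NIX_PATH. A cheap extra guard is `if builtins.hasAttr "getFlake" builtins && builtins.pathExists "/var/src/config/flake.nix"`, and the comment should say what remains unguarded: `# Falls back to no overlays only when getFlake is missing or /var/src/config is absent; a config that no longer evaluates still aborts`. The enclosing `overlaysCompat` writeTextFile starts before this hunk.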
@ -28,8 +31,6 @@ in
package = pkgs.nixUnstable;
nixPath = [
"/var/src" # pinned nixpkgs and configuration
"nixpkgs=/var/src/nixpkgs" # for nix run
"nixpkgs-overlays=${overlaysCompat}"
];
# Make sudoers trusted nix users
@ -60,14 +61,4 @@ in
daemonNiceLevel = 10;
daemonIONiceLevel = 5; # 0-7
};
nixpkgs.overlays = [
(import ../pkgs)
(final: prev: {
unstable = import (import ../nix/sources.nix).nixpkgs-unstable {
config = config.nixpkgs.config;
overlays = config.nixpkgs.overlays;
};
})
];
}


@ -1,86 +0,0 @@
{
"home-manager": {
"branch": "release-20.09",
"description": "Manage a user environment using Nix [maintainer=@rycee] ",
"homepage": "https://nix-community.github.io/home-manager/",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2aa20ae969f2597c4df10a094440a66e9d7f8c86",
"sha256": "0i5fxaxqm53zp767smrn250q1wjywf9c1jmg6vhp28973p7jysah",
"type": "tarball",
"url": "https://github.com/nix-community/home-manager/archive/2aa20ae969f2597c4df10a094440a66e9d7f8c86.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"krops": {
"branch": "master",
"description": "Mirror of https://cgit.krebsco.de/krops/about/ (PRs / issues accepted, as can be seen by not having them disabled)",
"homepage": "",
"owner": "krebs",
"repo": "krops",
"rev": "cccebf3ff7a53336b3f106cb96dddd5892d427ed",
"sha256": "07mg3iaqjf1w49vmwfchi7b1w55bh7rvsbgicp2m47gnj9alwdb6",
"type": "tarball",
"url": "https://github.com/krebs/krops/archive/cccebf3ff7a53336b3f106cb96dddd5892d427ed.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixos-hardware": {
"branch": "master",
"description": "A collection of NixOS modules covering hardware quirks.",
"homepage": "",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "f7540d6c27704ec0fe56ecc8b2a9b663181850b0",
"sha256": "1rr470h5frly4a6wwpm1pmfgv57v5f7zwlc73sdx93ms7pc050lf",
"type": "tarball",
"url": "https://github.com/nixos/nixos-hardware/archive/f7540d6c27704ec0fe56ecc8b2a9b663181850b0.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs": {
"branch": "nixos-20.09",
"description": "Nix Packages collection",
"homepage": "",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "17b101e29dfff7ae02cdd00e8cde243d2a56472d",
"sha256": "142lbns0qxl9c6gz035c07v9gpsfd29absqvpd539iz898bdlc48",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/17b101e29dfff7ae02cdd00e8cde243d2a56472d.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs-unstable": {
"branch": "nixos-unstable",
"description": "Nix Packages collection",
"homepage": "",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8e4fe32876ca15e3d5eb3ecd3ca0b224417f5f17",
"sha256": "1l7bnn2mlwmbi6s9kqa1g2i66arzshqijym1qmqq5417q5pq1da7",
"type": "tarball",
"url": "https://github.com/nixos/nixpkgs/archive/8e4fe32876ca15e3d5eb3ecd3ca0b224417f5f17.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"pre-commit-hooks.nix": {
"branch": "master",
"description": "Seamless integration of https://pre-commit.com git hooks with Nix.",
"homepage": "",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "2d169bb1b23f3b71a894a66ea81f45c788943248",
"sha256": "1iyvi56rzszwizq0ymf1x262yhjwzk8k77qahb65fcync99jha2a",
"type": "tarball",
"url": "https://github.com/cachix/pre-commit-hooks.nix/archive/2d169bb1b23f3b71a894a66ea81f45c788943248.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"sops-nix": {
"branch": "master",
"description": "Atomic secret provisioning for NixOS based on sops",
"homepage": "",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "4f384662a85804fa2bc1bc1f99e70bb468e76f88",
"sha256": "1q600d0r02qpy05a4ppy0i8hrc0yx9r43hcfy87fj4riirrill6x",
"type": "tarball",
"url": "https://github.com/Mic92/sops-nix/archive/4f384662a85804fa2bc1bc1f99e70bb468e76f88.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}
}


@ -1,149 +0,0 @@
# This file has been generated by Niv.
let
#
# The fetchers. fetch_<type> fetches specs of type <type>.
#
fetch_file = pkgs: spec:
if spec.builtin or true then
builtins_fetchurl { inherit (spec) url sha256; }
else
pkgs.fetchurl { inherit (spec) url sha256; };
fetch_tarball = pkgs: name: spec:
let
ok = str: ! builtins.isNull (builtins.match "[a-zA-Z0-9+-._?=]" str);
# sanitize the name, though nix will still fail if name starts with period
name' = stringAsChars (x: if ! ok x then "-" else x) "${name}-src";
in
if spec.builtin or true then
builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
else
pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
fetch_git = spec:
builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; };
fetch_local = spec: spec.path;
fetch_builtin-tarball = name: throw
''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=tarball -a builtin=true'';
fetch_builtin-url = name: throw
''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=file -a builtin=true'';
#
# Various helpers
#
# The set of packages used when specs are fetched using non-builtins.
mkPkgs = sources:
let
sourcesNixpkgs =
import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { };
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
in
if builtins.hasAttr "nixpkgs" sources
then sourcesNixpkgs
else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
import <nixpkgs> { }
else
abort
''
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
add a package called "nixpkgs" to your sources.json.
'';
# The actual fetching function.
fetch = pkgs: name: spec:
if ! builtins.hasAttr "type" spec then
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
else if spec.type == "file" then fetch_file pkgs spec
else if spec.type == "tarball" then fetch_tarball pkgs name spec
else if spec.type == "git" then fetch_git spec
else if spec.type == "local" then fetch_local spec
else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
else if spec.type == "builtin-url" then fetch_builtin-url name
else
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
# If the environment variable NIV_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
replace = name: drv:
let
saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
in
if ersatz == "" then drv else ersatz;
# Ports of functions for older nix versions
# a Nix version of mapAttrs if the built-in doesn't exist
mapAttrs = builtins.mapAttrs or (
f: set: with builtins;
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatStrings = builtins.concatStringsSep "";
# fetchTarball version that is compatible between all the versions of Nix
builtins_fetchTarball = { url, name, sha256 }@attrs:
let
inherit (builtins) lessThan nixVersion fetchTarball;
in
if lessThan nixVersion "1.12" then
fetchTarball { inherit name url; }
else
fetchTarball attrs;
# fetchurl version that is compatible between all the versions of Nix
builtins_fetchurl = { url, sha256 }@attrs:
let
inherit (builtins) lessThan nixVersion fetchurl;
in
if lessThan nixVersion "1.12" then
fetchurl { inherit url; }
else
fetchurl attrs;
# Create the final "sources" from the config
mkSources = config:
mapAttrs
(
name: spec:
if builtins.hasAttr "outPath" spec
then
abort
"The values in sources.json should not have an 'outPath' attribute"
else
spec // { outPath = replace name (fetch config.pkgs name spec); }
)
config.sources;
# The "config" used by the fetchers
mkConfig =
{ sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
, sources ? if isNull sourcesFile then { } else builtins.fromJSON (builtins.readFile sourcesFile)
, pkgs ? mkPkgs sources
}: rec {
# The sources, i.e. the attribute set of spec name to spec
inherit sources;
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
inherit pkgs;
};
in
mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }


@ -1,3 +1,3 @@
# This allows using nix cli tools to build a package from the overlay without running nixos-rebuild:
# nix run -I nixpkgs-overlays=./pkgs/overlays.nix nixpkgs.overlay-pkg
# nix-run -I nixpkgs-overlays=./pkgs/overlays.nix -p overlay-pkg
[ (import ./default.nix) ]
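Review bot: `nix-run` in the new comment line is not a Nix command — the legacy CLI is `nix-shell` and the flake-era CLI is `nix run` — so the documented invocation cannot be pasted as written. Given the `-p overlay-pkg` argument the intended line is presumably `# nix-shell -I nixpkgs-overlays=./pkgs/overlays.nix -p overlay-pkg`. I am reading the second of the two comment lines as the added one, as the old-then-new print order suggests.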


@ -1,65 +0,0 @@
let
sources = import ./nix/sources.nix;
pkgs = import sources.nixpkgs { };
nix-pre-commit-hooks = import sources."pre-commit-hooks.nix";
pre-commit-check = nix-pre-commit-hooks.run {
src = ./.;
hooks = {
nixpkgs-fmt.enable = true;
};
};
scripts = {
update-sources = ''
set -e
git diff --exit-code -s nix/sources.json || (echo "File nix/sources.json has unstaged changes, refusing to update." >&2 && exit 1)
git diff --cached --exit-code -s nix/sources.json || (echo "File nix/sources.json has staged changes, refusing to update." >&2 && exit 1)
niv update
git diff --exit-code -s nix/sources.json && echo "Already up to date." && exit 0
git commit -m "Update sources" nix/sources.json
'';
deploy = ''
set -e
# If a deployment to localhost introduces an evaluation error, future
# deployments will fail since the overlay compat cant parse the
# configuration. Overlays arent needed to build the krops deploy script.
export NIX_PATH="$(sed 's/:nixpkgs-overlays=[^:]*//' <<< "$NIX_PATH")"
$(nix-build --no-out-link deploy.nix -A "$1")
'';
unlock = ''
set -eo pipefail
machine="$1"
hostname="$(nix-instantiate --eval --json machines -A "$1".target | ${pkgs.jq}/bin/jq -r . | cut -d@ -f2)"
# opening luks fails if gpg-agent is not unlocked yet
pass "devices/$machine/luks" >/dev/null
ssh \
-4 \
-p 2222 \
"root@$hostname" \
"cat > /crypt-ramfs/passphrase" < <(pass "devices/$machine/luks")
'';
show-key-fingerprint = ''
gpg --with-fingerprint --with-colons --show-key "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
'';
};
in
pkgs.mkShell {
buildInputs = (with pkgs; [
git
niv
nixpkgs-fmt
sops
ssh-to-pgp
]) ++ (pkgs.lib.mapAttrsToList pkgs.writeShellScriptBin scripts);
shellHook = ''
${pre-commit-check.shellHook}
find ${./. + "/keys"} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import
'';
}


@ -1,9 +1,5 @@
{ config, options, pkgs, ... }:
{
imports = [
(import "${(import ../../nix/sources.nix).home-manager}/nixos")
];
users.users.simon = {
isNormalUser = true;
extraGroups = [