From 400b55a293bbfee0b1beb0e7bd637961b30b3d92 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 1 May 2021 16:30:48 +0200
Subject: [PATCH] Convert to flake
Fixes #3.
---
 .envrc | 7 +-
 deploy.nix | 63 ------
 flake.lock | 187 +++++++++++++++++
 flake.nix | 209 +++++++++++++++++++
 machines/default.nix | 48 +++--
 machines/fuuko/hardware-configuration.nix | 2 -
 machines/nunotaba/hardware-configuration.nix | 2 -
 machines/sayuri/hardware-configuration.nix | 2 -
 machines/vueko/configuration.nix | 11 +-
 modules/default.nix | 2 -
 modules/nix.nix | 19 +-
 nix/sources.json | 86 --------
 nix/sources.nix | 149 -------------
 pkgs/overlays.nix | 2 +-
 shell.nix | 65 ------
 users/simon/default.nix | 4 -
 16 files changed, 441 insertions(+), 417 deletions(-)
 delete mode 100644 deploy.nix
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 delete mode 100644 nix/sources.json
 delete mode 100644 nix/sources.nix
 delete mode 100644 shell.nix
diff --git a/.envrc b/.envrc
index 1d953f4..7c7e899 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,6 @@
-use nix
+use_flake() {
+ watch_file flake.nix
+ watch_file flake.lock
+ eval "$(nix print-dev-env)"
+}
+use flake
diff --git a/deploy.nix b/deploy.nix
deleted file mode 100644
index 2cb74d2..0000000
--- a/deploy.nix
+++ /dev/null
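Review bot: `eval "$(nix print-dev-env)"` in the new `use_flake` has no failure path — when `nix print-dev-env` fails the substitution is empty, `eval ""` succeeds, and direnv reports the environment as loaded with nothing in it. Capture the output first so the error surfaces: `local env; env="$(nix print-dev-env)" || return 1; eval "$env"`. Note also that `watch_file flake.nix` triggers a reload on every flake change while direnv's `allow` approval covers only .envrc, so a pulled change to the flake's shellHook runs without re-approval; that is standard direnv behaviour, but a one-line comment above the function would make it explicit for other users of the repo. Newer direnv releases ship a `use_flake` in their stdlib, which this local definition will shadow once present.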
@@ -1,63 +0,0 @@ -let - sources = import ./nix/sources.nix; - - krops = sources.krops; - lib = import "${krops}/lib"; - kropsPkgs = import "${krops}/pkgs" { }; - - kropsDeploy = - { hostname - , target ? null - , extraSources ? { } - }: - let - source = lib.evalSource [ - { - nixpkgs.git = { - ref = sources.nixpkgs.rev; - url = https://github.com/NixOS/nixpkgs; - shallow = true; - }; - nixos-hardware.git = { - ref = sources.nixos-hardware.rev; - url = https://github.com/NixOS/nixos-hardware; - }; - config.file = { - path = toString ./.; - filters = [ - { - type = "exclude"; - pattern = ".git"; - } - { - type = "exclude"; - pattern = "*.qcow2"; - } - { - type = "include"; - pattern = "/machines/${hostname}/"; - } - { - type = "exclude"; - pattern = "/machines/*/"; - } - ]; - }; - nixos-config.symlink = "config/machines/${hostname}/configuration.nix"; - } - extraSources - ]; - in - kropsPkgs.krops.writeDeploy "deploy-${hostname}" { - source = source; - target = lib.mkTarget target // { - extraOptions = [ - # force allocation of tty to allow aborting with ^C and to show build progress - "-t" - ]; - }; - }; -in -lib.mapAttrs - (hostname: configuration: kropsDeploy ({ inherit hostname; } // configuration)) - (import ./machines) diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..e25de31 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,187 @@ +{ + "nodes": { + "flake-utils": { + "locked": { + "lastModified": 1619345332, + "narHash": "sha256-qHnQkEp1uklKTpx3MvKtY6xzgcqXDsz5nLilbbuL+3A=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "2ebf2558e5bf978c7fb8ea927dfaed8fefab2e28", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1617824794, + "narHash": "sha256-UGkvzx0nIXHhNq/KwJLjXvKAQRE2V33MuX+UirvqrkQ=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "2aa20ae969f2597c4df10a094440a66e9d7f8c86", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-20.09", + "repo": "home-manager", + "type": "github" + } + }, + "infinisilSystem": { + "flake": false, + "locked": { + "lastModified": 1588451792, + "narHash": "sha256-+2ovLk3z1kKKmLTLraNfyCHPPK8X5dQV1jQDRatJn+I=", + "owner": "Infinisil", + "repo": "system", + "rev": "91c5df20db68a995155218c5334db0e394185ca8", + "type": "github" + }, + "original": { + "owner": "Infinisil", + "repo": "system", + "rev": "91c5df20db68a995155218c5334db0e394185ca8", + "type": "github" + } + }, + "krops": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1597485541, + "narHash": "sha256-+fqI9qh7zpC2WxinFZlaiDsbvMb/IJxFIiGfdA/xLps=", + "owner": "Mic92", + "repo": "krops", + "rev": "c3a1ffab03e8cfbb7ff532bdfa10b26b3dc76911", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "krops", + "type": "github" + } + }, + "nix-pre-commit-hooks": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1619771587, + "narHash": "sha256-ICgBLhEygiLu524Xn8wnpFT547hInf2Zqpq0M59CBp4=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "f3fec488b5efed9104742811862e434e8f992dc9", + "type": 
"github" + }, + "original": { + "owner": "cachix", + "ref": "master", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1619336929, + "narHash": "sha256-joIC2D26jtSbHodR/o8r+5T9XL2hXs6NIp5mVyA4JOc=", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "f7540d6c27704ec0fe56ecc8b2a9b663181850b0", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1619792299, + "narHash": "sha256-hpg6wU0QLcNXj5/Nj8NT4p97R9SUGR8RBwjYNsMSKng=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "be58d0fbaa401922a090735edfc08442aed69b47", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-20.09", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1619464443, + "narHash": "sha256-R7WAb8EnkIJxxaF6GTHUPytjonhB4Zm0iatyWoW169A=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "8e4fe32876ca15e3d5eb3ecd3ca0b224417f5f17", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "home-manager": "home-manager", + "infinisilSystem": "infinisilSystem", + "krops": "krops", + "nix-pre-commit-hooks": "nix-pre-commit-hooks", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1618840526, + "narHash": "sha256-3VAac44xE+kO8o7BQXLqHrAMUQT+XqIK8BcLkEEDwOA=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "4f384662a85804fa2bc1bc1f99e70bb468e76f88", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} 
diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..66fdfe0 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,209 @@ +{ + description = "NixOS system configuration"; + + inputs = { + flake-utils.url = "github:numtide/flake-utils"; + + nixpkgs.url = "github:nixos/nixpkgs/nixos-20.09"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + home-manager.url = "github:nix-community/home-manager/release-20.09"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + krops.url = "github:Mic92/krops"; + krops.inputs.flake-utils.follows = "flake-utils"; + krops.inputs.nixpkgs.follows = "nixpkgs"; + + nixos-hardware.url = "github:nixos/nixos-hardware/master"; + + nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master"; + nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; + nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; + + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + + infinisilSystem.url = "github:Infinisil/system/91c5df20db68a995155218c5334db0e394185ca8"; + infinisilSystem.flake = false; + }; + + outputs = + { self + , flake-utils + , home-manager + , infinisilSystem + , krops + , nix-pre-commit-hooks + , nixos-hardware + , nixpkgs + , nixpkgs-unstable + , sops-nix + }: flake-utils.lib.eachDefaultSystem + (system: + let + pkgs = nixpkgs.legacyPackages.${system}; + inherit (pkgs) lib; + in + { + checks = { + pre-commit-check = nix-pre-commit-hooks.lib.${system}.run { + src = ./.; + hooks = { + nixpkgs-fmt.enable = true; + }; + }; + }; + + apps = { + deploy = lib.mapAttrs + (hostname: machine: + let + inherit (krops.packages.${system}) writeCommand; + inherit (krops) lib; + in + writeCommand "/bin/deploy-${hostname}" { + target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // { + extraOptions = [ + # force allocation of tty to allow aborting with ^C and to show build progress + "-t" + ]; + }; + source = lib.evalSource (lib.singleton { + config.file = { + path = toString ./.; + useChecksum = true; + filters = [ + { + type = "include"; + pattern = 
"/machines/${hostname}/"; + } + { + type = "exclude"; + pattern = "/machines/*/"; + } + ]; + }; + }); + command = targetPath: '' + nixos-rebuild switch --flake ${targetPath}/config -L --keep-going + ''; + }) + self.nixosConfigurations; + + unlock = lib.mapAttrs + (hostname: machine: + let + inherit (machine.config.deployment) + targetHost + unlockOverV4; + in + pkgs.writeShellScriptBin hostname '' + set -exo pipefail + # opening luks fails if gpg-agent is not unlocked yet + pass "devices/${hostname}/luks" >/dev/null + ssh \ + ${lib.optionalString unlockOverV4 "-4"} \ + -p 2222 \ + "root@${targetHost}" \ + "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks") + '') + self.nixosConfigurations; + + updateInputs = pkgs.writeShellScriptBin "updateInputs" '' + set -e + git diff --exit-code -s flake.lock || (echo "Lockfile has unstaged changes, refusing to update." >&2 && exit 1) + git diff --cached --exit-code -s flake.lock || (echo "Lockfile has staged changes, refusing to update." >&2 && exit 1) + nix flake update + git diff --exit-code -s flake.lock && echo "Already up to date." && exit 0 + git commit -m "Update flake inputs" flake.lock + ''; + + showKeyFingerprint = pkgs.writeShellScriptBin "showKeyFingerprint" '' + gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }' + ''; + }; + + devShell = pkgs.mkShell { + buildInputs = (with pkgs; [ + nixpkgs-fmt + sops + ssh-to-pgp + ]); + + shellHook = '' + find ${./keys} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import + '' + self.checks.${system}.pre-commit-check.shellHook; + }; + }) // { + overlay = import ./pkgs; + + nixosConfigurations = nixpkgs.lib.mapAttrs + (hostname: { system + , extraModules ? [ ] + , targetHost ? hostname + , unlockOverV4 ? 
true + }: nixpkgs.lib.nixosSystem rec { + inherit system; + + modules = [ + (./machines + "/${hostname}/configuration.nix") + + home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops + + # NIX_PATH for legacy tooling and flake registry pinning + { + nix = { + nixPath = [ + "nixpkgs=${nixpkgs}" + ]; + registry = { + nixpkgs.flake = nixpkgs; + }; + }; + } + + # overlays + ({ config, ... }: { + nixpkgs.overlays = [ + self.overlay + (final: prev: { + unstable = import nixpkgs-unstable { + inherit system; + config = config.nixpkgs.config; + overlays = config.nixpkgs.overlays; + }; + }) + ]; + }) + + # deployment settings + ({ lib, ... }: { + options.deployment = { + targetHost = lib.mkOption { + type = lib.types.str; + readOnly = true; + internal = true; + }; + unlockOverV4 = lib.mkOption { + type = lib.types.bool; + readOnly = true; + internal = true; + description = "Whether to unlock the host over IPv4 (only)"; + }; + }; + config.deployment = { + inherit + targetHost + unlockOverV4; + }; + }) + ] ++ extraModules; + }) + (import ./machines { + inherit + infinisilSystem + nixos-hardware; + }); + }; +} diff --git a/machines/default.nix b/machines/default.nix index 02a7cab..4a92c9d 100644 --- a/machines/default.nix +++ b/machines/default.nix 
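Review bot: The `unlock` app's script opens with `set -exo pipefail`; the `-x` trace is new relative to the removed shell.nix version (`set -eo pipefail`) and reads like a leftover debug flag in a script that handles a LUKS passphrase. As written the passphrase only travels through the process substitution, so xtrace prints the `pass` and `ssh` command lines rather than the secret, but any later edit that places it in an argument would echo it to stderr; `set -eo pipefail` is the safer default. Separately, `showKeyFingerprint` interpolates `keys/''${1}.asc` without checking that an argument was passed, so a bare invocation queries `keys/.asc`; a guard such as `[ $# -eq 1 ] || { echo "usage: showKeyFingerprint <name>" >&2; exit 1; }` makes that explicit. The devShell `shellHook` also imports every file under `keys/` into the invoking user's default GnuPG keyring on each shell entry; a comment stating that these are public keys and that the import is intentional would help reviewers.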
@@ -1,24 +1,40 @@ +{ infinisilSystem +, nixos-hardware +}: let - sources = import ../nix/sources.nix; - - pkgs = import sources.nixpkgs { }; - lib = pkgs.lib; + hardware = nixos-hardware.nixosModules; in -lib.mapAttrs - (hostname: options: { - inherit hostname; - target = - if lib.hasAttr "target" options - then options.target - else "root@${hostname}"; - }) { - nunotaba = { }; - sayuri = { }; + nunotaba = { + system = "x86_64-linux"; + extraModules = [ + hardware.common-cpu-intel + hardware.common-pc-ssd + ]; + }; + sayuri = { + system = "x86_64-linux"; + extraModules = [ + hardware.common-cpu-intel + hardware.common-pc-ssd + ]; + }; vueko = { - target = "root@vueko.sbruder.de"; + system = "x86_64-linux"; + extraModules = [ + "${infinisilSystem}/config/new-modules/murmur.nix" + ]; + + targetHost = "vueko.sbruder.de"; }; fuuko = { - target = "root@fuuko.home.sbruder.de"; + system = "x86_64-linux"; + extraModules = [ + hardware.common-cpu-intel + hardware.common-pc-ssd + ]; + + targetHost = "fuuko.home.sbruder.de"; + unlockOverV4 = false; # gets slaac ipv6 address from router }; } diff --git a/machines/fuuko/hardware-configuration.nix b/machines/fuuko/hardware-configuration.nix index b43e25e..11ffaae 100644 --- a/machines/fuuko/hardware-configuration.nix +++ b/machines/fuuko/hardware-configuration.nix @@ -4,8 +4,6 @@ imports = [ (modulesPath + "/installer/scan/not-detected.nix") - - ]; boot = { diff --git a/machines/nunotaba/hardware-configuration.nix b/machines/nunotaba/hardware-configuration.nix index d09ddab..c075a77 100644 --- a/machines/nunotaba/hardware-configuration.nix +++ b/machines/nunotaba/hardware-configuration.nix @@ -3,8 +3,6 @@ { imports = [ (modulesPath + "/installer/scan/not-detected.nix") - - ]; boot = { diff --git a/machines/sayuri/hardware-configuration.nix b/machines/sayuri/hardware-configuration.nix index 8b0001a..dd20c22 100644 --- a/machines/sayuri/hardware-configuration.nix +++ b/machines/sayuri/hardware-configuration.nix 
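Review bot: The rationale for pulling `murmur.nix` from an external repository was lost in this move — the removed let-block in machines/vueko/configuration.nix explained why it was fetched the way it was, and the new `extraModules` entry for vueko carries no comment at all; add `# murmur module from Infinisil's config, pinned as the non-flake input infinisilSystem` above it. Style: `system = "x86_64-linux"` plus the same two nixos-hardware modules are repeated verbatim for nunotaba, sayuri and fuuko; a shared base such as `intelSsd = { system = "x86_64-linux"; extraModules = [ hardware.common-cpu-intel hardware.common-pc-ssd ]; };` in the let-block, with `nunotaba = intelSsd;` and `fuuko = intelSsd // { targetHost = ...; unlockOverV4 = false; };`, would leave only the per-host differences in each entry.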
@@ -3,8 +3,6 @@ { imports = [ (modulesPath + "/installer/scan/not-detected.nix") - - ]; boot = { diff --git a/machines/vueko/configuration.nix b/machines/vueko/configuration.nix index 7ff84e5..dc785e4 100644 --- a/machines/vueko/configuration.nix +++ b/machines/vueko/configuration.nix @@ -1,12 +1,5 @@ { config, lib, pkgs, ... }: -let - # any nixpkgs fetcher fails with infinite recursion when importing a module - # from it - infinisilSystem = fetchTarball { - url = "https://github.com/Infinisil/system/archive/91c5df20db68a995155218c5334db0e394185ca8.tar.gz"; - sha256 = "1qlz96mla0rlsqax9r8pmwycy8f8byisvjxlk2545mpk9lp2yspv"; - }; -in + { imports = [ ./hardware-configuration.nix @@ -14,8 +7,6 @@ in ./services/coturn.nix ./services/element-web.nix - - "${infinisilSystem}/config/new-modules/murmur.nix" ]; sbruder = { diff --git a/modules/default.nix b/modules/default.nix index 6c344a1..fc3e9aa 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -44,8 +44,6 @@ ./udev.nix ./unfree.nix ./wireguard - - "${(import ../nix/sources.nix).sops-nix}/modules/sops" ]; config = lib.mkMerge [ diff --git a/modules/nix.nix b/modules/nix.nix index 09d6997..c43a2e0 100644 --- a/modules/nix.nix +++ b/modules/nix.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: let - # Taken from https://nixos.wiki/wiki/Overlays + # Adapted from https://nixos.wiki/wiki/Overlays overlaysCompat = pkgs.writeTextFile { name = "overlays-compat"; destination = "/overlays.nix"; @@ -9,7 +9,10 @@ let with super.lib; let # Load the system config and get the `nixpkgs.overlays` option - overlays = (import { }).config.nixpkgs.overlays; + # This fails gracefully if getFlake is not available + overlays = if builtins.hasAttr "getFlake" builtins + then (builtins.getFlake "/var/src/config").nixosConfigurations.${config.networking.hostName}.config.nixpkgs.overlays + else [ ]; in # Apply all overlays to the input of the current "main" overlay foldl' (flip extends) (_: super) overlays self 
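Review bot: The new comment `# This fails gracefully if getFlake is not available` overstates what the guard does: only the missing builtin falls back to `[ ]`; when `getFlake` exists but `/var/src/config` is absent, is not a flake, or has no `nixosConfigurations` entry for `config.networking.hostName`, the compat overlay still throws, and that presumably surfaces in any NIX_PATH-based import of nixpkgs that picks up `nixpkgs-overlays`. Reword to `# Fall back to no overlays when the flakes builtin is missing; a missing or broken /var/src/config still raises an evaluation error` so the remaining failure mode is documented. The literal `/var/src/config` also duplicates the `${targetPath}/config` destination the deploy app in flake.nix uses; a comment such as `# must match the krops target path used by the deploy app in flake.nix` would flag the coupling when either side moves. Style: `builtins ? getFlake` is the idiomatic form of `builtins.hasAttr "getFlake" builtins`.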
@@ -28,8 +31,6 @@ in package = pkgs.nixUnstable; nixPath = [ - "/var/src" # pinned nixpkgs and configuration - "nixpkgs=/var/src/nixpkgs" # for nix run "nixpkgs-overlays=${overlaysCompat}" ]; # Make sudoers trusted nix users @@ -60,14 +61,4 @@ in daemonNiceLevel = 10; daemonIONiceLevel = 5; # 0-7 }; - - nixpkgs.overlays = [ - (import ../pkgs) - (final: prev: { - unstable = import (import ../nix/sources.nix).nixpkgs-unstable { - config = config.nixpkgs.config; - overlays = config.nixpkgs.overlays; - }; - }) - ]; } diff --git a/nix/sources.json b/nix/sources.json deleted file mode 100644 index aace163..0000000 --- a/nix/sources.json +++ /dev/null 
@@ -1,86 +0,0 @@ -{ - "home-manager": { - "branch": "release-20.09", - "description": "Manage a user environment using Nix [maintainer=@rycee] ", - "homepage": "https://nix-community.github.io/home-manager/", - "owner": "nix-community", - "repo": "home-manager", - "rev": "2aa20ae969f2597c4df10a094440a66e9d7f8c86", - "sha256": "0i5fxaxqm53zp767smrn250q1wjywf9c1jmg6vhp28973p7jysah", - "type": "tarball", - "url": "https://github.com/nix-community/home-manager/archive/2aa20ae969f2597c4df10a094440a66e9d7f8c86.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "krops": { - "branch": "master", - "description": "Mirror of https://cgit.krebsco.de/krops/about/ (PRs / issues accepted, as can be seen by not having them disabled)", - "homepage": "", - "owner": "krebs", - "repo": "krops", - "rev": "cccebf3ff7a53336b3f106cb96dddd5892d427ed", - "sha256": "07mg3iaqjf1w49vmwfchi7b1w55bh7rvsbgicp2m47gnj9alwdb6", - "type": "tarball", - "url": "https://github.com/krebs/krops/archive/cccebf3ff7a53336b3f106cb96dddd5892d427ed.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "nixos-hardware": { - "branch": "master", - "description": "A collection of NixOS modules covering hardware quirks.", - "homepage": "", - "owner": "nixos", - "repo": "nixos-hardware", - "rev": "f7540d6c27704ec0fe56ecc8b2a9b663181850b0", - "sha256": "1rr470h5frly4a6wwpm1pmfgv57v5f7zwlc73sdx93ms7pc050lf", - "type": "tarball", - "url": "https://github.com/nixos/nixos-hardware/archive/f7540d6c27704ec0fe56ecc8b2a9b663181850b0.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "nixpkgs": { - "branch": "nixos-20.09", - "description": "Nix Packages collection", - "homepage": "", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "17b101e29dfff7ae02cdd00e8cde243d2a56472d", - "sha256": "142lbns0qxl9c6gz035c07v9gpsfd29absqvpd539iz898bdlc48", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/17b101e29dfff7ae02cdd00e8cde243d2a56472d.tar.gz", - 
"url_template": "https://github.com///archive/.tar.gz" - }, - "nixpkgs-unstable": { - "branch": "nixos-unstable", - "description": "Nix Packages collection", - "homepage": "", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "8e4fe32876ca15e3d5eb3ecd3ca0b224417f5f17", - "sha256": "1l7bnn2mlwmbi6s9kqa1g2i66arzshqijym1qmqq5417q5pq1da7", - "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/8e4fe32876ca15e3d5eb3ecd3ca0b224417f5f17.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "pre-commit-hooks.nix": { - "branch": "master", - "description": "Seamless integration of https://pre-commit.com git hooks with Nix.", - "homepage": "", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "2d169bb1b23f3b71a894a66ea81f45c788943248", - "sha256": "1iyvi56rzszwizq0ymf1x262yhjwzk8k77qahb65fcync99jha2a", - "type": "tarball", - "url": "https://github.com/cachix/pre-commit-hooks.nix/archive/2d169bb1b23f3b71a894a66ea81f45c788943248.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "sops-nix": { - "branch": "master", - "description": "Atomic secret provisioning for NixOS based on sops", - "homepage": "", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "4f384662a85804fa2bc1bc1f99e70bb468e76f88", - "sha256": "1q600d0r02qpy05a4ppy0i8hrc0yx9r43hcfy87fj4riirrill6x", - "type": "tarball", - "url": "https://github.com/Mic92/sops-nix/archive/4f384662a85804fa2bc1bc1f99e70bb468e76f88.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - } -} diff --git a/nix/sources.nix b/nix/sources.nix deleted file mode 100644 index f614e68..0000000 --- a/nix/sources.nix +++ /dev/null 
@@ -1,149 +0,0 @@ -# This file has been generated by Niv. -let - # - # The fetchers. fetch_ fetches specs of type . - # - - fetch_file = pkgs: spec: - if spec.builtin or true then - builtins_fetchurl { inherit (spec) url sha256; } - else - pkgs.fetchurl { inherit (spec) url sha256; }; - - fetch_tarball = pkgs: name: spec: - let - ok = str: ! builtins.isNull (builtins.match "[a-zA-Z0-9+-._?=]" str); - # sanitize the name, though nix will still fail if name starts with period - name' = stringAsChars (x: if ! ok x then "-" else x) "${name}-src"; - in - if spec.builtin or true then - builtins_fetchTarball { name = name'; inherit (spec) url sha256; } - else - pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; - - fetch_git = spec: - builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; }; - - fetch_local = spec: spec.path; - - fetch_builtin-tarball = name: throw - ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. - $ niv modify ${name} -a type=tarball -a builtin=true''; - - fetch_builtin-url = name: throw - ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. - $ niv modify ${name} -a type=file -a builtin=true''; - - # - # Various helpers - # - - # The set of packages used when specs are fetched using non-builtins. - mkPkgs = sources: - let - sourcesNixpkgs = - import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { }; - hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; - hasThisAsNixpkgsPath = == ./.; - in - if builtins.hasAttr "nixpkgs" sources - then sourcesNixpkgs - else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then - import { } - else - abort - '' - Please specify either (through -I or NIX_PATH=nixpkgs=...) or - add a package called "nixpkgs" to your sources.json. - ''; - - # The actual fetching function. - fetch = pkgs: name: spec: - - if ! 
builtins.hasAttr "type" spec then - abort "ERROR: niv spec ${name} does not have a 'type' attribute" - else if spec.type == "file" then fetch_file pkgs spec - else if spec.type == "tarball" then fetch_tarball pkgs name spec - else if spec.type == "git" then fetch_git spec - else if spec.type == "local" then fetch_local spec - else if spec.type == "builtin-tarball" then fetch_builtin-tarball name - else if spec.type == "builtin-url" then fetch_builtin-url name - else - abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; - - # If the environment variable NIV_OVERRIDE_${name} is set, then use - # the path directly as opposed to the fetched source. - replace = name: drv: - let - saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; - ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; - in - if ersatz == "" then drv else ersatz; - - # Ports of functions for older nix versions - - # a Nix version of mapAttrs if the built-in doesn't exist - mapAttrs = builtins.mapAttrs or ( - f: set: with builtins; - listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) - ); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 - range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 - stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 - stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); - concatStrings = builtins.concatStringsSep ""; - - # fetchTarball version that is compatible between all the versions of Nix - builtins_fetchTarball = { url, name, sha256 }@attrs: - let - inherit (builtins) lessThan nixVersion 
fetchTarball; - in - if lessThan nixVersion "1.12" then - fetchTarball { inherit name url; } - else - fetchTarball attrs; - - # fetchurl version that is compatible between all the versions of Nix - builtins_fetchurl = { url, sha256 }@attrs: - let - inherit (builtins) lessThan nixVersion fetchurl; - in - if lessThan nixVersion "1.12" then - fetchurl { inherit url; } - else - fetchurl attrs; - - # Create the final "sources" from the config - mkSources = config: - mapAttrs - ( - name: spec: - if builtins.hasAttr "outPath" spec - then - abort - "The values in sources.json should not have an 'outPath' attribute" - else - spec // { outPath = replace name (fetch config.pkgs name spec); } - ) - config.sources; - - # The "config" used by the fetchers - mkConfig = - { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null - , sources ? if isNull sourcesFile then { } else builtins.fromJSON (builtins.readFile sourcesFile) - , pkgs ? mkPkgs sources - }: rec { - # The sources, i.e. the attribute set of spec name to spec - inherit sources; - - # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers - inherit pkgs; - }; - -in -mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/pkgs/overlays.nix b/pkgs/overlays.nix index 212d4dc..8c6dad7 100644 --- a/pkgs/overlays.nix +++ b/pkgs/overlays.nix @@ -1,3 +1,3 @@ # This allows using nix cli tools to build a package from the overlay without running nixos-rebuild: -# nix run -I nixpkgs-overlays=./pkgs/overlays.nix nixpkgs.overlay-pkg +# nix-run -I nixpkgs-overlays=./pkgs/overlays.nix -p overlay-pkg [ (import ./default.nix) ] diff --git a/shell.nix b/shell.nix deleted file mode 100644 index c6c379b..0000000 --- a/shell.nix +++ /dev/null 
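Review bot: The updated comment `# nix-run -I nixpkgs-overlays=./pkgs/overlays.nix -p overlay-pkg` names a command that is not part of the legacy `nix-*` CLI unless it is a local alias; the `-p` flag belongs to `nix-shell`, so this was probably meant as `# nix-shell -I nixpkgs-overlays=./pkgs/overlays.nix -p overlay-pkg`. As written the example cannot be pasted and run, which defeats the purpose of the comment above it.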
@@ -1,65 +0,0 @@ -let - sources = import ./nix/sources.nix; - pkgs = import sources.nixpkgs { }; - - nix-pre-commit-hooks = import sources."pre-commit-hooks.nix"; - - pre-commit-check = nix-pre-commit-hooks.run { - src = ./.; - hooks = { - nixpkgs-fmt.enable = true; - }; - }; - - scripts = { - update-sources = '' - set -e - git diff --exit-code -s nix/sources.json || (echo "File nix/sources.json has unstaged changes, refusing to update." >&2 && exit 1) - git diff --cached --exit-code -s nix/sources.json || (echo "File nix/sources.json has staged changes, refusing to update." >&2 && exit 1) - niv update - git diff --exit-code -s nix/sources.json && echo "Already up to date." && exit 0 - git commit -m "Update sources" nix/sources.json - ''; - - deploy = '' - set -e - # If a deployment to localhost introduces an evaluation error, future - # deployments will fail since the overlay compat can’t parse the - # configuration. Overlays aren’t needed to build the krops deploy script. - export NIX_PATH="$(sed 's/:nixpkgs-overlays=[^:]*//' <<< "$NIX_PATH")" - $(nix-build --no-out-link deploy.nix -A "$1") - ''; - - unlock = '' - set -eo pipefail - machine="$1" - hostname="$(nix-instantiate --eval --json machines -A "$1".target | ${pkgs.jq}/bin/jq -r . | cut -d@ -f2)" - # opening luks fails if gpg-agent is not unlocked yet - pass "devices/$machine/luks" >/dev/null - ssh \ - -4 \ - -p 2222 \ - "root@$hostname" \ - "cat > /crypt-ramfs/passphrase" < <(pass "devices/$machine/luks") - ''; - - show-key-fingerprint = '' - gpg --with-fingerprint --with-colons --show-key "$1" | awk -F: '$1 == "fpr" { print $10; exit }' - ''; - }; -in -pkgs.mkShell { - buildInputs = (with pkgs; [ - git - niv - nixpkgs-fmt - sops - ssh-to-pgp - ]) ++ (pkgs.lib.mapAttrsToList pkgs.writeShellScriptBin scripts); - - shellHook = '' - ${pre-commit-check.shellHook} - - find ${./. + "/keys"} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import - ''; -} 
diff --git a/users/simon/default.nix b/users/simon/default.nix index 738ea37..1c49657 100644 --- a/users/simon/default.nix +++ b/users/simon/default.nix @@ -1,9 +1,5 @@ { config, options, pkgs, ... }: { - imports = [ - (import "${(import ../../nix/sources.nix).home-manager}/nixos") - ]; - users.users.simon = { isNormalUser = true; extraGroups = [