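{
  description = "NixOS system configuration";

  # Flake inputs. Only infinisilSystem is pinned to a commit in the URL; every
  # other input that names a moving branch (master, nixos-unstable, or a repo's
  # default branch) is pinned solely by flake.lock, and the `updateInputs` app
  # below is the one place that advances those pins.
  #
  # NOTE(review): nixpkgs and home-manager track a release branch
  # (nixos-20.09 / release-20.09); release branches stop receiving security
  # updates after their support window, so bump both together when that time
  # comes (home-manager's nixpkgs follows ours, so they must stay in step).
  inputs = {
    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs.url = "github:nixos/nixpkgs/nixos-20.09";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    home-manager.url = "github:nix-community/home-manager/release-20.09";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    krops.url = "github:Mic92/krops";
    krops.inputs.flake-utils.follows = "flake-utils";
    krops.inputs.nixpkgs.follows = "nixpkgs";
    nixos-hardware.url = "github:nixos/nixos-hardware/master";
    nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
    nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
    nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    # Non-flake input pinned to an exact commit; used by ./machines.
    infinisilSystem.url = "github:Infinisil/system/91c5df20db68a995155218c5334db0e394185ca8";
    infinisilSystem.flake = false;
    bang-evaluator.url = "git+https://git.sbruder.de/simon/bangs";
    bang-evaluator.inputs.flake-utils.follows = "flake-utils";
    bang-evaluator.inputs.nixpkgs.follows = "nixpkgs";
    aria2_exporter.url = "github:sbruder/aria2_exporter";
    aria2_exporter.inputs.flake-utils.follows = "flake-utils";
    aria2_exporter.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs =
    { self
    , aria2_exporter
    , bang-evaluator
    , flake-utils
    , home-manager
    , infinisilSystem
    , krops
    , nix-pre-commit-hooks
    , nixos-hardware
    , nixpkgs
    , nixpkgs-unstable
    , sops-nix
    }:
    # Per-system outputs (checks, apps, devShell) ...
    flake-utils.lib.eachDefaultSystem
      (system:
        let
          pkgs = nixpkgs.legacyPackages.${system};
          inherit (pkgs) lib;
        in
        {
          checks = {
            # Formatting check over the whole repo; also provides the
            # shellHook that installs the git pre-commit hook in devShell.
            pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {
              src = ./.;
              hooks = {
                nixpkgs-fmt.enable = true;
              };
            };
          };

          apps = {
            # One deploy-<hostname> command per nixosConfiguration. krops
            # copies the repo to the target as root (the address comes from the
            # machine's deployment.targetHost option) and switches to the flake.
            deploy = lib.mapAttrs
              (hostname: machine:
                let
                  inherit (krops.packages.${system}) writeCommand;
                  # krops' lib (a superset of nixpkgs lib) shadows pkgs.lib here.
                  inherit (krops) lib;
                in
                writeCommand "/bin/deploy-${hostname}" {
                  target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {
                    extraOptions = [
                      # force allocation of tty to allow aborting with ^C and to show build progress
                      "-t"
                    ];
                  };
                  source = lib.evalSource (lib.singleton {
                    config.file = {
                      path = toString ./.;
                      useChecksum = true;
                      # Only this host's machine directory is copied; the other
                      # hosts' directories under /machines/ stay off the target.
                      filters = [
                        { type = "include"; pattern = "/machines/${hostname}/"; }
                        { type = "exclude"; pattern = "/machines/*/"; }
                      ];
                    };
                  });
                  command = targetPath: ''
                    nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
                  '';
                })
              self.nixosConfigurations;

            # One <hostname> command per nixosConfiguration that feeds the LUKS
            # passphrase from `pass` to the host's initrd sshd on port 2222.
            # The passphrase travels over stdin (process substitution), not
            # argv, so it never appears in process listings or in the `-x`
            # trace, which only echoes the command lines.
            # NOTE(review): this relies on ssh's default host-key verification
            # for the initrd sshd; do not weaken it here, since the passphrase
            # is handed to whichever host answers on that port.
            unlock = lib.mapAttrs
              (hostname: machine:
                let
                  inherit (machine.config.deployment) targetHost unlockOverV4;
                in
                pkgs.writeShellScriptBin hostname ''
                  set -exo pipefail
                  # opening luks fails if gpg-agent is not unlocked yet
                  pass "devices/${hostname}/luks" >/dev/null
                  ssh \
                    ${lib.optionalString unlockOverV4 "-4"} \
                    -p 2222 \
                    "root@${targetHost}" \
                    "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
                '')
              self.nixosConfigurations;

            # Advances every input pin in flake.lock and commits the result as a
            # single commit. Refuses to run when flake.lock already has local
            # (staged or unstaged) changes so unrelated edits are not swept into
            # the update commit. The refusals use `{ …; exit 1; }` rather than a
            # subshell so the exit does not depend on `set -e` to propagate.
            updateInputs = pkgs.writeShellScriptBin "updateInputs" ''
              set -e
              git diff --exit-code -s flake.lock || { echo "Lockfile has unstaged changes, refusing to update." >&2; exit 1; }
              git diff --cached --exit-code -s flake.lock || { echo "Lockfile has staged changes, refusing to update." >&2; exit 1; }
              nix flake update
              git diff --exit-code -s flake.lock && echo "Already up to date." && exit 0
              git commit -m "Update flake inputs" flake.lock
            '';

            # Prints the primary fingerprint of keys/<name>.asc (first "fpr"
            # record in gpg's colon output). Fails instead of printing nothing
            # when no key name is given or gpg cannot read the file: without
            # pipefail a missing file would exit 0 with empty output, which is
            # easy to paste into a sops rule unnoticed.
            showKeyFingerprint = pkgs.writeShellScriptBin "showKeyFingerprint" ''
              set -o pipefail
              if [ $# -ne 1 ]; then
                echo "usage: showKeyFingerprint <key-name>" >&2
                exit 1
              fi
              gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
            '';
          };

          devShell = pkgs.mkShell {
            buildInputs = (with pkgs; [
              nixpkgs-fmt
              sops
              ssh-to-pgp
            ]);
            # Import every key file under ./keys into the developer's gpg
            # keyring (so sops can encrypt to them), then install the
            # pre-commit hook.
            shellHook = ''
              find ${./keys} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import
            '' + self.checks.${system}.pre-commit-check.shellHook;
          };
        })
    # ... plus the system-independent outputs.
    // {
      overlay = import ./pkgs;

      # One NixOS system per entry of ./machines. Each entry supplies `system`
      # and may override extraModules, targetHost (defaults to the hostname)
      # and unlockOverV4 (defaults to true); the last two are surfaced to the
      # deploy/unlock apps through the read-only `deployment` options below.
      nixosConfigurations = nixpkgs.lib.mapAttrs
        (hostname:
          { system
          , extraModules ? [ ]
          , targetHost ? hostname
          , unlockOverV4 ? true
          }:
          nixpkgs.lib.nixosSystem rec {
            inherit system;
            modules = [
              (./machines + "/${hostname}/configuration.nix")
              home-manager.nixosModules.home-manager
              sops-nix.nixosModules.sops
              aria2_exporter.nixosModules.aria2_exporter
              bang-evaluator.nixosModules.bang-evaluator
              # NIX_PATH for legacy tooling and flake registry pinning
              {
                nix = {
                  nixPath = [ "nixpkgs=${nixpkgs}" ];
                  registry = {
                    nixpkgs.flake = nixpkgs;
                  };
                };
              }
              # overlays: this flake's packages plus `pkgs.unstable`, an
              # instantiation of nixpkgs-unstable sharing the host's nixpkgs
              # config and overlays.
              ({ config, ... }: {
                nixpkgs.overlays = [
                  self.overlay
                  (final: prev: {
                    unstable = import nixpkgs-unstable {
                      inherit system;
                      config = config.nixpkgs.config;
                      overlays = config.nixpkgs.overlays;
                    };
                  })
                ];
              })
              # deployment settings
              ({ lib, ... }: {
                options.deployment = {
                  targetHost = lib.mkOption {
                    type = lib.types.str;
                    readOnly = true;
                    internal = true;
                  };
                  unlockOverV4 = lib.mkOption {
                    type = lib.types.bool;
                    readOnly = true;
                    internal = true;
                    description = "Whether to unlock the host over IPv4 (only)";
                  };
                };
                config.deployment = {
                  inherit targetHost unlockOverV4;
                };
              })
            ] ++ extraModules;
          })
        (import ./machines { inherit infinisilSystem nixos-hardware; });
    };
}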