simon
/
nixos-config
1
1
Fork 0
Code Issues 8 Pull Requests Projects Releases Activity
nixos-config/flake.nix

235 lines
7.7 KiB
Nix
Raw Blame History

{
description = "NixOS system configuration";
inputs = {
flake-utils.url = "github:numtide/flake-utils";
nixpkgs.url = "github:nixos/nixpkgs/nixos-20.09";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
home-manager.url = "github:nix-community/home-manager/release-20.09";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
krops.url = "github:Mic92/krops";
krops.inputs.flake-utils.follows = "flake-utils";
krops.inputs.nixpkgs.follows = "nixpkgs";
nixos-hardware.url = "github:nixos/nixos-hardware/master";
nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
infinisilSystem.url = "github:Infinisil/system/91c5df20db68a995155218c5334db0e394185ca8";
infinisilSystem.flake = false;
bang-evaluator.url = "git+https://git.sbruder.de/simon/bangs";
bang-evaluator.inputs.flake-utils.follows = "flake-utils";
bang-evaluator.inputs.nixpkgs.follows = "nixpkgs";
aria2_exporter.url = "github:sbruder/aria2_exporter";
aria2_exporter.inputs.flake-utils.follows = "flake-utils";
aria2_exporter.inputs.nixpkgs.follows = "nixpkgs";
AriaNg.url = "git+https://git.sbruder.de/simon/AriaNg";
AriaNg.inputs.flake-utils.follows = "flake-utils";
AriaNg.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
{ self
, AriaNg
, aria2_exporter
, bang-evaluator
, flake-utils
, home-manager
, infinisilSystem
, krops
, nix-pre-commit-hooks
, nixos-hardware
, nixpkgs
, nixpkgs-unstable
, sops-nix
}: flake-utils.lib.eachDefaultSystem
(system:
let
pkgs = nixpkgs.legacyPackages.${system};
inherit (pkgs) lib;
in
{
checks = {
pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixpkgs-fmt.enable = true;
};
};
};
apps = lib.mapAttrs
(name: program: { type = "app"; program = toString program; })
(flake-utils.lib.flattenTree {
deploy = lib.recurseIntoAttrs (lib.mapAttrs
(hostname: machine:
let
inherit (krops.packages.${system}) writeCommand;
inherit (krops) lib;
in
writeCommand "deploy-${hostname}" {
target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {
extraOptions = [
# force allocation of tty to allow aborting with ^C and to show build progress
"-t"
];
};
source = lib.evalSource (lib.singleton {
config.file = {
path = toString ./.;
useChecksum = true;
filters = [
{
type = "include";
pattern = "/machines/${hostname}/";
}
{
type = "exclude";
pattern = "/machines/*/";
}
];
};
});
command = targetPath: ''
nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
'';
}
)
self.nixosConfigurations);
unlock = lib.recurseIntoAttrs (lib.mapAttrs
(hostname: machine:
let
inherit (machine.config.deployment)
targetHost
unlockOverV4;
in
pkgs.writeShellScript "unlock-${hostname}" ''
set -exo pipefail
# opening luks fails if gpg-agent is not unlocked yet
pass "devices/${hostname}/luks" >/dev/null
ssh \
${lib.optionalString unlockOverV4 "-4"} \
-p 2222 \
"root@${targetHost}" \
"cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
'')
self.nixosConfigurations);
updateInputs = pkgs.writeShellScript "update-inputs" ''
set -e
git diff --exit-code -s flake.lock || (echo "Lockfile has unstaged changes, refusing to update." >&2 && exit 1)
git diff --cached --exit-code -s flake.lock || (echo "Lockfile has staged changes, refusing to update." >&2 && exit 1)
nix flake update
git diff --exit-code -s flake.lock && echo "Already up to date." && exit 0
git commit -m "Update flake inputs" flake.lock
'';
showKeyFingerprint = pkgs.writeShellScript "show-key-fingerprint" ''
gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
'';
});
devShell = pkgs.mkShell {
buildInputs = (with pkgs; [
nixpkgs-fmt
sops
ssh-to-pgp
]);
shellHook = ''
find ${./keys} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import
'' + self.checks.${system}.pre-commit-check.shellHook;
};
}) // {
overlay = import ./pkgs;
nixosConfigurations = nixpkgs.lib.mapAttrs
(hostname: { system
, extraModules ? [ ]
, targetHost ? hostname
, unlockOverV4 ? true
}: nixpkgs.lib.nixosSystem rec {
inherit system;
modules = [
(./machines + "/${hostname}/configuration.nix")
home-manager.nixosModules.home-manager
sops-nix.nixosModules.sops
aria2_exporter.nixosModules.aria2_exporter
bang-evaluator.nixosModules.bang-evaluator
# NIX_PATH for legacy tooling and flake registry pinning
{
nix = {
nixPath = [
"nixpkgs=${nixpkgs}"
];
registry = {
nixpkgs.flake = nixpkgs;
nixpkgs-unstable.flake = nixpkgs-unstable;
};
};
}
# overlays
({ config, ... }: {
nixpkgs.overlays = [
self.overlay
(final: prev: {
unstable = import nixpkgs-unstable {
inherit system;
config = config.nixpkgs.config;
overlays = config.nixpkgs.overlays;
};
})
AriaNg.overlay
];
})
# deployment settings
({ lib, ... }: {
options.deployment = {
targetHost = lib.mkOption {
type = lib.types.str;
readOnly = true;
internal = true;
};
unlockOverV4 = lib.mkOption {
type = lib.types.bool;
readOnly = true;
internal = true;
description = "Whether to unlock the host over IPv4 (only)";
};
};
config.deployment = {
inherit
targetHost
unlockOverV4;
};
})
] ++ extraModules;
})
(import ./machines {
inherit
infinisilSystem
nixos-hardware;
});
};
}
Reference in New Issue View Git Blame Copy Permalink