]> Git — Sourcephile - sourcephile-nix.git/blob - flake.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
creds: finish to migrate to systemd-creds.nix
[sourcephile-nix.git] / flake.nix
1 {
2 # Pin down nixpkgs from github, instead of using global, system or user registries.
3 inputs.nixpkgs.url = "github:NixOS/nixpkgs/32096899af23d49010bd8cf6a91695888d9d9e73";
4 #inputs.nixpkgs.url = "flake:nixpkgs";
5 inputs.flake-utils.url = "github:numtide/flake-utils";
6 inputs.home-manager.follows = "julm-nix/home-manager";
7 #inputs.julm-nix.url = "git+https://git.hut.sourcephile.fr/~julm/julm-nix?ref=main";
8 inputs.julm-nix.url = "git+file:///home/julm/work/sourcephile/nix/julm-nix?ref=main";
9 #inputs.julm-nix.type = "path";
10 #inputs.julm-nix.path = "/home/julm/work/sourcephile/nix/julm-nix";
11 inputs.julm-nix.inputs.flake-utils.follows = "flake-utils";
12 inputs.julm-nix.inputs.nixpkgs.follows = "nixpkgs";
13 inputs.doom-emacs.follows = "julm-nix/doom-emacs";
14 inputs.shell.url = "path:./shell";
15 inputs.shell.flake = false;
16 inputs.pass.type = "path";
17 inputs.pass.path = "/home/julm/work/sourcephile/nix/pass";
18 inputs.pass.flake = false;
19
20 outputs = inputs: let
21 remoteNixpkgsPatches = import nixpkgs/patches.nix;
22 localNixpkgsPatches = [
23 #nixpkgs/patches/sourcehut.diff
24 #nixpkgs/patches/bitmask.diff
25 #nixpkgs/patches/systemd-coredump.diff
26 ];
27 originPkgs = inputs.nixpkgs.legacyPackages."x86_64-linux";
28 nixpkgsPath = originPkgs.applyPatches {
29 name = "nixpkgs-patched";
30 src = inputs.nixpkgs;
31 patches = map originPkgs.fetchpatch remoteNixpkgsPatches ++ localNixpkgsPatches;
32 postPatch = ''
33 patch=$(printf '%s\n' ${builtins.concatStringsSep " "
34 (map (p: p.sha256) remoteNixpkgsPatches ++ localNixpkgsPatches)} |
35 sort | sha256sum | cut -c -7)
36 echo "+patch-$patch" >.version-suffix
37 '';
38 };
39 lib = originPkgs.lib;
40 hosts = builtins.mapAttrs (hostName: hostConfig:
41 let cfg = import hostConfig { inherit inputs hostName nixpkgsPath; }; in
42 import (nixpkgsPath + "/nixos/lib/eval-config.nix") (lib.recursiveUpdate cfg {
43 specialArgs = {
44 inherit hostName inputs;
45 };
46 modules = cfg.modules ++ [
47 {
48 config._module.args = {
49 hosts = inputs.self.nixosConfigurations;
50 host = inputs.self.nixosConfigurations.${hostName}._module.args;
51 };
52 }
53 inputs.home-manager.nixosModules.home-manager
54 {
55 home-manager.useGlobalPkgs = true;
56 home-manager.useUserPackages = true;
57 home-manager.verbose = true;
58 home-manager.backupFileExtension = null;
59 home-manager.extraSpecialArgs = {
60 inherit hostName inputs;
61 };
62 }
63 ({ pkgs, ... }: {
64 nix.package = pkgs.nixUnstable;
65 nixpkgs.overlays =
66 import nixpkgs/overlays.nix ++
67 import (inputs.julm-nix + "/nixpkgs/overlays.nix");
68 system.nixos.versionSuffix = ".${
69 lib.substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${
70 inputs.self.shortRev or "dirty"}";
71 system.nixos.revision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
72 # Let 'nixos-version --json' know about the Git revision of this flake.
73 system.configurationRevision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
74 /*
75 system.configurationRevision =
76 if inputs.self ? rev
77 then inputs.self.rev
78 else throw "Refusing to build from a dirty Git tree!";
79 */
80 programs.ssh.knownHosts = {
81 carotte = {
82 extraHostNames = [ "carotte" "carotte.sourcephile.fr" ];
83 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnnS0w9zm5KuWwlfJu+qEXC0asESQySPp76szyMTE3J";
84 };
85 mermet = {
86 extraHostNames = [ "mermet" "mermet.sourcephile.fr" ];
87 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvKN2sIpH782MFjaOpcty1Hs/T/TPNJpXI08H3O3oxl";
88 };
89 losurdo = {
90 extraHostNames = [ "losurdo" "losurdo.sourcephile.fr" ];
91 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJkAq1T0Dxozt4RPylvWrUmeuejiG+n/owb3ucnWP9F";
92 };
93 };
94 })
95 ];
96 }));
97 in
98 {
99 # Example: nix -L build .#nixosConfigurations.losurdo.config.system.build.toplevel
100 # Example: nix -L build .#nixosConfigurations.losurdo.config.boot.kernelPackages.kernel.configfile
101 # Example: nix -L build .#nixosConfigurations.losurdo.pkgs.hello
102 # Example: nix eval .#nixosConfigurations.losurdo.config.networking.hostName
103 nixosConfigurations = hosts {
104 carotte = hosts/carotte.nix;
105 losurdo = hosts/losurdo.nix;
106 mermet = hosts/mermet.nix;
107 };
108 #nixosModule = import nixos/modules.nix;
109 }
110 // inputs.flake-utils.lib.eachDefaultSystem (system:
111 #let pkgs = inputs.nixpkgs.legacyPackages.${system}; in
112 let
113 pkgs = import nixpkgsPath {
114 inherit system;
115 overlays =
116 import nixpkgs/overlays.nix ++
117 import (inputs.julm-nix + "/nixpkgs/overlays.nix");
118 };
119 in {
120 legacyPackages = pkgs;
121 devShell = import ./shell.nix { inherit inputs pkgs; };
122 apps = builtins.mapAttrs (hostName: { config, ... }: let
123 build = config.system.build;
124 target = "\"\${TARGET:-root@${config.networking.hostName}.${config.networking.domain}}\"";
125 profile = "/nix/var/nix/profiles/system";
126 in rec {
127 # Example: nix run .#losurdo.switch
128 "switch" = {
129 type = "app";
130 program = (pkgs.writeShellScript "switch" (''
131 set -eux
132 set -o pipefail
133 shopt -s globstar
134 nix-store --add-root hosts/${hostName}.nixpkgs --indirect --realise ${nixpkgsPath}
135 nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}
136
137 nix copy --to ssh://${target}${lib.optionalString config.install.substituteOnDestination " --substitute-on-destination"} ${build.toplevel}
138
139 '' + lib.optionalString config.boot.initrd.network.ssh.enable ''
140 # Send the SSH key of the initrd
141 gpg --decrypt 'pass/hosts/${hostName}/initrd/ssh.key.gpg' |
142 ssh ${target} install -D -m 400 -o root -g root /dev/stdin /root/initrd/ssh.key
143 # Send the Wireguard key of the initrd
144 gpg --decrypt 'pass/hosts/${hostName}/wireguard/wg-intra/privateKey.gpg' |
145 ssh ${target} install -D -m 400 -o root -g root /dev/stdin /root/initrd/wg-intra.key
146 '' + ''
147 ssh ${target} set -x ';' \
148 systemctl reset-failed nixos-fallback '2>/dev/null' ';' \
149 systemd-run -u nixos-fallback --description=nixos-fallback /bin/sh -xc '''\'''
150 PATH=${with pkgs; lib.makeBinPath [ coreutils nix systemd ]}
151 sleep $((10 * 60))
152 ${profile}/bin/switch-to-configuration switch
153 systemctl reboot
154 '\'''' '&&' \
155 ${build.toplevel}/bin/switch-to-configuration test
156
157 ssh ${target} -o ControlPath=none set -x ';' \
158 systemctl stop nixos-fallback.service ';' \
159 nix-env --profile ${profile} --set '${build.toplevel}' ';' \
160 ${build.toplevel}/bin/switch-to-configuration boot '&&' \
161 nix-env --delete-generations 7d --profile ${profile}
162 ''
163 )).outPath;
164 };
165 # Example: nix run .#carotte.install-sd
166 "install-sd" = {
167 type = "app";
168 program = (pkgs.writeShellScript "install-sd" ''
169 export PATH="$PATH:${with pkgs; lib.makeBinPath [coreutils zstd]}"
170 set -eux
171 set -o pipefail
172 nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.sdImage}
173 unzstd --stdout ${build.sdImage}/sd-image/*.img.zst |
174 sudo -k dd conv=notrunc oflag=direct,sync status=progress of="''${1:-/dev/mmcblk0}"
175 '').outPath;
176 };
177 }) inputs.self.nixosConfigurations;}
178 );
179 }
NixOS configurations for Sourcephile's infrastructure