1 {
description = "julm's Nix configurations for hosts (NixOS) and homes (home-manager)";
/*
Disabled: enabling this would make evaluation additionally trust the
nix-community binary cache and its signing key.
nixConfig = {
  extra-substituters = [
    "https://nix-community.cachix.org"
  ];
  extra-trusted-public-keys = [
    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
  ];
};
*/

nixConfig = {
  # Explanation: required due to the applyPatches on nixpkgs below:
  # `nixosSystem` and the per-system `pkgs` are imported from the patched
  # nixpkgs derivation, so evaluating this flake has to realise it first.
  # As with any flake nixConfig, the setting only takes effect once the
  # user accepts it (interactive prompt, or --accept-flake-config).
  allow-import-from-derivation = true;
};

# https://status.nixos.org
# nix flake update nixpkgs --override-flake nixpkgs github:NixOS/nixpkgs/2c3e5ec5df46d3aeee2a1da0bfedd74e21f4bf3a --allow-dirty-locks
inputs = {
  # Package sets. `nixpkgs` is the stable channel that every flake input
  # below follows; the two unstable trees are exposed to modules as extra
  # package sets only (see pkgs-unstable / pkgs-unstable-latest in outputs).
  nixpkgs = {
    #url = "github:NixOS/nixpkgs/nixos-25.05";
    url = "github:NixOS/nixpkgs/nixos-25.11";
  };
  nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
  nixpkgs-unstable-latest.url = "github:NixOS/nixpkgs/cad22e7d996aea55ecab064e84834289143e44a0";

  # Flake inputs, all pinned to the same nixpkgs as above so that a single
  # nixpkgs revision is evaluated.
  git-hooks = {
    url = "github:cachix/git-hooks.nix";
    inputs.nixpkgs.follows = "nixpkgs";
  };
  home-manager = {
    url = "github:nix-community/home-manager/release-25.11";
    #url = "git+file:///home/julm/src/nix/home-manager";
    inputs.nixpkgs.follows = "nixpkgs";
  };
  lanzaboote = {
    url = "github:nix-community/lanzaboote/v1.0.0";
    inputs = {
      nixpkgs.follows = "nixpkgs";
      pre-commit.follows = "git-hooks";
    };
  };
  nixos-hardware.url = "github:NixOS/nixos-hardware/master";

  # Plain (non-flake) sources: fetched and locked as source trees only.
  NicolasGB-jj-nvim = {
    url = "github:NicolasGB/jj.nvim";
    #url = "git+file:///home/julm/src/lua/jj.nvim";
    flake = false;
  };
  azaharPlus = {
    url = "github:AzaharPlus/AzaharPlus?submodules=1";
    flake = false;
  };
  bufstack = {
    url = "github:BibekBhusal0/bufstack.nvim";
    flake = false;
  };
  /*
  doom-emacs = {
    url = "github:hlissner/doom-emacs";
    flake = false;
  };
  */
  eagle-nvim = {
    url = "github:soulis-1256/eagle.nvim";
    flake = false;
  };
  jj-diffconflicts = {
    url = "github:rafikdraoui/jj-diffconflicts";
    flake = false;
  };
  jj-fugitive = {
    url = "github:martintrojer/jj-fugitive";
    flake = false;
  };
  jjui = {
    url = "github:idursun/jjui";
    flake = false;
  };
  sivansh11-jj-nvim = {
    url = "github:sivansh11/jj";
    flake = false;
  };
};
outputs =
  inputs:
  let
    # Patches applied on top of the pinned nixpkgs: remote ones are fetched
    # with fetchpatch from the entries in nixpkgs/patches.nix (each entry
    # carries its sha256, also reused in postPatch below), local ones live
    # in nixpkgs/patches/.
    remoteNixpkgsPatches = import nixpkgs/patches.nix;
    localNixpkgsPatches = [
      nixpkgs/patches/openvpn/openvpn-netns.patch
      nixpkgs/patches/openvpn/0001-nixos-netns-init-module-to-manage-network-namespaces.patch
    ];
    # Unpatched nixpkgs, only used to build the patched tree below.
    originPkgs = inputs.nixpkgs.legacyPackages."x86_64-linux";
    nixpkgsPath = originPkgs.applyPatches {
      name = "nixpkgs-patched";
      src = inputs.nixpkgs.outPath;
      patches = map originPkgs.fetchpatch remoteNixpkgsPatches ++ localNixpkgsPatches;
      # Record a short (7-char) hash of the applied patch set in the nixpkgs
      # version suffix, so a patched tree is identifiable from its version.
      postPatch = ''
        patch=$(printf '%s\n' ${
          builtins.concatStringsSep " " (map (p: p.sha256) remoteNixpkgsPatches ++ localNixpkgsPatches)
        } |
        sort | sha256sum | cut -c -7)
        echo "-patch-$patch" >.version-suffix
      '';
    };
    # System profile that the `switch` app below registers new generations in.
    profile = "/nix/var/nix/profiles/system";
    inherit (inputs.nixpkgs) lib;
    overlays = import nixpkgs/overlays.nix;
    #nixosSystem = lib.nixosSystem;
    # Evaluate NixOS from the *patched* nixpkgs tree; this is the
    # import-from-derivation that nixConfig allows.
    nixosSystem = import (nixpkgsPath + "/nixos/lib/eval-config.nix");
    # Call `f` once per exposed system with `{ system, pkgs }`, where `pkgs`
    # is the patched nixpkgs instantiated with this repository's overlays.
    forAllSystems =
      f:
      lib.genAttrs lib.systems.flakeExposed (
        system:
        f rec {
          inherit system;
          #pkgs = inputs.nixpkgs.legacyPackages.${system};
          pkgs = import nixpkgsPath {
            inherit system;
            overlays = overlays { inherit inputs system; };
          };
        }
      );
    # The flake's own source, restricted to files with the listed extensions
    # (plus shell.nix). Anything else in the tree — e.g. the *.gpg files the
    # `switch` app keeps out of the store — is not part of `self`.
    self =
      with lib.fileset;
      toSource {
        root = ./.;
        fileset =
          let
            exts = [
              "clear"
              "conf"
              "cred"
              "crt"
              "css"
              "el"
              "hs"
              "inc"
              "json"
              "lua"
              "nft"
              "nix"
              "patch"
              "pem"
              "pub"
              "sh"
              "theme"
              "toml"
              "vim"
            ];
          in
          unions [
            (fileFilter (file: lib.any file.hasExt exts) ./domains)
            (fileFilter (file: lib.any file.hasExt exts) ./home-manager)
            (fileFilter (file: lib.any file.hasExt exts) ./homes)
            (fileFilter (file: lib.any file.hasExt exts) ./hosts)
            (fileFilter (file: lib.any file.hasExt exts) ./nixos)
            (fileFilter (file: lib.any file.hasExt exts) ./nixpkgs)
            (fileFilter (file: lib.any file.hasExt exts) ./users)
            ./shell.nix
          ];
      };
  in
  rec {
    # nix -L build .#hello
    # The whole patched nixpkgs (with overlays), per system.
    packages = forAllSystems ({ pkgs, ... }: pkgs);

    # nix -L build .#nixosConfigurations.oignon.config.system.build.toplevel
    # nix -L build .#nixosConfigurations.oignon.config.boot.kernelPackages.kernel.configfile
    # nix -L build .#nixosConfigurations.oignon.pkgs.hello
    # nix eval --raw .#nixosConfigurations.oignon.config.networking.nftables.ruleset
    # One NixOS configuration per directory in hosts/, named after it and
    # evaluated from hosts/<hostName>.nix.
    nixosConfigurations =
      lib.genAttrs
        (builtins.attrNames (
          lib.filterAttrs (_n: v: v == "directory") (builtins.readDir (self + "/hosts"))
        ))
        (
          hostName:
          nixosSystem {
            # The platform comes from each host's nixpkgs.hostPlatform.
            system = null;
            specialArgs = {
              # Required to avoid infinite recursion
              # when `inputs` is used in `imports`.
              inherit inputs;
            };
            modules = [
              nixos/default.nix
              ./hosts.nix
              (import (self + "/hosts/${hostName}.nix"))
              inputs.lanzaboote.nixosModules.lanzaboote
              inputs.home-manager.nixosModules.home-manager
              (
                { config, ... }:
                let
                  inherit (config.nixpkgs.hostPlatform) system;
                  # Extra package sets built from the unstable inputs (master,
                  # and a pinned commit), with the same overlays as `pkgs`.
                  pkgs-unstable = import inputs.nixpkgs-unstable.outPath {
                    inherit system;
                    overlays = overlays { inherit inputs system; };
                  };
                  pkgs-unstable-latest = import inputs.nixpkgs-unstable-latest.outPath {
                    inherit system;
                    overlays = overlays { inherit inputs system; };
                  };
                in
                {
                  # Module arguments: the unstable package sets, every host's
                  # configuration (`hosts`) and this host's own module args (`host`).
                  _module.args = {
                    inherit hostName pkgs-unstable pkgs-unstable-latest;
                    hosts = nixosConfigurations;
                    host = nixosConfigurations.${hostName}._module.args;
                  };
                  nixpkgs = {
                    overlays = overlays {
                      inherit inputs;
                      inherit (config.nixpkgs.hostPlatform) system;
                    };
                    config.permittedInsecurePackages = [
                      # Still needed for chatty
                      # See https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802%3E
                      # and https://gitlab.gnome.org/World/Chatty/-/issues/932
                      "olm-3.2.16"
                    ];
                    # Unfree packages are an explicit allow-list by exact
                    # package name; anything not listed stays refused.
                    config.allowUnfreePredicate =
                      pkg:
                      builtins.elem (lib.getName pkg) [
                        "anydesk"
                        "canon-cups-ufr2"
                        "cudatoolkit"
                        "geogebra"
                        "hplip"
                        "memtest86-efi"
                        "nvidia-settings"
                        "nvidia-x11"
                      ];
                  };
                  home-manager = {
                    useGlobalPkgs = true;
                    useUserPackages = true;
                    verbose = true;
                    #force = true;
                    backupFileExtension = "old";
                    # Same extra arguments as the NixOS modules get above.
                    extraSpecialArgs = {
                      inherit
                        inputs
                        hostName
                        pkgs-unstable
                        pkgs-unstable-latest
                        ;
                    };
                  };
                }
              )
            ];
          }
        );

    # nix -L develop or direnv allow
    # Development shell from shell.nix; its shellHook is taken from the
    # git-hooks check below so the configured hooks are set up on entry.
    devShells = forAllSystems (
      { pkgs, system, ... }:
      {
        default = pkgs.callPackage (self + "/shell.nix") {
          inherit
            pkgs
            inputs
            system
            nixpkgsPath
            ;
          inherit (checks.${system}.git-hooks-check) shellHook;
        };
      }
    );

    # nix -L run .#oignon.switch
    # One attribute set of apps per host, keyed by hostName.
    apps = forAllSystems (
      { pkgs, system, ... }:
      with builtins;
      mapAttrs (
        hostName:
        { config, ... }:
        let
          inherit (config.system) build;
          # Wrap `script` as a flake app named "<hostName>-<scriptName>" with
          # coreutils and `ps` prepended to PATH. `set -eux` aborts on the first
          # failing command or unset variable and traces each command, so the
          # exact commands sent to the target are visible in the output.
          scriptApp = scriptName: ps: script: {
            type = "app";
            program =
              (pkgs.writeShellScript "${hostName}-${scriptName}" ''
                export PATH="${lib.makeBinPath ([ pkgs.coreutils ] ++ ps)}:$PATH"
                set -eux
                ${script}
              '').outPath;
          };
        in
        {
          # Example: nix run .#aubergine.switch
          # Deploy this host to config.install.target over ssh:
          #  1. make every *.gpg file unreadable by group/others and drop them
          #     from the git index (restored on exit) so they are not copied
          #     to /nix/store;
          #  2. GC-root the patched nixpkgs and the toplevel under hosts/;
          #  3. copy the toplevel closure to the target;
          #  4. on the target, unless NO_NIXOS_FALLBACK is set, arm a transient
          #     `nixos-fallback` unit that after 10 minutes switches back to the
          #     current system `profile` and reboots, then test the new
          #     configuration;
          #  5. on success stop the fallback, point `profile` at the new
          #     toplevel, register it for boot and delete generations older
          #     than 7 days; on failure stop the fallback and exit non-zero.
          "switch" = scriptApp "switch" [ ] ''
            shopt -s globstar

            chmod -R g-rwx,o-rwx **/*.gpg
            trap 'git reset **/*.gpg' EXIT
            git rm -rf --cached --ignore-unmatch **/*.gpg # prevent copying to /nix/store

            nix-store --add-root hosts/${hostName}.nixpkgs --indirect --realise ${nixpkgsPath}
            nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}

            nix copy --to "ssh://${config.install.target}?''${targetStore-}"${lib.optionalString config.install.substituteOnDestination " --substitute-on-destination"} ${build.toplevel}

            if ssh ${config.install.target} set -x ';' \
              systemctl reset-failed nixos-fallback '2>/dev/null' ';' \
              test "''${NO_NIXOS_FALLBACK:+set}" '||' \
              systemd-run -u nixos-fallback --description=nixos-fallback /bin/sh -xc '''\'''
                PATH=${
                  with pkgs;
                  lib.makeBinPath [
                    coreutils
                    nix
                    systemd
                  ]
                }
                sleep $((10 * 60))
                ${profile}/bin/switch-to-configuration switch
                systemctl reboot
              '\'''' '&&' \
              ${build.toplevel}/bin/switch-to-configuration test
            then
              ssh ${config.install.target} -o ControlPath=none set -x ';' \
                systemctl stop nixos-fallback.service ';' \
                nix-env --profile ${profile} --set '${build.toplevel}' ';' \
                ${build.toplevel}/bin/switch-to-configuration boot '&&' \
                nix-env --delete-generations 7d --profile ${profile}
            else
              tput rev
              echo WARNING: switch-to-configuration was not registered at boot
              tput sgr0
              ssh ${config.install.target} -o ControlPath=none set -x ';' \
                systemctl stop nixos-fallback.service
              false
            fi
          '';
        }
      ) nixosConfigurations
    );

    # nix flake check
    # Runs the git hooks (currently nixfmt-rfc-style) over the flake's own
    # source `self`; devShells reuses its shellHook.
    checks = forAllSystems (
      args: with args; {
        git-hooks-check = inputs.git-hooks.lib.${system}.run {
          src = self;
          hooks = {
            nixfmt-rfc-style.enable = true;
          };
        };
      }
    );
  };
343 };
344 }