wg-intra: polish
index e4f4fc611cb52377049c5e954c772e2325fc4b1a..68ddbca9dca84b23e9f599c14bbbc372b3d0d5b5 100644 (file)
--- a/flake.nix
+++ b/flake.nix
@@ -1,8 +1,10 @@
 {
-inputs.nixpkgs.url = "github:NixOS/nixpkgs/2b24fa4db8e5f4e3b3873d020b9cd2d3111005af";
+inputs.nixpkgs.url = "github:NixOS/nixpkgs/495b19d5b3e62b4ec7e846bdfb6ef3d9c3b83492";
 inputs.flake-utils.url = "github:numtide/flake-utils";
 inputs.home-manager.url = "github:nix-community/home-manager";
 inputs.home-manager.inputs.nixpkgs.follows = "nixpkgs";
+inputs.doom-emacs.url = "github:hlissner/doom-emacs";
+inputs.doom-emacs.flake = false;
 inputs.nix-doom-emacs.url = "github:vlaci/nix-doom-emacs";
 inputs.nix-doom-emacs.inputs.nixpkgs.follows = "nixpkgs";
 inputs.nix-doom-emacs.inputs.home-manager.follows = "home-manager";
@@ -10,6 +12,7 @@ inputs.nix-doom-emacs.inputs.flake-utils.follows = "flake-utils";
 inputs.nix-doom-emacs.inputs.emacs-overlay.follows = "emacs-overlay";
 inputs.emacs-overlay.url = "github:nix-community/emacs-overlay/master";
 #inputs.pass = { type = "path"; path = "./pass"; flake = false; };
+
 outputs = inputs: let
   remoteNixpkgsPatches = import nixpkgs/patches.nix;
   localNixpkgsPatches = [
@@ -23,7 +26,7 @@ outputs = inputs: let
       patch=$(printf '%s\n' ${builtins.concatStringsSep " "
          (map (p: p.sha256) remoteNixpkgsPatches ++ localNixpkgsPatches)} |
         sort | sha256sum | cut -c -7)
-      echo "+patch-$patch" >.version-suffix
+      echo "-patch-$patch" >.version-suffix
     '';
   };
   lib = originPkgs.lib;
@@ -34,10 +37,12 @@ outputs = inputs: let
     (builtins.attrNames (lib.filterAttrs (n: v: v == "directory") (builtins.readDir ./hosts)))
     (hostName: nixosSystem rec {
       system = "x86_64-linux";
-      extraArgs = {
+      specialArgs = {
         inherit hostName inputs;
-        hosts = inputs.self.nixosConfigurations;
-        private = "/root/private"; # Kept out of /nix/store
+        # Encrypted using git-crypt, hence kept out of /nix/store
+        private = "/root/private";
+        # Encrypted using systemd-creds, hence can go into the /nix/store
+        credentials = private/hosts + "/${hostName}/credentials";
       };
       pkgs = import nixpkgsPath {
         inherit system;
@@ -45,11 +50,18 @@ outputs = inputs: let
         overlays = import nixpkgs/overlays.nix;
       };
       modules = [
+        {
+          config._module.args = {
+            inherit hostName inputs;
+            hosts = inputs.self.nixosConfigurations;
+          };
+        }
+        (import nixos/options.nix)
         (import (./hosts + "/${hostName}.nix"))
         inputs.nixpkgs.nixosModules.notDetected
         inputs.home-manager.nixosModules.home-manager
         ({ pkgs, ... }: {
-          nix.registry.nixpkgs.flake = inputs.nixpkgs;
+          nix.registry.nixpkgs = lib.mkDefault { flake = inputs.nixpkgs; };
           nix.package = pkgs.nixFlakes;
           nix.extraOptions = "experimental-features = nix-command flakes";
           #nixpkgs.overlays = import nixpkgs/overlays.nix;
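Review bot: The new `config._module.args` module re-exports `hostName` and `inputs`, which the same commit already places in `specialArgs` (earlier hunk), so every module receives them twice by two mechanisms; keeping only `hosts = inputs.self.nixosConfigurations;` in `_module.args` (it depends on `self`, so it cannot live in `specialArgs` without a recursion risk) and leaving `hostName`/`inputs` to `specialArgs` would make the intent clearer. A one-line comment such as `# hosts must be a module arg, not a specialArg, to stay lazy w.r.t. inputs.self` above the block would record why the two are split. The `modules = [` list this hunk opens is closed outside the hunk.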
@@ -74,7 +86,7 @@ outputs = inputs: let
           home-manager.verbose = true;
           home-manager.backupFileExtension = null;
           home-manager.extraSpecialArgs = {
-            inherit hostName;
+            inherit hostName inputs;
           };
         }
       ];
@@ -89,6 +101,37 @@ outputs = inputs: let
       overlays = import nixpkgs/overlays.nix;
     }; in {
       devShell = import ./shell.nix { inherit pkgs inputs system; };
+      apps = builtins.mapAttrs (hostName: { config, ... }: let
+        build = config.system.build;
+        target = "\"\${TARGET:-root@${config.networking.hostName}.${config.networking.domain}}\"";
+        profile = "/nix/var/nix/profiles/system";
+        in rec {
+        # Example: nix run .#aubergine.switch
+        "switch" = {
+          type = "app";
+          program = (pkgs.writeShellScript "switch" (''
+            set -eux
+            set -o pipefail
+
+            chmod -R g-rwx,o-rwx "private/root"
+            trap 'git reset private/root private/hosts/*/root' EXIT
+            git rm -rf --cached --ignore-unmatch private/root private/hosts/*/root # prevent copying to /nix/store
+
+            nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}
+            nix-store --add-root hosts/${hostName}.nixpkgs --indirect --realise ${nixpkgsPath}
+            nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}
+            nix copy --to ssh://${target}${lib.optionalString config.install.substituteOnDestination " --substitute-on-destination"} ${build.toplevel}
+            ssh ${target} systemctl start nixos-fallback.service ';' \
+              nix-env --profile ${profile} --set '${build.toplevel}' '&&' \
+              ${profile}/bin/switch-to-configuration test
+            ssh ${target} -o ControlPath=none \
+              systemctl stop nixos-fallback.service ';' \
+              ${profile}/bin/switch-to-configuration boot '&&' \
+              nix-env --delete-generations 7d --profile ${profile}
+            ''
+          )).outPath;
+        };
+      }) inputs.self.nixosConfigurations;
     }
   );
 }
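Review bot: The `target` binding interpolates `config.networking.domain`, which NixOS defaults to `null`, so evaluating `.#<host>.switch` for any host that does not set a domain aborts with a string-coercion error before the script even runs; building the default as `root@${config.networking.hostName}${lib.optionalString (config.networking.domain != null) ".${config.networking.domain}"}` keeps the `TARGET` override and degrades to the bare hostname. The `nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}` line appears twice in the script, before and after the nixpkgs root; the second is a no-op and should be dropped. Whether the in-script `git rm -rf --cached ... private/root` actually keeps those files out of the store is not clear from here: `build.toplevel` has already been evaluated by the time the script executes, so it presumably only protects later evaluations — a comment stating which copy it is meant to guard (and that the `trap` restores the index on any exit, including the `set -e` failure path) would help the next reader.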