{
-inputs.nixpkgs.url = "github:NixOS/nixpkgs/2b24fa4db8e5f4e3b3873d020b9cd2d3111005af";
+inputs.nixpkgs.url = "github:NixOS/nixpkgs/495b19d5b3e62b4ec7e846bdfb6ef3d9c3b83492";
inputs.flake-utils.url = "github:numtide/flake-utils";
inputs.home-manager.url = "github:nix-community/home-manager";
inputs.home-manager.inputs.nixpkgs.follows = "nixpkgs";
+inputs.doom-emacs.url = "github:hlissner/doom-emacs";
+inputs.doom-emacs.flake = false;
inputs.nix-doom-emacs.url = "github:vlaci/nix-doom-emacs";
inputs.nix-doom-emacs.inputs.nixpkgs.follows = "nixpkgs";
inputs.nix-doom-emacs.inputs.home-manager.follows = "home-manager";
inputs.nix-doom-emacs.inputs.emacs-overlay.follows = "emacs-overlay";
inputs.emacs-overlay.url = "github:nix-community/emacs-overlay/master";
#inputs.pass = { type = "path"; path = "./pass"; flake = false; };
+
outputs = inputs: let
remoteNixpkgsPatches = import nixpkgs/patches.nix;
localNixpkgsPatches = [
patch=$(printf '%s\n' ${builtins.concatStringsSep " "
(map (p: p.sha256) remoteNixpkgsPatches ++ localNixpkgsPatches)} |
sort | sha256sum | cut -c -7)
- echo "+patch-$patch" >.version-suffix
+ echo "-patch-$patch" >.version-suffix
'';
};
lib = originPkgs.lib;
(builtins.attrNames (lib.filterAttrs (n: v: v == "directory") (builtins.readDir ./hosts)))
(hostName: nixosSystem rec {
system = "x86_64-linux";
- extraArgs = {
+ specialArgs = {
inherit hostName inputs;
- hosts = inputs.self.nixosConfigurations;
- private = "/root/private"; # Kept out of /nix/store
+ # Encrypted using git-crypt, hence kept out of /nix/store
+ private = "/root/private";
+ # Encrypted using systemd-creds, hence can go into the /nix/store
+ credentials = private/hosts + "/${hostName}/credentials";
};
pkgs = import nixpkgsPath {
inherit system;
overlays = import nixpkgs/overlays.nix;
};
modules = [
+ {
+ config._module.args = {
+ inherit hostName inputs;
+ hosts = inputs.self.nixosConfigurations;
+ };
+ }
+ (import nixos/options.nix)
(import (./hosts + "/${hostName}.nix"))
inputs.nixpkgs.nixosModules.notDetected
inputs.home-manager.nixosModules.home-manager
({ pkgs, ... }: {
- nix.registry.nixpkgs.flake = inputs.nixpkgs;
+ nix.registry.nixpkgs = lib.mkDefault { flake = inputs.nixpkgs; };
nix.package = pkgs.nixFlakes;
nix.extraOptions = "experimental-features = nix-command flakes";
#nixpkgs.overlays = import nixpkgs/overlays.nix;
home-manager.verbose = true;
home-manager.backupFileExtension = null;
home-manager.extraSpecialArgs = {
- inherit hostName;
+ inherit hostName inputs;
};
}
];
overlays = import nixpkgs/overlays.nix;
}; in {
devShell = import ./shell.nix { inherit pkgs inputs system; };
+ apps = builtins.mapAttrs (hostName: { config, ... }: let
+ build = config.system.build;
+ target = "\"\${TARGET:-root@${config.networking.hostName}.${config.networking.domain}}\"";
+ profile = "/nix/var/nix/profiles/system";
+ in rec {
+ # Example: nix run .#aubergine.switch
+ "switch" = {
+ type = "app";
+ program = (pkgs.writeShellScript "switch" (''
+ set -eux
+ set -o pipefail
+
+ chmod -R g-rwx,o-rwx "private/root"
+ trap 'git reset private/root private/hosts/*/root' EXIT
+ git rm -rf --cached --ignore-unmatch private/root private/hosts/*/root # prevent copying to /nix/store
+
+ nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}
+ nix-store --add-root hosts/${hostName}.nixpkgs --indirect --realise ${nixpkgsPath}
+ nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}
+ nix copy --to ssh://${target}${lib.optionalString config.install.substituteOnDestination " --substitute-on-destination"} ${build.toplevel}
+ ssh ${target} systemctl start nixos-fallback.service ';' \
+ nix-env --profile ${profile} --set '${build.toplevel}' '&&' \
+ ${profile}/bin/switch-to-configuration test
+ ssh ${target} -o ControlPath=none \
+ systemctl stop nixos-fallback.service ';' \
+ ${profile}/bin/switch-to-configuration boot '&&' \
+ nix-env --delete-generations 7d --profile ${profile}
+ ''
+ )).outPath;
+ };
+ }) inputs.self.nixosConfigurations;
}
);
}
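Review bot: The `git rm -rf --cached … private/root private/hosts/*/root # prevent copying to /nix/store` line runs inside the generated `switch` script, i.e. after `nix run` has already evaluated this flake and copied the tracked working tree into the store, so from the visible lines it cannot keep that evaluation's copy of `private/root` out of /nix/store — only later evaluations would benefit; if the intended workflow is to untrack before evaluating, that should be stated next to the `# prevent copying to /nix/store` comment, otherwise the untracking belongs outside the script. The `nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}` line appears twice (before and after the `.nixpkgs` root); the second is redundant and can be dropped. The `chmod -R g-rwx,o-rwx "private/root"` covers only `private/root` while the `git rm`/`git reset` pair also covers `private/hosts/*/root`, which looks like an oversight worth confirming. The new `inputs.doom-emacs` input has no matching `inputs.nix-doom-emacs.inputs.doom-emacs.follows = "doom-emacs";` alongside the other `follows` lines, so nix-doom-emacs will presumably still fetch its own copy unless that is intended.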