2 # Pin down nixpkgs instead of using global, system or user registries.
 
   # Full 40-hex commit, not a branch or tag: this input cannot move underneath a build; bump it deliberately.
   3 inputs.nixpkgs.url = "github:NixOS/nixpkgs/31a4e2e28bf29fc5ab1f70d28b5dbc2205a638a0";
 
   4 #inputs.nixpkgs.url = "flake:nixpkgs";
 
   # NOTE(review): unlike nixpkgs above, this follows flake-utils' default branch; its pin exists only in flake.lock — confirm the lock file is committed with this flake.
   5 inputs.flake-utils.url = "github:numtide/flake-utils";
 
   # Non-flake path input: the directory is copied into the Nix store and exposed as inputs.shell.
   6 inputs.shell = { type = "path"; path = "./shell"; flake = false; };
 
   # NOTE(review): a path input is copied into /nix/store, which is world-readable on every host that builds or receives it;
   # ./sec should therefore hold only ciphertext (the *.gpg files read via config.security.gnupg.store in the apps below) — confirm.
   7 inputs.secrets = { type = "path"; path = "./sec"; flake = false; };
 
   # Same caveat as the secrets input: store contents are not private, so only encrypted material belongs here — confirm.
   8 inputs.pass = { type = "path"; path = "./pass"; flake = false; };
 
  10   #   sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
 
  11   remoteNixpkgsPatches = [
 
  12     { meta.description = "dstat: fix pluginpath";
 
  13       url = "https://github.com/NixOS/nixpkgs/pull/80151.diff";
 
  14       sha256 = "0jjw2gvp7b7v2n2m2d6yj0gw711j6p9lyjf5ywp2y9ql6905qf4b";
 
  16     { meta.description = "syncoid: fix PATH to let it use sudo";
 
  17       url = "https://github.com/NixOS/nixpkgs/pull/83901.diff";
 
  18       sha256 = "0q2dicmvl3h3hb9xdd870n5hf6lac489p000c7f1r6k70sh2id4l";
 
  20     { meta.description = "sanoid: fix sanoid.conf generation";
 
  21       url = "https://github.com/NixOS/nixpkgs/pull/83904.diff";
 
  22       sha256 = "Sy9wPmL+Lfl7hMEeXYOEMk3KlfdL21aL92v6MiGajds=";
 
  24     { meta.description = "nixos/public-inbox: init";
 
  25       url = "https://github.com/NixOS/nixpkgs/pull/77450.diff";
 
  26       sha256 = "13ikg7chpbf6rrg5sngbdb95q3awhdgl4g8vci42xmqyf208hzzd";
 
  28     { meta.description = "nixos/security.gnupg: provisioning GnuPG-protected secrets through the Nix store";
 
  29       url = "https://github.com/NixOS/nixpkgs/pull/93659.diff";
 
  30       sha256 = "3im5nSrlM32DQUeq0Yp1MHkUcQyLdCGbxfJjgcc9e78=";
 
  32     { meta.description = "nixos/croc: init";
 
  33       url = "https://github.com/NixOS/nixpkgs/pull/93629.diff";
 
  34       sha256 = "sha256-hzs5Z9cYCo6aNFfylB37W+1neejV4/kVyM1QmqVhVww=";
 
  36     { meta.description = "dovecot_fts_xapian: 1.3.1 -> 1.3.3";
 
  37       url = "https://github.com/NixOS/nixpkgs/pull/94938.diff";
 
  38       sha256 = "10bjwcwpvq7nnqdpz0n7c61kb3b27v1abyc80pki7d13jmzzjc04";
 
  40     { meta.description = "transmission: use freeformType on settings";
 
  41       url = "https://github.com/NixOS/nixpkgs/pull/96655.diff";
 
  42       sha256 = "sha256-5TRjz57xKcQuTUkEZ2cBwH6nCXxMfKcAHAogc/gMcjg=";
 
  44     { meta.description = "tor: improve type-checking and hardening";
 
  45       url = "https://github.com/NixOS/nixpkgs/pull/97740.diff";
 
  46       sha256 = "sha256-ojmDxbGtfsvrUCtjkR7ZynayEGNDLwYl2Ea6yLOQpIk=";
 
  49     { meta.description = "nixos/postfix: add sandbox";
 
  50       url = "https://github.com/NixOS/nixpkgs/pull/93305.diff";
 
  51       sha256 = "sha256-KmoaPj8G4kRlwkBKo/giyST8xQfnjX3OJhh68NKNaRI=";
 
  53     { meta.description = "nixos/rspamd: add sandbox";
 
  54       url = "https://github.com/NixOS/nixpkgs/pull/93293.diff";
 
  55       sha256 = "sha256-7OfBzJPeGVhHf4ziYLwOpqaYbElCsjLkT4Y/bbCOPx0=";
 
  58     { meta.description = "nixos/syncoid: split in multiple systemd services";
 
  59       url = "https://github.com/NixOS/nixpkgs/pull/98455.diff";
 
  60       sha256 = "sha256-ukZd0ti3Rh9EVKhjXEdhvIvpekz9bvbeWqLskrkcJkE=";
 
  62     { meta.description = "zerobin: update to v1.0.5";
 
  63       url = "https://github.com/NixOS/nixpkgs/pull/98734.diff";
 
  64       sha256 = "sha256-5aEawomO8c33I4CNDxHONpxalpz3NX37JavNQUCjNIw=";
 
  67   localNixpkgsPatches = [
 
  68     #nixpkgs/patches/zerobin.diff
 
  69     #nixpkgs/patches/gitolite.diff
 
  70     #nixpkgs/patches/tor.diff
 
  71     #nixpkgs/patches/fix-ld-nix.diff
 
  72     #nixpkgs/patches/fix-ld-nix-apparmor.diff
 
  # Unpatched nixpkgs for a hard-coded x86_64-linux; used below to obtain applyPatches and fetchpatch.
  # NOTE(review): because the system is fixed here, the patched tree is always produced by an x86_64-linux evaluation.
  74   originPkgs = inputs.nixpkgs.legacyPackages."x86_64-linux";
 
  75   nixpkgs = originPkgs.applyPatches {
 
  # Store path name of the patched nixpkgs tree.
  76     name = "nixpkgs-patched";
 
  # Remote patches go through fetchpatch, a fixed-output fetch keyed by each entry's sha256: if a PR .diff changes
  # after the hash was recorded, the fetch fails instead of silently applying different content.
  # Function application binds tighter than ++, so the local patch paths are appended as-is, not fetched.
  78     patches = map originPkgs.fetchpatch remoteNixpkgsPatches ++ localNixpkgsPatches;
 
  80       patch=$(printf '%s\n' ${builtins.concatStringsSep " "
 
  81          (map (p: p.sha256) remoteNixpkgsPatches ++ localNixpkgsPatches)} |
 
  82         sort | sha256sum | cut -c -7)
 
  83       echo "+patch-$patch" >.version-suffix
 
  87   machines = builtins.mapAttrs (machineName: machineConfig:
 
  88     let cfg = import machineConfig { inherit inputs; }; in
 
  89     import (nixpkgs + "/nixos/lib/eval-config.nix") (cfg // {
 
  # Presumably part of the argument set handed to eval-config (the enclosing attribute starts on a line not shown here) — confirm.
  91         inherit machineName inputs;
 
  # Every machine's evaluation can see all the others through this attribute; lazy evaluation is what keeps
  # the self-reference via inputs.self from recursing eagerly.
  92         machines = inputs.self.nixosConfigurations;
 
  93       } // (cfg.extraArgs or {});
 
  94       modules = cfg.modules ++ [({pkgs, ...}: {
 
  # Pin the 'nixpkgs' registry entry on the target to the patched tree built above, so `nix` commands run on the
  # machine resolve it to the same source the system was built from.
  95         nix.registry.nixpkgs.flake = nixpkgs;
 
  # Nix build with flake support, needed for the registry entry above and the feature flag below.
  96         nix.package = pkgs.nixFlakes;
 
  # Enable the flake CLI on the target; both features are still behind the experimental-features switch at this pin.
  97         nix.extraOptions = "experimental-features = nix-command flakes";
 
  # Same overlay set as the per-system package set (nixpkgs/overlays.nix is imported again in the eachDefaultSystem branch below).
  98         nixpkgs.overlays = import nixpkgs/overlays.nix;
 
  # Version suffix of the form .YYYYMMDD.<shortrev>: the date is the first 8 characters of the flake's
  # lastModifiedDate (falling back to lastModified), the revision falls back to "dirty" when no shortRev is available.
  99         system.nixos.versionSuffix = ".${
 
 100           lib.substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${
 
 101           inputs.self.shortRev or "dirty"}";
 
 # Record the Git revision only when the flake is evaluated from a clean checkout (inputs.self.rev is absent for a dirty tree).
 102         system.nixos.revision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
 
 103         # Let 'nixos-version --json' know about the Git revision of this flake.
 
 # NOTE(review): line 107 below appears to define system.configurationRevision a second time, unconditionally and
 # with a throw on a dirty tree; if both definitions are active NixOS reports a conflict — confirm one is commented out.
 104         system.configurationRevision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
 
 # NOTE(review): the initrd SSH host key is read from this path on the target and bundled into the initrd, which
 # lives unencrypted on the boot partition; protect /boot like /root/initrd and keep this key distinct from the
 # main sshd host key. The file itself is provisioned by the switch app below — confirm.
 105         boot.initrd.network.ssh.hostKeys = [ "/root/initrd/ssh.key" ];
 
 107         system.configurationRevision =
 
 110           else throw "Refusing to build from a dirty Git tree!";
 
 116     # nix -L build .#nixosConfigurations.${machineName}.config.system.build.toplevel
 
 117     nixosConfigurations = machines {
 
 # Per-machine entry point; a relative path literal resolved from the flake root.
 118       losurdo = machines/losurdo.nix;
 
 # Per-machine entry point; a relative path literal resolved from the flake root.
 119       mermet  = machines/mermet.nix;
 
 122   // inputs.flake-utils.lib.eachDefaultSystem (system:
 
 123     #let pkgs = inputs.nixpkgs.legacyPackages.${system}; in
 
 125       pkgs = import nixpkgs {
 
 # Same overlays as the NixOS modules above; the enclosing `import nixpkgs { … }` begins on a line not shown here.
 128         overlays = import nixpkgs/overlays.nix;
 
 # Expose the per-system, overlaid package set (e.g. for `nix build .#<pkg>`).
 131     legacyPackages = pkgs;
 
 # Development shell, parameterised on the flake inputs and the overlaid package set.
 132     devShell = import ./shell.nix { inherit inputs pkgs; };
 
 133     apps = builtins.mapAttrs (machineName: { config, ... }: let
 
 # NOTE(review): this `system` (the machine's top-level closure) shadows the `system` platform string bound by
 # eachDefaultSystem above; the shell scripts below use it as the store path to copy and activate.
 134       system = config.system.build.toplevel;
 
 135       keygrip = builtins.getAttr machineName {
 
 # GnuPG keygrip of the machine's root key; matched against gpg-agent's KEYINFO output and passed to
 # gpg-preset-passphrase in the sendkeys app below.
 136         losurdo = "9AA84E6F6D71F9163C46BF396B141A0806219077";
 
 # GnuPG keygrip of the machine's root key; matched against gpg-agent's KEYINFO output and passed to
 # gpg-preset-passphrase in the sendkeys app below.
 137         mermet  = "89F52A879E0019A966503AFFDE72EEA84CDFA3A7";
 
 # SSH deployment target derived from the machine's own networking config; the remote steps (install into /root,
 # nix-env on the system profile, switch-to-configuration) all need root.
 139       target = "root@${config.networking.hostName}.${config.networking.domain}";
 
 # Let the target fetch paths from its own substituters instead of receiving everything over the SSH connection.
 140       nixCopyFlags = ["--substitute-on-destination"];
 
 # System profile updated by the switch app (nix-env --profile … --set) before activation.
 141       profile = "/nix/var/nix/profiles/system";
 
 143       # Example: nix run .#losurdo.switch
 
 146         program = (pkgs.writeShellScript "switch" ''
 
 149           nix-store --add-root machines/${machineName}.root --indirect --realise ${system}
 
 150           ${pkgs.nixFlakes}/bin/nix copy --to ssh://'${target}' \
 
 151            ${lib.escapeShellArgs nixCopyFlags} ${system}
 
 153           # Send the SSH key of the initrd
 
 154           gpg --decrypt '${config.security.gnupg.store}/initrd/ssh.key.gpg' |
 
 155           ssh '${target}' install -D -m 400 -o root -g root /dev/stdin /root/initrd/ssh.key
 
 156           # Send the Wireguard key of the initrd
 
 157           gpg --decrypt '${config.security.gnupg.store}/wireguard/wg-intra/privateKey.gpg' |
 
 158           ssh '${target}' install -D -m 400 -o root -g root /dev/stdin /root/initrd/wg-intra.key
 
 160             nix-env --profile '${profile}' --set '${system}' '&&' \
 
 161             '${profile}'/bin/switch-to-configuration switch
 
 164       # Example: nix run .#losurdo.sendkeys
 
 167         program = (pkgs.writeShellScript "sendkeys" ''
 
 171             ${pkgs.gnupg}/bin/gpg-connect-agent --no-autostart --homedir /var/lib/gnupg "'keyinfo --list'" /bye 2>&1 |
 
 172           grep -qx -e "gpg-connect-agent: no gpg-agent running in this session" \
 
 173                    -e "S KEYINFO ${keygrip} . . . 1 .*" || {
 
 174             # Send the GnuPG root key
 
 175             gpg --decrypt '${config.security.gnupg.store}/root/key.pass.gpg' |
 
 176             gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
 
 178               gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
 
 180             # Send the GnuPG root key's passphrase
 
 181             gpg --decrypt '${config.security.gnupg.store}/root/key.pass.gpg' |
 
 183               gpg-preset-passphrase --homedir /var/lib/gnupg --preset ${keygrip}
 
 187     }) inputs.self.nixosConfigurations;}