nix: update to latest nixpkgs
# Flake for the Sourcephile hosts: a patched nixpkgs tree, one NixOS configuration
# per host (`nixosConfigurations`), and per-host deployment helpers exposed as apps
# (`switch`, `install-sd`, `sendkeys`).
{
  # Pin down nixpkgs from github, instead of using global, system or user registries.
  # The revision is fixed in the URL itself (and in flake.lock), so every host is built
  # from the same nixpkgs tree whatever registry the building machine is configured with.

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/c47fcb70c6885d6df869934280ebeb715ca7e6fd";
  #inputs.nixpkgs.url = "flake:nixpkgs";
  inputs.flake-utils.url = "github:numtide/flake-utils";
  inputs.home-manager.follows = "julm-nix/home-manager";
  # Follows a branch (`ref=main`) rather than a commit; the revision actually used is
  # the one recorded in flake.lock, so updating it is an explicit `nix flake update` step.
  inputs.julm-nix.url = "git+https://git.hut.sourcephile.fr/~julm/julm-nix?ref=main";
  #inputs.julm-nix.url = "path:julm-nix"; # XXX: this puts the whole folder in the Nix store
  inputs.julm-nix.inputs.flake-utils.follows = "flake-utils";
  inputs.julm-nix.inputs.nixpkgs.follows = "nixpkgs";
  inputs.nix-doom-emacs.follows = "julm-nix/nix-doom-emacs";
  inputs.emacs-overlay.follows = "julm-nix/emacs-overlay";
  # Non-flake path inputs. Like the `path:` input above, their contents are copied into
  # the Nix store, which every local user can read: only data that is safe there belongs
  # in these folders. The `.gpg` files referenced below suggest ./pass holds ciphertext
  # only — NOTE(review): confirm the same holds for ./sec.
  inputs.shell = { type = "path"; path = "./shell"; flake = false; };
  inputs.secrets = { type = "path"; path = "./sec"; flake = false; };
  inputs.pass = { type = "path"; path = "./pass"; flake = false; };
  outputs = inputs: let
    # Extra patches applied on top of the pinned nixpkgs: the remote ones are fetched
    # by hash through `fetchpatch`, the local one ships in this repository.
    remoteNixpkgsPatches = import nixpkgs/patches.nix;
    localNixpkgsPatches = [
      nixpkgs/patches/sourcehut.diff
    ];
    # Unpatched nixpkgs, only used to obtain `applyPatches`, `fetchpatch` and `lib`.
    originPkgs = inputs.nixpkgs.legacyPackages."x86_64-linux";
    # The nixpkgs tree every host is built from. `postPatch` writes a 7-hex-char digest
    # of the patch set into .version-suffix so the patched tree can be told apart from
    # plain nixpkgs (presumably via nixpkgs' version string — confirm).
    nixpkgs = originPkgs.applyPatches {
      name = "nixpkgs-patched";
      src = inputs.nixpkgs;
      patches = map originPkgs.fetchpatch remoteNixpkgsPatches ++ localNixpkgsPatches;
      postPatch = ''
        patch=$(printf '%s\n' ${builtins.concatStringsSep " "
          (map (p: p.sha256) remoteNixpkgsPatches ++ localNixpkgsPatches)} |
          sort | sha256sum | cut -c -7)
        echo "+patch-$patch" >.version-suffix
      '';
    };
    lib = originPkgs.lib;
    # Builds one NixOS system per attribute of the given set. Each `hostConfig` is a
    # path (hosts/<name>.nix) evaluating to the arguments of eval-config.nix, which are
    # extended here with the shared specialArgs, extraArgs and modules.
    hosts = builtins.mapAttrs (hostName: hostConfig:
      let cfg = import hostConfig { inherit inputs hostName; }; in
      import (nixpkgs + "/nixos/lib/eval-config.nix") (cfg // {
        specialArgs = {
          inherit hostName inputs;
          private = "/root/private"; # Kept out of /nix/store
        };
        # Lets a host's modules look at the evaluated configurations of the other hosts.
        extraArgs = {
          hosts = inputs.self.nixosConfigurations;
          host = inputs.self.nixosConfigurations.${hostName}.extraArgs;
        } // (cfg.extraArgs or {});
        modules = cfg.modules ++ [
          inputs.home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
            home-manager.verbose = true;
            home-manager.backupFileExtension = null;
            home-manager.extraSpecialArgs = {
              inherit hostName;
            };
          }
          ({ pkgs, ... }: {
            nix.package = pkgs.nixUnstable;
            # Same overlay set as the `legacyPackages` output below.
            nixpkgs.overlays =
              import nixpkgs/overlays.nix ++
              import (inputs.julm-nix + "/nixpkgs/overlays.nix");
            # Version suffix ".<YYYYMMDD>.<short rev>", or ".<date>.dirty" when built
            # from a working tree with uncommitted changes.
            system.nixos.versionSuffix = ".${
              lib.substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified)}.${
              inputs.self.shortRev or "dirty"}";
            # `inputs.self.rev` only exists for a clean checkout, so the revision is
            # recorded only then (a dirty build leaves these options unset).
            system.nixos.revision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
            # Let 'nixos-version --json' know about the Git revision of this flake.
            system.configurationRevision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
            # The initrd's SSH host key is never put in the store: the `switch` app below
            # decrypts it from the pass store and installs it at this path over SSH.
            boot.initrd.network.ssh.hostKeys = [ "/root/initrd/ssh.key" ];
            security.gnupg.agent.enable = true;
            # This host's slice of the encrypted pass store (a flake input, hence a store path).
            security.gnupg.store = inputs.pass + "/hosts/${hostName}";
            /*
            system.configurationRevision =
              if inputs.self ? rev
              then inputs.self.rev
              else throw "Refusing to build from a dirty Git tree!";
            */
            # Pin the host keys of the fleet so ssh and `nix copy` between these hosts
            # never depend on accepting an unknown key at first connection.
            programs.ssh.knownHosts = {
              carotte = {
                hostNames = [ "carotte" "carotte.sourcephile.fr" ];
                publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnnS0w9zm5KuWwlfJu+qEXC0asESQySPp76szyMTE3J";
              };
              mermet = {
                hostNames = [ "mermet" "mermet.sourcephile.fr" ];
                publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvKN2sIpH782MFjaOpcty1Hs/T/TPNJpXI08H3O3oxl";
              };
              losurdo = {
                hostNames = [ "losurdo" "losurdo.sourcephile.fr" ];
                publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJkAq1T0Dxozt4RPylvWrUmeuejiG+n/owb3ucnWP9F";
              };
            };
          })
        ];
      }));
  in
  {
    # Example: nix -L build .#nixosConfigurations.losurdo.config.system.build.toplevel
    # Example: nix eval .#nixosConfigurations.losurdo.config.networking.hostName
    nixosConfigurations = hosts {
      carotte = hosts/carotte.nix;
      losurdo = hosts/losurdo.nix;
      mermet = hosts/mermet.nix;
    };
    #nixosModule = import nixos/modules.nix;
  }
  // inputs.flake-utils.lib.eachDefaultSystem (system:
    #let pkgs = inputs.nixpkgs.legacyPackages.${system}; in
    let
      # Patched nixpkgs with the same overlays the hosts use.
      pkgs = import nixpkgs {
        inherit system;
        overlays =
          import nixpkgs/overlays.nix ++
          import (inputs.julm-nix + "/nixpkgs/overlays.nix");
      };
    in {
      legacyPackages = pkgs;
      devShell = import ./shell.nix { inherit inputs pkgs; };
      # One set of deployment apps per NixOS configuration, keyed by host name.
      apps = builtins.mapAttrs (hostName: { config, ... }: let
        build = config.system.build;
        # Shell fragment for the deploy target: TARGET in the environment overrides the
        # default root@<hostName>.<domain>. The quotes are part of the generated script.
        target = "\"\${TARGET:-root@${config.networking.hostName}.${config.networking.domain}}\"";
        profile = "/nix/var/nix/profiles/system";
      in rec {
        # Example: nix run .#losurdo.switch
        # Realises the system closure locally (the GC root is relative to the current
        # directory, so run this from the repository root), copies it to the target,
        # runs `sendkeys`, installs the initrd secrets over SSH and switches the remote
        # profile. `set -e` plus `pipefail` aborts on a failed `gpg --decrypt`;
        # NOTE(review): the remote `install` reads /dev/stdin and may already have
        # created an empty key file by then — confirm the target tolerates that.
        "switch" = {
          type = "app";
          program = (pkgs.writeShellScript "switch" ''
            set -eux
            set -o pipefail
            nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}
            nix copy --to ssh://${target} --substitute-on-destination ${build.toplevel}
            ${sendkeys.program}
            # Send the SSH key of the initrd
            test ! -e '${config.security.gnupg.store}/initrd/ssh.key.gpg' ||
            gpg --decrypt '${config.security.gnupg.store}/initrd/ssh.key.gpg' |
            ssh ${target} install -D -m 400 -o root -g root /dev/stdin /root/initrd/ssh.key
            # Send the Wireguard key of the initrd
            test ! -e '${config.security.gnupg.store}/wireguard/wg-intra/privateKey.gpg' ||
            gpg --decrypt '${config.security.gnupg.store}/wireguard/wg-intra/privateKey.gpg' |
            ssh ${target} install -D -m 400 -o root -g root /dev/stdin /root/initrd/wg-intra.key
            ssh ${target} \
              nix-env --profile '${profile}' --set '${build.toplevel}' '&&' \
              '${profile}'/bin/switch-to-configuration switch
          '').outPath;
        };
        # Example: nix run .#carotte.install-sd
        # Decompresses the built SD image and writes it with sudo over the block device
        # given as the first argument, /dev/mmcblk0 when none is given. The whole device
        # is overwritten, so double-check the argument before running it.
        "install-sd" = {
          type = "app";
          program = (pkgs.writeShellScript "install-sd" ''
            export PATH="$PATH:${with pkgs; lib.makeBinPath [coreutils zstd]}"
            set -eux
            set -o pipefail
            nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.sdImage}
            unzstd --stdout ${build.sdImage}/sd-image/*.img.zst |
            sudo -k dd conv=notrunc oflag=direct,sync status=progress of="''${1:-/dev/mmcblk0}"

          '').outPath;
        };
        # Example: nix run .#losurdo.sendkeys
        # Runs the `gnupg-agent-sendKeys` script exposed by this host's
        # `security.gnupg.agent.sendKeys` option (presumably provided by the julm-nix
        # modules — confirm); also invoked from `switch` above.
        "sendkeys" = {
          type = "app";
          #program = config.security.gnupg.agent.sendKeys + "/bin/gnupg-agent-sendKeys";
          program = (pkgs.writeShellScript "sendkeys" ''
            set -eux
            ${pkgs.bash}/bin/bash -eux ${config.security.gnupg.agent.sendKeys + "/bin/gnupg-agent-sendKeys"}
          '').outPath;
        };
      }) inputs.self.nixosConfigurations;}
  );
}