1 {
inputs = {
  # Everything but julm-nix is taken from julm-nix's own inputs via
  # `follows`, so this flake builds against whatever nixpkgs/home-manager/
  # doom-emacs/git-hooks that repository pins.
  #
  # NOTE(review): julm-nix is a *local* git checkout (git+file:///home/julm/…)
  # tracked on the mutable `main` ref; the exact revision is presumably pinned
  # by flake.lock, but nobody without that checkout at that path can evaluate
  # this flake without `--override-input julm-nix …`.
  julm-nix.url = "git+file:///home/julm/work/sourcephile/nix/julm-nix?ref=main";
  doom-emacs.follows = "julm-nix/doom-emacs";
  git-hooks.follows = "julm-nix/git-hooks";
  home-manager.follows = "julm-nix/home-manager";
  nixpkgs.follows = "julm-nix/nixpkgs";
};
9
10 outputs =
11 inputs:
12 let
# Patches applied on top of the nixpkgs input before anything is evaluated.
# Remote entries come from julm-nix and are expected to carry the `url`/`sha256`
# that fetchpatch needs (the sha256 is also folded into the version suffix),
# so the fetched content is hash-pinned rather than trusted from the network.
remoteNixpkgsPatches = import (inputs.julm-nix + "/nixpkgs/patches.nix");
# Local entries are plain files shipped inside the julm-nix checkout.
localNixpkgsPatches =
  let
    patchDir = inputs.julm-nix + "/nixpkgs/patches";
  in
  map (p: "${patchDir}/${p}") [
    #nixpkgs/patches/systemd-coredump.diff
    "openvpn/0001-nixos-netns-init-module-to-manage-network-namespaces.patch"
    "openvpn/0002-nixos-openvpn-add-netns-support.patch"
    "syncoid/0001-nixos-sanoid-add-utilities-useful-to-syncoid.patch"
    "syncoid/0002-nixos-syncoid-use-DynamicUser.patch"
  ];
# Unpatched x86_64 package set, used only to run applyPatches/fetchpatch.
originPkgs = inputs.nixpkgs.legacyPackages."x86_64-linux";
# The patched nixpkgs tree. Its `.version-suffix` is "-patch-<7 hex chars>",
# a digest of the (sorted) remote patch hashes and local patch store paths,
# so a built system's version string identifies which patch set it carries.
nixpkgsPath =
  let
    # Identifiers of every applied patch: pinned sha256 for remote ones,
    # store path for local ones.
    patchIds = (map (p: p.sha256) remoteNixpkgsPatches) ++ localNixpkgsPatches;
  in
  originPkgs.applyPatches {
    name = "nixpkgs-patched";
    src = inputs.nixpkgs;
    patches = (map originPkgs.fetchpatch remoteNixpkgsPatches) ++ localNixpkgsPatches;
    postPatch = ''
      patch=$(printf '%s\n' ${builtins.concatStringsSep " " patchIds} |
      sort | sha256sum | cut -c -7)
      echo "-patch-$patch" >.version-suffix
    '';
  };
# System profile whose generations the `switch` app sets/rolls back on the target.
profile = "/nix/var/nix/profiles/system";
inherit (inputs.nixpkgs) lib;
# Overlay stack for every package set built here: an empty placeholder,
# then julm-nix's overlays, then this repository's nixpkgs/overlays.nix.
# The `system` argument is accepted for symmetry but not used.
overlays =
  system:
  builtins.concatLists [
    [ (finalPkgs: previousPkgs: { }) ]
    (import (inputs.julm-nix + "/nixpkgs/overlays.nix"))
    (import nixpkgs/overlays.nix)
  ];
# Evaluate NixOS from the *patched* tree (nixpkgsPath) rather than through
# lib.nixosSystem, which appears to use the unpatched input and would hide the
# openvpn/syncoid module patches from module evaluation.
#nixosSystem = lib.nixosSystem;
nixosSystem = import (nixpkgsPath + "/nixos/lib/eval-config.nix");
# Apply `f` to { system, pkgs } for each system Nix exposes to flakes, where
# `pkgs` is the patched nixpkgs instantiated with the overlay stack above.
forAllSystems =
  f:
  lib.genAttrs lib.systems.flakeExposed (
    system:
    let
      #pkgs = inputs.nixpkgs.legacyPackages.${system};
      pkgs = import nixpkgsPath {
        inherit system;
        overlays = overlays system;
      };
    in
    f { inherit system pkgs; }
  );
58 in
59 {
60 # nix -L build .#hello
# Expose the whole patched+overlaid package set, so any attribute is buildable.
packages = forAllSystems ({ pkgs, ... }: pkgs);
62
63 # nix -L build .#nixosConfigurations.mermet.config.system.build.toplevel
64 # nix -L build .#nixosConfigurations.mermet.config.boot.kernelPackages.kernel.configfile
65 # nix -L build .#nixosConfigurations.mermet.pkgs.hello
66 # nix eval --raw .#nixosConfigurations.mermet.config.networking.nftables.ruleset
# One NixOS configuration per directory under hosts/. Each host needs both
# hosts/<name>/ (discovered here) and hosts/<name>.nix (imported below), and is
# evaluated with the *patched* nixpkgs (nixosSystem is eval-config.nix from
# nixpkgsPath).
nixosConfigurations =
  lib.genAttrs
    (builtins.attrNames (
      lib.filterAttrs (_n: v: v == "directory") (builtins.readDir (inputs.self + "/hosts"))
    ))
    (
      hostName:
      nixosSystem {
        # No fixed system here: nixpkgs.hostPlatform is expected to be set by
        # the host's modules and is read below to pick the overlay stack.
        system = null;
        specialArgs = {
          # Required to avoid infinite recursion
          # when `inputs` is used in `imports`.
          inherit inputs;
        };
        modules = [
          nixos/default.nix
          (inputs.julm-nix + "/nixos/default.nix")
          (inputs.self + "/hosts/${hostName}.nix")
          (
            { config, ... }:
            {
              _module.args = {
                inherit hostName;
                # `hosts`/`host` point back into this flake's own outputs;
                # this only terminates because attribute evaluation is lazy.
                hosts = inputs.self.nixosConfigurations;
                host = inputs.self.nixosConfigurations.${hostName}._module.args;
                info = import ./info.nix;
              };
              nixpkgs.overlays = overlays config.nixpkgs.hostPlatform.system;
              #nixpkgs.buildPlatform = "x86_64-linux";
              # Unfree packages are an exact allow-list (two printer drivers)
              # rather than a blanket allowUnfree = true.
              nixpkgs.config.allowUnfreePredicate =
                pkg:
                builtins.elem (lib.getName pkg) [
                  "canon-cups-ufr2"
                  "hplip"
                ];
            }
          )
          inputs.nixpkgs.nixosModules.notDetected
          inputs.home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
            home-manager.verbose = true;
            home-manager.backupFileExtension = null;
            home-manager.extraSpecialArgs = {
              inherit hostName inputs;
            };
          }
          {
            # Pinned ed25519 host keys for the three managed hosts, so SSH
            # between them (including `nix copy --to ssh://…` in the switch
            # app) never relies on trust-on-first-use. Rotating a host key
            # means updating the literal here.
            # NOTE(review): these land in the *configured hosts'* known_hosts;
            # a workstation running `nix run .#<host>.switch` only benefits if
            # it is itself built from this flake — confirm its own pinning.
            programs.ssh.knownHosts = {
              carotte = {
                extraHostNames = [
                  "carotte"
                  "carotte.sourcephile.fr"
                ];
                publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnnS0w9zm5KuWwlfJu+qEXC0asESQySPp76szyMTE3J";
              };
              mermet = {
                extraHostNames = [
                  "mermet"
                  "mermet.sourcephile.fr"
                ];
                publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvKN2sIpH782MFjaOpcty1Hs/T/TPNJpXI08H3O3oxl";
              };
              losurdo = {
                extraHostNames = [
                  "losurdo"
                  "losurdo.sourcephile.fr"
                ];
                publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJkAq1T0Dxozt4RPylvWrUmeuejiG+n/owb3ucnWP9F";
              };
            };
          }
        ];
      }
    );
143
144 # nix -L develop or direnv allow
# Development shell from ./shell.nix, handed the patched nixpkgs and the
# git-hooks shellHook so the pre-commit hooks get installed on entry.
# NOTE(review): `devShell` is the legacy singular output name; newer Nix
# looks for `devShells.<system>.default` first — confirm it is still honored.
devShell = forAllSystems (
  { pkgs, system, ... }:
  pkgs.callPackage ./shell.nix {
    inherit pkgs inputs system nixpkgsPath;
    shellHook = inputs.self.checks.${system}.git-hooks-check.shellHook;
  }
);
157
158 # nix -L run .#mermet.switch
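# nix -L run .#mermet.switch
# Per-host deployment apps, keyed by nixosConfigurations name.
apps = forAllSystems (
  { pkgs, system, ... }:
  with builtins;
  mapAttrs (
    hostName:
    { config, pkgs, ... }:
    let
      inherit (config.system) build;
      # Wrap `script` as a flake app: bash under `set -eux`, with coreutils
      # plus the extra packages `ps` prepended to PATH.
      scriptApp = scriptName: ps: script: {
        type = "app";
        program =
          (pkgs.writeShellScript "${hostName}-${scriptName}" ''
            export PATH="${lib.makeBinPath ([ pkgs.buildPackages.coreutils ] ++ ps)}:$PATH"
            set -eux
            ${script}
          '').outPath;
      };
    in
    {
      # Example: nix run .#mermet.switch
      #
      # Deploys build.toplevel to config.install.target over SSH with a
      # self-recovering rollback:
      #  1. *.gpg files are made private (g-rwx,o-rwx) and temporarily
      #     dropped from the git index so a later source copy cannot put
      #     them in the world-readable /nix/store; the EXIT trap restores
      #     the index.
      #  2. GC roots are registered under hosts/, the closure is pushed with
      #     `nix copy` (optionally substituting on the destination), and
      #     config.security.initrd.install is spliced in verbatim.
      #  3. On the target, unless NO_NIXOS_FALLBACK is set, a transient
      #     `nixos-fallback` unit is started that after 10 minutes
      #     re-activates whatever `profile` still points to and reboots;
      #     only then is the new toplevel activated with
      #     `switch-to-configuration test` (boot profile untouched).
      #  4. If that returned success, a fresh SSH session (ControlPath=none)
      #     cancels the fallback, sets the system profile, registers the
      #     configuration for boot and prunes generations older than 7 days.
      #     Otherwise the fallback is stopped and the app fails; if the ssh
      #     itself no longer reaches the host, the fallback presumably fires
      #     and reboots into the previous generation.
      # NOTE(review): the systemd-run payload goes through nested single
      # quotes (the '''\''' / '\'''' escapes) — edit with care and re-test
      # `nix run` end to end.
      "switch" = scriptApp "switch" [ ] (''
        set -o pipefail
        shopt -s globstar

        chmod -R g-rwx,o-rwx **/*.gpg
        trap 'git reset **/*.gpg' EXIT
        git rm -rf --cached --ignore-unmatch **/*.gpg # prevent copying to /nix/store

        nix-store --add-root hosts/${hostName}.nixpkgs --indirect --realise ${nixpkgsPath}
        nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}

        nix copy --to ssh://${config.install.target}${lib.optionalString config.install.substituteOnDestination " --substitute-on-destination"} ${build.toplevel}

        ${config.security.initrd.install}

        if ssh ${config.install.target} set -x ';' \
          systemctl reset-failed nixos-fallback '2>/dev/null' ';' \
          test "''${NO_NIXOS_FALLBACK:+set}" '||' \
          systemd-run -u nixos-fallback --description=nixos-fallback /bin/sh -xc '''\'''
            PATH=${
              with pkgs;
              lib.makeBinPath [
                coreutils
                nix
                systemd
              ]
            }
            sleep $((10 * 60))
            ${profile}/bin/switch-to-configuration switch
            systemctl reboot
          '\'''' '&&' \
          ${build.toplevel}/bin/switch-to-configuration test
        then
          ssh ${config.install.target} -o ControlPath=none set -x ';' \
            systemctl stop nixos-fallback.service ';' \
            nix-env --profile ${profile} --set '${build.toplevel}' ';' \
            ${build.toplevel}/bin/switch-to-configuration boot '&&' \
            nix-env --delete-generations 7d --profile ${profile}
        else
          tput rev
          echo WARNING: switch-to-configuration was not registered at boot
          tput sgr0
          ssh ${config.install.target} -o ControlPath=none set -x ';' \
            systemctl stop nixos-fallback.service
          false
        fi
      '');
      # Example: nix run .#carotte.install-sd [/dev/sdX]
      # DELETEME: quite useless, better to use nixos-install
      #
      # Streams the host's compressed SD image onto a block device (default
      # /dev/mmcblk0) with dd as root (`sudo -k` forces a fresh password
      # prompt). The destination is checked to be an existing block device
      # first: with `of=` dd would otherwise create or clobber a regular
      # file at that path as root and exit successfully without any card
      # being written.
      "install-sd" = scriptApp "install-sd" [ pkgs.zstd ] ''
        set -o pipefail
        dev="''${1:-/dev/mmcblk0}"
        if ! test -b "$dev"; then
          echo "install-sd: $dev is not a block device" >&2
          exit 1
        fi
        nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.sdImage}
        unzstd --stdout ${build.sdImage}/sd-image/*.img.zst |
          sudo -k dd conv=notrunc oflag=direct,sync status=progress of="$dev"
      '';
    }
  ) inputs.self.nixosConfigurations
);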
237
238 # nix flake check
# `nix flake check` runs the git-hooks (pre-commit) checks over this flake's
# source; only nixfmt (RFC style) formatting is enforced for now. The same
# check object also provides the shellHook consumed by the devShell.
checks = forAllSystems (
  { system, ... }:
  {
    git-hooks-check = inputs.git-hooks.lib.${system}.run {
      src = inputs.self;
      hooks.nixfmt-rfc-style.enable = true;
    };
  }
);
249
250 };
251 }