dusk/ark
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/core' into terra

Browse Source
This commit is contained in:
dusk 2021-07-06 20:25:40 +03:00
commit e889566c29
Signed by: dusk
GPG Key ID: 1D8F8FAF2294D6EA
23 changed files with 468 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.github/ISSUE_TEMPLATE/upstream_notice.md vendored Normal file
View File

@ -0,0 +1,16 @@
---
name: Upstream notice (Issues or Changes)
about: Create an upstream notice to help our research
title: '[ <put the upstream project> ]: <topic>'
labels: 'upstream'
assignees: ''
---
## Link
<!-- just place a link to the upstream issue, or PR -->
## Context
<!-- We want to make this as cheap for you as possible.
Context is not required but helpful -->

5
.gitignore vendored
View File

@ -3,3 +3,8 @@ up
hosts/up-*
.direnv
doc/index.html
# Result of flk commands
vm
iso
doi

32
CHANGELOG.md
View File

@ -1,5 +1,33 @@
# Changelog
## [v0.10.0](https://github.com/divnix/devos/tree/v0.10.0) (2021-05-24)
**Implemented enhancements:**
- Providing an interface to nixpkgs.config [\#237](https://github.com/divnix/devos/issues/237)
- Making the user available in profiles [\#230](https://github.com/divnix/devos/issues/230)
- copy evaluation store paths to iso [\#195](https://github.com/divnix/devos/issues/195)
- Extract custom system builds from devosSystem out of lib [\#170](https://github.com/divnix/devos/issues/170)
- Allow setting of channel host-wide [\#117](https://github.com/divnix/devos/issues/117)
- alacritty: CSIu support [\#51](https://github.com/divnix/devos/issues/51)
**Fixed bugs:**
- Cachix timeouts + how to disable nrdxp cachix \(if needed\) [\#294](https://github.com/divnix/devos/issues/294)
- default.nix flake-compat is broken [\#285](https://github.com/divnix/devos/issues/285)
- All suites return "attribute missing" [\#282](https://github.com/divnix/devos/issues/282)
- nix is built two times [\#203](https://github.com/divnix/devos/issues/203)
- fix lib docs [\#166](https://github.com/divnix/devos/issues/166)
**Closed issues:**
- eliminate userFlakeNixOS [\#257](https://github.com/divnix/devos/issues/257)
- devos-as-library [\#214](https://github.com/divnix/devos/issues/214)
**Merged pull requests:**
- Update evalArgs to match the new planned API [\#239](https://github.com/divnix/devos/pull/239)
## [v0.9.0](https://github.com/divnix/devos/tree/v0.9.0) (2021-04-19)
**Implemented enhancements:**
@ -77,6 +105,10 @@
- add github action for cachix build ci [\#59](https://github.com/divnix/devos/issues/59)
## [12052020](https://github.com/divnix/devos/tree/12052020) (2020-12-06)
## [07092020](https://github.com/divnix/devos/tree/07092020) (2020-07-09)
\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*

5
doc/CONTRIBUTING.md
View File

@ -1,5 +1,8 @@
# Pull Requests
If making a change to core, or adding a feature, please be sure to update the
All development is done in the `develop` branch. Only minor bug-fixes and release
PRs should target `master`.
If making a change to the template, or adding a feature, please be sure to update the
relevant docs. Each directory contains its own README.md, which will
automatically be pulled into the [mdbook](https://devos.divnix.com). The book is
rendered on every change, so the docs should always be up to date.

1
doc/SUMMARY.md
View File

@ -24,6 +24,7 @@
- [up](./flk/up.md)
- [update](./flk/update.md)
- [get](./flk/get.md)
- [doi](./flk/doi.md)
- [iso](./flk/iso.md)
- [install](./flk/install.md)
- [home](./flk/home.md)

11
doc/concepts/hosts.md
View File

@ -6,13 +6,14 @@ of these hosts, devos automatically imports every _.nix_ file inside this
directory to the mentioned attribute set, applying the projects defaults to
each. The only hard requirement is that the file contain a valid NixOS module.
As an example, a file `hosts/system.nix` will be available via the flake
output `nixosConfigurations.system`. You can have as many hosts as you want
and all of them will be automatically imported based on their name.
As an example, a file `hosts/system.nix` or `hosts/system/default.nix` will
be available via the flake output `nixosConfigurations.system`. You can have
as many hosts as you want and all of them will be automatically imported based
on their name.
For each host, the configuration automatically sets the `networking.hostName`
attribute to the name of the file minus the _.nix_ extension. This is for
convenience, since `nixos-rebuild` automatically searches for a configuration
attribute to the folder name or name of the file minus the _.nix_ extension. This
is for convenience, since `nixos-rebuild` automatically searches for a configuration
matching the current systems hostname if one is not specified explicitly.
You can set channels, systems, and add extra modules to each host by editing the

7
doc/concepts/overrides.md
View File

@ -27,10 +27,11 @@ You can also pull modules from other channels. All modules have access to the
`modulesPath` for each channel as `<channelName>ModulesPath`. And you can use
`disabledModules` to remove modules from the current channel.
Pulling the zsh module from the `latest` channel:
To pull zsh module from the `latest` channel this code can be placed in any module, whether its your host file, a profile, or a module in ./modules etc:
```nix
{ latestModulesPath }: {
modules = [ "${latestModulesPath}/programs/zsh/zsh.nix" ];
{ latestModulesPath }:
{
imports = [ "${latestModulesPath}/programs/zsh/zsh.nix" ];
disabledModules = [ "programs/zsh/zsh.nix" ];
}
```

43
doc/concepts/profiles.md
View File

@ -8,34 +8,29 @@ separation of concerns.
If you need guidance, a community [branch](https://github.com/divnix/devos/tree/community/profiles)
is maintained to help get up to speed on their usage.
## Constraints
For the sake of consistency, a profile should always be defined in a
___default.nix___ containing a [nixos module config][config].
A profile's directory is used for quick modularization of
[interelated bits](./profiles.md#subprofiles).
## Creation
Profiles are created with the `rakeLeaves` function which recursively collects
`.nix` files from within a folder. The recursion stops at folders with a `default.nix`
in them. You end up with an attribute set with leaves(paths to profiles) or
nodes(attrsets leading to more nodes or leaves).
A profile is used for quick modularization of [interelated bits](./profiles.md#subprofiles).
> ##### _Notes:_
> * For _declaring_ module options, there's the [modules](../outputs/modules.md) directory.
> * This directory takes inspiration from
> [upstream](https://github.com/NixOS/nixpkgs/tree/master/nixos/modules/profiles)
> .
> * Sticking to a simple [spec][spec] has refreshing advantages.
> [hercules-ci](../integrations/hercules.md) expects all profiles to be
> defined in a ___default.nix___, allowing them to be built automatically when
> added. Congruently, [suites](suites.md) expect ___default.nix___ to avoid
> having to manage their paths manually.
## Subprofiles
Profiles can also define subprofiles. They follow the same constraints outlined
above. A good top level profile should be a high level concern, such as your
personal development environment while the subprofiles should be more focused
program configurations such as your text editor, and shell configs. This way,
you can either pull in the whole development profile, or pick and choose
individual programs.
### Nested profiles
Profiles can be nested in attribute sets due to the recursive nature of `rakeLeaves`.
This can be useful to have a set of profiles created for a specific purpose. It is
sometimes useful to have a `common` profile that has high level concerns related
to all its sister profiles.
### Example
profiles/develop/default.nix:
profiles/develop/common.nix:
```nix
{
imports = [ ./zsh ];
@ -43,7 +38,7 @@ profiles/develop/default.nix:
}
```
profiles/develop/zsh/default.nix:
profiles/develop/zsh.nix:
```nix
{ ... }:
{
@ -52,6 +47,16 @@ profiles/develop/zsh/default.nix:
}
```
The examples above will end up with a profiles set like this:
```nix
{
develop = {
common = ./profiles/develop/common.nix;
zsh = ./profiles/develop/zsh.nix;
};
}
```
## Conclusion
Profiles are the most important concept in DevOS. They allow us to keep our
Nix expressions self contained and modular. This way we can maximize reuse

17
doc/concepts/suites.md
View File

@ -1,18 +1,11 @@
# Suites
Suites provide a mechanism for users to easily combine and name collecitons of
profiles. For good examples, check out the suites defined in the community
[branch](https://github.com/divnix/devos/blob/community/suites/default.nix).
profiles. For good examples, check out the suites defined in the community branch.
In the future, we will use suites as a mechanism for deploying various machine
types which don't depend on hardware, such as vm's and containers.
They are defined with the `suites` argument in either `home` or `nixos` namespace.
Suites should be passed as a function that take profiles as an argument.
The profiles are passed based on the folder names and list passed to the relevant
`profiles` argument. In the template's flake.nix `profiles` is set as
`[ ./profiles ./users ]` and that corresponds to the `{ profiles, users }` argument
pattern.
`suites` are defined in the `importables` argument in either the `home` or `nixos`
namespace. They are a special case of an `importable` which get passed as a special
argument (one that can be use in an `imports` line) to your hosts. All lists defined
in `suites` are flattened and type-checked as paths.
## Definition
```nix

23
doc/concepts/users.md
View File

@ -23,11 +23,23 @@ your users. For a fully fleshed out example, check out the developers personal
```
## Home Manager
Home Manager support follows the same principles as regular nixos configurations.
Home Manager support follows the same principles as regular nixos configurations,
it even gets its own namespace in your `flake.nix` as `home`.
All modules defined in [user modules][modules-list] will be imported to
Home Manager. All profiles are availabe in [suites][suites] as userProfiles.
The `userSuites` output will be available in your Home Manager Configuration as
the special argument, `suites`.
Home Manager.
User profiles can be collected in a similar fashion as system ones into a `suites`
argument that gets passed to your home-manager users.
### Example
```nix
{
home-manager.users.nixos = { suites, ... }: {
imports = suites.base;
};
}
```
## External Usage
You can easily use the defined home-manager configurations outside of NixOS
@ -56,5 +68,4 @@ nix build "github:divnix/devos#homeConfigurations.nixos@NixOS.home.activationPac
```
[home-manager]: https://nix-community.github.io/home-manager
[suites]: https://github.com/divnix/devos/tree/core/suites/default.nix
[modules-list]: https://github.com/divnix/devos/tree/core/modules/module-list.nix
[modules-list]: https://github.com/divnix/devos/tree/core/users/modules/module-list.nix

10
doc/flk/doi.md Normal file
View File

@ -0,0 +1,10 @@
# DigitalOcean
Now you can [create a droplet](https://cloud.digitalocean.com/droplets/new) using your custom image.
Making a DigitalOcean compatible image for `hosts/NixOS.nix` is as simple as:
```sh
flk doi NixOS
```
This works for any file matching `hosts/*.nix` excluding `default.nix`.

87
doc/lib.md
View File

@ -1,87 +0,0 @@
# Lib
The lib directory mirrors the upstream concepts of [`nixpkgs:./lib`][nixpkgs-lib],
[`nixpkgs:./nixos/lib`][nixpkgs-nixos-lib] and [`nixpkgs:./pkgs/pkgs-lib`][nixpkgs-pkgs-lib],
but also occasionally [`nixpkgs:./pkgs/build-support`][nixpkgs-pkgs-build-support].
All functions defined in lib can be accessed in modules and packages as `ourlib`.
For example:
- you want to add a library function that depends on some packages
and use it throughout your devos environment: place it into `./lib`
as if you would place it into [`nixpkgs:./pkgs/pkgs-lib`][nixpkgs-pkgs-lib].
- you want to add library functions that don't depend on `pkgs`: place
them into `./lib` as if you would place them into [`nixpkgs:./lib`][nixpkgs-lib].
- need to try out a newish custom build support: place it here before
upstreaming into [`nixpkgs:./pkgs/build-support`][nixpkgs-pkgs-build-support].
- you want to reutilize certain module configuration functions or helpers:
place them into `./lib` as if you would place them into [`nixpkgs:./nixos/lib`][nixpkgs-nixos-lib].
Once your library grows, we recoomend you start organizing them into subfolders
analogous `nixpkgs`:
| `nixpkgs` | `devos` |
| ---------------------- | ------------------ |
| `./lib` | `./lib` |
| `./pkgs/pkgs-lib` | `./lib/pkgs-lib` |
| `./nixos/lib` | `./lib/nixos-lib` |
| `./pkgs/build-support` | `./lib/pkgs-build` |
## Example
lib/nixos-lib/mkCustomI3BindSym/default.nix:
```nix
{ pkgs, writers, ... }:
{ name, cmd, workspace, baseKey }:
let
isWorkspaceEmpty = writers.writePython3 "is-workspace-empty" {
libraries = [ pkgs.python3Packages.i3ipc ];
} (builtins.readFile ./is-workspace-empty.py);
ws = builtins.toString workspace;
in
''
# ${name}
#bindsym ${baseKey}+${ws} workspace ${ws}; exec ${cmd}
bindsym ${baseKey}+${ws} workspace ${ws}; exec bash -c "${isWorkspaceEmpty} && ${cmd}"
''
```
lib/nixos-lib/mkCustomI3BindSym/is-workspace-empty.py:
```python
# returns 0/1 if current workspace is empty/non-empty
import i3ipc
i3 = i3ipc.Connection()
tree = i3.get_tree()
def current_workspace():
return tree.find_focused().workspace()
if current_workspace().leaves():
print("Error current workspace is not empty")
exit(1)
exit(0)
```
lib/default.nix:
```nix
{ nixos, pkgs, ... }:
# ...
{
# ...
mkCustomI3BindSym = pkgs.callPackage ./nixos-lib/mkCustomI3BindSym { };
}
```
[nixpkgs-lib]: https://github.com/NixOS/nixpkgs/tree/master/lib
[nixpkgs-pkgs-lib]: https://github.com/NixOS/nixpkgs/tree/master/pkgs/pkgs-lib
[nixpkgs-pkgs-build-support]: https://github.com/NixOS/nixpkgs/tree/master/pkgs/build-support
[nixpkgs-nixos-lib]: https://github.com/NixOS/nixpkgs/tree/master/nixos/lib

200
doc/mkFlakeOptions.md
View File

@ -40,7 +40,7 @@ nix flake
*_Default_*
```
"inputs.<name>"
"self.inputs.<name>"
```
@ -81,6 +81,56 @@ attribute set or path convertible to it
## devshell
Modules to include in your devos shell. the `modules` argument
will be exported under the `devshellModules` output
*_Type_*:
submodule
*_Default_*
```
{}
```
## devshell.externalModules
modules to include that won't be exported
meant importing modules from external flakes
*_Type_*:
list of valid module or path convertible to its or anything convertible to it
*_Default_*
```
[]
```
## devshell.modules
modules to include in all hosts and export to devshellModules output
*_Type_*:
list of path to a modules or anything convertible to it or path convertible to it
*_Default_*
```
[]
```
## home
hosts, modules, suites, and profiles for home-manager
@ -103,7 +153,7 @@ meant importing modules from external flakes
*_Type_*:
list of valid module or path convertible to its
list of valid module or path convertible to its or anything convertible to it
*_Default_*
@ -114,6 +164,34 @@ list of valid module or path convertible to its
## home.importables
Packages of paths to be passed to modules as `specialArgs`.
*_Type_*:
attribute set
*_Default_*
```
{}
```
## home.importables.suites
collections of profiles
*_Type_*:
attribute set of list of paths or anything convertible to its
## home.modules
modules to include in all hosts and export to homeModules output
@ -131,10 +209,17 @@ list of path to a modules or anything convertible to it or path convertible to i
## home.profiles
profile folders that can be collected into suites
the name of the argument passed to suites is based
on the folder name.
[ ./profiles ] => { profiles }:
WARNING: The 'suites' and `profiles` options have been deprecated, you can now create
both with the importables option. `rakeLeaves` can be used to create profiles and
by passing a module or `rec` set to `importables`, suites can access profiles.
Example:
```
importables = rec {
profiles = digga.lib.importers.rakeLeaves ./profiles;
suites = with profiles; { };
}
```
See https://github.com/divnix/digga/pull/30 for more details
*_Type_*:
@ -150,31 +235,23 @@ list of paths
## home.suites
Function that takes profiles and returns suites for this config system
These can be accessed through the 'suites' special argument.
WARNING: The 'suites' and `profiles` options have been deprecated, you can now create
both with the importables option. `rakeLeaves` can be used to create profiles and
by passing a module or `rec` set to `importables`, suites can access profiles.
Example:
```
importables = rec {
profiles = digga.lib.importers.rakeLeaves ./profiles;
suites = with profiles; { };
}
```
See https://github.com/divnix/digga/pull/30 for more details
*_Type_*:
function that evaluates to a(n) attrs or path convertible to it
*_Default_*
```
"<function>"
```
## inputs
inputs for this flake
used to set channel defaults and create registry
*_Type_*:
attribute set of nix flakes
@ -236,7 +313,7 @@ meant importing modules from external flakes
*_Type_*:
list of valid module or path convertible to its
list of valid module or path convertible to its or anything convertible to it
*_Default_*
@ -343,11 +420,46 @@ null
## nixos.importables
Packages of paths to be passed to modules as `specialArgs`.
*_Type_*:
attribute set
*_Default_*
```
{}
```
## nixos.importables.suites
collections of profiles
*_Type_*:
attribute set of list of paths or anything convertible to its
## nixos.profiles
profile folders that can be collected into suites
the name of the argument passed to suites is based
on the folder name.
[ ./profiles ] => { profiles }:
WARNING: The 'suites' and `profiles` options have been deprecated, you can now create
both with the importables option. `rakeLeaves` can be used to create profiles and
by passing a module or `rec` set to `importables`, suites can access profiles.
Example:
```
importables = rec {
profiles = digga.lib.importers.rakeLeaves ./profiles;
suites = with profiles; { };
}
```
See https://github.com/divnix/digga/pull/30 for more details
*_Type_*:
@ -363,17 +475,39 @@ list of paths
## nixos.suites
Function that takes profiles and returns suites for this config system
These can be accessed through the 'suites' special argument.
WARNING: The 'suites' and `profiles` options have been deprecated, you can now create
both with the importables option. `rakeLeaves` can be used to create profiles and
by passing a module or `rec` set to `importables`, suites can access profiles.
Example:
```
importables = rec {
profiles = digga.lib.importers.rakeLeaves ./profiles;
suites = with profiles; { };
}
```
See https://github.com/divnix/digga/pull/30 for more details
*_Type_*:
function that evaluates to a(n) attrs or path convertible to it
## outputsBuilder
builder for flake system-spaced outputs
The builder gets passed an attrset of all channels
*_Type_*:
function that evaluates to a(n) attrs
*_Default_*
```
"<function>"
"channels: { }"
```

3
doc/outputs/pkgs.md
View File

@ -7,8 +7,7 @@ The only minor difference is that, instead of adding the `callPackage` call to
`all-packages.nix`, you just add it the the _default.nix_ in this directory,
which is defined as a simple overlay.
This overlay is set as the default `overlay` output attribute for the flake.
And all the packages are exported via `packages.<system>.<pkg-name>`, for all
All the packages are exported via `packages.<system>.<pkg-name>`, for all
the supported systems listed in the package's `meta.platforms` attribute.
And, as usual, every package in the overlay is also available to any NixOS

110
doc/secrets.md
View File

@ -1,18 +1,110 @@
# Secrets
Secrets are managed using [git-crypt][git-crypt] so you can keep your flake in
a public repository like GitHub without exposing your password or other
sensitive data.
Secrets are managed using [git-crypt][git-crypt] and [agenix][agenix]
so you can keep your flake in a public repository like GitHub without
exposing your password or other sensitive data.
By default, everything in the secrets folder is automatically encrypted. Just
be sure to run `git-crypt init` before putting anything in here.
## Agenix
Currently, there is [no mechanism][secrets-issue] in nix itself to deploy secrets
within the nix store because it is world-readable.
Most NixOS modules have the ability to set options to files in the system, outside
the nix store, that contain sensitive information. You can use [agenix][agenix]
to easily setup those secret files declaratively.
[agenix][agenix] encrypts secrets and stores them as .age files in your repository.
Age files are encrypted with multiple ssh public keys, so any host or user with a
matching ssh private key can read the data. The [age module][age module] will add those
encrypted files to the nix store and decrypt them on activation to `/run/secrets`.
### Setup
All hosts must have openssh enabled, this is done by default in the core profile.
You need to populate your `secrets/secrets.nix` with the proper ssh public keys.
Be extra careful to make sure you only add public keys, you should never share a
private key!!
secrets/secrets.nix:
```nix
let
system = "<system ssh key>";
user = "<user ssh key>";
allKeys = [ system user ];
in
```
On most systems, you can get your systems ssh public key from `/etc/ssh/ssh_host_ed25519_key.pub`. If
this file doesn't exist you likely need to enable openssh and rebuild your system.
Your users ssh public key is probably stored in `~/.ssh/id_ed25519.pub` or
`~/.ssh/id_rsa.pub`. If you haven't generated a ssh key yet, be sure do so:
```sh
ssh-keygen -t ed25519
```
> ##### _Note:_
> Currently, there is [no mechanism][secrets-issue] in nix to deploy secrets
> within the nix/store so, if they end up in the nix/store after deployment, they
> will be world readable on that machine.
>
> The author of devos intends to implement a workaround for this situation in
> the near future, but for the time being, simple be aware of this.
> The underlying tool used by agenix, rage, doesn't work well with password protected
> ssh keys. So if you have lots of secrets you might have to type in your password many
> times.
### Secrets
You will need the `agenix` command to create secrets. DevOS conveniently provides that
in the devShell, so just run `nix develop` whenever you want to edit secrets. Make sure
to always run `agenix` while in the `secrets/` folder, so it can pick up your `secrets.nix`.
To create secrets, simply add lines to your `secrets/secrets.nix`:
```
let
...
allKeys = [ system user ];
in
{
"secret.age".publicKeys = allKeys;
}
```
That would tell agenix to create a `secret.age` file that is encrypted with the `system`
and `user` ssh public key.
Then go into the `secrets` folder and run:
```sh
agenix -e secret.age
```
This will create the `secret.age`, if it doesn't already exist, and allow you to edit it.
If you ever change the `publicKeys` entry of any secret make sure to rekey the secrets:
```sh
agenix --rekey
```
### Usage
Once you have your secret file encrypted and ready to use, you can utilize the [age module][age module]
to ensure that your secrets end up in `/run/secrets`.
In any profile that uses a NixOS module that requires a secret you can enable a particular secret like so:
```nix
{ self, ... }:
{
age.secrets.mysecret.file = "${self}/secrets/mysecret.age";
}
```
Then you can just pass the path `/run/secrets/mysecret` to the module.
You can make use of the many options provided by the age module to customize where and how
secrets get decrypted. You can learn about them by looking at the
[age module][age module].
> ##### _Note:_
> You can take a look at the [agenix repository][agenix] for more information
> about the tool.
[git-crypt]: https://github.com/AGWA/git-crypt
[agenix]: https://github.com/ryantm/agenix
[age module]: https://github.com/ryantm/agenix/blob/master/modules/age.nix
[secrets-issue]: https://github.com/NixOS/nix/issues/8

11
doc/tests.md
View File

@ -5,22 +5,19 @@ NixOS offers some incredibly powerful tools to write tests for your
configuration, and, optionally, run them in
[CI](./integrations/hercules.md).
## Lib Tests
You can easily write tests for your own library functions in the
lib/___tests/lib.nix___ file and they will be run on every `nix flake check` or
during a CI run.
## Unit Tests
Unit tests are can be created from regular derivations, and they can do
Unit tests can be created from regular derivations, and they can do
almost anything you can imagine. By convention, it is best to test your
packages during their [check phase][check]. All packages and their tests will
be built during CI.
## Integration Tests
All your profiles defined in suites will be tested in a NixOS VM.
You can write integration tests for one or more NixOS VMs that can,
optionally, be networked together, and yes, it's as awesome as it sounds!
Be sure to use the `mkTest` function, in the [___tests/default.nix___][default]
Be sure to use the `mkTest` function from digga, `digga.lib.pkgs-lib.mkTest`
which wraps the official [testing-python][testing-python] function to ensure
that the system is setup exactly as it is for a bare DevOS system. There are
already great resources for learning how to use these tests effectively,

34
flake.lock
View File

@ -1,5 +1,25 @@
{
"nodes": {
"agenix": {
"inputs": {
"nixpkgs": [
"latest"
]
},
"locked": {
"lastModified": 1620877075,
"narHash": "sha256-XvgTqtmQZHegu9UMDSR50gK5cHEM2gbnRH0qecmdN54=",
"owner": "ryantm",
"repo": "agenix",
"rev": "e543aa7d68f222e1e771165da9e9a64b5bf7b3e3",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"cachix": {
"locked": {
"lastModified": 1624474106,
@ -118,6 +138,7 @@
},
"original": {
"owner": "divnix",
"ref": "master",
"repo": "digga",
"type": "github"
}
@ -191,11 +212,11 @@
]
},
"locked": {
"lastModified": 1625384440,
"narHash": "sha256-WnDK+LZioER6eeC8Sm7GPvbiS6XPyUqn+qtc2lvjLHo=",
"lastModified": 1625516974,
"narHash": "sha256-hq4eAl7wJoGwjtHCdqItjb81XgjVL5K79NX3jSmNRMA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "ac319fd3149b23a3ad8ee24cb2def6e67acf194c",
"rev": "97d183e2e466808f5d7cd1c838815bedd88f37fe",
"type": "github"
},
"original": {
@ -296,11 +317,11 @@
},
"nixos": {
"locked": {
"lastModified": 1625281901,
"narHash": "sha256-DkZDtTIPzhXATqIps2ifNFpnI+PTcfMYdcrx/oFm00Q=",
"lastModified": 1625366435,
"narHash": "sha256-29ZJQBmJ9p2IienoYXCT/qq8sf+rfOvXWfeqVLZOh0E=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "09c38c29f2c719cd76ca17a596c2fdac9e186ceb",
"rev": "20887e4bbfdae3aed6bfa1f53ddf138ee325515e",
"type": "github"
},
"original": {
@ -438,6 +459,7 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"ci-agent": "ci-agent",
"darwin": "darwin",
"digga": "digga",

25
flake.nix
View File

@ -6,7 +6,7 @@
nixos.url = "nixpkgs/nixos-unstable";
nixpkgs.follows = "nixos";
latest.url = "nixpkgs";
digga.url = "github:divnix/digga";
digga.url = "github:divnix/digga/master";
ci-agent = {
url = "github:hercules-ci/hercules-ci-agent";
@ -18,6 +18,8 @@
home.inputs.nixpkgs.follows = "nixos";
naersk.url = "github:nmattia/naersk";
naersk.inputs.nixpkgs.follows = "latest";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "latest";
nixos-hardware.url = "github:nixos/nixos-hardware";
pkgs.url = "path:./pkgs";
@ -33,7 +35,19 @@
};
};
outputs = inputs@{ self, pkgs, digga, nixos, ci-agent, home, nixos-hardware, nur, nixosPersistence, nixpkgsWayland, nixEvalLsp, ... }:
outputs =
{ self
, pkgs
, digga
, nixos
, ci-agent
, home
, nixos-hardware
, nur
, agenix
, nixosPersistence, nixpkgsWayland, nixEvalLsp
, ...
} @ inputs:
digga.lib.mkFlake {
inherit self inputs;
@ -54,6 +68,7 @@
(final: prev: {
inherit (nixEvalLsp.packages.${prev.system}) nix-eval-lsp;
})
agenix.overlay
];
};
latest = { };
@ -77,6 +92,7 @@
ci-agent.nixosModules.agent-profile
home.nixosModules.home-manager
nixosPersistence.nixosModules.impermanence
agenix.nixosModules.age
./modules/customBuilds.nix
];
};
@ -106,6 +122,10 @@
};
};
devshell.externalModules = { pkgs, ... }: {
packages = [ pkgs.agenix ];
};
homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { };
@ -113,7 +133,6 @@
defaultTemplate = self.templates.flk;
templates.flk.path = ./.;
templates.flk.description = "flk template";
}
;
}

5
modules/customBuilds.nix
View File

@ -10,7 +10,6 @@ in
system.build = {
iso = (mkBuild (diggaLib.modules.isoConfig {
inherit self;
inherit (self) inputs;
fullHostConfig = config;
})).config.system.build.isoImage;
@ -26,5 +25,9 @@ in
}
];
})).config.home-manager.users;
digitalOcean = (mkBuild ({ modulesPath, ... }: {
imports = [ "${modulesPath}/virtualisation/digital-ocean-image.nix" ];
})).config.system.build.digitalOceanImage;
};
}

1
overlays/overrides.nix
View File

@ -7,6 +7,7 @@ channels: final: prev: {
discord
element-desktop
manix
rage
nixpkgs-fmt
qutebrowser
signal-desktop

6
profiles/core/default.nix
View File

@ -167,5 +167,11 @@ in
home-manager.useGlobalPkgs = true;
users.mutableUsers = false;
# For rage encryption, all hosts need a ssh key pair
services.openssh = {
enable = true;
openFirewall = lib.mkDefault false;
};
services.earlyoom.enable = true;
}

1
secrets/.gitattributes vendored
View File

@ -1,3 +1,4 @@
* filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
secrets.nix !filter !diff
README.md !filter !diff

9
secrets/secrets.nix Normal file
View File

@ -0,0 +1,9 @@
let
# set ssh public keys here for your system and user
system = "";
user = "";
allKeys = [ system user ];
in
{
"secret.age".publicKeys = allKeys;
}