Reset from zero

41666 2023-12-11 18:18:41 -05:00
commit 7520235965
46 changed files with 1783 additions and 0 deletions

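--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,7 @@
+root = true
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 2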

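--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use flake;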

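--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+result
+.sops.keys
+.username
+.direnv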

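--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,29 @@
+keys: &all
+- &op_noe age1lq5q5g5qjsdcc3key0n6qytkc9z3qx3d3e96ap9zre2aqgvc9ujq82l9hd
+- &op_noe_2 age1p0f62dwatt558sf5s4equdqwtg5m7lsnaytrf3xjnvmx3e0lqu4svtugyp
+- &m_thonkpad age1f5cqspxexkl8f42v5ne47mx6xmm4v00lafdlslq9g79a508e4p9qrku72s
+- &m_blueberry age1ts3t7q08cthuwj39juajve2jjk0rw28ljzesnrmnkwd0n7zs49kq7dgxnm
+- &m_work-mac age14vsmekuppm4xhp4rthhv9jjgzfv45v39a0q8dsgg6yusw0pjkvaqnr9kq8
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age: *all
+- path_regex: secrets/thonkpad/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *op_noe
+- *op_noe_2
+- *m_thonkpad
+- path_regex: secrets/blueberry/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *op_noe
+- *op_noe_2
+- *m_blueberry
+- path_regex: secrets/work-mac/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *op_noe
+- *op_noe_2
+- *m_work-mac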
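Review bot: The first creation rule encrypts every top-level `secrets/*.yaml` to `*all`, and `nixos/features/sops.nix` in this same commit points `sops.defaultSopsFile` at `secrets/default.yaml`, so anything placed in that file is decryptable by the host key of every enrolled machine, not only the one that needs it. That is a reasonable design for shared material, but it is easy to forget; a comment above the rule such as `# default.yaml is readable by every machine and operator key; host-only secrets go under secrets/<host>/` would make the boundary explicit. The regexes are also unanchored on the left, so `secrets/[^/]+\.(yaml|json|env|ini)$` would match a file under some other directory named `secrets`; prefixing each with `^` keeps the rules tied to the repo layout.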

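--- a/Justfile
+++ b/Justfile
@@ -0,0 +1,64 @@
+# Build the system config and switch to it when running `just` with no args
+default: switch
+hostname := `hostname | cut -d "." -f 1`
+work_mac_impure := `if [ $(hostname) = "AMERMACC02G65A8MD6T" ]; then echo "--impure"; else echo ""; fi`
+# Build the nix-darwin system configuration without switching to it
+[macos]
+build target_host=hostname flags="":
+@echo "Building nix-darwin config..."
+nix --extra-experimental-features 'nix-command flakes' build {{work_mac_impure}} ".#darwinConfigurations.{{target_host}}.system" {{flags}}
+# Build the nix-darwin config with the --show-trace flag set
+[macos]
+trace target_host=hostname: (build target_host "--show-trace")
+# Build the nix-darwin configuration and switch to it
+[macos]
+switch target_host=hostname: (build target_host)
+@echo "switching to new config for {{target_host}}"
+# if macOS updates and overwrites /etc/shells, nix will refuse to update it
+sudo mv /etc/shells /tmp/shells.bak
+./result/sw/bin/darwin-rebuild switch {{work_mac_impure}} --flake ".#{{target_host}}"
+# Reload the skhd (hotkey daemon) service to apply new config. Workaround for config changes not being auto-detected.
+[macos]
+reload-skhd:
+launchctl stop org.nixos.skhd && launchctl start org.nixos.skhd && sleep 1 && skhd -r
+# on asahi linux, we need to pass the --impure flag to read in firmware files
+rebuild_flags := `if [ -d /boot/asahi ]; then echo "--impure"; else echo ""; fi`
+# Build the NixOS configuration without switching to it
+[linux]
+build target_host=hostname flags="":
+nixos-rebuild build --flake .#{{target_host}} {{rebuild_flags}} {{flags}}
+# Build the NixOS config with the --show-trace flag set
+[linux]
+trace target_host=hostname: (build target_host "--show-trace")
+# Build the NixOS configuration and switch to it.
+[linux]
+switch target_host=hostname:
+sudo nixos-rebuild switch --flake .#{{target_host}} {{rebuild_flags}}
+# Update flake inputs to their latest revisions
+update:
+nix flake update
+# Garbage collect old OS generations and remove stale packages from the nix store
+gc generations="5d":
+sudo nix-env --delete-generations {{generations}}
+sudo nix-store --gc
+# Add a machine's age key for SOPS
+sops-add machine_name target:
+bun tools/onboard-machine.js {{machine_name}} {{target}}
+sops updatekeys -y secrets/default.yaml
+sops-generate-keys:
+sudo cat /etc/ssh/ssh_host_ed25519_key | ssh-to-age --private-key > .sops.keys
+cat ~/.ssh/id_ed25519 | ssh-to-age --private-key >> .sops.keys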
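Review bot: `sops-generate-keys` writes two age private keys (one derived from the host's `ssh_host_ed25519_key`, one from the user's `id_ed25519`) into `.sops.keys` with whatever permissions the caller's umask gives a new file, so on a shared machine the host identity ends up in a user-owned, possibly group- or world-readable file in the checkout. Either start the recipe with `umask 077` or add `chmod 600 .sops.keys` after the second line, and a comment above the recipe stating that the file is a local-only cache of the two identities (it is gitignored, but that is not obvious from here) would help. Separately, the macOS `switch` recipe moves `/etc/shells` to `/tmp/shells.bak`, a world-writable directory shared with every other user; a root-owned location such as `/etc/shells.bak` avoids that and is simpler to restore from if `darwin-rebuild` fails halfway.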

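--- a/darwin/common.nix
+++ b/darwin/common.nix
@@ -0,0 +1,50 @@
+{ pkgs, lib, inputs, outputs, ...}: let
+inherit (inputs) nixpkgs;
+in {
+imports = [
+inputs.sops-nix-darwin.darwinModules.sops
+inputs.home-manager.darwinModules.home-manager
+];
+# pin nixpkgs in the system flake registry to the revision used
+# to build the config
+nix.registry.nixpkgs.flake = nixpkgs;
+nixpkgs.config.allowUnfree = true;
+nixpkgs.config.overlays = [
+(final: prev: lib.optionalAttrs (prev.stdenv.system == "aarch64-darwin") {
+# Add access to x86 packages system is running Apple Silicon
+pkgs-x86 = import nixpkgs {
+system = "x86_64-darwin";
+config.allowUnfree = true;
+};
+})
+];
+# Keep nix upgraded
+services.nix-daemon.enable = true;
+nix.package = pkgs.nix;
+# Enable flakes, and enrich apple silicon
+nix.extraOptions = ''
+experimental-features = nix-command flakes repl-flake
+''+ lib.optionalString (pkgs.system == "aarch64-darwin") ''
+extra-platforms = x86_64-darwin aarch64-darwin
+'';
+programs.zsh.enable = true;
+programs.fish.enable = true;
+environment.shells = [
+pkgs.fish
+pkgs.zsh
+pkgs.bashInteractive
+];
+users.users.root.shell = pkgs.fish;
+#system.configurationRevision = self.rev or self.dirtyRev or null;
+system.stateVersion = 4;
+security.pam.enableSudoTouchIdAuth = true;
+home-manager.extraSpecialArgs = { inherit inputs outputs; };
+}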
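Review bot: The overlay is declared under `nixpkgs.config.overlays`, but overlays are a separate option from the nixpkgs `config` attribute set; as far as I can tell the `overlays` key is just passed through to nixpkgs as an unknown config value and ignored, so `pkgs-x86` never becomes available and nothing reports it. The fix is the option name: `nixpkgs.overlays = [`. The comment on the overlay is also missing a word and reads as a fragment; `# Add access to x86 packages when the system is running on Apple Silicon` says what it means.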


@ -0,0 +1,13 @@
{ pkgs, ... }: {
imports = [
../../common.nix
];
programs.fish.enable = true;
users.users.noe = (import ../../user.nix) "noe" // {
shell = pkgs.fish;
};
home-manager.users.noe = import ../../../home-manager/noe/hosts/noe-air.nix;
}


@ -0,0 +1,25 @@
{ pkgs, ... }: let
username = builtins.getEnv "USER";
in {
imports = [
../../common.nix
];
users.users.${username} = (import ../../user.nix) username // {
shell = pkgs.fish;
};
home-manager.users.${username} = import ../../../home-manager/noe/hosts/work-mac.nix;
environment.systemPackages =
with pkgs; [
vim
neovim
tfswitch
awscli2
kubectl
jq
nil
direnv
];
}
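Review bot: `username = builtins.getEnv "USER"` only yields a value under `--impure` evaluation; evaluated purely (for example `just build` from a host whose name is not the work Mac, or any CI run) it returns `""`, and the module then defines `users.users.""` and `home-manager.users.""`, which fails in a way that does not point back to the missing flag. A guard between `in` and `{`, `in assert username != ""; {`, turns that into an immediate, readable error; the home-manager user file at L993-1003 has the same pattern and would benefit from the same guard. The file header for this section is not shown; from `flake.nix` and the `work-mac.nix` import it appears to be the work-mac darwin host.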

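--- a/darwin/user.nix
+++ b/darwin/user.nix
@@ -0,0 +1,4 @@
+username: {
+name = username;
+home = "/Users/${username}";
+}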

564
flake.lock generated Normal file

@ -0,0 +1,564 @@
{
"nodes": {
"apple-silicon": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1700436815,
"narHash": "sha256-+txRDmFuI/dW/ZmacfDrqSsKiWTNLmRygej25u2ojNM=",
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"rev": "14b327ca47703c376ebb82ba16dc42ca2baa57d8",
"type": "github"
},
"original": {
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"type": "github"
}
},
"base16-schemes": {
"flake": false,
"locked": {
"lastModified": 1689473676,
"narHash": "sha256-L0RhUr9+W5EPWBpLcmkKpUeCEWRs/kLzVMF3Vao2ZU0=",
"owner": "tinted-theming",
"repo": "base16-schemes",
"rev": "d95123ca6377cd849cfdce92c0a24406b0c6a789",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-schemes",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"repo": "nix-darwin",
"type": "github"
}
},
"firefox-addons": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1702267377,
"narHash": "sha256-l1wYWeqicyizoMS/yrBFR55wMg4bCrzW/MABSreBDM8=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "8d8f9c2d34ba23bcb692baac247e2dc3d0e2c2ad",
"type": "gitlab"
},
"original": {
"dir": "pkgs/firefox-addons",
"owner": "rycee",
"repo": "nur-expressions",
"type": "gitlab"
}
},
"flake-compat": {
"locked": {
"lastModified": 1688025799,
"narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1629284811,
"narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c5d161cc0af116a2e17f54316f0bf43f0819785c",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"nixvim",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1702203126,
"narHash": "sha256-4BhN2Vji19MzRC7SUfPZGmtZ2WZydQeUk/ogfRBIZMs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "defbb9c5857e157703e8fc7cf3c2ceb01cb95883",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nix-colors": {
"inputs": {
"base16-schemes": "base16-schemes",
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1695388192,
"narHash": "sha256-2jelpE7xK+4M7jZNyWL7QYOYegQLYBDQS5bvdo8XRUQ=",
"owner": "misterio77",
"repo": "nix-colors",
"rev": "37227f274b34a3b51649166deb94ce7fec2c6a4c",
"type": "github"
},
"original": {
"owner": "misterio77",
"repo": "nix-colors",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1700419998,
"narHash": "sha256-aXh4adx9x9RlRMSykzR+bY8AOVjcwMEJO1ZeQROwbcE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "12a0ade5e458984675b9789a4b260ebabdd2d1ab",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"rev": "12a0ade5e458984675b9789a4b260ebabdd2d1ab",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1694911725,
"narHash": "sha256-8YqI+YU1DGclEjHsnrrGfqsQg3Wyga1DfTbJrN3Ud0c=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "819180647f428a3826bfc917a54449da1e532ce0",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1702233072,
"narHash": "sha256-H5G2wgbim2Ku6G6w+NSaQaauv6B6DlPhY9fMvArKqRo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "781e2a9797ecf0f146e81425c822dca69fe4a348",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1702148972,
"narHash": "sha256-h2jODFP6n+ABrUWcGRSVPRFfLOkM9TJ2pO+h+9JcaL0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b8f33c044e51de6dde3ad80a9676945e0e4e3227",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_4": {
"locked": {
"lastModified": 1692492726,
"narHash": "sha256-rld5qm2B4oRkDwcPD+yOSyTrZQdfCR6mzJGGkecjvTs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5e63e8bbc46bc4fc22254da1edaf42fc7549c18a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1702151865,
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1627814220,
"narHash": "sha256-P+MDgdZw2CBk9X1ZZaUgHgN+32pTfLFf3XVIBOXirI4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ab5b6828af26215bf2646c31961da5d3749591ef",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1702151865,
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1702029940,
"narHash": "sha256-qM3Du0perpLesh5hr87mVPZ79McMUKIWUH7EQMh2kWo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e9ef8a102c555da4f8f417fe5cf5bd539d8a38b7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1692463654,
"narHash": "sha256-F8hZmsQINI+S6UROM4jyxAMbQLtzE44pI8Nk6NtMdao=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ca3c9ac9f4cdd4bea19f592b32bb59b74ab7d783",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixvim": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs-unstable"
],
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1702303976,
"narHash": "sha256-xOsTE50vcY3WQ1SPzGq0RaFauUMYdOylqlRXv8LoDzg=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "7fbb9240de5f9c72f096dba0c8554f1eed053322",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixvim",
"type": "github"
}
},
"nur": {
"locked": {
"lastModified": 1702319163,
"narHash": "sha256-LBLXEzGE5MjYg+7aLj+uzGs5adBsiDMDbfid//yiiJM=",
"owner": "nix-community",
"repo": "nur",
"rev": "621aae944d776922f3ac9f74b478464a73353660",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nur",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_3",
"gitignore": "gitignore",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1700922917,
"narHash": "sha256-ej2fch/T584b5K9sk1UhmZF7W6wEfDHuoUYpFN8dtvM=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "e5ee5c5f3844550c01d2131096c7271cec5e9b78",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"apple-silicon": "apple-silicon",
"darwin": "darwin",
"firefox-addons": "firefox-addons",
"home-manager": "home-manager",
"nix-colors": "nix-colors",
"nixpkgs": "nixpkgs_3",
"nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable",
"nixvim": "nixvim",
"nur": "nur",
"sops-nix": "sops-nix",
"sops-nix-darwin": "sops-nix-darwin"
}
},
"rust-overlay": {
"flake": false,
"locked": {
"lastModified": 1686795910,
"narHash": "sha256-jDa40qRZ0GRQtP9EMZdf+uCbvzuLnJglTUI2JoHfWDc=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "5c2b97c0a9bc5217fc3dfb1555aae0fb756d99f9",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_4",
"nixpkgs-stable": "nixpkgs-stable_3"
},
"locked": {
"lastModified": 1702177193,
"narHash": "sha256-J2409SyXROoUHYXVy9h4Pj0VU8ReLuy/mzBc9iK4DBg=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "d806e546f96c88cd9f7d91c1c19ebc99ba6277d9",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"sops-nix-darwin": {
"inputs": {
"nixpkgs": "nixpkgs_5",
"nixpkgs-stable": "nixpkgs-stable_4"
},
"locked": {
"lastModified": 1692658736,
"narHash": "sha256-kucyW+sryHf2buyAFFWQHQMsqkYYHSvvYqr/DvwQukY=",
"owner": "Kloenk",
"repo": "sops-nix",
"rev": "c0864759e5d3f5899195fd9debaeda48e08d47d8",
"type": "github"
},
"original": {
"owner": "Kloenk",
"ref": "darwin",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

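--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,143 @@
+{
+description = "Your new nix config";
+inputs = {
+# Nixpkgs (usually unstable)
+nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
+nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+# Home manager
+home-manager = {
+url = "github:nix-community/home-manager";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+# Darwin & Apple Silicon tools
+darwin = {
+url = "github:lnl7/nix-darwin";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+apple-silicon.url = "github:tpwrules/nixos-apple-silicon";
+sops-nix.url = "github:Mic92/sops-nix";
+sops-nix-darwin.url = "github:Kloenk/sops-nix?ref=darwin";
+nix-colors.url = "github:misterio77/nix-colors";
+nixvim = {
+url = "github:nix-community/nixvim";
+inputs.nixpkgs.follows = "nixpkgs-unstable";
+};
+nur.url = "github:nix-community/nur";
+firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
+};
+outputs = { self, nixpkgs, home-manager, ... }@inputs:
+let
+inherit (self) outputs;
+forAllSystems = nixpkgs.lib.genAttrs [
+"aarch64-linux"
+"i686-linux"
+"x86_64-linux"
+"aarch64-darwin"
+"x86_64-darwin"
+];
+mkNixos = modules: nixpkgs.lib.nixosSystem {
+inherit modules;
+specialArgs = { inherit inputs outputs; };
+};
+mkDarwin = system: modules: inputs.darwin.lib.darwinSystem {
+inherit modules system inputs;
+specialArgs = { inherit inputs outputs; };
+};
+mkHome = modules: pkgs: home-manager.lib.homeManagerConfiguration {
+inherit modules pkgs;
+extraSpecialArgs = { inherit inputs outputs; };
+};
+in
+rec {
+# Your custom packages
+# Acessible through 'nix build', 'nix shell', etc
+packages = forAllSystems (system:
+let pkgs = nixpkgs.legacyPackages.${system};
+in import ./pkgs { inherit pkgs; }
+);
+# Devshell for bootstrapping
+# Acessible through 'nix develop' or 'nix-shell' (legacy)
+devShells = forAllSystems (system:
+let pkgs = nixpkgs.legacyPackages.${system};
+in import ./shell.nix { inherit pkgs; }
+);
+# Your custom packages and modifications, exported as overlays
+overlays = import ./overlays { inherit inputs; };
+# Reusable nixos modules you might want to export
+# These are usually stuff you would upstream into nixpkgs
+nixosModules = import ./modules/nixos;
+# Reusable home-manager modules you might want to export
+# These are usually stuff you would upstream into home-manager
+homeManagerModules = import ./modules/home-manager;
+# Reusable nix-darwin packages you might want to export
+# These are usually hacks!
+darwinModules = import ./modules/darwin;
+# NixOS configuration entrypoint
+# Available through 'nixos-rebuild --flake .#your-hostname'
+nixosConfigurations = {
+# T480
+thonkpad = mkNixos [ ./nixos/hosts/thonkpad ];
+# Blueberry Lab
+blueberry = mkNixos [ ./nixos/hosts/blueberry ];
+# 2015 MBP
+#echo = mkNixos [ ./nixos/hosts/echo ];
+# 2013 MBP
+#who =
+# Pi4B Xbox Hacking
+#xxx = mkNixos [
+# PlanetSide Stack
+#watermelon =
+# Akkoma (sapphic.engineer)
+#pineapple =
+# Web Services
+#honeydew =
+# Workers
+#tangerine =
+# Pi3B Audio Streamer
+#audiofox =
+# Router
+#nekomata =
+# just give me a machine THANKS
+#lab =
+};
+darwinConfigurations = {
+noe-air = mkDarwin "aarch64-darwin" [ ./darwin/hosts/noe-air ];
+AMERMACC02G65A8MD6T = mkDarwin "x86_64-darwin" [ ./darwin/hosts/work-mac ];
+};
+# Standalone home-manager configuration entrypoint
+# Available through 'home-manager --flake .#your-username@your-hostname'
+homeConfigurations = {
+# TODO: add generic standalone home-manager config
+};
+};
+}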
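Review bot: Only `home-manager`, `darwin` and `nixvim` declare `inputs.nixpkgs.follows`; the lock file in this commit shows `sops-nix` and `sops-nix-darwin` each carrying their own `nixpkgs` and `nixpkgs-stable` trees (`nixpkgs_4`/`nixpkgs-stable_3` and `nixpkgs_5`/`nixpkgs-stable_4`), so the closure is assembled from several independently pinned nixpkgs revisions, each a separate thing to update and audit. Adding `inputs.nixpkgs.follows = "nixpkgs";` and `inputs.nixpkgs-stable.follows = "nixpkgs-stable";` to the two sops-nix inputs collapses the ones the system modules actually use. `sops-nix-darwin` also tracks a branch of a personal fork (`github:Kloenk/sops-nix?ref=darwin`); the lock pins a revision so this is reproducible, but a one-line comment saying why the fork is needed and when it can be dropped for upstream would save the next person from guessing. The `description` is still the template default `"Your new nix config"`.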


@ -0,0 +1,13 @@
{ pkgs, lib, ... }: {
programs.direnv = {
enable = true;
enableBashIntegration = true;
#enableFishIntegration = lib.mkDefault true;
#enableZshIntegration = lib.mkDefault true;
nix-direnv.enable = true;
};
programs.zsh.enable = true;
programs.fish.enable = true;
programs.bash.enable = true;
}


@ -0,0 +1,7 @@
{ pkgs, ... }: {
programs.git = {
enable = true;
userName = "noe";
userEmail = "git@kat.cafe";
};
}


@ -0,0 +1,34 @@
{ inputs, outputs, lib, ... }:
{
imports = [
inputs.sops-nix.homeManagerModules.sops
../../features/direnv.nix
../../features/git.nix
] ++ (builtins.attrValues outputs.homeManagerModules);
nixpkgs = {
overlays = [
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
inputs.nur.overlay
];
config = {
allowUnfree = true;
allowUnfreePredicate = (_: true);
};
};
home = {
sessionVariables = {
EDITOR = "nvim";
TERMINAL = lib.mkDefault "kitty";
COLORTERM = lib.mkDefault "truecolor";
BROWSER = lib.mkDefault "firefox";
};
};
programs.home-manager.enable = true;
home.stateVersion = "24.05";
}


@ -0,0 +1,10 @@
{ pkgs, ... }:
let
inherit (pkgs.stdenv) isDarwin;
in
{
home = {
username = "noe";
homeDirectory = if isDarwin then "/Users/noe" else "/home/noe";
};
}


@ -0,0 +1,11 @@
{ pkgs, ... }:
let
inherit (pkgs.stdenv) isDarwin;
username = builtins.getEnv "USER";
in
{
home = {
inherit username;
homeDirectory = if isDarwin then "/Users/${username}" else "/home/${username}";
};
}


@ -0,0 +1,6 @@
{ ... }: {
imports = [
../common
../common/home-user.nix
];
}


@ -0,0 +1,6 @@
{ ... }: {
imports = [
../common
../common/home-user.nix
];
}


@ -0,0 +1,6 @@
username: {
imports = [
../common
../common/work-user.nix
];
}


@ -0,0 +1,3 @@
{
}


@ -0,0 +1,3 @@
{
}


@ -0,0 +1,3 @@
{
pod = import ./pod.nix;
}

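--- a/modules/nixos/pod.nix
+++ b/modules/nixos/pod.nix
@@ -0,0 +1,59 @@
+{ pkgs, config, lib, ... }:
+let
+cfg = config.pods;
+podOpts = with lib; {
+container = mkOption {
+type = types.attrsOf (types.submodule ({ options = podContainerOpts; }));
+};
+exportPorts = mkOption {
+type = types.listOf types.str;
+};
+routes = mkOption {
+type = types.attrsOf (types.submodule ({ options = routeOpts; }));
+};
+};
+podContainerOpts = with lib; {
+image = mkOption {
+type = types.str;
+};
+ports = mkOption {
+type = types.listOf types.str;
+};
+environment = mkOption {
+type = types.attrsOf types.str;
+};
+secrets = mkOption {
+type = types.attrsOf types.path;
+};
+volumes = mkOption {
+type = types.attrsOf types.str;
+};
+};
+routeOpts = with lib; {
+port = mkOption {
+type = types.str;
+};
+};
+in {
+options.pods = with lib; {
+enable = mkEnableOption "Enable pod support";
+pods = mkOption {
+type = types.attrsOf (types.submodule ({ options = podOpts; }));
+};
+};
+config = lib.mkIf cfg.enable {
+}
+}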
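Review bot: `config = lib.mkIf cfg.enable { }` is empty, so the module declares the `pods` option tree but turns none of it into containers, ports or routes; the blueberry host in this commit sets `pods.enable = true` and a full `pods.pods.saerro` definition that currently has no effect, which is worth a `# TODO: not implemented yet` on the `config` line so nobody assumes the pod is running. Every sub-option is also declared without a `default`, so a pod that omits `volumes`, `secrets`, `routes` or `exportPorts` fails evaluation; `default = { };` on the attrset options and `default = [ ];` on the list options makes them optional. `secrets` is typed `types.attrsOf types.path`, which accepts a relative path literal and would then copy that file into the world-readable Nix store; the intended values are the runtime `/run/secrets/...` strings from sops, so `types.str` with a comment saying so is safer. `mkEnableOption "Enable pod support"` renders as "Whether to enable Enable pod support."; `mkEnableOption "pod support"` is the idiom.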

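--- a/nixos/base.nix
+++ b/nixos/base.nix
@@ -0,0 +1,69 @@
+# Things every machine will have...
+{ inputs, outputs, lib, config, pkgs, ... }: {
+imports = [
+inputs.home-manager.nixosModules.home-manager
+./users/noe.nix
+./features/sops.nix
+];
+boot.tmp.cleanOnBoot = true;
+# Set ET
+time.timeZone = lib.mkDefault "America/New_York";
+i18n.defaultLocale = "en_US.UTF-8";
+i18n.extraLocaleSettings = {
+LC_ADDRESS = "en_US.UTF-8";
+LC_IDENTIFICATION = "en_US.UTF-8";
+LC_MEASUREMENT = "en_US.UTF-8";
+LC_MONETARY = "en_US.UTF-8";
+LC_NAME = "en_US.UTF-8";
+LC_NUMERIC = "en_US.UTF-8";
+LC_PAPER = "en_US.UTF-8";
+LC_TELEPHONE = "en_US.UTF-8";
+LC_TIME = "en_US.UTF-8";
+};
+home-manager.extraSpecialArgs = { inherit inputs outputs; };
+# A very fishy fish.
+programs.fish = {
+enable = true;
+};
+programs.git.enable = true;
+users.defaultUserShell = pkgs.fish;
+services.openssh.enable = lib.mkDefault true;
+programs.neovim = {
+enable = true;
+defaultEditor = true;
+viAlias = true;
+vimAlias = true;
+};
+nixpkgs = {
+overlays = [
+outputs.overlays.additions
+outputs.overlays.modifications
+outputs.overlays.unstable-packages
+];
+config = {
+allowUnfree = true;
+};
+};
+nix = {
+gc.automatic = true;
+settings = {
+experimental-features = "nix-command flakes";
+#auto-optimize-store = true;
+};
+};
+# system.copySystemConfiguration = true;
+}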
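Review bot: `services.openssh.enable = lib.mkDefault true;` turns sshd on for every machine that imports this file, including the laptop, with no `settings`, so password authentication stays at the NixOS default of enabled and the only thing between the network and each user account is that account's password. Since every host here already has a key-based path (the same ed25519 host keys are what sops uses), setting `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line closes that off without changing anything else; the `lib.mkDefault` already lets a host override it. A short comment on why sshd is on by default for clients as well as servers would also help, as `./users/noe.nix` is not in this view and it is unclear whether that user carries `openssh.authorizedKeys`.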

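--- a/nixos/client.nix
+++ b/nixos/client.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }: {
+imports = [
+./base.nix
+./features/fonts.nix
+];
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+boot.kernelPackages = pkgs.linuxPackages_zen;
+environment.systemPackages = with pkgs; [
+firefox
+curl
+btop
+htop
+neofetch
+];
+}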

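--- a/nixos/features/fonts.nix
+++ b/nixos/features/fonts.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }: {
+fonts = {
+packages = with pkgs; [
+atkinson-hyperlegible
+(nerdfonts.override { fonts = [ "FiraCode" ]; })
+];
+fontDir.enable = true;
+enableDefaultPackages = true;
+fontconfig.defaultFonts = {
+sansSerif = [ "Atkinson Hyperlegible" ];
+serif = [ "Atkinson Hyperlegible" ];
+monospace = [ "FiraCode Nerd Font" "Fira Code" ];
+};
+};
+}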

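--- a/nixos/features/podman.nix
+++ b/nixos/features/podman.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }: {
+virtualisation = {
+docker.enable = false;
+podman = {
+enable = true;
+dockerSocket.enable = true;
+defaultNetwork.settings.dns_enabled = true;
+defaultNetwork.settings.ipv6_enabled = true;
+};
+};
+networking.firewall = {
+# interfaces.podman0.allowedUDPPorts = [ 53 ];
+trustedInterfaces = [ "podman0" ];
+};
+}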
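Review bot: `trustedInterfaces = [ "podman0" ]` switches the firewall off for everything arriving from the container default network, so any container on it can reach every service the host listens on (sshd, anything bound to `0.0.0.0`), not just the DNS resolver the containers need. The commented-out line directly above it, `interfaces.podman0.allowedUDPPorts = [ 53 ];`, is the narrower form that still lets the container DNS work; restoring it and dropping `trustedInterfaces` keeps host services out of reach of a compromised container, or if the wide opening is intentional, a comment stating which host service the containers must reach would justify it. `dockerSocket.enable = true` also publishes the rootful podman socket at the Docker path; as I understand the option, members of the `podman` group can then drive it, which on a rootful setup is effectively root, so it is worth noting next to the line which users are expected to be in that group.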

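--- a/nixos/features/sops.nix
+++ b/nixos/features/sops.nix
@@ -0,0 +1,9 @@
+{ inputs, ... }: {
+imports = [
+inputs.sops-nix.nixosModules.sops
+];
+sops.defaultSopsFile = ../../secrets/default.yaml;
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+# sops.secrets.default = {};
+}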

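--- a/nixos/features/sound.nix
+++ b/nixos/features/sound.nix
@@ -0,0 +1,12 @@
+{ pkgs, config, ... }: {
+sound.enable = true;
+hardware.pulseaudio.enable = false;
+security.rtkit.enable = true;
+services.pipewire = {
+enable = true;
+alsa.enable = true;
+alsa.support32Bit = true;
+pulse.enable = true;
+};
+}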


@ -0,0 +1,4 @@
{ pkgs, config, ... }: {
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
}


@ -0,0 +1,5 @@
{ ... }: {
services.tailscale = {
enable = true;
};
}

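--- a/nixos/features/wifi.nix
+++ b/nixos/features/wifi.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }: {
+networking.networkmanager = {
+enable = true;
+};
+# TODO: WiFi password automation
+}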

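--- a/nixos/features/xfce.nix
+++ b/nixos/features/xfce.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }: {
+imports = [
+./sound.nix
+];
+services.xserver = {
+enable = true;
+displayManager = {
+sddm.enable = true;
+defaultSession = "xfce";
+};
+desktopManager = {
+xterm.enable = false;
+xfce.enable = true;
+};
+layout = "us";
+xkbVariant = "";
+};
+}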


@ -0,0 +1,55 @@
{ config, ... }: {
imports = [
./hardware-configuration.nix
../../server.nix
../../features/systemd-boot.nix
../../features/podman.nix
];
networking.hostName = "blueberry";
system.stateVersion = "23.05";
services.qemuGuest.enable = true;
sops.secrets."saerro/database/url" = {
sopsFile = ../../../secrets/blueberry/default.yaml;
};
sops.secrets."saerro/database/password" = {
sopsFile = ../../../secrets/blueberry/default.yaml;
};
sops.secrets."saerro/ws_addr" = {
sopsFile = ../../../secrets/blueberry/default.yaml;
};
pods.enable = true;
pods.pods.saerro = {
routes = let
route = { port = "8003"; };
in {
"saerro.ps2.live" = route;
"saerro-new.ps2.live" = route;
};
exportPorts = [
"0.0.0.0:8003:8003"
];
containers = {
api = {
image = "ghcr.io/genudine/saerro/api:latest";
environment = {
PORT = "8003";
WEBSOCKET_HEALTHCHECK = "http://127.0.0.1:8004/healthz";
};
secrets = {
DATABASE_ADDR = config.sops.secrets."saerro/database/url".path;
};
ports = [
"8003:8003";
];
};
};
};
}
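Review bot: `"8003:8003";` inside the `ports` list is a Nix parse error (list elements are not `;`-terminated), so this host will not evaluate at all; the line should read `"8003:8003"`. Once that is fixed, `containers = {` will be rejected as an undeclared option, because `modules/nixos/pod.nix` in this same commit names the sub-option `container`, and the `volumes` option it declares has no default and is not set here, so the `api` container definition needs `volumes = { };` (or the module needs defaults). `exportPorts = [ "0.0.0.0:8003:8003" ]` binds the API on every interface; if the `routes` entries for `saerro.ps2.live` are meant to front it through a reverse proxy, `"127.0.0.1:8003:8003"` keeps the raw port off the public interface. The file header for this section is not shown; from `networking.hostName` it is the blueberry host.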


@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/cc75594b-3158-455a-9230-b634128713ae";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/1FFC-3FAC";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,15 @@
{ lib, config, pkgs, outputs, ... }: {
imports = [
./hardware-configuration.nix
../../client.nix
../../features/wifi.nix
../../features/xfce.nix
../../features/tailscale.nix
];
home-manager.users.noe = import ../../../home-manager/noe/hosts/thonkpad.nix;
networking.hostName = "thonkpad";
system.stateVersion = "24.05";
}


@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/8b2ea978-a219-4634-ad9e-80c31edc7787";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/9C1A-EB83";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,163 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
../../client.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_zen;
networking.hostName = "thonkpad"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# Enable networking
networking.networkmanager.enable = true;
services.tailscale = {
enable = true;
};
# Set your time zone.
time.timeZone = "America/New_York";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
# Enable the X11 windowing system.
# Configure keymap in X11
services.xserver = {
enable = true;
displayManager = {
defaultSession = "xfce";
sddm.enable = true;
#sddm.wayland.enable = true;
};
desktopManager = {
xterm.enable = false;
xfce.enable = true;
};
layout = "us";
xkbVariant = "";
};
# Enable CUPS to print documents.
#services.printing.enable = true;
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.users.noe = {
isNormalUser = true;
description = "noe";
extraGroups = [ "networkmanager" "wheel" ];
packages = with pkgs; [
firefox
];
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
curl
kitty
git
zsh
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
};
fonts = {
packages = with pkgs; [
atkinson-hyperlegible
(nerdfonts.override { fonts = [ "FiraCode" ]; })
];
fontDir.enable = true;
enableDefaultPackages = true;
fontconfig.defaultFonts = {
sansSerif = [ "Atkinson Hyperlegible" ];
serif = [ "Atkinson Hyperlegible" ];
monospace = [ "FiraCode Nerd Font" "Fira Code" ];
};
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
}
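Review bot: `users.users.noe` here is declared with `wheel` membership but no password source, relying on the template's "set a password with passwd" reminder, so the admin account's credential lives in imperative state and a fresh install of this file alone leaves a wheel user with no usable password. If this file is meant to coexist with the sops-managed user module elsewhere in the tree, import that module here (or set `hashedPasswordFile` the same way) so the declaration is complete. This file also repeats what the host's default.nix already sets (`networking.hostName = "thonkpad"`, `../../client.nix`, tailscale, xfce), which looks like one of the two is stale; if the flake no longer imports this one, delete it rather than let two definitions of the same host drift apart. Which of the two the flake actually uses is not visible in this commit.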

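--- /dev/null
+++ b/nixos/server.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }: {
+imports = [
+./base.nix
+./features/tailscale.nix
+];
+services.openssh.settings.PasswordAuthentication = false;
+system.autoUpgrade = {
+enable = true;
+allowReboot = true;
+rebootWindow = {
+lower = "05:00";
+upper = "07:00";
+};
+};
+}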
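Review bot: `PasswordAuthentication = false` by itself does not turn off password logins on NixOS, because the module leaves `KbdInteractiveAuthentication` at its default of true and PAM then still accepts a password over keyboard-interactive; add `services.openssh.settings.KbdInteractiveAuthentication = false;` next to it. `system.autoUpgrade` is enabled with `allowReboot = true` but sets neither `flake` nor `channel`, so what the timer rebuilds from is whatever the machine's root channel or /etc/nixos happens to point at rather than this repository; set `flake = "git+https://…#<host>"` (or the equivalent input) so unattended upgrades apply reviewed configuration. Whether `services.openssh.enable` is actually set in ./base.nix is not visible here.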

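--- /dev/null
+++ b/nixos/users/noe.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }: {
+users.users.noe = {
+hashedPasswordFile = config.sops.secrets."users/noe/password".path;
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+shell = pkgs.fish;
+openssh.authorizedKeys.keys = [
+''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrjnDY3hlN3cOCMBpcoh4GWdnG5nc9ZeOXJ7MtJVL3I''
+''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBs6/s+973H28jOrvN0zr1eayT+thrs61l1qV7uFhw8I''
+];
+};
+environment.systemPackages = [ pkgs.nixos-rebuild ];
+security.sudo.extraRules = [
+{
+users = [ "noe" ];
+commands = [
+{ command = "${pkgs.nixos-rebuild}/bin/nixos-rebuild"; options = [ "NOPASSWD" "SETENV" ]; }
+{ command = "/run/current-system/sw/bin/nixos-rebuild"; options = [ "NOPASSWD" "SETENV" ]; }
+{ command = "${pkgs.systemd}/bin/systemctl"; options = [ "NOPASSWD" "SETENV" ]; }
+{ command = "/run/current-system/sw/bin/shutdown"; options = [ "NOPASSWD" "SETENV" ]; }
+{ command = "/run/current-system/sw/bin/reboot"; options = [ "NOPASSWD" "SETENV" ]; }
+];
+}
+];
+sops.secrets."users/noe/password".neededForUsers = true;
+}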
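Review bot: The NOPASSWD rules on `nixos-rebuild` and `systemctl` amount to unrestricted passwordless root: `nixos-rebuild switch` activates any configuration the caller names (one that adds a root authorized key, say) and `systemctl edit` / `systemctl link` run an editor or link arbitrary unit files as root, so the list gains nothing over `NOPASSWD: ALL` while reading as if it were narrower. `SETENV` on every entry further lets the caller carry variables such as `NIX_PATH` into the root command. If passwordless rebuilds are the goal, drop `SETENV`, limit systemctl to the verbs actually needed (`"${pkgs.systemd}/bin/systemctl restart *"`, `"… status *"`) and keep `shutdown`/`reboot`; otherwise make the intent explicit with a single `NOPASSWD: ALL` plus a comment saying so.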

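--- /dev/null
+++ b/nixpkgs.nix
@@ -0,0 +1,8 @@
+# A nixpkgs instance that is grabbed from the pinned nixpkgs commit in the lock file
+# This is useful to avoid using channels when using legacy nix commands
+let lock = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.nixpkgs.locked;
+in
+import (fetchTarball {
+url = "https://github.com/nixos/nixpkgs/archive/${lock.rev}.tar.gz";
+sha256 = lock.narHash;
+})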

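--- /dev/null
+++ b/overlays/default.nix
@@ -0,0 +1,33 @@
+# This file defines overlays
+{ inputs, ... }:
+{
+# This one brings our custom packages from the 'pkgs' directory
+additions = final: _prev: {
+# nest everything under a namespace that's not likely to collide
+# with anything in nixpkgs
+local-pkgs = import ../pkgs { pkgs = final; };
+};
+# This one contains whatever you want to overlay
+# You can change versions, add patches, set compilation flags, anything really.
+# https://nixos.wiki/wiki/Overlays
+modifications = final: prev: {
+# example = prev.example.overrideAttrs (oldAttrs: rec {
+# ...
+# });
+};
+unstable-packages = final: _prev: {
+# use 'pkgs.unstable'
+unstable = import inputs.nixpkgs-unstable {
+system = final.system;
+config.allowUnfree = true;
+};
+# use 'pkgs.stable'
+stable = import inputs.nixpkgs-stable {
+system = final.system;
+config.allowUnfree = true;
+};
+};
+}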

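--- /dev/null
+++ b/pkgs/default.nix
@@ -0,0 +1,2 @@
+{ pkgs ? (import ../nixpkgs.nix) { } }: rec {
+}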

42
secrets/default.yaml Normal file

@ -0,0 +1,42 @@
users:
noe:
password: ENC[AES256_GCM,data:+FlVNBkfm8ogTcWlbY9sR4uvWCbX+dBQ8jtXpsNwdvmTN3ibE6ZAx6XbNG1tbfMpCKYHzvgTLyJB6oHCx3gd+RXESB4fqvsxKLA=,iv:SIvnnQhTD5V1myug5OcLr0b4kaT9vg/3nKtpXyunhQM=,tag:HY43Ap9J5ByW4m7+XqcBZQ==,type:str]
ssh_key: ENC[AES256_GCM,data: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,iv:nTMAFWmCi/lcvVWVM3PWujmmnoKpDvr+Yv1Wp4kwdS8=,tag:OjwaupTDKzekQ0en21v8MA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lq5q5g5qjsdcc3key0n6qytkc9z3qx3d3e96ap9zre2aqgvc9ujq82l9hd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRkJDOUZDaUVHTnNsNW9y
eE1DVXVXNUpEOGpsVnZQVkFTUFdvTjlUWUZnCndvVTlId3hGNnZzbXc2YW5MTFY3
TXZabTdoU3p0UVgybUZBdWFJbmUva2MKLS0tIGlNaGJWczlUVGgzYkUyb043WVRT
a3V2d2FjT0JCN0Q0RTZEcnpZZXdlaGsKO7LKi/0hup/vBootyE56eP08flFoILYo
Dp0RU5GaSlTRv5ZbLanML1ocrUJp2TBy8NcGqCywCMChN9PzeGVGGQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1f5cqspxexkl8f42v5ne47mx6xmm4v00lafdlslq9g79a508e4p9qrku72s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRW9IZEJ5SUthM3FsSFZy
ZVc2TGk4SjhKanlkN2owMUN3L2ZST0FmQ0djCitIQ0RaOFhoSGdWZnp4cWZPR0pj
TjdidlBaOUFLYndONExzWTJvUVgydUkKLS0tIEw5eDJTMXVnc2VlcHRvdmR4Y0Vz
Y1ZpMGFXZVl3UE5yU1VlcjdsWEtETmcKo6RNsXqER4K+M9BpRiL+13Lj67iY6Kxk
7xTcxNzzk5aXaVT8iUfKuh6fITr23CDfBVRgIw59AKINtQfCeofxdg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ts3t7q08cthuwj39juajve2jjk0rw28ljzesnrmnkwd0n7zs49kq7dgxnm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRUNtbnA5ZjBxNkpQdFVs
ejc0Z1huVkNNWVA3amczMzNqMVQ2NThwNDM4Cjc5a2lXckM5NWdva1BqbFFXdnhD
dTYxZlp1VEFaK1hGSVc5QmUrMzl6VTQKLS0tIHhQYUlYSkRSVTNxa3hWS0plWG50
WG92WDdZYXZjZEhGWFZpVmpTTTVUc00KLYBVIJj3hm75/qtApgUCDRHxT8m+qy3x
ymdV0aKTMmam9/POlDeKTvj+GNx/gZ0cWH8cmRCjSMstp3DgG0/Hzw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-10T04:05:10Z"
mac: ENC[AES256_GCM,data:73XfD7acH2PkT3DCO33tOkrdpdur8g7NkkXJp9OvRvqwdregVos++TmabA6/akrrRFPJkWwI2/Y5WZQjWzIkFWsFnzj0cl0Dv0sT69YrhpsidiaNMUbyIt+D29T0s4AIvccCjh64HSXJjWRPzLawIypJSQkkTzbQkIDsC2n6T98=,iv:s9Fn3CSllkRXM4qD70kHdveCnoRzOh70YNXjMTxcBqM=,tag:SKm6CwT1517DH6ldWpgVpg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

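--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,19 @@
+# Shell for bootstrapping flake-enabled nix and home-manager
+# You can enter it through 'nix develop' or (legacy) 'nix-shell'
+{ pkgs ? (import ./nixpkgs.nix) { } }: {
+default = pkgs.mkShell {
+# Enable experimental features without having to specify the argument
+NIX_CONFIG = "experimental-features = nix-command flakes";
+nativeBuildInputs = with pkgs; [
+nix
+home-manager
+git
+just
+sops
+age
+ssh-to-age
+bun
+];
+};
+}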

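--- /dev/null
+++ b/tools/onboard-machine.js
@@ -0,0 +1,71 @@
+import { dirname, resolve, relative } from "path"
+import { parseDocument, stringify, } from "yaml"
+const [, script, name, host] = process.argv
+const sopsFilePath = resolve(dirname(script), "../.sops.yaml")
+const sopsFile = await Bun.file(sopsFilePath).text()
+const sopsConfig = parseDocument(sopsFile)
+//
+// STEP 1: Get the remote key, convert to age key
+//
+const remoteKeyProc = Bun.spawn(`ssh-keyscan -t ed25519 ${host}`.split(" "), {
+stderr: null,
+})
+const sshToAgeProc = Bun.spawn(["ssh-to-age"], {
+stdin: await new Response(remoteKeyProc.stdout).arrayBuffer()
+})
+const ageKey = (await new Response(sshToAgeProc.stdout).text()).trim()
+//
+// STEP 2: Add to keys
+//
+const keysNode = sopsConfig.get("keys")
+let keys = keysNode.items
+// remove keynode if it exists
+keys = keys.filter(i => i.anchor !== `m_${name}`)
+// create the new key node
+const newNode = sopsConfig.createNode(ageKey)
+newNode.anchor = `m_${name}`
+keys = [...keys, newNode]
+keysNode.items = keys
+sopsConfig.set("keys", keysNode)
+//
+// STEP 3: Add machine to creation_rules
+//
+const pathRegex = `secrets/${name}/[^/]+\\.(yaml|json|env|ini)$`
+const opsAnchors = keys.filter(i => i.anchor.startsWith("op_")).map(i => sopsConfig.createAlias(i))
+//console.log({opsAnchors})
+const creationRuleTemplate = ({
+path_regex: pathRegex,
+key_groups: [
+{
+age: [
+...opsAnchors,
+sopsConfig.createAlias(newNode)
+]
+}
+]
+})
+// Remove old creation_rules entry
+const creationRules = sopsConfig.get("creation_rules").items.filter(i => i.get("path_regex") !== pathRegex)
+const creationRulesNode = sopsConfig.createNode(creationRules)
+creationRulesNode.add(creationRuleTemplate)
+sopsConfig.set("creation_rules", creationRulesNode)
+await Bun.write(sopsFilePath, sopsConfig.toString())
+console.log(`Finished. Added ${name} with key ${ageKey} to ${relative(dirname(script), sopsFilePath)}.`)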
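Review bot: The age recipient written into .sops.yaml is whatever `ssh-keyscan` piped through `ssh-to-age` happened to print, with no exit-status check and no shape check, so an unreachable host or one without an ed25519 host key yields an empty `ageKey` that is committed as the machine's key and aliased into a creation rule; validate it before touching the file. The scan is also trust-on-first-use against the network with stderr discarded, so a key obtained this way should be confirmed out of band (e.g. against `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the new machine's console) before secrets are re-encrypted to it — print what was derived and say so. `name` is interpolated unescaped into `pathRegex` and into YAML anchors, and `host` is split on spaces straight into the `ssh-keyscan` argv, so both should be restricted to a safe character set up front. A guarded version of the argument handling and STEP 1 exit:

```javascript
const [, script, name, host] = process.argv
if (!/^[A-Za-z0-9_-]+$/.test(name ?? "") || !/^[A-Za-z0-9_.:-]+$/.test(host ?? "")) {
  console.error(`usage: onboard-machine.js <name> <host> (got name=${name}, host=${host})`)
  process.exit(1)
}
// … unchanged: .sops.yaml load, spawn of ssh-keyscan and ssh-to-age …
const ageKey = (await new Response(sshToAgeProc.stdout).text()).trim()
if ((await remoteKeyProc.exited) !== 0 || (await sshToAgeProc.exited) !== 0 || !/^age1[a-z0-9]{58}$/.test(ageKey)) {
  console.error(`could not derive an age key for ${host}: got ${JSON.stringify(ageKey)}`)
  process.exit(1)
}
console.log(`Derived ${ageKey} from ${host}'s ed25519 host key over the network; confirm it against ssh-keygen -lf on the machine before committing.`)
// … unchanged: STEP 2 and STEP 3 …
```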