chayleaf/dotfiles
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
dotfiles/flake.nix
chayleaf 69ce2ffdbc store secrets separate from this flake 
This uses a native plugin (pkgs.nix-plugins) to avoid using --impure,
other options involving secret files are too limited for my use case as
I need eval-time access to secrets. Moving it to a private flake is
another option, but Nix flakes are poorly suited for non-monorepos.
Previously I just renamed .git to .git.bak to make sure Nix pulls the
"private" subdir into store as well, but this new system may be more
robust and can be extended to way be more secure in the future (e.g.
right now I copy the secret .nix files to store, but in general there's
no need to do that).

Of course the main drawback is that now I require a plugin for this
flake to work.
2023-05-26 00:46:38 +07:00

208 lines
8.3 KiB
Nix
Raw Blame History

{
description = "NixOS + Home Manager configuration of chayleaf";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware";
impermanence.url = "github:nix-community/impermanence";
nur.url = "github:nix-community/NUR";
rust-overlay = {
url = "github:oxalica/rust-overlay";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-gaming = {
url = "github:fufexan/nix-gaming";
inputs.nixpkgs.follows = "nixpkgs";
};
notlua = {
url = "github:chayleaf/notlua/469652092f4f2e951b0db29027b05346b32d8122";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs-22_11.follows = "nixpkgs";
};
};
outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, nixos-mailserver, ... }:
let
# IRL-related stuff I'd rather not put into git
priv = pkgs:
if builtins.pathExists ./private.nix then (import ./private.nix)
else if builtins.pathExists ./private/default.nix then (import ./private)
# workaround for git flakes not having access to non-checked out files
else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets pkgs
# yes, this is impure, this is a last ditch effort at getting access to secrets
else import /etc/nixos/private;
# if x has key s, get it. Otherwise return def
getOr = def: s: x: with builtins; if hasAttr s x then getAttr s x else def;
# All private config for hostname
getPriv = pkgs: hostname: getOr { } hostname (priv pkgs);
# Private NixOS config for hostname
getPrivSys = pkgs: hostname: getOr { } "system" (getPriv pkgs hostname);
# Private home-manager config for hostname and username
getPrivUser = pkgs: hostname: user: getOr { } user (getPriv pkgs hostname);
# extended lib
lib = nixpkgs.lib // {
quoteListenAddr = addr:
if nixpkgs.lib.hasInfix ":" addr then "[${addr}]" else addr;
};
# can't use callPackage here, idk why; use import instead
overlay = self: super: import ./pkgs {
pkgs = super;
lib = super.lib;
nur = import nur {
pkgs = super;
nurpkgs = super;
};
nix-gaming = nix-gaming.packages.${super.system};
};
# I override some settings down the line, but overlays always stay the same
mkPkgs = config: import nixpkgs (config // {
overlays = (if config?overlays then config.overlays else [ ]) ++ [ overlay ];
});
# this is actual config, it gets processed later
config = {
nixserver = {
modules = [
nixos-mailserver.nixosModules.default
./system/hardware/hp_probook_g0.nix
./system/hosts/nixserver
];
};
router = {
system = "aarch64-linux";
modules = [
./system/hardware/bpi_r3.nix
./system/hosts/router
];
};
nixmsi = rec {
system = "x86_64-linux";
modules = [
nix-gaming.nixosModules.pipewireLowLatency
./system/hardware/msi_delta_15.nix
./system/hosts/nixmsi.nix
];
home.common.enableNixosModule = false;
home.common.extraSpecialArgs = {
notlua = notlua.lib.${system};
};
home.user = [
nur.nixosModules.nur
./home/hosts/nixmsi.nix
];
};
};
in {
overlays.default = overlay;
packages = lib.genAttrs [
"x86_64-linux"
"aarch64-linux"
] (system: let self = overlay self (import nixpkgs { inherit system; }); in self );
# this is the system config part
nixosConfigurations = builtins.mapAttrs (hostname: args @ { system ? "x86_64-linux", modules, nixpkgs ? {}, home ? {}, ... }:
lib.nixosSystem ({
inherit system;
modules = modules ++ [
{ networking.hostName = hostname; }
./system/modules/vfio.nix
./system/modules/ccache.nix
./system/modules/impermanence.nix
./system/modules/common.nix
impermanence.nixosModule
(getPrivSys (import inputs.nixpkgs { inherit system; }) hostname)
({ config, pkgs, ... }: {
nixpkgs.overlays = [ overlay ];
nix.extraOptions = ''
plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
'';
nix.registry =
builtins.mapAttrs
(_: v: { flake = v; })
(lib.filterAttrs (_: v: v?outputs) inputs);
# add import'able flakes (like nixpkgs) to nix path
environment.etc = lib.mapAttrs'
(name: value: {
name = "nix/inputs/${name}";
value = { source = value.outPath; };
})
(lib.filterAttrs (_: v: builtins.pathExists "${v}/default.nix") inputs);
nix.nixPath = [ "/etc/nix/inputs" ];
})
] ++ (lib.optionals (home != {} && (getOr true "enableNixosModule" (getOr {} "common" home))) [
# only use NixOS HM module if same nixpkgs as system nixpkgs is used for user
# why? because it seems that HM lacks the option to override pkgs, only change nixpkgs.* settings
home-manager.nixosModules.home-manager
{
home-manager = builtins.removeAttrs (getOr { } "common" home) [ "nixpkgs" "nix" "enableNixosModule" ];
}
{
home-manager.useGlobalPkgs = false;
home-manager.useUserPackages = false;
home-manager.users = builtins.mapAttrs (username: modules: {
imports = modules ++ [
{
nixpkgs = getOr { } "nixpkgs" (getOr { } "common" home);
nix = getOr { } "nix" (getOr { } "common" home);
}
({ config, pkgs, lib, ...}: {
nixpkgs.overlays = [ overlay ];
nix.package = lib.mkDefault pkgs.nixFlakes;
nix.extraOptions = ''
plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
'';
})
(getPrivUser (import nixpkgs { inherit system; }) hostname username)
];
}) (builtins.removeAttrs home [ "common" ]);
}
]);
specialArgs = {
inherit lib nixpkgs;
hardware = nixos-hardware.nixosModules;
};
} // (builtins.removeAttrs args [ "home" "modules" "nixpkgs" ])))
config;
# for each hostname, for each user, generate an attribute "${user}@${hostname}"
homeConfigurations =
builtins.foldl'
(a: b: a // b)
{ }
(builtins.concatLists
(lib.mapAttrsToList
(hostname: sysConfig:
let
system = if sysConfig?system then sysConfig.system else "x86_64-linux";
common = builtins.removeAttrs (getOr { } "common" sysConfig.home) [ "nixpkgs" "enableNixosModule" ];
pkgs = getOr (mkPkgs { inherit system; }) "pkgs" common;
common' = common // { inherit pkgs; };
in
lib.mapAttrsToList
# this is where actual config takes place
(user: homeConfig: {
"${user}@${hostname}" = home-manager.lib.homeManagerConfiguration (common' // {
modules = homeConfig ++ [
(getPrivUser (import nixpkgs { inherit system; }) hostname user)
({ config, pkgs, lib, ... }: {
nixpkgs.overlays = [ overlay ];
nix.package = lib.mkDefault pkgs.nixFlakes;
nix.extraOptions = ''
plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
'';
})
];
});
})
(builtins.removeAttrs (getOr { } "home" sysConfig) [ "common" ]))
config));
};
}
Reference in a new issue View git blame Copy permalink