commit 44311a2e72fb39a80c28aeb1c2d1f0a77f5c566c
Author: Simon Bruder
Date: Sun Jul 18 10:08:26 2021 +0200
init
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..8a70e24
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,16 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+
+[*.{json,md,nix,py,sh}]
+indent_style = space
+
+[*.{json,md,nix}]
+indent_size = 2
+
+[*.{py,sh}]
+indent_size = 2
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..f0d2f59
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,13 @@
+# if the nix version from the environment does not support flakes, this adds
+# nix unstable to the environment
+if ! nix flake metadata >/dev/null; then
+ use_flake() {
+ watch_file flake.nix
+ watch_file flake.lock
+ [ -d "$(direnv_layout_dir)" ] || mkdir "$(direnv_layout_dir)"
+ eval "$(nix print-dev-env --profile "$(direnv_layout_dir)/flake-profile")"
+ }
+ use nix
+fi
+
+use flake
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a18ae5c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+# Nix
+result*
+.direnv
+
+# automatically generated
+.pre-commit-config.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..15af32e
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+creation_rules:
+ - path_regex: secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *simon
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..318b3f3
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# NixOS configurations of the FabLab Bad Windsheim
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..286ca67
--- /dev/null
+++ b/flake.lock
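Review bot: The flake-support probe `nix flake metadata >/dev/null` on the third line of .envrc silences only stdout, so on a nix without flake support the expected "unrecognised command" error is printed on every directory entry, and a probe that fails for an unrelated reason (no network while inputs are fetched, for instance) is indistinguishable from missing flake support. Redirecting stderr as well keeps the fallback quiet: `if ! nix flake metadata >/dev/null 2>&1; then`. The fallback `use_flake` is defined only inside that branch, so on a flake-capable nix the closing `use flake` presumably relies on direnv's own implementation; a one-line comment above `use flake` saying so would help readers who wonder where the function comes from in the other case.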
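Review bot: The single key group in .sops.yaml holds one PGP recipient (`&simon`), so every file matching `secrets\.yaml$` can be decrypted only with that one private key: losing it loses the secrets, and no host can decrypt its own secrets at activation time, which sops-nix presumably needs. The devShell's `ssh-to-pgp` suggests host keys are meant to be added later; when they are, each host key belongs in this same `pgp:` list (or a sibling `age:` list), since by default sops requires every key group to participate, so a second group would not serve as an alternative recipient. A comment above `creation_rules` naming the intended secrets files would also help, because the regex matches `secrets.yaml` at any depth.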
@@ -0,0 +1,130 @@ +{ + "nodes": { + "flake-utils": { + "locked": { + "lastModified": 1623875721, + "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "krops": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1597485541, + "narHash": "sha256-+fqI9qh7zpC2WxinFZlaiDsbvMb/IJxFIiGfdA/xLps=", + "owner": "Mic92", + "repo": "krops", + "rev": "c3a1ffab03e8cfbb7ff532bdfa10b26b3dc76911", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "krops", + "type": "github" + } + }, + "nix-pre-commit-hooks": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1624971177, + "narHash": "sha256-Amf/nBj1E77RmbSSmV+hg6YOpR+rddCbbVgo5C7BS0I=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "397f0713d007250a2c7a745e555fa16c5dc8cadb", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "master", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1625333638, + "narHash": "sha256-M6J9RN60XJyv6nUfDFCwnz5aVjhe8+GJnV8Q9VpdQQQ=", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "41775780a0b6b32b3d32dcc32bb9bc6df809062d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1626489334, + "narHash": "sha256-WcQDF/JB3yWfO7E37M6rlUCKkqcMwG2UiWz+2Vsib9Y=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b2f87e0043aaf3f0f05cc983bd6aa80a616b8352", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-21.05", + "repo": "nixpkgs", + "type": "github" + } + }, + 
"root": { + "inputs": { + "flake-utils": "flake-utils", + "krops": "krops", + "nix-pre-commit-hooks": "nix-pre-commit-hooks", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1625936460, + "narHash": "sha256-U6xlITKrYuhlHWe+poACaz4GJl3ZVN1BSUqZe2gFg+g=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "ec2800174de5a7be8ec5b144819af2c7de77abe2", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..9377929 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,133 @@
+{
+ inputs = {
+ flake-utils.url = "github:numtide/flake-utils";
+
+ nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
+ nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
+ nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
+
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05";
+
+ nixos-hardware.url = "github:nixos/nixos-hardware/master";
+
+ krops.url = "github:Mic92/krops";
+ krops.inputs.flake-utils.follows = "flake-utils";
+ krops.inputs.nixpkgs.follows = "nixpkgs";
+
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs =
+ { self
+ , flake-utils
+ , krops
+ , nix-pre-commit-hooks
+ , nixpkgs
+ , ...
+ }@inputs: flake-utils.lib.eachDefaultSystem
+ (system:
+ let
+ pkgs = nixpkgs.legacyPackages.${system};
+ inherit (pkgs) lib;
+ in
+ rec {
+ checks = {
+ pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {
+ src = ./.;
+ hooks = {
+ black.enable = true;
+ nixpkgs-fmt.enable = true;
+ shellcheck.enable = true;
+ };
+ };
+ };
+
+ devShell = pkgs.mkShell {
+ name = "fablab-nixos-config";
+
+ buildInputs = (with pkgs; [
+ black
+ nixpkgs-fmt
+ shellcheck
+ sops
+ ssh-to-pgp
+ ]);
+
+ shellHook = ''
+ find ${./keys} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import
+ '' + self.checks.${system}.pre-commit-check.shellHook;
+ };
+
+ apps = lib.mapAttrs
+ (name: program: { type = "app"; program = toString program; })
+ (flake-utils.lib.flattenTree {
+ deploy = lib.recurseIntoAttrs (lib.mapAttrs
+ (hostname: machine:
+ let
+ inherit (krops.packages.${system}) writeCommand;
+ inherit (krops) lib;
+ in
+ writeCommand "deploy-${hostname}" {
+ target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {
+ extraOptions = [
+ # force allocation of tty to allow aborting with ^C and to show build progress
+ "-t"
+ ];
+ };
+ source = lib.evalSource (lib.singleton {
+ config.file = {
+ path = toString ./.;
+ useChecksum = true;
+ };
+ });
+ command = targetPath: ''
+ nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
+ '';
+ }
+ )
+ self.nixosConfigurations);
+
+ showKeyFingerprint = pkgs.writeShellScript "show-key-fingerprint" ''
+ ${pkgs.gnupg}/bin/gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
+ '';
+ });
+ }) // {
+ overlay = import ./pkgs;
+
+ nixosConfigurations = nixpkgs.lib.mapAttrs
+ (hostname: { system
+ , extraModules ? [ ]
+ , targetHost ? hostname
+ }: nixpkgs.lib.nixosSystem rec {
+ inherit system;
+
+ modules = [
+ (./machines + "/${hostname}/configuration.nix")
+
+ ./modules
+
+ {
+ _module.args.inputs = inputs;
+ }
+
+ # deployment settings
+ ({ lib, ... }: {
+ options.deployment = {
+ targetHost = lib.mkOption {
+ type = lib.types.str;
+ readOnly = true;
+ internal = true;
+ };
+ };
+ config.deployment = {
+ inherit targetHost;
+ };
+ })
+ ] ++ (with inputs; [
+ sops-nix.nixosModules.sops
+ ]) ++ extraModules;
+ })
+ (import ./machines inputs);
+ };
+}
diff --git a/keys/users/simon.asc b/keys/users/simon.asc
new file mode 100644
index 0000000..d5aa897
--- /dev/null
+++ b/keys/users/simon.asc
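Review bot: `showKeyFingerprint` resolves `"keys/''${1}.asc"` relative to the current working directory, so the app only works when run from the repository root; anchoring it to the flake source the way `shellHook` already does — `${pkgs.gnupg}/bin/gpg --with-fingerprint --with-colons --show-key "${./keys}/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'` — removes that dependence. With the key committed under `keys/users/`, the argument has to be `users/simon` rather than a bare name; a usage comment on the script would spare the guess. Inside the deploy lambda, `inherit (krops) lib;` shadows the `lib` inherited from `pkgs` in the outer `let`, which is easy to misread at `lib.mkTarget`/`lib.evalSource`; a distinct name such as `kropsLib` would make the origin of each helper obvious. The `shellHook` also imports every file under `keys/` into the developer's default GnuPG keyring on each shell start, with `--quiet` hiding what was added; a comment stating that only public keys live there, and that the import is what makes `sops` find the recipients from `.sops.yaml`, would document the intent.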
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF/lCz0BEADKOij3IA1IIiZc9c8rgxTUtrn4W1R8ncgsnFuXIDGD35dBB9e0
+wd5noQigoqts9N8ULHEV6J8AuBdl1IP2nAKAr6h3F+hrLjL5tZZCPpTN5fhxWguz
+wt6aFZgcFwFmQfZHSInxO2XpcibyJAs5ZXW3cO+VYQdVxXLT6KOLKkqWCCGMlQSt
+xNigzNbrjUcjrcGBcjNbFJs0P4BkVvD6+3xBerpT6zwAuFdBiUpZZk+XI1QCAuVF
+6ld5A+x+pwvKoN/n040UAUAdLTne7oisNonLhSvZVrH2uH4dKkku/yi2glSkUwps
+n+ffr0jD9VrdbxktcqQBE0WU2q7Eqe6EjSxURHI6uJ/wFh0QeYR8sT5mgPMt5O9T
+T49Kz2uUdljuHW0eI37DJSUDcXWh0OtuENRFf7m0lvIIaaPpbPM4btS8j9lCFs9h
+pJsQIQbNjV+UmIBvddDKGwcL+DHJFk0E2sqPYOwsebvbQLhVvPSPWWUVKrqMay9Y
+Vd9KKy/KddESzM6c3TFmUbkEj1h4qWSZ0XX0vGL8LL68maaDHwO1nKuw/XfSpjAC
+c+3wuqAgwFB+ihO/qWs8CB0z+wo+7NK9OUUVVucu2duUUjNknf6+v6fPedtziapp
+SHVQQKWYvozxVa7XU+dnrU3ZUHzIrv6Fr6yTdGy6fw7pE3yPFIwbw9vsowARAQAB
+tB9TaW1vbiBCcnVkZXIgPHNpbW9uQHNicnVkZXIuZGU+iQJSBBMBCgA8FiEER+dV
+ngN6NWUtu/iqjTyC+fMJ+OwFAl/lCz0CGwMFCQeEzgAECwkIBwQVCgkIBRYCAwEA
+Ah4BAheAAAoJEI08gvnzCfjsYFoP+weWMfiJ3mMeBeZBBcgp9NZTjrJoc2tKn/9s
+RL4PL/3lwLRSEu6JS4LauAD6fW1d5QnNnUe4nIcvTO6RvJ7R/lDWg1KL+pdCfYtk
+FiIesUkp+eW5Gqw5m6Bt1a9UjXdtHJuVGKQ/XjxC2914Ps6nhp5mY+NUm5zwZCBK
+qbjiPjD17TeTCThEui3kwl0sgBhNX/eCPpJZtw3u7vzxpN24+sX8Ogo9r4nRtHKv
+64vVggiT1Iu9JXm9KYlySFDZed9iVbgM2wKpylw1I0+F4VS8Jw/RDiIW61exKxAe
+VuxPzbIGeJ0R8u0ZcvTiRbXr7op9barUDCQFn2K2oHXd8uCMUULinlO2pPYyshGh
+znnZcZIvawqtWnImNnyTvKYe5Il9w2fmm6SzwRmcMvHBZ60eJC/PmnhpRcpBxyiG
+mAWgFmmgMhc81wcPZFD0Mp91twMDHRchgfmBBlNdqMBt9nNJ2Mm7o52mVX/daMG4
+VCqLdvbW9mWkyQVjfBq30XabanzN8RST63LlZEwArQqFpH8OifNMHI22fW2xGvPq
+09k6SLA9qbobGFw+OGKIaGHiVbFq5aeTkqHr0sgL8QBHUJWv+SE0q49GfDDvA4JE
+iDsLW6RJuNFGTaBq/NzN3A7iT8tTcdClYc7MSQxsEyTpuU+BlC9ewNC4cV/PyJ8l
+13yeMkdZuQINBF/lCz0BEADs+rV9/tDQ6hyJlgMEKA34LjV4OEBdpwnRS51juXYt
+nJiRC22Ljs6FY3NivOQPUNJR4yLU7/FGCGgyXlsLEyMIqH5Lldq1iaTMY8FHSdc4
+e+BM4QYCiaYT05Jqeydorq0fZe0nIXobK7RqB4dG543JNzrttotQ94qpx/cFUy6i
+ADxp216IyDFh0q10TKao/GB2gwkbOlRNuLYXXUMDON9i8VL0Yh7p0KhZuOl2vREm
+9/IQDJJHFv4CbSTmdQ0de+k8rVgyiW05SdYq3vrqRmNuI9fbGTf3vw8bHljq1SiH
+VoapbNJ8CnQCRzrsaX+pOlJwFVUUjxco7iyCHKFobfx+3ju5kwc+i/58nDiSkxMV
+DPqfjFXnN+72EihfHiw56k1zIRhF9D9b8eq6aqGOIgTtjRujQUR9Rn5BJRZ87/pR
+nlZsS3wE3nQxOo7fXKv9FU7TyEy6gu1LuK53dUk5xLlu4zMoIP8mc/mZchXqsksi
+JSWPFDeXh9HLFhKyzintRxdXNp5xV5XaXsMlFkNiTBLUHLbU8Ln9tiLcuJZ29y3b
+ynLtVo+GN4+G5b+koIoZ9065qSJ0coBPMUa6o7go2e1/oil+xKmtM3UHS+mMNa+4
+elSqSRdpv3Xgo5lLNP+e60FpN155/93Hq33UMvh8rS9KVaQgp0c1unP99ewY84ra
+9QARAQABiQI8BBgBCgAmFiEER+dVngN6NWUtu/iqjTyC+fMJ+OwFAl/lCz0CGwwF
+CQeEzgAACgkQjTyC+fMJ+OzfUBAAkVNY0chFGvzWHOxEKNJY9rW5EQrayrKPNhjr
+3j9xHoD+1AO7Yinqgd8Ribw88l1+2lVQGHIpIQ2ZPDz/XGND5FvP5PrW71FcUJ/z
+AKaEnYP4iZ1jgnjp280bJ2iHBMmHc5cs/7OwTCs1uos1kWhjLGA9M12OWDWN9iqB
++UJo5W8hs9c5LpYp7ByThQp+g0m3E/ZWSbfZqi0BqWX/X6QC1MMXYS1lZcg6qttF
+rs6d9hquNHZO7PkI73Ph89DWdxMIirmmn4Iwv88w3jW1KJXiGJbp0N2yooZFtsq+
+Yd5SHexET9rtU49BfeggEcWuDWJCGvPqdqCfAH6lKe9ddXwQx/R4f+Ffib8WYA6k
+49HA55U6WfPs74yfbR09mh79kDV2uQgtkaHFJyuVuO4e3oyUoqe3hQdqOMR2lCAR
+NSc7j5JdR9LxkUDqjUT8ipjzsTxwgPHaO0QkUjugs2v1TpivsDSRooI7NzWFTxbk
+MkUX5BGUnPnEivBiB3n++1o5kZp1jk3OAi8cqVkosOMjduWei8f6yKpQ4ZKg9cH7
+ovqpDS9R6CDrACDPNJSTBn2VyOdjGVc4FrhGsXp3FAe5prt1b9psvYTTuXrZZJZP
+dI1cLPI0Knyymf56gVMGCjp+x1+w7ef0ylGLPtFEuy/6iqWR3H5htZDQo3AgOVgd
+R7VFGCA=
+=7eg7
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/machines/default.nix b/machines/default.nix
new file mode 100644
index 0000000..beaf18a
--- /dev/null
+++ b/machines/default.nix
@@ -0,0 +1,5 @@
+{ ... }@inputs:
+let
+ hardware = inputs.nixos-hardware.nixosModules;
+in
+{ }
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..f7e9be4
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,4 @@
+{
+ imports = [
+ ];
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
new file mode 100644
index 0000000..ce16870
--- /dev/null
+++ b/pkgs/default.nix
@@ -0,0 +1 @@
+final: prev: { }
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..e7b19d8
--- /dev/null
+++ b/shell.nix
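Review bot: In machines/default.nix `hardware` is bound in the `let` but never referenced, and the returned set is `{ }`, so `nixosConfigurations` and the `deploy` apps in flake.nix evaluate to nothing until a host is added. If this is scaffolding, a comment next to `{ }` documenting the shape flake.nix destructures — `# one attribute per host: { system, extraModules ? [ ], targetHost ? hostname }` — would tell the next contributor what to add, and the unused binding could be dropped until a host actually uses a nixos-hardware module.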
@@ -0,0 +1,11 @@
+{ pkgs ? import { } }:
+
+pkgs.mkShell {
+ name = "fablab-nixUnstable-shell";
+
+ nativeBuildInputs = with pkgs; [
+ (pkgs.writeShellScriptBin "nix" ''
+ exec -a nix ${pkgs.nixUnstable}/bin/nix --experimental-features "nix-command flakes" "$@"
+ '')
+ ];
+}
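Review bot: The first line reads `{ pkgs ? import { } }:`, and `import` with no path does not evaluate; presumably a `<nixpkgs>` search-path reference was dropped when the page was rendered, but if the committed file really lacks it the bootstrap shell fails before the `nix` wrapper is ever built, so this is worth confirming in the repository. Because this shell exists only to obtain a flake-capable nix, it resolves `nixUnstable` from whatever channel the user has rather than from the pinned flake inputs; a comment on `nativeBuildInputs` saying the unpinned bootstrap is intentional would set expectations. The wrapper `exec -a nix ${pkgs.nixUnstable}/bin/nix --experimental-features "nix-command flakes" "$@"` enables those features for every nix invocation inside the shell, which is exactly what the fallback branch in .envrc relies on; noting that dependency in a comment keeps the two files from drifting apart.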