From 44311a2e72fb39a80c28aeb1c2d1f0a77f5c566c Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sun, 18 Jul 2021 10:08:26 +0200
Subject: [PATCH] init
---
 .editorconfig | 16 ++++++
 .envrc | 13 +++++
 .gitignore | 6 ++
 .sops.yaml | 7 +++
 README.md | 1 +
 flake.lock | 130 ++++++++++++++++++++++++++++++++++++++++++
 flake.nix | 133 +++++++++++++++++++++++++++++++++++++++++++
 keys/users/simon.asc | 52 +++++++++++++++++
 machines/default.nix | 5 ++
 modules/default.nix | 4 ++
 pkgs/default.nix | 1 +
 shell.nix | 11 ++++
 12 files changed, 379 insertions(+)
 create mode 100644 .editorconfig
 create mode 100644 .envrc
 create mode 100644 .gitignore
 create mode 100644 .sops.yaml
 create mode 100644 README.md
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 keys/users/simon.asc
 create mode 100644 machines/default.nix
 create mode 100644 modules/default.nix
 create mode 100644 pkgs/default.nix
 create mode 100644 shell.nix
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..8a70e24
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,16 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+
+[*.{json,md,nix,py,sh}]
+indent_style = space
+
+[*.{json,md,nix}]
+indent_size = 2
+
+[*.{py,sh}]
+indent_size = 2
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..f0d2f59
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,13 @@
+# if the nix version from the environment does not support flakes, this adds
+# nix unstable to the environment
+if ! nix flake metadata >/dev/null; then
+ use_flake() {
+ watch_file flake.nix
+ watch_file flake.lock
+ [ -d "$(direnv_layout_dir)" ] || mkdir "$(direnv_layout_dir)"
+ eval "$(nix print-dev-env --profile "$(direnv_layout_dir)/flake-profile")"
+ }
+ use nix
+fi
+
+use flake
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a18ae5c
--- /dev/null
+++ b/.gitignore
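Review bot: The `[*.{py,sh}]` section sets `indent_size = 2` for Python files, but flake.nix in this same commit enables black as a pre-commit hook with default settings, and black reindents Python to 4 spaces, so editors honouring this file will disagree with the formatter on every `.py` file. Unless black is meant to be configured differently, split the section into `[*.py]` with `indent_size = 4` and `[*.sh]` with `indent_size = 2`. If 2 is intentional for both, the section is identical to `[*.{json,md,nix}]` and the two could simply be merged.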
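Review bot: The feature probe `nix flake metadata >/dev/null` only silences stdout, so on a nix without flake support (the very case this branch exists for) the error it prints lands in the terminal on every directory entry; `if ! nix flake metadata >/dev/null 2>&1; then` keeps the check quiet. As far as I know `nix flake metadata` also resolves the flake's inputs to answer, which turns a feature test into network work on flake-capable installs; a probe that does not evaluate the flake would be cheaper, but confirm it behaves the same on the nix versions in use. The later `use nix` only works because shell.nix supplies the `nix` wrapper, which is worth stating in the comment above the `if`.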
@@ -0,0 +1,6 @@
+# Nix
+result*
+.direnv
+
+# automatically generated
+.pre-commit-config.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..15af32e
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+creation_rules:
+ - path_regex: secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *simon
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..318b3f3
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# NixOS configurations of the FabLab Bad Windsheim
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..286ca67
--- /dev/null
+++ b/flake.lock
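Review bot: The only recipient in `creation_rules` is the `*simon` PGP key, so a `secrets.yaml` encrypted under this rule can be opened by that key alone: the machines that are meant to consume it through sops-nix have no key in the group yet, and loss of this single key makes every secret unrecoverable. Before any secret is committed, each target host's key (ssh-to-pgp is already in the devShell for deriving it from the host SSH key) should be anchored under `keys:` and listed in the `pgp:` group next to `*simon`, and a second operator key is worth considering for recovery. A comment such as `# add each host's key to this group before deploying secrets to it` would keep that from being forgotten. Also note that `secrets\.yaml$` matches that file name at any depth in the tree, which is presumably intended.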
@@ -0,0 +1,130 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1623875721,
+ "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "krops": {
+ "inputs": {
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1597485541,
+ "narHash": "sha256-+fqI9qh7zpC2WxinFZlaiDsbvMb/IJxFIiGfdA/xLps=",
+ "owner": "Mic92",
+ "repo": "krops",
+ "rev": "c3a1ffab03e8cfbb7ff532bdfa10b26b3dc76911",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "krops",
+ "type": "github"
+ }
+ },
+ "nix-pre-commit-hooks": {
+ "inputs": {
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1624971177,
+ "narHash": "sha256-Amf/nBj1E77RmbSSmV+hg6YOpR+rddCbbVgo5C7BS0I=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "397f0713d007250a2c7a745e555fa16c5dc8cadb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "ref": "master",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
+ "nixos-hardware": {
+ "locked": {
+ "lastModified": 1625333638,
+ "narHash": "sha256-M6J9RN60XJyv6nUfDFCwnz5aVjhe8+GJnV8Q9VpdQQQ=",
+ "owner": "nixos",
+ "repo": "nixos-hardware",
+ "rev": "41775780a0b6b32b3d32dcc32bb9bc6df809062d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "master",
+ "repo": "nixos-hardware",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1626489334,
+ "narHash": "sha256-WcQDF/JB3yWfO7E37M6rlUCKkqcMwG2UiWz+2Vsib9Y=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "b2f87e0043aaf3f0f05cc983bd6aa80a616b8352",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-21.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "krops": "krops",
+ "nix-pre-commit-hooks": "nix-pre-commit-hooks",
+ "nixos-hardware": "nixos-hardware",
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1625936460,
+ "narHash": "sha256-U6xlITKrYuhlHWe+poACaz4GJl3ZVN1BSUqZe2gFg+g=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "ec2800174de5a7be8ec5b144819af2c7de77abe2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..9377929
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,133 @@
+{
+ inputs = {
+ flake-utils.url = "github:numtide/flake-utils";
+
+ nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
+ nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
+ nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
+
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05";
+
+ nixos-hardware.url = "github:nixos/nixos-hardware/master";
+
+ krops.url = "github:Mic92/krops";
+ krops.inputs.flake-utils.follows = "flake-utils";
+ krops.inputs.nixpkgs.follows = "nixpkgs";
+
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs =
+ { self
+ , flake-utils
+ , krops
+ , nix-pre-commit-hooks
+ , nixpkgs
+ , ...
+ }@inputs: flake-utils.lib.eachDefaultSystem
+ (system:
+ let
+ pkgs = nixpkgs.legacyPackages.${system};
+ inherit (pkgs) lib;
+ in
+ rec {
+ checks = {
+ pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {
+ src = ./.;
+ hooks = {
+ black.enable = true;
+ nixpkgs-fmt.enable = true;
+ shellcheck.enable = true;
+ };
+ };
+ };
+
+ devShell = pkgs.mkShell {
+ name = "fablab-nixos-config";
+
+ buildInputs = (with pkgs; [
+ black
+ nixpkgs-fmt
+ shellcheck
+ sops
+ ssh-to-pgp
+ ]);
+
+ shellHook = ''
+ find ${./keys} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import
+ '' + self.checks.${system}.pre-commit-check.shellHook;
+ };
+
+ apps = lib.mapAttrs
+ (name: program: { type = "app"; program = toString program; })
+ (flake-utils.lib.flattenTree {
+ deploy = lib.recurseIntoAttrs (lib.mapAttrs
+ (hostname: machine:
+ let
+ inherit (krops.packages.${system}) writeCommand;
+ inherit (krops) lib;
+ in
+ writeCommand "deploy-${hostname}" {
+ target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {
+ extraOptions = [
+ # force allocation of tty to allow aborting with ^C and to show build progress
+ "-t"
+ ];
+ };
+ source = lib.evalSource (lib.singleton {
+ config.file = {
+ path = toString ./.;
+ useChecksum = true;
+ };
+ });
+ command = targetPath: ''
+ nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
+ '';
+ }
+ )
+ self.nixosConfigurations);
+
+ showKeyFingerprint = pkgs.writeShellScript "show-key-fingerprint" ''
+ ${pkgs.gnupg}/bin/gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
+ '';
+ });
+ }) // {
+ overlay = import ./pkgs;
+
+ nixosConfigurations = nixpkgs.lib.mapAttrs
+ (hostname: { system
+ , extraModules ? [ ]
+ , targetHost ? hostname
+ }: nixpkgs.lib.nixosSystem rec {
+ inherit system;
+
+ modules = [
+ (./machines + "/${hostname}/configuration.nix")
+
+ ./modules
+
+ {
+ _module.args.inputs = inputs;
+ }
+
+ # deployment settings
+ ({ lib, ... }: {
+ options.deployment = {
+ targetHost = lib.mkOption {
+ type = lib.types.str;
+ readOnly = true;
+ internal = true;
+ };
+ };
+ config.deployment = {
+ inherit targetHost;
+ };
+ })
+ ] ++ (with inputs; [
+ sops-nix.nixosModules.sops
+ ]) ++ extraModules;
+ })
+ (import ./machines inputs);
+ };
+}
diff --git a/keys/users/simon.asc b/keys/users/simon.asc
new file mode 100644
index 0000000..d5aa897
--- /dev/null
+++ b/keys/users/simon.asc
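Review bot: `showKeyFingerprint` opens `"keys/''${1}.asc"` relative to the caller's working directory, whereas the devShell's shellHook imports the flake-relative `${./keys}`, so `nix run .#showKeyFingerprint` only works from the repository root and an empty argument silently becomes `keys/.asc`; `"${./keys}/''${1}.asc"` matches the shellHook, and a guard such as `[ $# -eq 1 ] || exit 1` in front of the gpg call rejects the empty case. As a smaller style point, `inherit (krops) lib;` inside the deploy `let` shadows the nixpkgs `lib` bound a few lines above it, so `lib.mkTarget` and `lib.evalSource` read as nixpkgs calls at first glance; a distinct name such as `kropsLib` would make the two libraries unambiguous.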
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF/lCz0BEADKOij3IA1IIiZc9c8rgxTUtrn4W1R8ncgsnFuXIDGD35dBB9e0
+wd5noQigoqts9N8ULHEV6J8AuBdl1IP2nAKAr6h3F+hrLjL5tZZCPpTN5fhxWguz
+wt6aFZgcFwFmQfZHSInxO2XpcibyJAs5ZXW3cO+VYQdVxXLT6KOLKkqWCCGMlQSt
+xNigzNbrjUcjrcGBcjNbFJs0P4BkVvD6+3xBerpT6zwAuFdBiUpZZk+XI1QCAuVF
+6ld5A+x+pwvKoN/n040UAUAdLTne7oisNonLhSvZVrH2uH4dKkku/yi2glSkUwps
+n+ffr0jD9VrdbxktcqQBE0WU2q7Eqe6EjSxURHI6uJ/wFh0QeYR8sT5mgPMt5O9T
+T49Kz2uUdljuHW0eI37DJSUDcXWh0OtuENRFf7m0lvIIaaPpbPM4btS8j9lCFs9h
+pJsQIQbNjV+UmIBvddDKGwcL+DHJFk0E2sqPYOwsebvbQLhVvPSPWWUVKrqMay9Y
+Vd9KKy/KddESzM6c3TFmUbkEj1h4qWSZ0XX0vGL8LL68maaDHwO1nKuw/XfSpjAC
+c+3wuqAgwFB+ihO/qWs8CB0z+wo+7NK9OUUVVucu2duUUjNknf6+v6fPedtziapp
+SHVQQKWYvozxVa7XU+dnrU3ZUHzIrv6Fr6yTdGy6fw7pE3yPFIwbw9vsowARAQAB
+tB9TaW1vbiBCcnVkZXIgPHNpbW9uQHNicnVkZXIuZGU+iQJSBBMBCgA8FiEER+dV
+ngN6NWUtu/iqjTyC+fMJ+OwFAl/lCz0CGwMFCQeEzgAECwkIBwQVCgkIBRYCAwEA
+Ah4BAheAAAoJEI08gvnzCfjsYFoP+weWMfiJ3mMeBeZBBcgp9NZTjrJoc2tKn/9s
+RL4PL/3lwLRSEu6JS4LauAD6fW1d5QnNnUe4nIcvTO6RvJ7R/lDWg1KL+pdCfYtk
+FiIesUkp+eW5Gqw5m6Bt1a9UjXdtHJuVGKQ/XjxC2914Ps6nhp5mY+NUm5zwZCBK
+qbjiPjD17TeTCThEui3kwl0sgBhNX/eCPpJZtw3u7vzxpN24+sX8Ogo9r4nRtHKv
+64vVggiT1Iu9JXm9KYlySFDZed9iVbgM2wKpylw1I0+F4VS8Jw/RDiIW61exKxAe
+VuxPzbIGeJ0R8u0ZcvTiRbXr7op9barUDCQFn2K2oHXd8uCMUULinlO2pPYyshGh
+znnZcZIvawqtWnImNnyTvKYe5Il9w2fmm6SzwRmcMvHBZ60eJC/PmnhpRcpBxyiG
+mAWgFmmgMhc81wcPZFD0Mp91twMDHRchgfmBBlNdqMBt9nNJ2Mm7o52mVX/daMG4
+VCqLdvbW9mWkyQVjfBq30XabanzN8RST63LlZEwArQqFpH8OifNMHI22fW2xGvPq
+09k6SLA9qbobGFw+OGKIaGHiVbFq5aeTkqHr0sgL8QBHUJWv+SE0q49GfDDvA4JE
+iDsLW6RJuNFGTaBq/NzN3A7iT8tTcdClYc7MSQxsEyTpuU+BlC9ewNC4cV/PyJ8l
+13yeMkdZuQINBF/lCz0BEADs+rV9/tDQ6hyJlgMEKA34LjV4OEBdpwnRS51juXYt
+nJiRC22Ljs6FY3NivOQPUNJR4yLU7/FGCGgyXlsLEyMIqH5Lldq1iaTMY8FHSdc4
+e+BM4QYCiaYT05Jqeydorq0fZe0nIXobK7RqB4dG543JNzrttotQ94qpx/cFUy6i
+ADxp216IyDFh0q10TKao/GB2gwkbOlRNuLYXXUMDON9i8VL0Yh7p0KhZuOl2vREm
+9/IQDJJHFv4CbSTmdQ0de+k8rVgyiW05SdYq3vrqRmNuI9fbGTf3vw8bHljq1SiH
+VoapbNJ8CnQCRzrsaX+pOlJwFVUUjxco7iyCHKFobfx+3ju5kwc+i/58nDiSkxMV
+DPqfjFXnN+72EihfHiw56k1zIRhF9D9b8eq6aqGOIgTtjRujQUR9Rn5BJRZ87/pR
+nlZsS3wE3nQxOo7fXKv9FU7TyEy6gu1LuK53dUk5xLlu4zMoIP8mc/mZchXqsksi
+JSWPFDeXh9HLFhKyzintRxdXNp5xV5XaXsMlFkNiTBLUHLbU8Ln9tiLcuJZ29y3b
+ynLtVo+GN4+G5b+koIoZ9065qSJ0coBPMUa6o7go2e1/oil+xKmtM3UHS+mMNa+4
+elSqSRdpv3Xgo5lLNP+e60FpN155/93Hq33UMvh8rS9KVaQgp0c1unP99ewY84ra
+9QARAQABiQI8BBgBCgAmFiEER+dVngN6NWUtu/iqjTyC+fMJ+OwFAl/lCz0CGwwF
+CQeEzgAACgkQjTyC+fMJ+OzfUBAAkVNY0chFGvzWHOxEKNJY9rW5EQrayrKPNhjr
+3j9xHoD+1AO7Yinqgd8Ribw88l1+2lVQGHIpIQ2ZPDz/XGND5FvP5PrW71FcUJ/z
+AKaEnYP4iZ1jgnjp280bJ2iHBMmHc5cs/7OwTCs1uos1kWhjLGA9M12OWDWN9iqB
++UJo5W8hs9c5LpYp7ByThQp+g0m3E/ZWSbfZqi0BqWX/X6QC1MMXYS1lZcg6qttF
+rs6d9hquNHZO7PkI73Ph89DWdxMIirmmn4Iwv88w3jW1KJXiGJbp0N2yooZFtsq+
+Yd5SHexET9rtU49BfeggEcWuDWJCGvPqdqCfAH6lKe9ddXwQx/R4f+Ffib8WYA6k
+49HA55U6WfPs74yfbR09mh79kDV2uQgtkaHFJyuVuO4e3oyUoqe3hQdqOMR2lCAR
+NSc7j5JdR9LxkUDqjUT8ipjzsTxwgPHaO0QkUjugs2v1TpivsDSRooI7NzWFTxbk
+MkUX5BGUnPnEivBiB3n++1o5kZp1jk3OAi8cqVkosOMjduWei8f6yKpQ4ZKg9cH7
+ovqpDS9R6CDrACDPNJSTBn2VyOdjGVc4FrhGsXp3FAe5prt1b9psvYTTuXrZZJZP
+dI1cLPI0Knyymf56gVMGCjp+x1+w7ef0ylGLPtFEuy/6iqWR3H5htZDQo3AgOVgd
+R7VFGCA=
+=7eg7
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/machines/default.nix b/machines/default.nix
new file mode 100644
index 0000000..beaf18a
--- /dev/null
+++ b/machines/default.nix
@@ -0,0 +1,5 @@
+{ ... }@inputs:
+let
+ hardware = inputs.nixos-hardware.nixosModules;
+in
+{ }
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..f7e9be4
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,4 @@
+{
+ imports = [
+ ];
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
new file mode 100644
index 0000000..ce16870
--- /dev/null
+++ b/pkgs/default.nix
@@ -0,0 +1 @@
+final: prev: { }
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..e7b19d8
--- /dev/null
+++ b/shell.nix
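Review bot: In machines/default.nix, `hardware` is bound in the `let` but never used, and the returned set is empty, so `nixosConfigurations` and the `apps.deploy` tree in flake.nix stay empty until hosts are added; that is fine for a skeleton, but nothing says so. A header comment giving the shape flake.nix expects per entry would help whoever adds the first host, e.g. `# one attribute per host: { system, extraModules ? [ ], targetHost ? hostname }` and `# hardware: nixos-hardware modules, intended for use in extraModules`.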
@@ -0,0 +1,11 @@
+{ pkgs ? import { } }:
+
+pkgs.mkShell {
+ name = "fablab-nixUnstable-shell";
+
+ nativeBuildInputs = with pkgs; [
+ (pkgs.writeShellScriptBin "nix" ''
+ exec -a nix ${pkgs.nixUnstable}/bin/nix --experimental-features "nix-command flakes" "$@"
+ '')
+ ];
+}
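Review bot: The bootstrap shell takes `pkgs` from `import { }` (the `<nixpkgs>` search-path lookup appears to have lost its angle brackets in this rendering), i.e. from whatever channel the user happens to have, so the `nix` wrapper and the `nixUnstable` behind it are the only unpinned inputs in this commit while flake.lock pins everything else. That is defensible for a bootstrap, but it deserves a comment, e.g. `# bootstrap only: uses the ambient <nixpkgs>; the real devShell is pinned via flake.lock`. Also, `with pkgs;` on `nativeBuildInputs` does nothing, since the one element is spelled `pkgs.writeShellScriptBin`; either drop the `with` or drop the `pkgs.` prefix.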