init

2021-07-18 10:08:26 +02:00 · 2021-07-18 10:08:26 +02:00 · 44311a2e72
commit 44311a2e72
12 changed files with 379 additions and 0 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,16 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+
+[*.{json,md,nix,py,sh}]
+indent_style = space
+
+[*.{json,md,nix}]
+indent_size = 2
+
+[*.{py,sh}]
+indent_size = 2
--- a/.envrc
+++ b/.envrc
@ -0,0 +1,13 @@
+# if the nix version from the environment does not support flakes, this adds
+# nix unstable to the environment
+if ! nix flake metadata >/dev/null; then
+	use_flake() {
+		watch_file flake.nix
+		watch_file flake.lock
+		[ -d "$(direnv_layout_dir)" ] || mkdir "$(direnv_layout_dir)"
+		eval "$(nix print-dev-env --profile "$(direnv_layout_dir)/flake-profile")"
+	}
+	use nix
+fi
+
+use flake
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,6 @@
+# Nix
+result*
+.direnv
+
+# automatically generated
+.pre-commit-config.yaml
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+creation_rules:
+  - path_regex: secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
--- a/README.md
+++ b/README.md
@ -0,0 +1 @@
+# NixOS configurations of the FabLab Bad Windsheim
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,130 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1623875721,
+        "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "krops": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1597485541,
+        "narHash": "sha256-+fqI9qh7zpC2WxinFZlaiDsbvMb/IJxFIiGfdA/xLps=",
+        "owner": "Mic92",
+        "repo": "krops",
+        "rev": "c3a1ffab03e8cfbb7ff532bdfa10b26b3dc76911",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "krops",
+        "type": "github"
+      }
+    },
+    "nix-pre-commit-hooks": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1624971177,
+        "narHash": "sha256-Amf/nBj1E77RmbSSmV+hg6YOpR+rddCbbVgo5C7BS0I=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "397f0713d007250a2c7a745e555fa16c5dc8cadb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "ref": "master",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1625333638,
+        "narHash": "sha256-M6J9RN60XJyv6nUfDFCwnz5aVjhe8+GJnV8Q9VpdQQQ=",
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "rev": "41775780a0b6b32b3d32dcc32bb9bc6df809062d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1626489334,
+        "narHash": "sha256-WcQDF/JB3yWfO7E37M6rlUCKkqcMwG2UiWz+2Vsib9Y=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "b2f87e0043aaf3f0f05cc983bd6aa80a616b8352",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-21.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "krops": "krops",
+        "nix-pre-commit-hooks": "nix-pre-commit-hooks",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1625936460,
+        "narHash": "sha256-U6xlITKrYuhlHWe+poACaz4GJl3ZVN1BSUqZe2gFg+g=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "ec2800174de5a7be8ec5b144819af2c7de77abe2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,133 @@
+{
+  inputs = {
+    flake-utils.url = "github:numtide/flake-utils";
+
+    nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
+    nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
+    nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
+
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05";
+
+    nixos-hardware.url = "github:nixos/nixos-hardware/master";
+
+    krops.url = "github:Mic92/krops";
+    krops.inputs.flake-utils.follows = "flake-utils";
+    krops.inputs.nixpkgs.follows = "nixpkgs";
+
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs =
+    { self
+    , flake-utils
+    , krops
+    , nix-pre-commit-hooks
+    , nixpkgs
+    , ...
+    }@inputs: flake-utils.lib.eachDefaultSystem
+      (system:
+      let
+        pkgs = nixpkgs.legacyPackages.${system};
+        inherit (pkgs) lib;
+      in
+      rec {
+        checks = {
+          pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {
+            src = ./.;
+            hooks = {
+              black.enable = true;
+              nixpkgs-fmt.enable = true;
+              shellcheck.enable = true;
+            };
+          };
+        };
+
+        devShell = pkgs.mkShell {
+          name = "fablab-nixos-config";
+
+          buildInputs = (with pkgs; [
+            black
+            nixpkgs-fmt
+            shellcheck
+            sops
+            ssh-to-pgp
+          ]);
+
+          shellHook = ''
+            find ${./keys} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import
+          '' + self.checks.${system}.pre-commit-check.shellHook;
+        };
+
+        apps = lib.mapAttrs
+          (name: program: { type = "app"; program = toString program; })
+          (flake-utils.lib.flattenTree {
+            deploy = lib.recurseIntoAttrs (lib.mapAttrs
+              (hostname: machine:
+                let
+                  inherit (krops.packages.${system}) writeCommand;
+                  inherit (krops) lib;
+                in
+                writeCommand "deploy-${hostname}" {
+                  target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {
+                    extraOptions = [
+                      # force allocation of tty to allow aborting with ^C and to show build progress
+                      "-t"
+                    ];
+                  };
+                  source = lib.evalSource (lib.singleton {
+                    config.file = {
+                      path = toString ./.;
+                      useChecksum = true;
+                    };
+                  });
+                  command = targetPath: ''
+                    nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
+                  '';
+                }
+              )
+              self.nixosConfigurations);
+
+            showKeyFingerprint = pkgs.writeShellScript "show-key-fingerprint" ''
+              ${pkgs.gnupg}/bin/gpg --with-fingerprint --with-colons --show-key "keys/''${1}.asc" | awk -F: '$1 == "fpr" { print $10; exit }'
+            '';
+          });
+      }) // {
+      overlay = import ./pkgs;
+
+      nixosConfigurations = nixpkgs.lib.mapAttrs
+        (hostname: { system
+                   , extraModules ? [ ]
+                   , targetHost ? hostname
+                   }: nixpkgs.lib.nixosSystem rec {
+          inherit system;
+
+          modules = [
+            (./machines + "/${hostname}/configuration.nix")
+
+            ./modules
+
+            {
+              _module.args.inputs = inputs;
+            }
+
+            # deployment settings
+            ({ lib, ... }: {
+              options.deployment = {
+                targetHost = lib.mkOption {
+                  type = lib.types.str;
+                  readOnly = true;
+                  internal = true;
+                };
+              };
+              config.deployment = {
+                inherit targetHost;
+              };
+            })
+          ] ++ (with inputs; [
+            sops-nix.nixosModules.sops
+          ]) ++ extraModules;
+        })
+        (import ./machines inputs);
+    };
+}
--- a/keys/users/simon.asc
+++ b/keys/users/simon.asc
@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF/lCz0BEADKOij3IA1IIiZc9c8rgxTUtrn4W1R8ncgsnFuXIDGD35dBB9e0
+wd5noQigoqts9N8ULHEV6J8AuBdl1IP2nAKAr6h3F+hrLjL5tZZCPpTN5fhxWguz
+wt6aFZgcFwFmQfZHSInxO2XpcibyJAs5ZXW3cO+VYQdVxXLT6KOLKkqWCCGMlQSt
+xNigzNbrjUcjrcGBcjNbFJs0P4BkVvD6+3xBerpT6zwAuFdBiUpZZk+XI1QCAuVF
+6ld5A+x+pwvKoN/n040UAUAdLTne7oisNonLhSvZVrH2uH4dKkku/yi2glSkUwps
+n+ffr0jD9VrdbxktcqQBE0WU2q7Eqe6EjSxURHI6uJ/wFh0QeYR8sT5mgPMt5O9T
+T49Kz2uUdljuHW0eI37DJSUDcXWh0OtuENRFf7m0lvIIaaPpbPM4btS8j9lCFs9h
+pJsQIQbNjV+UmIBvddDKGwcL+DHJFk0E2sqPYOwsebvbQLhVvPSPWWUVKrqMay9Y
+Vd9KKy/KddESzM6c3TFmUbkEj1h4qWSZ0XX0vGL8LL68maaDHwO1nKuw/XfSpjAC
+c+3wuqAgwFB+ihO/qWs8CB0z+wo+7NK9OUUVVucu2duUUjNknf6+v6fPedtziapp
+SHVQQKWYvozxVa7XU+dnrU3ZUHzIrv6Fr6yTdGy6fw7pE3yPFIwbw9vsowARAQAB
+tB9TaW1vbiBCcnVkZXIgPHNpbW9uQHNicnVkZXIuZGU+iQJSBBMBCgA8FiEER+dV
+ngN6NWUtu/iqjTyC+fMJ+OwFAl/lCz0CGwMFCQeEzgAECwkIBwQVCgkIBRYCAwEA
+Ah4BAheAAAoJEI08gvnzCfjsYFoP+weWMfiJ3mMeBeZBBcgp9NZTjrJoc2tKn/9s
+RL4PL/3lwLRSEu6JS4LauAD6fW1d5QnNnUe4nIcvTO6RvJ7R/lDWg1KL+pdCfYtk
+FiIesUkp+eW5Gqw5m6Bt1a9UjXdtHJuVGKQ/XjxC2914Ps6nhp5mY+NUm5zwZCBK
+qbjiPjD17TeTCThEui3kwl0sgBhNX/eCPpJZtw3u7vzxpN24+sX8Ogo9r4nRtHKv
+64vVggiT1Iu9JXm9KYlySFDZed9iVbgM2wKpylw1I0+F4VS8Jw/RDiIW61exKxAe
+VuxPzbIGeJ0R8u0ZcvTiRbXr7op9barUDCQFn2K2oHXd8uCMUULinlO2pPYyshGh
+znnZcZIvawqtWnImNnyTvKYe5Il9w2fmm6SzwRmcMvHBZ60eJC/PmnhpRcpBxyiG
+mAWgFmmgMhc81wcPZFD0Mp91twMDHRchgfmBBlNdqMBt9nNJ2Mm7o52mVX/daMG4
+VCqLdvbW9mWkyQVjfBq30XabanzN8RST63LlZEwArQqFpH8OifNMHI22fW2xGvPq
+09k6SLA9qbobGFw+OGKIaGHiVbFq5aeTkqHr0sgL8QBHUJWv+SE0q49GfDDvA4JE
+iDsLW6RJuNFGTaBq/NzN3A7iT8tTcdClYc7MSQxsEyTpuU+BlC9ewNC4cV/PyJ8l
+13yeMkdZuQINBF/lCz0BEADs+rV9/tDQ6hyJlgMEKA34LjV4OEBdpwnRS51juXYt
+nJiRC22Ljs6FY3NivOQPUNJR4yLU7/FGCGgyXlsLEyMIqH5Lldq1iaTMY8FHSdc4
+e+BM4QYCiaYT05Jqeydorq0fZe0nIXobK7RqB4dG543JNzrttotQ94qpx/cFUy6i
+ADxp216IyDFh0q10TKao/GB2gwkbOlRNuLYXXUMDON9i8VL0Yh7p0KhZuOl2vREm
+9/IQDJJHFv4CbSTmdQ0de+k8rVgyiW05SdYq3vrqRmNuI9fbGTf3vw8bHljq1SiH
+VoapbNJ8CnQCRzrsaX+pOlJwFVUUjxco7iyCHKFobfx+3ju5kwc+i/58nDiSkxMV
+DPqfjFXnN+72EihfHiw56k1zIRhF9D9b8eq6aqGOIgTtjRujQUR9Rn5BJRZ87/pR
+nlZsS3wE3nQxOo7fXKv9FU7TyEy6gu1LuK53dUk5xLlu4zMoIP8mc/mZchXqsksi
+JSWPFDeXh9HLFhKyzintRxdXNp5xV5XaXsMlFkNiTBLUHLbU8Ln9tiLcuJZ29y3b
+ynLtVo+GN4+G5b+koIoZ9065qSJ0coBPMUa6o7go2e1/oil+xKmtM3UHS+mMNa+4
+elSqSRdpv3Xgo5lLNP+e60FpN155/93Hq33UMvh8rS9KVaQgp0c1unP99ewY84ra
+9QARAQABiQI8BBgBCgAmFiEER+dVngN6NWUtu/iqjTyC+fMJ+OwFAl/lCz0CGwwF
+CQeEzgAACgkQjTyC+fMJ+OzfUBAAkVNY0chFGvzWHOxEKNJY9rW5EQrayrKPNhjr
+3j9xHoD+1AO7Yinqgd8Ribw88l1+2lVQGHIpIQ2ZPDz/XGND5FvP5PrW71FcUJ/z
+AKaEnYP4iZ1jgnjp280bJ2iHBMmHc5cs/7OwTCs1uos1kWhjLGA9M12OWDWN9iqB
+UJo5W8hs9c5LpYp7ByThQp+g0m3E/ZWSbfZqi0BqWX/X6QC1MMXYS1lZcg6qttF
+rs6d9hquNHZO7PkI73Ph89DWdxMIirmmn4Iwv88w3jW1KJXiGJbp0N2yooZFtsq+
+Yd5SHexET9rtU49BfeggEcWuDWJCGvPqdqCfAH6lKe9ddXwQx/R4f+Ffib8WYA6k
+49HA55U6WfPs74yfbR09mh79kDV2uQgtkaHFJyuVuO4e3oyUoqe3hQdqOMR2lCAR
+NSc7j5JdR9LxkUDqjUT8ipjzsTxwgPHaO0QkUjugs2v1TpivsDSRooI7NzWFTxbk
+MkUX5BGUnPnEivBiB3n++1o5kZp1jk3OAi8cqVkosOMjduWei8f6yKpQ4ZKg9cH7
+ovqpDS9R6CDrACDPNJSTBn2VyOdjGVc4FrhGsXp3FAe5prt1b9psvYTTuXrZZJZP
+dI1cLPI0Knyymf56gVMGCjp+x1+w7ef0ylGLPtFEuy/6iqWR3H5htZDQo3AgOVgd
+R7VFGCA=
+=7eg7
+-----END PGP PUBLIC KEY BLOCK-----
--- a/machines/default.nix
+++ b/machines/default.nix
@ -0,0 +1,5 @@
+{ ... }@inputs:
+let
+  hardware = inputs.nixos-hardware.nixosModules;
+in
+{ }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -0,0 +1,4 @@
+{
+  imports = [
+  ];
+}
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -0,0 +1 @@
+final: prev: { }
--- a/shell.nix
+++ b/shell.nix
@ -0,0 +1,11 @@
+{ pkgs ? import <nixpkgs> { } }:
+
+pkgs.mkShell {
+  name = "fablab-nixUnstable-shell";
+
+  nativeBuildInputs = with pkgs; [
+    (pkgs.writeShellScriptBin "nix" ''
+      exec -a nix ${pkgs.nixUnstable}/bin/nix --experimental-features "nix-command flakes" "$@"
+    '')
+  ];
+}
				`@ -0,0 +1 @@`
				`# NixOS configurations of the FabLab Bad Windsheim`