# flake.nix: pins every external input, exposes repo tooling (checks, devShell,
# apps) for x86_64-linux, and builds one nixosConfiguration per host in ./hosts.
{
  inputs = {
    # Most inputs are made to "follow" this flake's nixpkgs so a single nixpkgs
    # revision is evaluated; the branch/tag refs below ("master", "release-25.05",
    # "v0.4.2") only select what `nix flake update` fetches — the revision actually
    # used is the one recorded in flake.lock.
    disko.inputs.nixpkgs.follows = "nixpkgs";
    disko.url = "github:nix-community/disko";
    flake-utils.url = "github:numtide/flake-utils";
    nix-filter.url = "github:numtide/nix-filter";
    gg-chatmix = {
      url = "github:nilathedragon/gg-chatmix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    gomod2nix = {
      url = "github:nix-community/gomod2nix";
      inputs.flake-utils.follows = "flake-utils";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    home-manager = {
      url = "github:nix-community/home-manager/release-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    impermanence.url = "github:nix-community/impermanence";
    # krops provides the `deploy-<host>` apps below (writeCommand / mkTarget / evalSource).
    krops = {
      url = "github:Mic92/krops";
      inputs.flake-utils.follows = "flake-utils";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Secure Boot module; pinned to a release tag rather than a branch.
    lanzaboote = {
      url = "github:nix-community/lanzaboote/v0.4.2";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-pre-commit-hooks = {
      url = "github:cachix/git-hooks.nix/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-hardware.url = "github:nixos/nixos-hardware/master";
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
    # Unstable nixpkgs, separate from the stable `nixpkgs` input above; not used in
    # this file — presumably consumed by ./pkgs or a host via `inputs`.
    nixpkgsMaster.url = "github:NixOS/nixpkgs/master";
    # NOTE(review): NUR is a user-maintained repository whose packages are not
    # reviewed like nixpkgs; its overlay is applied to every host below, so treat
    # anything pulled from it as third-party code.
    nur.url = "github:nix-community/NUR";
    poetry2nix = {
      url = "github:nix-community/poetry2nix";
      inputs.flake-utils.follows = "flake-utils";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    asterisk-sounds-de = {
      url = "git+https://git.jalr.de/jalr/asterisk-sounds-de";
      inputs = {
        flake-utils.follows = "flake-utils";
        nix-filter.follows = "nix-filter";
        nixpkgs.follows = "nixpkgs";
      };
    };
    vesc-tool = {
      url = "github:vedderb/vesc_tool/master";
      inputs.flake-utils.follows = "flake-utils";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  # `inputs` binds the whole input set so modules and ./pkgs can reach inputs that
  # are not destructured here (disko, impermanence, lanzaboote, sops-nix, ...).
  outputs =
    { self
    , flake-utils
    , home-manager
    , krops
    , nix-pre-commit-hooks
    , nixpkgs
    , nur
    , ...
    }@inputs:
    # Per-system outputs (checks, devShells, apps) for x86_64-linux only, merged
    # with the system-independent overlays and nixosConfigurations at the end.
    flake-utils.lib.eachSystem [ "x86_64-linux" ]
      (system:
        let
          pkgs = import nixpkgs { inherit system; };
          inherit (pkgs) lib;
        in
        {
          checks = {
            # Linters/formatters run over the whole flake source (`src = self`);
            # .envrc is excluded and statix skips the .direnv cache.
            pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {
              src = self;
              hooks = {
                black.enable = true;
                deadnix.enable = true;
                nixpkgs-fmt.enable = true;
                shellcheck.enable = true;
                statix = {
                  enable = true;
                  settings.ignore = [ ".direnv" ];
                };
              };
              excludes = [ ".envrc" ];
            };
          };
          devShells.default = pkgs.mkShell {
            # sops / ssh-to-age are the secret-management tools used with sops-nix below.
            buildInputs = with pkgs; [ black just nixpkgs-fmt shellcheck sops ssh-to-age ];
            # The hook from the check above is run on shell entry so the same
            # pre-commit configuration is installed into the working copy.
            shellHook = ''
              ${self.checks.${system}.pre-commit-check.shellHook}
            '';
          };
          # Every leaf of the flattened tree becomes a runnable app
          # (`nix run .#deploy.<host>`, `nix run .#argon2id`).
          apps = lib.mapAttrs (_: program: { type = "app"; program = toString program; })
            (flake-utils.lib.flattenTree {
              # One deploy-<hostname> command per entry of self.nixosConfigurations.
              deploy = lib.recurseIntoAttrs (lib.mapAttrs
                (hostname: machine:
                  let
                    inherit (krops.packages.${system}) writeCommand;
                    # Shadows the nixpkgs `lib` for the rest of this let-body: mkTarget,
                    # evalSource and singleton below come from krops' lib.
                    inherit (krops) lib;
                  in
                  writeCommand "deploy-${hostname}" {
                    # Target host comes from the read-only deployment.targetHost
                    # option defined in the nixosConfigurations modules below.
                    target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {
                      extraOptions = [
                        # force allocation of tty to allow aborting with ^C and to show build progress
                        "-t"
                      ];
                    };
                    # The whole flake source (`./.`) is copied to the target as "config";
                    # useChecksum re-copies only when contents change.
                    source = lib.evalSource (lib.singleton {
                      config.file = {
                        path = toString ./.;
                        useChecksum = true;
                      };
                    });
                    # Evaluated and built on the target itself.
                    command = targetPath: ''
                      nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
                    '';
                    # NOTE(review): semantics of `force` are krops' (writeCommand option);
                    # confirm against the pinned krops revision.
                    force = true;
                  }
                )
                self.nixosConfigurations);
              # Interactive helper: reads a password without echo and prints its
              # Argon2id hash (e.g. for users.users.<name>.hashedPassword).
              # Parameters: 5 passes, 2*1024*1024 KiB = 2 GiB memory, 4 lanes.
              argon2id =
                let
                  python = pkgs.python3.withPackages (pp: with pp; [ argon2-cffi ]);
                in
                pkgs.writeTextFile {
                  name = "argon2id";
                  text = ''
                    #!${python}/bin/python
                    import getpass
                    from argon2 import PasswordHasher
                    pw = getpass.getpass()
                    ph = PasswordHasher(
                        time_cost=5,
                        memory_cost=2*1024*1024, # in kibibytes
                        parallelism=4,
                    )
                    print(ph.hash(pw))
                  '';
                  executable = true;
                };
            });
        }) // {
      # Package overlay defined in ./pkgs; receives the full input set.
      overlays.default = import ./pkgs inputs;
      # ./hosts yields { <hostname> = { system; extraModules?; targetHost?; nixpkgs?; }; }.
      # `nixpkgs` may be overridden per host (e.g. with nixpkgsMaster); inside the
      # function it shadows the stable input, so nixosSystem and custom-utils' lib
      # come from the per-host choice.
      nixosConfigurations = nixpkgs.lib.mapAttrs
        (hostname: { system
                   , extraModules ? [ ]
                   , targetHost ? hostname
                   , nixpkgs ? inputs.nixpkgs
                   }: nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = { inherit self system; };
          modules =
            let
              hostDir = ./hosts + "/${hostname}";
            in
            [
              (hostDir + "/configuration.nix")
              ./modules
              {
                _module.args = {
                  inherit inputs;
                  custom-utils = import ./custom-utils { inherit (nixpkgs) lib; };
                };
              }
              # deployment settings
              # Declares the read-only, internal option the deploy app reads as the
              # SSH destination; defaults to the hostname.
              ({ lib, ... }: {
                options.deployment = {
                  targetHost = lib.mkOption {
                    type = lib.types.str;
                    readOnly = true;
                    internal = true;
                  };
                };
                config.deployment = { inherit targetHost; };
              })
              # sops settings
              # Every leaf key of hosts/<hostname>/secrets.yaml (except the sops
              # metadata block) is declared as a sops-nix secret with default options,
              # so secrets only need to be added to the YAML file.
              ({ lib, config, pkgs, ... }: {
                sops.defaultSopsFile = hostDir + "/secrets.yaml";
                sops.secrets =
                  let
                    secretFile = config.sops.defaultSopsFile;
                    # Import-from-derivation: yq lists leaf paths joined with "/"
                    # (sops-nix's nested-key notation) at evaluation time. Interpolating
                    # `${file}` copies the still-encrypted YAML into the Nix store.
                    # NOTE(review): runCommandNoCC is a deprecated alias of runCommand in
                    # recent nixpkgs — confirm for the pinned 25.05.
                    getSecrets = file: builtins.fromJSON (builtins.readFile (pkgs.runCommandNoCC "secretKeys" { } ''${pkgs.yq-go}/bin/yq -o json '[del .sops | .. | select(tag != "!!seq" and tag != "!!map") | path | join("/")]' ${file} > $out''));
                    secretNames = getSecrets secretFile;
                    # Laziness matters here: getSecrets is only forced when the file
                    # exists, so hosts without secrets.yaml evaluate without IFD.
                    secrets =
                      if builtins.pathExists secretFile
                      then lib.listToAttrs (builtins.map (name: lib.nameValuePair name { }) secretNames)
                      else { };
                  in
                  secrets;
              })
            ] ++ [
              # Overlays and third-party modules shared by all hosts.
              { nixpkgs.overlays = [ nur.overlays.default inputs.vesc-tool.overlays.default ]; }
              home-manager.nixosModules.home-manager
              inputs.asterisk-sounds-de.nixosModules.default
              inputs.disko.nixosModules.disko
              inputs.impermanence.nixosModules.impermanence
              inputs.lanzaboote.nixosModules.lanzaboote
              inputs.sops-nix.nixosModules.sops
              inputs.gg-chatmix.nixosModule
            ] ++ extraModules;
        })
        (import ./hosts inputs);
    };
}