nixos-configuration/flake.nix

{
  inputs = {
    disko.inputs.nixpkgs.follows = "nixpkgs";
    disko.url = "github:nix-community/disko";

    flake-utils.url = "github:numtide/flake-utils";

    gomod2nix.inputs.flake-utils.follows = "flake-utils";
    gomod2nix.inputs.nixpkgs.follows = "nixpkgs";
    gomod2nix.url = "github:nix-community/gomod2nix";

    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    home-manager.url = "github:nix-community/home-manager/release-24.11";

    impermanence.url = "github:nix-community/impermanence";

    krops.inputs.flake-utils.follows = "flake-utils";
    krops.inputs.nixpkgs.follows = "nixpkgs";
    krops.url = "github:Mic92/krops";

    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.1";
    lanzaboote.inputs.nixpkgs.follows = "nixpkgs";

    nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
    nix-pre-commit-hooks.url = "github:cachix/git-hooks.nix/master";

    nixos-hardware.url = "github:nixos/nixos-hardware/master";

    nixpkgs.url = "github:nixos/nixpkgs/release-24.11";

    nixpkgsMaster.url = "github:NixOS/nixpkgs/master";

    nur.url = "github:nix-community/NUR";

    poetry2nix.inputs.flake-utils.follows = "flake-utils";
    poetry2nix.inputs.nixpkgs.follows = "nixpkgs";
    poetry2nix.url = "github:nix-community/poetry2nix";

    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
  };
  outputs =
    { self
    , flake-utils
    , gomod2nix
    , home-manager
    , krops
    , nix-pre-commit-hooks
    , nixpkgs
    , nur
    , poetry2nix
    , ...
    }@inputs: flake-utils.lib.eachSystem [
      "x86_64-linux"
    ]
      (system:
      let
        pkgs = import nixpkgs { inherit system; };
        inherit (pkgs) lib;
      in
      {
        checks = {
          pre-commit-check = nix-pre-commit-hooks.lib.${system}.run {
            src = self;
            hooks = {
              black.enable = true;
              nixpkgs-fmt.enable = true;
              shellcheck.enable = true;
              statix = {
                enable = true;
                settings.ignore = [ ".direnv" ];
              };
            };
          };
        };
        devShells.default = pkgs.mkShell {
          buildInputs = (with pkgs; [
            black
            just
            nixpkgs-fmt
            shellcheck
            sops
            ssh-to-age
          ]);

          shellHook = ''
            ${self.checks.${system}.pre-commit-check.shellHook}
          '';
        };

        apps = lib.mapAttrs
          (name: program: { type = "app"; program = toString program; })
          (flake-utils.lib.flattenTree {
            deploy = lib.recurseIntoAttrs (lib.mapAttrs
              (hostname: machine:
                let
                  inherit (krops.packages.${system}) writeCommand;
                  inherit (krops) lib;
                in
                writeCommand "deploy-${hostname}" {
                  target = lib.mkTarget "root@${machine.config.deployment.targetHost}" // {
                    extraOptions = [
                      # force allocation of tty to allow aborting with ^C and to show build progress
                      "-t"
                    ];
                  };
                  source = lib.evalSource (lib.singleton {
                    config.file = {
                      path = toString ./.;
                      useChecksum = true;
                    };
                  });
                  command = targetPath: ''
                    nixos-rebuild switch --flake ${targetPath}/config -L --keep-going
                  '';
                  force = true;
                }
              )
              self.nixosConfigurations);
            argon2id =
              let
                python = pkgs.python3.withPackages (pp: with pp; [
                  argon2-cffi
                ]);
              in
              pkgs.writeTextFile {
                name = "argon2id";
                text = ''
                  #!${python}/bin/python
                  import getpass
                  from argon2 import PasswordHasher
                  pw = getpass.getpass()
                  ph = PasswordHasher(
                      time_cost=5,
                      memory_cost=2*1024*1024, # in kibibytes
                      parallelism=4,
                  )
                  print(ph.hash(pw))
                '';
                executable = true;
              };
          });
      }) // {
      overlays.default = import ./pkgs inputs;

      nixosConfigurations = nixpkgs.lib.mapAttrs
        (hostname: { system
                   , extraModules ? [ ]
                   , targetHost ? hostname
                   , nixpkgs ? inputs.nixpkgs
                   }: nixpkgs.lib.nixosSystem rec {
          inherit system;
          specialArgs = { inherit self system; };

          modules = [
            (./hosts + "/${hostname}/configuration.nix")

            ./modules

            {
              _module.args = {
                inputs = inputs;
                custom-utils = import ./custom-utils { lib = nixpkgs.lib; };
              };
            }

            # deployment settings
            ({ lib, ... }: {
              options.deployment = {
                targetHost = lib.mkOption {
                  type = lib.types.str;
                  readOnly = true;
                  internal = true;
                };
              };
              config.deployment = {
                inherit targetHost;
              };
            })
          ] ++ [
            { nixpkgs.overlays = [ nur.overlays.default ]; }
            home-manager.nixosModules.home-manager
            inputs.disko.nixosModules.disko
            inputs.impermanence.nixosModules.impermanence
            inputs.lanzaboote.nixosModules.lanzaboote
            inputs.sops-nix.nixosModules.sops
          ] ++ extraModules;
        })
        (import ./hosts inputs);
    };
}