diff --git a/flake.lock b/flake.lock index 1061c82..46922dc 100644 --- a/flake.lock +++ b/flake.lock @@ -133,7 +133,57 @@ "type": "github" } }, + "clan-core": { + "inputs": { + "disko": "disko", + "flake-parts": [ + "flake-parts" + ], + "git-hooks": "git-hooks", + "nixos-generators": "nixos-generators", + "nixos-images": "nixos-images", + "nixpkgs": [ + "nixpkgs" + ], + "sops-nix": "sops-nix", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1716757238, + "narHash": "sha256-8voKL5nTtf7TX8pZvE9VMzSAzsQ+xFrDrEqvYpw2/yY=", + "ref": "refs/heads/main", + "rev": "6e9f1515d3f3a5ffb5a89a2a28d6014ea0022948", + "revCount": 2850, + "type": "git", + "url": "https://git.clan.lol/clan/clan-core" + }, + "original": { + "type": "git", + "url": "https://git.clan.lol/clan/clan-core" + } + }, "disko": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716394172, + "narHash": "sha256-B+pNhV8GFeCj9/MoH+qtGqKbgv6fU4hGaw2+NoYYtB0=", + "owner": "nix-community", + "repo": "disko", + "rev": "23c63fb09334c3e8958b57e2ddc3870b75b9111d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "disko_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -153,7 +203,7 @@ "type": "github" } }, - "disko_2": { + "disko_3": { "inputs": { "nixpkgs": [ "nixos-anywhere", @@ -251,6 +301,26 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715865404, + "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nixos-anywhere", 
@@ -413,6 +483,22 @@ "type": "github" } }, + "git-hooks": { + "flake": false, + "locked": { + "lastModified": 1716413087, + "narHash": "sha256-nSTIB7JeJGBGsvtqlyfhUByh/isyK1nfOq2YMxUOFJQ=", + "owner": "fricklerhandwerk", + "repo": "git-hooks", + "rev": "99a78fcf7dc03ba7b1d5c00af109c1e28ced3490", + "type": "github" + }, + "original": { + "owner": "fricklerhandwerk", + "repo": "git-hooks", + "type": "github" + } + }, "gnome-shell": { "flake": false, "locked": { @@ -565,14 +651,45 @@ "type": "github" } }, + "nixlib": { + "locked": { + "lastModified": 1712450863, + "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-2311": { + "locked": { + "lastModified": 1715818734, + "narHash": "sha256-WvAJWCwPj/6quKcsgsvQYyZRxV8ho/yUzj0HZQ34DVU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "95742536dc6debb5a8b8b78b27001c38f369f1e7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixos-anywhere": { "inputs": { - "disko": "disko_2", - "flake-parts": "flake-parts", - "nixos-images": "nixos-images", + "disko": "disko_3", + "flake-parts": "flake-parts_2", + "nixos-images": "nixos-images_2", "nixos-stable": "nixos-stable", "nixpkgs": "nixpkgs_5", - "treefmt-nix": "treefmt-nix" + "treefmt-nix": "treefmt-nix_2" }, "locked": { "lastModified": 1715150548, 
@@ -588,6 +705,28 @@ "type": "github" } }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716123454, + "narHash": "sha256-U2o4UPM/UsEyIX2p11+YEQgR9HY3PmjZ2mRl/x5e4xo=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "a63e0c83dd83fe28cc571b97129e13373436bd82", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, "nixos-hardware": { "locked": { "lastModified": 1716173274, @@ -604,6 +743,28 @@ } }, "nixos-images": { + "inputs": { + "nixos-2311": "nixos-2311", + "nixos-unstable": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716132123, + "narHash": "sha256-rATSWbPaKQfZGaemu0tHL2xfCzVIVwpuTjk+KSBC+k4=", + "owner": "nix-community", + "repo": "nixos-images", + "rev": "8c9cab8c44434c12dafc465fbf61a710c5bceb08", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-images", + "type": "github" + } + }, + "nixos-images_2": { "inputs": { "nixos-2311": [ "nixos-anywhere", @@ -1027,8 +1188,10 @@ }, "root": { "inputs": { - "disko": "disko", + "clan-core": "clan-core", + "disko": "disko_2", "dns": "dns", + "flake-parts": "flake-parts", "grocy-scanner": "grocy-scanner", "home-manager": "home-manager", "home-manager-utils": "home-manager-utils", @@ -1051,7 +1214,7 @@ "retiolum": "retiolum", "secrets": "secrets", "smoke": "smoke", - "sops-nix": "sops-nix", + "sops-nix": "sops-nix_2", "srvos": "srvos", "srvos_nixpkgs": [ "srvos", 
@@ -1119,6 +1282,30 @@ } }, "sops-nix": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ], + "nixpkgs-stable": [ + "clan-core" + ] + }, + "locked": { + "lastModified": 1716087663, + "narHash": "sha256-zuSAGlx8Qk0OILGCC2GUyZ58/SJ5R3GZdeUNQ6IS0fQ=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "0bf1808e70ce80046b0cff821c019df2b19aabf5", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "sops-nix_2": { "inputs": { "nixpkgs": "nixpkgs_9", "nixpkgs-stable": "nixpkgs-stable" @@ -1239,6 +1426,27 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715940852, + "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": [ "nixos-anywhere", diff --git a/flake.nix b/flake.nix index 8be438e..bf6a7a0 100644 --- a/flake.nix +++ b/flake.nix @@ -5,6 +5,16 @@ url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-secrets.git?ref=main"; flake = false; }; + + flake-parts.url = "github:hercules-ci/flake-parts"; + flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; + + clan-core = { + url = "git+https://git.clan.lol/clan/clan-core"; + inputs.nixpkgs.follows = "nixpkgs"; # Needed if your configuration uses nixpkgs unstable. + inputs.flake-parts.follows = "flake-parts"; + }; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-legacy_2105.url = "github:nixos/nixpkgs/nixos-21.05"; nixpkgs-legacy_2205.url = "github:nixos/nixpkgs/nixos-22.05"; @@ -88,10 +98,12 @@ }; outputs = - { self + inputs@{ self + , clan-core , disko , dns #, doom-emacs-nix + , flake-parts , grocy-scanner , home-manager , home-manager-utils 
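Review bot: The new `clan-core` input is declared as `git+https://git.clan.lol/clan/clan-core` with no `ref` or `rev`, so although flake.lock pins the current revision, each `nix flake update` will silently advance to whatever the default branch holds, together with the transitive inputs clan-core brings in (the lock shows disko, sops-nix, nixos-generators, nixos-images and treefmt-nix). Since clan-core's flake module is imported into the whole flake elsewhere in this diff and its machines deploy as root, that is a large trust surface to move without a pin; consider `url = "git+https://git.clan.lol/clan/clan-core?ref=<pinned tag or rev>"` or at least review the lock diff on every update. The trailing comment `# Needed if your configuration uses nixpkgs unstable.` reads as copied from a template and does not explain this repo's choice; `# share this flake's nixpkgs with clan-core so only one nixpkgs is evaluated` states what the `follows` actually does.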
@@ -113,22 +125,23 @@ , private_assets , retiolum , secrets - , srvos - , srvos_nixpkgs , smoke , sops-nix + , srvos + , srvos_nixpkgs , stylix , taskshell }: - let - system = "x86_64-linux"; - pkgs = nixpkgs.legacyPackages.${system}; + let + #system = "x86_64-linux"; + + #pkgs = nixpkgs.legacyPackages.${system}; inherit (nixpkgs) lib; - meta = { nixpackages ? nixpkgs }: rec { + meta = rec { system = "x86_64-linux"; - pkgs = import nixpackages { + pkgs = import nixpkgs { inherit system; config.allowUnfree = true; config.permittedInsecurePackages = [ @@ -163,42 +176,24 @@ inherit private_assets; assets = ./nixos/assets; }; + }; - # todo : why redefine it? - # Mic92 means, is not needed anymore - nixosSystem = args: - (lib.makeOverridable lib.nixosSystem) - (lib.recursiveUpdate args { - modules = - args.modules - ++ [ - { - config.nixpkgs.pkgs = lib.mkDefault args.pkgs; - config.nixpkgs.localSystem = lib.mkDefault args.pkgs.stdenv.hostPlatform; - } - ]; - }); - - nixosConfigurationSetup = + clanSetup = { name - , host ? "${name}.private" + , host , modules - , nixpackages ? nixpkgs - }: - nixosSystem { - inherit (meta { nixpackages = nixpackages; }) system specialArgs pkgs; - modules = modules ++ defaultModules ++ [ - { - _module.args.nixinate = { - host = host; - sshUser = "root"; - buildOn = "remote"; # valid args are "local" or "remote" - substituteOnTarget = false; # if buildOn is "local" then it will substitute on the target, "-s" - #hermetic = false; # ??? don't know what this is - nixOptions = [ "--max-jobs 1" ]; - }; - } + #, nixpackages ? meta.nixpkgs + }: { + + clan.networking.targetHost = lib.mkDefault "root@${host}"; + clanCore.machineIcon = null; # Optional, a path to an image file + + #nixpkgs.pkgs = nixpackages; + nixpkgs.pkgs = meta.pkgs; + nixpkgs.hostPlatform = meta.system; + + imports = modules ++ defaultModules ++ [ { imports = [ ./nixos/machines/${name}/configuration.nix 
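Review bot: `clanSetup` (second hunk on this line) leaves commented-out code behind, `#, nixpackages ? meta.nixpkgs` and `#nixpkgs.pkgs = nixpackages;`, and the first hunk does the same with `#system = "x86_64-linux";` and `#pkgs = nixpkgs.legacyPackages.${system};`; nothing visible in `meta` defines a `nixpkgs` attribute, so the commented default would not even resolve if re-enabled. Delete these lines rather than keeping them as comments; the removed `nixosConfigurationSetup` lives on in history. The function also no longer gives `host` a default, so every machine must now pass one, and `clan.networking.targetHost = lib.mkDefault "root@${host}"` makes each entry a root SSH target; a one-line comment such as `# host: SSH target used for deployment; clan connects as root` would document that contract next to the parameter. The `imports = modules ++ defaultModules ++ [ ... ]` list continues past the end of the hunk.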
@@ -228,25 +223,26 @@ # ''; # }; # }) - { - nix.settings.substituters = [ "https://cache.nixos.org/" ]; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - # no channesl needed this way - nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; - } - { + ({ pkgs, ... }: + { + nix.settings.substituters = [ "https://cache.nixos.org/" ]; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + # no channesl needed this way + nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; + }) + ({ pkgs, ... }: { boot.tmp.useTmpfs = lib.mkDefault true; - environment.systemPackages = [ nixpkgs-fmt.defaultPackage.${system} ]; + environment.systemPackages = [ nixpkgs-fmt.defaultPackage.${pkgs.system} ]; imports = [ permown.nixosModules.permown - disko.nixosModules.disko + #disko.nixosModules.disko kmonad.nixosModules.default grocy-scanner.nixosModule ]; - } + }) ]; - homeManagerModules = { config, ... }: { + homeManagerModules = { pkgs, config, ... }: { imports = [ home-manager.nixosModules.home-manager stylix.nixosModules.stylix 
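Review bot: `#disko.nixosModules.disko` in the shared default module list disables the disko module while the `disko` input is still declared at the root and bound in the `outputs` argument list; any `./nixos/machines/<name>/configuration.nix` that still sets `disko.devices` would then fail with an undefined option unless clan-core's own modules import disko (the lock shows clan-core carries a disko input, so they may, but nothing in this diff shows it). Either drop the now-unused root `disko` input or replace the commented line with `# disko is imported through clan-core.flakeModules.default` once that is confirmed. The surrounding `defaultModules` list starts before this hunk.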
@@ -290,29 +286,33 @@ }; sopsModule = name: { lib, ... }: { - imports = [ sops-nix.nixosModules.sops ]; + #imports = [ sops-nix.nixosModules.sops ]; sops.defaultSopsFile = lib.mkForce "${secrets}/secrets/${name}.yaml"; }; in - { - devShells.${system}.default = - pkgs.mkShell { - buildInputs = [ - nixpkgs-fmt.defaultPackage.${system} - nixos-anywhere.packages.${system}.nixos-anywhere - ]; - }; - apps = nixinate.nixinate.x86_64-linux self; + flake-parts.lib.mkFlake { inherit inputs; } ({ self, pkgs, ... }: { + # We define our own systems below. you can still use this to add system specific outputs to your flake. + # See: https://flake.parts/getting-started + systems = [ ]; - nixosConfigurations = - { - sternchen = nixosConfigurationSetup { + # import clan-core modules + imports = [ + clan-core.flakeModules.default + ]; + + # Define your clan + clan = { + # Clan wide settings. (Required) + clanName = "gummybears"; # Ensure to choose a unique name. + specialArgs = meta.specialArgs; + + machines = { + sternchen = clanSetup { name = "sternchen"; - #host = "sternchen.secret"; - #host = "192.168.178.25"; - host = "sternchen"; + #host = "sternchen.secure"; + host = "192.168.178.25"; modules = [ nixos-hardware.nixosModules.lenovo-thinkpad-x220 homeManagerModules 
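Review bot: `sopsModule` now comments out `imports = [ sops-nix.nixosModules.sops ];` but still sets `sops.defaultSopsFile = lib.mkForce ...`, and nixos/components/yubikey.nix in this same commit sets `sops.secrets.yubikey_u2fAuthFile`; those options only exist if some other module imports sops-nix, which is not visible here (clan-core carries its own sops-nix input per the lock, so that is probably the intended path). If so, say it in place of the dead line: `# sops.* options come from the sops-nix module that clan-core imports`; otherwise the `sops.*` settings fail evaluation. The root flake also keeps its own `sops-nix` input (locked as `sops-nix_2`), now a second copy beside clan-core's, which is worth collapsing with a `follows` or removing. Finally, `sternchen` moves from `host = "sternchen"` to the literal `192.168.178.25` with the name left as a comment; the deployment target becomes `root@192.168.178.25`, so SSH host-key trust for that machine is now keyed by the address rather than the name.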
@@ -335,76 +335,121 @@ }) ]; }; - cream = nixosConfigurationSetup - { - name = "cream"; - modules = [ - nixos-hardware.nixosModules.framework-12th-gen-intel - retiolum.nixosModules.retiolum - private_assets.nixosModules.cream - homeManagerModules - { home-manager.users.mainUser.gui.enable = true; } - { - home-manager.users.mainUser = import ./nixos/homes/palo; - home-manager.users.root = import ./nixos/homes/root; - } - ]; - }; - cherry = nixosConfigurationSetup - { - name = "cherry"; - modules = [ - nixos-hardware.nixosModules.framework-13th-gen-intel - homeManagerModules - { home-manager.users.mainUser.gui.enable = true; } - { - home-manager.users.mainUser = import ./nixos/homes/palo; - home-manager.users.root = import ./nixos/homes/root; - } - ]; - }; - chungus = nixosConfigurationSetup - { - name = "chungus"; - modules = [ - homeManagerModules - retiolum.nixosModules.retiolum - private_assets.nixosModules.chungus - { - home-manager.users.mainUser = import ./nixos/homes/palo; - home-manager.users.root = import ./nixos/homes/root; - } - ]; - }; - orbi = nixosConfigurationSetup - { - name = "orbi"; - host = "95.216.66.212"; - modules = [ - homeManagerModules - srvos.nixosModules.hardware-hetzner-online-intel - srvos.nixosModules.server - srvos.nixosModules.mixins-terminfo - #{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; } - { - home-manager.users.mainUser = import ./nixos/homes/palo; - home-manager.users.root = import ./nixos/homes/root; - } - ]; - }; - robi = nixosConfigurationSetup - { - name = "robi"; - modules = [ - homeManagerModules - #{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; } - { - home-manager.users.mainUser = import ./nixos/homes/palo; - home-manager.users.root = import ./nixos/homes/root; - } - ]; - }; + + cream = clanSetup { + name = "cream"; + host = "cream.private"; + modules = [ + nixos-hardware.nixosModules.framework-12th-gen-intel + retiolum.nixosModules.retiolum + 
private_assets.nixosModules.cream + homeManagerModules + { home-manager.users.mainUser.gui.enable = true; } + { + home-manager.users.mainUser = import ./nixos/homes/palo; + home-manager.users.root = import ./nixos/homes/root; + } + ]; + }; + + cherry = clanSetup { + name = "cherry"; + host = "cherry.private"; + modules = [ + nixos-hardware.nixosModules.framework-13th-gen-intel + homeManagerModules + { home-manager.users.mainUser.gui.enable = true; } + { + home-manager.users.mainUser = import ./nixos/homes/palo; + home-manager.users.root = import ./nixos/homes/root; + } + ]; + }; + + chungus = clanSetup { + name = "chungus"; + host = "chungus.private"; + modules = [ + homeManagerModules + retiolum.nixosModules.retiolum + private_assets.nixosModules.chungus + { + home-manager.users.mainUser = import ./nixos/homes/palo; + home-manager.users.root = import ./nixos/homes/root; + } + ]; + }; + + orbi = clanSetup { + name = "orbi"; + host = "orbi.private"; + # host = "95.216.66.212"; + modules = [ + homeManagerModules + srvos.nixosModules.hardware-hetzner-online-intel + srvos.nixosModules.server + srvos.nixosModules.mixins-terminfo + { home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; } + { + home-manager.users.mainUser = import ./nixos/homes/palo; + home-manager.users.root = import ./nixos/homes/root; + } + ]; + }; + + robi = clanSetup { + name = "robi"; + host = "robi.private"; + modules = [ + homeManagerModules + { home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; } + { + home-manager.users.mainUser = import ./nixos/homes/palo; + home-manager.users.root = import ./nixos/homes/root; + } + ]; + }; }; - }; + + }; + + }); + } + +# devShells.${system}.default = +# pkgs.mkShell { +# buildInputs = [ +# nixpkgs-fmt.defaultPackage.${system} +# nixos-anywhere.packages.${system}.nixos-anywhere +# ]; +# }; + +#apps = nixinate.nixinate.x86_64-linux self; + +# packages = with nixpkgs.lib; { +# ${system} = +# let +# vms = mapAttrs' +# (host: 
sys: { +# name = "vm-${host}"; +# value = sys.config.system.build.vm; +# }) +# self.nixosConfigurations; +# sds = mapAttrs' +# (host: sys: { +# name = "sd-${host}"; +# value = sys.config.system.build.sdImage; +# }) +# (filterAttrs +# (n: hasAttrByPath [ "config" "system" "build" "sdImage" ]) +# self.nixosConfigurations); +# in +# vms // sds; +# }; + +# nixosConfigurations = +# }; + + diff --git a/nixos/components/yubikey.nix b/nixos/components/yubikey.nix index 5f61ed8..b91c46f 100644 --- a/nixos/components/yubikey.nix +++ b/nixos/components/yubikey.nix @@ -14,14 +14,7 @@ with lib; config = mkIf config.components.yubikey.enable { services.pcscd.enable = true; - services.udev.packages = [ - - pkgs.yubikey-personalization - - # additional services, but I just want gpg - # pkgs.libu2f-host - - ]; + services.udev.packages = [ pkgs.yubikey-personalization ]; environment.systemPackages = [ @@ -43,24 +36,26 @@ with lib; ]; - ## managed by home-manager now - #environment.shellInit = '' - # export GPG_TTY="$(tty)" - # gpg-connect-agent /bye - # export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" - #''; - #programs = { - # ssh.startAgent = false; - # gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - #}; ## managed by home-manager now - #security.pam.u2f.enable = true; - #security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path; - #sops.secrets.yubikey_u2fAuthFile = { }; + environment.shellInit = '' + export GPG_TTY="$(tty)" + gpg-connect-agent /bye + export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" + ''; + + programs = { + ssh.startAgent = false; + gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + }; + + ## managed by home-manager now + security.pam.u2f.enable = true; + security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path; + sops.secrets.yubikey_u2fAuthFile = { }; }; }
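Review bot: About forty lines of commented-out code (`devShells`, `apps`, `packages`, `nixosConfigurations`) are appended after the flake's closing `}` instead of being deleted; they are preserved in history by this commit's own removal, and keeping them as comments only invites bit-rot. Separately, `{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }` is re-enabled for `orbi` and `robi` while `doom-emacs-nix` stays commented out in the `outputs` argument list (`#, doom-emacs-nix`); if no imported home-manager module declares `programs.doom-emacs`, evaluating those two machines fails on an undefined option — the home modules under `./nixos/homes/` are not in the diff, so this is inferred. `orbi` also drops the public address `95.216.66.212` for `orbi.private`, which is fine, but the leftover `# host = "95.216.66.212";` is another comment to remove.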
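Review bot: The `## managed by home-manager now` comment is kept directly above `security.pam.u2f.enable = true;` even though this hunk is what re-activates those lines in the NixOS module, so the comment now says the opposite of what the code does; replace it with `# PAM U2F: the authfile is decrypted by sops-nix at activation and read by pam_u2f as root`. `security.pam.u2f.enable` is set without `security.pam.u2f.control`, whose NixOS default is `sufficient` as far as I recall, meaning a key touch alone satisfies authentication for every PAM service that includes it; setting `security.pam.u2f.control` explicitly (and `security.pam.u2f.cue = true` so the user sees a prompt) makes that choice deliberate, and on newer nixpkgs these have moved under `security.pam.u2f.settings`, so check which form the tracked unstable expects. The hardcoded `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"` duplicates what `programs.gnupg.agent.enableSSHSupport = true` already exports via `gpgconf --list-dirs agent-ssh-socket` in the NixOS module; dropping the manual export avoids the two diverging if the socket directory changes. The enclosing `config = mkIf ...` attribute set starts in the previous hunk.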