authorKj Tsanaktsidis <kjtsanaktsidis@groq.com>2025-09-07 13:52:20 +1000
committerKj Tsanaktsidis <kjtsanaktsidis@groq.com>2025-09-07 14:25:57 +1000
commit7c4275017db7b31da2bd9299c83e28ead981b5ed (patch)
treeafdc249ed376beeeec53d9deaff8962d47b6f7c9 /flake.nix
parentb2c0cf27604f421258077156d18d7ed45d32228f (diff)
wip1
Diffstat (limited to 'flake.nix')
-rw-r--r--flake.nix87
1 files changed, 87 insertions, 0 deletions
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..f898318
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,87 @@
+{
+ inputs.nixpkgs-stable.url = "github:NixOS/nixpkgs/25.05";
+ inputs.nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+ inputs.disko.url = "github:nix-community/disko";
+ inputs.disko.inputs.nixpkgs.follows = "nixpkgs-stable";
+ inputs.nixos-facter-modules.url = "github:numtide/nixos-facter-modules";
+ inputs.sops-nix.url = "github:Mic92/sops-nix";
+ inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs-stable";
+ inputs.nixos-anywhere.url = "github:nix-community/nixos-anywhere";
+ inputs.nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs-stable";
+
+ outputs =
+ {
+ nixpkgs-stable,
+ nixpkgs-unstable,
+ disko,
+ nixos-facter-modules,
+ sops-nix,
+ nixos-anywhere,
+ ...
+ }:
+ let
+ systems = [
+ "x86_64-linux"
+ "x86_64-darwin"
+ "aarch64-linux"
+ "aarch64-darwin"
+ ];
+ in
+ {
+ nixosConfigurations.kj-laptop01 = nixpkgs-unstable.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ disko.nixosModules.disko
+ ./kj-laptop01/configuration.nix
+ nixos-facter-modules.nixosModules.facter
+ sops-nix.nixosModules.sops
+ {
+ config.facter.reportPath = ./kj-laptop01/facter.json;
+ }
+ ];
+ };
+
+ formatter = nixpkgs-stable.lib.genAttrs systems (
+ system: nixpkgs-stable.legacyPackages.${system}.nixfmt-tree
+ );
+
+ apps = nixpkgs-stable.lib.genAttrs systems (system:
+ let
+ pkgs = nixpkgs-stable.legacyPackages.${system};
+
+ install-script = pkgs.writers.writeRubyBin "install" {
+ libraries = [];
+ } /* ruby */ ''
+ require 'tmpdir'
+ require 'open3'
+ require 'json'
+ require 'fileutils'
+
+ system_flake = ARGV[0]
+ ENV['SOPS_AGE_KEY_FILE'] ||= File.expand_path("~/.config/sops/age/keys.txt")
+ sops_exe = "${pkgs.sops}/bin/sops"
+ nixos_anywhere_exe = "${pkgs.nixos-anywhere}/bin/nixos-anywhere"
+
+ secret_data_raw, status = Open3.capture2(sops_exe, "decrypt", "--output-type", "json", "#{system_flake}/secrets.yaml")
+ raise "Failed to decrypt secrets.yaml" unless status.success?
+ secret_data = JSON.parse(secret_data_raw)
+
+ Dir.mktmpdir("secrets") do |secret_dir|
+ FileUtils.mkdir_p(File.join(secret_dir, 'copy_dir/etc/ssh'))
+ File.write(File.join(secret_dir, 'copy_dir/etc/ssh/ssh_host_ed25519_key'), secret_data["ssh_host_key_ed25519"])
+ File.write(File.join(secret_dir, 'luks_passphrase'), secret_data["luks_passphrase"])
+
+ system nixos_anywhere_exe, "--disk-encryption-keys", File.join(secret_dir, 'luks_passphrase'),
+ "--extra-files", File.join(secret_dir, 'copy_dir'), "--flake", ".##{system_flake}", *ARGV[1..-1],
+ exception: true
+ end
+ '';
+ in
+ {
+ install = {
+ type = "app";
+ program = "${install-script}/bin/install";
+ };
+ });
+ };
+}
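Review bot: The two `File.write` calls in the install script create the SSH host private key and the LUKS passphrase with whatever mode the caller's umask gives, and `copy_dir` is then passed to `--extra-files`, so the key likely lands on the target as a group/world-readable `/etc/ssh/ssh_host_ed25519_key` (sshd normally refuses to load a host key with such permissions). Pass an explicit mode on both writes, e.g. `File.write(File.join(secret_dir, 'luks_passphrase'), secret_data.fetch("luks_passphrase"), perm: 0o600)`, and the same for the host key. Reading with `fetch` instead of `[]` matters as well: a key missing from secrets.yaml currently yields `nil`, which `File.write` turns into an empty file, so the install would proceed with an empty passphrase or key file instead of failing. `ARGV[0]` is also used unchecked, so running the app without an argument asks sops to decrypt `/secrets.yaml`; a guard such as `abort "usage: install <system> [nixos-anywhere args]" if system_flake.nil?` before the decrypt step would make that failure explicit.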