From 0eeabc63b5fda20f5c9d749d76ee37e3ad082045 Mon Sep 17 00:00:00 2001
From: maralorn
Date: Wed, 1 Feb 2023 03:10:48 +0100
Subject: [PATCH] Break system
---
 flake.lock | 81 ++++++++++++-------
 flake.nix | 28 ++++++-
 home-manager/roles/mode-switching.nix | 2 +-
 nixos/machines/zeus/configuration.nix | 4 +-
 .../machines/zeus/hardware-configuration.nix | 25 ++++-
 nixos/roles/default.nix | 14 ----
 overlays/10-previews.nix | 8 +-
 overlays/private.nix | 1 -
 private | 2 +-
 private.nix | 37 ---------
 10 files changed, 102 insertions(+), 100 deletions(-)
 delete mode 100644 overlays/private.nix
 delete mode 100644 private.nix
diff --git a/flake.lock b/flake.lock
index 1470ab28..c8343faf 100644
--- a/flake.lock
+++ b/flake.lock
@@ -46,11 +46,11 @@
 "flake-compat": {
 "flake": false,
 "locked": {
- "lastModified": 1668681692,
- "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+ "lastModified": 1673956053,
+ "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
 "owner": "edolstra",
 "repo": "flake-compat",
- "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+ "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
 "type": "github"
 },
 "original": {
@@ -66,11 +66,11 @@
 ]
 },
 "locked": {
- "lastModified": 1673362319,
- "narHash": "sha256-Pjp45Vnj7S/b3BRpZEVfdu8sqqA6nvVjvYu59okhOyI=",
+ "lastModified": 1674771137,
+ "narHash": "sha256-Zpk1GbEsYrqKmuIZkx+f+8pU0qcCYJoSUwNz1Zk+R00=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "82c16f1682cf50c01cb0280b38a1eed202b3fe9f",
+ "rev": "7c7a8bce3dffe71203dcd4276504d1cb49dfe05f",
 "type": "github"
 },
 "original": {
@@ -114,13 +114,29 @@
 "type": "github"
 }
 },
- "nixpkgs": {
+ "nixos-stable": {
 "locked": {
- "lastModified": 1673796341,
- "narHash": "sha256-1kZi9OkukpNmOaPY7S5/+SlCDOuYnP3HkXHvNDyLQcc=",
+ "lastModified": 1675154384,
+ "narHash": "sha256-gUXzyTS3WsO3g2Rz0qOYR2a26whkyL2UfTr1oPH9mm8=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "6dccdc458512abce8d19f74195bb20fdb067df50",
+ "rev": "0218941ea68b4c625533bead7bbb94ccce52dceb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1675115703,
+ "narHash": "sha256-4zetAPSyY0D77x+Ww9QBe8RHn1akvIvHJ/kgg8kGDbk=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "2caf4ef5005ecc68141ecb4aac271079f7371c44",
 "type": "github"
 },
 "original": {
@@ -130,22 +146,6 @@
 "type": "github"
 }
 },
- "nixpkgs-stable": {
- "locked": {
- "lastModified": 1672580127,
- "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "0874168639713f547c05947c76124f78441ea46c",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixos-22.05",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "pre-commit-hooks-nix": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -154,14 +154,16 @@
 "nixpkgs": [
 "nixpkgs"
 ],
- "nixpkgs-stable": "nixpkgs-stable"
+ "nixpkgs-stable": [
+ "nixos-stable"
+ ]
 },
 "locked": {
- "lastModified": 1673627351,
- "narHash": "sha256-oppRxEg/7ICcG67ErBvu1UlXt3su6zMcNoQmKaHPs5I=",
+ "lastModified": 1675169698,
+ "narHash": "sha256-C1wFiyJ+4SRvIsFkdMIN1Fa+58APmyTGKWpX9EKOehM=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
- "rev": "496e4505c2ddf5f205242eae8064d7d89cd976c0",
+ "rev": "ce4efeec34c6eb35ba07b8fceaae87d6b46c1c5f",
 "type": "github"
 },
 "original": {
@@ -174,8 +176,25 @@
 "inputs": {
 "agenix": "agenix",
 "flake-parts": "flake-parts",
+ "nixos-stable": "nixos-stable",
 "nixpkgs": "nixpkgs",
- "pre-commit-hooks-nix": "pre-commit-hooks-nix"
+ "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+ "secrets": "secrets"
+ }
+ },
+ "secrets": {
+ "locked": {
+ "lastModified": 1675214458,
+ "narHash": "sha256-79JdedIoZ0QpLSB4m0jlTLXEtVex7LNJuEAun43sHyI=",
+ "ref": "refs/heads/main",
+ "rev": "147bf3431575832da87e6a587aca2641f7df0187",
+ "revCount": 166,
+ "type": "git",
+ "url": "ssh://git@hera.m-0.eu/config-secrets"
+ },
+ "original": {
+ "type": "git",
+ "url": "ssh://git@hera.m-0.eu/config-secrets"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 067e93d1..e6e89482 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,15 +5,20 @@
 };
 inputs = {
+ secrets.url = "git+ssh://git@hera.m-0.eu/config-secrets";
 agenix = {
 url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixos-stable.url = "github:nixos/nixpkgs/nixos-22.11";
 flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
 pre-commit-hooks-nix = {
 url = "github:cachix/pre-commit-hooks.nix";
- inputs.nixpkgs.follows = "nixpkgs";
+ inputs = {
+ nixpkgs-stable.follows = "nixos-stable";
+ nixpkgs.follows = "nixpkgs";
+ };
 };
 };
@@ -27,6 +32,27 @@
 inputs.pre-commit-hooks-nix.flakeModule
 ];
 systems = ["x86_64-linux"];
+ flake.nixosConfigurations = {
+ zeus = inputs.nixos-stable.lib.nixosSystem {
+ modules = [
+ (inputs.secrets.private.privateValue (_: _: {}) "vpn" "zeus")
+ ./nixos/machines/zeus/configuration.nix
+ inputs.secrets.nixosModules.secrets
+ inputs.agenix.nixosModules.default
+ ({pkgs, ...}: {
+ nixpkgs.overlays = [
+ (self: super:
+ {
+ unstable = nixpkgs.legacyPackages.x86_64-linux;
+ nixpkgs-channel = "nixos-stable";
+ home-manager-channel = "home-manager-stable";
+ }
+ // inputs.secrets.private)
+ ];
+ })
+ ];
+ };
+ };
 perSystem = {
 self',
 inputs',
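Review bot: The added `secrets.url = "git+ssh://git@hera.m-0.eu/config-secrets";` turns the whole secrets repository into a flake input, and flake inputs are copied into `/nix/store`, which every local user can read; the `private.nix` deleted in this same commit had kept `privatePath` as a plain string under `/home/maralorn/git/config/private`, i.e. outside the store. That is harmless for agenix `.age` files, but any plaintext material in that repository (the `ssh-config` consumed through `pkgs.privateValue`, the VPN parameters) is now readable on every host that evaluates the flake; I cannot see the secrets repository, so this needs checking rather than assuming. I would record the constraint next to the input: `# config-secrets is a flake input and therefore lands in the world-readable /nix/store: only agenix-encrypted material belongs there`.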
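Review bot: The VPN module is requested with a silent fallback, `(inputs.secrets.private.privateValue (_: _: {}) "vpn" "zeus")`, while the same commit deletes the `system.activationScripts` guard in `nixos/roles/default.nix` that made a secretless build fail with `No secrets loaded!`; if the secrets flake's `privateValue` still honours its default argument, `zeus` can now be built and switched with an empty VPN module and an empty `ssh-config` and nothing reports it. Making the fallback fail loudly restores the old fail-closed behaviour in one line: `(inputs.secrets.private.privateValue (_: _: throw "config-secrets: vpn config for zeus unavailable") "vpn" "zeus")`. Separately, `unstable = nixpkgs.legacyPackages.x86_64-linux;` uses a bare `nixpkgs` whereas every other input in this hunk is reached through `inputs.`; whether that name is bound depends on the `outputs` signature above the hunk, and `inputs.nixpkgs.legacyPackages.x86_64-linux` works either way. The `pkgs` module argument and the overlay's `self`/`super` parameters are unused and could be written as `_`.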
diff --git a/home-manager/roles/mode-switching.nix b/home-manager/roles/mode-switching.nix
index 9302ede7..5cfd4b63 100644
--- a/home-manager/roles/mode-switching.nix
+++ b/home-manager/roles/mode-switching.nix
@@ -19,7 +19,7 @@ in {
 echo "Running update-modes …"
 ${updateModes}/bin/update-modes
 echo "Running update-system …"
- /run/wrappers/bin/sudo -A /run/current-system/sw/bin/update-system
+ /run/wrappers/bin/sudo -A /run/current-system/sw/bin/nixos-rebuild switch
 echo "Maintenance finished."
 '';
 activateMode = pkgs.writeHaskellScript {name = "activate-mode";} ''
diff --git a/nixos/machines/zeus/configuration.nix b/nixos/machines/zeus/configuration.nix
index 044b7820..547f5167 100644
--- a/nixos/machines/zeus/configuration.nix
+++ b/nixos/machines/zeus/configuration.nix
@@ -6,9 +6,8 @@
 }: let
 wireguard = import ../../../common/wireguard.nix;
 inherit (config.m-0) hosts prefix;
- inherit (import ../../../nix/sources.nix) nixos-hardware nixos-unstable;
+ inherit (import ../../../nix/sources.nix) nixos-hardware;
 inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing;
- vpn = (import ../../../private.nix).privateValue (_: _: {}) "vpn";
 in {
 imports = [
 "${nixos-hardware}/common/gpu/amd/sea-islands"
@@ -21,7 +20,6 @@ in {
 ../../roles/display-server.nix
 #../../roles/boot-key.nix
 ../../roles/standalone
- (vpn "zeus")
 ];
 fileSystems = let
diff --git a/nixos/machines/zeus/hardware-configuration.nix b/nixos/machines/zeus/hardware-configuration.nix
index 6b50bd2a..a85feae0 100644
--- a/nixos/machines/zeus/hardware-configuration.nix
+++ b/nixos/machines/zeus/hardware-configuration.nix
@@ -7,9 +7,7 @@
 pkgs,
 modulesPath,
 ...
-}: let
- nixos-uuid = "47552982-2abf-45c6-8c5c-d33091ce3f5a";
-in {
+}: {
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
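Review bot: The new `nixos-rebuild switch` is invoked with no `--flake` argument, so it rebuilds from `/etc/nixos/flake.nix` or, failing that, from the channel-based `nixpkgs/nixos` path, not from this repository's `nixosConfigurations.zeus`; with `private.nix` and `overlays/private.nix` deleted in the same commit the channel path no longer evaluates, so unless `/etc/nixos/flake.nix` points at this checkout the maintenance script will fail or build something else. Naming the target removes the ambiguity: `/run/wrappers/bin/sudo -A /run/current-system/sw/bin/nixos-rebuild switch --flake PATH-TO-CHECKOUT#zeus` (the `update-system` wrapper it replaces presumably encoded that path). The sudoers rule that permitted `update-system` is outside this diff and must now match `nixos-rebuild`; if it is a NOPASSWD rule, pin the arguments, since an unrestricted `nixos-rebuild` lets that user activate an arbitrary flake as root. The shell script this line belongs to begins before the hunk.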
@@ -25,20 +23,20 @@ in {
 };
 fileSystems."/disk" = {
- device = "/dev/disk/by-uuid/${nixos-uuid}";
+ device = "/dev/disk/by-uuid/47552982-2abf-45c6-8c5c-d33091ce3f5a";
 fsType = "btrfs";
 };
 boot.initrd.luks.devices."crypted-nixos".device = "/dev/disk/by-uuid/2518e0e0-c263-40bc-b378-419832dc62cc";
 fileSystems."/nix" = {
- device = "/dev/disk/by-uuid/${nixos-uuid}";
+ device = "/dev/disk/by-uuid/47552982-2abf-45c6-8c5c-d33091ce3f5a";
 fsType = "btrfs";
 options = ["subvol=nix"];
 };
 fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/${nixos-uuid}";
+ device = "/dev/disk/by-uuid/47552982-2abf-45c6-8c5c-d33091ce3f5a";
 fsType = "btrfs";
 options = ["subvol=boot"];
 };
@@ -49,4 +47,19 @@ in {
 };
 swapDevices = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp34s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.m0wire.useDHCP = lib.mkDefault true;
+ # networking.interfaces.tinc.cdark.net.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ # high-resolution display
+ hardware.video.hidpi.enable = lib.mkDefault true;
 }
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 5ea30c66..e04c4762 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -19,7 +19,6 @@ in {
 ];
 imports = [
- (builtins.getFlake "github:ryantm/agenix").nixosModules.default
 (networkingModule "firewall-iptables")
 (networkingModule "firewall-nftables")
 (networkingModule "firewall")
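Review bot: `networking.useDHCP = lib.mkDefault true;` enables DHCP on every interface that has no explicit configuration, and the generator's own commented-out list right below shows this host also carries the `m0wire` and `tinc.cdark.net` tunnel interfaces, not just `enp34s0` and `wlo1`. On a tinc mesh any peer that answers a DHCP request can hand this machine a default route or DNS servers; on the WireGuard interface it mostly produces dhcpcd noise. Unless those tunnel interfaces are configured statically elsewhere in the configuration (outside this diff), prefer the per-interface form the generated comment itself recommends: `networking.useDHCP = lib.mkDefault false;` together with `networking.interfaces.enp34s0.useDHCP = lib.mkDefault true;` and the same line for `wlo1`. This hunk closes the attribute set; the rest of the file is above it.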
@@ -31,11 +30,6 @@ in {
 ./admin.nix
 ];
- age.secrets = (import ../../private/secret-config.nix).module-config {
- inherit (config.networking) hostName;
- inherit lib;
- };
 i18n = {
 defaultLocale = "en_DK.UTF-8";
 supportedLocales = ["en_DK.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8"];
@@ -154,9 +148,6 @@ in {
 (_: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt");
 };
- system.activationScripts =
- lib.mkIf (!pkgs.withSecrets) {text = "echo No secrets loaded!; exit 1;";};
 nix = {
 settings = {
 substituters = lib.mkAfter (
@@ -225,11 +216,6 @@ in {
 };
 };
 programs = {
- command-not-found.dbPath = "${
- builtins.fetchTarball {
- url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz";
- }
- }/programs.sqlite";
 git.config.init.defaultBranch = "main";
 ssh = {
 extraConfig = pkgs.privateValue "" "ssh-config";
diff --git a/overlays/10-previews.nix b/overlays/10-previews.nix
index bc6fc14a..e762191a 100644
--- a/overlays/10-previews.nix
+++ b/overlays/10-previews.nix
@@ -1,13 +1,11 @@
 self: super: let
- unstable = import super.sources.nixos-unstable {};
 sources = builtins.fromJSON (builtins.readFile ../nix/sources.json);
 myFlake = name: (builtins.getFlake "git+ssh://git@hera.m-0.eu/${name}?rev=${sources.${name}.rev}&ref=main").packages.x86_64-linux;
 in {
- inherit unstable;
- unstableHaskellPackages = unstable.haskellPackages;
- unstableGhc = unstable.ghc;
+ unstableHaskellPackages = self.unstable.haskellPackages;
+ unstableGhc = self.unstable.ghc;
 inherit
- (unstable)
+ (self.unstable)
 nix
 home-assistant
 cabal2nix
diff --git a/overlays/private.nix b/overlays/private.nix
deleted file mode 100644
index e8c2730e..00000000
--- a/overlays/private.nix
+++ /dev/null
@@ -1 +0,0 @@
-_: _: import ../private.nix
diff --git a/private b/private
index f9f1726c..147bf343 160000
--- a/private
+++ b/private
@@ -1 +1 @@
-Subproject commit f9f1726c785cbed1f676ef481ae77dbeccf60810
+Subproject commit 147bf3431575832da87e6a587aca2641f7df0187
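Review bot: `self.unstable` is now an attribute this overlay expects someone else to supply — the only definition in this commit is the inline overlay in `flake.nix`, attached to `nixosConfigurations.zeus` alone — so any other consumer of `overlays/` (another machine, a standalone home-manager build, the `perSystem` outputs) will fail with `attribute 'unstable' missing` as soon as `unstableHaskellPackages` or the `inherit (self.unstable)` list is forced. I cannot see how the overlays directory is loaded, so this may be intentional, but the cross-file dependency deserves a line at the top of the file: `# self.unstable is not defined here; it is supplied by the overlay in flake.nix (nixosConfigurations.zeus)`. A self-contained alternative is to define `unstable` from the flake's `nixpkgs` input in one shared overlay that every consumer loads. The `inherit (self.unstable)` list continues past the end of the hunk.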
diff --git a/private.nix b/private.nix
deleted file mode 100644
index 22d02678..00000000
--- a/private.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-let
- persistPath = "/disk/persist/maralorn";
- hasPersistDisk = builtins.pathExists persistPath;
- privateExists = builtins.pathExists private/submodule-is-checked-out;
- var = "WITH_SECRETS";
- explicitUsePrivate = builtins.getEnv var == "true";
- explicitNotUsePrivate = builtins.getEnv var == "false";
- usePrivate = !explicitNotUsePrivate && (explicitUsePrivate || privateExists);
- withSecrets =
- builtins.trace
- (
- if usePrivate
- then assert privateExists; "Building _with_ secrets!"
- else "Building _without_ secrets!"
- )
- usePrivate;
-in {
- inherit withSecrets;
- privatePath = name: let
- path = "${
- if hasPersistDisk
- then persistPath
- else "/home/maralorn"
- }/git/config/private/${name}";
- in
- if withSecrets
- then assert builtins.pathExists (./private + "/${name}"); path
- else path;
- privateValue = default: name:
- if withSecrets
- then import (./private + "/${name}.nix")
- else default;
- privateFile = name:
- if withSecrets
- then ./private + "/${name}"
- else builtins.toFile "missing-secret-file-${builtins.replaceStrings ["/"] [""] name}" "";
-}