6 Commits

Author SHA1 Message Date
474184baa7 add sqlite for restores
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
2025-03-10 12:33:33 -04:00
fd826be6da add token to cache-merge
Some checks failed
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 14s
Check Nix formatting / Perform Nix format checks (pull_request) Has been cancelled
Check Nix flake / Build nix outputs (ubuntu-latest) (pull_request) Has been cancelled
Check Nix flake / Perform Nix flake checks (ubuntu-latest) (pull_request) Has been cancelled
2025-03-10 09:49:19 -04:00
ea16a83c2e add token to cache-merge 2025-03-10 09:48:44 -04:00
050b4c9b2f reorder oops
All checks were successful
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 27s
Check Nix formatting / Perform Nix format checks (pull_request) Successful in 2m51s
Check Nix flake / Build nix outputs (ubuntu-latest) (pull_request) Successful in 2h16m35s
Check Nix flake / Perform Nix flake checks (ubuntu-latest) (pull_request) Successful in 7m59s
2025-03-10 01:23:20 -04:00
ea5616416a remove cache max limit 2025-03-10 01:06:56 -04:00
2a0fe0b106 fix os matrix?
Some checks failed
Check Nix flake / Perform Nix flake checks (ubuntu-latest) (pull_request) Has been cancelled
Check Nix flake / Build nix outputs (ubuntu-latest) (pull_request) Has been cancelled
Check Nix formatting / Perform Nix format checks (pull_request) Has been cancelled
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 10s
2025-03-10 00:48:57 -04:00
40 changed files with 814 additions and 717 deletions

.github/settings.yml vendored

@ -1,173 +1,204 @@
# Have borrowed this config from nix-community/infra # Have borrowed this config from nix-community/infra
repository: repository:
# See https://developer.github.com/v3/repos/#edit for all available settings. # See https://developer.github.com/v3/repos/#edit for all available settings.
# The name of the repository. Changing this will rename the repository # The name of the repository. Changing this will rename the repository
name: nix-dotfiles name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra # A short description of the repository that will show up on GitHub
# A URL with more information about the repository description: RAD-Dev Infra
# homepage: "https://nix-community.org"
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# Labels: define labels for Issues and Pull Requests # Labels: define labels for Issues and Pull Requests
# #
labels: labels:
- name: bug - name: bug
color: '#d73a4a' color: '#d73a4a'
description: Something isn't working description: Something isn't working
- name: CI/CD - name: CI/CD
# If including a `#`, make sure to wrap it with quotes! # If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16' color: '#0e8a16'
description: Related to GH Actions or Hydra description: Related to GH Actions or Hydra
- name: documentation - name: documentation
color: '#0075ca' color: '#0075ca'
description: Improvements or additions to documentation description: Improvements or additions to documentation
- name: duplicate - name: duplicate
color: '#cfd3d7' color: '#cfd3d7'
description: This issue or pull request already exists description: This issue or pull request already exists
- name: enhancement - name: enhancement
color: '#a2eeef' color: '#a2eeef'
description: New feature or request description: New feature or request
- name: good first issue - name: good first issue
color: '#7057ff' color: '#7057ff'
description: Good for newcomers description: Good for newcomers
- name: help wanted - name: help wanted
color: '#008672' color: '#008672'
description: Extra attention is needed description: Extra attention is needed
- name: high priority - name: high priority
color: '#BF480A' color: '#BF480A'
description: A major vurnability was detected description: A major vurnability was detected
- name: invalid - name: invalid
color: '#e4e669' color: '#e4e669'
description: This doesn't seem right description: This doesn't seem right
- name: new user - name: new user
color: '#C302A1' color: '#C302A1'
description: A new user was added to the Flake description: A new user was added to the Flake
- name: question - name: question
color: '#d876e3' color: '#d876e3'
description: Further information is requested description: Further information is requested
- name: wontfix - name: wontfix
color: '#ffffff' color: '#ffffff'
description: This will not be worked on description: This will not be worked on
- name: dependencies - name: dependencies
color: '#cb4ed5' color: '#cb4ed5'
description: Used for PR's related to flake.lock updates description: Used for PR's related to flake.lock updates
- name: automated - name: automated
color: '#42b528' color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD) description: PR was automatically generated (through a bot or CI/CD)
# Milestones: define milestones for Issues and Pull Requests # Milestones: define milestones for Issues and Pull Requests
milestones: milestones:
- title: Go-Live - title: Go-Live
description: >- description: >-
All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated All requirements for official go-live:
# The state of the milestone. Either `open` or `closed` - Automated testing via Hydra/Actions
state: open - Automated deployments via Hydra/Actions
- title: Jeeves Migration - 90+% testing coverage
description: >- - Functional formatter with custom rules
Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support - palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves
- Quadro GPU support
- Multi-GPU support
- Plex support
- Docker support
- ZFS support
# Collaborators: give specific users access to this repository. # Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options # See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
collaborators: collaborators:
# - username: numtide-bot # - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories. # Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of: # The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository. # * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository. # * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository. # * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push # permission: push
# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options # See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
teams: teams:
# - name: admin # - name: admin
# The permission to grant the team. Can be one of: # The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository. # * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository. # * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository. # * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin # permission: admin
branches: branches:
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# not available in the api yet # not available in the api yet
# `Require merge queue`: true # `Require merge queue`: true
# `Merge method`: Rebase and merge # `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1 # `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1 # `Maximum pull requests to merge`: 1
# defaults: # defaults:
# `Maximum pull requests to build`: 5 # `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes # `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5 # `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true # `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes # `Consider check failed after`: 60 minutes
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions - name: main
required_pull_request_reviews: # https://docs.github.com/en/rest/reference/repos#update-branch-protection
# # The number of approvals required. (1-6) # Branch Protection settings. Set to null to disable
required_approving_review_count: 1 protection:
# # Dismiss approved reviews automatically when a new commit is pushed. # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed. # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
require_code_owner_reviews: false required_pull_request_reviews:
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories. # # The number of approvals required. (1-6)
# dismissal_restrictions: required_approving_review_count: 1
# users: [] # # Dismiss approved reviews automatically when a new commit is pushed.
# teams: [] dismiss_stale_reviews: true
require_last_push_approval: false # # Blocks merge until code owners have reviewed.
# Required. Require status checks to pass before merging. Set to null to disable require_code_owner_reviews: false
# required_status_checks: # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
# Required. Require branches to be up to date before merging. # Required. Require branches to be up to date before merging.
# strict: false # strict: false
# Required. The list of status checks to require in order to merge into this branch # Required. The list of status checks to require in order to merge into this branch
# contexts: # contexts:
# - buildbot/nix-eval # - buildbot/nix-eval
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable. # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true enforce_admins: true
# Disabled for bors to work # Disabled for bors to work
required_linear_history: true required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable. # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions: restrictions:
apps: [] apps: []
# TODO: make a buildbot instance # TODO: make a buildbot instance
# users: ["nix-infra-bot"] # users: ["nix-infra-bot"]
teams: [] teams: []

.github/workflows/cache-merge.yml vendored Normal file

@ -0,0 +1,90 @@
name: Nix CI
on:
push:
# don't run on tags, run on commits
# https://github.com/orgs/community/discussions/25615
tags-ignore:
- "**"
branches:
- main
merge_group:
schedule:
- cron: 0 0 * * *
workflow_dispatch:
jobs:
# Merge similar `individual` caches
# Purge `individual` caches and old `common` caches
# Save new `common` caches
merge-similar-caches:
name: Merge similar caches
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout this repo
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- run: nix profile install nixpkgs#sqlite
- uses: nix-community/cache-nix-action@v6
name: create and purge common cache
with:
primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
# if no hit on the primary key, restore individual caches that match `ci.yaml`
restore-prefixes-all-matches: |
similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge old versions of the `common` cache and any versions of individual caches
purge-prefixes: |
similar-cache-${{ matrix.os }}-common-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 0
# except the version with the `primary-key`, if it exists
purge-primary-key: never
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
- uses: nix-community/cache-nix-action@v6
name: purge some individual caches
with:
primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
# if no hit on the primary key, restore individual caches that match `ci.yaml`
restore-prefixes-all-matches: |
similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge old versions of the `common` cache and any versions of individual caches
purge-prefixes: |
similar-cache-${{ matrix.os }}-individual-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 259200
# except the version with the `primary-key`, if it exists
purge-primary-key: never
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
# Check that the `common` cache is restored correctly
merge-similar-caches-check:
name: Check a `common` cache is restored correctly
needs: merge-similar-caches
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout this repo
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- run: nix profile install nixpkgs#sqlite
- name: Restore Nix store
uses: nix-community/cache-nix-action@v6
with:
primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
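Review bot: `uses: https://github.com/DeterminateSystems/nix-installer-action@main` (in both jobs of this new file, and again in the update-flakes workflow) pins an action that runs in a job holding `GH_TOKEN_FOR_UPDATES` to a mutable branch, so whatever lands on that branch is what executes here; pin it to a release tag or, better, a full commit SHA with the tag in a trailing comment, as `actions/checkout@v4` already does by tag. The comments on the second `cache-nix-action` step were copied from the first and no longer match their values: `purge-created: 259200` is still annotated `# created more than 0 seconds ago …` and the `purge-prefixes` comment still says "old versions of the `common` cache" while the prefix is `individual-`, so change them to `# created more than 3 days (259200 s) ago relative to the start of the `Post Restore` phase` and `# purge individual caches older than the threshold below`. The `merge-similar-caches-check` job restores the `common` cache but nothing visible reads the restore result, so the job passes even when the restore misses; unless such a check is among the lines not shown, give the restore step `id: restore` and follow it with `- if: steps.restore.outputs.hit != 'true'` / `  run: exit 1`.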


@ -1,47 +1,94 @@
name: "Check Nix flake" name: "Check Nix flake"
on: on:
push: push:
branches: ["main"] branches: ["main"]
pull_request: pull_request:
branches: ["main"] branches: ["main"]
merge_group: merge_group:
jobs: jobs:
health-check: health-check:
name: "Perform Nix flake checks" name: "Perform Nix flake checks"
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
matrix: matrix:
os: [ubuntu-latest] os: [ubuntu-latest]
steps: steps:
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0 - uses: actions/checkout@v4
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }} - run: nix profile install nixpkgs#sqlite
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }} - name: Restore Nix store
skip-push: "true" id: restore
- uses: actions/checkout@v4 uses: nix-community/cache-nix-action@v6
- run: nix flake check --accept-flake-config with:
- run: nix ./utils/attic-push.bash # save a new cache every time `ci.yaml` changes
build-checks: primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
name: "Build nix outputs" # otherwise, restore a common cache if and only if it matches the current `ci.yaml`
runs-on: ${{ matrix.os }} restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
strategy:
matrix: - name: Setup Attic cache
os: [ubuntu-latest] uses: ryanccn/attic-action@v0
steps: with:
- uses: DeterminateSystems/nix-installer-action@main endpoint: ${{ secrets.ATTIC_ENDPOINT }}
- name: Setup Attic cache cache: ${{ secrets.ATTIC_CACHE }}
uses: ryanccn/attic-action@v0 token: ${{ secrets.ATTIC_TOKEN }}
with: skip-push: "true"
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }} - run: nix flake check --accept-flake-config
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true" - run: nix ./utils/attic-push.bash
- uses: actions/checkout@v4
- name: Build all outputs build-checks:
run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build . name: "Build nix outputs"
- name: Push to Attic runs-on: ${{ matrix.os }}
run: nix ./utils/attic-push.bash strategy:
continue-on-error: true matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: actions/checkout@v4
- run: nix profile install nixpkgs#sqlite
- name: Restore Nix store
id: restore
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# otherwise, restore a common cache if and only if it matches the current `ci.yaml`
restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Build all outputs
run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Save Nix store
if: steps.restore.outputs.hit == 'false'
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge all versions of the individual cache
purge-prefixes: similar-cache-${{ matrix.os }}-individual-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 0
# except the version with the `primary-key`, if it exists
purge-primary-key: never
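Review bot: `- run: nix profile install nixpkgs#sqlite` (new in both jobs here, and likewise in the cache-merge and update-flakes workflows) presumably resolves `nixpkgs` through the flake registry, so each run fetches whatever nixpkgs is current rather than the revision recorded in the `flake.lock` that the cache key hashes, which makes the runs non-reproducible and the installed sqlite untraceable to the lockfile. Assuming the flake declares a `nixpkgs` input, pin it to that input with `- run: nix profile install --inputs-from . nixpkgs#sqlite`; the step already runs after `actions/checkout@v4`, which that flag requires. In `health-check` the restore step carries `id: restore` but no `Save Nix store` step follows it, so the id is unused in that job; either add the save step as `build-checks` does, or drop the id and note with `# restore only; the build-checks job saves` why this job does not save.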


@ -1,112 +1,155 @@
name: "Update flakes" name: "Update flakes"
on: on:
repository_dispatch: repository_dispatch:
workflow_dispatch: workflow_dispatch:
schedule: schedule:
- cron: "00 12 * * *" - cron: "00 12 * * *"
jobs: jobs:
update_lockfile: update_lockfile:
runs-on: ubuntu-latest runs-on: ubuntu-latest
#if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get pre-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh pre
- name: Update flake.lock
id: update
run: |
nix flake update 2> >(tee /dev/stderr) | awk '
/^• Updated input/ {in_update = 1; print; next}
in_update && !/^warning:/ {print}
/^$/ {in_update = 0}
' > update.log
echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV - name: Install nix
cat update.log >> $GITHUB_ENV uses: https://github.com/DeterminateSystems/nix-installer-action@main
echo "EOF" >> $GITHUB_ENV
rm update.log - run: nix profile install nixpkgs#sqlite
- name: Get post-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: Read file contents
id: read_file
uses: guibranco/github-file-reader-action-v2@latest
with:
path: "post-diff"
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
``` - name: Restore Nix store
${{ env.UPDATE_LOG }} id: restore
``` uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# otherwise, restore a common cache if and only if it matches the current `ci.yaml`
restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
``` - name: Setup Attic cache
${{ steps.read_file.outputs.contents }} uses: ryanccn/attic-action@v0
``` with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
Auto-generated by [update.yml][1] with the help of - name: Get pre-snapshot of evaluations
[create-pull-request][2]. run: nix ./utils/eval-to-drv.sh pre
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml - name: Update flake.lock
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request id: update
- name: Generate PR body run: |
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0 nix flake update 2> >(tee /dev/stderr) | awk '
with: /^• Updated input/ {in_update = 1; print; next}
files: "pr_body.template" in_update && !/^warning:/ {print}
output-filename: "pr_body.md" /^$/ {in_update = 0}
- name: Save PR body ' > update.log
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pr_body.md
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
body: ${{ steps.pr_body.outputs.content }}
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
${{ steps.pr_body.outputs.content }} echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
branch: update-flake-lock cat update.log >> $GITHUB_ENV
delete-branch: true echo "EOF" >> $GITHUB_ENV
pr-labels: | # Labels to be set on the PR
dependencies rm update.log
automated
- name: Push to Attic - name: Get post-snapshot of evaluations
run: nix ./utils/attic-push.bash run: nix ./utils/eval-to-drv.sh post
continue-on-error: true
- name: Print PR number - name: Calculate diff
run: | run: nix ./utils/diff-evals.sh
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" - name: Read diff into environment
run: |
delimiter="$(openssl rand -hex 8)"
{
echo "POSTDIFF<<${delimiter}"
cat post-diff
echo "${delimiter}"
} >> $GITHUB_ENV
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
```
${{ env.UPDATE_LOG }}
```
```
{{ env.POSTDIFF }}
```
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pr_body.md
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
body: ${{ steps.pr_body.outputs.content }}
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
${{ steps.pr_body.outputs.content }}
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR
dependencies
automated
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Save Nix store
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge all versions of the individual cache
purge-prefixes: similar-cache-${{ matrix.os }}-individual-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 0
# except the version with the `primary-key`, if it exists
purge-primary-key: never
- name: Print PR number
run: |
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
permissions: permissions:
pull-requests: write pull-requests: write
contents: write contents: write
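Review bot: `${{ matrix.os }}` in `primary-key: similar-cache-${{ matrix.os }}-individual-…` and `restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-` of the new restore step (and again in `primary-key` and `purge-prefixes` of the new `Save Nix store` step) is undefined in `update_lockfile`, which has `runs-on: ubuntu-latest` and no `strategy.matrix`; the expression expands to an empty string, so the keys become `similar-cache--individual-…`, which never match the `similar-cache-ubuntu-latest-…` entries the other workflows write, and the purge prefix matches nothing. Give this job the same one-entry matrix the other workflows use (`strategy:` / `  matrix:` / `    os: [ubuntu-latest]` with `runs-on: ${{ matrix.os }}`), or hard-code `ubuntu-latest` in the keys. The template line `{{ env.POSTDIFF }}` uses single-brace handlebars syntax where the line above it uses `${{ env.UPDATE_LOG }}`; if `handlebars-action` does not expose `env`, the diff section renders empty, so a comment such as `# resolved by handlebars-action at render time, not by the workflow expression parser` should record which expansion is intended. The new `Read diff into environment` step correctly uses a random heredoc delimiter when appending to `$GITHUB_ENV`, while the unchanged `Update flake.lock` step still appends `UPDATE_LOG` with the fixed `EOF` delimiter and an unquoted `$GITHUB_ENV`; the same pattern should apply to both, since a line reading `EOF` in `update.log` would terminate the value early.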


@ -1,16 +1,17 @@
name: "Check flake.lock" name: "Check flake.lock"
on: on:
push: push:
branches: ["main"] branches: ["main"]
pull_request: pull_request:
branches: ["main"] branches: ["main"]
merge_group: merge_group:
jobs: jobs:
health-check: health-check:
name: "Check health of `flake.lock`" name: "Check health of `flake.lock`"
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main - uses: DeterminateSystems/flake-checker-action@main
with: with:
fail-mode: true fail-mode: true


@ -1,25 +1,26 @@
name: "Check Nix formatting" name: "Check Nix formatting"
on: on:
push: push:
branches: ["main"] branches: ["main"]
pull_request: pull_request:
branches: ["main"] branches: ["main"]
merge_group: merge_group:
jobs: jobs:
health-check: health-check:
name: "Perform Nix format checks" name: "Perform Nix format checks"
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache - name: Setup Attic cache
uses: ryanccn/attic-action@v0 uses: ryanccn/attic-action@v0
with: with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }} endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }} cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }} token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true" skip-push: "true"
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- run: nix fmt -- --check . - run: nix fmt -- --check .
- name: Push to Attic - name: Push to Attic
run: nix ./utils/attic-push.bash run: nix ./utils/attic-push.bash
continue-on-error: true continue-on-error: true


@ -1,46 +1,51 @@
keys: keys:
# The PGP keys in keys/ # The PGP keys in keys/
- &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330 - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
# Generate AGE keys from SSH keys with:
# ssh-keygen -A # Generate AGE keys from SSH keys with:
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' # ssh-keygen -A
# cspell:disable # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2 # cspell:disable
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
#- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
# cspell:enable # cspell:enable
servers: &servers servers: &servers
- *palatine-hill - *palatine-hill
# add new users by executing: sops users/<user>/secrets.yaml # add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below # then have someone already in the repo run the below
# #
# update keys by executing: sops updatekeys secrets.yaml # update keys by executing: sops updatekeys secrets.yaml
# note: add .* before \.yaml if you'd like to use the mergetool config # note: add .* before \.yaml if you'd like to use the mergetool config
creation_rules: creation_rules:
- path_regex: users/alice/secrets.*\.yaml$ - path_regex: users/alice/secrets.*\.yaml$
key_groups: key_groups:
- pgp: - pgp:
- *admin_alice - *admin_alice
age: age:
- *palatine-hill - *palatine-hill
- *artemision - *artemision
- *artemision-home - *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups: - path_regex: systems/palatine-hill/secrets.*\.yaml$
- pgp: key_groups:
- *admin_alice - pgp:
age: - *admin_alice
- *palatine-hill age:
- path_regex: systems/artemision/secrets.*\.yaml$ - *palatine-hill
key_groups:
- pgp: - path_regex: systems/artemision/secrets.*\.yaml$
- *admin_alice key_groups:
age: - pgp:
- *artemision - *admin_alice
- path_regex: systems/palatine-hill/docker/wg/.*\.conf$ age:
key_groups: - *artemision
- pgp: - path_regex: systems/palatine-hill/docker/wg/.*\.conf$
- *admin_alice key_groups:
age: - pgp:
- *palatine-hill - *admin_alice
age:
- *palatine-hill


@ -1,7 +1,5 @@
{ {
"cSpell.enableFiletypes": [ "cSpell.enableFiletypes": ["nix"],
"nix"
],
"cSpell.words": [ "cSpell.words": [
"aarch", "aarch",
"abmlevel", "abmlevel",
@ -41,7 +39,6 @@
"codezombiech", "codezombiech",
"compactmode", "compactmode",
"Compat", "Compat",
"concat",
"concatLists", "concatLists",
"contentblocking", "contentblocking",
"cookiebanners", "cookiebanners",
@ -154,7 +151,6 @@
"networkd", "networkd",
"networkmanager", "networkmanager",
"newtabpage", "newtabpage",
"nixfmt",
"nixos", "nixos",
"nixpkgs", "nixpkgs",
"nmap", "nmap",
@ -216,8 +212,6 @@
"rofi", "rofi",
"rpool", "rpool",
"rspace", "rspace",
"rsyslog",
"rsyslogd",
"rtkit", "rtkit",
"safebrowsing", "safebrowsing",
"Sandro", "Sandro",
@ -259,7 +253,6 @@
"topstories", "topstories",
"Toqozz", "Toqozz",
"torrenting", "torrenting",
"treefmt",
"twimg", "twimg",
"uaccess", "uaccess",
"ublock", "ublock",


@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
| Branch Name | Use Case | | Branch Name | Use Case |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main | protected branch which all machines pull from, do not try to push directly | | main | protected branch which all machines pull from, do not try to push directly |
| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use | | feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use |
| fixup/\<item> | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical | | fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item> | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process | | hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues | | urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item> | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches | | exp/\<item\> | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item> | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch | | merge/\<item\> | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
### Review Process ### Review Process
@ -94,11 +94,11 @@ rules.
PR has been tested on at least one machine PR has been tested on at least one machine
- Issues which bypass the quorum process must have a second reviewer tagged - Issues which bypass the quorum process must have a second reviewer tagged
- All critical issues which bypass the approval process must have an RCA issue - All critical issues which bypass the approval process must have an RCA issue
opened and the RCA logged into the `inc/` folder opened and the RCA logged into the `inc/` folder
- The second reviewer has 2 weeks to retroactively review and approve the PR - The second reviewer has 2 weeks to retroactively review and approve the PR
- If the retro does not happen in the given window, an issue shall be opened - If the retro does not happen in the given window, an issue shall be opened
to either re-review the PR or to revert and replace the fix with a to either re-review the PR or to revert and replace the fix with a
permanent solution permanent solution
- Critical issues must be tagged to `Nix Flake Features` project, and must have - Critical issues must be tagged to `Nix Flake Features` project, and must have
a priority of `High` and an estimate tagged. Start and end date are not needed a priority of `High` and an estimate tagged. Start and end date are not needed


@ -1,9 +1,9 @@
#!/usr/bin/env nix #!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#git --command bash #! nix shell nixpkgs#bash nixpkgs#git --command bash
set -o errexit # abort on nonzero exitstatus set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes set -o pipefail # don't hide errors within pipes
PROCEED="N" PROCEED="N"
@ -50,58 +50,60 @@ GITBASE="systems"
FEATUREBRANCH="feature/adding-$MACHINENAME" FEATUREBRANCH="feature/adding-$MACHINENAME"
if [ $PROCEED != "Y" ]; then if [ $PROCEED != "Y" ]; then
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly" echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi fi
if [ $CREATEPARTS = "Y" ]; then if [ $CREATEPARTS = "Y" ]; then
# Create partition table # Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create boot part # Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1" sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create luks part # Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100% sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on sudo parted "/dev/$DRIVE" -- set 2 lvm on
LUKSPART="nixos-pv" LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2" sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART" sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
# Create lvm part # Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART" sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART" sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay sudo pvdisplay
# Create volume group # Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART" sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP" sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay sudo vgdisplay
# Create swap part on LVM # Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH" sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi fi
# Create home part on LVM, leaving plenty of room for snapshots # Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH" sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix # Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH" sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create nix part on LVM # Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH" sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
sudo lvdisplay sudo lvdisplay
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi fi
# Mount partitions # Mount partitions
@ -114,7 +116,7 @@ sudo mount $BOOTPART /mnt/boot
# Enable swap if SWAPSIZE is non-zero # Enable swap if SWAPSIZE is non-zero
if [ $SWAPSIZE != 0 ]; then if [ $SWAPSIZE != 0 ]; then
sudo swapon "/dev/$VOLGROUP/swap" sudo swapon "/dev/$VOLGROUP/swap"
fi fi
# Clone the repo # Clone the repo
@ -133,31 +135,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
cat "$DOTS/id_ed25519_ghdeploy.pub" cat "$DOTS/id_ed25519_ghdeploy.pub"
if [ $SOPS == "Y" ]; then if [ $SOPS == "Y" ]; then
# Create ssh host-keys # Create ssh host-keys
sudo ssh-keygen -A sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Get line where AGE comment is and insert new AGE key two lines down # Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}') AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age') AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml" sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Add server name # Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}') SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml" sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add creation rules # Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}') CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted # TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF read -r -d '' PATHRULE <<-EOF
- path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$ - path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
key_groups: key_groups:
- pgp: *$OWNERORADMINS - pgp: *$OWNERORADMINS
age: age:
- *$MACHINENAME - *$MACHINENAME
EOF EOF
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml" sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
fi fi
read -r -p "press enter to continue" read -r -p "press enter to continue"

131
flake.lock generated

@ -78,11 +78,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1742449434, "lastModified": 1740974607,
"narHash": "sha256-UVz7NhPzbEWey6mMJU3Jwjqfbp0xH0iKZDuoRjhZEN0=", "narHash": "sha256-YbAnhXYYOjG8OHX7v4BGj/tDQiFgkwe4JsqCjbFYjB0=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "1b0b14b56353040142e0ef5b0ab37743bbbf4ab4", "rev": "093c063a23aa38f31082a554f03899127750aee3",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -95,11 +95,11 @@
"firefox-gnome-theme": { "firefox-gnome-theme": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1741628778, "lastModified": 1739223196,
"narHash": "sha256-RsvHGNTmO2e/eVfgYK7g+eYEdwwh7SbZa+gZkT24MEA=", "narHash": "sha256-vAxN2f3rvl5q62gQQjZGVSvF93nAsOxntuFz+e/655w=",
"owner": "rafaelmardojai", "owner": "rafaelmardojai",
"repo": "firefox-gnome-theme", "repo": "firefox-gnome-theme",
"rev": "5a81d390bb64afd4e81221749ec4bffcbeb5fa80", "rev": "a89108e6272426f4eddd93ba17d0ea101c34fb21",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -127,11 +127,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1741352980, "lastModified": 1740872218,
"narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -232,11 +232,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1741379162, "lastModified": 1737465171,
"narHash": "sha256-srpAbmJapkaqGRE3ytf3bj4XshspVR5964OX5LfjDWc=", "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "b5a62751225b2f62ff3147d0a334055ebadcd5cc", "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -312,11 +312,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742447757, "lastModified": 1740845322,
"narHash": "sha256-Q0KXcHQmum8L6IzGhhkVhjFMKY6BvYa/rhmLP26Ws8o=", "narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "94605dcadefeaff6b35c8931c9f38e4f4dc7ad0a", "rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -332,11 +332,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742213523, "lastModified": 1740923452,
"narHash": "sha256-I8JVdQRu8eWvY5W8XWYZkdd5pojDHkxeqQV7mMIsbhs=", "narHash": "sha256-iQNkVG0368H3kiwSYSs1N6sU7GhHSmx0b9y+Z+eO1+c=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "contrib", "repo": "contrib",
"rev": "bd81329944be53b0ffb99e05864804b95f1d7c65", "rev": "6f0d5e16c534aeda47d99b4d20bb2a22bfc60c23",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -352,11 +352,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742174123, "lastModified": 1740886574,
"narHash": "sha256-pDNzMoR6m1ZSJToZQ6XDTLVSdzIzmFl1b8Pc3f7iV6Y=", "narHash": "sha256-jN6kJ41B6jUVDTebIWeebTvrKP6YiLd1/wMej4uq4Sk=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "2cfb4e1ca32f59dd2811d7a6dd5d4d1225f0955c", "rev": "26a0f969549cf4d56f6e9046b9e0418b3f3b94a5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -388,11 +388,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742217219, "lastModified": 1740947705,
"narHash": "sha256-pLRjj0jTL1TloB0ptEwVF51IJJX8a17dSxg+gqiWb30=", "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "83900d5154d840dfae1e0367c5290f59b9dccf03", "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -403,11 +403,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1742376361, "lastModified": 1740646007,
"narHash": "sha256-VFMgJkp/COvkt5dnkZB4D2szVdmF6DGm5ZdVvTUy61c=", "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "daaae13dff0ecc692509a1332ff9003d9952d7a9", "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -426,11 +426,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742419596, "lastModified": 1741017582,
"narHash": "sha256-+Bw1HR4oX6vUbCMhwWbW+Nr20F+UesNdUd7b17s3ESE=", "narHash": "sha256-2tscHztx6UxqeQTK0U1kLM74+6mSzROMNYJpKRDLMPM=",
"owner": "SuperSandro2000", "owner": "SuperSandro2000",
"repo": "nixos-modules", "repo": "nixos-modules",
"rev": "82491ff311152b87fe7cfbdaf545f727e0750aa9", "rev": "c7c9219eb6ff26c203d22ba733e9e988499290f0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -441,11 +441,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1742450798, "lastModified": 1740981371,
"narHash": "sha256-lfOAAaX68Ed7R6Iy2nbFAkGj6B8kHBp3nqZhgZjxR5c=", "narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b64ec1944ea40d9f3920f938e17ed39a9978c6c7", "rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -457,31 +457,28 @@
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1740877520, "lastModified": 1740872140,
"narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=", "narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=",
"owner": "nix-community", "type": "tarball",
"repo": "nixpkgs.lib", "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
"rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
"type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "type": "tarball",
"repo": "nixpkgs.lib", "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
"type": "github"
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1742268799, "lastModified": 1735563628,
"narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=", "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "da044451c6a70518db5b730fe277b70f494188f1", "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.11", "ref": "nixos-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -496,11 +493,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1741693509, "lastModified": 1740408283,
"narHash": "sha256-emkxnsZstiJWmGACimyAYqIKz2Qz5We5h1oBVDyQjLw=", "narHash": "sha256-2xECnhgF3MU9YjmvOkrRp8wRFo2OjjewgCtlfckhL5s=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "5479646b2574837f1899da78bdf9a48b75a9fb27", "rev": "496a4a11162bdffb9a7b258942de138873f019f7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -520,11 +517,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742300892, "lastModified": 1740915799,
"narHash": "sha256-QmF0proyjXI9YyZO9GZmc7/uEu5KVwCtcdLsKSoxPAI=", "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "ea26a82dda75bee6783baca6894040c8e6599728", "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -562,11 +559,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742437918, "lastModified": 1740969088,
"narHash": "sha256-Vflb6KJVDikFcM9E231mRN88uk4+jo7BWtaaQMifthI=", "narHash": "sha256-BajboqzFnDhxVT0SXTDKVJCKtFP96lZXccBlT/43mao=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "f03085549609e49c7bcbbee86a1949057d087199", "rev": "20fdb02098fdda9a25a2939b975abdd7bc03f62d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -582,11 +579,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742406979, "lastModified": 1739262228,
"narHash": "sha256-r0aq70/3bmfjTP+JZs4+XV5SgmCtk1BLU4CQPWGtA7o=", "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "1770be8ad89e41f1ed5a60ce628dd10877cb3609", "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -623,11 +620,11 @@
"tinted-zed": "tinted-zed" "tinted-zed": "tinted-zed"
}, },
"locked": { "locked": {
"lastModified": 1742422444, "lastModified": 1740959323,
"narHash": "sha256-Djg5uMhIDPdFOZ7kTrqNlHaAqcx/4rp7BofZLsUHkLY=", "narHash": "sha256-UtSKsLCWwA4wPFm7mgl33qeu8sj0on9Hyt3YhDWWkAM=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "f122d70925ca44e5ee4216661769437ab36a6a3f", "rev": "489833b201a84488c6b4371a261fdbcafa6abcb6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -703,11 +700,11 @@
"tinted-schemes": { "tinted-schemes": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1741468895, "lastModified": 1740351358,
"narHash": "sha256-YKM1RJbL68Yp2vESBqeZQBjTETXo8mCTTzLZyckCfZk=", "narHash": "sha256-Hdk850xgAd3DL8KX0AbyU7tC834d3Lej1jOo3duWiOA=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "schemes", "repo": "schemes",
"rev": "47c8c7726e98069cade5827e5fb2bfee02ce6991", "rev": "a1bc2bd89e693e7e3f5764cfe8114e2ae150e184",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -719,11 +716,11 @@
"tinted-tmux": { "tinted-tmux": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1740877430, "lastModified": 1740272597,
"narHash": "sha256-zWcCXgdC4/owfH/eEXx26y5BLzTrefjtSLFHWVD5KxU=", "narHash": "sha256-/etfUV3HzAaLW3RSJVwUaW8ULbMn3v6wbTlXSKbcoWQ=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "tinted-tmux", "repo": "tinted-tmux",
"rev": "d48ee86394cbe45b112ba23ab63e33656090edb4", "rev": "b6c7f46c8718cc484f2db8b485b06e2a98304cd0",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -26,8 +26,7 @@
nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-hardware.url = "github:NixOS/nixos-hardware";
#nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable"; #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
#nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
systems.url = "github:nix-systems/default"; systems.url = "github:nix-systems/default";
# attic = { # attic = {
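Review bot: The new side of the `nixpkgs-stable` input two lines up points at `nixos-24.05`, a release branch that stopped receiving security updates at the end of 2024, so anything built from `nixpkgs-stable` stays on unpatched package versions. If this side is the one being merged (the compare direction looks reversed, since the lockfile timestamps in this same compare also move backwards), keep `nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";` or move to the current release. A short comment naming which hosts or modules consume `nixpkgs-stable` would make the blast radius of the channel choice visible in review.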


@ -10,10 +10,10 @@
}; };
system.autoUpgrade = { system.autoUpgrade = {
enable = lib.mkDefault true; enable = lib.mkDefault false;
flags = [ "--accept-flake-config" ]; flags = [ "--accept-flake-config" ];
randomizedDelaySec = "1h"; randomizedDelaySec = "1h";
persistent = true; persistent = true;
flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git"; flake = "github:RAD-Development/nix-dotfiles";
}; };
} }
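Review bot: `flake = "github:RAD-Development/nix-dotfiles";` carries no ref, so any host that turns `system.autoUpgrade.enable` on follows whatever that repository's default branch resolves to at upgrade time, which can change outside this repo's review process. The contributing guide in this same compare describes `main` as the protected branch all machines pull from, so pinning it explicitly, `flake = "github:RAD-Development/nix-dotfiles/main";`, ties the unattended upgrade path to the branch-protection rules. The module default also flips to `lib.mkDefault false` here; a one-line comment stating that hosts must opt in would save the next reader from guessing whether upgrades run at all.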


@ -45,10 +45,6 @@ forEachSystem (
treefmt treefmt
statix statix
nixfmt-rfc-style nixfmt-rfc-style
jsonfmt
mdformat
shfmt
yamlfmt
]; ];
}; };
in in


@ -32,7 +32,7 @@
}; };
boot = { boot = {
#kernelPackages = lib.mkForce pkgs.linuxPackages_6_6; kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
useSystemdBoot = true; useSystemdBoot = true;
default = true; default = true;
}; };
@ -83,14 +83,11 @@
users.users.alice.extraGroups = [ "calibre-web" ]; users.users.alice.extraGroups = [ "calibre-web" ];
system.autoUpgrade.enable = false;
system.stateVersion = "24.05"; system.stateVersion = "24.05";
programs.adb.enable = true; programs.adb.enable = true;
environment.variables = {
"KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
};
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
#secrets = { #secrets = {
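Review bot: `kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;` in the `boot` block pins this host to the 6.6 series with no comment saying why, and `mkForce` will silently win over any kernel the shared or hardware modules select later. A why-comment such as `# pinned to 6.6 LTS: <reason>; revisit when <condition>` keeps the pin from outliving its cause, since a forgotten force-pin is how a host ends up on a kernel branch after it leaves support. The rest of this file's boot options lie outside the hunk.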


@ -7,7 +7,6 @@
hyprland = { hyprland = {
enable = true; enable = true;
xwayland.enable = true; xwayland.enable = true;
withUWSM = true;
}; };
hyprlock.enable = true; hyprlock.enable = true;
gnupg.agent = { gnupg.agent = {


@ -18,6 +18,8 @@
croc croc
deadnix deadnix
direnv direnv
discord
discord-canary
easyeffects easyeffects
eza eza
fanficfare fanficfare
@ -42,7 +44,6 @@
kitty kitty
kubectl kubectl
kubernetes-helm kubernetes-helm
libreoffice-fresh
libtool libtool
lsof lsof
lynis lynis


@ -2,9 +2,9 @@
#! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash #! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash
sync_directories=( sync_directories=(
/ZFS/ZFS-primary/hydra /ZFS/ZFS-primary/hydra
) )
for dir in "${sync_directories[@]}"; do for dir in "${sync_directories[@]}"; do
find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \; find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
done done


@ -23,7 +23,6 @@ in
"${act_path}/stable-latest-main/config.yaml:/config.yaml" "${act_path}/stable-latest-main/config.yaml:/config.yaml"
"${act_path}/stable-latest-main/data:/data" "${act_path}/stable-latest-main/data:/data"
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
"/nix:/nix"
]; ];
environment = { environment = {
CONFIG_FILE = "/config.yaml"; CONFIG_FILE = "/config.yaml";
@ -46,7 +45,6 @@ in
"${act_path}/stable-latest-1/config.yaml:/config.yaml" "${act_path}/stable-latest-1/config.yaml:/config.yaml"
"${act_path}/stable-latest-1/data:/data" "${act_path}/stable-latest-1/data:/data"
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
"/nix:/nix"
]; ];
environment = { environment = {
CONFIG_FILE = "/config.yaml"; CONFIG_FILE = "/config.yaml";
@ -69,7 +67,6 @@ in
"${act_path}/stable-latest-2/config.yaml:/config.yaml" "${act_path}/stable-latest-2/config.yaml:/config.yaml"
"${act_path}/stable-latest-2/data:/data" "${act_path}/stable-latest-2/data:/data"
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
"/nix:/nix"
]; ];
environment = { environment = {
CONFIG_FILE = "/config.yaml"; CONFIG_FILE = "/config.yaml";
@ -92,7 +89,6 @@ in
"${act_path}/stable-latest-3/config.yaml:/config.yaml" "${act_path}/stable-latest-3/config.yaml:/config.yaml"
"${act_path}/stable-latest-3/data:/data" "${act_path}/stable-latest-3/data:/data"
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
"/nix:/nix"
]; ];
environment = { environment = {
CONFIG_FILE = "/config.yaml"; CONFIG_FILE = "/config.yaml";
@ -115,7 +111,6 @@ in
"${act_path}/stable-latest-4/config.yaml:/config.yaml" "${act_path}/stable-latest-4/config.yaml:/config.yaml"
"${act_path}/stable-latest-4/data:/data" "${act_path}/stable-latest-4/data:/data"
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
"/nix:/nix"
]; ];
environment = { environment = {
CONFIG_FILE = "/config.yaml"; CONFIG_FILE = "/config.yaml";
@ -138,7 +133,6 @@ in
"${act_path}/stable-latest-5/config.yaml:/config.yaml" "${act_path}/stable-latest-5/config.yaml:/config.yaml"
"${act_path}/stable-latest-5/data:/data" "${act_path}/stable-latest-5/data:/data"
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
"/nix:/nix"
]; ];
environment = { environment = {
CONFIG_FILE = "/config.yaml"; CONFIG_FILE = "/config.yaml";
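Review bot: All six container definitions in this file (the hunks at the `stable-latest-main` and `stable-latest-1` through `-5` volume lists) keep `"/var/run/docker.sock:/var/run/docker.sock"` after `"/nix:/nix"` is dropped, and a writable Docker socket gives any workflow executed by that runner full control of the host daemon, which is equivalent to root on the host. The workflows elsewhere in this compare trigger on `pull_request`, so that capability is reachable from proposed changes, not only from merged code. Worth a comment on the mount stating that it is intentional and which repositories the runners are registered to, and, if the jobs only need to start sibling containers, fronting the socket with a restricted proxy or a rootless docker-in-docker sidecar rather than the host socket. Each container's remaining settings are outside these hunks.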


@ -31,47 +31,47 @@
default-address-pools = [ default-address-pools = [
{ {
base = "169.254.2.0/23"; base = "169.254.2.0/23";
size = 28; size = "28";
} }
{ {
base = "169.254.4.0/22"; base = "169.254.4.0/22";
size = 28; size = "28";
} }
{ {
base = "169.254.8.0/21"; base = "169.254.8.0/21";
size = 28; size = "28";
} }
{ {
base = "169.254.16.0/20"; base = "169.254.16.0/20";
size = 28; size = "28";
} }
{ {
base = "169.254.32.0/19"; base = "169.254.32.0/19";
size = 28; size = "28";
} }
{ {
base = "169.254.64.0/18"; base = "169.254.64.0/18";
size = 28; size = "28";
} }
{ {
base = "169.254.128.0/18"; base = "169.254.128.0/18";
size = 28; size = "28";
} }
{ {
base = "169.254.192.0/19"; base = "169.254.192.0/19";
size = 28; size = "28";
} }
{ {
base = "169.254.224.0/20"; base = "169.254.224.0/20";
size = 28; size = "28";
} }
{ {
base = "169.254.240.0/21"; base = "169.254.240.0/21";
size = 28; size = "28";
} }
{ {
base = "169.254.248.0/22"; base = "169.254.248.0/22";
size = 28; size = "28";
} }
]; ];
mtu = 9000; mtu = 9000;
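Review bot: The new side turns each pool's `size = 28;` into the string `size = "28";`; when this attribute set is serialized into the daemon's JSON configuration, dockerd parses `default-address-pools[].size` as an integer, so a quoted value is likely to be rejected when the daemon starts rather than read as 28. Restoring the unquoted integer in all eleven entries, `size = 28;`, keeps the configuration loadable. The enclosing daemon settings block begins before the hunk.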


@ -100,7 +100,7 @@ in
}; };
"docker/collabora" = { "docker/collabora" = {
owner = "www-data"; owner = "www-data";
restartUnits = [ "docker-collabora-code.service" ]; restartUnits = [ "docker-collabora.service" ];
}; };
}; };
}; };
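Review bot: `restartUnits = [ "docker-collabora.service" ];` has to match the unit name NixOS generates for the container (`docker-<name>.service`), and the container definition is not part of this compare, so the rename cannot be confirmed here. If the container is still declared as `collabora-code`, the secret will be rewritten on activation but the service will keep running with the old credential. A comment such as `# must match virtualisation.oci-containers.containers.<name>` beside the list makes that coupling visible.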


@ -6,8 +6,8 @@ outdated_msg="Project code is out of date and needs to be upgraded. To remedy th
label="$1" label="$1"
label_val="$2" label_val="$2"
if (($# != 2)); then if (( $# != 2 )); then
echo "usage: $0 label label_value" echo "usage: $0 label label_value"
fi fi
containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}") containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")
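Review bot: The argument check at the top of the hunk prints the usage text but never exits, so a call with the wrong number of arguments continues into `docker ps` with an empty or partial label filter. Move the check ahead of the `label=`/`label_val=` assignments and terminate it: `echo "usage: $0 label label_value" >&2` followed by `exit 1`. The rest of the script lies outside the hunk.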


@ -12,21 +12,3 @@ command = "nixfmt"
#options = [] #options = []
# Glob pattern of files to include # Glob pattern of files to include
includes = [ "*.nix" ] includes = [ "*.nix" ]
[formatter.jsonfmt]
command = "jsonfmt"
excludes = []
includes = ["*.json"]
options = ["-w"]
[formatter.shfmt]
command = "shfmt"
excludes = []
includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"]
options = ["-i", "2", "-s", "-w"]
[formatter.yamlfmt]
command = "yamlfmt"
excludes = []
includes = ["*.yaml", "*.yml"]
options = ["-formatter","indent=4"]
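Review bot: The `[formatter.shfmt]`, `[formatter.jsonfmt]` and `[formatter.yamlfmt]` tables appear in one column only, and the hunk header (21 old lines, 3 new) says they are removed, leaving `treefmt` with the nixfmt formatter alone. If that is intended, the shell-script formatting changes spread across this diff will no longer be enforced by the formatting check; if it is not, restore the three tables.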


@ -16,7 +16,6 @@
./home/gammastep.nix ./home/gammastep.nix
./home/doom ./home/doom
./home/hypr ./home/hypr
./home/waybar.nix
./non-server.nix ./non-server.nix
]; ];


@ -8,7 +8,6 @@
{ {
xdg.configFile = { xdg.configFile = {
"hypr/hyprland.conf".source = ./hyprland.conf; "hypr/hyprland.conf".source = ./hyprland.conf;
"hypr/show-hide.sh".source = ./show-hide.sh;
}; };
imports = [ imports = [


@ -18,14 +18,14 @@
listener = [ listener = [
{ {
timeout = 150; # 2.5min. timeout = 150; # 2.5min.
on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor. on-timeout = "brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r"; # monitor backlight restore. on-resume = "brightnessctl -r"; # monitor backlight restore.
} }
# turn off keyboard backlight, comment out this section if you dont have a keyboard backlight. # turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
{ {
timeout = 150; # 2.5min. timeout = 150; # 2.5min.
on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight. on-timeout = "brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight. on-resume = "brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
} }
{ {
timeout = 300; # 5min timeout = 300; # 5min


@ -22,9 +22,6 @@ monitor=,preferred,auto,auto
# exec-once = waybar & hyprpaper & firefox # exec-once = waybar & hyprpaper & firefox
exec-once = wired & exec-once = wired &
exec-once = wired
exec-once = systemctl --user start polkit-gnome-authentication-agent-1.service
# Source a file (multi-file configs) # Source a file (multi-file configs)
# source = ~/.config/hypr/myColors.conf # source = ~/.config/hypr/myColors.conf
@ -210,7 +207,3 @@ bind = $mainMod, P, exec, bwm
# lock screen # lock screen
bind = $mainMod, L, exec, loginctl lock-session bind = $mainMod, L, exec, loginctl lock-session
# hide active window
bind = $mainMod,H,exec,/home/alice/config/hypr/hide_unhide_window.sh h
# show hide window
bind = $mainMod,I,exec,/home/alice/config/hypr/hide_unhide_window.sh s


@ -11,8 +11,7 @@
settings = { settings = {
general = { general = {
immediate_render = true; immediate_render = true;
# disabling as config doesn't exist no_fade_in = true;
#no_fade_in = true;
}; };
background = { background = {
monitor = ""; monitor = "";
@ -55,8 +54,7 @@
dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0 dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
dots_center = false; dots_center = false;
dots_rounding = -1; # -1 default circle, -2 follow input-field rounding dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
# disabling as config doesn't exist dots_fade_time = 200; # Milliseconds until a dot fully fades in
# dots_fade_time = 200; # Milliseconds until a dot fully fades in
dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default). dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
# disabling due to stylix # disabling due to stylix
# outer_color = "rgb(151515)"; # outer_color = "rgb(151515)";
@ -72,8 +70,7 @@
#fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color #fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty
fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
# disabling as config doesn't exist fail_transition = 300; # transition time in ms between normal outer_color and fail_color
#fail_transition = 300; # transition time in ms between normal outer_color and fail_color
capslock_color = -1; capslock_color = -1;
numlock_color = -1; numlock_color = -1;
bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above) bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)


@ -1,25 +0,0 @@
#!/usr/bin/env bash
stack_file="/tmp/hide_window_pid_stack.txt"
function hide_window() {
pid=$(hyprctl activewindow -j | jq '.pid')
hyprctl dispatch movetoworkspacesilent "88,pid:$pid"
echo "$pid" >>$stack_file
}
function show_window() {
pid=$(tail -1 $stack_file && sed -i '$d' $stack_file)
[ -z "$pid" ] && exit
current_workspace=$(hyprctl activeworkspace -j | jq '.id')
hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"
}
if [ -n "$1" ]; then
if [ "$1" == "h" ]; then
hide_window >>/dev/null
else
show_window >>/dev/null
fi
fi


@ -1,40 +0,0 @@
[
{
"height": 20,
"layer": "top",
"position": "top",
"output": [
"eDP-2",
"eDP-1",
"HDMI-0",
"DP-0"
],
"hyprland/workspaces": {
"active-only": true,
"all-outputs": false,
"show-special": true,
"move-to-monitor": true,
"format": "{icon} {windows}",
"format-window-separator": " ",
"format-icons": {
"1": "󰎤",
"2": "󰎧",
"3": "󰎪",
"default": "",
"empty": "󱓼",
"urgent": "󱨇"
},
"persistent-workspaces": {
"1": "HDMI-0"
},
"on-scroll-down": "hyprctl dispatch workspace e-1",
"on-scroll-up": "hyprctl dispatch workspace e+1",
"window-rewrite": {
"title<Steam>": ""
},
"window-rewrite-default": "",
"window-rewrite-separator": " ",
"sort-by": "number"
}
}
]


@ -2,6 +2,6 @@
lib.mkIf (!machineConfig.server) { lib.mkIf (!machineConfig.server) {
programs.waybar = { programs.waybar = {
enable = true; enable = true;
settings = builtins.fromJSON (builtins.readFile ./waybar.json); #settings = builtins.fromJSON (import ./waybar.json);
}; };
} }


@ -64,6 +64,5 @@
zathura zathura
obsidian obsidian
libreoffice-qt-fresh libreoffice-qt-fresh
wlr-randr
]; ];
} }


@ -8,7 +8,6 @@ alice:
attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str] attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str]
attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str] attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str] attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -42,8 +41,8 @@ sops:
ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6 ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q== 7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-18T22:08:52Z" lastmodified: "2025-01-26T04:17:36Z"
mac: ENC[AES256_GCM,data:3Hr8FyzfZvvtyusqdDOjggDGFlBwyOq2VND+/jtNbY5i5JPK+qTkamn98IKkcHSPooaIVzEAek91fZDo90mYRhCzEwfbLATmFXPHsZHUg+5nD8VzcNUWQDb2/ey4RPhzTMtXfY9v9wdIcTdBKYKSZ61puptSX8nJ2S74ag6B5AY=,iv:J+VxUvwWE496DqTsVXdlpxgkf8zGT9uDvt6RLrmc0n0=,tag:X2Qg3DDzOTBDqo+6eQPHvw==,type:str] mac: ENC[AES256_GCM,data:BJ5d3iqdIBwqtnYOYfmsFqnJDXz67uzJ4UKWrjVUEgr4Nc95tE8mEyV40poZk/wAJGJMSDdRhsPmZI4H1xztkjkTsUCUJ2rR+SZ6gP1VhSEXu7bSvv63+bnajZQi9kZrfN0EZN8TLzzVHVvSVHcNEfbq9STWkZq6zCk9E2cUfhk=,iv:MQ/lQkNi/S3bfz1PegcVfwy06RsxdQwZIU6sdOjkhgU=,tag:l5tK1SUwjTolliPkbfNDHg==,type:str]
pgp: pgp:
- created_at: "2024-09-05T06:10:22Z" - created_at: "2024-09-05T06:10:22Z"
enc: |- enc: |-
@ -58,4 +57,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330 fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.3


@ -11,16 +11,18 @@ set -e
# | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g') # | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
# retrieve all paths # retrieve all paths
nix_paths=$(nix path-info --json --all --closure-size | nix_paths=$(nix path-info --json --all --closure-size \
jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' | | jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' \
jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g') | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
readarray -t nix_path_array < <(echo "$nix_paths") readarray -t nix_path_array < <(echo "$nix_paths")
batchsize=1000 batchsize=1000
for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do for((i=0; i < ${#nix_path_array[@]}; i+=batchsize))
part=("${nix_path_array[@]:i:batchsize}") do
part=( "${nix_path_array[@]:i:batchsize}" )
attic push nix-cache "${part[@]}" attic push nix-cache "${part[@]}"
done done
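Review bot: `nix_paths` is built from a four-stage pipeline whose exit status is that of the final `sed`, so under the `set -e` shown in the hunk header a failing `nix path-info` or `jq` stage goes unnoticed and the loop quietly pushes an empty or truncated path list. Add `set -o pipefail` next to `set -e` at the top of the script (outside this hunk) so the assignment aborts when any stage fails. The `jq ... | sed` quote-stripping could also become `jq -r 'map(.key) | .[]'`, which emits one raw path per line, but that is optional.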


@ -1,8 +1,8 @@
#!/usr/bin/env bash #!/usr/bin/env bash
if (($# != 3)); then if (( $# != 3 )); then
echo "usage: $0 <cache/cache group> <cache pattern> <token type>" echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
exit 1 exit 1
fi fi
cache="$1" cache="$1"
@ -10,27 +10,27 @@ cache_pattern="$2"
token_type="$3" token_type="$3"
case $token_type in case $token_type in
"cache-creator") "cache-creator")
atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \ atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
--pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \ --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
--create-cache "$cache_pattern" --configure-cache "$cache_pattern" \ --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern" --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
;; ;;
"admin") "admin")
atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \ atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern" --configure-cache "$cache_pattern" \ --push "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern" --configure-cache-retention "$cache_pattern"
;; ;;
"writer") "writer")
atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \ atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern" --push "$cache_pattern"
;; ;;
"reader") "reader")
atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern" atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
;; ;;
*) *)
echo "invalid token type: $token_type" echo "invalid token type: $token_type"
echo "available options: cache-creator, admin, writer, reader" echo "available options: cache-creator, admin, writer, reader"
exit 1 exit 1
;; ;;
esac esac
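Review bot: `case $token_type in` leaves the selector unquoted and the script sets no `set -euo pipefail` after the shebang, so a token type containing whitespace is word-split before matching; write `case "$token_type" in` and add `set -euo pipefail` on the second line. The usage and "invalid token type" messages are printed to stdout, where they mix with the token that callers capture from `atticd-atticadm make-token`; send them to stderr with `>&2`. `--validity "1y"` is fixed for every role, including `admin` and `cache-creator`, which carry configure and destroy rights; consider an optional fourth argument such as `validity="${4:-1y}"` so high-privilege tokens can be issued with a shorter lifetime.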


@ -8,8 +8,8 @@ set -v
set -e set -e
if [ "$#" -ne 1 ]; then if [ "$#" -ne 1 ]; then
echo "$0 (pre|post)" echo "$0 (pre|post)"
exit 1 exit 1
fi fi
script_path=$(dirname "$(readlink -f $0)") script_path=$(dirname "$(readlink -f $0)")
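Review bot: `$0` is unquoted inside the `readlink -f $0` substitution, so a script path containing whitespace or glob characters breaks `script_path`; write `script_path=$(dirname "$(readlink -f "$0")")`. The usage message a few lines above also goes to stdout and belongs on stderr: `echo "$0 (pre|post)" >&2`. The script continues past the hunk.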


@ -14,10 +14,10 @@ parent_path=$(dirname "$script_path")
# relpath is the relative path to the parent_path where you want the file written # relpath is the relative path to the parent_path where you want the file written
# format: <image name>,<image tag>,<image architecture>,<os>,<relpath> # format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
images=( images=(
"nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix" "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
) )
IFS="," IFS=","
while read -r name tag arch os relpath; do while read -r name tag arch os relpath; do
nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath" nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet > "$parent_path/$relpath"
git --no-pager diff "$parent_path/$relpath" git --no-pager diff "$parent_path/$relpath"
done <<<"${images[@]}" done<<< "${images[@]}"
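Review bot: The loop feeds `"${images[@]}"` through a here-string, which joins the array elements into one space-separated line, so only the first entry parses correctly and a second image would be appended to the first entry's `relpath` field. Feed one element per line instead, `done < <(printf '%s\n' "${images[@]}")`, and scope the separator to the read with `while IFS=, read -r name tag arch os relpath; do` rather than the global `IFS=","` that persists for the rest of the script. It works today only because the array holds a single entry.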


@ -2,10 +2,7 @@
# Rename CLI parameters to friendlier names # Rename CLI parameters to friendlier names
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1" base="$1"; local_="$2"; remote="$3"; merged="$4"
local_="$2"
remote="$3"
merged="$4"
# Load the mergetool scripts # Load the mergetool scripts
TOOL_MODE=merge TOOL_MODE=merge
@ -23,7 +20,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}" backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files # If anything goes wrong, then delete our decrypted files
handle_trap_exit() { handle_trap_exit () {
rm $base_decrypted || true rm $base_decrypted || true
rm $local_decrypted || true rm $local_decrypted || true
rm $remote_decrypted || true rm $remote_decrypted || true
@ -33,12 +30,12 @@ handle_trap_exit() {
trap handle_trap_exit EXIT trap handle_trap_exit EXIT
# Decrypt our file contents # Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted" sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted" sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted" sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
# Create a merge-diff to compare against # Create a merge-diff to compare against
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted" git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
cp "$merged_decrypted" "$backup_decrypted" cp "$merged_decrypted" "$backup_decrypted"
# Set up variables for the mergetool # Set up variables for the mergetool
@ -51,7 +48,7 @@ MERGED="$merged_decrypted"
BACKUP="$backup_decrypted" BACKUP="$backup_decrypted"
# Override `check_unchanged` with a custom script # Override `check_unchanged` with a custom script
check_unchanged() { check_unchanged () {
# If the contents haven't changed, then fail # If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then if test "$MERGED" -nt "$BACKUP"; then
return 0 return 0
@ -64,4 +61,5 @@ check_unchanged() {
run_merge_tool "${mergetool}" true run_merge_tool "${mergetool}" true
# Re-encrypt content # Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged" sops --encrypt "$merged_decrypted" > "$merged"
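Review bot: The plaintext produced by the three `sops --decrypt` redirections is written with whatever umask the git invocation inherits, so the decrypted secrets may be readable by other local users until `handle_trap_exit` runs; set `umask 077` before the first redirection (the `*_decrypted` paths are defined outside the hunk, so confirm they are not already created under a private directory). In `handle_trap_exit` the `rm $base_decrypted || true` lines expand the paths unquoted; write `rm -f -- "$base_decrypted"` and the same for the other three. The second merge-driver script later in this diff repeats both patterns.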


@ -6,10 +6,7 @@ set -x
# Rename our variables to friendlier equivalents # Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1" base="$1"; local_="$2"; remote="$3"; merged="$4"
local_="$2"
remote="$3"
merged="$4"
echo "$base" echo "$base"
echo "$local_" echo "$local_"
@ -21,7 +18,7 @@ echo "$merged"
mergetool="$(git config --get merge.tool)" mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)" GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then if test "$mergetool" = ""; then
echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2 echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
exit 1 exit 1
fi fi
@ -35,7 +32,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}" backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files # If anything goes wrong, then delete our decrypted files
handle_trap_exit() { handle_trap_exit () {
rm $base_decrypted || true rm $base_decrypted || true
rm $local_decrypted || true rm $local_decrypted || true
rm $remote_decrypted || true rm $remote_decrypted || true
@ -45,13 +42,13 @@ handle_trap_exit() {
trap handle_trap_exit EXIT trap handle_trap_exit EXIT
# Decrypt our file contents # Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted" sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted" sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted" sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
# Create a merge-diff to compare against # Create a merge-diff to compare against
set +e set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted" git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
set -e set -e
cp "$merged_decrypted" "$backup_decrypted" cp "$merged_decrypted" "$backup_decrypted"
@ -69,7 +66,7 @@ source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool" source "$GIT_DIR/mergetools/$mergetool"
# Override `check_unchanged` with a custom script # Override `check_unchanged` with a custom script
check_unchanged() { check_unchanged () {
# If the contents haven't changed, then fail # If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then if test "$MERGED" -nt "$BACKUP"; then
return 0 return 0
@ -85,4 +82,5 @@ merge_cmd
set -eu set -eu
# Re-encrypt content # Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged" sops --encrypt "$merged_decrypted" > "$merged"