From 8294dbdd0b56e21bb1699069097117c6d0eef225 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Thu, 13 Mar 2025 17:43:41 -0400
Subject: [PATCH 1/8] add waybar
---
 shell.nix | 4 +++
 systems/artemision/programs.nix | 1 +
 users/alice/home.nix | 1 +
 users/alice/home/hypr/default.nix | 1 +
 users/alice/home/hypr/hyprland.conf | 7 +++++
 users/alice/home/hypr/show-hide.sh | 25 ++++++++++++++++++
 users/alice/home/waybar.json | 40 +++++++++++++++++++++++++++++
 users/alice/home/waybar.nix | 2 +-
 users/alice/non-server.nix | 1 +
 9 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 users/alice/home/hypr/show-hide.sh
 create mode 100644 users/alice/home/waybar.json
diff --git a/shell.nix b/shell.nix
index d39ff96..604d119 100644
--- a/shell.nix
+++ b/shell.nix
@@ -45,6 +45,10 @@ forEachSystem (
 treefmt
 statix
 nixfmt-rfc-style
+ jsonfmt
+ mdformat
+ shfmt
+ yamlfmt
 ];
 };
 in
diff --git a/systems/artemision/programs.nix b/systems/artemision/programs.nix
index 9366934..217e5cc 100644
--- a/systems/artemision/programs.nix
+++ b/systems/artemision/programs.nix
@@ -42,6 +42,7 @@
 kitty
 kubectl
 kubernetes-helm
+ libreoffice-fresh
 libtool
 lsof
 lynis
diff --git a/users/alice/home.nix b/users/alice/home.nix
index 237ef68..330cae1 100644
--- a/users/alice/home.nix
+++ b/users/alice/home.nix
@@ -16,6 +16,7 @@
 ./home/gammastep.nix
 ./home/doom
 ./home/hypr
+ ./home/waybar.nix
 ./non-server.nix
 ];
diff --git a/users/alice/home/hypr/default.nix b/users/alice/home/hypr/default.nix
index 04280e6..6fbb2ed 100644
--- a/users/alice/home/hypr/default.nix
+++ b/users/alice/home/hypr/default.nix
@@ -8,6 +8,7 @@
 {
 xdg.configFile = {
 "hypr/hyprland.conf".source = ./hyprland.conf;
+ "hypr/show-hide.sh".source = ./show-hide.sh;
 };
 imports = [
diff --git a/users/alice/home/hypr/hyprland.conf b/users/alice/home/hypr/hyprland.conf
index 095df5e..a5dd1ff 100644
--- a/users/alice/home/hypr/hyprland.conf
+++ b/users/alice/home/hypr/hyprland.conf
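Review bot: The diffstat records show-hide.sh as `create mode 100644`, so as far as this patch shows the copy that `"hypr/show-hide.sh".source = ./show-hide.sh;` links into `~/.config/hypr/` carries no execute bit, and a keybinding that `exec`s it by path will be refused. Either commit the script as 100755 (`git update-index --chmod=+x users/alice/home/hypr/show-hide.sh`) or set the bit explicitly in this entry: `"hypr/show-hide.sh" = { source = ./show-hide.sh; executable = true; };`. The `xdg.configFile` attrset is fully inside the hunk, but the module it belongs to continues outside it.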
@@ -22,6 +22,9 @@ monitor=,preferred,auto,auto
 # exec-once = waybar & hyprpaper & firefox
 exec-once = wired &
+exec-once = wired
+exec-once = systemctl --user start polkit-gnome-authentication-agent-1.service
+
 # Source a file (multi-file configs)
 # source = ~/.config/hypr/myColors.conf
@@ -207,3 +210,7 @@ bind = $mainMod, P, exec, bwm
 # lock screen
 bind = $mainMod, L, exec, loginctl lock-session
+# hide active window
+bind = $mainMod,H,exec,/home/alice/config/hypr/hide_unhide_window.sh h
+# show hide window
+bind = $mainMod,I,exec,/home/alice/config/hypr/hide_unhide_window.sh s
diff --git a/users/alice/home/hypr/show-hide.sh b/users/alice/home/hypr/show-hide.sh
new file mode 100644
index 0000000..ecbf6c1
--- /dev/null
+++ b/users/alice/home/hypr/show-hide.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+stack_file="/tmp/hide_window_pid_stack.txt"
+
+function hide_window() {
+ pid=$(hyprctl activewindow -j | jq '.pid')
+ hyprctl dispatch movetoworkspacesilent "88,pid:$pid"
+ echo "$pid" >>$stack_file
+}
+
+function show_window() {
+ pid=$(tail -1 $stack_file && sed -i '$d' $stack_file)
+ [ -z "$pid" ] && exit
+
+ current_workspace=$(hyprctl activeworkspace -j | jq '.id')
+ hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"
+}
+
+if [ -n "$1" ]; then
+ if [ "$1" == "h" ]; then
+ hide_window >>/dev/null
+ else
+ show_window >>/dev/null
+ fi
+fi
diff --git a/users/alice/home/waybar.json b/users/alice/home/waybar.json
new file mode 100644
index 0000000..759372e
--- /dev/null
+++ b/users/alice/home/waybar.json
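Review bot: The added `exec-once = wired` sits directly under the existing context line `exec-once = wired &`, so wired is launched twice at every session start. Keep one of the two; if the intent was to stop backgrounding it with `&`, replace the old line instead of adding a second one. The new polkit line also assumes `polkit-gnome-authentication-agent-1.service` exists as a user unit somewhere else in this configuration, which the hunk does not show.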
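Review bot: Both new binds execute `/home/alice/config/hypr/hide_unhide_window.sh`, but the script this commit ships is installed by `xdg.configFile` as `hypr/show-hide.sh`, i.e. `~/.config/hypr/show-hide.sh` (the bind is missing the dot and uses a different file name), so neither key will find it. Point them at the installed path and drop the hard-coded home directory, e.g. `bind = $mainMod,H,exec,~/.config/hypr/show-hide.sh h` and `bind = $mainMod,I,exec,~/.config/hypr/show-hide.sh s`; Hyprland hands `exec` commands to a shell, so `~` should expand, but confirm that against your Hyprland version. The comment `# show hide window` reads as a typo for "show hidden window".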
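Review bot: `stack_file` is a fixed, predictable name in world-writable `/tmp`, and the script has no defence of its own against another local user pre-creating or populating that file: `echo "$pid" >>$stack_file` appends to whatever is there, and `show_window` trusts the popped line and splices it straight into `hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"` (how much of this the kernel's protected_regular/protected_symlinks sysctls blunt depends on the host, which the patch does not show). Keep the stack under the per-user runtime directory and validate what comes back: `stack_file="${XDG_RUNTIME_DIR:-/tmp}/hide_window_pid_stack.txt"` and, in place of the emptiness check, `[[ "$pid" =~ ^[0-9]+$ ]] || exit 1`. Quoting `"$stack_file"` in the tail, sed and redirect lines and opening with `set -u` closes the remaining word-splitting gaps; note that `>>/dev/null` at the bottom only hides stdout, so a missing stack file still prints tail's error to stderr on the first show.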
@@ -0,0 +1,40 @@
+[
+ {
+ "height": 20,
+ "layer": "top",
+ "position": "top",
+ "output": [
+ "eDP-2",
+ "eDP-1",
+ "HDMI-0",
+ "DP-0"
+ ],
+ "hyprland/workspaces": {
+ "active-only": true,
+ "all-outputs": false,
+ "show-special": true,
+ "move-to-monitor": true,
+ "format": "{icon} {windows}",
+ "format-window-separator": " ",
+ "format-icons": {
+ "1": "󰎤",
+ "2": "󰎧",
+ "3": "󰎪",
+ "default": "",
+ "empty": "󱓼",
+ "urgent": "󱨇"
+ },
+ "persistent-workspaces": {
+ "1": "HDMI-0"
+ },
+ "on-scroll-down": "hyprctl dispatch workspace e-1",
+ "on-scroll-up": "hyprctl dispatch workspace e+1",
+ "window-rewrite": {
+ "title": ""
+ },
+ "window-rewrite-default": "",
+ "window-rewrite-separator": " ",
+ "sort-by": "number"
+ }
+ }
+]
diff --git a/users/alice/home/waybar.nix b/users/alice/home/waybar.nix
index 77d6d11..fa9e333 100644
--- a/users/alice/home/waybar.nix
+++ b/users/alice/home/waybar.nix
@@ -2,6 +2,6 @@
 lib.mkIf (!machineConfig.server) {
 programs.waybar = {
 enable = true;
- #settings = builtins.fromJSON (import ./waybar.json);
+ settings = builtins.fromJSON (builtins.readFile ./waybar.json);
 };
 }
diff --git a/users/alice/non-server.nix b/users/alice/non-server.nix
index aa7ab1d..891cac2 100644
--- a/users/alice/non-server.nix
+++ b/users/alice/non-server.nix
@@ -64,5 +64,6 @@
 zathura
 obsidian
 libreoffice-qt-fresh
+ wlr-randr
 ];
 }
-- 
2.48.1
From 02b8a6bc6c407c3ff91a01b5e2bd8e692367b4cd Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Thu, 13 Mar 2025 17:50:03 -0400
Subject: [PATCH 2/8] format json/yml/sh
---
 .github/settings.yml | 331 +++++++++----------
 .github/workflows/flake-health-checks.yml | 89 +++--
 .github/workflows/flake-update.yml | 206 ++++++------
 .github/workflows/lock-health-checks.yml | 27 +-
 .github/workflows/nix-fmt.yml | 45 ++-
 .sops.yaml | 79 +++--
 .vscode/settings.json | 4 +-
 docs/CONTRIBUTING.md | 18 +-
 docs/sample-setup.sh | 120 ++++--
 systems/palatine-hill/attic/sync-attic.bash | 4 +-
 systems/palatine-hill/docker/watchtower.bash | 4 +-
 treefmt.toml | 18 +
 utils/attic-push.bash | 14 +-
 utils/attic-token.bash | 52 +--
 utils/eval-to-drv.sh | 4 +-
 utils/fetch-docker.sh | 8 +-
 utils/manual-update.sh | 2 +-
 utils/sops-mergetool-new.sh | 20 +-
 utils/sops-mergetool.sh | 22 +-
 19 files changed, 522 insertions(+), 545 deletions(-)
diff --git a/.github/settings.yml b/.github/settings.yml
index 77ccdea..d341abd 100644
--- a/.github/settings.yml
+++ b/.github/settings.yml
@@ -1,204 +1,173 @@ # Have borrowed this config from nix-community/infra repository: - # See https://developer.github.com/v3/repos/#edit for all available settings. + # See https://developer.github.com/v3/repos/#edit for all available settings. - # The name of the repository. Changing this will rename the repository - name: nix-dotfiles - - # A short description of the repository that will show up on GitHub - description: RAD-Dev Infra - - # A URL with more information about the repository - # homepage: "https://nix-community.org" - - # A comma-separated list of topics to set on the repository - topics: "nixos" - - # Either `true` to make the repository private, or `false` to make it public. - private: false - - # Either `true` to enable issues for this repository, `false` to disable them. - has_issues: true - - # Either `true` to enable projects for this repository, or `false` to disable them. - # If projects are disabled for the organization, passing `true` will cause an API error. - has_projects: true - - # Either `true` to enable the wiki for this repository, `false` to disable it. - has_wiki: false - - # Either `true` to enable downloads for this repository, `false` to disable them. - has_downloads: false - - # Updates the default branch for this repository. - default_branch: main - - # Either `true` to allow squash-merging pull requests, or `false` to prevent - # squash-merging. - allow_squash_merge: true - - # Either `true` to allow merging pull requests with a merge commit, or `false` - # to prevent merging pull requests with merge commits. - allow_merge_commit: false - - # Either `true` to allow rebase-merging pull requests, or `false` to prevent - # rebase-merging. - allow_rebase_merge: true - - # Either `true` to enable automatic deletion of branches on merge, or `false` to disable - delete_branch_on_merge: true - - # Either `true` to enable automated security fixes, or `false` to disable - # automated security fixes. 
- enable_automated_security_fixes: true - - # Either `true` to enable vulnerability alerts, or `false` to disable - # vulnerability alerts. - enable_vulnerability_alerts: true - - allow_auto_merge: true + # The name of the repository. Changing this will rename the repository + name: nix-dotfiles + # A short description of the repository that will show up on GitHub + description: RAD-Dev Infra + # A URL with more information about the repository + # homepage: "https://nix-community.org" + # A comma-separated list of topics to set on the repository + topics: "nixos" + # Either `true` to make the repository private, or `false` to make it public. + private: false + # Either `true` to enable issues for this repository, `false` to disable them. + has_issues: true + # Either `true` to enable projects for this repository, or `false` to disable them. + # If projects are disabled for the organization, passing `true` will cause an API error. + has_projects: true + # Either `true` to enable the wiki for this repository, `false` to disable it. + has_wiki: false + # Either `true` to enable downloads for this repository, `false` to disable them. + has_downloads: false + # Updates the default branch for this repository. + default_branch: main + # Either `true` to allow squash-merging pull requests, or `false` to prevent + # squash-merging. + allow_squash_merge: true + # Either `true` to allow merging pull requests with a merge commit, or `false` + # to prevent merging pull requests with merge commits. + allow_merge_commit: false + # Either `true` to allow rebase-merging pull requests, or `false` to prevent + # rebase-merging. + allow_rebase_merge: true + # Either `true` to enable automatic deletion of branches on merge, or `false` to disable + delete_branch_on_merge: true + # Either `true` to enable automated security fixes, or `false` to disable + # automated security fixes. 
+ enable_automated_security_fixes: true + # Either `true` to enable vulnerability alerts, or `false` to disable + # vulnerability alerts. + enable_vulnerability_alerts: true + allow_auto_merge: true # Labels: define labels for Issues and Pull Requests # labels: - - name: bug - color: '#d73a4a' - description: Something isn't working - - name: CI/CD - # If including a `#`, make sure to wrap it with quotes! - color: '#0e8a16' - description: Related to GH Actions or Hydra - - name: documentation - color: '#0075ca' - description: Improvements or additions to documentation - - name: duplicate - color: '#cfd3d7' - description: This issue or pull request already exists - - name: enhancement - color: '#a2eeef' - description: New feature or request - - name: good first issue - color: '#7057ff' - description: Good for newcomers - - name: help wanted - color: '#008672' - description: Extra attention is needed - - name: high priority - color: '#BF480A' - description: A major vurnability was detected - - name: invalid - color: '#e4e669' - description: This doesn't seem right - - name: new user - color: '#C302A1' - description: A new user was added to the Flake - - name: question - color: '#d876e3' - description: Further information is requested - - name: wontfix - color: '#ffffff' - description: This will not be worked on - - name: dependencies - color: '#cb4ed5' - description: Used for PR's related to flake.lock updates - - name: automated - color: '#42b528' - description: PR was automatically generated (through a bot or CI/CD) - + - name: bug + color: '#d73a4a' + description: Something isn't working + - name: CI/CD + # If including a `#`, make sure to wrap it with quotes! 
+ color: '#0e8a16' + description: Related to GH Actions or Hydra + - name: documentation + color: '#0075ca' + description: Improvements or additions to documentation + - name: duplicate + color: '#cfd3d7' + description: This issue or pull request already exists + - name: enhancement + color: '#a2eeef' + description: New feature or request + - name: good first issue + color: '#7057ff' + description: Good for newcomers + - name: help wanted + color: '#008672' + description: Extra attention is needed + - name: high priority + color: '#BF480A' + description: A major vurnability was detected + - name: invalid + color: '#e4e669' + description: This doesn't seem right + - name: new user + color: '#C302A1' + description: A new user was added to the Flake + - name: question + color: '#d876e3' + description: Further information is requested + - name: wontfix + color: '#ffffff' + description: This will not be worked on + - name: dependencies + color: '#cb4ed5' + description: Used for PR's related to flake.lock updates + - name: automated + color: '#42b528' + description: PR was automatically generated (through a bot or CI/CD) # Milestones: define milestones for Issues and Pull Requests milestones: - - title: Go-Live - description: >- - All requirements for official go-live: - - Automated testing via Hydra/Actions - - Automated deployments via Hydra/Actions - - 90+% testing coverage - - Functional formatter with custom rules - - palatine-hill is fully stable, enough so that jeeves can be migrated - # The state of the milestone. 
Either `open` or `closed` - state: open - - title: Jeeves Migration - description: >- - Test common use-cases for Jeeves - - Quadro GPU support - - Multi-GPU support - - Plex support - - Docker support - - ZFS support - - + - title: Go-Live + description: >- + All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated + # The state of the milestone. Either `open` or `closed` + state: open + - title: Jeeves Migration + description: >- + Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support # Collaborators: give specific users access to this repository. # See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options collaborators: - # - username: numtide-bot - # Note: `permission` is only valid on organization-owned repositories. - # The permission to grant the collaborator. Can be one of: - # * `pull` - can pull, but not push to or administer this repository. - # * `push` - can pull and push, but not administer this repository. - # * `admin` - can pull, push and administer this repository. - # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. - # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. - # permission: push +# - username: numtide-bot +# Note: `permission` is only valid on organization-owned repositories. +# The permission to grant the collaborator. Can be one of: +# * `pull` - can pull, but not push to or administer this repository. +# * `push` - can pull and push, but not administer this repository. +# * `admin` - can pull, push and administer this repository. 
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. +# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. +# permission: push # See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options teams: - # - name: admin - # The permission to grant the team. Can be one of: - # * `pull` - can pull, but not push to or administer this repository. - # * `push` - can pull and push, but not administer this repository. - # * `admin` - can pull, push and administer this repository. - # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. - # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. - # permission: admin - +# - name: admin +# The permission to grant the team. Can be one of: +# * `pull` - can pull, but not push to or administer this repository. +# * `push` - can pull and push, but not administer this repository. +# * `admin` - can pull, push and administer this repository. +# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions. +# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access. 
+# permission: admin branches: - # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection + # gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection - # not available in the api yet - # `Require merge queue`: true - # `Merge method`: Rebase and merge - # `Maximum pull requests to build`: 1 - # `Maximum pull requests to merge`: 1 - # defaults: - # `Maximum pull requests to build`: 5 - # `Minimum pull requests to merge`: 1 or 5 minutes - # `Maximum pull requests to merge`: 5 - # `Only merge non-failing pull requests`: true - # `Consider check failed after`: 60 minutes + # not available in the api yet + # `Require merge queue`: true + # `Merge method`: Rebase and merge + # `Maximum pull requests to build`: 1 + # `Maximum pull requests to merge`: 1 + # defaults: + # `Maximum pull requests to build`: 5 + # `Minimum pull requests to merge`: 1 or 5 minutes + # `Maximum pull requests to merge`: 5 + # `Only merge non-failing pull requests`: true + # `Consider check failed after`: 60 minutes + - name: main + # https://docs.github.com/en/rest/reference/repos#update-branch-protection + # Branch Protection settings. Set to null to disable + protection: + # Required. Require at least one approving review on a pull request, before merging. Set to null to disable. - - name: main - # https://docs.github.com/en/rest/reference/repos#update-branch-protection - # Branch Protection settings. Set to null to disable - protection: - # Required. Require at least one approving review on a pull request, before merging. Set to null to disable. - - # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions - required_pull_request_reviews: - # # The number of approvals required. 
(1-6) - required_approving_review_count: 1 - # # Dismiss approved reviews automatically when a new commit is pushed. - dismiss_stale_reviews: true - # # Blocks merge until code owners have reviewed. - require_code_owner_reviews: false - # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories. - # dismissal_restrictions: - # users: [] - # teams: [] - require_last_push_approval: false - # Required. Require status checks to pass before merging. Set to null to disable - # required_status_checks: + # these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions + required_pull_request_reviews: + # # The number of approvals required. (1-6) + required_approving_review_count: 1 + # # Dismiss approved reviews automatically when a new commit is pushed. + dismiss_stale_reviews: true + # # Blocks merge until code owners have reviewed. + require_code_owner_reviews: false + # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories. + # dismissal_restrictions: + # users: [] + # teams: [] + require_last_push_approval: false + # Required. Require status checks to pass before merging. Set to null to disable + # required_status_checks: # Required. Require branches to be up to date before merging. # strict: false # Required. The list of status checks to require in order to merge into this branch # contexts: # - buildbot/nix-eval - # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable. 
- enforce_admins: true - # Disabled for bors to work - required_linear_history: true - # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable. - restrictions: - apps: [] - # TODO: make a buildbot instance - # users: ["nix-infra-bot"] - teams: [] + # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable. + enforce_admins: true + # Disabled for bors to work + required_linear_history: true + # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable. + restrictions: + apps: [] + # TODO: make a buildbot instance + # users: ["nix-infra-bot"] + teams: [] diff --git a/.github/workflows/flake-health-checks.yml b/.github/workflows/flake-health-checks.yml index 4035df0..c0cea76 100644 --- a/.github/workflows/flake-health-checks.yml +++ b/.github/workflows/flake-health-checks.yml 
@@ -1,48 +1,47 @@ name: "Check Nix flake" on: - push: - branches: ["main"] - pull_request: - branches: ["main"] - merge_group: - + push: + branches: ["main"] + pull_request: + branches: ["main"] + merge_group: jobs: - health-check: - name: "Perform Nix flake checks" - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-latest] - steps: - - uses: DeterminateSystems/nix-installer-action@main - - name: Setup Attic cache - uses: ryanccn/attic-action@v0 - with: - endpoint: ${{ secrets.ATTIC_ENDPOINT }} - cache: ${{ secrets.ATTIC_CACHE }} - token: ${{ secrets.ATTIC_TOKEN }} - skip-push: "true" - - uses: actions/checkout@v4 - - run: nix flake check --accept-flake-config - - run: nix ./utils/attic-push.bash - build-checks: - name: "Build nix outputs" - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-latest] - steps: - - uses: DeterminateSystems/nix-installer-action@main - - name: Setup Attic cache - uses: ryanccn/attic-action@v0 - with: - endpoint: ${{ secrets.ATTIC_ENDPOINT }} - cache: ${{ secrets.ATTIC_CACHE }} - token: ${{ secrets.ATTIC_TOKEN }} - skip-push: "true" - - uses: actions/checkout@v4 - - name: Build all outputs - run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build . 
- - name: Push to Attic - run: nix ./utils/attic-push.bash - continue-on-error: true + health-check: + name: "Perform Nix flake checks" + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [ubuntu-latest] + steps: + - uses: DeterminateSystems/nix-installer-action@main + - name: Setup Attic cache + uses: ryanccn/attic-action@v0 + with: + endpoint: ${{ secrets.ATTIC_ENDPOINT }} + cache: ${{ secrets.ATTIC_CACHE }} + token: ${{ secrets.ATTIC_TOKEN }} + skip-push: "true" + - uses: actions/checkout@v4 + - run: nix flake check --accept-flake-config + - run: nix ./utils/attic-push.bash + build-checks: + name: "Build nix outputs" + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [ubuntu-latest] + steps: + - uses: DeterminateSystems/nix-installer-action@main + - name: Setup Attic cache + uses: ryanccn/attic-action@v0 + with: + endpoint: ${{ secrets.ATTIC_ENDPOINT }} + cache: ${{ secrets.ATTIC_CACHE }} + token: ${{ secrets.ATTIC_TOKEN }} + skip-push: "true" + - uses: actions/checkout@v4 + - name: Build all outputs + run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build . + - name: Push to Attic + run: nix ./utils/attic-push.bash + continue-on-error: true diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml index 1d2127f..b50bb41 100644 --- a/.github/workflows/flake-update.yml +++ b/.github/workflows/flake-update.yml 
@@ -1,116 +1,112 @@ name: "Update flakes" on: - repository_dispatch: - workflow_dispatch: - schedule: - - cron: "00 12 * * *" + repository_dispatch: + workflow_dispatch: + schedule: + - cron: "00 12 * * *" jobs: - update_lockfile: - runs-on: ubuntu-latest - #if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Install nix - uses: https://github.com/DeterminateSystems/nix-installer-action@main - - name: Setup Attic cache - uses: ryanccn/attic-action@v0 - with: - endpoint: ${{ secrets.ATTIC_ENDPOINT }} - cache: ${{ secrets.ATTIC_CACHE }} - token: ${{ secrets.ATTIC_TOKEN }} - skip-push: "true" - - name: Get pre-snapshot of evaluations - run: nix ./utils/eval-to-drv.sh pre - - name: Update flake.lock - id: update - run: | - nix flake update 2> >(tee /dev/stderr) | awk ' - /^• Updated input/ {in_update = 1; print; next} - in_update && !/^warning:/ {print} - /^$/ {in_update = 0} - ' > update.log + update_lockfile: + runs-on: ubuntu-latest + #if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Install nix + uses: https://github.com/DeterminateSystems/nix-installer-action@main + - name: Setup Attic cache + uses: ryanccn/attic-action@v0 + with: + endpoint: ${{ secrets.ATTIC_ENDPOINT }} + cache: ${{ secrets.ATTIC_CACHE }} + token: ${{ secrets.ATTIC_TOKEN }} + skip-push: "true" + - name: Get pre-snapshot of evaluations + run: nix ./utils/eval-to-drv.sh pre + - name: Update flake.lock + id: update + run: | + nix flake update 2> >(tee /dev/stderr) | awk ' + /^• Updated input/ {in_update = 1; print; next} + in_update && !/^warning:/ {print} + /^$/ {in_update = 0} + ' > update.log - echo "UPDATE_LOG<> $GITHUB_ENV - cat update.log >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV + echo "UPDATE_LOG<> $GITHUB_ENV + cat update.log >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV - rm 
update.log - - name: Get post-snapshot of evaluations - run: nix ./utils/eval-to-drv.sh post - - name: Calculate diff - run: nix ./utils/diff-evals.sh - - name: Read file contents - id: read_file - uses: guibranco/github-file-reader-action-v2@latest - with: - path: "post-diff" - - name: Write PR body template - uses: https://github.com/DamianReeves/write-file-action@v1.3 - with: - path: pr_body.template - contents: | - - The following Nix Flake inputs were updated: + rm update.log + - name: Get post-snapshot of evaluations + run: nix ./utils/eval-to-drv.sh post + - name: Calculate diff + run: nix ./utils/diff-evals.sh + - name: Read file contents + id: read_file + uses: guibranco/github-file-reader-action-v2@latest + with: + path: "post-diff" + - name: Write PR body template + uses: https://github.com/DamianReeves/write-file-action@v1.3 + with: + path: pr_body.template + contents: | + - The following Nix Flake inputs were updated: - ``` - ${{ env.UPDATE_LOG }} - ``` + ``` + ${{ env.UPDATE_LOG }} + ``` - ``` - ${{ steps.read_file.outputs.contents }} - ``` + ``` + ${{ steps.read_file.outputs.contents }} + ``` - Auto-generated by [update.yml][1] with the help of - [create-pull-request][2]. + Auto-generated by [update.yml][1] with the help of + [create-pull-request][2]. 
- [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml - [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request + [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml + [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request + - name: Generate PR body + uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0 + with: + files: "pr_body.template" + output-filename: "pr_body.md" + - name: Save PR body + id: pr_body + uses: juliangruber/read-file-action@v1 + with: + path: "pr_body.md" + - name: Remove temporary files + run: | + rm pr_body.template + rm pr_body.md + rm pre.json + rm post.json + rm post-diff + - name: Create Pull Request + id: create-pull-request + # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645 + uses: https://nayeonie.com/ahuston-0/create-pull-request@main + with: + token: ${{ secrets.GH_TOKEN_FOR_UPDATES }} + body: ${{ steps.pr_body.outputs.content }} + author: '"github-actions[bot]" ' + title: 'automated: Update `flake.lock`' + commit-message: | + automated: Update `flake.lock` - - name: Generate PR body - uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0 - with: - files: "pr_body.template" - output-filename: "pr_body.md" - - name: Save PR body - id: pr_body - uses: juliangruber/read-file-action@v1 - with: - path: "pr_body.md" - - - name: Remove temporary files - run: | - rm pr_body.template - rm pr_body.md - rm pre.json - rm post.json - rm post-diff - - - name: Create Pull Request - id: create-pull-request - # uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645 - uses: https://nayeonie.com/ahuston-0/create-pull-request@main - with: - token: ${{ secrets.GH_TOKEN_FOR_UPDATES }} - body: ${{ steps.pr_body.outputs.content }} - author: '"github-actions[bot]" ' - title: 'automated: Update `flake.lock`' - commit-message: | - automated: Update `flake.lock` - 
- ${{ steps.pr_body.outputs.content }} - - branch: update-flake-lock - delete-branch: true - pr-labels: | # Labels to be set on the PR - dependencies - automated - - name: Push to Attic - run: nix ./utils/attic-push.bash - continue-on-error: true - - name: Print PR number - run: | - echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}." - echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" + ${{ steps.pr_body.outputs.content }} + branch: update-flake-lock + delete-branch: true + pr-labels: | # Labels to be set on the PR + dependencies + automated + - name: Push to Attic + run: nix ./utils/attic-push.bash + continue-on-error: true + - name: Print PR number + run: | + echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}." + echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" permissions: - pull-requests: write - contents: write + pull-requests: write + contents: write diff --git a/.github/workflows/lock-health-checks.yml b/.github/workflows/lock-health-checks.yml index 360b2a4..38734e2 100644 --- a/.github/workflows/lock-health-checks.yml +++ b/.github/workflows/lock-health-checks.yml @@ -1,17 +1,16 @@ name: "Check flake.lock" on: - push: - branches: ["main"] - pull_request: - branches: ["main"] - merge_group: - + push: + branches: ["main"] + pull_request: + branches: ["main"] + merge_group: jobs: - health-check: - name: "Check health of `flake.lock`" - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/flake-checker-action@main - with: - fail-mode: true + health-check: + name: "Check health of `flake.lock`" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: DeterminateSystems/flake-checker-action@main + with: + fail-mode: true diff --git a/.github/workflows/nix-fmt.yml b/.github/workflows/nix-fmt.yml index 189148d..f94cbea 100644 --- a/.github/workflows/nix-fmt.yml +++ b/.github/workflows/nix-fmt.yml 
@@ -1,26 +1,25 @@ name: "Check Nix formatting" on: - push: - branches: ["main"] - pull_request: - branches: ["main"] - merge_group: - + push: + branches: ["main"] + pull_request: + branches: ["main"] + merge_group: jobs: - health-check: - name: "Perform Nix format checks" - runs-on: ubuntu-latest - steps: - - uses: DeterminateSystems/nix-installer-action@main - - name: Setup Attic cache - uses: ryanccn/attic-action@v0 - with: - endpoint: ${{ secrets.ATTIC_ENDPOINT }} - cache: ${{ secrets.ATTIC_CACHE }} - token: ${{ secrets.ATTIC_TOKEN }} - skip-push: "true" - - uses: actions/checkout@v4 - - run: nix fmt -- --check . - - name: Push to Attic - run: nix ./utils/attic-push.bash - continue-on-error: true + health-check: + name: "Perform Nix format checks" + runs-on: ubuntu-latest + steps: + - uses: DeterminateSystems/nix-installer-action@main + - name: Setup Attic cache + uses: ryanccn/attic-action@v0 + with: + endpoint: ${{ secrets.ATTIC_ENDPOINT }} + cache: ${{ secrets.ATTIC_CACHE }} + token: ${{ secrets.ATTIC_TOKEN }} + skip-push: "true" + - uses: actions/checkout@v4 + - run: nix fmt -- --check . + - name: Push to Attic + run: nix ./utils/attic-push.bash + continue-on-error: true diff --git a/.sops.yaml b/.sops.yaml index 6df52aa..332a93d 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -1,51 +1,46 @@ keys: - # The PGP keys in keys/ - - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330 - - # Generate AGE keys from SSH keys with: - # ssh-keygen -A - # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' - # cspell:disable - - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2 - - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc + # The PGP keys in keys/ + - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330 + # Generate AGE keys from SSH keys with: + # ssh-keygen -A + # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' + # cspell:disable + - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2 + - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej - - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh - # cspell:enable - + - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh + # cspell:enable servers: &servers - - *palatine-hill - + - *palatine-hill # add new users by executing: sops users//secrets.yaml # then have someone already in the repo run the below # # update keys by executing: sops updatekeys secrets.yaml # note: add .* before \.yaml if you'd like to use the mergetool config creation_rules: - - path_regex: users/alice/secrets.*\.yaml$ - key_groups: - - pgp: - - *admin_alice - age: - - *palatine-hill - - *artemision - - *artemision-home - - - path_regex: systems/palatine-hill/secrets.*\.yaml$ - key_groups: - - pgp: - - *admin_alice - age: - - *palatine-hill - - - path_regex: systems/artemision/secrets.*\.yaml$ - key_groups: - - pgp: - - *admin_alice - age: - - *artemision - - path_regex: systems/palatine-hill/docker/wg/.*\.conf$ - key_groups: - - pgp: - - *admin_alice - age: - - *palatine-hill + - path_regex: 
users/alice/secrets.*\.yaml$ + key_groups: + - pgp: + - *admin_alice + age: + - *palatine-hill + - *artemision + - *artemision-home + - path_regex: systems/palatine-hill/secrets.*\.yaml$ + key_groups: + - pgp: + - *admin_alice + age: + - *palatine-hill + - path_regex: systems/artemision/secrets.*\.yaml$ + key_groups: + - pgp: + - *admin_alice + age: + - *artemision + - path_regex: systems/palatine-hill/docker/wg/.*\.conf$ + key_groups: + - pgp: + - *admin_alice + age: + - *palatine-hill diff --git a/.vscode/settings.json b/.vscode/settings.json index d678307..1a5f894 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,5 +1,7 @@ { - "cSpell.enableFiletypes": ["nix"], + "cSpell.enableFiletypes": [ + "nix" + ], "cSpell.words": [ "aarch", "abmlevel", diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 79f6931..04b76e6 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md 
@@ -40,12 +40,12 @@ and will eventually trip a check when merging to main. | Branch Name | Use Case | |------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | main | protected branch which all machines pull from, do not try to push directly | -| feature/\ | \ is a new feature added to the repo, for personal or common use | -| fixup/\ | \ is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical | -| hotfix/\ | \ is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process | -| urgent/\ | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues | -| exp/\ | \ is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches | -| merge/\ | \ is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch | +| feature/\ | \ is a new feature added to the repo, for personal or common use | +| fixup/\ | \ is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical | +| hotfix/\ | \ is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process | +| urgent/\ | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues | +| exp/\ | \ is a non-critical experiment. 
This is used for shipping around potential new features or fixes to multiple branches | +| merge/\ | \ is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch | ### Review Process @@ -94,11 +94,11 @@ rules. PR has been tested on at least one machine - Issues which bypass the quorum process must have a second reviewer tagged - All critical issues which bypass the approval process must have an RCA issue - opened and the RCA logged into the `inc/` folder + opened and the RCA logged into the `inc/` folder - The second reviewer has 2 weeks to retroactively review and approve the PR - If the retro does not happen in the given window, an issue shall be opened - to either re-review the PR or to revert and replace the fix with a - permanent solution + to either re-review the PR or to revert and replace the fix with a + permanent solution - Critical issues must be tagged to `Nix Flake Features` project, and must have a priority of `High` and an estimate tagged. Start and end date are not needed diff --git a/docs/sample-setup.sh b/docs/sample-setup.sh index 8216a47..bb278dc 100644 --- a/docs/sample-setup.sh +++ b/docs/sample-setup.sh @@ -1,9 +1,9 @@ #!/usr/bin/env nix #! nix shell nixpkgs#bash nixpkgs#git --command bash -set -o errexit # abort on nonzero exitstatus -set -o nounset # abort on unbound variable -set -o pipefail # don't hide errors within pipes +set -o errexit # abort on nonzero exitstatus +set -o nounset # abort on unbound variable +set -o pipefail # don't hide errors within pipes PROCEED="N" 
@@ -50,60 +50,58 @@ GITBASE="systems" FEATUREBRANCH="feature/adding-$MACHINENAME" if [ $PROCEED != "Y" ]; then - echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly" - lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT + echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly" + lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT fi - - if [ $CREATEPARTS = "Y" ]; then - # Create partition table - sudo parted "/dev/$DRIVE" -- mklabel gpt + # Create partition table + sudo parted "/dev/$DRIVE" -- mklabel gpt - # Create boot part - sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB - sudo parted "/dev/$DRIVE" -- set 1 esp on - sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1" + # Create boot part + sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB + sudo parted "/dev/$DRIVE" -- set 1 esp on + sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1" - # Create luks part - sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100% - sudo parted "/dev/$DRIVE" -- set 2 lvm on - - LUKSPART="nixos-pv" - sudo cryptsetup luksFormat "/dev/${DRIVE}p2" - sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART" + # Create luks part + sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100% + sudo parted "/dev/$DRIVE" -- set 2 lvm on - # Create lvm part - sudo pvcreate "/dev/mapper/$LUKSPART" - sudo pvresize "/dev/mapper/$LUKSPART" - sudo pvdisplay + LUKSPART="nixos-pv" + sudo cryptsetup luksFormat "/dev/${DRIVE}p2" + sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART" - # Create volume group - sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART" - sudo vgchange -a y "$VOLGROUP" - sudo vgdisplay + # Create lvm part + sudo pvcreate "/dev/mapper/$LUKSPART" + sudo pvresize "/dev/mapper/$LUKSPART" + sudo pvdisplay - # Create swap part on LVM - if [ $SWAPSIZE != 0 ]; then - sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap - sudo mkswap -L NIXSWAP -c "$SWAPPATH" - fi + # 
Create volume group + sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART" + sudo vgchange -a y "$VOLGROUP" + sudo vgdisplay - # Create home part on LVM, leaving plenty of room for snapshots - sudo lvcreate -l 50%FREE "$VOLGROUP" -n home - sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH" + # Create swap part on LVM + if [ $SWAPSIZE != 0 ]; then + sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap + sudo mkswap -L NIXSWAP -c "$SWAPPATH" + fi - # Create root part on LVM, keeping in mind most data will be on /home or /nix - sudo lvcreate -L 5G "$VOLGROUP" -n root - sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH" + # Create home part on LVM, leaving plenty of room for snapshots + sudo lvcreate -l 50%FREE "$VOLGROUP" -n home + sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH" - # Create nix part on LVM - sudo lvcreate -L 100G "$VOLGROUP" -n nix-store - sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH" + # Create root part on LVM, keeping in mind most data will be on /home or /nix + sudo lvcreate -L 5G "$VOLGROUP" -n root + sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH" - sudo lvdisplay + # Create nix part on LVM + sudo lvcreate -L 100G "$VOLGROUP" -n nix-store + sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH" - lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT + sudo lvdisplay + + lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT fi # Mount partitions @@ -116,7 +114,7 @@ sudo mount $BOOTPART /mnt/boot # Enable swap if SWAPSIZE is non-zero if [ $SWAPSIZE != 0 ]; then - sudo swapon "/dev/$VOLGROUP/swap" + sudo swapon "/dev/$VOLGROUP/swap" fi # Clone the repo 
@@ -135,31 +133,31 @@ read -r -p "get this into github so you can check everything in, then hit enter cat "$DOTS/id_ed25519_ghdeploy.pub" if [ $SOPS == "Y" ]; then - # Create ssh host-keys - sudo ssh-keygen -A - sudo mkdir -p /mnt/etc/ssh - sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh + # Create ssh host-keys + sudo ssh-keygen -A + sudo mkdir -p /mnt/etc/ssh + sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh - # Get line where AGE comment is and insert new AGE key two lines down - AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}') - AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age') - sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml" + # Get line where AGE comment is and insert new AGE key two lines down + AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}') + AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age') + sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml" - # Add server name - SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}') - sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml" + # Add server name + SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}') + sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml" - # Add creation rules - CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}') - # TODO: below was not working when last attempted - read -r -d '' PATHRULE <<-EOF + # Add creation rules + CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}') + # TODO: below was not working when last attempted + read -r -d '' PATHRULE <<-EOF - path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$ key_groups: - pgp: *$OWNERORADMINS age: - *$MACHINENAME EOF - sudo sed 
-i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml" + sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml" fi read -r -p "press enter to continue" diff --git a/systems/palatine-hill/attic/sync-attic.bash b/systems/palatine-hill/attic/sync-attic.bash index 7e99877..57ecdd0 100644 --- a/systems/palatine-hill/attic/sync-attic.bash +++ b/systems/palatine-hill/attic/sync-attic.bash @@ -2,9 +2,9 @@ #! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash sync_directories=( - /ZFS/ZFS-primary/hydra + /ZFS/ZFS-primary/hydra ) for dir in "${sync_directories[@]}"; do - find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \; + find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \; done diff --git a/systems/palatine-hill/docker/watchtower.bash b/systems/palatine-hill/docker/watchtower.bash index 902b5d1..0065c25 100644 --- a/systems/palatine-hill/docker/watchtower.bash +++ b/systems/palatine-hill/docker/watchtower.bash @@ -6,8 +6,8 @@ outdated_msg="Project code is out of date and needs to be upgraded. To remedy th label="$1" label_val="$2" -if (( $# != 2 )); then - echo "usage: $0 label label_value" +if (($# != 2)); then + echo "usage: $0 label label_value" fi containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}") diff --git a/treefmt.toml b/treefmt.toml index 44785d5..940009c 100644 --- a/treefmt.toml +++ b/treefmt.toml @@ -12,3 +12,21 @@ command = "nixfmt" #options = [] # Glob pattern of files to include includes = [ "*.nix" ] + +[formatter.jsonfmt] +command = "jsonfmt" +excludes = [] +includes = ["*.json"] +options = ["-w"] + +[formatter.shfmt] +command = "shfmt" +excludes = [] +includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"] +options = ["-i", "2", "-s", "-w"] + +[formatter.yamlfmt] +command = "yamlfmt" +excludes = [] +includes = ["*.yaml", "*.yml"] +options = ["-formatter","indent=4"] diff --git a/utils/attic-push.bash b/utils/attic-push.bash index 0c15588..01aa79f 100755 
--- a/utils/attic-push.bash +++ b/utils/attic-push.bash @@ -11,18 +11,16 @@ set -e # | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g') # retrieve all paths -nix_paths=$(nix path-info --json --all --closure-size \ - | jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' \ - | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g') - +nix_paths=$(nix path-info --json --all --closure-size | + jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' | + jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g') readarray -t nix_path_array < <(echo "$nix_paths") batchsize=1000 -for((i=0; i < ${#nix_path_array[@]}; i+=batchsize)) -do - part=( "${nix_path_array[@]:i:batchsize}" ) +for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do + part=("${nix_path_array[@]:i:batchsize}") - attic push nix-cache "${part[@]}" + attic push nix-cache "${part[@]}" done diff --git a/utils/attic-token.bash b/utils/attic-token.bash index 650ca5b..f069375 100755 --- a/utils/attic-token.bash +++ b/utils/attic-token.bash @@ -1,8 +1,8 @@ #!/usr/bin/env bash -if (( $# != 3 )); then - echo "usage: $0 " - exit 1 +if (($# != 3)); then + echo "usage: $0 " + exit 1 fi cache="$1" 
@@ -10,27 +10,27 @@ cache_pattern="$2" token_type="$3" case $token_type in - "cache-creator") - atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \ - --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \ - --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \ - --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern" - ;; - "admin") - atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \ - --push "$cache_pattern" --configure-cache "$cache_pattern" \ - --configure-cache-retention "$cache_pattern" - ;; - "writer") - atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \ - --push "$cache_pattern" - ;; - "reader") - atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern" - ;; - *) - echo "invalid token type: $token_type" - echo "available options: cache-creator, admin, writer, reader" - exit 1 - ;; +"cache-creator") + atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \ + --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \ + --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \ + --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern" + ;; +"admin") + atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \ + --push "$cache_pattern" --configure-cache "$cache_pattern" \ + --configure-cache-retention "$cache_pattern" + ;; +"writer") + atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \ + --push "$cache_pattern" + ;; +"reader") + atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern" + ;; +*) + echo "invalid token type: $token_type" + echo "available options: cache-creator, admin, writer, reader" + exit 1 + ;; esac diff --git a/utils/eval-to-drv.sh b/utils/eval-to-drv.sh index 81a06cc..49634b4 100755 
--- a/utils/eval-to-drv.sh +++ b/utils/eval-to-drv.sh @@ -8,8 +8,8 @@ set -v set -e if [ "$#" -ne 1 ]; then - echo "$0 (pre|post)" - exit 1 + echo "$0 (pre|post)" + exit 1 fi script_path=$(dirname "$(readlink -f $0)") diff --git a/utils/fetch-docker.sh b/utils/fetch-docker.sh index 67264bc..637b3c6 100755 --- a/utils/fetch-docker.sh +++ b/utils/fetch-docker.sh @@ -14,10 +14,10 @@ parent_path=$(dirname "$script_path") # relpath is the relative path to the parent_path where you want the file written # format: ,,,, images=( - "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix" + "nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix" ) IFS="," while read -r name tag arch os relpath; do - nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet > "$parent_path/$relpath" - git --no-pager diff "$parent_path/$relpath" -done<<< "${images[@]}" + nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath" + git --no-pager diff "$parent_path/$relpath" +done <<<"${images[@]}" diff --git a/utils/manual-update.sh b/utils/manual-update.sh index ed5c5ca..96fe9cb 100755 --- a/utils/manual-update.sh +++ b/utils/manual-update.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -set -e +set -e set -v set -x diff --git a/utils/sops-mergetool-new.sh b/utils/sops-mergetool-new.sh index 6896976..fc425c9 100755 --- a/utils/sops-mergetool-new.sh +++ b/utils/sops-mergetool-new.sh @@ -2,7 +2,10 @@ # Rename CLI parameters to friendlier names # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver -base="$1"; local_="$2"; remote="$3"; merged="$4" +base="$1" +local_="$2" +remote="$3" +merged="$4" # Load the mergetool scripts TOOL_MODE=merge 
@@ -20,7 +23,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}" backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}" # If anything goes wrong, then delete our decrypted files -handle_trap_exit () { +handle_trap_exit() { rm $base_decrypted || true rm $local_decrypted || true rm $remote_decrypted || true @@ -30,12 +33,12 @@ handle_trap_exit () { trap handle_trap_exit EXIT # Decrypt our file contents -sops --decrypt --show-master-keys "$base" > "$base_decrypted" -sops --decrypt --show-master-keys "$local_" > "$local_decrypted" -sops --decrypt --show-master-keys "$remote" > "$remote_decrypted" +sops --decrypt --show-master-keys "$base" >"$base_decrypted" +sops --decrypt --show-master-keys "$local_" >"$local_decrypted" +sops --decrypt --show-master-keys "$remote" >"$remote_decrypted" # Create a merge-diff to compare against -git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted" +git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted" cp "$merged_decrypted" "$backup_decrypted" # Set up variables for the mergetool @@ -48,7 +51,7 @@ MERGED="$merged_decrypted" BACKUP="$backup_decrypted" # Override `check_unchanged` with a custom script -check_unchanged () { +check_unchanged() { # If the contents haven't changed, then fail if test "$MERGED" -nt "$BACKUP"; then return 0 @@ -61,5 +64,4 @@ check_unchanged () { run_merge_tool "${mergetool}" true # Re-encrypt content -sops --encrypt "$merged_decrypted" > "$merged" - +sops --encrypt "$merged_decrypted" >"$merged" diff --git a/utils/sops-mergetool.sh b/utils/sops-mergetool.sh index d337a2b..591562e 100755 --- a/utils/sops-mergetool.sh +++ b/utils/sops-mergetool.sh @@ -6,7 +6,10 @@ set -x # Rename our variables to friendlier equivalents # https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver -base="$1"; local_="$2"; remote="$3"; merged="$4" +base="$1" +local_="$2" +remote="$3" +merged="$4" echo "$base" echo "$local_" 
@@ -18,7 +21,7 @@ echo "$merged" mergetool="$(git config --get merge.tool)" GIT_DIR="$(git --exec-path)" if test "$mergetool" = ""; then - echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool \`" 1>&2 + echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool `' 1>&2 exit 1 fi @@ -32,7 +35,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}" backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}" # If anything goes wrong, then delete our decrypted files -handle_trap_exit () { +handle_trap_exit() { rm $base_decrypted || true rm $local_decrypted || true rm $remote_decrypted || true @@ -42,13 +45,13 @@ handle_trap_exit () { trap handle_trap_exit EXIT # Decrypt our file contents -sops --decrypt --show-master-keys "$base" > "$base_decrypted" -sops --decrypt --show-master-keys "$local_" > "$local_decrypted" -sops --decrypt --show-master-keys "$remote" > "$remote_decrypted" +sops --decrypt --show-master-keys "$base" >"$base_decrypted" +sops --decrypt --show-master-keys "$local_" >"$local_decrypted" +sops --decrypt --show-master-keys "$remote" >"$remote_decrypted" # Create a merge-diff to compare against set +e -git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted" +git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted" set -e cp "$merged_decrypted" "$backup_decrypted" @@ -66,7 +69,7 @@ source "$GIT_DIR/git-mergetool--lib" source "$GIT_DIR/mergetools/$mergetool" # Override `check_unchanged` with a custom script -check_unchanged () { +check_unchanged() { # If the contents haven't changed, then fail if test "$MERGED" -nt "$BACKUP"; then return 0 @@ -82,5 +85,4 @@ merge_cmd set -eu # Re-encrypt content -sops --encrypt "$merged_decrypted" > "$merged" - +sops --encrypt "$merged_decrypted" >"$merged" -- 2.48.1 From c30f65c17e519d9f4ecca1d251722b40d9c1edf4 Mon Sep 17 00:00:00 2001 
From: ahuston-0
Date: Thu, 13 Mar 2025 18:04:46 -0400
Subject: [PATCH 3/8] switch hypridle over to using nixpkgs path
Signed-off-by: ahuston-0
---
 users/alice/home/hypr/hypridle.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/users/alice/home/hypr/hypridle.nix b/users/alice/home/hypr/hypridle.nix
index 1d6341f..12359f2 100644
--- a/users/alice/home/hypr/hypridle.nix
+++ b/users/alice/home/hypr/hypridle.nix
@@ -18,14 +18,14 @@
 listener = [
 {
 timeout = 150; # 2.5min.
- on-timeout = "brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
- on-resume = "brightnessctl -r"; # monitor backlight restore.
+ on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
+ on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r"; # monitor backlight restore.
 }
 # turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
 {
 timeout = 150; # 2.5min.
- on-timeout = "brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
- on-resume = "brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
+ on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
+ on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
 }
 {
 timeout = 300; # 5min
-- 2.48.1
From d825b594f8dd4593fd2c0ff23e7a659d5be25ee1 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Thu, 13 Mar 2025 18:10:15 -0400
Subject: [PATCH 4/8] add graphics corruption fix
https://gitlab.freedesktop.org/drm/amd/-/issues/2075 https://community.frame.work/t/responded-severe-artifacts-and-poor-performance-with-dgpu/46470/21
---
 systems/artemision/configuration.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/systems/artemision/configuration.nix b/systems/artemision/configuration.nix
index 07d8b51..8fee882 100644
--- a/systems/artemision/configuration.nix
+++ b/systems/artemision/configuration.nix
@@ -88,6 +88,10 @@
 programs.adb.enable = true;
+ environment.variables = {
+ "KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
+ };
+
 sops = {
 defaultSopsFile = ./secrets.yaml;
 #secrets = {
-- 2.48.1
From 7aded1fb40e524100e9c672abfa50d49f1d52ec5 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Thu, 13 Mar 2025 19:24:29 -0400
Subject: [PATCH 5/8] comment out invalid hyprlock settings
---
 users/alice/home/hypr/hyprlock.nix | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/users/alice/home/hypr/hyprlock.nix b/users/alice/home/hypr/hyprlock.nix
index 7bd68a0..e02b05c 100644
--- a/users/alice/home/hypr/hyprlock.nix
+++ b/users/alice/home/hypr/hyprlock.nix
@@ -11,7 +11,8 @@
 settings = {
 general = {
 immediate_render = true;
- no_fade_in = true;
+ # disabling as config doesn't exist
+ #no_fade_in = true;
 };
 background = {
 monitor = "";
@@ -54,7 +55,8 @@
 dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
 dots_center = false;
 dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
- dots_fade_time = 200; # Milliseconds until a dot fully fades in
+ # disabling as config doesn't exist
+ # dots_fade_time = 200; # Milliseconds until a dot fully fades in
 dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
 # disabling due to stylix
 # outer_color = "rgb(151515)";
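Review bot: The added `environment.variables` entry records none of the rationale the commit message gives, so a later reader cannot tell whether `KWIN_DRM_NO_DIRECT_SCANOUT = "1"` is meant to stay or is a workaround to drop once the driver issue is resolved; the links in the commit message would be far more useful next to the setting. Since `environment.variables` is system-wide, the variable is also exported into every user session on this host, not only the one that showed the corruption. Suggest a comment above the block: `# Workaround for dGPU artifacts/corruption, see https://gitlab.freedesktop.org/drm/amd/-/issues/2075 (and the Framework forum thread in the commit message); remove once fixed upstream.` The enclosing module attribute set starts and ends outside the hunk.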
@@ -70,7 +72,8 @@
 #fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
 fail_text = "$FAIL ($ATTEMPTS)"; # can be set to empty
 fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
- fail_transition = 300; # transition time in ms between normal outer_color and fail_color
+ # disabling as config doesn't exist
+ #fail_transition = 300; # transition time in ms between normal outer_color and fail_color
 capslock_color = -1;
 numlock_color = -1;
 bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)
-- 2.48.1
From c0a3734f3b5613c3c05454067fa89a8522d47764 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Thu, 13 Mar 2025 19:26:47 -0400
Subject: [PATCH 6/8] re-enable non-LTS linux
---
 systems/artemision/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systems/artemision/configuration.nix b/systems/artemision/configuration.nix
index 8fee882..2390ab1 100644
--- a/systems/artemision/configuration.nix
+++ b/systems/artemision/configuration.nix
@@ -32,7 +32,7 @@
 };
 boot = {
- kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
+ #kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
 useSystemdBoot = true;
 default = true;
 };
-- 2.48.1
From 62960bda7cddf4206954079ff914c4ea9b360b35 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Fri, 14 Mar 2025 08:48:53 -0400
Subject: [PATCH 7/8] ping nixpkgs before the flickering started on artemision, update stable
---
 flake.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/flake.nix b/flake.nix
index 51e55b0..3b25b38 100644
--- a/flake.nix
+++ b/flake.nix
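Review bot: Commenting out `kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;` in the `boot` block leaves dead code with no indication of why the LTS pin existed or under what condition it should come back; the commit title is the only place that says the intent is to return to the default kernel. Either delete the line outright, since history keeps it, or keep it with a one-line reason such as `# LTS fallback; restore this mkForce if the default kernel regresses on this host`. Which kernel is actually selected once the pin is gone is decided by configuration outside this hunk, so it is worth confirming the resulting generation boots the intended one.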
@@ -25,8 +25,9 @@
 flake-parts.url = "github:hercules-ci/flake-parts";
 nixos-hardware.url = "github:NixOS/nixos-hardware";
 #nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
- nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
- nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+ # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
+ nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
+ nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
 systems.url = "github:nix-systems/default";
 # attic = {
-- 2.48.1
From 544129cef532e0c52c2db7304f40a6490e3fe203 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Sat, 15 Mar 2025 22:21:02 -0400
Subject: [PATCH 8/8] pin flake.lock
---
 flake.lock | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/flake.lock b/flake.lock
index 839639c..54f154d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -441,17 +441,18 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1741842650,
- "narHash": "sha256-gyA3ngXZroBeWdrVsM+bL63hQMUheYCrC+V78TEgBeU=",
+ "lastModified": 1740981371,
+ "narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "b1f2198021490b51fb92b8b09db97b9ba2a7b4ce",
+ "rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
 "type": "github"
 },
 "original": {
+ "narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
 "owner": "nixos",
- "ref": "nixos-unstable-small",
 "repo": "nixpkgs",
+ "rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
 "type": "github"
 }
 },
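Review bot: Pinning `nixpkgs.url` to the fixed revision `1d2fe0135f360c970aee1d57a53f816f3c9bddae` freezes the unstable input, so `nix flake update` will no longer bring in package or kernel security fixes from that channel until someone removes the pin, and the file itself gives no reason or exit condition (the flicker on artemision is stated only in the commit message). Replace the bare `# nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";` with a dated note such as `# TEMP (2025-03-14): pinned to the last nixos-unstable-small rev before the artemision flicker; restore the channel URL once the upstream fix lands` so the pin stays visible in review and is easy to revert. The `?narHash=` query is a good addition, since the fetch is then verified against the same hash the lock records. The `inputs` set containing these lines starts outside the hunk.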
@@ -472,16 +473,16 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1735563628,
- "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
+ "lastModified": 1741862977,
+ "narHash": "sha256-prZ0M8vE/ghRGGZcflvxCu40ObKaB+ikn74/xQoNrGQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
+ "rev": "cdd2ef009676ac92b715ff26630164bb88fec4e0",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-24.05",
+ "ref": "nixos-24.11",
 "repo": "nixpkgs",
 "type": "github"
 }
-- 2.48.1