ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

feature/waybar #15

Merged
ahuston-0 merged 8 commits from feature/waybar into main 2025-03-15 22:43:03 -04:00
Conversation 1 Commits 8 Files Changed 33 +630 -564
33 changed files with 630 additions and 564 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
.github/settings.yml vendored
View File

@ -4,60 +4,44 @@ repository:
# The name of the repository. Changing this will rename the repository
name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# Labels: define labels for Issues and Pull Requests
#
labels:
@ -104,53 +88,39 @@ labels:
- name: automated
color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD)
# Milestones: define milestones for Issues and Pull Requests
milestones:
- title: Go-Live
description: >-
All requirements for official go-live:
- Automated testing via Hydra/Actions
- Automated deployments via Hydra/Actions
- 90+% testing coverage
- Functional formatter with custom rules
- palatine-hill is fully stable, enough so that jeeves can be migrated
All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves
- Quadro GPU support
- Multi-GPU support
- Plex support
- Docker support
- ZFS support
Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
# Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
collaborators:
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
teams:
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
branches:
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
@ -165,7 +135,6 @@ branches:
# `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable

1
.github/workflows/flake-health-checks.yml vendored
View File

@ -5,7 +5,6 @@ on:
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix flake checks"

4
.github/workflows/flake-update.yml vendored
View File

@ -65,7 +65,6 @@ jobs:
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
@ -76,7 +75,6 @@ jobs:
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
@ -84,7 +82,6 @@ jobs:
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
@ -98,7 +95,6 @@ jobs:
automated: Update `flake.lock`
${{ steps.pr_body.outputs.content }}
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR

1
.github/workflows/lock-health-checks.yml vendored
View File

@ -5,7 +5,6 @@ on:
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Check health of `flake.lock`"

1
.github/workflows/nix-fmt.yml vendored
View File

@ -5,7 +5,6 @@ on:
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix format checks"

5
.sops.yaml
View File

@ -1,7 +1,6 @@
keys:
# The PGP keys in keys/
- &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
# Generate AGE keys from SSH keys with:
# ssh-keygen -A
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
@ -11,10 +10,8 @@ keys:
#- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
# cspell:enable
servers: &servers
- *palatine-hill
# add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below
#
@ -29,14 +26,12 @@ creation_rules:
- *palatine-hill
- *artemision
- *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/artemision/secrets.*\.yaml$
key_groups:
- pgp:

4
.vscode/settings.json vendored
View File

@ -1,5 +1,7 @@
{
"cSpell.enableFiletypes": ["nix"],
"cSpell.enableFiletypes": [
"nix"
],
"cSpell.words": [
"aarch",
"abmlevel",

12
docs/CONTRIBUTING.md
View File

@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
| Branch Name | Use Case |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main | protected branch which all machines pull from, do not try to push directly |
| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use |
| fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item\> | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item\> | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use |
| fixup/\<item> | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item> | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item> | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item> | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
### Review Process

2
docs/sample-setup.sh
View File

@ -54,8 +54,6 @@ if [ $PROCEED != "Y" ]; then
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
if [ $CREATEPARTS = "Y" ]; then
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt

17
flake.lock generated
View File

@ -441,17 +441,18 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1741842650,
"narHash": "sha256-gyA3ngXZroBeWdrVsM+bL63hQMUheYCrC+V78TEgBeU=",
"lastModified": 1740981371,
"narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b1f2198021490b51fb92b8b09db97b9ba2a7b4ce",
"rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
"type": "github"
},
"original": {
"narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
"owner": "nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
"type": "github"
}
},
@ -472,16 +473,16 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1735563628,
"narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
"lastModified": 1741862977,
"narHash": "sha256-prZ0M8vE/ghRGGZcflvxCu40ObKaB+ikn74/xQoNrGQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
"rev": "cdd2ef009676ac92b715ff26630164bb88fec4e0",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}

5
flake.nix
View File

@ -25,8 +25,9 @@
flake-parts.url = "github:hercules-ci/flake-parts";
nixos-hardware.url = "github:NixOS/nixos-hardware";
#nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
# nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
systems.url = "github:nix-systems/default";
# attic = {

4
shell.nix
View File

@ -45,6 +45,10 @@ forEachSystem (
treefmt
statix
nixfmt-rfc-style
jsonfmt
mdformat
shfmt
yamlfmt
];
};
in

6
systems/artemision/configuration.nix
View File

@ -32,7 +32,7 @@
};
boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
#kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
useSystemdBoot = true;
default = true;
};
@ -88,6 +88,10 @@
programs.adb.enable = true;
environment.variables = {
"KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
};
sops = {
defaultSopsFile = ./secrets.yaml;
#secrets = {

1
systems/artemision/programs.nix
View File

@ -42,6 +42,7 @@
kitty
kubectl
kubernetes-helm
libreoffice-fresh
libtool
lsof
lynis

2
systems/palatine-hill/docker/watchtower.bash
View File

@ -6,7 +6,7 @@ outdated_msg="Project code is out of date and needs to be upgraded. To remedy th
label="$1"
label_val="$2"
if (( $# != 2 )); then
if (($# != 2)); then
echo "usage: $0 label label_value"
fi

18
treefmt.toml
View File

@ -12,3 +12,21 @@ command = "nixfmt"
#options = []
# Glob pattern of files to include
includes = [ "*.nix" ]
[formatter.jsonfmt]
command = "jsonfmt"
excludes = []
includes = ["*.json"]
options = ["-w"]
[formatter.shfmt]
command = "shfmt"
excludes = []
includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"]
options = ["-i", "2", "-s", "-w"]
[formatter.yamlfmt]
command = "yamlfmt"
excludes = []
includes = ["*.yaml", "*.yml"]
options = ["-formatter","indent=4"]

1
users/alice/home.nix
View File

@ -16,6 +16,7 @@
./home/gammastep.nix
./home/doom
./home/hypr
./home/waybar.nix
./non-server.nix
];

1
users/alice/home/hypr/default.nix
View File

@ -8,6 +8,7 @@
{
xdg.configFile = {
"hypr/hyprland.conf".source = ./hyprland.conf;
"hypr/show-hide.sh".source = ./show-hide.sh;
};
imports = [

8
users/alice/home/hypr/hypridle.nix
View File

@ -18,14 +18,14 @@
listener = [
{
timeout = 150; # 2.5min.
on-timeout = "brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
on-resume = "brightnessctl -r"; # monitor backlight restore.
on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r"; # monitor backlight restore.
}
# turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
{
timeout = 150; # 2.5min.
on-timeout = "brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
on-resume = "brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
}
{
timeout = 300; # 5min

7
users/alice/home/hypr/hyprland.conf
View File

@ -22,6 +22,9 @@ monitor=,preferred,auto,auto
# exec-once = waybar & hyprpaper & firefox
exec-once = wired &
exec-once = wired
exec-once = systemctl --user start polkit-gnome-authentication-agent-1.service
# Source a file (multi-file configs)
# source = ~/.config/hypr/myColors.conf
@ -207,3 +210,7 @@ bind = $mainMod, P, exec, bwm
# lock screen
bind = $mainMod, L, exec, loginctl lock-session
# hide active window
bind = $mainMod,H,exec,/home/alice/config/hypr/hide_unhide_window.sh h
# show hide window
bind = $mainMod,I,exec,/home/alice/config/hypr/hide_unhide_window.sh s

9
users/alice/home/hypr/hyprlock.nix
View File

@ -11,7 +11,8 @@
settings = {
general = {
immediate_render = true;
no_fade_in = true;
# disabling as config doesn't exist
#no_fade_in = true;
};
background = {
monitor = "";
@ -54,7 +55,8 @@
dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
dots_center = false;
dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
dots_fade_time = 200; # Milliseconds until a dot fully fades in
# disabling as config doesn't exist
# dots_fade_time = 200; # Milliseconds until a dot fully fades in
dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
# disabling due to stylix
# outer_color = "rgb(151515)";
@ -70,7 +72,8 @@
#fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty
fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
fail_transition = 300; # transition time in ms between normal outer_color and fail_color
# disabling as config doesn't exist
#fail_transition = 300; # transition time in ms between normal outer_color and fail_color
capslock_color = -1;
numlock_color = -1;
bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)

25
users/alice/home/hypr/show-hide.sh Normal file
View File

@ -0,0 +1,25 @@
#!/usr/bin/env bash
stack_file="/tmp/hide_window_pid_stack.txt"
function hide_window() {
pid=$(hyprctl activewindow -j | jq '.pid')
hyprctl dispatch movetoworkspacesilent "88,pid:$pid"
echo "$pid" >>$stack_file
}
function show_window() {
pid=$(tail -1 $stack_file && sed -i '$d' $stack_file)
[ -z "$pid" ] && exit
current_workspace=$(hyprctl activeworkspace -j | jq '.id')
hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"
}
if [ -n "$1" ]; then
if [ "$1" == "h" ]; then
hide_window >>/dev/null
else
show_window >>/dev/null
fi
fi

40
users/alice/home/waybar.json Normal file
View File

@ -0,0 +1,40 @@
[
{
"height": 20,
"layer": "top",
"position": "top",
"output": [
"eDP-2",
"eDP-1",
"HDMI-0",
"DP-0"
],
"hyprland/workspaces": {
"active-only": true,
"all-outputs": false,
"show-special": true,
"move-to-monitor": true,
"format": "{icon} {windows}",
"format-window-separator": " ",
"format-icons": {
"1": "󰎤",
"2": "󰎧",
"3": "󰎪",
"default": "",
"empty": "󱓼",
"urgent": "󱨇"
},
"persistent-workspaces": {
"1": "HDMI-0"
},
"on-scroll-down": "hyprctl dispatch workspace e-1",
"on-scroll-up": "hyprctl dispatch workspace e+1",
"window-rewrite": {
"title<Steam>": ""
},
"window-rewrite-default": "",
"window-rewrite-separator": " ",
"sort-by": "number"
}
}
]

2
users/alice/home/waybar.nix
View File

@ -2,6 +2,6 @@
lib.mkIf (!machineConfig.server) {
programs.waybar = {
enable = true;
#settings = builtins.fromJSON (import ./waybar.json);
settings = builtins.fromJSON (builtins.readFile ./waybar.json);
};
}

1
users/alice/non-server.nix
View File

@ -64,5 +64,6 @@
zathura
obsidian
libreoffice-qt-fresh
wlr-randr
];
}

12
utils/attic-push.bash
View File

@ -11,18 +11,16 @@ set -e
# | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
# retrieve all paths
nix_paths=$(nix path-info --json --all --closure-size \
| jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' \
| jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
nix_paths=$(nix path-info --json --all --closure-size |
jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' |
jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
readarray -t nix_path_array < <(echo "$nix_paths")
batchsize=1000
for((i=0; i < ${#nix_path_array[@]}; i+=batchsize))
do
part=( "${nix_path_array[@]:i:batchsize}" )
for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do
part=("${nix_path_array[@]:i:batchsize}")
attic push nix-cache "${part[@]}"
done

12
utils/attic-token.bash
View File

@ -1,6 +1,6 @@
#!/usr/bin/env bash
if (( $# != 3 )); then
if (($# != 3)); then
echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
exit 1
fi
@ -10,25 +10,25 @@ cache_pattern="$2"
token_type="$3"
case $token_type in
"cache-creator")
"cache-creator")
atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
--pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
--create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
;;
"admin")
"admin")
atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern"
;;
"writer")
"writer")
atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern"
;;
"reader")
"reader")
atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
;;
*)
*)
echo "invalid token type: $token_type"
echo "available options: cache-creator, admin, writer, reader"
exit 1

4
utils/fetch-docker.sh
View File

@ -18,6 +18,6 @@ images=(
)
IFS=","
while read -r name tag arch os relpath; do
nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet > "$parent_path/$relpath"
nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath"
git --no-pager diff "$parent_path/$relpath"
done<<< "${images[@]}"
done <<<"${images[@]}"

20
utils/sops-mergetool-new.sh
View File

@ -2,7 +2,10 @@
# Rename CLI parameters to friendlier names
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"; local_="$2"; remote="$3"; merged="$4"
base="$1"
local_="$2"
remote="$3"
merged="$4"
# Load the mergetool scripts
TOOL_MODE=merge
@ -20,7 +23,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit () {
handle_trap_exit() {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
@ -30,12 +33,12 @@ handle_trap_exit () {
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
# Create a merge-diff to compare against
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
cp "$merged_decrypted" "$backup_decrypted"
# Set up variables for the mergetool
@ -48,7 +51,7 @@ MERGED="$merged_decrypted"
BACKUP="$backup_decrypted"
# Override `check_unchanged` with a custom script
check_unchanged () {
check_unchanged() {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
@ -61,5 +64,4 @@ check_unchanged () {
run_merge_tool "${mergetool}" true
# Re-encrypt content
sops --encrypt "$merged_decrypted" > "$merged"
sops --encrypt "$merged_decrypted" >"$merged"

22
utils/sops-mergetool.sh
View File

@ -6,7 +6,10 @@ set -x
# Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"; local_="$2"; remote="$3"; merged="$4"
base="$1"
local_="$2"
remote="$3"
merged="$4"
echo "$base"
echo "$local_"
@ -18,7 +21,7 @@ echo "$merged"
mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then
echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
exit 1
fi
@ -32,7 +35,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit () {
handle_trap_exit() {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
@ -42,13 +45,13 @@ handle_trap_exit () {
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
# Create a merge-diff to compare against
set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
set -e
cp "$merged_decrypted" "$backup_decrypted"
@ -66,7 +69,7 @@ source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool"
# Override `check_unchanged` with a custom script
check_unchanged () {
check_unchanged() {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
@ -82,5 +85,4 @@ merge_cmd
set -eu
# Re-encrypt content
sops --encrypt "$merged_decrypted" > "$merged"
sops --encrypt "$merged_decrypted" >"$merged"