diff --git a/.github/actions/install-lix/action.yml b/.github/actions/install-lix/action.yml
index c41afc1..2170b8d 100644
--- a/.github/actions/install-lix/action.yml
+++ b/.github/actions/install-lix/action.yml
@@ -1,4 +1,4 @@
-# Taken from: https://github.com/isabelroses/dotfiles/blob/9335e5728eaaa9bdcb0d5c3130a5d7c8dddbb6e3/.github/actions/install-lix/action.yml :3
+# Derived from: https://github.com/isabelroses/dotfiles/blob/9335e5728eaaa9bdcb0d5c3130a5d7c8dddbb6e3/.github/actions/install-lix/action.yml :3
 name: Install Lix
 description: "Install Lix for the specified system"
@@ -13,5 +13,5 @@ runs:
 diagnostic-endpoint: ""
 extra-conf: |
 experimental-features = flakes nix-command
- substituters = https://nix-community.cachix.org https://catppuccin.cachix.org https://cache.nixos.org/
- trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= catppuccin.cachix.org-1:noG/4HkbhJb+lUAdKrph6LaozJvAeEEZj4N732IysmU= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+ substituters = https://nix-community.cachix.org https://catppuccin.cachix.org https://cache.nixos.org/ https://cache.tgirl.cloud/tgirlcloud
+ trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= catppuccin.cachix.org-1:noG/4HkbhJb+lUAdKrph6LaozJvAeEEZj4N732IysmU= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tgirlcloud:vcV9oxS9pLXyeu1dVnBabLalLlw0yJzu6PakQM372t0=
diff --git a/.github/workflows/build-modules.yml b/.github/workflows/build-modules.yml
deleted file mode 100644
index 413d75a..0000000
--- a/.github/workflows/build-modules.yml
+++ /dev/null
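Review bot: The new `https://cache.tgirl.cloud/tgirlcloud` substituter and its `tgirlcloud:vcV9…` entry in `trusted-public-keys` add a further party whose signed store paths every workflow using this action will accept without rebuilding, and nothing records where the key was obtained or why the cache is needed. A comment above `extra-conf`, e.g. `# tgirlcloud cache/key added for github:tgirlcloud/pkgs#locker (validate-lock.yml); re-verify key against the project's published value before changing`, would let the next person re-check it rather than trust the diff. Note that `substituters =` (as opposed to `extra-substituters =`) replaces Nix's default list, so this line is the complete cache policy for CI, and the `trusted-public-keys` line must stay in step with it. The `runs:` block this hunk edits starts outside the hunk.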
@@ -1,37 +0,0 @@
-name: "Nix: build nixos-/home modules"
-
-on:
- workflow_dispatch:
- # push:
- # paths:
- # - "modules/**.nix"
- # - "**.lock"
- # - ".github/workflows/build-modules.yml"
-
-jobs:
- check-flake:
- name: Validate x86_64-linux
- runs-on: ubuntu-latest
- strategy:
- matrix:
- outputs: [nixosModules, homeModules]
-
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- ref: ${{ github.ref_name }}
- persist-credentials: false
- - name: Install Lix
- uses: ./.github/actions/install-lix
- - name: Setup Attic cache
- uses: ryanccn/attic-action@v0.3.2
- with:
- endpoint: https://cache.thevoid.cafe
- cache: puzzlevision
- token: ${{ secrets.ATTIC_TOKEN }}
- - name: Buid flake
- run: nix build .#nixosModules.puzzlevision
diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml
index 08d6f1f..244096b 100644
--- a/.github/workflows/check-leaks.yml
+++ b/.github/workflows/check-leaks.yml
@@ -7,6 +7,8 @@ on:
 paths:
 - "**.nix"
 - ".github/workflows/check-leaks.yml"
+ - "**.yaml"
+ - "**.md"
 permissions:
 contents: read
diff --git a/.github/workflows/deadnix.yml b/.github/workflows/deadnix.yml
index e7a32dd..b4e5211 100644
--- a/.github/workflows/deadnix.yml
+++ b/.github/workflows/deadnix.yml
@@ -14,8 +14,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@main
-
- - name: Install lix
+
+ - name: Install Lix
 uses: ./.github/actions/install-lix
 - uses: phucleeuwu/deadnix-action@v1
diff --git a/.github/workflows/validate-lock.yml b/.github/workflows/validate-lock.yml
new file mode 100644
index 0000000..220f83a
--- /dev/null
+++ b/.github/workflows/validate-lock.yml
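Review bot: The added `**.yaml` and `**.md` entries still leave the Trufflehog scan skipped for most of the file types a credential can land in — `.yml` (this repository's own workflows use `.yml`, which `**.yaml` does not match), `.lock`, `.json`, `.toml`, shell scripts — so the scan only runs when a push happens to touch one of the listed extensions, which is at odds with the README's description of it scanning the entire repository. A secret-scanning job is cheap relative to what it guards, so drop the `paths:` filter under `push:` entirely so every push is scanned, or at minimum add `- "**.yml"` next to `- "**.yaml"`. The `on:` block this hunk edits begins outside the hunk.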
@@ -0,0 +1,22 @@
+name: "Nix: validate flake.lock"
+
+on:
+ workflow_dispatch:
+ push:
+ paths:
+ - "**.lock"
+
+jobs:
+ check-flake:
+ name: Check Lockfile
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install Lix
+ uses: ./.github/actions/install-lix
+
+ - name: Check flake.lock
+ run: nix run github:tgirlcloud/pkgs#locker
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 4f3e1b3..05c56a9 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -16,11 +16,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
- with:
- ref: ${{ github.ref_name }}
- persist-credentials: false
- - name: Install Nix
+ - name: Install Lix
 uses: ./.github/actions/install-lix
 - name: Validate Flake
diff --git a/README.md b/README.md
index 75910ae..df3a877 100644
--- a/README.md
+++ b/README.md
@@ -11,22 +11,18 @@
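Review bot: `run: nix run github:tgirlcloud/pkgs#locker` fetches and executes whatever the default branch of a third-party repository contains at the moment the job runs, on every push that touches a `.lock` file, with nothing in this workflow or in flake.lock pinning it; pin the reference to a revision (`nix run github:tgirlcloud/pkgs/<rev>#locker`) or add `tgirlcloud/pkgs` as a flake input so the lockfile this job exists to validate also controls the validator. The new workflow also has no top-level `permissions:` block, unlike check-leaks.yml, so its `GITHUB_TOKEN` gets the repository's default permissions even though the job only reads the tree — add `permissions:` with `contents: read` above `jobs:`. Pinning `actions/checkout@v4` to a commit SHA would close the remaining unpinned step.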
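Review bot: Dropping `with:` / `persist-credentials: false` from the checkout step means `actions/checkout@v4` now stores the job's `GITHUB_TOKEN` in `.git/config` for the rest of the job, where the installed Lix toolchain and the subsequent `nix flake check` run can read it; this job only needs to read the tree, so keep `with:` and `persist-credentials: false` and remove only the `ref: ${{ github.ref_name }}` line, which is what the change appears to be after. The deleted build-modules.yml and check-leaks.yml's `permissions: contents: read` show the rest of the CI setup already leaning towards least privilege, so this hunk is a regression from that baseline. The `steps:` list continues outside the hunk.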
-## 🚧 State of development -All the basic functionality of v2 should be working correctly, including: +## 💡 Why the need for a second version? +At its core, version 2 of my NixOS flake was aimed at improving the following regions of my previous setup: -- The custom lib implementation at self.lib, recursively built from the contents of the `lib` directory. +- Implementing my own custom library at self.lib, recursively built from the contents of the `lib` directory. - Loading of systems from the `systems` directory, using easy-hosts. - - A basic workstation archetype for desktop systems. -- Creating users in your systems through ${self.namespace}.users, -automatically maps home-manager configurations from the `homes` directory to their corresponding users. + - Archetypes for various systems, as seen in [Jake Hamilton's](https://github.com/jakehamilton) flake. +- Creating users in my systems through a unified NixOS module, with automated home-manager setups derived from the `homes` directory. -Since I am actively using this configuration on my main workstation, things are evolving quickly, -leftover issues are actively being resolved and the list of modules is ever-growing. -Nonetheless, one should still consider this implementation experimental. +Since I am actively using this configuration on my main workstation and Server, things have mostly stabilized, +leftover issues are sparse and the list of modules is nearing completion (for my purposes that is). -My next goal is to setup an attic binary cache, -with a build/release workflow that runs in regular intervals. -(similar to isabelroses's workflow setup) +As such, I personally consider this flake production ready. ## 🚀 Deployment To deploy a system run the following command in your terminal of choice. 
@@ -77,7 +73,7 @@ nix-shell -p sops --run "sops updatekeys secrets/example.yaml" ``` ## 👷 CI/CD coverage -Currently, this repository houses 2 workflows, which are executed when pushing to the v2 branch. +Currently, this repository houses 4 workflows, which are executed when pushing to the v2 branch. #### ↪️ `Nix: check for unused code` This workflow can be found in `.github/workflows/deadnix.yml`, 
@@ -97,15 +93,28 @@ To be specific, it does the following: 2. Installs nix with some experimental features (flakes, nix-command, recursive-nix, pipe-operator) 3. Runs `nix flake check` on the codebase -## 📝 Goals and improvements -The main goals of this rewritten flake are: +#### ↪️ `Nix: validate flake.lock` +This workflow can be found in `.github/workflows/validate-lock.yml`. +It simply scans flake lockfiles for duplicate entries using `nix run github:tgirlcloud/pkgs#locker`. +Under the hood it makes use of the locker lockfile linter, created by the [tgirlcloud](https://github.com/tgirlcloud) team (mostly [isabelroses](https://github.com/isabelroses)). -- using flake-parts in place of Snowfall lib -- significantly improving the re-usability of all modules -- avoiding anti-patterns, such as `with lib; with lib.${namespace};` -- improved secrets management -- keeping external assets closer to their related nix file, e.g. wallpapers in -the desktop modules folder +To be specific, it does the following: +1. Checks out current branch +2. Installs nix with some experimental features (flakes, nix-command) +3. Runs `nix run github:tgirlcloud/pkgs#locker` on the codebase + +#### ↪️ `Trufflehog: check for exposed secrets` +This workflow can be found in `.github/workflows/check-leaks.yml`. +It runs the Trufflehog security tools on the entire repository, and tries to detect any leaked credentials. +This is a last barrier of defense to minimise damage, in case of an emergency. + +## 📝 Future goals and improvements (2025-07-28) +Some of my future goals for this flake are: + +- Implementing an automated release workflow with semver versioning, e.g. 2.3.0. +- Experimenting with various window-managers, especially Niri, though not set in stone yet. +- Researching performance best-practices for hardware and implementing patches based on those. +- Further refining my usage of the Nix language, through language best-practices and CLI dev tools. 
## 🏗️ Structure The structure this flake aims to build on is relatively simple to grasp. @@ -131,5 +140,6 @@ and documentations such as: - [flake-parts](https://flake.parts) - [NixOS and Flakes book](https://nixos-and-flakes.thiscute.world) +- [The official NixOS wiki](https://wiki.nixos.org) many thanks to their hard work! diff --git a/flake.lock b/flake.lock index 886aa27..af0d66b 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1753471400, - "narHash": "sha256-HFoF82El1cjuiz5se+SeawMwWseUUtYBimq3Iu6G2D0=", + "lastModified": 1753702336, + "narHash": "sha256-IVFUQV6egGQHnm+I183OT+4ct/ka1IWA5u/0A9I/YV4=", "owner": "catppuccin", "repo": "nix", - "rev": "bc6d2b7b57dd29389538f8c4465e408c07187404", + "rev": "b32de96c3c5384c83b0f4d741ec58a7f97c9ab11", "type": "github" }, "original": { @@ -69,24 +69,6 @@ "type": "github" } }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "home-manager": { "inputs": { "nixpkgs": [ @@ -94,11 +76,11 @@ ] }, "locked": { - "lastModified": 1753617834, - "narHash": "sha256-WEVfKrdIdu5CpppJ0Va3vzP0DKlS+ZTLbBjugMO2Drg=", + "lastModified": 1753732062, + "narHash": "sha256-vojVM0SgFP8crFh1LDDXkzaI9/er/1cuRfbNPhfBHyc=", "owner": "nix-community", "repo": "home-manager", - "rev": "72cc1e3134a35005006f06640724319caa424737", + "rev": "f49e872f55e36e67ebcb906ff65f86c7a1538f7c", "type": "github" }, "original": { 
@@ -107,11 +89,35 @@ "type": "github" } }, + "minegrub-theme": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1752413064, + "narHash": "sha256-bcWxBAAvf5hp0TmMbYrwU4SlBxc5sB/T2VsIBdX1gDk=", + "owner": "Lxtharia", + "repo": "minegrub-theme", + "rev": "040b163268be6e7cf743ba990177525dc47ed944", + "type": "github" + }, + "original": { + "owner": "Lxtharia", + "repo": "minegrub-theme", + "type": "github" + } + }, "nixcord": { "inputs": { "flake-compat": "flake-compat", - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs" + "flake-parts": [ + "flake-parts" + ], + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1753581565, @@ -129,42 +135,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749494155, - "narHash": "sha256-FG4DEYBpROupu758beabUk9lhrblSf5hnv84v1TLqMc=", + "lastModified": 1753549186, + "narHash": "sha256-Znl7rzuxKg/Mdm6AhimcKynM7V3YeNDIcLjBuoBcmNs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "88331c17ba434359491e8d5889cce872464052c2", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1748740939, - "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "656a64127e9d791a334452c6b6606d17539476e2", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1753429684, - "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d", + "rev": "17f6bd177404d6d43017595c5264756764444ab8", "type": "github" }, "original": { 
@@ -174,36 +149,23 @@ "type": "github" } }, - "nixpkgs_3": { - "locked": { - "lastModified": 1744868846, - "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "catppuccin": "catppuccin", "easy-hosts": "easy-hosts", "flake-parts": "flake-parts", "home-manager": "home-manager", + "minegrub-theme": "minegrub-theme", "nixcord": "nixcord", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "sops-nix": "sops-nix" } }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_3" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1752544651, diff --git a/flake.nix b/flake.nix index 44ab739..972e9fd 100644 --- a/flake.nix +++ b/flake.nix @@ -21,7 +21,11 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; easy-hosts.url = "github:tgirlcloud/easy-hosts"; - sops-nix.url = "github:Mic92/sops-nix"; + + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; flake-parts = { url = "github:hercules-ci/flake-parts"; @@ -40,6 +44,13 @@ nixcord = { url = "github:kaylorben/nixcord"; + inputs.flake-parts.follows = "flake-parts"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + minegrub-theme = { + url = "github:Lxtharia/minegrub-theme"; + inputs.nixpkgs.follows = "nixpkgs"; }; }; diff --git a/modules/flake/default.nix b/modules/flake/default.nix index 1edda45..bc8eafb 100644 --- a/modules/flake/default.nix +++ b/modules/flake/default.nix @@ -3,9 +3,6 @@ # Automagically imports libs from "/lib/lib-name" and exposes them to the `flake.lib` output. ./lib.nix - # Exposes nixosModules and homeModules on flake outputs. - ./modules.nix - # Automagically imports systems from "/systems/arch-classname/system-name". ./systems.nix ]; 
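Review bot: The new `minegrub-theme` input is referenced by branch only (`github:Lxtharia/minegrub-theme`), so every `nix flake update` will move it to that repository's current HEAD, and the accompanying change to modules/flake/systems.nix imports its NixOS module into every nixos host; for something that contributes to the bootloader configuration it is worth pinning to a tag or revision in the URL (`github:Lxtharia/minegrub-theme/<rev>`) or at least reviewing the lock-entry diff on each update. The `inputs.nixpkgs.follows = "nixpkgs"` lines for `sops-nix`, `nixcord` and `minegrub-theme` sensibly collapse the duplicate nixpkgs entries the lockfile hunks remove, with the usual caveat that these inputs are then built against `nixos-unstable` rather than the nixpkgs they were tested with. The `inputs = {` attribute set starts outside this hunk.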
diff --git a/modules/flake/modules.nix b/modules/flake/modules.nix deleted file mode 100644 index a9448b8..0000000 --- a/modules/flake/modules.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ self, ... }: -{ - flake = { - # TODO: figure out why this isn't working correctly - nixosModules.puzzlevision = self.lib.mkModule { - class = "nixos"; - modules = self.lib.dirToModuleList ../nixos; - }; - - homeModules.puzzlevision = self.lib.mkModule { - class = "home"; - modules = self.lib.dirToModuleList ../home; - }; - }; -} diff --git a/modules/flake/systems.nix b/modules/flake/systems.nix index 6819c18..346ff1d 100644 --- a/modules/flake/systems.nix +++ b/modules/flake/systems.nix @@ -18,6 +18,7 @@ (lib.optionals (class == "nixos") [ inputs.home-manager.nixosModules.default inputs.sops-nix.nixosModules.sops + inputs.minegrub-theme.nixosModules.default ]) ++ (self.lib.dirToModuleList ../${class}); # Import modules based on current classname. }; diff --git a/systems/x86_64-nixos/puzzlevision/default.nix b/systems/x86_64-nixos/puzzlevision/default.nix index f897aa2..20f3332 100644 --- a/systems/x86_64-nixos/puzzlevision/default.nix +++ b/systems/x86_64-nixos/puzzlevision/default.nix @@ -34,17 +34,13 @@ archetypes.laptop.enable = true; }; - networking.extraHosts = '' - 127.0.0.1 dev.bl-projekte.de - ''; - # Configure 8GB SWAP partition - # swapDevices = [ - # { - # device = "/swapfile"; - # size = 8 * 1024; - # } - # ]; + swapDevices = [ + { + device = "/swapfile"; + size = 8 * 1024; + } + ]; boot = { # Configure additional kernel modules. 
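Review bot: `inputs.minegrub-theme.nixosModules.default` is now imported for every `class == "nixos"` host, yet the only place that enables it in this change is `systems/x86_64-nixos/puzzlevision/default.nix`; evaluating a third-party module on every host (the README mentions a server as well as the laptop) widens what each host's configuration depends on for a cosmetic feature of one machine. Import it from the puzzlevision host configuration instead, alongside the `loader.grub.minegrub-theme` options it serves, and keep this shared list to modules every host actually needs such as `sops-nix` and `home-manager`. The enclosing function in systems.nix starts before the hunk.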
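Review bot: The uncommented `swapDevices` entry creates an 8 GiB `/swapfile` on the root filesystem; if that filesystem is not encrypted (nothing in this hunk shows either way), memory pages — potentially including decrypted secrets from the sops-nix module this host imports — can be written to disk in clear, so either confirm the root lives on an encrypted volume or add `randomEncryption.enable = true;` to the entry (this rules out hibernating to that swap, which may or may not matter for a laptop archetype). Removing the `networking.extraHosts` mapping for `dev.bl-projekte.de` is silent; a short note in the commit message or a comment would explain whether the host entry moved elsewhere or is no longer needed. The enclosing host configuration starts outside the hunk.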
@@ -55,8 +51,19 @@ blacklistedKernelModules = [ "rtw88_8821ce" # Block the default network-card driver. ]; + + # Grub configuration + loader.grub = { + # Minecraft bootloader theme + minegrub-theme = { + enable = true; + splash = "100% Flakes!"; + background = "background_options/1.18 - [Caves And Cliffs 2].png"; + boot-options-count = 4; + }; + }; }; networking.hostName = "puzzlevision"; - system.stateVersion = "25.05"; + system.stateVersion = "25.11"; }
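Review bot: `system.stateVersion` is bumped from `"25.05"` to `"25.11"` on a host the README describes as in daily use; NixOS documents this option as the release the system was first installed with and advises against changing it, because defaults for stateful services (data directory layouts, on-disk formats) are keyed on it and can shift underneath existing state. Unless this is a fresh installation, keep `system.stateVersion = "25.05";` and track newer releases through the `nixpkgs` input alone. The `loader.grub.minegrub-theme` options only exist because the module is wired in from modules/flake/systems.nix, so a comment such as `# options provided by inputs.minegrub-theme (imported in modules/flake/systems.nix)` above `loader.grub` would save a reader the search. The enclosing `boot` attribute set begins outside the hunk.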