diff --git a/.github/actions/install-lix/action.yml b/.github/actions/install-lix/action.yml
index 2170b8d..c41afc1 100644
--- a/.github/actions/install-lix/action.yml
+++ b/.github/actions/install-lix/action.yml
@@ -1,4 +1,4 @@
-# Derived from: https://github.com/isabelroses/dotfiles/blob/9335e5728eaaa9bdcb0d5c3130a5d7c8dddbb6e3/.github/actions/install-lix/action.yml :3
+# Taken from: https://github.com/isabelroses/dotfiles/blob/9335e5728eaaa9bdcb0d5c3130a5d7c8dddbb6e3/.github/actions/install-lix/action.yml :3
 name: Install Lix
 description: "Install Lix for the specified system"
@@ -13,5 +13,5 @@ runs:
 diagnostic-endpoint: ""
 extra-conf: |
 experimental-features = flakes nix-command
- substituters = https://nix-community.cachix.org https://catppuccin.cachix.org https://cache.nixos.org/ https://cache.tgirl.cloud/tgirlcloud
- trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= catppuccin.cachix.org-1:noG/4HkbhJb+lUAdKrph6LaozJvAeEEZj4N732IysmU= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tgirlcloud:vcV9oxS9pLXyeu1dVnBabLalLlw0yJzu6PakQM372t0=
+ substituters = https://nix-community.cachix.org https://catppuccin.cachix.org https://cache.nixos.org/
+ trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= catppuccin.cachix.org-1:noG/4HkbhJb+lUAdKrph6LaozJvAeEEZj4N732IysmU= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
diff --git a/.github/workflows/build-modules.yml b/.github/workflows/build-modules.yml
new file mode 100644
index 0000000..413d75a
--- /dev/null
+++ b/.github/workflows/build-modules.yml
@@ -0,0 +1,37 @@
+name: "Nix: build nixos-/home modules"
+
+on:
+ workflow_dispatch:
+ # push:
+ # paths:
+ # - "modules/**.nix"
+ # - "**.lock"
+ # - ".github/workflows/build-modules.yml"
+
+jobs:
+ check-flake:
+ name: Validate x86_64-linux
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ outputs: [nixosModules, homeModules]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.ref_name }}
+ persist-credentials: false
+
+ - name: Install Lix
+ uses: ./.github/actions/install-lix
+
+ - name: Setup Attic cache
+ uses: ryanccn/attic-action@v0.3.2
+ with:
+ endpoint: https://cache.thevoid.cafe
+ cache: puzzlevision
+ token: ${{ secrets.ATTIC_TOKEN }}
+
+ - name: Buid flake
+ run: nix build .#nixosModules.puzzlevision
diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml
index 244096b..08d6f1f 100644
--- a/.github/workflows/check-leaks.yml
+++ b/.github/workflows/check-leaks.yml
@@ -7,8 +7,6 @@ on:
 paths:
 - "**.nix"
 - ".github/workflows/check-leaks.yml"
- - "**.yaml"
- - "**.md"
 permissions:
 contents: read
diff --git a/.github/workflows/deadnix.yml b/.github/workflows/deadnix.yml
index b4e5211..e7a32dd 100644
--- a/.github/workflows/deadnix.yml
+++ b/.github/workflows/deadnix.yml
@@ -14,8 +14,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@main
-
- - name: Install Lix
+
+ - name: Install lix
 uses: ./.github/actions/install-lix
 - uses: phucleeuwu/deadnix-action@v1
diff --git a/.github/workflows/validate-lock.yml b/.github/workflows/validate-lock.yml
deleted file mode 100644
index 220f83a..0000000
--- a/.github/workflows/validate-lock.yml
+++ /dev/null
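Review bot: The `strategy.matrix.outputs` values are never referenced, so both matrix jobs run the identical `nix build .#nixosModules.puzzlevision` and `homeModules.puzzlevision` is never exercised; the last step should read `run: nix build .#${{ matrix.outputs }}.puzzlevision`, and its name `Buid flake` has a typo. The workflow also declares no top-level `permissions:` block, unlike check-leaks.yml in this same diff, so it runs with the repository's default GITHUB_TOKEN scope even though checkout plus a cache push needs only `contents: read`. Separately, `nix build` expects a derivation, and `nixosModules.puzzlevision` as defined in modules/flake/modules.nix looks like a module value rather than a package, so I would expect this step to fail on that alone (presumably the TODO noted there); evaluating the output with `nix eval` or folding the modules into the existing `nix flake check` would be the more fitting check.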
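Review bot: Dropping `"**.yaml"` from the `push.paths` filter means a push that only touches YAML, which in this repository includes the sops files under `secrets/` that the README's `sops updatekeys secrets/example.yaml` step refers to, no longer triggers the Trufflehog scan at all, and those are the files most likely to receive a pasted plaintext value by mistake. A secret scanner is cheap to run and loses much of its value once it is path-gated, so I would keep `- "**.yaml"` here, or drop the `paths:` filter entirely so every push to the branch is scanned. The enclosing `on:` block starts outside the hunk.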
@@ -1,22 +0,0 @@
-name: "Nix: validate flake.lock"
-
-on:
- workflow_dispatch:
- push:
- paths:
- - "**.lock"
-
-jobs:
- check-flake:
- name: Check Lockfile
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Install Lix
- uses: ./.github/actions/install-lix
-
- - name: Check flake.lock
- run: nix run github:tgirlcloud/pkgs#locker
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 05c56a9..4f3e1b3 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -16,8 +16,11 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ ref: ${{ github.ref_name }}
+ persist-credentials: false
- - name: Install Lix
+ - name: Install Nix
 uses: ./.github/actions/install-lix
 - name: Validate Flake
diff --git a/README.md b/README.md
index df3a877..75910ae 100644
--- a/README.md
+++ b/README.md
@@ -11,18 +11,22 @@
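Review bot: `ref: ${{ github.ref_name }}` checks out whatever the branch head is at the moment the job runs rather than the commit that triggered it, so on a push event (the README says these workflows run on pushes to v2; the `on:` block itself is outside the hunk) two quick pushes can leave the first commit's status reporting a validation of the second; the default checkout already uses `github.sha`, so the `ref:` line can simply be dropped, or made explicit as `ref: ${{ github.sha }}`. The same `ref:` line appears in the new build-modules.yml checkout step. `persist-credentials: false` is a good addition and should stay. The renamed step `Install Nix` still runs `./.github/actions/install-lix` while deadnix.yml in this same diff calls it `Install lix`; one spelling across the workflows would keep the logs consistent.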
-## 💡 Why the need for a second version?
-At its core, version 2 of my NixOS flake was aimed at improving the following regions of my previous setup:
+## 🚧 State of development
+All the basic functionality of v2 should be working correctly, including:
-- Implementing my own custom library at self.lib, recursively built from the contents of the `lib` directory.
+- The custom lib implementation at self.lib, recursively built from the contents of the `lib` directory.
 - Loading of systems from the `systems` directory, using easy-hosts.
- - Archetypes for various systems, as seen in [Jake Hamilton's](https://github.com/jakehamilton) flake.
-- Creating users in my systems through a unified NixOS module, with automated home-manager setups derived from the `homes` directory.
+ - A basic workstation archetype for desktop systems.
+- Creating users in your systems through ${self.namespace}.users,
+automatically maps home-manager configurations from the `homes` directory to their corresponding users.
-Since I am actively using this configuration on my main workstation and Server, things have mostly stabilized,
-leftover issues are sparse and the list of modules is nearing completion (for my purposes that is).
+Since I am actively using this configuration on my main workstation, things are evolving quickly,
+leftover issues are actively being resolved and the list of modules is ever-growing.
+Nonetheless, one should still consider this implementation experimental.
-As such, I personally consider this flake production ready.
+My next goal is to setup an attic binary cache,
+with a build/release workflow that runs in regular intervals.
+(similar to isabelroses's workflow setup)
 ## 🚀 Deployment
 To deploy a system run the following command in your terminal of choice.
@@ -73,7 +77,7 @@ nix-shell -p sops --run "sops updatekeys secrets/example.yaml"
 ```
 ## 👷 CI/CD coverage
-Currently, this repository houses 4 workflows, which are executed when pushing to the v2 branch.
+Currently, this repository houses 2 workflows, which are executed when pushing to the v2 branch.
 #### ↪️ `Nix: check for unused code`
 This workflow can be found in `.github/workflows/deadnix.yml`,
@@ -93,28 +97,15 @@ To be specific, it does the following:
 2. Installs nix with some experimental features (flakes, nix-command, recursive-nix, pipe-operator)
 3. Runs `nix flake check` on the codebase
-#### ↪️ `Nix: validate flake.lock`
-This workflow can be found in `.github/workflows/validate-lock.yml`.
-It simply scans flake lockfiles for duplicate entries using `nix run github:tgirlcloud/pkgs#locker`.
-Under the hood it makes use of the locker lockfile linter, created by the [tgirlcloud](https://github.com/tgirlcloud) team (mostly [isabelroses](https://github.com/isabelroses)).
+## 📝 Goals and improvements
+The main goals of this rewritten flake are:
-To be specific, it does the following:
-1. Checks out current branch
-2. Installs nix with some experimental features (flakes, nix-command)
-3. Runs `nix run github:tgirlcloud/pkgs#locker` on the codebase
-
-#### ↪️ `Trufflehog: check for exposed secrets`
-This workflow can be found in `.github/workflows/check-leaks.yml`.
-It runs the Trufflehog security tools on the entire repository, and tries to detect any leaked credentials.
-This is a last barrier of defense to minimise damage, in case of an emergency.
-
-## 📝 Future goals and improvements (2025-07-28)
-Some of my future goals for this flake are:
-
-- Implementing an automated release workflow with semver versioning, e.g. 2.3.0.
-- Experimenting with various window-managers, especially Niri, though not set in stone yet.
-- Researching performance best-practices for hardware and implementing patches based on those.
-- Further refining my usage of the Nix language, through language best-practices and CLI dev tools.
+- using flake-parts in place of Snowfall lib
+- significantly improving the re-usability of all modules
+- avoiding anti-patterns, such as `with lib; with lib.${namespace};`
+- improved secrets management
+- keeping external assets closer to their related nix file, e.g. wallpapers in
+the desktop modules folder
 ## 🏗️ Structure
 The structure this flake aims to build on is relatively simple to grasp.
@@ -140,6 +131,5 @@ and documentations such as:
 - [flake-parts](https://flake.parts)
 - [NixOS and Flakes book](https://nixos-and-flakes.thiscute.world)
-- [The official NixOS wiki](https://wiki.nixos.org)
 many thanks to their hard work!
diff --git a/flake.lock b/flake.lock
index af0d66b..886aa27 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1753702336,
- "narHash": "sha256-IVFUQV6egGQHnm+I183OT+4ct/ka1IWA5u/0A9I/YV4=",
+ "lastModified": 1753471400,
+ "narHash": "sha256-HFoF82El1cjuiz5se+SeawMwWseUUtYBimq3Iu6G2D0=",
 "owner": "catppuccin",
 "repo": "nix",
- "rev": "b32de96c3c5384c83b0f4d741ec58a7f97c9ab11",
+ "rev": "bc6d2b7b57dd29389538f8c4465e408c07187404",
 "type": "github"
 },
 "original": {
@@ -69,6 +69,24 @@
 "type": "github"
 }
 },
+ "flake-parts_2": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1749398372,
+ "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -76,11 +94,11 @@
 ]
 },
 "locked": {
- "lastModified": 1753732062,
- "narHash": "sha256-vojVM0SgFP8crFh1LDDXkzaI9/er/1cuRfbNPhfBHyc=",
+ "lastModified": 1753617834,
+ "narHash": "sha256-WEVfKrdIdu5CpppJ0Va3vzP0DKlS+ZTLbBjugMO2Drg=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "f49e872f55e36e67ebcb906ff65f86c7a1538f7c",
+ "rev": "72cc1e3134a35005006f06640724319caa424737",
 "type": "github"
 },
 "original": {
@@ -89,35 +107,11 @@
 "type": "github"
 }
 },
- "minegrub-theme": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1752413064,
- "narHash": "sha256-bcWxBAAvf5hp0TmMbYrwU4SlBxc5sB/T2VsIBdX1gDk=",
- "owner": "Lxtharia",
- "repo": "minegrub-theme",
- "rev": "040b163268be6e7cf743ba990177525dc47ed944",
- "type": "github"
- },
- "original": {
- "owner": "Lxtharia",
- "repo": "minegrub-theme",
- "type": "github"
- }
- },
 "nixcord": {
 "inputs": {
 "flake-compat": "flake-compat",
- "flake-parts": [
- "flake-parts"
- ],
- "nixpkgs": [
- "nixpkgs"
- ]
+ "flake-parts": "flake-parts_2",
+ "nixpkgs": "nixpkgs"
 },
 "locked": {
 "lastModified": 1753581565,
@@ -135,11 +129,42 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1753549186,
- "narHash": "sha256-Znl7rzuxKg/Mdm6AhimcKynM7V3YeNDIcLjBuoBcmNs=",
+ "lastModified": 1749494155,
+ "narHash": "sha256-FG4DEYBpROupu758beabUk9lhrblSf5hnv84v1TLqMc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "17f6bd177404d6d43017595c5264756764444ab8",
+ "rev": "88331c17ba434359491e8d5889cce872464052c2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-25.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-lib": {
+ "locked": {
+ "lastModified": 1748740939,
+ "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "656a64127e9d791a334452c6b6606d17539476e2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1753429684,
+ "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d",
 "type": "github"
 },
 "original": {
@@ -149,23 +174,36 @@
 "type": "github"
 }
 },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1744868846,
+ "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "catppuccin": "catppuccin",
 "easy-hosts": "easy-hosts",
 "flake-parts": "flake-parts",
 "home-manager": "home-manager",
- "minegrub-theme": "minegrub-theme",
 "nixcord": "nixcord",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
 "sops-nix": "sops-nix"
 }
 },
 "sops-nix": {
 "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
+ "nixpkgs": "nixpkgs_3"
 },
 "locked": {
 "lastModified": 1752544651,
diff --git a/flake.nix b/flake.nix
index 972e9fd..44ab739 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,11 +21,7 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 easy-hosts.url = "github:tgirlcloud/easy-hosts";
-
- sops-nix = {
- url = "github:Mic92/sops-nix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
+ sops-nix.url = "github:Mic92/sops-nix";
 flake-parts = {
 url = "github:hercules-ci/flake-parts";
@@ -44,13 +40,6 @@
 nixcord = {
 url = "github:kaylorben/nixcord";
- inputs.flake-parts.follows = "flake-parts";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
- minegrub-theme = {
- url = "github:Lxtharia/minegrub-theme";
- inputs.nixpkgs.follows = "nixpkgs";
 };
 };
diff --git a/modules/flake/default.nix b/modules/flake/default.nix
index bc8eafb..1edda45 100644
--- a/modules/flake/default.nix
+++ b/modules/flake/default.nix
@@ -3,6 +3,9 @@
 # Automagically imports libs from "/lib/lib-name" and exposes them to the `flake.lib` output.
 ./lib.nix
+ # Exposes nixosModules and homeModules on flake outputs.
+ ./modules.nix
+
 # Automagically imports systems from "/systems/arch-classname/system-name".
 ./systems.nix
 ];
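Review bot: Removing `inputs.nixpkgs.follows = "nixpkgs"` from sops-nix here, and from nixcord (together with its `inputs.flake-parts.follows`) in the second flake.nix hunk, lets each of those inputs pin its own nixpkgs; the flake.lock in this same diff now carries three nixpkgs entries (`nixpkgs` on nixos-25.05 for nixcord, `nixpkgs_2` for root, and `nixpkgs_3` for sops-nix at lastModified 1744868846, about three months behind root's 1753429684), so evaluation fetches three nixpkgs trees and anything taken from `inputs.sops-nix.packages` would be built against the older one. Unless the follows were dropped to work around a concrete breakage, I would restore `inputs.nixpkgs.follows = "nixpkgs";` on both inputs; for nixcord the braces are still there so it is a one-line addition, and sops-nix would go back to the attribute-set form. This commit also deletes validate-lock.yml, whose locker lint is described in the README as flagging duplicate lockfile entries and would presumably have reported exactly this; if the duplicates are intentional, the commit message should say why.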
diff --git a/modules/flake/modules.nix b/modules/flake/modules.nix
new file mode 100644
index 0000000..a9448b8
--- /dev/null
+++ b/modules/flake/modules.nix
@@ -0,0 +1,15 @@
+{ self, ... }:
+{
+ flake = {
+ # TODO: figure out why this isn't working correctly
+ nixosModules.puzzlevision = self.lib.mkModule {
+ class = "nixos";
+ modules = self.lib.dirToModuleList ../nixos;
+ };
+
+ homeModules.puzzlevision = self.lib.mkModule {
+ class = "home";
+ modules = self.lib.dirToModuleList ../home;
+ };
+ };
+}
diff --git a/modules/flake/systems.nix b/modules/flake/systems.nix
index 346ff1d..6819c18 100644
--- a/modules/flake/systems.nix
+++ b/modules/flake/systems.nix
@@ -18,7 +18,6 @@
 (lib.optionals (class == "nixos") [
 inputs.home-manager.nixosModules.default
 inputs.sops-nix.nixosModules.sops
- inputs.minegrub-theme.nixosModules.default
 ])
 ++ (self.lib.dirToModuleList ../${class}); # Import modules based on current classname.
 };
diff --git a/systems/x86_64-nixos/puzzlevision/default.nix b/systems/x86_64-nixos/puzzlevision/default.nix
index 20f3332..f897aa2 100644
--- a/systems/x86_64-nixos/puzzlevision/default.nix
+++ b/systems/x86_64-nixos/puzzlevision/default.nix
@@ -34,13 +34,17 @@
 archetypes.laptop.enable = true;
 };
+ networking.extraHosts = ''
+ 127.0.0.1 dev.bl-projekte.de
+ '';
+
 # Configure 8GB SWAP partition
- swapDevices = [
- {
- device = "/swapfile";
- size = 8 * 1024;
- }
- ];
+ # swapDevices = [
+ # {
+ # device = "/swapfile";
+ # size = 8 * 1024;
+ # }
+ # ];
 boot = {
 # Configure additional kernel modules.
@@ -51,19 +55,8 @@
 blacklistedKernelModules = [
 "rtw88_8821ce" # Block the default network-card driver.
 ];
-
- # Grub configuration
- loader.grub = {
- # Minecraft bootloader theme
- minegrub-theme = {
- enable = true;
- splash = "100% Flakes!";
- background = "background_options/1.18 - [Caves And Cliffs 2].png";
- boot-options-count = 4;
- };
- };
 };
 networking.hostName = "puzzlevision";
- system.stateVersion = "25.11";
+ system.stateVersion = "25.05";
 }
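Review bot: `# TODO: figure out why this isn't working correctly` records neither the symptom nor where it shows up, so the next reader has to rediscover it; it should at least name the failure and how to reproduce it, e.g. `# TODO: <describe the observed failure> — reproduce via the "Nix: build nixos-/home modules" workflow`. If the symptom is that workflow's `nix build .#nixosModules.puzzlevision` step failing, a likely cause, to be confirmed, is that `nix build` wants a derivation while `self.lib.mkModule` presumably yields a module value, in which case the output is fine and the workflow is what needs changing. The two `mkModule` calls differ only in `class` and the directory, so a small helper mapped over `[ "nixos" "home" ]` would avoid repeating them, though that is a style point.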
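Review bot: The `swapDevices` block is commented out rather than removed, and the live comment `# Configure 8GB SWAP partition` above it now describes configuration that no longer exists; git history keeps the old block, so delete the six commented lines together with that heading, or, if this is a temporary toggle, replace the heading with a comment that says so, e.g. `# swap disabled: <reason> — re-enable when <condition>`. With the block gone this host has no swap configured at all, and since `archetypes.laptop.enable = true` is set in the same hunk it is worth confirming that hibernation, which needs swap, is not relied on. The `networking.extraHosts` entry mapping `dev.bl-projekte.de` to loopback is fine for local development but is a per-machine override that may belong in a development module rather than the host definition; a style point only. The enclosing attribute set starts outside the hunk.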
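Review bot: Changing `system.stateVersion` from `"25.11"` to `"25.05"` on a host the README describes as an actively used workstation is risky: stateVersion is meant to be set once at installation and left alone, because NixOS uses it to keep stateful defaults (service data layouts, database formats) compatible with what is already on disk, and moving it changes those defaults for an existing installation. If the host really was installed at 25.05 and `"25.11"` was a mistake, a comment saying so, e.g. `system.stateVersion = "25.05"; # installed on 25.05, do not bump`, would stop a later reviewer from reverting it; otherwise this line should not change. Removing the `loader.grub.minegrub-theme` block is consistent with dropping that input in flake.nix and needs nothing further. The enclosing attribute set starts outside the hunk.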