
✨ Puzzlevision ✨




🚧 State of development
All the basic functionality of v2 should be working correctly, including:
- The custom lib implementation at `self.lib`, recursively built from the contents of the `lib` directory.
- Loading of systems from the `systems` directory, using easy-hosts.
- A basic workstation archetype for desktop systems.
- Creating users in your systems through `${self.namespace}.users`, which automatically maps home-manager configurations from the `homes` directory to their corresponding users.
Since I am actively using this configuration on my main workstation, things are evolving quickly, leftover issues are actively being resolved and the list of modules is ever-growing. Nonetheless, one should still consider this implementation experimental.

My next goal is to set up an attic binary cache, with a build/release workflow that runs at regular intervals (similar to isabelroses's workflow setup).
🚀 Deployment
To deploy a system, run the following command in your terminal of choice:
```sh
sudo nixos-rebuild switch --flake .#hostname --accept-flake-config
```
If you're interested in a quick way to experiment with this configuration, you may use the following command to build a VM:
```sh
sudo nixos-rebuild build-vm --flake .#hostname --accept-flake-config
```
🔑 Secrets Management
Secrets are managed by the sops-nix NixOS and home-manager modules respectively.
- General secrets are stored within the `secrets` directory.
- System specific secrets are stored within their respective `systems/<system_type>/<system_name>/secrets` directory.

The following command may be used to convert the SSH host key of a new machine to an age key:
```sh
nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age'
```
Additionally, the following command may be used to create a new sops secret file:
```sh
nix-shell -p sops --run "sops secrets/example.yaml"
```
You may also encrypt arbitrary binary formats, like `.cfg`, using the following command:

> [!IMPORTANT]
> The original file location also HAS to match one of the sops creation rules, not just the output. Yes, I know this is stupid, and yes, I've wasted way too much time dealing with this :3

```sh
nix-shell -p sops --run "sops -e original_file.cfg > secrets/encrypted_file.cfg"
```
Lastly, when adding new systems, make sure to update any required secret files with the following command:
```sh
nix-shell -p sops --run "sops updatekeys secrets/example.yaml"
```
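The creation-rule pitfall described above (sops matches the *input* path of `sops -e original_file.cfg` against `path_regex`, not the redirected output path) is easiest to see in the `.sops.yaml` itself. The file below is an added example, not the repository's own `.sops.yaml`; the age public keys are placeholders, and the host name `example` and the `plaintext/` staging directory are assumptions made for illustration.

```yaml
# Added example .sops.yaml (not the repository's own file).
# Keys are placeholders; in practice the host key comes from
# `ssh-keyscan <host> | ssh-to-age` and the user key from `age-keygen`.
keys:
  - &host_example age1PLACEHOLDER_HOST_KEY_FROM_SSH_TO_AGE
  - &user_admin   age1PLACEHOLDER_ADMIN_USER_KEY

# sops uses the FIRST rule whose path_regex matches, so the more specific
# (per-system) rule must come before the general one.
creation_rules:
  # System-specific secrets for the assumed host "example": encrypted only
  # to that machine's host key plus the admin who edits them.
  - path_regex: ^systems/x86_64-nixos/example/secrets/
    key_groups:
      - age:
          - *host_example
          - *user_admin

  # General secrets. A rule of `^secrets/` alone would NOT cover
  # `sops -e plaintext/original_file.cfg > secrets/encrypted_file.cfg`,
  # because sops matches "plaintext/original_file.cfg" (the input), and
  # sops would abort with "no matching creation rules". Matching a
  # gitignored staging directory as well resolves the caveat without
  # widening the rule to every .cfg in the tree.
  - path_regex: ^(secrets|plaintext)/[^/]+\.(yaml|cfg)$
    key_groups:
      - age:
          - *host_example
          - *user_admin
```

After adding a new host's key to `keys:` and to a rule, existing encrypted files are still only readable by the old recipients; that is what `sops updatekeys secrets/example.yaml` fixes, by re-wrapping the data key for the updated recipient list without touching the plaintext. Keeping the `plaintext/` staging directory in `.gitignore` is an assumption of this example, not something the page states.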
👷 CI/CD coverage
Currently, this repository houses 2 workflows, which are executed when pushing to the v2 branch.
↪️ Nix: check for unused code
This workflow can be found in `.github/workflows/deadnix.yml`, and should be pretty self-explanatory.
Here's what it does:
- Checks out current branch
- Finds any unused variables/imports etc...
- Creates a new commit, instantly removing any unused code
↪️ Nix: validate flake
This workflow can be found in `.github/workflows/validate.yml`. It simply validates a flake using `nix flake check`.
To be specific, it does the following:
- Checks out current branch
- Installs nix with some experimental features (flakes, nix-command, recursive-nix, pipe-operator)
- Runs `nix flake check` on the codebase
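The three steps above map onto a short GitHub Actions file. The workflow below is an added example written to match that description; it is not the repository's actual `.github/workflows/validate.yml`. The choice of `cachix/install-nix-action` as the installer and the `ubuntu-latest` runner are assumptions. Nix spells the pipe operator feature `pipe-operators` (plural), so that is what the config line uses.

```yaml
# Added example (assumed layout of a validate workflow, not the repo's own file).
name: "Nix: validate flake"

on:
  push:
    branches: [v2]

# This job only reads the checkout and runs checks, so the GITHUB_TOKEN
# is restricted to read access. A workflow that pushes commits (such as
# the deadnix one described above) would need `contents: write` instead.
permissions:
  contents: read

jobs:
  validate:
    name: Validate x86_64-linux
    runs-on: ubuntu-latest
    steps:
      - name: Check out current branch
        uses: actions/checkout@v4

      - name: Install Nix with the experimental features the flake needs
        uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            experimental-features = nix-command flakes recursive-nix pipe-operators

      - name: Run nix flake check on the codebase
        # --accept-flake-config mirrors the deploy commands above, since the
        # flake's nixConfig is otherwise ignored on a fresh runner.
        run: nix flake check --accept-flake-config
```

The `@v4` / `@v27` tags are the conventional mutable references; for a repository that builds host configurations in CI it is common to pin these to a full commit SHA so that a tag move upstream cannot change what runs against the tree.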
📝 Goals and improvements
The main goals of this rewritten flake are:
- using flake-parts in place of Snowfall lib
- significantly improving the re-usability of all modules
- avoiding anti-patterns, such as `with lib; with lib.${namespace};`
- improved secrets management
- keeping external assets closer to their related nix file, e.g. wallpapers in the desktop modules folder
🏗️ Structure
The structure this flake aims to build on is relatively simple to grasp.
```text
flake.nix   --> The flake.
/systems    --> NixOS configurations for various types of systems, using easy-hosts.
/modules    --> Modules that are mapped to their corresponding easy-hosts class (and home modules).
  /nixos    --> (example) Modules specific to the nixos class configured in easy-hosts.
/homes      --> Directory for home-manager configurations, not specific to the system type.
/lib        --> A place for custom lib attributes exposed on the flake namespace (lib.puzzlevision.mkOpt).
(more...)   --> Additional directories have been considered (e.g. shells), but as of right now, they serve no use to me.
```
🎨 Credits
Parts of this flake were inspired by the likes of:
and documentation such as:
Many thanks for their hard work!