-rw-r--r--flake.nix15
-rw-r--r--flake/ci.nix8
-rw-r--r--flake/configs.nix28
-rw-r--r--flake/default.nix1
-rw-r--r--flake/dev.nix4
-rw-r--r--hosts/atlas/default.nix46
-rw-r--r--hosts/common.nix87
-rw-r--r--hosts/default.nix248
-rw-r--r--hosts/p-body/default.nix42
-rw-r--r--modules/server/default.nix25
-rw-r--r--modules/server/secrets.nix25
-rw-r--r--modules/server/services/default.nix5
-rw-r--r--modules/server/services/hercules.nix61
-rw-r--r--secrets/hosts/atlas/userPassword.age (renamed from secrets/hosts/atlas/atlasPassword.age)0
-rw-r--r--secrets/hosts/p-body/userPassword.age (renamed from secrets/hosts/p-body/pbodyPassword.age)bin666 -> 666 bytes
-rw-r--r--secrets/secrets.nix4
-rw-r--r--users/default.nix34
17 files changed, 340 insertions, 293 deletions
diff --git a/flake.nix b/flake.nix
index ff7040d..a7f3b06 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,7 +6,7 @@
"https://getchoo.cachix.org" # personal cache
"https://nix-community.cachix.org" # nix-community
"https://hercules-ci.cachix.org" # hercules-ci
- "https://wurzelpfropf.cachix.org" # rage-nix
+ "https://wurzelpfropf.cachix.org" # ragenix
];
extra-trusted-public-keys = [
"getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
@@ -19,12 +19,11 @@
inputs = {
nixpkgs.url = "nixpkgs/nixos-22.11";
nixpkgsUnstable.url = "nixpkgs/nixos-unstable";
- # this is just to avoid having multiple versions in flake.lock
flake-compat = {
url = "github:edolstra/flake-compat";
flake = false;
};
- # ditto
+ # this is just to avoid having multiple versions in flake.lock
flake-utils.url = "github:numtide/flake-utils";
flake-parts = {
url = "github:hercules-ci/flake-parts";
@@ -93,6 +92,12 @@
};
};
- outputs = inputs @ {flake-parts, ...}:
- flake-parts.lib.mkFlake {inherit inputs;} {imports = [./flake];};
+ outputs = inputs:
+ inputs.flake-parts.lib.mkFlake {inherit inputs;} {
+ imports = [
+ ./flake
+ ./hosts
+ ./users
+ ];
+ };
}
diff --git a/flake/ci.nix b/flake/ci.nix
index 3959260..91dc397 100644
--- a/flake/ci.nix
+++ b/flake/ci.nix
@@ -1,6 +1,6 @@
{
- inputs,
self,
+ inputs,
...
}: let
inherit (inputs) hercules-ci-effects nixpkgs;
@@ -20,7 +20,11 @@ in {
};
herculesCI = let
- inherit (import (hercules-ci-effects + "/vendor/hercules-ci-agent/default-herculesCI-for-flake.nix")) flakeToOutputs;
+ inherit
+ (import
+ (hercules-ci-effects + "/vendor/hercules-ci-agent/default-herculesCI-for-flake.nix"))
+ flakeToOutputs
+ ;
in rec {
ciSystems = [
"x86_64-linux"
diff --git a/flake/configs.nix b/flake/configs.nix
deleted file mode 100644
index 9660616..0000000
--- a/flake/configs.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- inputs,
- self,
- ...
-}: let
- inherit (inputs) nixinate openwrt-imagebuilder;
- inherit ((inputs.getchoo.lib inputs).configs) mapHMUsers mapHosts;
-in {
- flake = {
- nixosConfigurations = mapHosts ../hosts;
-
- nixosModules.getchoo = import ../modules;
- };
-
- perSystem = {
- pkgs,
- system,
- ...
- }: {
- apps = (nixinate.nixinate.${system} self).nixinate;
-
- legacyPackages.homeConfigurations = mapHMUsers system ../users;
-
- packages = {
- turret = pkgs.callPackage ../hosts/_turret {inherit openwrt-imagebuilder;};
- };
- };
-}
diff --git a/flake/default.nix b/flake/default.nix
index a479898..29c6c63 100644
--- a/flake/default.nix
+++ b/flake/default.nix
@@ -1,6 +1,5 @@
_: {
imports = [
- ./configs.nix
./ci.nix
./dev.nix
];
diff --git a/flake/dev.nix b/flake/dev.nix
index 700c795..223f1d8 100644
--- a/flake/dev.nix
+++ b/flake/dev.nix
@@ -3,7 +3,7 @@
inputs,
...
}: let
- inherit (inputs) pre-commit-hooks ragenix;
+ inherit (inputs) pre-commit-hooks;
in {
perSystem = {
pkgs,
@@ -12,7 +12,7 @@ in {
}: {
checks = {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
- src = ./.;
+ src = ./..;
hooks = {
actionlint.enable = true;
alejandra.enable = true;
diff --git a/hosts/atlas/default.nix b/hosts/atlas/default.nix
index 69390a5..d8e4077 100644
--- a/hosts/atlas/default.nix
+++ b/hosts/atlas/default.nix
@@ -1,15 +1,19 @@
{
config,
- hercules-ci-agent,
pkgs,
...
}: {
imports = [
./hardware-configuration.nix
- hercules-ci-agent.nixosModules.agent-service
];
- getchoo.server.enable = true;
+ _module.args.nixinate = {
+ host = "164.152.17.183";
+ sshUser = "root";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
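Review bot: `sshUser = "root"` together with `buildOn = "remote"` means every deploy needs root SSH login enabled on 164.152.17.183 and runs the remote build as root; this host already defines a wheel user with `openssh` keys further down the file (outside this hunk), so deploying as that user with sudo would let `PermitRootLogin` be turned off. `hermetic = false` also, per nixinate's option naming, makes the deploy use whatever `nix` the target has rather than the flake's pinned one, which is acceptable but undocumented. A short comment would make both trade-offs explicit: `# deploy path requires root ssh login and the target's own nix (non-hermetic)`. These lines were moved from hosts/default.nix rather than newly written, but the host file is now where a reader will look for them.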
boot = {
cleanTmpDir = true;
@@ -17,41 +21,7 @@
loader.efi.canTouchEfiVariables = true;
};
- environment.systemPackages = [
- hercules-ci-agent.packages.aarch64-linux.hercules-ci-cli
- ];
-
networking.hostName = "atlas";
- nix = {
- settings = {
- trusted-users = ["atlas" "nix-ssh"];
- trusted-substituters = [
- "https://getchoo.cachix.org"
- "https://nix-community.cachix.org"
- "https://hercules-ci.cachix.org"
- "https://wurzelpfropf.cachix.org"
- ];
-
- trusted-public-keys = [
- "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
- "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
- ];
- };
- };
-
- services = {
- hercules-ci-agent = {
- enable = true;
- settings = {
- binaryCachesPath = config.age.secrets.binaryCache.path;
- clusterJoinTokenPath = config.age.secrets.clusterToken.path;
- secretsJsonPath = config.age.secrets.secretsJson.path;
- };
- };
- };
-
system.stateVersion = "22.11";
users.users = let
@@ -64,7 +34,7 @@
extraGroups = ["wheel"];
isNormalUser = true;
shell = pkgs.bash;
- passwordFile = config.age.secrets.atlasPassword.path;
+ passwordFile = config.age.secrets.userPassword.path;
inherit openssh;
};
};
diff --git a/hosts/common.nix b/hosts/common.nix
new file mode 100644
index 0000000..df9e6f0
--- /dev/null
+++ b/hosts/common.nix
@@ -0,0 +1,87 @@
+{
+ inputs,
+ self,
+}: let
+ inherit (inputs) getchoo home-manager nixpkgs nixpkgsUnstable nur ragenix;
+in {
+ personal = {
+ system = "x86_64-linux";
+ builder = nixpkgsUnstable.lib.nixosSystem;
+
+ dir = ./.;
+
+ modules = [
+ ragenix.nixosModules.default
+ home-manager.nixosModules.home-manager
+ nur.nixosModules.nur
+
+ self.nixosModules.getchoo
+ ../users/seth
+
+ {
+ age = {
+ identityPaths = ["/etc/age/key"];
+ secrets = let
+ baseDir = "${self}/secrets/shared";
+ in {
+ rootPassword.file = "${baseDir}/rootPassword.age";
+ sethPassword.file = "${baseDir}/sethPassword.age";
+ };
+ };
+
+ nixpkgs = {
+ overlays = [nur.overlay getchoo.overlays.default];
+ config.allowUnfree = true;
+ };
+
+ nix = {
+ registry = {
+ getchoo.flake = getchoo;
+ nixpkgs.flake = nixpkgsUnstable;
+ };
+
+ settings = {
+ trusted-substituters = [
+ "https://getchoo.cachix.org"
+ "https://nix-community.cachix.org"
+ "https://hercules-ci.cachix.org"
+ "https://wurzelpfropf.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
+ "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
+ ];
+ };
+ };
+
+ getchoo.nixos.enable = true;
+ system.stateVersion = "23.05";
+ }
+ ];
+
+ specialArgs = inputs;
+ };
+
+ server = {
+ builder = nixpkgs.lib.nixosSystem;
+
+ dir = ./.;
+
+ modules = [
+ ragenix.nixosModules.default
+ ../modules/base
+ ../modules/nixos
+ ../modules/server
+
+ {
+ getchoo.server.enable = true;
+ nix.registry.nixpkgs.flake = nixpkgs;
+ }
+ ];
+
+ specialArgs = inputs;
+ };
+}
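Review bot: `system.stateVersion = "23.05"` is pinned inside the shared `personal` profile, so bumping it for a future machine would silently change the stateVersion of every existing personal host; it belongs in each host's own file, as atlas and p-body already do for the server profile. `age.identityPaths = ["/etc/age/key"]` is restated here and again in modules/server/secrets.nix, and the two can drift; a single small age module shared by both profiles would avoid that. The server profile sets `getchoo.server.enable = true` but leaves `getchoo.server.secrets.enable` to each host, which is fine but worth a comment such as `# secrets.enable is set per host so a server can be built without an age key` so the asymmetry is not mistaken for an omission.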
diff --git a/hosts/default.nix b/hosts/default.nix
index 60e84e9..78dfb4f 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -1,191 +1,95 @@
-inputs:
-with inputs; let
- common = {
- system = "x86_64-linux";
- builder = nixpkgsUnstable.lib.nixosSystem;
-
- modules = [
- ragenix.nixosModules.default
- home-manager.nixosModules.home-manager
- nur.nixosModules.nur
-
- self.nixosModules.getchoo
- "${self}/users/seth"
-
- {
- age = {
- identityPaths = ["/etc/age/key"];
- secrets = {
- rootPassword.file = "${self}/secrets/shared/rootPassword.age";
- sethPassword.file = "${self}/secrets/shared/sethPassword.age";
- };
- };
-
- nixpkgs = {
- overlays = [nur.overlay getchoo.overlays.default];
- config.allowUnfree = true;
- };
-
- nix = {
- registry = {
- getchoo.flake = getchoo;
- nixpkgs.flake = nixpkgsUnstable;
- };
-
- settings = {
- trusted-substituters = [
- "https://getchoo.cachix.org"
- "https://nix-community.cachix.org"
- "https://hercules-ci.cachix.org"
- "https://wurzelpfropf.cachix.org"
+{
+ inputs,
+ self,
+ ...
+}: let
+ inherit (import ./common.nix {inherit inputs self;}) personal server;
+in {
+ flake = {
+ nixosConfigurations = {
+ glados = with personal;
+ builder {
+ inherit specialArgs system;
+ modules = with inputs;
+ modules
+ ++ [
+ ./glados
+ nixos-hardware.nixosModules.common-cpu-amd-pstate
+ nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
+ nixos-hardware.nixosModules.common-pc-ssd
+ lanzaboote.nixosModules.lanzaboote
];
+ };
- trusted-public-keys = [
- "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
- "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
+ glados-wsl = with personal;
+ builder {
+ inherit specialArgs system;
+ modules = with inputs;
+ modules
+ ++ [
+ ./glados-wsl
+ nixos-wsl.nixosModules.wsl
];
- };
};
- getchoo.nixos.enable = true;
- system.stateVersion = "23.05";
- }
- ];
+ atlas = with server;
+ builder {
+ inherit specialArgs;
+ system = "aarch64-linux";
+ modules = with inputs;
+ modules
+ ++ [
+ ./atlas
+ hercules-ci-agent.nixosModules.agent-service
- specialArgs = {};
- };
-in {
- glados = {
- inherit (common) builder specialArgs system;
- modules =
- common.modules
- ++ [
- nixos-hardware.nixosModules.common-cpu-amd-pstate
- nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
- nixos-hardware.nixosModules.common-pc-ssd
- lanzaboote.nixosModules.lanzaboote
- ];
- };
- glados-wsl = {
- inherit (common) builder specialArgs system;
- modules =
- common.modules
- ++ [
- nixos-wsl.nixosModules.wsl
- ];
- };
- atlas = {
- builder = nixpkgs.lib.nixosSystem;
- inherit (common) specialArgs;
- system = "aarch64-linux";
-
- modules = [
- ragenix.nixosModules.default
- "${self}/modules/base"
- "${self}/modules/nixos"
- "${self}/modules/server"
-
- {
- age = let
- hercArgs = {
- mode = "400";
- owner = "hercules-ci-agent";
- group = "hercules-ci-agent";
- };
- in {
- identityPaths = ["/etc/age/key"];
- secrets = {
- rootPassword.file = "${self}/secrets/hosts/atlas/rootPassword.age";
- atlasPassword.file = "${self}/secrets/hosts/atlas/atlasPassword.age";
-
- binaryCache =
{
- file = "${self}/secrets/hosts/atlas/binaryCache.age";
+ getchoo.server = {
+ secrets.enable = true;
+ services.hercules-ci = {
+ enable = true;
+ secrets.enable = true;
+ };
+ };
}
- // hercArgs;
+ ];
+ };
- clusterToken =
- {
- file = "${self}/secrets/hosts/atlas/clusterToken.age";
- }
- // hercArgs;
+ p-body = with server;
+ builder {
+ inherit specialArgs;
+ modules = with inputs;
+ modules
+ ++ [
+ ./p-body
+ hercules-ci-agent.nixosModules.agent-service
+ guzzle_api.nixosModules.guzzle_api
- secretsJson =
{
- file = "${self}/secrets/hosts/atlas/secretsJson.age";
+ getchoo.server = {
+ secrets.enable = true;
+ services.hercules-ci = {
+ enable = true;
+ secrets.enable = true;
+ };
+ };
}
- // hercArgs;
- };
+ ];
+ system = "x86_64-linux";
};
+ };
- nix.registry.nixpkgs.flake = nixpkgs;
-
- _module.args.nixinate = {
- host = "164.152.17.183";
- sshUser = "root";
- buildOn = "remote";
- substituteOnTarget = true;
- hermetic = false;
- };
- }
- ];
+ nixosModules.getchoo = import ../modules;
};
- p-body = {
- builder = nixpkgs.lib.nixosSystem;
- inherit (common) specialArgs system;
-
- modules = [
- ragenix.nixosModules.default
- guzzle_api.nixosModules.guzzle_api
- "${self}/modules/base"
- "${self}/modules/nixos"
- "${self}/modules/server"
-
- {
- age = let
- hercArgs = {
- mode = "400";
- owner = "hercules-ci-agent";
- group = "hercules-ci-agent";
- };
- in {
- identityPaths = ["/etc/age/key"];
- secrets = {
- rootPassword.file = "${self}/secrets/hosts/p-body/rootPassword.age";
- pbodyPassword.file = "${self}/secrets/hosts/p-body/pbodyPassword.age";
-
- binaryCache =
- {
- file = "${self}/secrets/hosts/p-body/binaryCache.age";
- }
- // hercArgs;
- clusterToken =
- {
- file = "${self}/secrets/hosts/p-body/clusterToken.age";
- }
- // hercArgs;
+ perSystem = {
+ pkgs,
+ system,
+ ...
+ }: {
+ apps = (inputs.nixinate.nixinate.${system} self).nixinate;
- secretsJson =
- {
- file = "${self}/secrets/hosts/p-body/secretsJson.age";
- }
- // hercArgs;
- };
- };
-
- nix.registry.nixpkgs.flake = nixpkgs;
-
- _module.args.nixinate = {
- host = "167.99.145.73";
- sshUser = "root";
- buildOn = "remote";
- substituteOnTarget = true;
- hermetic = false;
- };
- }
- ];
+ packages = {
+ turret = pkgs.callPackage ./_turret {inherit (inputs) openwrt-imagebuilder;};
+ };
};
}
diff --git a/hosts/p-body/default.nix b/hosts/p-body/default.nix
index 1cb6acb..56ba2a6 100644
--- a/hosts/p-body/default.nix
+++ b/hosts/p-body/default.nix
@@ -1,40 +1,23 @@
{
config,
guzzle_api,
- hercules-ci-agent,
modulesPath,
pkgs,
...
}: {
imports = [
(modulesPath + "/virtualisation/digital-ocean-image.nix")
- hercules-ci-agent.nixosModules.agent-service
];
- getchoo.server.enable = true;
-
- environment.systemPackages = [
- hercules-ci-agent.packages.x86_64-linux.hercules-ci-cli
- ];
+ _module.args.nixinate = {
+ host = "167.99.145.73";
+ sshUser = "root";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
networking.hostName = "p-body";
- nix.settings = {
- trusted-substituters = [
- "https://getchoo.cachix.org"
- "https://nix-community.cachix.org"
- "https://hercules-ci.cachix.org"
- "https://wurzelpfropf.cachix.org"
- ];
-
- trusted-public-keys = [
- "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
- "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
- ];
-
- trusted-users = ["p-body"];
- };
services = {
#caddy = {
@@ -108,15 +91,6 @@
# };
#};
- hercules-ci-agent = {
- enable = true;
- settings = {
- binaryCachesPath = config.age.secrets.binaryCache.path;
- clusterJoinTokenPath = config.age.secrets.clusterToken.path;
- secretsJsonPath = config.age.secrets.secretsJson.path;
- };
- };
-
guzzle-api = {
enable = true;
url = "http://167.99.145.73";
@@ -143,7 +117,7 @@
extraGroups = ["wheel"];
isNormalUser = true;
shell = pkgs.bash;
- passwordFile = config.age.secrets.pbodyPassword.path;
+ passwordFile = config.age.secrets.userPassword.path;
inherit openssh;
};
};
diff --git a/modules/server/default.nix b/modules/server/default.nix
index cce7625..9692a82 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -9,6 +9,11 @@
in {
options.getchoo.server.enable = mkEnableOption "enable server configuration";
+ imports = [
+ ./secrets.nix
+ ./services
+ ];
+
config = mkIf cfg.enable {
getchoo = {
base = {
@@ -34,7 +39,25 @@ in {
};
};
- nix.gc.options = "--delete-older-than 7d --max-freed 50G";
+ nix = {
+ gc.options = "--delete-older-than 7d --max-freed 50G";
+ settings = {
+ trusted-users = ["${config.networking.hostName}"];
+ trusted-substituters = [
+ "https://getchoo.cachix.org"
+ "https://nix-community.cachix.org"
+ "https://hercules-ci.cachix.org"
+ "https://wurzelpfropf.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
+ "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
+ ];
+ };
+ };
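Review bot: `trusted-users = ["${config.networking.hostName}"]` grants a root-equivalent capability (a trusted user may set any daemon option, including disabling signature checks, and import unsigned paths) to whichever account happens to share the host's name, and it silently drops `nix-ssh` from atlas's previous `["atlas" "nix-ssh"]`, so any ssh-ng or nix-serve use of that account loses trust with this commit. Make the grant explicit rather than derived: an option like `getchoo.server.trustedUsers` defaulting to `[config.networking.hostName]`, or at minimum the comment `# trusted-users is root-equivalent; the admin user is assumed to be named after the host`. The quoting in `"${config.networking.hostName}"` is redundant; `[config.networking.hostName]` reads cleaner. The enclosing `config = mkIf cfg.enable { … }` starts outside this hunk.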
programs = {
git.enable = mkDefault true;
diff --git a/modules/server/secrets.nix b/modules/server/secrets.nix
new file mode 100644
index 0000000..c0290cd
--- /dev/null
+++ b/modules/server/secrets.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ self,
+ ...
+}: let
+ cfg = config.getchoo.server.secrets;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.getchoo.server.secrets = {
+ enable = mkEnableOption "enable secret management";
+ };
+
+ config.age = let
+ baseDir = "${self}/secrets/hosts/${config.networking.hostName}";
+ in
+ mkIf cfg.enable {
+ identityPaths = ["/etc/age/key"];
+
+ secrets = {
+ rootPassword.file = "${baseDir}/rootPassword.age";
+ userPassword.file = "${baseDir}/userPassword.age";
+ };
+ };
+}
diff --git a/modules/server/services/default.nix b/modules/server/services/default.nix
new file mode 100644
index 0000000..68271b1
--- /dev/null
+++ b/modules/server/services/default.nix
@@ -0,0 +1,5 @@
+_: {
+ imports = [
+ ./hercules.nix
+ ];
+}
diff --git a/modules/server/services/hercules.nix b/modules/server/services/hercules.nix
new file mode 100644
index 0000000..782e5a8
--- /dev/null
+++ b/modules/server/services/hercules.nix
@@ -0,0 +1,61 @@
+{
+ config,
+ hercules-ci-agent,
+ lib,
+ pkgs,
+ self,
+ ...
+}: let
+ cfg = config.getchoo.server.services.hercules-ci;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.getchoo.server.services.hercules-ci = {
+ enable = mkEnableOption "enable hercules-ci";
+ secrets.enable = mkEnableOption "manage secrets for hercules-ci";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets = let
+ baseDir = "${self}/secrets/hosts/${config.networking.hostName}";
+ hercArgs = {
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ };
+ in
+ mkIf cfg.secrets.enable {
+ binaryCache =
+ {
+ file = "${baseDir}/binaryCache.age";
+ }
+ // hercArgs;
+
+ clusterToken =
+ {
+ file = "${baseDir}/clusterToken.age";
+ }
+ // hercArgs;
+
+ secretsJson =
+ {
+ file = "${baseDir}/secretsJson.age";
+ }
+ // hercArgs;
+ };
+
+ environment.systemPackages = [
+ hercules-ci-agent.packages.${pkgs.stdenv.hostPlatform.system}.hercules-ci-cli
+ ];
+
+ services = {
+ hercules-ci-agent = {
+ enable = true;
+ settings = {
+ binaryCachesPath = config.age.secrets.binaryCache.path;
+ clusterJoinTokenPath = config.age.secrets.clusterToken.path;
+ secretsJsonPath = config.age.secrets.secretsJson.path;
+ };
+ };
+ };
+ };
+}
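Review bot: The `secrets.enable` sub-option cannot actually be turned off: `age.secrets` is gated on `cfg.secrets.enable`, but the three `*Path` settings read `config.age.secrets.binaryCache.path` and friends unconditionally, so with `secrets.enable = false` evaluation fails on the missing attribute instead of producing an agent without managed secrets. Gate the settings the same way, `settings = mkIf cfg.secrets.enable { … };`, or drop the sub-option and document that the agent always needs the three files. Separately, `age.identityPaths` is only set when `getchoo.server.secrets.enable` is on (modules/server/secrets.nix), so this module depends on that toggle without saying so; an `assertions` entry or the comment `# requires getchoo.server.secrets.enable for age.identityPaths` would surface the coupling. The `mode = "400"` / agent ownership on the join token and secrets JSON is correct and should stay.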
diff --git a/secrets/hosts/atlas/atlasPassword.age b/secrets/hosts/atlas/userPassword.age
index 18d5bb5..18d5bb5 100644
--- a/secrets/hosts/atlas/atlasPassword.age
+++ b/secrets/hosts/atlas/userPassword.age
diff --git a/secrets/hosts/p-body/pbodyPassword.age b/secrets/hosts/p-body/userPassword.age
index e11140a..e11140a 100644
--- a/secrets/hosts/p-body/pbodyPassword.age
+++ b/secrets/hosts/p-body/userPassword.age
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0087acc..a7602ab 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,13 +11,13 @@ in {
"shared/sethPassword.age".publicKeys = main;
"hosts/atlas/rootPassword.age".publicKeys = keys;
- "hosts/atlas/atlasPassword.age".publicKeys = keys;
+ "hosts/atlas/userPassword.age".publicKeys = keys;
"hosts/atlas/binaryCache.age".publicKeys = keys;
"hosts/atlas/clusterToken.age".publicKeys = keys;
"hosts/atlas/secretsJson.age".publicKeys = keys;
"hosts/p-body/rootPassword.age".publicKeys = keys;
- "hosts/p-body/pbodyPassword.age".publicKeys = keys;
+ "hosts/p-body/userPassword.age".publicKeys = keys;
"hosts/p-body/binaryCache.age".publicKeys = keys;
"hosts/p-body/clusterToken.age".publicKeys = keys;
"hosts/p-body/secretsJson.age".publicKeys = keys;
diff --git a/users/default.nix b/users/default.nix
index 3fe9d4a..3fba13c 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -1,11 +1,29 @@
-system: inputs:
-with inputs; {
- seth = {
- pkgs = import nixpkgsUnstable {
- inherit system;
- overlays = [nur.overlay getchoo.overlays.default];
+{inputs, ...}: let
+ inherit (inputs) getchoo home-manager nixpkgsUnstable nur;
+in {
+ perSystem = {system, ...}: {
+ legacyPackages.homeConfigurations = let
+ inherit (home-manager.lib) homeManagerConfiguration;
+ modules = [
+ {
+ programs.home-manager.enable = true;
+ }
+ ];
+
+ extraSpecialArgs = inputs;
+
+ pkgs = import nixpkgsUnstable {
+ inherit system;
+ overlays = [nur.overlay getchoo.overlays.default];
+ };
+
+ mkHMUser = username:
+ homeManagerConfiguration {
+ inherit pkgs extraSpecialArgs;
+ modules = modules ++ ["./${username}"];
+ };
+ in {
+ seth = mkHMUser "seth";
};
- modules = [];
- extraSpecialArgs = {};
};
}
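Review bot: `modules ++ ["./${username}"]` builds a string, not a path, so home-manager's module loader is handed the relative string `"./seth"`; in my reading Nix rejects importing that with "string './seth' doesn't represent an absolute path", and nothing visible here resolves it relative to this file (the removed `mapHMUsers` helper presumably built real paths). Use a path value instead: `modules = modules ++ [(./. + "/${username}")];`. A one-line comment on `mkHMUser`, `# username must match a directory under users/`, would also state the contract this function relies on.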