fixups

.sops.yaml

@@ -8,6 +8,12 @@ keys:
 
 creation_rules:
 
+  - path_regex: hosts/loki/secrets.ya?ml$
+    key_groups:
+    - age:
+      - *loki
+      pgp:
+      - *gburd
   - path_regex: hosts/common/secrets.ya?ml$
     key_groups:
     - age:

flake.lock

@@ -182,16 +182,15 @@
         ]
       },
       "locked": {
-        "lastModified": 1685599623,
-        "narHash": "sha256-Tob4CMOVHue0D3RzguDBCtUmX5ji2PsdbQDbIOIKvsc=",
+        "lastModified": 1695191928,
+        "narHash": "sha256-yXUtJZQweg6v9G5fXStqkVNwxT4Xf+cux37yBVpaYCY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "93db05480c0c0f30382d3e80779e8386dcb4f9dd",
+        "rev": "0ed5f9786bba801c59fb53eef497438040acd471",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-23.05",
         "repo": "home-manager",
         "type": "github"
       }
@@ -298,16 +297,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1686431482,
-        "narHash": "sha256-oPVQ/0YP7yC2ztNsxvWLrV+f0NQ2QAwxbrZ+bgGydEM=",
+        "lastModified": 1694959747,
+        "narHash": "sha256-CXQ2MuledDVlVM5dLC4pB41cFlBWxRw4tCBsFrq3cRk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d3bb401dcfc5a46ce51cdfb5762e70cc75d082d2",
+        "rev": "970a59bd19eff3752ce552935687100c46e820a5",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-23.05",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,7 +2,7 @@
   description = "My (Greg Burd's) NixOS configuration";
 
    inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; #nixos-unstable
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 
     hardware.url = "github:nixos/nixos-hardware";
     impermanence.url = "github:nix-community/impermanence";
@@ -14,7 +14,7 @@
       inputs.nixpkgs-stable.follows = "nixpkgs";
     };
     home-manager = {
-      url = "github:nix-community/home-manager/release-23.05";
+      url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nh = {
@@ -49,6 +49,7 @@
       inherit lib;
       nixosModules = import ./modules/nixos;
       homeManagerModules = import ./modules/home-manager;
+      templates = import ./templates;
 
       overlays = import ./overlays { inherit inputs outputs; };
       hydraJobs = import ./hydra.nix { inherit inputs outputs; };

hosts/common/optional/encrypted-root.nix

@@ -2,14 +2,6 @@
 let hostname = config.networking.hostName;
 in {
   boot.initrd = {
-    # Enable swap on luks
-    luks.devices."luks-3b6dddfd-5390-441f-a72d-a3b2809204df".device = "/dev/disk/by-uuid/3b6dddfd-5390-441f-a72d-a3b2809204df";
-
-    # Setup encrypted root keyfile
-    luks.devices."luks-3b6dddfd-5390-441f-a72d-a3b2809204df".keyFile = "/crypto_keyfile.bin";
-    secrets = {
-      "/crypto_keyfile.bin" = null;
+    luks.devices."${hostname}".device = "/dev/disk/by-label/${hostname}_crypt";
     };
-  };
-
 }

hosts/common/users/gburd/default.nix

@@ -5,7 +5,7 @@ in
   users.mutableUsers = false;
   users.users.gburd = {
     isNormalUser = true;
-    shell = pkgs.bash;
+    shell = pkgs.fish;
     extraGroups = [
       "wheel"
       "video"

hosts/loki/hardware-configuration.nix

@@ -1,15 +1,14 @@
 {
   imports = [
+    ../common/optional/ephemeral-btrfs.nix
     ../common/optional/encrypted-root.nix
   ];
 
   boot = {
     initrd = {
       availableKernelModules = [ "ahci" "xhci_pci" "nvme" "thunderbolt" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-      luks.devices."luks-fae33851-b8d8-430b-8c6a-cd18675b8252".device = "/dev/disk/by-uuid/fae33851-b8d8-430b-8c6a-cd18675b8252";
+      kernelModules = [ "kvm-amd" ];
     };
-    kernelModules = [ "kvm-intel" ];
-    extraModulePackages = [ ];
     loader = {
       systemd-boot = {
         enable = true;
@@ -19,21 +18,19 @@
     };
   };
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/88c63d59-2b86-4336-b8c7-1a4e6da1b443";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/2EF0-3AA5";
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/disk/by-label/ESP";
       fsType = "vfat";
     };
+  };
 
   swapDevices = [{
-    device = "/dev/disk/by-uuid/e7cc3e9c-2acc-4bbd-bc2f-a67a08a94db7";
+    device = "/swap/swapfile";
+    size = 8196;
   }];
 
   nixpkgs.hostPlatform.system = "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = true;
+  hardware.cpu.amd.updateMicrocode = true;
   powerManagement.cpuFreqGovernor = "powersave";
 }

hosts/loki/ssh_host_ed25519_key.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdryaTF2JNA+ZhsH1BrUCE7ehgkGCJoUyFb1DJAgZBH

hosts/loki/ssh_host_rsa_key.pub

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB2YjDJmsiUtHkPWE/Y6tqwtVcJaa/fIY7wYViUwn7bF4+OhC3Su7bN1C8TA5fhgpZWrzZXBMh74lrSG8RkbldGPyAThaUrTxVzzYdJmOvGNldynf19zrzprNFfjHvtTUosz7VTd0yEB7Ih/+5bNs7bDP0oKKoXvGruNwN0hdrDC299ocBAjmpLDXs8vSQoveuEEv8zyHJaOq1Fs9rw7IkTxk2Lj06MLzVD4ebKblQMnJ2xbJ5OEn/f+ktu+XKHGHYSgg+3mI+TEKVrle7INuiidY5fixhYFGp+T+Etj+TM02iIKG/7E0mNS+BmbUl0iWi6uS5PJaCkgW0s8VrtT/fP1L0yd0SwgGrmQAqzeoCjlEBUbzrc8YjJgg+FU4e6YY37f2dQ+FJigdGGAukH0VDYWrlnD0flfQ0KEVNnTo6CqmX/g7BBf88y6HF1BHL4sN73WHeC9FveEHBchtgfjBYf9GT8lYQnDSEisHU6C4Saz0BD3QufLDsjuvpMB+7IzYEkQrIQppRhvDT/buidwLzyBv6F9nUvlaAF9xSANLaie7iFkf+NeTFlOgEKxTTsBb8DwPGVeqHWrIfCNUjHeVgCr1FUIxnVMzIuT3osF3r+Z1NtEhNLxIHur0x8CF74m7mv5+n+0F185VPZDQCCn+6P1Zq4MWTyc22QslZRj/d8Q==

nixpkgs.nix

@@ -1,8 +0,0 @@
-# A nixpkgs instance that is grabbed from the pinned nixpkgs commit in the lock file.
-# This is useful to avoid using channels when using legacy nix commands.
-let lock = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.nixpkgs.locked;
-in
-import (fetchTarball {
-  url = "https://github.com/nixos/nixpkgs/archive/${lock.rev}.tar.gz";
-  sha256 = lock.narHash;
-})

templates/c/.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.c]
+ident_style = space
+ident_size = 4
+
+[Makefile*]
+ident_style = tab
+ident_size = 4

templates/c/.gitignore

@@ -0,0 +1,4 @@
+# Nix build
+result
+# make build
+build

templates/c/Makefile

@@ -0,0 +1,42 @@
+PREFIX ?= /usr/local
+BIN_DIR ?= $(PREFIX)/bin
+
+
+TARGET_EXEC ?= foo-bar
+BUILD_DIR ?= ./build
+SRC_DIRS ?= ./src
+
+SRCS := $(shell find $(SRC_DIRS) -name *.cpp -or -name *.c)
+OBJS := $(SRCS:%=$(BUILD_DIR)/%.o)
+DEPS := $(OBJS:.o=.d)
+
+INC_DIRS := $(shell find $(SRC_DIRS) -type d)
+INC_FLAGS := $(addprefix -I,$(INC_DIRS))
+
+CPPFLAGS ?= $(INC_FLAGS) -MMD -MP
+
+$(BUILD_DIR)/$(TARGET_EXEC): $(OBJS)
+	$(CXX) $(OBJS) -o $@ $(LDFLAGS)
+
+# c source
+$(BUILD_DIR)/%.c.o: %.c
+	mkdir -p $(dir $@)
+	$(CC) $(CPPFLAGS) $(CFLAGS) -c $< -o $@
+
+# c++ source
+$(BUILD_DIR)/%.cpp.o: %.cpp
+	mkdir -p $(dir $@)
+	$(CXX) $(CPPFLAGS) $(CXXFLAGS) -c $< -o $@
+
+.PHONY: clean install run
+
+clean:
+	rm -r $(BUILD_DIR)
+
+install: $(BUILD_DIR)/$(TARGET_EXEC)
+	install -Dt $(BIN_DIR) $<
+
+run: $(BUILD_DIR)/$(TARGET_EXEC)
+	./$<
+
+-include $(DEPS)

templates/c/default.nix

@@ -0,0 +1,9 @@
+{ clangStdenv }:
+
+clangStdenv.mkDerivation {
+  pname = "foo-bar";
+  version = "0.1.0";
+
+  src = ./.;
+  makeFlags = [ "PREFIX=$(out)" ];
+}

templates/c/flake.nix

@@ -0,0 +1,30 @@
+{
+  description = "Foo Bar C/C++ Project";
+
+  nixConfig = {
+    extra-substituters = [ "https://cache.m7.rs" ];
+    extra-trusted-public-keys = [ "cache.m7.rs:kszZ/NSwE/TjhOcPPQ16IuUiuRSisdiIwhKZCxguaWg=" ];
+  };
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+  };
+
+  outputs = { self, nixpkgs }:
+    let
+      forAllSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
+      pkgsFor = nixpkgs.legacyPackages;
+    in
+    rec {
+      packages = forAllSystems (system: {
+        default = pkgsFor.${system}.callPackage ./default.nix { };
+      });
+
+      devShells = forAllSystems (system: {
+        default = pkgsFor.${system}.callPackage ./shell.nix { };
+      });
+
+      hydraJobs = packages;
+    };
+}
+

templates/c/shell.nix

@@ -0,0 +1,10 @@
+{ callPackage, clang-tools }:
+
+let
+  mainPkg = callPackage ./default.nix { };
+in
+mainPkg.overrideAttrs (oa: {
+  nativeBuildInputs = [
+    clang-tools
+  ] ++ (oa.nativeBuildInputs or [ ]);
+})

templates/c/src/main.cpp

@@ -0,0 +1,7 @@
+#include <iostream>
+
+int main() {
+  std::cout << "Hello, World!";
+
+  return 0;
+}

templates/default.nix

@@ -0,0 +1,6 @@
+{
+  c.path = ./c;
+  rust.path = ./rust;
+  haskell.path = ./haskell;
+  node.path = ./node;
+}

templates/haskell/.gitignore

@@ -0,0 +1,6 @@
+# nix build
+result
+# cabal build
+dist-newstyle
+# cabal v1-build
+dist

templates/haskell/app/Main.hs

@@ -0,0 +1,6 @@
+module Main where
+
+import FooBar
+
+main :: IO ()
+main = putStrLn fooBar

templates/haskell/default.nix

@@ -0,0 +1,3 @@
+{ haskellPackages }:
+
+haskellPackages.callCabal2nix "foo-bar" ./. { }

templates/haskell/flake.nix

@@ -0,0 +1,30 @@
+{
+  description = "Foo Bar Haskell Project";
+
+  nixConfig = {
+    extra-substituters = [ "https://cache.m7.rs" ];
+    extra-trusted-public-keys = [ "cache.m7.rs:kszZ/NSwE/TjhOcPPQ16IuUiuRSisdiIwhKZCxguaWg=" ];
+  };
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+  };
+
+  outputs = { self, nixpkgs }:
+    let
+      forAllSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
+      pkgsFor = nixpkgs.legacyPackages;
+    in
+    rec {
+      packages = forAllSystems (system: {
+        default = pkgsFor.${system}.callPackage ./default.nix { };
+      });
+
+      devShells = forAllSystems (system: {
+        default = pkgsFor.${system}.callPackage ./shell.nix { };
+      });
+
+      hydraJobs = packages;
+    };
+}
+

templates/haskell/foo-bar.cabal

@@ -0,0 +1,19 @@
+cabal-version:      2.4
+name:               foo-bar
+version:            0.1.0
+license:    MIT
+
+library
+    exposed-modules: FooBar
+    hs-source-dirs:   src
+    default-language: Haskell2010
+    build-depends:
+        base >= 4.15
+
+executable foo-bar
+    main-is:          Main.hs
+    hs-source-dirs:   app
+    default-language: Haskell2010
+    build-depends:
+        base >= 4.15,
+        foo-bar

templates/haskell/shell.nix

@@ -0,0 +1,11 @@
+{ callPackage, haskell-language-server, cabal-install }:
+
+let
+  mainPkg = callPackage ./default.nix { };
+in
+mainPkg.overrideAttrs (oa: {
+  nativeBuildInputs = [
+    cabal-install
+    haskell-language-server
+  ] ++ (oa.nativeBuildInputs or [ ]);
+})

templates/haskell/src/FooBar.hs

@@ -0,0 +1,4 @@
+module FooBar(fooBar) where
+
+fooBar :: String
+fooBar = "Hello, World!"

templates/node/.gitignore

@@ -0,0 +1,3 @@
+result
+build
+node_modules

templates/node/default.nix

@@ -0,0 +1,10 @@
+{ buildNpmPackage }:
+
+buildNpmPackage {
+  pname = "foo-bar";
+  version = "0.1.0";
+
+  src = ./.;
+
+  npmDepsHash = "sha256-ykdiIuGYEUrWitBnV9Z89FZXpnJ3ODms9xiWOEtW+1s=";
+}

templates/node/flake.nix

@@ -0,0 +1,30 @@
+{
+  description = "Foo Bar NodeJS Project";
+
+  nixConfig = {
+    extra-substituters = [ "https://cache.m7.rs" ];
+    extra-trusted-public-keys = [ "cache.m7.rs:kszZ/NSwE/TjhOcPPQ16IuUiuRSisdiIwhKZCxguaWg=" ];
+  };
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+  };
+
+  outputs = { self, nixpkgs }:
+    let
+      forAllSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
+      pkgsFor = nixpkgs.legacyPackages;
+    in
+    rec {
+      packages = forAllSystems (system: {
+        default = pkgsFor.${system}.callPackage ./default.nix { };
+      });
+
+      devShells = forAllSystems (system: {
+        default = pkgsFor.${system}.callPackage ./shell.nix { };
+      });
+
+      hydraJobs = packages;
+    };
+}
+

templates/node/package-lock.json

@@ -0,0 +1,52 @@
+{
+  "name": "foo-bar",
+  "version": "0.1.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "foo-bar",
+      "version": "0.1.0",
+      "license": "MIT",
+      "bin": {
+        "foo-bar": "build/index.js"
+      },
+      "devDependencies": {
+        "@types/node": "^20.1.2",
+        "typescript": "^5.0.4",
+        "typescript-language-server": "^3.3.2"
+      }
+    },
+    "node_modules/@types/node": {
+      "version": "20.1.2",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.1.2.tgz",
+      "integrity": "sha512-CTO/wa8x+rZU626cL2BlbCDzydgnFNgc19h4YvizpTO88MFQxab8wqisxaofQJ/9bLGugRdWIuX/TbIs6VVF6g==",
+      "dev": true
+    },
+    "node_modules/typescript": {
+      "version": "5.0.4",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.0.4.tgz",
+      "integrity": "sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==",
+      "dev": true,
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=12.20"
+      }
+    },
+    "node_modules/typescript-language-server": {
+      "version": "3.3.2",
+      "resolved": "https://registry.npmjs.org/typescript-language-server/-/typescript-language-server-3.3.2.tgz",
+      "integrity": "sha512-jzun53CIkTbpAki0nP+hk5baGW+86SNNlVhyIj2ZUy45zUkCnmoetWuAtfRRQYrlIr8x4QB3ymGJPuwDQSd/ew==",
+      "dev": true,
+      "bin": {
+        "typescript-language-server": "lib/cli.mjs"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    }
+  }
+}

templates/node/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "foo-bar",
+  "version": "0.1.0",
+  "description": "Foo-bar node program",
+  "bin": {
+    "foo-bar": "build/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "start": "npm run build && node build/index.js"
+  },
+  "author": "",
+  "license": "MIT",
+  "devDependencies": {
+    "@types/node": "^20.1.2",
+    "typescript": "^5.0.4",
+    "typescript-language-server": "^3.3.2"
+  }
+}

templates/node/shell.nix

@@ -0,0 +1,16 @@
+{ callPackage, writeShellScriptBin }:
+
+let
+  mainPkg = callPackage ./default.nix { };
+  npxAlias = name: writeShellScriptBin name "npx ${name} \"$@\"";
+in
+mainPkg.overrideAttrs (oa: {
+  nativeBuildInputs = [
+    (npxAlias "tsc")
+    (npxAlias "tsserver")
+  ] ++ (oa.nativeBuildInputs or [ ]);
+
+  shellHook = ''
+    npm install
+  '';
+})

templates/node/src/index.ts

@@ -0,0 +1 @@
+console.log("Hello world!")

templates/node/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "es2016",
+    "lib": ["es6"],
+    "module": "commonjs",
+    "rootDir": "src",
+    "resolveJsonModule": true,
+    "allowJs": true,
+    "outDir": "build",
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "strict": true,
+    "noImplicitAny": true,
+    "skipLibCheck": true
+  }
+}

templates/rust/.gitignore

@@ -0,0 +1,2 @@
+build
+target

templates/rust/Cargo.lock

@@ -0,0 +1,7 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "foo-bar"
+version = "0.1.0"

templates/rust/Cargo.toml

@@ -0,0 +1,5 @@
+[package]
+name = "foo-bar"
+version = "0.1.0"
+license = "MIT"
+edition = "2021"

templates/rust/default.nix

@@ -0,0 +1,9 @@
+{ rustPlatform }:
+
+rustPlatform.buildRustPackage {
+  pname = "foo-bar";
+  version = "0.1.0";
+
+  src = ./.;
+  cargoLock.lockFile = ./Cargo.lock;
+}

templates/rust/flake.nix

@@ -0,0 +1,30 @@
+{
+  description = "Foo Bar Rust Project";
+
+  nixConfig = {
+    extra-substituters = [ "https://cache.m7.rs" ];
+    extra-trusted-public-keys = [ "cache.m7.rs:kszZ/NSwE/TjhOcPPQ16IuUiuRSisdiIwhKZCxguaWg=" ];
+  };
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+  };
+
+  outputs = { self, nixpkgs }:
+    let
+      forAllSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
+      pkgsFor = nixpkgs.legacyPackages;
+    in
+    rec {
+      packages = forAllSystems (system: {
+        default = pkgsFor.${system}.callPackage ./default.nix { };
+      });
+
+      devShells = forAllSystems (system: {
+        default = pkgsFor.${system}.callPackage ./shell.nix { };
+      });
+
+      hydraJobs = packages;
+    };
+}
+

templates/rust/shell.nix

@@ -0,0 +1,13 @@
+{ callPackage, rust-analyzer, rustfmt, clippy }:
+
+let
+  mainPkg = callPackage ./default.nix { };
+in
+mainPkg.overrideAttrs (oa: {
+  nativeBuildInputs = [
+    # Additional rust tooling
+    rust-analyzer
+    rustfmt
+    clippy
+  ] ++ (oa.nativeBuildInputs or [ ]);
+})

templates/rust/src/main.rs

@@ -0,0 +1,3 @@
+fn main() {
+    println!("Hello, world!");
+}