From 038372e847e3eff27a9dee9a20643b7f230a3a23 Mon Sep 17 00:00:00 2001 From: Kat Inskip Date: Sat, 13 Jul 2024 11:46:31 -0700 Subject: [PATCH] feat: attempt to integrate ci from Gensokyo-zone/infrastructure --- .sops.yaml | 12 +++ ci/common.nix | 47 +++++++++++ ci/flake-cron.nix | 61 ++++++++++++++ ci/nix.nix | 8 ++ ci/nodes.nix | 28 +++++++ ci/packages.nix | 17 ++++ ci/secrets.yaml | 96 ++++++++++++++++++++++ flake.lock | 114 +++++++++++++-------------- home/profiles/common/nix.nix | 3 +- home/profiles/graphical/secrets.yaml | 96 ++++++++++++++++++++++ packages/nf-update/default.nix | 10 +++ packages/nf-update/update.sh | 49 ++++++++++++ shells/repo.nix | 3 + 13 files changed, 486 insertions(+), 58 deletions(-) create mode 100644 ci/common.nix create mode 100644 ci/flake-cron.nix create mode 100644 ci/nix.nix create mode 100644 ci/nodes.nix create mode 100644 ci/packages.nix create mode 100644 ci/secrets.yaml create mode 100644 home/profiles/graphical/secrets.yaml create mode 100644 packages/nf-update/default.nix create mode 100644 packages/nf-update/update.sh diff --git a/.sops.yaml b/.sops.yaml index 07100dec..22a6c174 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -27,6 +27,18 @@ creation_rules: - *mei - *mai - *daiyousei +- path_regex: ci/.*\.yaml + shamir_threshold: 1 + key_groups: + - pgp: + - *kat + age: *age_common +- path_regex: home/[^/]+/.*\.yaml + shamir_threshold: 1 + key_groups: + - pgp: + - *kat + age: *age_common - path_regex: nixos/[^/]+/.*\.yaml shamir_threshold: 1 key_groups: diff --git a/ci/common.nix b/ci/common.nix new file mode 100644 index 00000000..9461318c --- /dev/null +++ b/ci/common.nix 
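Review bot: Any single holder of the `*kat` PGP key or of one age key in `*age_common` can decrypt the new `ci/` and `home/` secrets, because each new rule has `shamir_threshold: 1` and a single key group — and the two secrets files added by this patch (a Cachix auth token and a GitHub access token) are indeed encrypted to seven age recipients plus the PGP key. A token that one consumer needs should get its own, narrower recipient list (a dedicated anchor for the CI key under the `ci/.*\.yaml` rule, keeping `age_common` for host-wide material) so that compromise of one host key cannot be turned into cache-push or GitHub API access. Note also that nothing in this patch reads `ci/secrets.yaml`: the workflow in `ci/flake-cron.nix` obtains `CACHIX_SIGNING_KEY` from GitHub Actions repository secrets, so a comment like `# ci/: sops-stored tokens; the Actions workflow uses repository secrets, keep both in sync` would help the next reader. `age_common` is defined outside this hunk, so I am assuming it is the full host list.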
@@ -0,0 +1,47 @@
+{
+ lib,
+ channels,
+ config,
+ ...
+}: {
+ nixpkgs.args = {
+ localSystem = "x86_64-linux";
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ ci = {
+ version = "v0.7";
+ gh-actions = {
+ enable = true;
+ };
+ };
+
+ /*nix.config = {
+ extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
+ #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
+ };*/
+
+ channels = {
+ nixfiles.path = ../.;
+ nixpkgs.path = "${channels.nixfiles.inputs.nixpkgs}";
+ };
+
+ ci.gh-actions.checkoutOptions = {
+ submodules = false;
+ };
+
+ cache.cachix = {
+ arc = {
+ enable = true;
+ publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
+ signingKey = null;
+ };
+ kittywitch = {
+ enable = true;
+ publicKey = "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=";
+ signingKey = "mewp";
+ };
+ };
+}
diff --git a/ci/flake-cron.nix b/ci/flake-cron.nix
new file mode 100644
index 00000000..b2d3d399
--- /dev/null
+++ b/ci/flake-cron.nix
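Review bot: `signingKey = "mewp"` under `cache.cachix.kittywitch` is a literal committed into the config rather than a real key or a reference to the `CACHIX_SIGNING_KEY` secret that `ci/flake-cron.nix` injects through the environment; if the ci framework treats this option as the actual signing key, pushes would be signed with garbage or rejected, and if it is a placeholder it should say so. Either set it to `null` as the `arc` entry does and rely on the environment variable, or add `# signing key is supplied via CACHIX_SIGNING_KEY in the workflow env, not here`. The `arc` cache is enabled with its public key pinned, which is the right shape — every substituter listed here becomes trusted input for CI builds — so a short comment on where the two `publicKey` values were obtained would let a reviewer verify them.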
@@ -0,0 +1,61 @@
+{
+ lib,
+ channels,
+ config,
+ ...
+}:
+with lib; let
+ pkgs = channels.nixpkgs;
+in {
+ imports = [ ./common.nix ];
+ config = {
+ name = "flake-update";
+
+ gh-actions = {
+ env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
+ on = let
+ paths = [
+ "default.nix" # sourceCache
+ "ci/flake-cron.nix"
+ config.ci.gh-actions.path
+ ];
+ in {
+ push = {
+ inherit paths;
+ };
+ pull_request = {
+ inherit paths;
+ };
+ schedule = [
+ {
+ cron = "0 0 * * *";
+ }
+ ];
+ workflow_dispatch = {};
+ };
+ jobs.flake-update = {
+ step.flake-update = {
+ name = "flake update build";
+ order = 500;
+ run = "nix run .#nf-update";
+ env = {
+ CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
+ NF_UPDATE_GIT_COMMIT = "1";
+ NF_UPDATE_CACHIX_PUSH = "1";
+ NF_CONFIG_ROOT = "\${{ github.workspace }}";
+ };
+ };
+ };
+ };
+
+ jobs = {
+ flake-update = { ... }: {
+ imports = [ ./packages.nix ];
+ };
+ };
+
+ ci.gh-actions.checkoutOptions = {
+ fetch-depth = 0;
+ };
+ };
+}
diff --git a/ci/nix.nix b/ci/nix.nix
new file mode 100644
index 00000000..e7f3f5ef
--- /dev/null
+++ b/ci/nix.nix
@@ -0,0 +1,8 @@
+{
+ ci = {
+ workflowConfigs = [
+ "nodes.nix"
+ "flake-cron.nix"
+ ];
+ };
+}
diff --git a/ci/nodes.nix b/ci/nodes.nix
new file mode 100644
index 00000000..97341248
--- /dev/null
+++ b/ci/nodes.nix
@@ -0,0 +1,28 @@
+{
+ lib,
+ config,
+ channels,
+ env,
+ ...
+}:
+with lib; {
+ imports = [ ./common.nix ];
+ config = {
+ name = "nodes";
+
+ jobs = let
+ enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems;
+ mkSystemJob = name: system: nameValuePair "${name}" {
+ tasks.system = {
+ inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel;
+ warn = system.config.ci.allowFailure;
+ };
+ };
+ systemJobs = mapAttrs' mkSystemJob enabledSystems;
+ in {
+ packages = { ... }: {
+ imports = [ ./packages.nix ];
+ };
+ } // systemJobs;
+ };
+}
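Review bot: `CACHIX_SIGNING_KEY` is exposed twice — at workflow level through `gh-actions.env` and again in the step `env` — while the same workflow also fires on `pull_request`, so a same-repository PR can change flake inputs, have `nix run .#nf-update` fetch and build them, and push the results to the binary cache signed with the production key (fork PRs get no secrets, but the step still hard-codes `NF_UPDATE_CACHIX_PUSH = "1"`, so those runs will attempt a push without credentials and fail). I would drop the workflow-level `env.CACHIX_SIGNING_KEY` line so only the one step sees the secret, and gate the side-effecting flags on the event, e.g. `NF_UPDATE_CACHIX_PUSH = "\${{ github.event_name != 'pull_request' && '1' || '' }}";` with the same treatment for `NF_UPDATE_GIT_COMMIT`. The push to `main` is guarded inside `update.sh` by `GITHUB_REF`, but the job also needs a `contents: write` permission and a branch-protection exception for the bot identity, neither of which appears in this patch.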
diff --git a/ci/packages.nix b/ci/packages.nix
new file mode 100644
index 00000000..323043c2
--- /dev/null
+++ b/ci/packages.nix
@@ -0,0 +1,17 @@
+{
+ lib,
+ config,
+ channels,
+ ...
+}: let
+ inherit (channels.nixfiles) packages legacyPackages;
+in {
+ tasks = {
+ devShell.inputs = with packages.x86_64-linux; [
+ deploy-rs
+ terraform tflint
+ alejandra deadnix statix
+ ssh-to-age
+ ];
+ };
+}
diff --git a/ci/secrets.yaml b/ci/secrets.yaml
new file mode 100644
index 00000000..f53bd4ab
--- /dev/null
+++ b/ci/secrets.yaml
@@ -0,0 +1,96 @@ +CACHIX_AUTH_TOKEN: ENC[AES256_GCM,data:oezH26CAPPAXFvbtqlmEfa/X6XADQHCoObajgoaUKB8cdtI6mVnsZfmYNVgcyQzmyPhcKcqG7X1d0SYNuJW1dI2eByKvWSWUwY5N2f0994/Hd1NB3s7E3dq1EZtkZqDyFJMSchQT7xkJtEMqzdQnQhL3Au2zaP0+m6hhmkxqIet6H1Yu4n+hGBkunzF26l0VTPsPiek=,iv:ODlzphfJOsrPp0Vb/vABkES74a2wbesrRFQKGeCY2Qs=,tag:/wAItpFQmQ4KNT0ZNo1ehg==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRERhQVk0RTVDdUR6bXVm + NVZjanNwV2d1bm1xbDZvMHZpNEpkRHBSL1M4ClpLdFhEM0JhNTlTMkFjd040OUZF + Vjl3aFlLMUxKeGRuZTNXYmxDRG54YUUKLS0tIFVVWGgvZGJ3d2JtQTYzcUZuRUM3 + bThmek1aUG1pb3VBZXMxNXZIZEdyd1kKeOSUooXs//DJBhJlIssaozUhnPy4X8Ty + RGgvKAp7/fE0Z1WMV8h7w4vsplSr4aocU49CH/QcdAlARdqF4as9sA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdjV4VkdhdXVlUVN3MzNr + bW5Xb09vRFBtSTBWM2EvRHA0NS9kZTl4dFc4CjBCWlJ1NUp0MmQ5Z3FRWm5sanZs + UFdxSjl4ZWx3MWVZa3ZVT2ZEdC9NUkEKLS0tIEd0MUNRQStsSkVyTXBSRUt1Tms4 + azBYYm5aU0hKOTEzV0FuNVF3ZHcyS3MKbHbT+cPPJ4XGWIgj/zxci9A88Ak60ja4 + /2lBlLsVCUHmFEoHXueizAypcVhp+WwfbGdva3VWfCTMmYnzcdEv6A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSTFBeUVMMVFuNURCa2tH + bUJVQ2hrSVREeUdPZ0d3NmREZXFtSmxnRnhZCnRXbCtVR3VxMXludzBWMmw1ZFBS + WW54dzNDamRkUjc0cWcyQ2RpaGNua2cKLS0tIG1VVDd1VFNLdHl4cmhiRnk0S1A1 + dm5vVVBrM1NYb3cxbU9STXBBMDdDSUkKy+ZNL/eYnqtagB3oom0xEXxihYqGz2w3 + RJ2dQEQSPshuyMzC6AsV8nbaQhX6aNw+cgDSqX0E9G7+mBjWFSjEgw== + -----END AGE ENCRYPTED FILE----- + - recipient: age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n + enc: | + -----BEGIN AGE 
ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3STBnbDQ2K1ltVFZ4WjdG + bk1aMlY2NDFYWWZPcDgvL1VWT0YzdTc5eEdFCmxUejZkUG1BaVhHeU92cldLQVE5 + UlNMb3pvdU5RY0V0KzExSDBKQVJLZkUKLS0tIDhxKzljTCsrVE9YRnNaMDF5WFBl + eGRWMnNqbFIvakhoVURYOFNrK2IrYlEKvFp1izuR11CBDTMdOKe5MMx/+hfg5zo8 + bo09Ep3XzO++ZXmevtUOVKGKd+D2hstEZxi0Vfr6yp8iI8sAG/46yw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTk9FclJyeUxuNkJmTUFM + YVBLOEZqbXIyWXAxMk9pYnVvSXBjQTNhUGs0CmJ0NGJWenl5ZStHcXRubjdieHo0 + QzhRdDZYV0xlU2N5dnpxWURNamN2aGcKLS0tIFRGc3ZJVnp3SnZtLy8ydVBQVUsy + STNxaHcyc3NINHFMR1F3OGg1a1liWW8KgVgMTA/Ut+xaLFmEP8EwSJ0oFVIEqh5n + PSD3ciDdx8t+2mzCvpTBZiH52jarZmBEhZhMYxwd301uS3uVUW5sGg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBckh5OC83b1JDY3lCVnFS + LzFRVElBTFVsWU5jMEkwbVlUTlpnaUl1L2pzCk9uNktBTEtFYUpHUCs0ODZrcGRp + WEdZenRMRFNhd256KzdINjYwZ25YaDQKLS0tIElGWkpBeXBqWXVha2NiczFzaUV4 + NzJKWndUUlRTZ3NlYS9qam1xZ0xUakEKciZwpzQBxPz75xIPUIIsS4+YWXAWqIl5 + MYURy5G8uMzzRlHK/CJ0OI53kjsj/MTkDy247gKX+lig7bXHnuYJ1A== + -----END AGE ENCRYPTED FILE----- + - recipient: age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOXlDOE50bE1jRG5aZHRu + aDhoK2UxZzNobFEzN3drVmNlQmZoR0FBRlVVCmRhNStBRGkyaEkrYWJweDZBcWVL + Z2RDcjlyMk5zRTdOYi9zbjBGandCZEkKLS0tIExNcjByeXJxSkg5UGZLRWJSQ29Y + S1dxenc5M3ZhMTR3SEpqR3FxT20rdGMK4YtZe6NDBx5/LM6rbGuoXLrBEicOhDSx + azOPjHWLN+B2JdgBpemI9NDOfBWL+t/VGx00w40PUq7FsCYdoBmHtQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-13T18:21:10Z" + mac: 
ENC[AES256_GCM,data:6vjYEY6WsfXGHxryL3ypqlmRGbsgEse0WohV9N4Oepl+NDsmhsXraeSJsfQNwDgXHc7Hk6n7ORTeogXeVABMpeYZyOJnbzzfm5recAaXtB8Jq2yDC69KvS4Xuk9WzqmacLieeaZ5K1vET4hD0q52cBJtvRzgmJ2SAfEyXIeucO0=,iv:mzMAOI+aTzuGfQ4qyMTIv2QYYbXcaKcx9Wlfv7aY0CY=,tag:kwwdh7Ic0UtYqYJ1y6VqPw==,type:str] + pgp: + - created_at: "2024-07-13T18:20:50Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UARAAiGNgIcZG1LnGi0DyBiLVagxNUhpS4iatKgdHosBUUWWk + DjPnAseCrhSLMxciRjrDwnDKjFFMeIS54m1h4wsAgI8g08E0vkskcsU2PmFQ9IK4 + dUBsvf/0vC4Q5cabagZb/jmtOS3RPHnXk2uNePR3p2AN38qBNhvaLVn1QS0hOQNx + OReUKvaBGmb1Yi9lafxb0k0h7FQ7s8rNatvKvrbr7aeVHBKSWRX3Rjsy0/wl5Amd + pcubaFOolp4DGPIaT7l4cRE+ZoiPJ4RGWHHHW0zt1KD6PYSorgGnz4Want/1lEJK + 18L2Jw0KuLzpYl9ndSMKeYBxQM7jmMbLWE+V9zElSXAvR/q+WS5vWt2Ua8ps1MxE + 4FRupXidI0/VL2F3nX4xE+LhY6RtPFAUcaFHAsUa8H7Yd/kbpflD/t14u8cMvABA + TEwLZkKP/PUtLbYkzOts4p7lFvduVKjRPc2mO1os2Mbtw8LljPgMlncoJ0zbeZ4y + eZRbXEiYjCFlXN/rYgmkVMrAK/LzgXPYPG4CD2q/IQkWMVXvWuFLNegTs/oxiJMG + kO56ewlVvcVynjBxTnPAA2fOtK65FVw6WVAWCK5NdnWzVPwohdQ8wpZbzOymSyU9 + Nu3Q04gI513quQhJxbf0SbUDodes02Vmoe4eMJfs3sIZgx2UCQfRdXkcifjfgnfS + XgFLEn0LsMfsPcni5E6/3ti2jYJqnDBP4C8fh3jt/pKkEqGjPhuaAMaMfXST9idH + p05AkFfPcj5kknVIVf9/gJoSSzqfzyPKHbebq/+yHcpxn4oJlFCKpMJw39PmQLU= + =FTkp + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/flake.lock b/flake.lock index 2f74946f..2350c59a 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "arcexprs": { "flake": false, "locked": { - "lastModified": 1719854708, - "narHash": "sha256-EUjNXcLW6cN0UY89kkfncC/cVO0CY6qIUfKmlse/gLg=", + "lastModified": 1720471472, + "narHash": "sha256-2mq+DpPirJ+0M6fxQYTaXiI7Z+CdKSXjTxoy93stX1g=", "owner": "arcnmx", "repo": "nixexprs", - "rev": "5165118a5c43addcaace24579f0e62f5d1a792a7", + "rev": "0067d9ff3aa5ce2f4e3c64a534494aa2700fcff1", "type": "github" }, "original": { 
@@ -129,11 +129,11 @@ ] }, "locked": { - "lastModified": 1719845423, - "narHash": "sha256-ZLHDmWAsHQQKnmfyhYSHJDlt8Wfjv6SQhl2qek42O7A=", + "lastModified": 1720845312, + "narHash": "sha256-yPhAsJTpyoIPQZJGC8Fw8W2lAXyhLoTn+HP20bmfkfk=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "ec12b88104d6c117871fad55e931addac4626756", + "rev": "5ce8503cf402cf76b203eba4b7e402bea8e44abc", "type": "github" }, "original": { @@ -308,11 +308,11 @@ ] }, "locked": { - "lastModified": 1719992360, - "narHash": "sha256-SRq0ZRkqagqpMGVf4z9q9CIWRbPYjO7FTqSJyWh7nes=", + "lastModified": 1720734513, + "narHash": "sha256-neWQ8eNtLTd+YMesb7WjKl1SVCbDyCm46LUgP/g/hdo=", "owner": "nix-community", "repo": "home-manager", - "rev": "36e2f9da91ce8b63a549a47688ae60d47c50de4b", + "rev": "90ae324e2c56af10f20549ab72014804a3064c7f", "type": "github" }, "original": { @@ -338,11 +338,11 @@ ] }, "locked": { - "lastModified": 1718450675, - "narHash": "sha256-jpsns6buS4bK+1sF8sL8AaixAiCRjA+nldTKvcwmvUs=", + "lastModified": 1720108799, + "narHash": "sha256-AxRkTJlbB8r7aG6gvc7IaLhc2T9TO4/8uqanKRxukBQ=", "owner": "hyprwm", "repo": "hyprcursor", - "rev": "66d5b46ff94efbfa6fa3d1d1b66735f1779c34a6", + "rev": "a5c0d57325c5f0814c39110a70ca19c070ae9486", "type": "github" }, "original": { @@ -370,11 +370,11 @@ ] }, "locked": { - "lastModified": 1719949580, - "narHash": "sha256-Ht6ZUjQ6HO9vllB0CxeGgLYUzZCw9Q/2Aaq21Og+3hM=", + "lastModified": 1720880492, + "narHash": "sha256-mzkonDtAmLxtvqd8p6ooR0NOFUcisM7l/j3uf/eZ8zU=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "8bb75a223db3ea9471d05d74fbed3328334a9f78", + "rev": "45c48984236d7a682a1941b147f8ae489ac9a1e6", "type": "github" }, "original": { 
@@ -417,11 +417,11 @@ ] }, "locked": { - "lastModified": 1717881852, - "narHash": "sha256-XeeVoKHQgfKuXoP6q90sUqKyl7EYy3ol2dVZGM+Jj94=", + "lastModified": 1720381373, + "narHash": "sha256-lyC/EZdHULsaAKVryK11lgHY9u6pXr7qR4irnxNWC7k=", "owner": "hyprwm", "repo": "hyprlang", - "rev": "ec6938c66253429192274d612912649a0cfe4d28", + "rev": "5df0174fd09de4ac5475233d65ffc703e89b82eb", "type": "github" }, "original": { @@ -444,11 +444,11 @@ ] }, "locked": { - "lastModified": 1719873906, - "narHash": "sha256-0dy2hT1Q4PaFah8QxJkOfXGLuG7Ehq5Hi5pNhOpXd/A=", + "lastModified": 1720707332, + "narHash": "sha256-OpUjVqJIxuouqUMmOAQI63XEOVk5EYyHwFVWdyrUdC8=", "owner": "hyprwm", "repo": "hyprlock", - "rev": "88b9ce48ed0c561c44c3a09cd6cef0e1bebaf59f", + "rev": "b407128caeb551ae808cf8d0fb653a252a271709", "type": "github" }, "original": { @@ -493,11 +493,11 @@ ] }, "locked": { - "lastModified": 1719316102, - "narHash": "sha256-dmRz128j/lJmMuTYeCYPfSBRHHQO3VeH4PbmoyAhHzw=", + "lastModified": 1720545076, + "narHash": "sha256-Pxacc2uoxI00koXp5+CyNqHOTQlqNlK0rlRHDBHX4+g=", "owner": "hyprwm", "repo": "hyprutils", - "rev": "1f6bbec5954f623ff8d68e567bddcce97cd2f085", + "rev": "6174a2a25f4e216c0f1d0c4278adc23c476b1d09", "type": "github" }, "original": { @@ -568,11 +568,11 @@ ] }, "locked": { - "lastModified": 1719067853, - "narHash": "sha256-mAnZG/eQy72Fp1ImGtqCgUrDumnR1rMZv2E/zgP4U74=", + "lastModified": 1720215857, + "narHash": "sha256-JPdL+Qul+jEueAn8CARfcWP83eJgwkhMejQYfDvrgvU=", "owner": "hyprwm", "repo": "hyprwayland-scanner", - "rev": "914f083741e694092ee60a39d31f693d0a6dc734", + "rev": "d5fa094ca27e0039be5e94c0a80ae433145af8bb", "type": "github" }, "original": { 
@@ -591,11 +591,11 @@ ] }, "locked": { - "lastModified": 1713139346, - "narHash": "sha256-GlRonqewugWqLK96LPZ0X+bdnQNuOqfVdQZiY2DQkvk=", + "lastModified": 1720893836, + "narHash": "sha256-rIwKRl1wmOoIyKPTAzOEvoyUm/roIo3QfJOcVg9Q8N0=", "owner": "kittywitch", "repo": "konawall-py", - "rev": "e3bf98deafef4876230253622fce04272af38d13", + "rev": "936050d035788198b9c7d7e44b3acceb3d18e35a", "type": "github" }, "original": { @@ -674,11 +674,11 @@ ] }, "locked": { - "lastModified": 1719969940, - "narHash": "sha256-ONh73rQPE476fUzQReW2LYBT4FTE51iIy6vUV8NEA/M=", + "lastModified": 1720834054, + "narHash": "sha256-gpUgy1XJGw8PZuRQlGwxoriIP+8jgUf2Ho9/g6meQHQ=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "2fbed82e0e1f8dee8fe6a34c26cdc17237e7101c", + "rev": "526acd22f4ac06182ad4ec6346f5c6008590dbab", "type": "github" }, "original": { @@ -694,11 +694,11 @@ ] }, "locked": { - "lastModified": 1719832725, - "narHash": "sha256-dr8DkeS74KVNTgi8BE0BiUKALb+EKlMIV86G2xPYO64=", + "lastModified": 1720334033, + "narHash": "sha256-X9pEvvHTVWJphhbUYqXvlLedOndNqGB7rvhSvL2CIgU=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "2917972ed34ce292309b3a4976286f8b5c08db27", + "rev": "685e40e1348007d2cf76747a201bab43d86b38cb", "type": "github" }, "original": { @@ -709,11 +709,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1719895800, - "narHash": "sha256-xNbjISJTFailxass4LmdWeV4jNhAlmJPwj46a/GxE6M=", + "lastModified": 1720737798, + "narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "6e253f12b1009053eff5344be5e835f604bb64cd", + "rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751", "type": "github" }, "original": { 
@@ -724,11 +724,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "lastModified": 1720542800, + "narHash": "sha256-ZgnNHuKV6h2+fQ5LuqnUaqZey1Lqqt5dTUAiAnqH0QQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "rev": "feb2849fdeb70028c70d73b848214b00d324a497", "type": "github" }, "original": { @@ -756,11 +756,11 @@ }, "nur": { "locked": { - "lastModified": 1720010855, - "narHash": "sha256-tF36DiquJP8Ow9QwphDYEjZtBfhkiZOKybUSMnM47wg=", + "lastModified": 1720891420, + "narHash": "sha256-NGqWtKIVF6zSDaYS6YepdLIQ4LLhBMPit5UsX7X5B5M=", "owner": "nix-community", "repo": "NUR", - "rev": "642b5070e3fa9f0be118fd46c741a4313231be22", + "rev": "ecde873d238284ccb47675c15436b55f6d6ec285", "type": "github" }, "original": { @@ -779,11 +779,11 @@ ] }, "locked": { - "lastModified": 1719875930, - "narHash": "sha256-jQmdWLxRP6BzOxRF8hQEhDD7UKw7UrnYbmaAPOSaXWY=", + "lastModified": 1720863765, + "narHash": "sha256-Q+LSZm9w1htVrRDY1d+0T8rBdifA/6JnAWuBMneGCCE=", "owner": "pjones", "repo": "plasma-manager", - "rev": "7e062fcd669e261fb06cf54fe0ef2e46c3db8e83", + "rev": "40fa15eceeda6f3fb539367ccee462fa06a4d760", "type": "github" }, "original": { @@ -935,11 +935,11 @@ ] }, "locked": { - "lastModified": 1719873517, - "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=", + "lastModified": 1720479166, + "narHash": "sha256-jqvhLDXzTLTHq9ZviFOpcTmXXmnbLfz7mWhgMNipMN4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "a11224af8d824935f363928074b4717ca2e280db", + "rev": "67035a355b1d52d2d238501f8cc1a18706979760", "type": "github" }, "original": { 
@@ -1058,11 +1058,11 @@ ] }, "locked": { - "lastModified": 1719220171, - "narHash": "sha256-xywM6JoGT8AwfoOFJBTv8GRlvNu8LYqqqMS/OQ6uCgE=", + "lastModified": 1720787015, + "narHash": "sha256-U3IqoGmIzBKEJ0ihRQ10GRRtdoDBI6Oxl6aiGbUA59A=", "owner": "nix-community", "repo": "NixOS-WSL", - "rev": "269411cfed6aab694e46f719277c972de96177bb", + "rev": "371b5076d718f7f637d3959d0203061f06af1263", "type": "github" }, "original": { @@ -1087,11 +1087,11 @@ ] }, "locked": { - "lastModified": 1719942321, - "narHash": "sha256-Mb6EdUtgujTNTY6oRLxM/ZCyWUrk+p3V6XcJZ1hSUe4=", + "lastModified": 1720194466, + "narHash": "sha256-Rizg9efi6ue95zOp0MeIV2ZedNo+5U9G2l6yirgBUnA=", "owner": "hyprwm", "repo": "xdg-desktop-portal-hyprland", - "rev": "c5b30938710d6c599f3f5cd99a3ffac35381fb0f", + "rev": "b9b97e5ba23fe7bd5fa4df54696102e8aa863cf6", "type": "github" }, "original": { diff --git a/home/profiles/common/nix.nix b/home/profiles/common/nix.nix index 03c1d950..0c96f838 100644 --- a/home/profiles/common/nix.nix +++ b/home/profiles/common/nix.nix @@ -1,7 +1,8 @@ _: { + # TODO: add the same treatment as the other nix gc script nix.gc = { automatic = true; frequency = "weekly"; persistent = true; }; -} \ No newline at end of file +} diff --git a/home/profiles/graphical/secrets.yaml b/home/profiles/graphical/secrets.yaml new file mode 100644 index 00000000..0cd75238 --- /dev/null +++ b/home/profiles/graphical/secrets.yaml 
@@ -0,0 +1,96 @@ +GITHUB_ACCESS_TOKEN: ENC[AES256_GCM,data:rTepYBEOtj8lrUE4naBBGl1wHUqp/hVBVTaoBp+rhrctRZAWeXzp029pI6Knh495MWbkyr1FHNTtBEW4Id9M1Ip52R7LPxU5xRwCQPmU5zVhU65LGo3j2cv2IzJm,iv:/Y1/B458a/r3P5O8tizaoxWrUths5e8ThakJgB1SfR0=,tag:4H8wB2GbFW/7OAfXG8DHmw==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZVFONnJKcXAwWTM0V1dz + dXNHMlF2dmNQK3QzejFIWVBxTHlkTW82WW1FClh5VkhEbVRobk9Ybk1INXMvRkNN + TzdhV2M5K2l2aVlRc3pqclJZaUJVckEKLS0tIG1vVGdia2U1ZjU1UENKQ1dZVDdy + ME5NSnAzRXlzVG1hd1d6SnBWMnRVM0EKcUhYMSWzmqygU222jm+USXbguHrxZpGh + ShIV1DuP+XI4kytS8BvqIeK6ZA8UR2XNiqAjaFAMdOaH/C158VW3AQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYVpHQmRvWHhGSzd1UnUz + S0U2aWRrWWVXKy9ITmppRkFpSXVZSzIwd3drCkw1V1NhTFkrMWlVbTdpTExnblRT + NHI1TXEvcHFNT0FkdHd2djMyRzBUR2cKLS0tIG1pOTZ6MUtSNWZxM290YTZWYVZJ + VVBNUHp0L21ISUlQT3k4NXBoNGpBVVEKKEcZpu1iIHnIMsRo7CTmxbpqVcSaRsuH + IJkcyvuds4ioBAJBZ9fD0eXjbE5OhYEjehjiEq9s2fD/9ZtTATkl4g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcmZUVTJlNlpVeGcvdThs + bkJLWGVydjZNc3FuTGZaYVdLNDRHOEVHc0ZzCnp5bytHOTdqamZpa3Z4SjFTcU5T + Z0lxdTQ3bHNSMWY3MnRyc01Dbm5NQ2sKLS0tIDgyc1gvNFFEZHBKYjhwa3YwY1Bk + SC9sVzB0cHR2cG92WTVudlQ2a2doUDAKyFGQ0ej+FRrss4vug/IqdGt34anaocjO + /ynoYURJwJMwIFo8p/ZUjNvTJBRQp1FYWqfgtb4JbhhP4GQyohox/A== + -----END AGE ENCRYPTED FILE----- + - recipient: age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZDB3S2hucnRMOXNZQytD + U3NYMDEvM2ZvRjZRWlZuZk5nbTFjZ0dUeFJJClRERnduN1JmdGtta0FUdSswWVFi + Skx6Mkg3TFRVcldQdFhhWUw4S210RWsKLS0tIDhlcnh3bXdFUjFHcU9RMkNhSHB3 + bzltNTMzRUdrUzFDcTJGRjVOcWhrWU0KU2u9GSgWJOcHjhFfQ3akcwPPaUvp3zw1 + Ar1Nd8V1QKhzV4OpaxlNsKe5LN5GREn/0VLA7Be2ZT2Llt5xQHyLNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZFZGdDNseTBsR0hoRCt4 + am5NNTkxRm9sMzd2OFlpYzkxNEh0NytveWhzCmI2cWdpcTZiSmg0RWFHT01aWm5L + aGtGekE2bzFqTCs3L0lsVVREV3FTNVkKLS0tIHJYT2FCejF1K0lzT1poaDdBQnM1 + OGxtY0hXenhEby85eXRvUk00TnVmb28KP6wFZlj78VJIfX9VSGYKjk/K/IkOzmhd + +MIKuKGf0Wmn6likWhZod0Yid6Nq3NzRniPSdKa9rETmPi3Qn9xQ5Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTG0zTlc1YTBkaFBiSkh2 + RTNiV0h6L2dmaG5oOFMxdFo5TzNqV2hlUTN3ClM5a1VFRXlSamlJNTZ2a3F5dFlE + RTJQQTUvUlRHMDU5aXhGaUxISkt3ckEKLS0tIHlIS0dXRHFEeEpNK1YzU2U2MDZ3 + TGxkYXpKaVovWFZoNjRGWlRLdkp4eE0KuMSO1pukDuyokQ/5Ym3ZJ24HRb+WGEmQ + aLxB7n2Y95M+ms5WXXoL2ps5FzKixJAXBRli6/RDtn9Mh1ihT9bkzw== + -----END AGE ENCRYPTED FILE----- + - recipient: age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5RlFRRU1wTEUvR0JpZHZM + NU53eWtLRk9PU2dBWWpJMjBLNWpxa0hxTWxJCmJ3dlpZTW5Ickl0TGhkdWxJdkF4 + VXhCZ3lseERXWmh0ODEvdGRWOXpVOE0KLS0tIDE4VjdKT2pZQTM0ZTlqZ3UzU251 + bXpCZHFWMTRSUHhWMUZPczh1Rlkzd2sKuESLATRUMwgJp/XJiNLD44MoacDAjqrM + 1pp9+2hsws9d3Em/gJj59Yn2GTT0gpNvKXqXeFp1vpm64oOK0GNZWQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-13T18:22:26Z" + mac: 
ENC[AES256_GCM,data:k9ml5lzn3OYlJVXFMtJ71dj2FaOZ27BSBPqtLr2ExUKDZUc9AkMTt1DOxQAOIpVmzJdWicVkqFTszfqi03+oPQ11/WZnNFC8FzF4v96LTQ4/OCgVm+ZQhovPV0haw3oZEYHi6tKbtM5BDW++ibjawWOyWQGKL4ZLF+MQEjB0GMU=,iv:w0U2bwC9Th6y24AQBeYx/IaJXROItBPbfPRtWrYEYr0=,tag:92QiGpY2jwszXffW4V9hBw==,type:str] + pgp: + - created_at: "2024-07-13T18:22:05Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ//Z1oKJXSEb+J4BqDvNnpb5yYkb8OU/8VXshMjqJNOcUat + FlQZGLum8PvU0tjQOBQ/wC2AALgCSyJTncmygy18oqFZJ5BEbWmoD17bLLtPd7u8 + WLyAFoCaHTu5v6C3nQ7k/VZsLWokkNeekic9SR1gKErV48nU8kZMdAVxEEV2hPpL + 4JvgCbtsVBLoZm6QHJEPZ4K9PnFJzFC9SRhOP9jbVdwVGAnFPhP2yuBql/kCacTa + WwtdD7RQbQoMLLF/Jz4Ca7SbZfe2CxpzTJ+/B+IKC/ta0XPH1MiBKS4adoTTDqLp + 6rCobxLqvCizt53PUAwf5w4xf2OKSjZ6cj0QeVsHZanZZyI+ypnGNrqUS/07QtHU + vLX8Tskoh7LkvK9frwEngvfCI0eCe4/he+RTMVn0KxPdA9ObRvrnDdYNiasVFevI + NkR1wXe27TyVRPcY4fXNsh4GwZ+aSusPZp+jRp4WQRKfb+QQ0D5Jme/wpXccQgqc + TGmFpXtFAtz06LpJrPq2kx1/M9javPg0UDA8oyP35a+F3d9odSQsViJ95CexxqJb + zbAiPlt3GQTOwK+bjprGQPtNQ+qiwlI2fJWXFxBTTKQviQqV4ut+efwSnPAoIZqO + IKrRvLRgFMmxGJTjaApCIzNlc4OGZrWu1JQ/HWrwaCAJiwdAyjBG0V7fT+RXlM3S + XgH2qGwTGzIsT5MZDSEWHSfyiezStna+xHSwOcGpJauvgYFsKZtufxqpYnVu4+f9 + Zffy5F+LpdO4qTHrZdKzPw9CxxS86t99MCFNkUIbo8u4gazqJM90LRnOok6qx1I= + =hP+o + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/packages/nf-update/default.nix b/packages/nf-update/default.nix new file mode 100644 index 00000000..d56a4f37 --- /dev/null +++ b/packages/nf-update/default.nix @@ -0,0 +1,10 @@ +{ + wrapShellScriptBin, + pkgs, +}: +wrapShellScriptBin "nf-update" ./update.sh { + depsRuntimePath = with pkgs; [ + git + cachix + ]; +} diff --git a/packages/nf-update/update.sh b/packages/nf-update/update.sh new file mode 100644 index 00000000..4a826468 --- /dev/null +++ b/packages/nf-update/update.sh 
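Review bot: `depsRuntimePath` lists only `git` and `cachix`, but the wrapped `update.sh` also executes `nix` and `nf-actions-test`, so the wrapper depends on whatever happens to be on the caller's `PATH`; from the devShell that is probably fine, but `nix run .#nf-update` in the workflow will pick up the runner's ambient tools, and nothing in this patch shows where `nf-actions-test` comes from. Add the package that provides `nf-actions-test` to `depsRuntimePath` (leaving `nix` to the host daemon's version is reasonable), or at least record the assumption with `# nf-actions-test and nix are expected on PATH (ci devShell / runner), not pinned here` so the dependency is visible.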
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -eu
+
+if [[ -n ${CACHIX_SIGNING_KEY-} ]]; then
+ export NF_UPDATE_CACHIX_PUSH=1
+fi
+
+cd "$NF_CONFIG_ROOT"
+
+nix flake update "$@"
+
+if [[ -n $(git status --porcelain ./flake.lock) ]]; then
+ git -P diff ./flake.lock
+else
+ echo "no source changes" >&2
+ exit
+fi
+
+echo "checking that nodes still build..." >&2
+if [[ -n ${NF_UPDATE_CACHIX_PUSH-} ]]; then
+ export NF_ACTIONS_TEST_OUTLINK=${NF_ACTIONS_TEST_OUTLINK-result}
+fi
+nf-actions-test -L
+
+if [[ -n ${NF_UPDATE_CACHIX_PUSH-} ]]; then
+ cachix push gensokyo-infrastructure "./${NF_ACTIONS_TEST_OUTLINK}"*/ &
+ CACHIX_PUSH=$!
+fi
+
+if [[ -z ${NF_UPDATE_GIT_COMMIT-} ]]; then
+ exit
+fi
+
+if [[ -n $(git diff --staged) ]]; then
+ echo "git working tree dirty, refusing to commit..." >&2
+ exit 1
+fi
+
+git add flake.lock
+env \
+GIT_{COMMITTER,AUTHOR}_EMAIL=github@kittywit.ch \
+ GIT_{COMMITTER,AUTHOR}_NAME="flake cron job" \
+git commit --message="chore(ci): flake update"
+
+if [[ ${GITHUB_REF-} = refs/heads/${NF_UPDATE_BRANCH-main} ]]; then
+ git push origin HEAD:${NF_UPDATE_BRANCH-main}
+fi
+
+wait ${CACHIX_PUSH-}
diff --git a/shells/repo.nix b/shells/repo.nix
index 0dd5070d..822666f7 100644
--- a/shells/repo.nix
+++ b/shells/repo.nix
@@ -2,6 +2,7 @@
 pkgs,
 inputs,
 std,
+ lib,
 ...
 }:
 with pkgs; let
@@ -10,6 +11,7 @@ with pkgs; let
 repoShell = mkShell {
 nativeBuildInputs = [
+ nf-update
 fd # fd, better fine!
 ripgrep # rg, better grep!
 sops
@@ -23,6 +25,7 @@ with pkgs; let
 '')) repo.darwinConfigurations);
 shellHook = ''
+ export CI_PLATFORM="impure"
 sops
 echo -e "\e[39m\e[1m$USER@$REPO_HOSTNAME - \e[35m''$(realpath --relative-to=../ ./nixos/)\e[0m"
 echo -e "\e[35mRunning alejandra\e[0m"
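Review bot: The backgrounded `cachix push` is only reaped by the final `wait`, but the script leaves through the bare `exit` when `NF_UPDATE_GIT_COMMIT` is unset and through `exit 1` when the index is dirty, both after the push was started, so on those paths a failed or partial upload never fails the job; move the `wait` ahead of those exits or install `trap 'wait ${CACHIX_PUSH-}' EXIT` right after `CACHIX_PUSH=$!`. The push target `gensokyo-infrastructure` is hard-coded and looks carried over from the upstream repository named in the commit subject, whereas `ci/common.nix` configures the signing key for the `kittywitch` cache — if that mismatch is unintended, make the cache a parameter, e.g. `cachix push "${NF_CACHIX_CACHE:?cache name required}" "./${NF_ACTIONS_TEST_OUTLINK}"*/ &`. With `set -u` on, `wait ${CACHIX_PUSH-}` degrades to a bare `wait` when no push was started, which is harmless but deserves a one-line comment since it reads like a bug.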