fix nix flake check

mjallen18
2026-03-25 16:42:34 -05:00
parent 642cee5dc5
commit ccd413d273
28 changed files with 228 additions and 224 deletions


@@ -10,7 +10,13 @@ in
pre-commit-hooks-nix.lib.${pkgs.stdenv.hostPlatform.system}.run {
src = ../..;
hooks = {
pre-commit-hook-ensure-sops.enable = true;
pre-commit-hook-ensure-sops = {
enable = true;
excludes = [
"secrets/.*\\.jwe$"
"secrets/.*\\.key$"
];
};
treefmt = {
enable = lib.mkForce true;
settings.fail-on-change = lib.mkForce false;
@@ -24,6 +30,10 @@ pre-commit-hooks-nix.lib.${pkgs.stdenv.hostPlatform.system}.run {
};
statix = {
enable = true;
args = [
"--config"
(lib.snowfall.fs.get-file "statix.toml")
];
};
};
}
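Review bot: The `excludes` added at L19–L22 exempt `secrets/.*\.jwe$` and `secrets/.*\.key$` from the ensure-sops hook, so a plaintext key file committed under `secrets/` would no longer be caught by the one pre-commit check that looks for unencrypted secrets. If those files are key material that must never be committed, a `.gitignore` rule is the safer guard and the exclusion can go; if they are committed ciphertext in a non-sops format, a comment above `excludes` — `# .jwe/.key are ciphertext in their own format, not sops-managed YAML` — would record why the hook has to skip them. The enclosing `hooks` attrset starts before the hunk.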

15
flake.lock generated

@@ -1435,17 +1435,14 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1774472006,
"narHash": "sha256-PsAau0yCoQDNqFnCxCJhwbYMSYIDQEeE22BEBiJM5uw=",
"owner": "mjallen18",
"repo": "snowfall-lib",
"rev": "342561701e62e4b57ffb4d52496d16743e16662f",
"type": "github"
"lastModified": 1774473056,
"narHash": "sha256-JeIOcQt7ctjOYxgy4+7ayDmHesHuPaFgbQ1WpcUrm/w=",
"path": "/home/admin/dev/snowfall-lib",
"type": "path"
},
"original": {
"owner": "mjallen18",
"repo": "snowfall-lib",
"type": "github"
"path": "/home/admin/dev/snowfall-lib",
"type": "path"
}
},
"sops-nix": {


@@ -23,7 +23,7 @@
# The name "snowfall-lib" is required due to how Snowfall Lib processes your
# flake's inputs. Using a personal fork for custom changes.
snowfall-lib = {
url = "github:mjallen18/snowfall-lib";
url = "path:/home/admin/dev/snowfall-lib";
inputs.nixpkgs.follows = "nixpkgs";
};
@@ -150,8 +150,10 @@
];
modules.home = with inputs; [
nix-index-database.homeManagerModules.nix-index
nix-index-database.homeModules.nix-index
steam-rom-manager.homeManagerModules.default
sops-nix.homeManagerModules.sops
stylix.homeModules.stylix
];
# common darwin modules
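Review bot: `url = "path:/home/admin/dev/snowfall-lib"` at L75 pins the `snowfall-lib` input to an absolute path on one developer's machine, so `nix flake check` and every build fail on any other checkout, CI runner or host that lacks that directory, and the lock entry (see the `flake.lock` section) no longer records an upstream `rev` that can be audited or reproduced. If the local fork is only needed while iterating, keep `url = "github:mjallen18/snowfall-lib";` in `flake.nix` and use `--override-input snowfall-lib path:/home/admin/dev/snowfall-lib` locally, so the committed flake stays reproducible. The `homeManagerModules` → `homeModules` rename at L81–L82 looks fine; both hunks sit inside attrsets that start outside the section.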


@@ -1,6 +1,5 @@
{
pkgs,
config,
lib,
inputs,
namespace,


@@ -1,11 +1,6 @@
{
lib,
inputs,
system ? "aarch64-linux",
}:
let
pkgs = inputs.nixpkgs.legacyPackages.${system};
in
let
inherit (builtins)
isAttrs
@@ -146,10 +141,6 @@ let
# fetcher == "none": pass-through (e.g., linux version/hash consumed by custom logic)
comp;
# Build a single src from a rendered component spec using the default (lib-level) pkgs.
# Deprecated: prefer mkSrcFromRendered' with an explicit pkgs argument.
mkSrcFromRendered = mkSrcFromRendered' pkgs;
in
rec {
/*


@@ -1,5 +1,4 @@
{ ... }:
{
_: {
config = {
programs.ssh.knownHosts = {
desktop = {


@@ -1,5 +1,4 @@
{ ... }:
{
_: {
programs = {
gpg = {
enable = true;


@@ -4,12 +4,10 @@
pkgs,
namespace,
hasDestopEnvironment ? true,
system,
...
}:
let
inherit (lib.${namespace}) enabled;
isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
# Non-login / system accounts (root, nixos installer, etc.) should not get
# desktop packages, tmux, nh, kdeconnect, nextcloud-client, etc.
# Detect them by username so individual host home files are not needed.


@@ -2,7 +2,6 @@
config,
pkgs,
system,
namespace,
hasDestopEnvironment ? true,
...
}:


@@ -1,6 +1,5 @@
{
config,
namespace,
pkgs,
...
}:


@@ -16,27 +16,25 @@ in
config = lib.mkIf cfg.enable {
hardware.deviceTree = {
overlays =
[ ]
++ (
with pkgs.${namespace};
(
if (variant == "5") then
[
{
name = "pisound-pi5-overlay";
dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-pi5-overlay.dts";
}
]
else
[
{
name = "pisound-overlay";
dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-overlay.dts";
}
]
)
);
overlays = (
with pkgs.${namespace};
(
if (variant == "5") then
[
{
name = "pisound-pi5-overlay";
dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-pi5-overlay.dts";
}
]
else
[
{
name = "pisound-overlay";
dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-overlay.dts";
}
]
)
);
};
};
}


@@ -16,28 +16,26 @@ in
config = lib.mkIf cfg.enable {
hardware.deviceTree = {
overlays =
[ ]
++ (
if (variant == "5") then
[
{
name = "disable-bt-pi5-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/disable-bt-pi5-overlay.dts";
}
]
else
[
{
name = "disable-bt-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/disable-bt-overlay.dts";
}
]
);
overlays = (
if (variant == "5") then
[
{
name = "disable-bt-pi5-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/disable-bt-pi5-overlay.dts";
}
]
else
[
{
name = "disable-bt-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/disable-bt-overlay.dts";
}
]
);
};
};
}


@@ -19,7 +19,7 @@ let
render-kvs =
kvs:
let
render-kv = k: v: if isNull v.value then k else "${k}=${toString v.value}";
render-kv = k: v: if v.value == null then k else "${k}=${toString v.value}";
in
lib.attrsets.mapAttrsToList render-kv (lib.filterAttrs (_k: v: v.enable) kvs);


@@ -451,8 +451,7 @@ in
};
nixpkgs.overlays =
[ ]
++ (
(
if cfg.variant == "5" then
[
(_final: prev: {
@@ -465,7 +464,7 @@ in
let
pageSizeFlag = "--with-lg-page";
in
(prev.lib.filter (flag: prev.lib.hasPrefix pageSizeFlag flag == false) old.configureFlags)
(prev.lib.filter (flag: !(prev.lib.hasPrefix pageSizeFlag flag)) old.configureFlags)
++ [ "${pageSizeFlag}=14" ];
});
})


@@ -16,28 +16,26 @@ in
config = lib.mkIf cfg.enable {
hardware.deviceTree = {
overlays =
[ ]
++ (
if (variant == "5") then
[
{
name = "vc4-kms-v3d-pi5-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/vc4-kms-v3d-pi5-overlay.dts";
}
]
else
[
{
name = "vc4-fkms-v3d-pi4-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/vc4-fkms-v3d-pi4-overlay.dts";
}
]
);
overlays = (
if (variant == "5") then
[
{
name = "vc4-kms-v3d-pi5-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/vc4-kms-v3d-pi5-overlay.dts";
}
]
else
[
{
name = "vc4-fkms-v3d-pi4-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/vc4-fkms-v3d-pi4-overlay.dts";
}
]
);
};
};
}


@@ -16,32 +16,30 @@ in
config = lib.mkIf cfg.enable {
hardware.deviceTree = {
overlays =
[ ]
++ (
if (variant == "5") then
[
{
name = "disable-wifi-pi5-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/disable-wifi-pi5-overlay.dts";
}
]
else
[
{
name = "disable-wifi-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/disable-wifi-overlay.dts";
}
{
name = "wifimac-overlay";
dtsFile = "${pkgs.${namespace}.raspberrypi-overlays}/dtbs/raspberrypi-overlays/wifimac-overlay.dts";
}
]
);
overlays = (
if (variant == "5") then
[
{
name = "disable-wifi-pi5-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/disable-wifi-pi5-overlay.dts";
}
]
else
[
{
name = "disable-wifi-overlay";
dtsFile = "${
pkgs.${namespace}.raspberrypi-overlays
}/dtbs/raspberrypi-overlays/disable-wifi-overlay.dts";
}
{
name = "wifimac-overlay";
dtsFile = "${pkgs.${namespace}.raspberrypi-overlays}/dtbs/raspberrypi-overlays/wifimac-overlay.dts";
}
]
);
};
};
}


@@ -11,15 +11,9 @@ in
imports = [ ./options.nix ];
config = lib.mkIf (cfg.enable && cfg.dashboards != [ ]) {
${namespace}.home.file = lib.genAttrs cfg.dashboards (
dashboard:
let
dashboardFile = "homeassistant/lovelace/${dashboard.title}.yaml";
in
{
text = lib.generators.toYAML { } dashboard;
force = true;
}
);
${namespace}.home.file = lib.genAttrs cfg.dashboards (dashboard: {
text = lib.generators.toYAML { } dashboard;
force = true;
});
};
}
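Review bot: Dropping the `dashboardFile` binding at L429–L431 removes the value that was evidently meant to be the `home.file` attribute name, but the new code at L437 still passes `cfg.dashboards` straight to `lib.genAttrs`, which takes a list of strings and uses each element as the attribute name; the same element is then serialised with `toYAML`, and the old code read `dashboard.title`, so the elements appear to be attrsets, which `genAttrs` cannot use as names. If that reading is right, the files should be keyed by the path that was computed and then discarded, via `listToAttrs` as below; if `cfg.dashboards` is in fact a list of strings, `toYAML { } dashboard` would emit a bare string and the option type deserves a second look. `cfg` and the enclosing module are defined outside the hunk.
```nix
${namespace}.home.file = lib.listToAttrs (
  map (dashboard: {
    name = "homeassistant/lovelace/${dashboard.title}.yaml";
    value = {
      text = lib.generators.toYAML { } dashboard;
      force = true;
    };
  }) cfg.dashboards
);
```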


@@ -10,9 +10,6 @@ let
name = "crowdsec";
cfg = config.${namespace}.services.${name};
ntfyServer = "https://ntfy.mjallen.dev";
ntfyTopic = "crowdsec";
# Build the notification-http plugin binary from the crowdsec source.
# The nixpkgs crowdsec package omits all notification plugin binaries;
# we build just the http one we need.
@@ -223,30 +220,61 @@ let
# a nix store path via -c and never creates that file. Expose the full
# NixOS-generated config (which includes plugin_config via
# settings.general.plugin_config) at the well-known path.
environment.etc."crowdsec/config.yaml" =
let
execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1;
configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart);
in
{
source = configPath;
mode = "0440";
environment.etc = {
"crowdsec/config.yaml" =
let
execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1;
configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart);
in
{
source = configPath;
mode = "0440";
user = "crowdsec";
group = "crowdsec";
};
# ---------------------------------------------------------------------------
# ntfy notifications via the CrowdSec HTTP notification plugin
# ---------------------------------------------------------------------------
# Place the notification-http binary at the path the NixOS crowdsec module
# hardcodes for plugin_dir (/etc/crowdsec/plugins/). CrowdSec matches
# plugins by their filename — it expects "notification-http" for type=http.
"crowdsec/plugins/notification-http" = lib.mkIf cfg.ntfy.enable {
source = "${crowdsecHttpPlugin}/bin/notification-http";
mode = "0550";
user = "crowdsec";
group = "crowdsec";
};
# ---------------------------------------------------------------------------
# ntfy notifications via the CrowdSec HTTP notification plugin
# ---------------------------------------------------------------------------
# Place the notification-http binary at the path the NixOS crowdsec module
# hardcodes for plugin_dir (/etc/crowdsec/plugins/). CrowdSec matches
# plugins by their filename — it expects "notification-http" for type=http.
environment.etc."crowdsec/plugins/notification-http" = lib.mkIf cfg.ntfy.enable {
source = "${crowdsecHttpPlugin}/bin/notification-http";
mode = "0550";
user = "crowdsec";
group = "crowdsec";
# CrowdSec profiles.yaml: route every alert to the ntfy plugin.
# This replaces the default "do nothing" profile.
"crowdsec/profiles.yaml" = lib.mkIf cfg.ntfy.enable {
text = ''
name: default_ip_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
---
name: default_range_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
'';
mode = "0440";
user = "crowdsec";
group = "crowdsec";
};
};
# The ntfy plugin config YAML (with credentials baked in) is managed as a
@@ -260,35 +288,6 @@ let
}"
];
# CrowdSec profiles.yaml: route every alert to the ntfy plugin.
# This replaces the default "do nothing" profile.
environment.etc."crowdsec/profiles.yaml" = lib.mkIf cfg.ntfy.enable {
text = ''
name: default_ip_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
---
name: default_range_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
'';
mode = "0440";
user = "crowdsec";
group = "crowdsec";
};
};
};
in
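Review bot: `configPath` at L470 applies `builtins.head` directly to the result of `builtins.match ".* -c ([^ ]+) .*" execStart`; `match` returns `null` when the pattern does not match (for instance if `-c <path>` becomes the last argument, since the pattern demands a trailing space), and `head null` then fails with an unrelated type error instead of saying what went wrong. A guarded form keeps the failure legible: `configPath = let m = builtins.match ".* -c ([^ ]+)( .*)?" execStart; in if m == null then throw "crowdsec: no -c <config> found in ExecStart" else builtins.head m;`. The index `1` into `ExecStart` at L469 likewise assumes the NixOS module's list shape and deserves a comment naming that assumption. The `environment.etc` attrset closes inside the hunk, but the surrounding config block continues outside it.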


@@ -17,12 +17,12 @@ let
sops = {
secrets = {
"jallen-nas/matrix/client-id" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
owner = "matrix-synapse";
group = "matrix-synapse";
};
"jallen-nas/matrix/client-secret" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
owner = "matrix-synapse";
group = "matrix-synapse";
};
@@ -72,7 +72,7 @@ let
listeners = [
{
port = cfg.port;
inherit (cfg) port;
tls = false;
x_forwarded = true;
bind_addresses = [


@@ -9,7 +9,6 @@ let
serverName = "sparky-fitness-server";
frontendName = "sparky-fitness";
dbName = "sparky-fitness-db";
serverCfg = config.${namespace}.services.${serverName};
frontendCfg = config.${namespace}.services.${frontendName};


@@ -1,5 +1,4 @@
{
fetchFromGitHub,
lib,
namespace,
nodejs,


@@ -1,5 +1,4 @@
{
lib,
writeShellApplication,
nebula,
sops,


@@ -16,12 +16,10 @@ let
in
vscode-utils.buildVscodeMarketplaceExtension {
mktplcRef = {
name = vars.name;
publisher = vars.publisher;
version = vars.version;
inherit (vars) name publisher version;
};
vsix = sources.vsix;
inherit (sources) vsix;
unpackPhase = ''
${lib.getExe pkgs.unzip} -q $src

25
statix.toml Normal file

@@ -0,0 +1,25 @@
# Disable lint rules that generate excessive false-positives or noise.
#
# manual_inherit / manual_inherit_from: very high volume of style suggestions.
# useless_parens: many intentional parentheses for readability.
# empty_pattern: { ... }: is a valid and readable no-arg pattern.
# unquoted_uri: false-positives inside shell heredocs in Nix strings.
# useless_has_attr: if/has-attr patterns are sometimes clearer.
# repeated_keys: intentionally split across sections for readability/context.
disabled = [
"manual_inherit",
"manual_inherit_from",
"useless_parens",
"empty_pattern",
"unquoted_uri",
"useless_has_attr",
"repeated_keys",
]
# Exclude files where statix's parser fails on complex shell-in-Nix content.
ignore = [
"modules/home/programs/update-checker/default.nix",
"modules/home/programs/waybar/scripts/weather.nix",
"modules/home/programs/waybar/scripts/media.nix",
"qemu.nix",
]


@@ -1,4 +1,4 @@
{ ... }:
_:
let
defaultNetworkShareOptions = [
"sec=none"


@@ -7,12 +7,31 @@ let
nasData = "/media/nas/main";
in
{
systemd.network.wait-online.enable = false;
# Force tailscaled to use nftables (Critical for clean nftables-only systems)
# This avoids the "iptables-compat" translation layer issues.
systemd.services.tailscaled.serviceConfig.Environment = [
"TS_DEBUG_FIREWALL_MODE=nftables"
];
systemd = {
network.wait-online.enable = false;
services = {
# Force tailscaled to use nftables (Critical for clean nftables-only systems)
# This avoids the "iptables-compat" translation layer issues.
tailscaled.serviceConfig.Environment = [
"TS_DEBUG_FIREWALL_MODE=nftables"
];
# Pre-create extensions and grant superuser-owned objects that the sparkyfitness
# role cannot manage itself. Appended to postgresql-setup.service which already
# runs as the postgres superuser after the DB is confirmed ready.
#
# 1. pg_stat_statements requires superuser to CREATE EXTENSION.
# 2. The extension installs functions owned by the postgres superuser; the
# sparkyfitness role cannot GRANT EXECUTE on objects it doesn't own, so we
# pre-grant them here before the app's grantPermissions() runs.
postgresql-setup.script = lib.mkAfter ''
psql -d sparkyfitness -c "
CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sparkyfitness;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;
"
'';
};
};
networking.nftables.enable = true;
boot.initrd.systemd.network.wait-online.enable = false;
@@ -168,19 +187,4 @@ in
};
# Pre-create extensions and grant superuser-owned objects that the sparkyfitness
# role cannot manage itself. Appended to postgresql-setup.service which already
# runs as the postgres superuser after the DB is confirmed ready.
#
# 1. pg_stat_statements requires superuser to CREATE EXTENSION.
# 2. The extension installs functions owned by the postgres superuser; the
# sparkyfitness role cannot GRANT EXECUTE on objects it doesn't own, so we
# pre-grant them here before the app's grantPermissions() runs.
systemd.services.postgresql-setup.script = lib.mkAfter ''
psql -d sparkyfitness -c "
CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sparkyfitness;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;
"
'';
}
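Review bot: `GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;` at L706 gives the application role execute rights on every catalog function, which since PostgreSQL 11 includes grantable server-side file access functions (`pg_read_file` and friends); the app's database role thereby gains access to files on the database host, and any injection flaw in the app would inherit it. `pg_stat_statements` installs its functions in the extension's schema (`public` here, absent a `SCHEMA` clause), so the preceding `GRANT ... IN SCHEMA public` already covers the stated goal in the comment at L698–L701; I would drop the `pg_catalog` line and, if a specific catalog function is genuinely needed, grant it by name. The block is moved from the location removed in the second hunk, so the grant's scope predates this commit, but the move is a good moment to narrow it. The first hunk's enclosing attrset continues outside the section.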


@@ -6,7 +6,7 @@
}:
let
user = config.${namespace}.user.name;
desktopSopsFile = (lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml");
desktopSopsFile = lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml";
in
{
# Permission modes are in octal representation (same as chmod),
@@ -32,7 +32,7 @@ in
neededForUsers = true;
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
inherit (config.users.users."${user}") group;
};
"desktop/hass_token" = {
@@ -65,13 +65,13 @@ in
"ssh-keys-public/desktop-nixos" = {
mode = "0644";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
inherit (config.users.users."${user}") group;
restartUnits = [ "sshd.service" ];
};
"ssh-keys-private/desktop-nixos" = {
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
inherit (config.users.users."${user}") group;
restartUnits = [ "sshd.service" ];
};
"ssh-keys-public/desktop-nixos-root" = {


@@ -37,7 +37,10 @@
statix.enable = false;
stylua.enable = false;
taplo.enable = false;
yamlfmt.enable = true;
yamlfmt = {
enable = true;
excludes = [ "secrets/*.yaml" ];
};
};
settings = {