mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix nix flake check

Browse Source
This commit is contained in:
mjallen18
2026-03-25 16:42:34 -05:00
parent 642cee5dc5
commit ccd413d273
28 changed files with 228 additions and 224 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
checks/pre-commit-hooks/default.nix
View File

@@ -10,7 +10,13 @@ in
pre-commit-hooks-nix.lib.${pkgs.stdenv.hostPlatform.system}.run { pre-commit-hooks-nix.lib.${pkgs.stdenv.hostPlatform.system}.run {
src = ../..; src = ../..;
hooks = { hooks = {
pre-commit-hook-ensure-sops.enable = true; pre-commit-hook-ensure-sops = {
enable = true;
excludes = [
"secrets/.*\\.jwe$"
"secrets/.*\\.key$"
];
};
treefmt = { treefmt = {
enable = lib.mkForce true; enable = lib.mkForce true;
settings.fail-on-change = lib.mkForce false; settings.fail-on-change = lib.mkForce false;
@@ -24,6 +30,10 @@ pre-commit-hooks-nix.lib.${pkgs.stdenv.hostPlatform.system}.run {
}; };
statix = { statix = {
enable = true; enable = true;
args = [
"--config"
(lib.snowfall.fs.get-file "statix.toml")
];
}; };
}; };
} }

15
flake.lock generated
View File

@@ -1435,17 +1435,14 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1774472006, "lastModified": 1774473056,
"narHash": "sha256-PsAau0yCoQDNqFnCxCJhwbYMSYIDQEeE22BEBiJM5uw=", "narHash": "sha256-JeIOcQt7ctjOYxgy4+7ayDmHesHuPaFgbQ1WpcUrm/w=",
"owner": "mjallen18", "path": "/home/admin/dev/snowfall-lib",
"repo": "snowfall-lib", "type": "path"
"rev": "342561701e62e4b57ffb4d52496d16743e16662f",
"type": "github"
}, },
"original": { "original": {
"owner": "mjallen18", "path": "/home/admin/dev/snowfall-lib",
"repo": "snowfall-lib", "type": "path"
"type": "github"
} }
}, },
"sops-nix": { "sops-nix": {

6
flake.nix
View File

@@ -23,7 +23,7 @@
# The name "snowfall-lib" is required due to how Snowfall Lib processes your # The name "snowfall-lib" is required due to how Snowfall Lib processes your
# flake's inputs. Using a personal fork for custom changes. # flake's inputs. Using a personal fork for custom changes.
snowfall-lib = { snowfall-lib = {
url = "github:mjallen18/snowfall-lib"; url = "path:/home/admin/dev/snowfall-lib";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
@@ -150,8 +150,10 @@
]; ];
modules.home = with inputs; [ modules.home = with inputs; [
nix-index-database.homeManagerModules.nix-index nix-index-database.homeModules.nix-index
steam-rom-manager.homeManagerModules.default steam-rom-manager.homeManagerModules.default
sops-nix.homeManagerModules.sops
stylix.homeModules.stylix
]; ];
# common darwin modules # common darwin modules

1
homes/x86_64-linux/admin@jallen-nas/default.nix
View File

@@ -1,6 +1,5 @@
{ {
pkgs, pkgs,
config,
lib, lib,
inputs, inputs,
namespace, namespace,

9
lib/versioning/default.nix
View File

@@ -1,11 +1,6 @@
{ {
lib, lib,
inputs,
system ? "aarch64-linux",
}: }:
let
pkgs = inputs.nixpkgs.legacyPackages.${system};
in
let let
inherit (builtins) inherit (builtins)
isAttrs isAttrs
@@ -146,10 +141,6 @@ let
# fetcher == "none": pass-through (e.g., linux version/hash consumed by custom logic) # fetcher == "none": pass-through (e.g., linux version/hash consumed by custom logic)
comp; comp;
# Build a single src from a rendered component spec using the default (lib-level) pkgs.
# Deprecated: prefer mkSrcFromRendered' with an explicit pkgs argument.
mkSrcFromRendered = mkSrcFromRendered' pkgs;
in in
rec { rec {
/* /*

3
modules/darwin/programs/ssh/default.nix
View File

@@ -1,5 +1,4 @@
{ ... }: _: {
{
config = { config = {
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
desktop = { desktop = {

3
modules/home/gpg/default.nix
View File

@@ -1,5 +1,4 @@
{ ... }: _: {
{
programs = { programs = {
gpg = { gpg = {
enable = true; enable = true;

2
modules/home/home/default.nix
View File

@@ -4,12 +4,10 @@
pkgs, pkgs,
namespace, namespace,
hasDestopEnvironment ? true, hasDestopEnvironment ? true,
system,
... ...
}: }:
let let
inherit (lib.${namespace}) enabled; inherit (lib.${namespace}) enabled;
isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
# Non-login / system accounts (root, nixos installer, etc.) should not get # Non-login / system accounts (root, nixos installer, etc.) should not get
# desktop packages, tmux, nh, kdeconnect, nextcloud-client, etc. # desktop packages, tmux, nh, kdeconnect, nextcloud-client, etc.
# Detect them by username so individual host home files are not needed. # Detect them by username so individual host home files are not needed.

1
modules/home/programs/code/default.nix
View File

@@ -2,7 +2,6 @@
config, config,
pkgs, pkgs,
system, system,
namespace,
hasDestopEnvironment ? true, hasDestopEnvironment ? true,
... ...
}: }:

1
modules/home/programs/update-checker/default.nix
View File

@@ -1,6 +1,5 @@
{ {
config, config,
namespace,
pkgs, pkgs,
... ...
}: }:

40
modules/nixos/hardware/raspberry-pi/audio.nix
View File

@@ -16,27 +16,25 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
hardware.deviceTree = { hardware.deviceTree = {
overlays = overlays = (
[ ] with pkgs.${namespace};
++ ( (
with pkgs.${namespace}; if (variant == "5") then
( [
if (variant == "5") then {
[ name = "pisound-pi5-overlay";
{ dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-pi5-overlay.dts";
name = "pisound-pi5-overlay"; }
dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-pi5-overlay.dts"; ]
} else
] [
else {
[ name = "pisound-overlay";
{ dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-overlay.dts";
name = "pisound-overlay"; }
dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-overlay.dts"; ]
} )
] );
)
);
}; };
}; };
} }

42
modules/nixos/hardware/raspberry-pi/bluetooth.nix
View File

@@ -16,28 +16,26 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
hardware.deviceTree = { hardware.deviceTree = {
overlays = overlays = (
[ ] if (variant == "5") then
++ ( [
if (variant == "5") then {
[ name = "disable-bt-pi5-overlay";
{ dtsFile = "${
name = "disable-bt-pi5-overlay"; pkgs.${namespace}.raspberrypi-overlays
dtsFile = "${ }/dtbs/raspberrypi-overlays/disable-bt-pi5-overlay.dts";
pkgs.${namespace}.raspberrypi-overlays }
}/dtbs/raspberrypi-overlays/disable-bt-pi5-overlay.dts"; ]
} else
] [
else {
[ name = "disable-bt-overlay";
{ dtsFile = "${
name = "disable-bt-overlay"; pkgs.${namespace}.raspberrypi-overlays
dtsFile = "${ }/dtbs/raspberrypi-overlays/disable-bt-overlay.dts";
pkgs.${namespace}.raspberrypi-overlays }
}/dtbs/raspberrypi-overlays/disable-bt-overlay.dts"; ]
} );
]
);
}; };
}; };
} }

2
modules/nixos/hardware/raspberry-pi/config.nix
View File

@@ -19,7 +19,7 @@ let
render-kvs = render-kvs =
kvs: kvs:
let let
render-kv = k: v: if isNull v.value then k else "${k}=${toString v.value}"; render-kv = k: v: if v.value == null then k else "${k}=${toString v.value}";
in in
lib.attrsets.mapAttrsToList render-kv (lib.filterAttrs (_k: v: v.enable) kvs); lib.attrsets.mapAttrsToList render-kv (lib.filterAttrs (_k: v: v.enable) kvs);

5
modules/nixos/hardware/raspberry-pi/default.nix
View File

@@ -451,8 +451,7 @@ in
}; };
nixpkgs.overlays = nixpkgs.overlays =
[ ] (
++ (
if cfg.variant == "5" then if cfg.variant == "5" then
[ [
(_final: prev: { (_final: prev: {
@@ -465,7 +464,7 @@ in
let let
pageSizeFlag = "--with-lg-page"; pageSizeFlag = "--with-lg-page";
in in
(prev.lib.filter (flag: prev.lib.hasPrefix pageSizeFlag flag == false) old.configureFlags) (prev.lib.filter (flag: !(prev.lib.hasPrefix pageSizeFlag flag)) old.configureFlags)
++ [ "${pageSizeFlag}=14" ]; ++ [ "${pageSizeFlag}=14" ];
}); });
}) })

42
modules/nixos/hardware/raspberry-pi/modesetting.nix
View File

@@ -16,28 +16,26 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
hardware.deviceTree = { hardware.deviceTree = {
overlays = overlays = (
[ ] if (variant == "5") then
++ ( [
if (variant == "5") then {
[ name = "vc4-kms-v3d-pi5-overlay";
{ dtsFile = "${
name = "vc4-kms-v3d-pi5-overlay"; pkgs.${namespace}.raspberrypi-overlays
dtsFile = "${ }/dtbs/raspberrypi-overlays/vc4-kms-v3d-pi5-overlay.dts";
pkgs.${namespace}.raspberrypi-overlays }
}/dtbs/raspberrypi-overlays/vc4-kms-v3d-pi5-overlay.dts"; ]
} else
] [
else {
[ name = "vc4-fkms-v3d-pi4-overlay";
{ dtsFile = "${
name = "vc4-fkms-v3d-pi4-overlay"; pkgs.${namespace}.raspberrypi-overlays
dtsFile = "${ }/dtbs/raspberrypi-overlays/vc4-fkms-v3d-pi4-overlay.dts";
pkgs.${namespace}.raspberrypi-overlays }
}/dtbs/raspberrypi-overlays/vc4-fkms-v3d-pi4-overlay.dts"; ]
} );
]
);
}; };
}; };
} }

50
modules/nixos/hardware/raspberry-pi/wifi.nix
View File

@@ -16,32 +16,30 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
hardware.deviceTree = { hardware.deviceTree = {
overlays = overlays = (
[ ] if (variant == "5") then
++ ( [
if (variant == "5") then {
[ name = "disable-wifi-pi5-overlay";
{ dtsFile = "${
name = "disable-wifi-pi5-overlay"; pkgs.${namespace}.raspberrypi-overlays
dtsFile = "${ }/dtbs/raspberrypi-overlays/disable-wifi-pi5-overlay.dts";
pkgs.${namespace}.raspberrypi-overlays }
}/dtbs/raspberrypi-overlays/disable-wifi-pi5-overlay.dts"; ]
} else
] [
else {
[ name = "disable-wifi-overlay";
{ dtsFile = "${
name = "disable-wifi-overlay"; pkgs.${namespace}.raspberrypi-overlays
dtsFile = "${ }/dtbs/raspberrypi-overlays/disable-wifi-overlay.dts";
pkgs.${namespace}.raspberrypi-overlays }
}/dtbs/raspberrypi-overlays/disable-wifi-overlay.dts"; {
} name = "wifimac-overlay";
{ dtsFile = "${pkgs.${namespace}.raspberrypi-overlays}/dtbs/raspberrypi-overlays/wifimac-overlay.dts";
name = "wifimac-overlay"; }
dtsFile = "${pkgs.${namespace}.raspberrypi-overlays}/dtbs/raspberrypi-overlays/wifimac-overlay.dts"; ]
} );
]
);
}; };
}; };
} }

14
modules/nixos/homeassistant/dashboards/default.nix
View File

@@ -11,15 +11,9 @@ in
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = lib.mkIf (cfg.enable && cfg.dashboards != [ ]) { config = lib.mkIf (cfg.enable && cfg.dashboards != [ ]) {
${namespace}.home.file = lib.genAttrs cfg.dashboards ( ${namespace}.home.file = lib.genAttrs cfg.dashboards (dashboard: {
dashboard: text = lib.generators.toYAML { } dashboard;
let force = true;
dashboardFile = "homeassistant/lovelace/${dashboard.title}.yaml"; });
in
{
text = lib.generators.toYAML { } dashboard;
force = true;
}
);
}; };
} }

103
modules/nixos/services/crowdsec/default.nix
View File

@@ -10,9 +10,6 @@ let
name = "crowdsec"; name = "crowdsec";
cfg = config.${namespace}.services.${name}; cfg = config.${namespace}.services.${name};
ntfyServer = "https://ntfy.mjallen.dev";
ntfyTopic = "crowdsec";
# Build the notification-http plugin binary from the crowdsec source. # Build the notification-http plugin binary from the crowdsec source.
# The nixpkgs crowdsec package omits all notification plugin binaries; # The nixpkgs crowdsec package omits all notification plugin binaries;
# we build just the http one we need. # we build just the http one we need.
@@ -223,30 +220,61 @@ let
# a nix store path via -c and never creates that file. Expose the full # a nix store path via -c and never creates that file. Expose the full
# NixOS-generated config (which includes plugin_config via # NixOS-generated config (which includes plugin_config via
# settings.general.plugin_config) at the well-known path. # settings.general.plugin_config) at the well-known path.
environment.etc."crowdsec/config.yaml" = environment.etc = {
let "crowdsec/config.yaml" =
execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1; let
configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart); execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1;
in configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart);
{ in
source = configPath; {
mode = "0440"; source = configPath;
mode = "0440";
user = "crowdsec";
group = "crowdsec";
};
# ---------------------------------------------------------------------------
# ntfy notifications via the CrowdSec HTTP notification plugin
# ---------------------------------------------------------------------------
# Place the notification-http binary at the path the NixOS crowdsec module
# hardcodes for plugin_dir (/etc/crowdsec/plugins/). CrowdSec matches
# plugins by their filename — it expects "notification-http" for type=http.
"crowdsec/plugins/notification-http" = lib.mkIf cfg.ntfy.enable {
source = "${crowdsecHttpPlugin}/bin/notification-http";
mode = "0550";
user = "crowdsec"; user = "crowdsec";
group = "crowdsec"; group = "crowdsec";
}; };
# --------------------------------------------------------------------------- # CrowdSec profiles.yaml: route every alert to the ntfy plugin.
# ntfy notifications via the CrowdSec HTTP notification plugin # This replaces the default "do nothing" profile.
# --------------------------------------------------------------------------- "crowdsec/profiles.yaml" = lib.mkIf cfg.ntfy.enable {
text = ''
# Place the notification-http binary at the path the NixOS crowdsec module name: default_ip_remediation
# hardcodes for plugin_dir (/etc/crowdsec/plugins/). CrowdSec matches filters:
# plugins by their filename — it expects "notification-http" for type=http. - Alert.Remediation == true && Alert.GetScope() == "Ip"
environment.etc."crowdsec/plugins/notification-http" = lib.mkIf cfg.ntfy.enable { decisions:
source = "${crowdsecHttpPlugin}/bin/notification-http"; - type: ban
mode = "0550"; duration: 4h
user = "crowdsec"; notifications:
group = "crowdsec"; - ntfy_plugin
on_success: break
---
name: default_range_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
'';
mode = "0440";
user = "crowdsec";
group = "crowdsec";
};
}; };
# The ntfy plugin config YAML (with credentials baked in) is managed as a # The ntfy plugin config YAML (with credentials baked in) is managed as a
@@ -260,35 +288,6 @@ let
}" }"
]; ];
# CrowdSec profiles.yaml: route every alert to the ntfy plugin.
# This replaces the default "do nothing" profile.
environment.etc."crowdsec/profiles.yaml" = lib.mkIf cfg.ntfy.enable {
text = ''
name: default_ip_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
---
name: default_range_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
- type: ban
duration: 4h
notifications:
- ntfy_plugin
on_success: break
'';
mode = "0440";
user = "crowdsec";
group = "crowdsec";
};
}; };
}; };
in in

6
modules/nixos/services/matrix/default.nix
View File

@@ -17,12 +17,12 @@ let
sops = { sops = {
secrets = { secrets = {
"jallen-nas/matrix/client-id" = { "jallen-nas/matrix/client-id" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml"); sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
owner = "matrix-synapse"; owner = "matrix-synapse";
group = "matrix-synapse"; group = "matrix-synapse";
}; };
"jallen-nas/matrix/client-secret" = { "jallen-nas/matrix/client-secret" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml"); sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
owner = "matrix-synapse"; owner = "matrix-synapse";
group = "matrix-synapse"; group = "matrix-synapse";
}; };
@@ -72,7 +72,7 @@ let
listeners = [ listeners = [
{ {
port = cfg.port; inherit (cfg) port;
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
bind_addresses = [ bind_addresses = [

1
modules/nixos/services/sparky-fitness/default.nix
View File

@@ -9,7 +9,6 @@ let
serverName = "sparky-fitness-server"; serverName = "sparky-fitness-server";
frontendName = "sparky-fitness"; frontendName = "sparky-fitness";
dbName = "sparky-fitness-db";
serverCfg = config.${namespace}.services.${serverName}; serverCfg = config.${namespace}.services.${serverName};
frontendCfg = config.${namespace}.services.${frontendName}; frontendCfg = config.${namespace}.services.${frontendName};

1
packages/cockpit-podman/default.nix
View File

@@ -1,5 +1,4 @@
{ {
fetchFromGitHub,
lib, lib,
namespace, namespace,
nodejs, nodejs,

1
packages/system/nebula-sign-cert/default.nix
View File

@@ -1,5 +1,4 @@
{ {
lib,
writeShellApplication, writeShellApplication,
nebula, nebula,
sops, sops,

6
packages/system/open-remote-ssh/default.nix
View File

@@ -16,12 +16,10 @@ let
in in
vscode-utils.buildVscodeMarketplaceExtension { vscode-utils.buildVscodeMarketplaceExtension {
mktplcRef = { mktplcRef = {
name = vars.name; inherit (vars) name publisher version;
publisher = vars.publisher;
version = vars.version;
}; };
vsix = sources.vsix; inherit (sources) vsix;
unpackPhase = '' unpackPhase = ''
${lib.getExe pkgs.unzip} -q $src ${lib.getExe pkgs.unzip} -q $src

25
statix.toml Normal file
View File

@@ -0,0 +1,25 @@
# Disable lint rules that generate excessive false-positives or noise.
#
# manual_inherit / manual_inherit_from: very high volume of style suggestions.
# useless_parens: many intentional parentheses for readability.
# empty_pattern: { ... }: is a valid and readable no-arg pattern.
# unquoted_uri: false-positives inside shell heredocs in Nix strings.
# useless_has_attr: if/has-attr patterns are sometimes clearer.
# repeated_keys: intentionally split across sections for readability/context.
disabled = [
"manual_inherit",
"manual_inherit_from",
"useless_parens",
"empty_pattern",
"unquoted_uri",
"useless_has_attr",
"repeated_keys",
]
# Exclude files where statix's parser fails on complex shell-in-Nix content.
ignore = [
"modules/home/programs/update-checker/default.nix",
"modules/home/programs/waybar/scripts/weather.nix",
"modules/home/programs/waybar/scripts/media.nix",
"qemu.nix",
]

2
systems/aarch64-linux/macbook-pro-nixos/filesystems.nix
View File

@@ -1,4 +1,4 @@
{ ... }: _:
let let
defaultNetworkShareOptions = [ defaultNetworkShareOptions = [
"sec=none" "sec=none"

46
systems/x86_64-linux/jallen-nas/services.nix
View File

@@ -7,12 +7,31 @@ let
nasData = "/media/nas/main"; nasData = "/media/nas/main";
in in
{ {
systemd.network.wait-online.enable = false; systemd = {
# Force tailscaled to use nftables (Critical for clean nftables-only systems) network.wait-online.enable = false;
# This avoids the "iptables-compat" translation layer issues. services = {
systemd.services.tailscaled.serviceConfig.Environment = [ # Force tailscaled to use nftables (Critical for clean nftables-only systems)
"TS_DEBUG_FIREWALL_MODE=nftables" # This avoids the "iptables-compat" translation layer issues.
]; tailscaled.serviceConfig.Environment = [
"TS_DEBUG_FIREWALL_MODE=nftables"
];
# Pre-create extensions and grant superuser-owned objects that the sparkyfitness
# role cannot manage itself. Appended to postgresql-setup.service which already
# runs as the postgres superuser after the DB is confirmed ready.
#
# 1. pg_stat_statements requires superuser to CREATE EXTENSION.
# 2. The extension installs functions owned by the postgres superuser; the
# sparkyfitness role cannot GRANT EXECUTE on objects it doesn't own, so we
# pre-grant them here before the app's grantPermissions() runs.
postgresql-setup.script = lib.mkAfter ''
psql -d sparkyfitness -c "
CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sparkyfitness;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;
"
'';
};
};
networking.nftables.enable = true; networking.nftables.enable = true;
boot.initrd.systemd.network.wait-online.enable = false; boot.initrd.systemd.network.wait-online.enable = false;
@@ -168,19 +187,4 @@ in
}; };
# Pre-create extensions and grant superuser-owned objects that the sparkyfitness
# role cannot manage itself. Appended to postgresql-setup.service which already
# runs as the postgres superuser after the DB is confirmed ready.
#
# 1. pg_stat_statements requires superuser to CREATE EXTENSION.
# 2. The extension installs functions owned by the postgres superuser; the
# sparkyfitness role cannot GRANT EXECUTE on objects it doesn't own, so we
# pre-grant them here before the app's grantPermissions() runs.
systemd.services.postgresql-setup.script = lib.mkAfter ''
psql -d sparkyfitness -c "
CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sparkyfitness;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;
"
'';
} }

8
systems/x86_64-linux/matt-nixos/sops.nix
View File

@@ -6,7 +6,7 @@
}: }:
let let
user = config.${namespace}.user.name; user = config.${namespace}.user.name;
desktopSopsFile = (lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml"); desktopSopsFile = lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml";
in in
{ {
# Permission modes are in octal representation (same as chmod), # Permission modes are in octal representation (same as chmod),
@@ -32,7 +32,7 @@ in
neededForUsers = true; neededForUsers = true;
mode = "0600"; mode = "0600";
owner = config.users.users."${user}".name; owner = config.users.users."${user}".name;
group = config.users.users."${user}".group; inherit (config.users.users."${user}") group;
}; };
"desktop/hass_token" = { "desktop/hass_token" = {
@@ -65,13 +65,13 @@ in
"ssh-keys-public/desktop-nixos" = { "ssh-keys-public/desktop-nixos" = {
mode = "0644"; mode = "0644";
owner = config.users.users."${user}".name; owner = config.users.users."${user}".name;
group = config.users.users."${user}".group; inherit (config.users.users."${user}") group;
restartUnits = [ "sshd.service" ]; restartUnits = [ "sshd.service" ];
}; };
"ssh-keys-private/desktop-nixos" = { "ssh-keys-private/desktop-nixos" = {
mode = "0600"; mode = "0600";
owner = config.users.users."${user}".name; owner = config.users.users."${user}".name;
group = config.users.users."${user}".group; inherit (config.users.users."${user}") group;
restartUnits = [ "sshd.service" ]; restartUnits = [ "sshd.service" ];
}; };
"ssh-keys-public/desktop-nixos-root" = { "ssh-keys-public/desktop-nixos-root" = {

5
treefmt.nix
View File

@@ -37,7 +37,10 @@
statix.enable = false; statix.enable = false;
stylua.enable = false; stylua.enable = false;
taplo.enable = false; taplo.enable = false;
yamlfmt.enable = true; yamlfmt = {
enable = true;
excludes = [ "secrets/*.yaml" ];
};
}; };
settings = { settings = {