linuxlab.nix/flake.nix

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";

    flake-utils.url = "github:numtide/flake-utils";

    git-hooks = {
      url = "github:cachix/git-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    colmena = {
      url = "github:zhaofengli/colmena";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };

    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    nixago = {
      url = "github:jmgilman/nixago";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };

    sops = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    ldap-sync = {
      type = "git";
      url = "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git";
      flake = false;
    };
  };

  outputs =
    { self
    , nixpkgs
    , flake-utils
    , colmena
    , git-hooks
    , nixago
    , ...
    }@inputs:
    let

      # List of all machine names as defined in the machines directory
      machines = builtins.attrNames (builtins.readDir ./machines);

      clients = builtins.attrNames (import ./clients.nix);

    in
    {
      colmena = {
        meta = {
          nixpkgs = import nixpkgs {
            system = "x86_64-linux";
          };

          specialArgs = {
            inherit inputs;
          };
        };

        defaults = {
          imports = [
            inputs.disko.nixosModules.disko
            inputs.sops.nixosModules.sops

            ./shared
          ];

          deployment.replaceUnknownProfiles = false;
        };
      }

      # Machines
      // (builtins.listToAttrs (builtins.map
        (name: {
          inherit name;
          value = ./machines/${name};
        })
        machines))

      # Clients
      // (builtins.listToAttrs (builtins.map
        (id: {
          name = "client-${id}";
          value = (import ./client) id;
        })
        clients))
      ;

    } // flake-utils.lib.eachDefaultSystem (system: {
      checks = {
        pre-commit = git-hooks.lib.${system}.run {
          src = ./.;
          hooks = {
            nixpkgs-fmt.enable = true;
            statix.enable = true;
            shellcheck.enable = true;
          };
        };
      };

      devShells.default =
        let
          pkgs = nixpkgs.legacyPackages.${system};

          sops-config = nixago.lib.${system}.make {
            data = (pkgs.callPackage ./sops-config.nix {
              inherit machines;
            }).config;
            output = ".sops.yaml";
            format = "yaml";
          };

        in
        pkgs.mkShell {
          buildInputs =
            self.checks.${system}.pre-commit.enabledPackages ++
            [ colmena.packages.${system}.colmena ] ++
            (with pkgs; [
              bash
              gitAndTools.git
              sops
              age
              openssh
              ssh-to-age
            ]);

          shellHook = ''
            ${self.checks.${system}.pre-commit.shellHook}
            ${sops-config.shellHook}
          '';
        };

      packages.disks =
        let
          pkgs = nixpkgs.legacyPackages.${system};
          hive = colmena.lib.makeHive self.outputs.colmena;

        in
        pkgs.linkFarm "linuxlab-testing" (builtins.mapAttrs
          (_: node: node.config.system.build.diskoImages)
          hive.nodes);
    });

  nixConfig = {
    extra-substituters = [
      "https://colmena.cachix.org"
    ];

    extra-trusted-public-keys = [
      "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
    ];
  };
}