mirror of
https://github.com/SebastianWendel/srx-platform-nix.git
synced 2024-09-19 20:09:02 +02:00
292 lines
8.7 KiB
Nix
292 lines
8.7 KiB
Nix
{ self, lib, inputs, ... }:
|
||
{
|
||
imports = with inputs; [
|
||
git-hooks.flakeModule
|
||
treefmt-nix.flakeModule
|
||
devenv.flakeModule
|
||
devshell.flakeModule
|
||
flake-root.flakeModule
|
||
];
|
||
|
||
perSystem = { self', inputs', pkgs, config, ... }:
|
||
{
|
||
formatter = config.treefmt.build.wrapper;
|
||
|
||
pre-commit = {
|
||
inherit pkgs;
|
||
check.enable = true;
|
||
settings = {
|
||
hooks = {
|
||
treefmt.enable = true;
|
||
nil.enable = true;
|
||
statix.enable = true;
|
||
deadnix.enable = true;
|
||
shellcheck.enable = true;
|
||
};
|
||
excludes = [ "flake.lock" ];
|
||
};
|
||
};
|
||
|
||
treefmt = {
|
||
projectRootFile = "flake.nix";
|
||
programs = {
|
||
deadnix.enable = true;
|
||
deadnix.no-lambda-pattern-names = true;
|
||
nixpkgs-fmt.enable = true;
|
||
shellcheck.enable = true;
|
||
statix.enable = true;
|
||
};
|
||
};
|
||
|
||
devShells = {
|
||
default = pkgs.mkShell {
|
||
name = "srx.nix.digital";
|
||
inputsFrom = [
|
||
config.flake-root.devShell
|
||
self'.devShells.commands
|
||
self'.devShells.nix
|
||
self'.devShells.k8s
|
||
self'.devShells.opentofu
|
||
];
|
||
packages = with pkgs; [
|
||
gitFull
|
||
git-lfs
|
||
treefmt
|
||
act
|
||
actionlint
|
||
shellcheck
|
||
bind
|
||
knot-dns
|
||
wireguard-tools
|
||
ipcalc
|
||
minio-client
|
||
];
|
||
|
||
shellHook = ''
|
||
${config.pre-commit.installationScript}
|
||
'';
|
||
};
|
||
|
||
nix = pkgs.mkShell {
|
||
packages = with pkgs; [
|
||
(pkgs.vault-push-approle-envs self')
|
||
(pkgs.vault-push-approles self')
|
||
agenix
|
||
deadnix
|
||
nil
|
||
nix-fast-build
|
||
sops
|
||
statix
|
||
vault
|
||
];
|
||
};
|
||
|
||
k8s = pkgs.mkShell {
|
||
packages = with pkgs; [
|
||
k3d
|
||
kubectl
|
||
kubernetes-helm
|
||
];
|
||
};
|
||
};
|
||
|
||
devshells.commands = {
|
||
motd = ''
|
||
$(echo -e "\n")
|
||
{202}SRX Platform Development Environment{reset}
|
||
$(type -p menu &>/dev/null && menu)
|
||
'';
|
||
|
||
commands = [
|
||
{
|
||
name = "reload";
|
||
command = "direnv reload";
|
||
help = "Reload the local environment.";
|
||
category = "development";
|
||
}
|
||
{
|
||
name = "fmt";
|
||
command = "nix fmt";
|
||
help = "Run reformating with nix flake.";
|
||
category = "development";
|
||
}
|
||
{
|
||
name = "generate";
|
||
command = "${inputs'.nixos-generators.packages.nixos-generate}/bin/nixos-generate $@";
|
||
help = "Generate NixOS configuration with nixos-generators.";
|
||
category = "development";
|
||
}
|
||
{
|
||
name = "health";
|
||
command = "${lib.getExe pkgs.nix-health}";
|
||
help = "Checking the health of your Nix setup.";
|
||
category = "nix";
|
||
}
|
||
{
|
||
name = "list";
|
||
command = "nix flake show";
|
||
help = "Run nix flake cheshow.";
|
||
category = "nix";
|
||
}
|
||
{
|
||
name = "check";
|
||
command = "nix flake check";
|
||
help = "Run nix flake check.";
|
||
category = "nix";
|
||
}
|
||
{
|
||
name = "build";
|
||
command = "nix build";
|
||
help = "Run nix flake build.";
|
||
category = "nix";
|
||
}
|
||
{
|
||
name = "run";
|
||
command = "nix run .\#run-qemu-vm -- $@";
|
||
help = "Run host build in a qemu vm.";
|
||
category = "nix";
|
||
}
|
||
{
|
||
name = "repl";
|
||
command = "nix repl -f .";
|
||
help = "Evaluate expressions interactive with Nix repl.";
|
||
category = "nix";
|
||
}
|
||
{
|
||
name = "inspect";
|
||
command = "${lib.getExe pkgs.nix-inspect}";
|
||
help = "Inspect NixOS config and Nix expressions.";
|
||
category = "nix";
|
||
}
|
||
{
|
||
name = "cve";
|
||
command = "nix build && ${lib.getExe pkgs.vulnix} ./result";
|
||
help = "Run NixOS security scanner with vulnix.";
|
||
category = "security";
|
||
}
|
||
{
|
||
name = "secrets";
|
||
command = "${pkgs.trivy}/bin/trivy fs .";
|
||
help = "All-in-one security scanner with trivy.";
|
||
category = "security";
|
||
}
|
||
{
|
||
name = "age";
|
||
command = "${pkgs.agenix}/bin/agenix $@";
|
||
help = "Manage NixOS secrets with agenix.";
|
||
category = "operations";
|
||
}
|
||
{
|
||
name = "infect";
|
||
command = "${inputs'.nixos-anywhere.packages.nixos-anywhere}/bin/nixos-anywhere $@";
|
||
help = "Install NixOS everywhere via ssh.";
|
||
category = "operations";
|
||
}
|
||
{
|
||
name = "deploy";
|
||
command = "${pkgs.deploy-rs.deploy-rs}/bin/deploy $@";
|
||
help = "Deploy NixOS remote machines with deploy-rs.";
|
||
category = "operations";
|
||
}
|
||
{
|
||
name = "show";
|
||
command = "terranix --pkgs /run/current-system/nixpkgs terranix/default.nix";
|
||
help = "Show terranix state.";
|
||
category = "terraform";
|
||
}
|
||
{
|
||
name = "validate";
|
||
command = "nix run .\#tf-validate";
|
||
help = "Run terraform validate.";
|
||
category = "terraform";
|
||
}
|
||
{
|
||
name = "apply";
|
||
command = "nix run .\#tf-apply";
|
||
help = "Run terraform apply.";
|
||
category = "terraform";
|
||
}
|
||
{
|
||
name = "destroy";
|
||
command = "nix run .\#tf-destroy";
|
||
help = "Run terraform destroy.";
|
||
category = "terraform";
|
||
}
|
||
{
|
||
name = "state";
|
||
command = "nix run .\#tf-state -- $@";
|
||
help = "Manage terraform state.";
|
||
category = "terraform";
|
||
}
|
||
];
|
||
};
|
||
|
||
apps = {
|
||
run-qemu-vm = {
|
||
type = "app";
|
||
program = toString (pkgs.writers.writeBash "run-qemu-vm" ''
|
||
if [[ ! -z "$@" ]]; then
|
||
nixos-rebuild build-vm --flake .#$@
|
||
export QEMU_NET_OPTS="hostfwd=tcp::2221-:22"
|
||
./result/bin/run-$@-vm
|
||
else
|
||
echo "Usage: "$0" <host>"
|
||
exit 1
|
||
fi
|
||
'');
|
||
};
|
||
|
||
nix-upgrades = {
|
||
type = "app";
|
||
program = toString (pkgs.writers.writeBash "nix-upgrades" ''
|
||
set -eou pipefail
|
||
|
||
NORMAL="\033[0m"
|
||
RED="\033[0;31m"
|
||
YELLOW="\033[0;33m"
|
||
GREEN="\033[0;32m"
|
||
SKULL="💀"
|
||
CHECK="✅"
|
||
WARNING="⚠️"
|
||
FIRE="🔥"
|
||
MAG="🔍"
|
||
|
||
echo
|
||
echo -e "$YELLOW$MAG Scanning for upgradable hosts...$NORMAL"
|
||
echo
|
||
|
||
${lib.concatMapStringsSep "\n" (host:
|
||
let
|
||
inherit (self.hosts.${host}) address;
|
||
in lib.optionalString (address != null) ''
|
||
echo -n -e "${host}: $RED"
|
||
RUNNING=$(ssh "${address}" "readlink /run/current-system")
|
||
if [ $? = 0 ] && [ -n "$RUNNING" ]; then
|
||
CURRENT=$(nix eval --raw ".#nixosConfigurations.${host}.config.system.build.toplevel" 2>/dev/null)
|
||
RUNNING_VER=$(basename $RUNNING|rev|cut -d - -f 1|rev)
|
||
RUNNING_DATE=$(echo $RUNNING_VER|cut -d . -f 3)
|
||
CURRENT_VER=$(basename $CURRENT|rev|cut -d - -f 1|rev)
|
||
CURRENT_DATE=$(echo $CURRENT_VER|cut -d . -f 3)
|
||
|
||
if [ "$RUNNING" = "$CURRENT" ]; then
|
||
echo -e "$GREEN$CHECK Current: $NORMAL $RUNNING_VER"
|
||
elif [ $RUNNING_DATE -gt $CURRENT_DATE ]; then
|
||
echo -e "$GREEN$FIRE Newer: $NORMAL $RUNNING_VER > $CURRENT_VER"
|
||
elif [ "$RUNNING_VER" = "$CURRENT_VER" ]; then
|
||
echo -e "$YELLOW$WARNING Modified: $NORMAL $RUNNING_VER"
|
||
elif [ -n "$RUNNING_VER" ]; then
|
||
echo -e "$RED$SKULL Outdated: $NORMAL $RUNNING_VER < $CURRENT_VER"
|
||
else
|
||
echo -e "$RED$SKULL Error: $NORMAL $RUNNING_VER"
|
||
fi
|
||
else
|
||
echo -e "$RED$SKULL SSH Connection Failed$NORMAL"
|
||
fi
|
||
echo -n -e "$NORMAL"
|
||
'') (builtins.attrNames self.nixosConfigurations)}
|
||
'');
|
||
};
|
||
};
|
||
};
|
||
}
|