port to a flake

built and switched. will try reboot.

.gitignore

@@ -1,2 +1,2 @@
 result
-secrets/
+secrets/*

cfg/services/duplicity.nix

@@ -7,7 +7,7 @@
   # create key with: b2 create-key --bucket uninsane-host-duplicity uninsane-host-duplicity-safe listBuckets,listFiles,readBuckets,readFiles,writeFiles
   #   ^ run this until you get a key with no forward slashes :upside_down:
   #   web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
-  services.duplicity.targetUrl = builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/nixos/secrets/duplicity_url);
+  services.duplicity.targetUrl = builtins.replaceStrings ["\n"] [""] (builtins.readFile ../../secrets/duplicity_url);
   # format: PASSPHRASE=<cleartext>
   # two sisters
   services.duplicity.secretFile = /etc/nixos/secrets/duplicity_env;

cfg/users.nix

@@ -14,7 +14,7 @@
     uid = 1000;
     # XXX colin: this is what the installer has, but is it necessary?
     # group = "users";
-    extraGroups = [ "wheel" ];
+    extraGroups = [ "wheel" "nixbuild" ];
     initialHashedPassword = "";
     shell = pkgs.bashInteractive;
     # XXX colin: create ssh key for THIS user by logging in and running:

configuration.nix

@@ -8,7 +8,7 @@
 #   nix-option   ##  query options -- including their SET VALUE; similar to search: https://search.nixos.org/options
 #   nixos-rebuild switch --upgrade   ## pull changes from the nixos channel (e.g. security updates) and rebuild
 
-{ config, modulesPath, pkgs, specialArgs, options }:
+{ config, pkgs, ... }:
 
 {
 
@@ -21,37 +21,5 @@
       experimental-features = nix-command flakes
     '';
   };
-
-  nixpkgs.overlays = [
-    (self: super: {
-      #### customized packages
-      # nixos-unstable pleroma is too far out-of-date for our db
-      pleroma = super.callPackage ./pkgs/pleroma { };
-      # jackett doesn't allow customization of the bind address: this will probably always be here.
-      jackett = self.callPackage ./pkgs/jackett { pkgs = super; };
-      # fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
-      # systemd = import ./pkgs/systemd { pkgs = super; };
-
-      #### nixos-unstable packages
-      # gitea: 1.16.5 contains a fix which makes manual user approval *actually* work.
-      # https://github.com/go-gitea/gitea/pull/19119
-      # safe to remove after 1.16.5 (or 1.16.7 if we need db compat?)
-      gitea = pkgs.unstable.gitea;
-
-      # try a newer rpi4 u-boot
-      # ubootRaspberryPi4_64bit = pkgs.unstable.ubootRaspberryPi4_64bit;
-      ubootRaspberryPi4_64bit = self.callPackage ./pkgs/ubootRaspberryPi4_64bit { pkgs = super; };
-    })
-  ];
-
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
-
 }
 

flake.lock

@@ -0,0 +1,42 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1652975354,
+        "narHash": "sha256-qP1DpEYQdSq7NZ542TSHffIT6xGm7MaSMG9faQWPcg0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "685d243d971c4f9655c981036b9c7bafdb728a0d",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-21.11",
+        "type": "indirect"
+      }
+    },
+    "pkgsUnstable": {
+      "locked": {
+        "lastModified": 1651726670,
+        "narHash": "sha256-dSGdzB49SEvdOJvrQWfQYkAefewXraHIV08Vz6iDXWQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c777cdf5c564015d5f63b09cc93bef4178b19b01",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "rev": "c777cdf5c564015d5f63b09cc93bef4178b19b01",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "pkgsUnstable": "pkgsUnstable"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -9,20 +9,54 @@
   };
   outputs = { self, pkgsUnstable, nixpkgs }: {
     nixosConfigurations.uninsane = nixpkgs.lib.nixosSystem {
-      inherit (self.packages.aarch64-linux) pkgs;
-      pkgs.unstable = pkgsUnstable;
+      # inherit (self.packages.aarch64-linux) pkgs;
+      pkgs = import nixpkgs {
+        system = "aarch64-linux";
+        config.allowUnfree = true;
+        overlays = [
+          (self: super: {
+            pkgsUnstable.system = "aarch64-linux";  # extraneous?
+            #### customized packages
+            # nixos-unstable pleroma is too far out-of-date for our db
+            pleroma = super.callPackage ./pkgs/pleroma { };
+            # jackett doesn't allow customization of the bind address: this will probably always be here.
+            jackett = self.callPackage ./pkgs/jackett { pkgs = super; };
+            # fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
+            # systemd = import ./pkgs/systemd { pkgs = super; };
+
+            #### nixos-unstable packages
+            # gitea: 1.16.5 contains a fix which makes manual user approval *actually* work.
+            # https://github.com/go-gitea/gitea/pull/19119
+            # safe to remove after 1.16.5 (or 1.16.7 if we need db compat?)
+            gitea = pkgsUnstable.legacyPackages.aarch64-linux.gitea;
+
+            # try a newer rpi4 u-boot
+            # ubootRaspberryPi4_64bit = pkgs.unstable.ubootRaspberryPi4_64bit;
+            ubootRaspberryPi4_64bit = self.callPackage ./pkgs/ubootRaspberryPi4_64bit { pkgs = super; };
+          })
+        ];
+      };
       system = "aarch64-linux";
       modules = [
         ./configuration.nix
         ./cfg
         ./modules
+        ({ pkgs, ... }: {
+          # This value determines the NixOS release from which the default
+          # settings for stateful data, like file locations and database versions
+          # on your system were taken. It‘s perfectly fine and recommended to leave
+          # this value at the release version of the first install of this system.
+          # Before changing this value read the documentation for this option
+          # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+          system.stateVersion = "21.11"; # Did you read the comment?
+        })
       ];
     };
-    packages = nixpkgs.lib.genAttrs nixpkgs.lib.platforms.all (system:
-      {
-        pkgs = import nixpkgs { inherit system; config.allowUnfree = true; };
-      }
-    );
+    # packages = nixpkgs.lib.genAttrs nixpkgs.lib.platforms.all (system:
+    #   {
+    #     pkgs = import nixpkgs { inherit system; config.allowUnfree = true; };
+    #   }
+    # );
     # flake-utils.lib.eachDefaultSystem (system:
     #   let pkgs = nixpkgs.legacyPackages.${system};
     #   in {

readme.md

@@ -0,0 +1,11 @@
+after checking out, drop secrets into secrets/
+
+to build:
+```sh
+nixos-rebuild --flake "/etc/nixos/#uninsane" {build,switch}
+```
+
+query with:
+```sh
+nix flake show
+```

secrets/duplicity_url

@@ -0,0 +1 @@
+b2://<REPLACEME:api-key-id>:<REPLACEME:api-key>@<REPLACEME:bucket-name>

secrets/readme.md

@@ -0,0 +1,6 @@
+populate the files here which are referenced from the rest of the nix config.
+
+hacky secrets management. TODO: read:
+- https://christine.website/blog/nixos-encrypted-secrets-2021-01-20
+- git-crypt (https://github.com/bobbbay/dotfiles.git)
+