chore: switched to colmena and sane file layout

2023-05-02 22:08:36 +09:00 · 2023-05-02 22:08:36 +09:00 · 6866a1e19d
parent 38e496f5af
commit 6866a1e19d
29 changed files with 434 additions and 243 deletions
--- a/apps/rekey.nix
+++ b/apps/rekey.nix
@ -1,72 +0,0 @@
 {
  self,
  nixpkgs,
  ...
 }: system:
 with nixpkgs.lib; let
  pkgs = import nixpkgs {inherit system;};
  rekeyCommandForHost = hostName: hostAttrs: let
    masterIdentities = strings.concatMapStrings (x: "-i ${x} ") hostAttrs.config.rekey.masterIdentityPaths;
    pubKeyStr = hostAttrs.config.rekey.pubKey;
    secretPath = "/tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/";
    rekeyCommand = secretName: secretAttrs: ''
      echo "Rekeying secret ${secretName} for host ${hostName}"
      echo "${secretAttrs.file}"
      ${pkgs.rage}/bin/rage ${masterIdentities} -d ${secretAttrs.file} \
      | ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e \
      || { echo "[1;3mCould not rekey secrets. Inserting dummy values[m" \
      ; echo "Invalide due to failure when rekeying." \
      | ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e ;}
    '';
  in
    if masterIdentities == ""
    then ''
      echo -e "[1;3mNo Identities set for host ${hostName}. Cannot decrypt.\n\
      Make sure you set 'config.rekey.masterIdentityPaths'[m"
    ''
    else if
      let
        key = hostAttrs.config.rekey.pubKey;
      in
        isPath key && (! pathExists key)
    then ''
      echo -e "[1;3mNo public keys available for host ${hostName}. Can not decrypt.\n\
      Make sure the public keys are reachable by the building system'[m"
    ''
    else ''
      mkdir -p ${secretPath}
      ${concatStringsSep "\n" (mapAttrsToList rekeyCommand hostAttrs.config.rekey.secrets)}
    '';
  rekeyScript = ''
    set -euo pipefail
    ${concatStringsSep "\n" (mapAttrsToList rekeyCommandForHost self.nixosConfigurations)}
    nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets"
  '';
  rekey-exe = pkgs.writeShellScript "rekey.sh" rekeyScript;
  rekey-copy-secretsForHost = hostName: hostAttrs: let
    drv = import ../modules/rekey-drv.nix pkgs hostAttrs.config;
  in ''
    echo "Copied secrets for ${hostName} to ${drv}"
  '';
  rekey-copy-secrets-exe = pkgs.writeShellScript "rekey-copy-secrets.sh" ''
    ${concatStringsSep "\n" (mapAttrsToList rekey-copy-secretsForHost self.nixosConfigurations)}
  '';
 in {
  rekey = {
    type = "app";
    program = "${rekey-exe}";
  };
  rekey-copy-secrets = {
    type = "app";
    program = "${rekey-copy-secrets-exe}";
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -21,6 +21,51 @@
        "type": "github"
      }
    },
    "agenix-rekey": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1682854491,
        "narHash": "sha256-xFTgMA+whHZyRAAN6EQUX0gMAjSGi44+sFbIPOXVShw=",
        "owner": "oddlama",
        "repo": "agenix-rekey",
        "rev": "7096bf1e2acdbf8c6e8dda6f452d06d9d72fb3a7",
        "type": "github"
      },
      "original": {
        "owner": "oddlama",
        "repo": "agenix-rekey",
        "type": "github"
      }
    },
    "colmena": {
      "inputs": {
        "flake-compat": "flake-compat",
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "stable": "stable"
      },
      "locked": {
        "lastModified": 1682737380,
        "narHash": "sha256-n3rZkHZls9BNr35o3veK00UsM1KSh/oNTJjLkFbEOY8=",
        "owner": "zhaofengli",
        "repo": "colmena",
        "rev": "be837ee341b6508c355035973d5f7c7e88d7c64f",
        "type": "github"
      },
      "original": {
        "owner": "zhaofengli",
        "repo": "colmena",
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@ -44,6 +89,22 @@
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1650374568,
        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
@ -160,6 +221,21 @@
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1683009613,
        "narHash": "sha256-jJh8JaoHOLlk7iFLgZk1PlxCCNA2KTKfOLMLCa9mduA=",
        "owner": "nixos",
        "repo": "nixos-hardware",
        "rev": "7dc46304675f4ff2d6be921ef60883efd31363c4",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1681920287,
@ -210,7 +286,7 @@
    },
    "pre-commit-hooks": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
        "flake-utils": [
          "flake-utils"
        ],
@ -237,14 +313,33 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
        "agenix-rekey": "agenix-rekey",
        "colmena": "colmena",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "hyprland": "hyprland",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
        "pre-commit-hooks": "pre-commit-hooks",
        "templates": "templates"
      }
    },
    "stable": {
      "locked": {
        "lastModified": 1669735802,
        "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "731cc710aeebecbf45a258e977e8b68350549522",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-22.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@ -262,17 +357,17 @@
    },
    "templates": {
      "locked": {
-        "lastModified": 1679299625,
+        "lastModified": 1678524284,
-        "narHash": "sha256-b3t2blYgmHf/HXc152Fa7+YKJSS05vRnrs8i+H6SWA8=",
+        "narHash": "sha256-3tk4RHKrIbz2tNVyW2WOrgZBe26jhfBiz7bzb7b8p5I=",
-        "ref": "refs/heads/main",
+        "owner": "nixos",
-        "rev": "c659b85f238d5554b98c2653cea4fd86f5ad8f4e",
+        "repo": "templates",
-        "revCount": 1,
+        "rev": "0edaa0637331e9d8acca5c8ec67936a2c8b8749b",
-        "type": "git",
+        "type": "github"
        "url": "ssh://gitea@git.lel.lol/patrick/nix-templates.git"
      },
      "original": {
-        "type": "git",
+        "owner": "nixos",
-        "url": "ssh://gitea@git.lel.lol/patrick/nix-templates.git"
+        "repo": "templates",
        "type": "github"
      }
    },
    "wlroots": {
--- a/flake.nix
+++ b/flake.nix
@ -15,6 +15,12 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Bin zu faul des zu kopieren
    agenix-rekey = {
      url = "github:oddlama/agenix-rekey";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    flake-utils.url = "github:numtide/flake-utils";
    pre-commit-hooks = {
@ -23,71 +29,60 @@
      inputs.flake-utils.follows = "flake-utils";
    };
-    templates = {
+    templates.url = "github:nixos/templates";
-      url = "git+ssh://gitea@git.lel.lol/patrick/nix-templates.git";
+
    colmena = {
      url = "github:zhaofengli/colmena";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    # someday
    #impermanence.url = "github:nix-community/impermanence";
    nixos-hardware.url = "github:nixos/nixos-hardware";
    hyprland.url = "github:hyprwm/Hyprland";
  };
  outputs = {
    self,
    nixpkgs,
    home-manager,
    agenix,
    flake-utils,
-    templates,
+    colmena,
-    hyprland,
+    agenix-rekey,
    ...
-  } @ inputs: let
+  } @ inputs:
    system = "x86_64-linux";
  in
    {
-      nixosConfigurations.patricknix = nixpkgs.lib.nixosSystem {
+      secrets = {
-        inherit system;
+        masterIdentities = [./secrets/NIXOSc.key.pub ./secrets/NIXOSa.key.pub];
-        modules = [
+        extraEncryptionPubkeys = [./secrets/recipients.txt];
-          ./configuration.nix
+        content = import ./nix/secrets.nix inputs;
          home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
          }
          {home-manager.users.patrick.imports = [hyprland.homeManagerModules.default];}
          agenix.nixosModules.default
          {
            nix.registry = {
              nixpkgs.flake = nixpkgs;
              p.flake = nixpkgs;
              pkgs.flake = nixpkgs;
              templates.flake = templates;
            };
          }
        ];
      };
      hosts = {
        patricknix = {
          type = "nixos";
          system = "x86_64-linux";
        };
      };
      colmena = import ./nix/colmena.nix inputs;
      # all bare metal nodes
      colmenaNodes = ((colmena.lib.makeHive self.colmena).introspect (x: x)).nodes;
      # todo add microvmNodes
      nodes = self.colmenaNodes;
    }
-    // flake-utils.lib.eachSystem [system] (localSystem: rec {
+    // flake-utils.lib.eachDefaultSystem (system: rec {
      pkgs = import nixpkgs {
-        inherit localSystem;
+        inherit system;
        # TODO fix this to only allow specific unfree packages
        config.allowUnfree = true;
      };
-      apps = import ./apps/rekey.nix inputs localSystem;
+      apps = agenix-rekey.defineApps self pkgs self.nodes;
-
+      checks = import ./nix/checks.nix inputs system;
-      devShells.default = pkgs.mkShell {
+      devShells.default = import ./nix/dev-shell.nix inputs system;
-        name = "nixos config";
+      formatter = pkgs.alejandra;
        packages = with pkgs; [
          alejandra
          statix
          update-nix-fetchgit
          # lua and nix language servers
          lua-language-server
          nil
        ];
        shellHook = ''
          ${self.checks.${system}.pre-commit-check.shellHook}
        '';
      };
      checks = import ./modules/checks.nix inputs localSystem;
    });
 }
--- a/hosts/common/networking.nix
+++ b/hosts/common/networking.nix
@ -1,15 +1,15 @@
 {
  networking.wireless.iwd.enable = true;
  rekey.secrets.eduroam = {
-    file = ../secrets/iwd/eduroam.8021x.age;
+    file = ../../secrets/iwd/eduroam.8021x.age;
    path = "/var/lib/iwd/eduroam.8021x";
  };
  rekey.secrets.devoloog = {
-    file = ../secrets/iwd/devolo-og.psk.age;
+    file = ../../secrets/iwd/devolo-og.psk.age;
    path = "/var/lib/iwd/devolo-og.psk";
  };
  rekey.secrets.kaist = {
-    file = ../secrets/iwd/kaist.8021x.age;
+    file = ../../secrets/iwd/kaist.8021x.age;
    path = "/var/lib/iwd/Welcome_KAIST.8021x";
  };
@ -22,7 +22,7 @@
  # I need a static global IP address for my dorm LAN
  # So to not dox myself this config file is hardcoded
  rekey.secrets.enp0s20f0u2u4 = {
-    file = ../secrets/koreaIP.age;
+    file = ../../secrets/koreaIP.age;
    path = "/etc/systemd/network/10-enp0s20f0u2u4.network";
    mode = "444";
  };
--- a/hosts/common/nix.nix
+++ b/hosts/common/nix.nix
@ -1,4 +1,4 @@
-{
+{pkgs, ...}: {
  nix = {
    settings = {
      auto-optimise-store = true;
@ -22,9 +22,10 @@
    daemonIOSchedPriority = 5;
    distributedBuilds = true;
    extraOptions = ''
-      builders-use-substitutes = true
+         builders-use-substitutes = true
-      experimental-features = nix-command flakes recursive-nix
+         experimental-features = nix-command flakes recursive-nix
-      flake-registry = /etc/nix/registry.json
+         flake-registry = /etc/nix/registry.json
      plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
    '';
    optimise.automatic = true;
    gc = {
--- a/hosts/common/nvidia.nix
+++ b/hosts/common/nvidia.nix
--- a/hosts/common/pipewire.nix
+++ b/hosts/common/pipewire.nix
--- a/hosts/common/smb-mounts.nix
+++ b/hosts/common/smb-mounts.nix
@ -15,7 +15,7 @@
  ];
 in {
  environment.systemPackages = [pkgs.cifs-utils];
-  rekey.secrets.smb-creds.file = ../secrets/smb.cred.age;
+  rekey.secrets.smb-creds.file = ../../secrets/smb.cred.age;
  fileSystems = {
    "/mnt/smb/patri-data" = {
      device = "//10.0.0.1/patri-data";
--- a/hosts/common/touchscreen.nix
+++ b/hosts/common/touchscreen.nix
--- a/hosts/common/wireguard.nix
+++ b/hosts/common/wireguard.nix
@ -10,8 +10,8 @@
  privateKeyFile = config.rekey.secrets.wireguard-priv.path;
 in {
  rekey.secrets = {
-    wireguard-pre.file = ../secrets/wireguard/elisabeth-pre.wg.age;
+    wireguard-pre.file = ../../secrets/wireguard/elisabeth-pre.wg.age;
-    wireguard-priv.file = ../secrets/wireguard/elisabeth-priv.wg.age;
+    wireguard-priv.file = ../../secrets/wireguard/elisabeth-priv.wg.age;
  };
  networking.wg-quick.interfaces = {
--- a/hosts/common/xserver.nix
+++ b/hosts/common/xserver.nix
--- a/hosts/patricknix/default.nix
+++ b/hosts/patricknix/default.nix
@ -1,6 +1,9 @@
 {
  config,
  inputs,
  pkgs,
  nodeName,
  lib,
  ...
 }: let
  shell = pkgs.zsh;
@ -9,16 +12,14 @@ in {
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    #user home configuration
-    ./users
+    ../../users/patrick
    #
-    ./modules/pipewire.nix
+    ../common/pipewire.nix
-    ./modules/rekey.nix
+    ../common/nvidia.nix
-    ./modules/nvidia.nix
+    ../common/wireguard.nix
-    ./modules/wireguard.nix
+    ../common/smb-mounts.nix
-    ./modules/smb-mounts.nix
+    ../common/networking.nix
-    ./modules/networking.nix
+    ../common/nix.nix
    ./modules/nix.nix
    #./modules/xserver.nix
  ];
  # Use the systemd-boot EFI boot loader.
@ -43,10 +44,21 @@ in {
    packages = with pkgs; [terminus_font];
    useXkbConfig = true; # use xkbOptions in tty.
  };
  # Identities with which all secrets are encrypted
  rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key];
-  rekey.pubKey = ./keys + "/${config.networking.hostName}.pub";
+  rekey = {
    inherit
      (inputs.self.secrets)
      masterIdentities
      extraEncryptionPubkeys
      ;
    #forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;
    hostPubkey = let
      pubkeyPath = ../. + "/${nodeName}/secrets/host.pub";
    in
      lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${nodeName}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
      pubkeyPath;
  };
  hardware.opengl.enable = true;
@ -57,7 +69,7 @@ in {
  # Disable mutable Users, any option can only be set by the nix config
  users.mutableUsers = false;
-  rekey.secrets.patrick.file = ./secrets/patrick.passwd.age;
+  rekey.secrets.patrick.file = ../../secrets/patrick.passwd.age;
  environment.etc.issue.text = ''
    <<< Welcome to NixOS 23.05.20230304.3c5319a (\m) - \l >>>
@ -80,7 +92,7 @@ in {
    ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video $sys$devpath/brightness", RUN+="${pkgs.coreutils}/bin/chmod g+w $sys$devpath/brightness"
  '';
-  rekey.secrets.root.file = ./secrets/root.passwd.age;
+  rekey.secrets.root.file = ../../secrets/root.passwd.age;
  users.users.root = {
    inherit shell;
    openssh.authorizedKeys.keys = [
--- a/hosts/patricknix/hardware-configuration.nix
+++ b/hosts/patricknix/hardware-configuration.nix
--- a/hosts/patricknix/secrets/host.pub
+++ b/hosts/patricknix/secrets/host.pub
--- a/modules/checks.nix
+++ b/modules/checks.nix
@ -1,15 +0,0 @@
 {
  self,
  pre-commit-hooks,
  ...
 }: system: {
  pre-commit-check = pre-commit-hooks.lib.${system}.run {
    src = self.pkgs.${system}.lib.cleanSource ../.;
    hooks = {
      alejandra.enable = true;
      statix.enable = true;
      #luacheck
      #stylua
    };
  };
 }
--- a/modules/rekey-drv.nix
+++ b/modules/rekey-drv.nix
@ -1,22 +0,0 @@
 pkgs: config: (
  # Derivation to copy the rekeyd secrets for tmp to the nix store
  # Agenix will read them from the store for decryption
  pkgs.stdenv.mkDerivation rec {
    pname = "host-secrets";
    version = "1";
    description = "Rekeyed secrets for this host";
    # Set all keys and secrets as input so the derivation gets rebuild if any of them change
    pubKeyStr = config.rekey.pubKey;
    secretFiles = pkgs.lib.mapAttrsToList (_: x: x.file) config.rekey.secrets;
    dontMakeSourcesWriteable = true;
    dontUnpack = true;
    dontConfigure = true;
    dontBuild = true;
    installPhase = ''
         cp -r /tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/. $out \
      || { echo "Warning Secrets not available. Maybe you forgot to run 'nix run .#rekey' to rekey them?"; exit 1; }
    '';
  }
 )
--- a/modules/rekey.nix
+++ b/modules/rekey.nix
@ -1,43 +0,0 @@
 {
  lib,
  config,
  pkgs,
  stdenv,
  options,
  ...
 }: {
  options = with lib; {
    rekey.secrets = options.age.secrets;
    rekey.pubKey = mkOption {
      type = types.coercedTo types.path builtins.readFile types.str;
      description = ''
        The age public key set as a recipient when rekeying.
        either a path to a public key file or a string public key
        **NEVER set this to a private key part**
        ~~This will end up in the nix store.~~
      '';
      example = /etc/ssh/ssh_host_ed25519_key.pub;
    };
    rekey.masterIdentityPaths = mkOption {
      type = types.listOf types.path;
      description = ''
        A list of Identities used for decrypting your secrets before rekeying.
        **WARING this will end up in the nix-store**
        Only use yubikeys or password encrypted age keys
      '';
    };
  };
  config = with lib; let
    secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
    drv = import ./rekey-drv.nix pkgs config;
  in
    mkIf (config.rekey.secrets != {}) {
      # export all secrets to agenix with rewritten path from rekey
      age.secrets = let
        newPath = x: "${drv}/${x}.age";
      in
        mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
    };
 }
--- a/nix/checks.nix
+++ b/nix/checks.nix
@ -0,0 +1,18 @@
 {
  self,
  pre-commit-hooks,
  ...
 }: system:
 with self.pkgs.${system}; {
  pre-commit-check =
    pre-commit-hooks.lib.${system}.run
    {
      src = lib.cleanSource ../.;
      hooks = {
        alejandra.enable = true;
        statix.enable = true;
        luacheck.enable = true;
        stylua.enable = true;
      };
    };
 }
--- a/nix/colmena.nix
+++ b/nix/colmena.nix
@ -0,0 +1,28 @@
 {
  self,
  nixpkgs,
  ...
 } @ inputs: let
  inherit
    (nixpkgs.lib)
    filterAttrs
    mapAttrs
    ;
  nixosNodes = filterAttrs (_: x: x.type == "nixos") self.hosts;
  nodes = mapAttrs (import ./generate-node.nix inputs) nixosNodes;
  generateColmenaNode = nodeName: _: {
    inherit (nodes.${nodeName}) imports;
  };
 in
  {
    meta = {
      description = "Patrick's colmena configuration(Eigenhändig geklaut von oddlama";
      # Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below.
      nixpkgs = self.pkgs.x86_64-linux;
      # This is so colmena uses the correct nixpkgs and specialarges for each host
      nodeNixpkgs = mapAttrs (_: node: node.pkgs) nodes;
      nodeSpecialArgs = mapAttrs (_: node: node.specialArgs) nodes;
    };
  }
  // mapAttrs generateColmenaNode nodes
--- a/nix/dev-shell.nix
+++ b/nix/dev-shell.nix
@ -0,0 +1,28 @@
 {self, ...}: system:
 with self.pkgs.${system};
  mkShell {
    name = "nix-config";
    packages = [
      # Nix
      cachix
      colmena
      alejandra
      statix
      update-nix-fetchgit
      nil
      # Lua
      stylua
      (luajit.withPackages (p: with p; [luacheck]))
      lua-language-server
      # Misc
      shellcheck
      pre-commit
      rage
    ];
    shellHook = ''
      ${self.checks.${system}.pre-commit-check.shellHook}
    '';
  }
--- a/nix/extra-builtins.nix
+++ b/nix/extra-builtins.nix
@ -0,0 +1,34 @@
 # This file is intended to be used together with pkgs.nix-plugins,
 # to provide rage decryption as an additional safe builtin.
 #
 # Make sure that nix-plugins is installed by adding the following
 # statement to your configuration.nix:
 #
 # ```nix
 # {
 #   nix.extraOptions = ''
 #     plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
 #     # Please adjust path accordingly, or leave this out and alternativaly
 #     # pass `--option extra-builtins-file ./extra-builtins.nix` to each invocation
 #     extra-builtins-file = ./extra-builtins.nix
 #   '';
 # }
 # ```
 {exec, ...}: let
  assertMsg = pred: msg: pred || builtins.throw msg;
  hasSuffix = suffix: content: let
    lenContent = builtins.stringLength content;
    lenSuffix = builtins.stringLength suffix;
  in
    lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
 in {
  # Instead of calling rage directly here, we call a wrapper script that will cache the output
  # in a predictable path in /tmp, which allows us to only require the password for each encrypted
  # file once.
  rageImportEncrypted = identities: nixFile:
    assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
    assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
      exec ([./rage-decrypt-and-cache.sh nixFile] ++ identities);
  # currentSystem
  unsafeCurrentSystem = exec ["nix" "eval" "--impure" "--expr" "builtins.currentSystem"];
 }
--- a/nix/generate-node.nix
+++ b/nix/generate-node.nix
@ -0,0 +1,43 @@
 {
  self,
  colmena,
  home-manager,
  #impermanence,
  nixos-hardware,
  nixpkgs,
  agenix,
  agenix-rekey,
  hyprland,
  ...
 } @ inputs: let
  inherit (nixpkgs.lib) optionals;
 in
  nodeName: nodeMeta: {
    inherit (nodeMeta) system;
    pkgs = self.pkgs.${nodeMeta.system};
    specialArgs = {
      inherit (nixpkgs) lib;
      inherit (self) nodes;
      inherit inputs;
      inherit nodeName;
      inherit nodeMeta;
      inherit hyprland;
      secrets = self.secrets.content;
      nodeSecrets = self.secrets.content.nodes.${nodeName};
      nixos-hardware = nixos-hardware.nixosModules;
      #impermanence = impermanence.nixosModules;
    };
    imports = [
      (../hosts + "/${nodeName}")
      home-manager.nixosModules.default
      #impermanence.nixosModules.default
      agenix.nixosModules.default
      agenix-rekey.nixosModules.default
      #]
      #++ optionals nodeMeta.microVmHost [
      #  microvm.nixosModules.host
      #]
      #++ optionals (nodeMeta.type == "microvm") [
      #  microvm.nixosModules.microvm
    ];
  }
--- a/nix/rage-decrypt-and-cache.sh
+++ b/nix/rage-decrypt-and-cache.sh
@ -0,0 +1,39 @@
 #!/usr/bin/env bash
 set -euo pipefail
 print_out_path=false
 if [[ "$1" == "--print-out-path" ]]; then
 	print_out_path=true
 	shift
 fi
 file="$1"
 shift
 identities=("$@")
 # Strip .age suffix, and store path prefix or ./ if applicable
 basename="${file%".age"}"
 [[ "$file" == "/nix/store/"* ]] && basename="${basename#*"-"}"
 [[ "$file" == "./"* ]] && basename="${basename#"./"}"
 # Calculate a unique content-based identifier (relocations of
 # the source file in the nix store should not affect caching)
 new_name="$(sha512sum "$file")"
 new_name="${new_name:0:32}-${basename//"/"/"%"}"
 # Derive the path where the decrypted file will be stored
 out="/tmp/nix-import-encrypted/$new_name"
 mkdir -p "$(dirname "$out")"
 # Decrypt only if necessary
 if [[ ! -e "$out" ]]; then
 	args=()
 	for i in "${identities[@]}"; do
 		args+=("-i" "$i")
 	done
 	rage -d "${args[@]}" -o "$out" "$file"
 fi
 # Print out path or decrypted content
 [[ "$print_out_path" == true ]] && echo "$out" || cat "$out"
--- a/nix/secrets.nix
+++ b/nix/secrets.nix
@ -0,0 +1,43 @@
 # This file manages access to repository-secrets. Anything that is technically
 # not a secret on your hosts, but something you want to keep secret from the public.
 # Anything you don't want people to see on GitHub that isn't a password or encrypted
 # using agenix.
 #
 # All of these secrets may (and probably will be) put into the world-readable nix-store
 # on the build and target hosts. You'll most likely want to store personally identifiable
 # information here, such as:
 #   - MAC Addreses
 #   - Static IP addresses
 #   - Your full name (when configuring e.g. users)
 #   - Your postal address (when configuring e.g. home-assistant)
 #   - ...
 {
  self,
  nixpkgs,
  ...
 } @ inputs: let
  inherit
    (nixpkgs.lib)
    mapAttrs
    ;
  # If the given expression is a bare set, it will be wrapped in a function,
  # so that the imported file can always be applied to the inputs, similar to
  # how modules can be functions or sets.
  constSet = x:
    if builtins.isAttrs x
    then (_: x)
    else x;
  # This "imports" an encrypted .nix.age file
  importEncrypted = path:
    constSet (
      if builtins.pathExists path
      then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path
      else {}
    );
 in
  # this exposes all secrets in the repository secert file to the flake output
  (importEncrypted ../secrets/secrets.nix.age inputs)
  // {
    # this exposes host specific secrets
    nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.hosts;
  }
--- a/secrets/NIXOSa.key.pub
+++ b/secrets/NIXOSa.key.pub
--- a/secrets/NIXOSc.key.pub
+++ b/secrets/NIXOSc.key.pub
--- a/users/common/default.nix
+++ b/users/common/default.nix
@ -51,6 +51,11 @@
        user = "root";
        inherit identityFile;
      };
      "patricknix" = {
        hostname = "localhost";
        user = "root";
        inherit identityFile;
      };
      "WSALVM" = {
        hostname = "172.10.8.156";
--- a/users/patrick/default.nix
+++ b/users/patrick/default.nix
@ -1,14 +1,16 @@
 {
  config,
  home-manager,
  hyprland,
  ...
 }: {
  home-manager.users.patrick.imports = [
    hyprland.homeManagerModules.default
    ./patrick.nix
-    ./common
+    ../common
  ];
  home-manager.users.root = {
-    imports = [./common];
+    imports = [../common];
  };
 }
--- a/users/patrick/patrick.nix
+++ b/users/patrick/patrick.nix
@ -4,10 +4,10 @@
  ...
 }: {
  imports = [
-    common/programs/kitty.nix
+    ../common/programs/kitty.nix
-    common/graphical/hyprland.nix
+    ../common/graphical/hyprland.nix
    #common/programs/polybar.nix
-    common/programs/rofi.nix
+    ../common/programs/rofi.nix
    #common/programs/spotify.nix
    #common/graphical/herbstluftwm.nix
    #common/graphical/autorandr.nix