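# Flake for the extremist.software Hetzner VPS.
#
# Outputs:
#   nixosConfigurations.extremist-software  - the host's system configuration
#   devShells.x86_64-linux.default          - shell with the deploy and secret-check helpers
{
  description = "NixOS Configuration for extremist.software Hetzner VPS";

  inputs = {
    # Tracks the nixos-unstable branch. The revision actually built is the one
    # recorded in flake.lock (not shown here), so lock-file changes deserve the
    # same review as changes to this file.
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

    # Every other input follows this flake's nixpkgs, so only one nixpkgs
    # revision is evaluated.
    disko.url = "github:nix-community/disko";
    disko.inputs.nixpkgs.follows = "nixpkgs";

    # Service flakes fetched over HTTPS from git.extremist.software. Their
    # NixOS modules are imported into the system below, so an update to any of
    # them changes code that is evaluated as part of this host's configuration.
    website.url = "git+https://git.extremist.software/jet/website";
    website.inputs.nixpkgs.follows = "nixpkgs";
    noisebell.url = "git+https://git.extremist.software/jet/noisebell";
    noisebell.inputs.nixpkgs.follows = "nixpkgs";
    noisepics.url = "git+https://git.extremist.software/jet/noisepics";
    noisepics.inputs.nixpkgs.follows = "nixpkgs";

    # Provides the age-encrypted secrets module and the agenix CLI used by
    # check-secrets in the dev shell.
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs =
    {
      self,
      nixpkgs,
      disko,
      ...
    }@inputs:
    {
      nixosConfigurations.extremist-software = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        # Hands the full input set to every module as the `inputs` argument.
        specialArgs = {
          inherit inputs;
        };
        modules = [
          disko.nixosModules.disko
          inputs.website.nixosModules.default
          inputs.agenix.nixosModules.default
          inputs.noisebell.nixosModules.default
          inputs.noisepics.nixosModules.default
          ./disk-config.nix
          ./configuration.nix
        ];
      };

      devShells.x86_64-linux.default =
        let
          pkgs = nixpkgs.legacyPackages.x86_64-linux;

          # `nhs`: build and switch the remote host over SSH as user `jet`.
          # Extra arguments are passed through to `nh`.
          # NOTE(review): a `path:` flake reference copies the directory as it
          # is on disk, not only git-tracked files, and the Nix store is
          # world-readable. Keep decrypted secrets and other plaintext
          # credentials out of this directory before deploying.
          deploy = pkgs.writeShellScriptBin "nhs" ''
            nh os switch --hostname extremist-software --target-host jet@extremist-software path:. "$@"
          '';

          # `check-secrets`: decrypt each secrets/*.age file and fail if the
          # plaintext ends in a newline (0x0a). Only the final byte is
          # inspected, as hex; the secret itself is never printed.
          # Exit status: 0 when every secret is clean, 1 otherwise.
          check-secrets = pkgs.writeShellScriptBin "check-secrets" ''
            set -euo pipefail

            failed=0
            for f in secrets/*.age; do
              # An unmatched glob is left as the literal pattern; stop with a
              # clear message instead of handing that pattern to agenix.
              if [ ! -e "$f" ]; then
                echo "FAIL: no files matched secrets/*.age"
                exit 1
              fi

              # Last byte of the decrypted secret as two hex digits (empty
              # when the plaintext is empty).
              last=$(agenix -d "$f" | tail -c 1 | od -An -tx1 | tr -d ' \n')
              if [ "$last" = "0a" ]; then
                echo "FAIL: $f has trailing newline"
                failed=1
              fi
            done

            if [ "$failed" -eq 0 ]; then
              echo "All secrets OK: no trailing newlines"
            fi
            exit "$failed"
          '';
        in
        pkgs.mkShell {
          packages = [
            pkgs.nh
            inputs.agenix.packages.x86_64-linux.default
            deploy
            check-secrets
          ];
        };
    };
}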