initial commit

.envrc

@@ -0,0 +1 @@
+use flake

flake.nix

@@ -0,0 +1,22 @@
+{
+  description = "malobeo infrastructure";
+
+  inputs = {
+    utils.url = "github:numtide/flake-utils";
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+    mfsync.url = "github:k4lipso/mfsync";
+
+    home-manager-stable = {
+      url = "github:nix-community/home-manager/release-22.05";
+      inputs = {
+        nixpkgs.follows = "nixpkgs-stable";
+      };
+    };
+  };
+
+  outputs = { ... } @ args: import ./outputs.nix args;
+}

machines/configuration.nix

@@ -0,0 +1,42 @@
+{ self
+, nixpkgs-unstable
+, nixpkgs
+, sops-nix
+, inputs
+, nixos-hardware
+, home-manager
+, home-manager-stable
+, simple-nixos-mailserver
+, ...
+}:
+let
+  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem;
+  nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem;
+
+  baseModules = [
+    # make flake inputs accessiable in NixOS
+    { _module.args.inputs = inputs; }
+    {
+      imports = [
+        ({ pkgs, ... }: {
+          nix.extraOptions = ''
+            experimental-features = nix-command flakes
+          '';
+        })
+
+        sops-nix.nixosModules.sops
+      ];
+    }
+  ];
+  defaultModules = baseModules;
+in
+{
+  moderatio = nixosSystem {
+    system = "x86_64-linux";
+    specialArgs.inputs = inputs;
+    modules = defaultModules ++ [
+      #nixos-hardware.nixosModules.lenovo-thinkpad-t480s
+      ./moderatio/configuration.nix
+    ];
+  };
+}

outputs.nix

@@ -0,0 +1,24 @@
+{ self
+, utils
+, nixpkgs
+, nixpkgs-unstable
+, sops-nix
+, ...
+} @inputs:
+
+# filter i686-liux from defaultSystem to run nix flake check successfully
+let filter_system = name: if name == utils.lib.system.i686-linux then false else true;
+in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems) ( system:
+  let
+    pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}";
+    pkgs = nixpkgs.legacyPackages."${system}";
+  in
+  {
+    devShells.default = pkgs.callPackage ./shell.nix {
+      inherit (sops-nix.packages."${pkgs.system}") sops-import-keys-hook ssh-to-pgp sops-init-gpg-key;
+    };
+  })) // {
+    nixosConfigurations = import ./machines/configuration.nix (inputs // {
+      inherit inputs;
+    });
+}

shell.nix

@@ -0,0 +1,20 @@
+{ mkShell
+, sops-import-keys-hook
+, ssh-to-pgp
+, sops-init-gpg-key
+, sops
+}:
+
+mkShell {
+  sopsPGPKeyDirs = [
+    "./machines/secrets/keys/hosts"
+    "./machines/secrets/keys/users"
+  ];
+
+  nativeBuildInputs = [
+    ssh-to-pgp
+    sops-import-keys-hook
+    sops-init-gpg-key
+    sops
+  ];
+}