
chore(nixos): adopt flake-parts + treefmt/lint CI and dedup Darwin configs#64

Merged
GregHilston merged 1 commit into
masterfrom
chore/tooling-and-dedup
Jun 30, 2026

Conversation

@GregHilston

Owner

Summary

A deep-dive cleanup of the nixos/ config focused on two buckets: tooling/CI quality and simplify/dedup. No behavior changes to deployed systems — the Darwin host configs evaluate to the same Homebrew sets, oMLX deploy, and NFS mounts as before; this is structure, linting, and CI.

Secrets are documented only (a decision record), not migrated — 1Password stays the source of truth.

Tooling & CI

  • flake-parts migration — flake.nix no longer hand-stitches forEachSystem/pkgsFor and repeats the same specialArgs + module list 8×. Host wiring, formatting, and the dev shell now live in flake-modules/{hosts,treefmt,dev}.nix, with mkNixos/mkDarwin helpers collapsing the per-host boilerplate.
  • treefmt-nix — nix fmt now runs alejandra + statix + deadnix (deadnix configured with no-lambda-pattern-names = true so module arg signatures are preserved). Exposed as checks.<system>.treefmt, so nix flake check fails on lint/format violations.
  • git-hooks.nix — replaces the hand-rolled scripts/hooks/{pre-commit,pre-push} + install-hooks.sh. treefmt runs on pre-commit; nix flake check on pre-push. Installed via the devShell shellHook.
  • devShell — shell.nix folded into devShells.default (nix develop), matching the tooling CI uses.
  • GitHub Actions:
    • Fixed fmt.yml — the old nix fmt -- --check . was a silent no-op under treefmt; now builds the treefmt check.
    • Added citadel to the validate.yml Darwin matrix.
    • Added scheduled update-flake-lock.yml (DeterminateSystems) + dependabot.yml for pinned Actions.

Simplify & dedup

  • oMLX deploy — the stow + jq merge + launchctl kickstart block was pasted nearly verbatim across dungeon/moria/citadel. Extracted into a services.omlxDeploy option in modules/darwin/omlx.nix; each host now sets one cacheSize (8/32/12 GB). Activation ordering verified via the rendered postActivation.text.
  • Homebrew base/overlay — extracted homebrew-base.nix (shared enable/onActivation, common brews/casks/taps, the oMLX launchd agent) imported by all three Darwin hosts; each keeps only its extras. Verified behavior-preserving: all 9 evaluated brews/casks/taps sets (dungeon/moria/citadel) are byte-identical to before the split.
  • NFS mounts — dungeon's two near-identical mount daemons collapsed into a mkNfsMountDaemon { mountPoint; server; path; retries; logFile; } helper. Rendered scripts confirmed identical (correct IPs, retry counts, mount flags).
  • Stale docs — replaced the obsolete nix-gc "Future" note with accurate Determinate Nixd GC guidance.

Secrets (decision record only)

Added a note to nixos/CLAUDE.md: keep 1Password op inject as the source of truth; the manual headless just secrets (VNC + GUI unlock on dungeon) is tolerable while dungeon is the only headless Darwin host. Revisit (lean agenix) if a second headless host appears or the unlock dance becomes painful — both agenix and sops-nix decrypt at activation to tmpfs and remove the plaintext-on-disk + GUI-unlock steps. Not migrated this round.

Verification

  • nix fmt idempotent (0 changed on rerun)
  • nix flake check green (treefmt + pre-commit checks)
  • Dry-run builds clean for dungeon, moria, citadel (darwinConfigurations.<host>.system --dry-run)
  • Homebrew partition proven exact via before/after nix eval set diffs

Test plan

  • CI (fmt.yml, validate.yml) goes green on this PR
  • just dt <host> then just dr <host> on a Darwin host; confirm the ✓ oMLX configured for <host> activation line and merged ~/.omlx/settings.json
  • Confirm NFS mounts (/Volumes/unraid-data, /Volumes/fob-backup) still come up after activation
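The tooling bucket described above (flake-parts, treefmt-nix with deadnix's lambda-pattern names preserved, git-hooks.nix on pre-commit/pre-push, and the dev shell that installs the hooks) expressed as a single flake-parts module, as an added example written for this page; it is not the PR's own flake-modules/treefmt.nix. It assumes flake inputs named `treefmt-nix` and `git-hooks`, and relies on the option names those two projects' flake modules provide (`programs.deadnix.no-lambda-pattern-names`, `pre-commit.settings.hooks`, `pre-commit.installationScript`, `config.treefmt.build.wrapper`):

```nix
# flake-modules/treefmt.nix -- added illustration, not the project's own file.
# Assumes flake inputs named `treefmt-nix` and `git-hooks` (names are assumptions).
{ inputs, ... }: {
  imports = [
    inputs.treefmt-nix.flakeModule
    inputs.git-hooks.flakeModule
  ];

  perSystem = { config, pkgs, ... }: {
    # One definition serves both `nix fmt` (formatter.<system>) and
    # checks.<system>.treefmt, so `nix flake check` fails on any file the
    # formatters or linters would change -- the same gate for humans and CI.
    treefmt = {
      projectRootFile = "flake.nix";
      programs.alejandra.enable = true;
      programs.statix.enable = true;
      programs.deadnix = {
        enable = true;
        # Keep unused names in module argument patterns ({ config, lib, ... }):
        # without this deadnix rewrites the signature of every module.
        no-lambda-pattern-names = true;
      };
    };

    pre-commit.settings.hooks = {
      # pre-commit: run the treefmt wrapper built above, not whatever treefmt
      # happens to be on the developer's PATH.
      treefmt = {
        enable = true;
        package = config.treefmt.build.wrapper;
      };
      # pre-push: the full flake check, identical to what CI evaluates.
      flake-check = {
        enable = true;
        entry = "nix flake check";
        pass_filenames = false;
        stages = [ "pre-push" ];
      };
    };

    # Entering `nix develop` installs the hooks; nothing is copied into
    # .git/hooks by a hand-written install script.
    devShells.default = pkgs.mkShell {
      packages = [ config.treefmt.build.wrapper ];
      shellHook = config.pre-commit.installationScript;
    };
  };
}
```

Hooks installed through the dev shell only protect a working copy whose owner entered the shell and did not push with `--no-verify`; the `checks.<system>.treefmt` output built in CI is the gate that actually holds for every contributor, which is why the `fmt.yml` fix matters more than the hooks themselves.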

…nfigs

Tooling & CI:
- Migrate flake.nix to flake-parts; split host wiring, treefmt, and dev
  shell into flake-modules/{hosts,treefmt,dev}.nix
- treefmt-nix runs alejandra + statix + deadnix as `nix fmt` and a
  `nix flake check` gate
- Replace hand-rolled scripts/hooks/* with git-hooks.nix (treefmt on
  pre-commit, `nix flake check` on pre-push) and a real devShell
- Fold shell.nix into devShells.default
- CI: fix fmt.yml (was a no-op `nix fmt --check`), add citadel to
  validate.yml, add scheduled update-flake-lock.yml + dependabot.yml

Simplify & dedup:
- Extract the oMLX deploy script into `services.omlxDeploy` (each host
  sets one cacheSize) instead of pasting ~30 lines per Darwin host
- Split Homebrew into homebrew-base.nix (shared baseline + oMLX agent)
  plus per-host extras; verified evaluated brew/cask/tap sets unchanged
- Factor dungeon's two NFS mount daemons into a mkNfsMountDaemon helper
- Retire the stale nix-gc "Future" note in favour of Determinate Nixd
- Add a secrets decision-record note (keep 1Password; revisit agenix if
  a second headless host appears) — documented only, not migrated
@GregHilston GregHilston merged commit 321ed35 into master Jun 30, 2026
3 checks passed
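The `mkNfsMountDaemon { mountPoint; server; path; retries; logFile; }` helper named in the description, as an added illustration of the dedup pattern rather than the PR's own module: one function produces a nix-darwin `launchd.daemons` entry, so the retry loop, logging and mount flags exist exactly once and a fix lands on every mount at the same time. The two mount points come from the test plan; the module file name, the server addresses (192.0.2.x documentation addresses), the export paths, the log file names and the default retry count are all assumptions, and the mount flags are an illustrative choice, not the PR's rendered ones:

```nix
# modules/darwin/nfs-mounts.nix (file name assumed) -- added illustration,
# not the project's own helper.
{ pkgs, ... }:
let
  # Every per-mount difference is a parameter; everything else lives here once.
  mkNfsMountDaemon = { mountPoint, server, path, retries ? 10, logFile }: {
    serviceConfig = {
      RunAtLoad = true;
      # Bounded retries inside the script instead of launchd respawning
      # forever against a server that is down.
      KeepAlive = false;
      StandardOutPath = logFile;
      StandardErrorPath = logFile;
    };
    # Runs as root under launchd; every binary is referenced by absolute path.
    script = ''
      set -u
      # Idempotent: an already-mounted target is a success, not a remount.
      if /sbin/mount | ${pkgs.gnugrep}/bin/grep -q " on ${mountPoint} "; then
        echo "$(/bin/date) already mounted: ${mountPoint}"
        exit 0
      fi
      /bin/mkdir -p ${mountPoint}
      for i in $(${pkgs.coreutils}/bin/seq 1 ${toString retries}); do
        # resvport: use a privileged source port, which most NFS servers'
        # default export options require (flags are an assumption here).
        if /sbin/mount -t nfs -o resvport ${server}:${path} ${mountPoint}; then
          echo "$(/bin/date) mounted ${server}:${path} on ${mountPoint} (attempt $i)"
          exit 0
        fi
        echo "$(/bin/date) attempt $i/${toString retries} failed for ${mountPoint}"
        /bin/sleep 5
      done
      echo "$(/bin/date) giving up on ${mountPoint} after ${toString retries} attempts"
      exit 1
    '';
  };
in {
  launchd.daemons = {
    nfs-unraid-data = mkNfsMountDaemon {
      mountPoint = "/Volumes/unraid-data";
      server = "192.0.2.10";          # placeholder, not the real NAS address
      path = "/export/unraid-data";   # assumed export path
      retries = 10;
      logFile = "/var/log/nfs-unraid-data.log";
    };
    nfs-fob-backup = mkNfsMountDaemon {
      mountPoint = "/Volumes/fob-backup";
      server = "192.0.2.20";          # placeholder, not the real server address
      path = "/export/fob-backup";    # assumed export path
      retries = 5;
      logFile = "/var/log/nfs-fob-backup.log";
    };
  };
}
```

The check the description mentions, comparing the rendered scripts before and after the refactor, is what makes a helper like this safe to adopt: evaluate `darwinConfigurations.<host>.config.launchd.daemons.<name>.script` for each mount on both branches and diff the output, so the only differences are the parameters you intended to vary.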