chore(nixos): adopt flake-parts + treefmt/lint CI and dedup Darwin configs#64
Merged
…nfigs
Tooling & CI:
- Migrate flake.nix to flake-parts; split host wiring, treefmt, and dev
shell into flake-modules/{hosts,treefmt,dev}.nix
- treefmt-nix runs alejandra + statix + deadnix as `nix fmt` and a
`nix flake check` gate
- Replace hand-rolled scripts/hooks/* with git-hooks.nix (treefmt on
pre-commit, `nix flake check` on pre-push) and a real devShell
- Fold shell.nix into devShells.default
- CI: fix fmt.yml (was a no-op `nix fmt --check`), add citadel to
validate.yml, add scheduled update-flake-lock.yml + dependabot.yml
Simplify & dedup:
- Extract the oMLX deploy script into `services.omlxDeploy` (each host
sets one cacheSize) instead of pasting ~30 lines per Darwin host
- Split Homebrew into homebrew-base.nix (shared baseline + oMLX agent)
plus per-host extras; verified evaluated brew/cask/tap sets unchanged
- Factor dungeon's two NFS mount daemons into a mkNfsMountDaemon helper
- Retire the stale nix-gc "Future" note in favour of Determinate Nixd
- Add a secrets decision-record note (keep 1Password; revisit agenix if
a second headless host appears) — documented only, not migrated
Summary

A deep-dive cleanup of the `nixos/` config focused on two buckets: tooling/CI quality and simplify/dedup. No behavior changes to deployed systems — the Darwin host configs evaluate to the same Homebrew sets, oMLX deploy, and NFS mounts as before; this is structure, linting, and CI. Secrets are documented only (a decision record), not migrated — 1Password stays the source of truth.

Tooling & CI

- `flake.nix` no longer hand-stitches `forEachSystem`/`pkgsFor` and repeats the same `specialArgs` + module list 8×. Host wiring, formatting, and the dev shell now live in `flake-modules/{hosts,treefmt,dev}.nix`, with `mkNixos`/`mkDarwin` helpers collapsing the per-host boilerplate.
- `nix fmt` now runs alejandra + statix + deadnix (deadnix configured with `no-lambda-pattern-names = true` so module arg signatures are preserved). Exposed as `checks.<system>.treefmt`, so `nix flake check` fails on lint/format violations.
- Replaced the hand-rolled `scripts/hooks/{pre-commit,pre-push}` + `install-hooks.sh` with git-hooks.nix. treefmt runs on pre-commit; `nix flake check` on pre-push. Installed via the devShell `shellHook`.
- `shell.nix` folded into `devShells.default` (`nix develop`), matching the tooling CI uses.
- `fmt.yml` — the old `nix fmt -- --check .` was a silent no-op under treefmt; now builds the `treefmt` check.
- Added citadel to the `validate.yml` Darwin matrix.
- Added `update-flake-lock.yml` (DeterminateSystems) + `dependabot.yml` for pinned Actions.

Simplify & dedup

- The oMLX deploy `jq` merge + `launchctl kickstart` block was pasted nearly verbatim across dungeon/moria/citadel. Extracted into a `services.omlxDeploy` option in `modules/darwin/omlx.nix`; each host now sets one `cacheSize` (8/32/12 GB). Activation ordering verified via the rendered `postActivation.text`.
- `homebrew-base.nix` (shared `enable`/`onActivation`, common brews/casks/taps, the oMLX launchd agent) is imported by all three Darwin hosts; each keeps only its extras. Verified behavior-preserving: all 9 evaluated `brews`/`casks`/`taps` sets (dungeon/moria/citadel) are byte-identical to before the split.
- dungeon's two NFS mount daemons factored into a `mkNfsMountDaemon { mountPoint; server; path; retries; logFile; }` helper. Rendered scripts confirmed identical (correct IPs, retry counts, mount flags).
- Replaced the stale `nix-gc` "Future" note with accurate Determinate Nixd GC guidance.

Secrets (decision record only)

Added a note to `nixos/CLAUDE.md`: keep 1Password `op inject` as the source of truth; the manual headless `just secrets` (VNC + GUI unlock on dungeon) is tolerable while dungeon is the only headless Darwin host. Revisit (lean agenix) if a second headless host appears or the unlock dance becomes painful — both agenix and sops-nix decrypt at activation to tmpfs and remove the plaintext-on-disk + GUI-unlock steps. Not migrated this round.

Verification

- `nix fmt` idempotent (0 changed on rerun)
- `nix flake check` green (treefmt + pre-commit checks)
- Darwin hosts dry-run build (`darwinConfigurations.<host>.system --dry-run`)
- `nix eval` set diffs for the Homebrew/oMLX/NFS checks above

Test plan

- CI (`fmt.yml`, `validate.yml`) goes green on this PR
- `just dt <host>` then `just dr <host>` on a Darwin host; confirm the `✓ oMLX configured for <host>` activation line and merged `~/.omlx/settings.json`
- NFS mounts (`/Volumes/unraid-data`, `/Volumes/fob-backup`) still come up after activation
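An added illustration of the `services.omlxDeploy` pattern described under Simplify & dedup, not the repository's own `modules/darwin/omlx.nix`: a nix-darwin module whose activation step merges a per-host `cacheSize` into `~/.omlx/settings.json` with `jq` and kickstarts the launchd agent. The settings key `cache_size_gb`, the launchd label `org.example.omlx` and the `user` option are assumptions, not values from this PR.

```nix
# Added example module (not the repo's modules/darwin/omlx.nix).
# Assumed/placeholder: the settings key `cache_size_gb`, the launchd label
# `org.example.omlx`, and the `user` option; the PR only gives the shape.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.omlxDeploy;
in
{
  options.services.omlxDeploy = {
    enable = lib.mkEnableOption "oMLX deploy step on activation";
    cacheSize = lib.mkOption {
      type = lib.types.ints.positive;
      description = "Cache size in GB merged into ~/.omlx/settings.json";
    };
    user = lib.mkOption {
      type = lib.types.str;
      description = "Account whose ~/.omlx is updated (assumed option)";
    };
    launchdLabel = lib.mkOption {
      type = lib.types.str;
      default = "org.example.omlx"; # placeholder label
      description = "launchd label kickstarted after the settings merge";
    };
  };

  config = lib.mkIf cfg.enable {
    # nix-darwin runs postActivation as root after the system is switched.
    system.activationScripts.postActivation.text = ''
      home="/Users/${cfg.user}"
      settings="$home/.omlx/settings.json"
      mkdir -p "$home/.omlx"
      [ -f "$settings" ] || echo '{}' > "$settings"
      # Merge only the cache size so other user-set keys survive; write to a
      # temp file and rename so a failed jq run never truncates settings.json.
      ${pkgs.jq}/bin/jq --argjson size ${toString cfg.cacheSize} \
        '.cache_size_gb = $size' "$settings" > "$settings.tmp" \
        && mv "$settings.tmp" "$settings"
      chown "${cfg.user}" "$home/.omlx" "$settings"
      # Restart the agent in the user's GUI domain so it reloads settings.
      launchctl kickstart -k "gui/$(id -u "${cfg.user}")/${cfg.launchdLabel}" || true
      echo "✓ oMLX configured for $(hostname -s)"
    '';
  };
}
```

A host then needs only `services.omlxDeploy = { enable = true; cacheSize = 32; user = "alice"; };` instead of the ~30 pasted lines.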