testing new nix setup based on yoinked repo - thanks truxnell

.github/lint/.yamllint.yaml

@@ -0,0 +1,27 @@
+---
+ignore: |
+  .direnv/
+  .private/
+  .vscode/
+  **/*.sops.yaml
+
+extends: default
+
+rules:
+  truthy:
+    allowed-values: ["true", "false", "on"]
+
+  comments:
+    min-spaces-from-content: 1
+
+  line-length: disable
+
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+
+  indentation: enable

.github/renovate.json5

@@ -0,0 +1,32 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+      "github>spiceratops/renovate-config",
+      "github>spiceratops/renovate-config:automerge-github-actions",
+      "github>spiceratops/nix-gitops//.github/renovate/autoMerge.json5",
+    ],
+    "gitAuthor": "${{ secrets.BOT_USERNAME }} <${{ secrets.BOT_USER_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com>",
+    "ignoreTests": "true",
+
+    // TODO remove once out of beta?
+    // https://docs.renovatebot.com/modules/manager/nix/
+    "nix": {
+        "enabled": "true",
+    },
+
+    "lockFileMaintenance": {
+        "enabled": "true",
+        "automerge": "true",
+        "schedule": [ "before 4am on Sunday" ],
+    },
+
+    "regexManagers": [
+    {
+      fileMatch: ["(^|/)nixos/.*\\.nix$"],
+      matchStrings: [
+        'image *= *"(?<depName>.*?):(?<currentValue>.*?)(@(?<currentDigest>sha256:[a-f0-9]+))?"',
+      ],
+      datasourceTemplate: "docker",
+    }
+  ],
+}

.github/renovate/autoMerge.json5

@@ -0,0 +1,47 @@
+{
+
+  "packageRules": [
+    {
+  // automerge minor, patch, digest
+      "matchDatasources": ['docker'],
+      "automerge": "true",
+      "automergeType": "branch",
+      "schedule": [ "before 4am on Sunday" ],
+      "matchUpdateTypes": [ 'minor', 'patch', 'digest'],
+      "matchPackageNames": [
+        'ghcr.io/twin/gatus',
+        'vaultwarden/server',
+        'sissbruecker/linkding',
+        'ghcr.io/autobrr/autobrr',
+        'gotenberg/gotenberg',
+
+      ],
+
+    },
+    // automerge patch and digest
+    {
+      "matchDatasources": ['docker'],
+      "automerge": "true",
+      "automergeType": "branch",
+      "schedule": [ "before 4am on Sunday" ],
+      "matchUpdateTypes": [ 'patch', 'digest'],
+      "matchPackageNames": [
+        "ghcr.io/gethomepage/homepage",
+        "garethgeorge/backrest",
+        "ghcr.io/buroa/qbtools",
+        "ghcr.io/dgtlmoon/changedetection.io",
+        "ghcr.io/amruthpillai/reactive-resume",
+        "ghcr.io/foxxmd/multi-scrobbler",
+      ]
+
+    },
+    {
+      // automerge all digests
+      "matchDatasources": ['docker'],
+      "automerge": "true",
+      "automergeType": "branch",
+      "matchUpdateTypes": [ 'digest'],
+    },
+
+  ],
+}

.github/settings.yml

@@ -0,0 +1,76 @@
+---
+# These settings are synced to GitHub by https://probot.github.io/apps/settings/
+
+repository:
+  # See https://docs.github.com/en/rest/reference/repos#update-a-repository for all available settings.
+
+  # The name of the repository. Changing this will rename the repository
+  name: nix-gitops
+
+  # A short description of the repository that will show up on GitHub
+  description: My nix & nixos home setup
+
+  # A URL with more information about the repository
+  # homepage: https://example.github.io/
+
+  # A comma-separated list of topics to set on the repository
+  topics: nix, nixos
+
+  # Either `true` to make the repository private, or `false` to make it public.
+  private: false
+
+  # Either `true` to enable issues for this repository, `false` to disable them.
+  has_issues: true
+
+  # Either `true` to enable projects for this repository, or `false` to disable them.
+  # If projects are disabled for the organization, passing `true` will cause an API error.
+  has_projects: false
+
+  # Either `true` to enable the wiki for this repository, `false` to disable it.
+  has_wiki: false
+
+  # Either `true` to enable downloads for this repository, `false` to disable them.
+  has_downloads: false
+
+  # Updates the default branch for this repository.
+  default_branch: main
+
+  # Either `true` to allow squash-merging pull requests, or `false` to prevent
+  # squash-merging.
+  allow_squash_merge: true
+
+  # Either `true` to allow merging pull requests with a merge commit, or `false`
+  # to prevent merging pull requests with merge commits.
+  allow_merge_commit: false
+
+  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+  # rebase-merging.
+  allow_rebase_merge: true
+
+  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+  delete_branch_on_merge: true
+
+  # Either `true` to enable automated security fixes, or `false` to disable
+  # automated security fixes.
+  enable_automated_security_fixes: false
+
+  # Either `true` to enable vulnerability alerts, or `false` to disable
+  # vulnerability alerts.
+  enable_vulnerability_alerts: true
+
+# Labels: define labels for Issues and Pull Requests
+# labels:
+#   - name: bug
+#     color: CC0000
+#     description: An issue with the system 🐛.
+
+#   - name: feature
+#     # If including a `#`, make sure to wrap it with quotes!
+#     color: '#336699'
+#     description: New functionality.
+
+#   - name: Help Wanted
+#     # Provide a new name to rename an existing label
+#     new_name: first-timers-only
+
+# TODO branch protection once nailed down.

.github/workflows/build-raspi4.yaml

@@ -0,0 +1,38 @@
+---
+name: build-image
+on:
+  workflow_dispatch:
+    inputs:
+      image:
+        description: 'Which image to build'
+        required: true
+        default: 'rpi4'
+        options: ['iso', 'rpi4']
+
+jobs:
+  build-sd-image:
+    name: Build Nixos image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+      - uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-23.05
+          extra_nix_config: |
+            extra-platforms = aarch64-linux
+      - name: Check nix.conf
+        run: cat /etc/nix/nix.conf
+      - name: Register binfmt
+        run: |
+          docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+      - name: Test binfmt availability
+        run: |
+          cat /proc/sys/fs/binfmt_misc/qemu-aarch64
+        shell: bash
+      - name: Build SD Image
+        run: |
+          nix build .#images.${{ github.event.inputs.image }}
+      - uses: actions/upload-artifact@v4
+        with:
+          name: rpi4.img
+          path: ./result/sd-image/*.img*

.github/workflows/diff-pr.yaml

@@ -0,0 +1,120 @@
+---
+name: Pull Request
+permissions:
+  pull-requests: write
+on:
+  pull_request:
+    paths:
+      - .github/workflows/**
+      - "**.nix"
+      - "flake.lock"
+
+jobs:
+  build:
+    if: github.event.pull_request.draft == false
+    name: "Build ${{ matrix.target }}"
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            target: mnas
+    steps:
+      - name: Create nix mount point
+        if: contains(matrix.os, 'ubuntu')
+        run: sudo mkdir /nix
+
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@v10
+        if: contains(matrix.os, 'ubuntu')
+        with:
+          root-reserve-mb: 512
+          swap-size-mb: 1024
+          build-mount-path: "/nix"
+          remove-dotnet: true
+          remove-android: true
+          remove-haskell: true
+          remove-docker-images: true
+          remove-codeql: true
+          overprovision-lvm: true
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install nix
+        uses: cachix/install-nix-action@v27
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+            extra-platforms = aarch64-linux
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Register binfmt
+        run: |
+          docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+
+
+      - name: Garbage collect build dependencies
+        run: nix-collect-garbage
+
+      - name: Fetch old system profile
+        run: nix build github:truxnell/nix-config#top.${{ matrix.target }} -v  --log-format raw --profile ./profile
+
+      - name: Add new system to profile
+        run: |
+          set -o pipefail
+          nix build .#top.${{ matrix.target }}  --profile ./profile --show-trace --fallback -v --log-format raw > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
+
+      - name: Output build failure
+        if: failure()
+        run: |
+          drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
+          if [ -n $drv ]; then
+            nix log $drv
+            echo $drv
+          fi
+          exit 1
+
+      - name: Diff profile
+        id: diff
+        run: |
+          nix profile diff-closures --profile ./profile
+          delimiter="$(openssl rand -hex 16)"
+          echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
+          nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
+          echo "${delimiter}" >> "${GITHUB_OUTPUT}"
+
+      - name: Scan for security issues
+        id: security
+        run: |
+          nix run nixpkgs/nixos-unstable#vulnix -- -w https://raw.githubusercontent.com/ckauhaus/nixos-vulnerability-roundup/master/whitelists/nixos-unstable.toml ./profile | tee /tmp/security.txt
+          OUTPUT_SECURITY="$(cat /tmp/security.txt)"
+          OUTPUT_SECURITY="${OUTPUT_SECURITY//'%'/'%25'}"
+          OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\n'/'%0A'}"
+          OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\r'/'%0D'}"
+          echo "$OUTPUT_SECURITY"
+
+          delimiter="$(openssl rand -hex 16)"
+          echo "security<<${delimiter}" >> "${GITHUB_OUTPUT}"
+          echo "$OUTPUT_SECURITY" >> "${GITHUB_OUTPUT}"
+          echo "${delimiter}" >> "${GITHUB_OUTPUT}"
+
+      - name: Comment report in pr
+        uses: marocchino/sticky-pull-request-comment@v2
+        if: ${{ !startswith(github.ref, 'dependabot') }}
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          header: ".#top.${{ matrix.target }}"
+          message: |
+            ### Report for `${{ matrix.target }}`
+
+            <summary> Version changes </summary> <br>
+            <pre> ${{ steps.diff.outputs.diff }} </pre>
+
+            <details>
+            <summary> Security vulnerability report </summary> <br>
+            <pre> ${{ steps.security.outputs.security }} </pre>
+            </details>
+
+# Liberated from edeneast's github

.gitignore

@@ -5,8 +5,6 @@ Thumbs.db
 .private/
 # archive
 .archive/
-# ansible
-xanmanning.k3s*
 # terraform
 .terraform
 *.tfvars
@@ -18,4 +16,10 @@ xanmanning.k3s*
 *.pem
 # envrc
 .envrc
-.nix
+.nix*
+.mozilla
+**/*.tmp.sops.yaml
+result
+.direnv
+**/*.sops.tmp.yaml
+.kube

.gitleaksignore

@@ -0,0 +1 @@
+nixos/modules/nixos/services/adguardhome/default.nix:hashicorp-tf-password:47