Flakify lib, sas

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

.gitignore

@@ -0,0 +1,7 @@
+# ---> Nix
+# Ignore build outputs from performing a nix-build or `nix build` command
+result
+result-*
+
+# Ignore automatically generated direnv output
+.direnv

.gitmodules

@@ -4,3 +4,6 @@
 [submodule "sas"]
 	path = submodules/sas
 	url = git@karaolidis.com:karaolidis/nix-sas.git
+[submodule "submodules/lib"]
+	path = submodules/lib
+	url = git@karaolidis.com:karaolidis/nix-lib.git

README.md

@@ -18,12 +18,11 @@ NixOS dotfiles and configuration for various hosts and users.
 
 - [`packages/`](./packages/): Custom packages.
 
-- [`lib/`](./lib): Nix library function definitions and utilities.
-  - [`scripts/`](./lib/scripts): Utility scripts for managing the repository.
-    - [`add-host.sh`](./lib/scripts/add-host.sh): Instantiate the keys for a new host configuration.
-    - [`remove-host.sh`](./lib/scripts/remove-host.sh): Remove references to a host.
-    - [`update-keys.sh`](./lib/scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
-    - [`update.sh`](./lib/scripts/update.sh): Update flake and all packages.
+- [`scripts/`](./lib/scripts): Utility scripts for managing the repository.
+  - [`add-host.sh`](./lib/scripts/add-host.sh): Instantiate the keys for a new host configuration.
+  - [`remove-host.sh`](./lib/scripts/remove-host.sh): Remove references to a host.
+  - [`update-keys.sh`](./lib/scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
+  - [`update.sh`](./lib/scripts/update.sh): Update flake and all packages.
 
 Any `options.nix` files create custom option definitions when present.
 

flake.lock

@@ -225,6 +225,29 @@
         "type": "github"
       }
     },
+    "lib": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": [
+          "treefmt-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1755424080,
+        "narHash": "sha256-twJkLmKjrtIijjo8ov+n+l1jC5DXIU4wlZ8NH756tsw=",
+        "ref": "refs/heads/main",
+        "rev": "00d04c73f6ab7635d05586447fc350491c25989b",
+        "revCount": 4,
+        "type": "git",
+        "url": "https://git.karaolidis.com/karaolidis/nix-lib.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.karaolidis.com/karaolidis/nix-lib.git"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1754725699,
@@ -353,6 +376,7 @@
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
         "lanzaboote": "lanzaboote",
+        "lib": "lib",
         "nixpkgs": "nixpkgs",
         "nur": "nur",
         "nvidia-patch": "nvidia-patch",
@@ -387,13 +411,23 @@
       }
     },
     "sas": {
-      "flake": false,
+      "inputs": {
+        "lib": [
+          "lib"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": [
+          "treefmt-nix"
+        ]
+      },
       "locked": {
-        "lastModified": 1755341965,
-        "narHash": "sha256-A6d2eaKp/AVr7pw6qY860XZMSSMr9suaoKEEKlpYHXo=",
+        "lastModified": 1755438221,
+        "narHash": "sha256-9rZCYTQRQc1YKcCukRYGHMZv4oxOH5cTlrc18Ntf79o=",
         "ref": "refs/heads/main",
-        "rev": "954fc8c375876169d0549548b0fdf905d3ebe06b",
-        "revCount": 6,
+        "rev": "5ff6864ab10b9cdf3262c97aa670dcf42374278f",
+        "revCount": 7,
         "type": "git",
         "url": "ssh://git@karaolidis.com/karaolidis/nix-sas.git"
       },

flake.nix

@@ -26,14 +26,27 @@
     };
 
     # FIXME: https://github.com/NixOS/nix/issues/12281
-    secrets = {
-      url = "git+ssh://git@karaolidis.com/karaolidis/nix-secrets.git";
-      flake = false;
+    lib = {
+      url = "git+https://git.karaolidis.com/karaolidis/nix-lib.git";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        treefmt-nix.follows = "treefmt-nix";
+      };
     };
 
     # FIXME: https://github.com/NixOS/nix/issues/12281
     sas = {
       url = "git+ssh://git@karaolidis.com/karaolidis/nix-sas.git";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        lib.follows = "lib";
+        treefmt-nix.follows = "treefmt-nix";
+      };
+    };
+
+    # FIXME: https://github.com/NixOS/nix/issues/12281
+    secrets = {
+      url = "git+ssh://git@karaolidis.com/karaolidis/nix-secrets.git";
       flake = false;
     };
 
@@ -138,11 +151,10 @@
         };
 
         devShells.${system} = import ./hosts/common/shells { inherit pkgs; };
-        lib.${system} = import ./lib { inherit pkgs; };
         packages.${system} = import ./packages { inherit pkgs inputs system; };
 
         formatter.${system} = treefmt.config.build.wrapper;
-        checks.formatting.${system} = treefmt.config.build.check inputs.self;
+        checks.${system}.formatting = treefmt.config.build.check inputs.self;
       }
     );
 }

hosts/common/configs/user/gui/spicetify/default.nix

@@ -7,7 +7,6 @@
   ...
 }:
 let
-  selfLib = inputs.self.lib.${system};
   hmConfig = config.home-manager.users.${user};
 in
 {
@@ -70,7 +69,9 @@ in
       "spotify/prefs.init" = {
         source = ./config/prefs;
         onChange = ''
-          ${selfLib.runtime.merge.keyValue} "${home}/.config/spotify/prefs.init" "${home}/.config/spotify/prefs"
+          ${
+            inputs.lib.lib.${system}.runtime.merge.keyValue
+          } "${home}/.config/spotify/prefs.init" "${home}/.config/spotify/prefs"
         '';
       };
 
@@ -78,7 +79,9 @@ in
         source = ./config/prefs-user;
         onChange = ''
           user=$(cat "${hmConfig.sops.secrets."spotify/username".path}")
-          ${selfLib.runtime.merge.keyValue} "${home}/.config/spotify/prefs-user.init" "${home}/.config/spotify/Users/''${user}-user/prefs"
+          ${
+            inputs.lib.lib.${system}.runtime.merge.keyValue
+          } "${home}/.config/spotify/prefs-user.init" "${home}/.config/spotify/Users/''${user}-user/prefs"
         '';
       };
     };

hosts/elara/configs/globalprotect/default.nix

@@ -0,0 +1,29 @@
+{ config, inputs, ... }:
+{
+  sops.secrets = {
+    "globalprotect/email".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+    "globalprotect/gateway".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+    "globalprotect/ssh/key".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+    "ntfy/username".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+    "ntfy/password".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+  };
+
+  sas.globalprotect = {
+    enable = true;
+
+    email.file = config.sops.secrets."globalprotect/email".path;
+    gateway.file = config.sops.secrets."globalprotect/gateway".path;
+
+    sish = {
+      host = "karaolidis.com";
+      port = "2222";
+      keyFile = config.sops.secrets."globalprotect/ssh/key".path;
+    };
+
+    ntfy = {
+      url = "https://ntfy.karaolidis.com/sas";
+      username.file = config.sops.secrets."ntfy/username".path;
+      password.file = config.sops.secrets."ntfy/password".path;
+    };
+  };
+}

lib/default.nix

@@ -1,5 +0,0 @@
-{ pkgs, ... }:
-{
-  fetchers = import ./fetchers { inherit pkgs; };
-  runtime = import ./runtime { inherit pkgs; };
-}

lib/fetchers/default.nix

@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-{
-  sshKnownHosts = import ./sshKnownHosts { inherit pkgs; };
-}

lib/fetchers/sshKnownHosts/default.nix

@@ -1,33 +0,0 @@
-{ pkgs, ... }:
-pkgs.lib.fetchers.withNormalizedHash { } (
-  {
-    host,
-    name ? "ssh-known-hosts-${host}",
-    outputHash,
-    outputHashAlgo,
-    port ? 22,
-    keyTypes ? [
-      "rsa"
-      "ecdsa"
-      "ed25519"
-    ],
-  }:
-  let
-    keyTypeArgs = pkgs.lib.concatStringsSep "," keyTypes;
-  in
-  pkgs.runCommandLocal name
-    {
-      inherit outputHash outputHashAlgo;
-      outputHashMode = "flat";
-      preferLocalBuild = true;
-
-      nativeBuildInputs = with pkgs; [
-        openssh
-        gnugrep
-        coreutils
-      ];
-    }
-    ''
-      ssh-keyscan -p ${toString port} -t ${keyTypeArgs} ${host} | grep -v '^#' | sort > $out
-    ''
-)

lib/runtime/default.nix

@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-{
-  merge = import ./merge { inherit pkgs; };
-}

lib/runtime/merge/default.nix

@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-{
-  keyValue = import ./keyValue { inherit pkgs; };
-}

lib/runtime/merge/keyValue/default.nix

@@ -1,11 +0,0 @@
-{ pkgs, ... }:
-"${
-  pkgs.writeShellApplication {
-    name = "merge-key-value";
-    runtimeInputs = with pkgs; [
-      coreutils
-      gawk
-    ];
-    text = builtins.readFile ./key-value.sh;
-  }
-}/bin/merge-key-value"

lib/runtime/merge/keyValue/key-value.sh

@@ -1,15 +0,0 @@
-# shellcheck shell=bash
-
-source=$(realpath -m "$1")
-target=$(realpath -m "$2")
-
-if [[ -f "$target" ]]; then
-  temp=$(mktemp)
-  awk -F '=' 'NR==FNR{a[$1]=$0;next}($1 in a){$0=a[$1]}1' "$source" "$target" > "$temp"
-  mv "$temp" "$target"
-else
-  mkdir -p "$(dirname "$target")"
-  cp "$source" "$target"
-fi
-
-echo "Configuration file $target has been updated."

packages/ssh/known-hosts/github/default.nix

@@ -8,7 +8,7 @@ pkgs.stdenv.mkDerivation {
   pname = "ssh-known-hosts-github";
   version = "0-unstable-2025-02-25";
 
-  src = inputs.self.lib.${system}.fetchers.sshKnownHosts {
+  src = inputs.lib.lib.${system}.fetchers.sshKnownHosts {
     host = "github.com";
     hash = "sha256-wkNdynz7rhZvfXSAXDpQ2sk40afKAPeYHQ8Ei44CICI=";
   };

packages/ssh/known-hosts/gitlab/default.nix

@@ -8,7 +8,7 @@ pkgs.stdenv.mkDerivation {
   pname = "ssh-known-hosts-github";
   version = "0-unstable-2025-02-25";
 
-  src = inputs.self.lib.${system}.fetchers.sshKnownHosts {
+  src = inputs.lib.lib.${system}.fetchers.sshKnownHosts {
     host = "gitlab.com";
     hash = "sha256-5flUNj4vKn1Y2YE8bkUcsW3kQLRKn8WB3uPUxlhZMTk=";
   };