+11

.github/workflows/test.yml

··· 18 18 steps: 19 19 - uses: cachix/install-nix-action@v31 20 20 - run: nix flake check -L github:vic/checkmate --override-input target github:$GITHUB_REPOSITORY/$GITHUB_SHA 21 21 + noflake: 22 22 + needs: [non-draft] 23 23 + name: noflake 24 24 + runs-on: ubuntu-latest 25 25 + steps: 26 26 + - uses: wimpysworld/nothing-but-nix@main 27 27 + - uses: cachix/install-nix-action@v31 28 28 + - uses: DeterminateSystems/magic-nix-cache-action@v13 29 29 + - uses: actions/checkout@v4 30 30 + - run: sed -i 's@# den.outPath@den.outPath@' templates/noflake/with-inputs.nix 31 31 + - run: cd templates/noflake && nix-build -A nixosConfigurations.igloo.config.system.build.toplevel 21 32 template: 22 33 needs: [non-draft] 23 34 strategy:

+7 -4

README.md

··· 1 1 <p align="right"> 2 2 <a href="https://github.com/sponsors/vic"><img src="https://img.shields.io/badge/sponsor-vic-white?logo=githubsponsors&logoColor=white&labelColor=%23FF0000" alt="Sponsor Vic"/> 3 3 </a> 4 4 + <a href="https://deepwiki.com/vic/den"><img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki"></a> 4 5 <a href="https://github.com/vic/den/releases"><img src="https://img.shields.io/github/v/release/vic/den?style=plastic&logo=github&color=purple"/></a> 5 6 <a href="https://vic.github.io/dendrix/Dendritic-Ecosystem.html#vics-dendritic-libraries"> <img src="https://img.shields.io/badge/Dendritic-Nix-informational?logo=nixos&logoColor=white" alt="Dendritic Nix"/> </a> 6 7 <a href="LICENSE"> <img src="https://img.shields.io/github/license/vic/den" alt="License"/> </a> ··· 19 20 20 21 <img width="300" height="300" alt="den" src="https://github.com/user-attachments/assets/af9c9bca-ab8b-4682-8678-31a70d510bbb" /> 21 22 22 22 - - Dendritic: each module configures **same** concern over **different** Nix classes. 23 23 + - [Dendritic](https://github.com/mightyiam/dendritic): **same** concern across **different** Nix classes. 23 24 24 25 - Create [DRY](modules/aspects/provides/unfree.nix) & [`class`-generic](modules/aspects/provides/primary-user.nix) modules. 25 26 26 27 - [Parametric](modules/aspects/provides/define-user.nix) over `host`/`home`/`user`. 27 28 28 28 - - [Share](templates/default/modules/namespace.nix) aspects across systems & repos. 29 29 + - Context-aware [dependencies](modules/aspects/dependencies.nix): user/host contributions. 30 30 + 31 31 + - [templates/noflake](templates/noflake). Works with stable Nix (no-flakes) and needs no flake-parts. 29 32 30 30 - - Context-aware [dependencies](modules/aspects/dependencies.nix): user/host contributions. 33 33 + - [Share](templates/default/modules/namespace.nix) aspects across systems & repos. 31 34 32 35 - [Routable](templates/default/modules/aspects/eg/routes.nix) configurations. 33 36 ··· 35 38 36 39 - Use `stable`/`unstable` channels per config. 37 40 38 38 - - Freeform `host`/`user`/`home` [schemas](modules/_types.nix) (no `specialArgs`). 41 41 + - Freeform `host`/`user`/`home` [schemas](modules/_types.nix) (no `specialArgs`) with base modules. 39 42 40 43 - Multi-platform, multi-tenant hosts. 41 44

+17

templates/noflake/README.md

··· 1 1 + # Den without flake-parts 2 2 + 3 3 + This template provides an example Den setup with stable Nix (no-flakes), no flake-parts and nix-maid instead of home-manager. 4 4 + 5 5 + It configures a NixOS host with one user. 6 6 + 7 7 + Try it with: 8 8 + 9 9 + ```shell 10 10 + nixos-rebuild build --file . -A nixosConfigurations.igloo 11 11 + ``` 12 12 + 13 13 + or 14 14 + 15 15 + ```shell 16 16 + nix-build -A nixosConfigurations.igloo.config.system.build.toplevel 17 17 + ```

+16

templates/noflake/default.nix

··· 1 1 + let 2 2 + 3 3 + outputs = 4 4 + inputs: 5 5 + (inputs.nixpkgs.lib.evalModules { 6 6 + modules = [ (inputs.import-tree ./modules) ]; 7 7 + specialArgs = { 8 8 + inherit inputs; 9 9 + inherit (inputs) self; 10 10 + }; 11 11 + }).config; 12 12 + 13 13 + in 14 14 + # Den outputs configurations at flake top-level attr 15 15 + # even when it does not depend on flakes or flake-parts. 16 16 + (import ./with-inputs.nix outputs).flake

+11

templates/noflake/modules/compat.nix

··· 1 1 + { inputs, lib, ... }: 2 2 + { 3 3 + # we can import this flakeModule even if we dont have flake-parts as input! 4 4 + imports = [ inputs.den.flakeModule ]; 5 5 + 6 6 + # NOTE: Currently Den needs a top-level attribute where to place configurations, 7 7 + # by default it is the `flake` attribute, even if Den uses no flake-parts at all. 8 8 + options.flake = lib.mkOption { 9 9 + type = lib.types.submodule { freeformType = lib.types.anything; }; 10 10 + }; 11 11 + }

+38

templates/noflake/modules/den.nix

··· 1 1 + { inputs, ... }: 2 2 + { 3 3 + # tux user on igloo host. 4 4 + den.hosts.x86_64-linux.igloo.users.tux = { }; 5 5 + 6 6 + # host aspect 7 7 + den.aspects.igloo = { 8 8 + nixos = 9 9 + { pkgs, ... }: 10 10 + { 11 11 + # remove these for a real bootable host 12 12 + boot.loader.grub.enable = false; 13 13 + fileSystems."/".device = "/dev/fake"; 14 14 + passthru = { }; 15 15 + 16 16 + environment.systemPackages = [ 17 17 + pkgs.vim 18 18 + ]; 19 19 + }; 20 20 + }; 21 21 + 22 22 + # user aspect 23 23 + den.aspects.tux = { 24 24 + # user configures the host it lives in 25 25 + nixos = { 26 26 + # hipster-tux uses nix-maid instead of home-manager. 27 27 + imports = [ inputs.nix-maid.nixosModules.default ]; 28 28 + 29 29 + users.users.tux = { 30 30 + isNormalUser = true; 31 31 + maid.file.home.".gitconfig".text = '' 32 32 + [user] 33 33 + name=Tux 34 34 + ''; 35 35 + }; 36 36 + }; 37 37 + }; 38 38 + }

+249

templates/noflake/npins/default.nix

··· 1 1 + /* 2 2 + This file is provided under the MIT licence: 3 3 + 4 4 + Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 5 5 + 6 6 + The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 7 7 + 8 8 + THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 9 9 + */ 10 10 + # Generated by npins. Do not modify; will be overwritten regularly 11 11 + let 12 12 + # Backwards-compatibly make something that previously didn't take any arguments take some 13 13 + # The function must return an attrset, and will unfortunately be eagerly evaluated 14 14 + # Same thing, but it catches eval errors on the default argument so that one may still call it with other arguments 15 15 + mkFunctor = 16 16 + fn: 17 17 + let 18 18 + e = builtins.tryEval (fn { }); 19 19 + in 20 20 + (if e.success then e.value else { error = fn { }; }) // { __functor = _self: fn; }; 21 21 + 22 22 + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 23 23 + range = 24 24 + first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1); 25 25 + 26 26 + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 27 27 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); 28 28 + 29 29 + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 30 30 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); 31 31 + concatStrings = builtins.concatStringsSep ""; 32 32 + 33 33 + # If the environment variable NPINS_OVERRIDE_${name} is set, then use 34 34 + # the path directly as opposed to the fetched source. 35 35 + # (Taken from Niv for compatibility) 36 36 + mayOverride = 37 37 + name: path: 38 38 + let 39 39 + envVarName = "NPINS_OVERRIDE_${saneName}"; 40 40 + saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name; 41 41 + ersatz = builtins.getEnv envVarName; 42 42 + in 43 43 + if ersatz == "" then 44 44 + path 45 45 + else 46 46 + # this turns the string into an actual Nix path (for both absolute and 47 47 + # relative paths) 48 48 + builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" ( 49 49 + if builtins.substring 0 1 ersatz == "/" then 50 50 + /. + ersatz 51 51 + else 52 52 + /. + builtins.getEnv "PWD" + "/${ersatz}" 53 53 + ); 54 54 + 55 55 + mkSource = 56 56 + name: spec: 57 57 + { 58 58 + pkgs ? null, 59 59 + }: 60 60 + assert spec ? type; 61 61 + let 62 62 + # Unify across builtin and pkgs fetchers. 63 63 + # `fetchGit` requires a wrapper because of slight API differences. 64 64 + fetchers = 65 65 + if pkgs == null then 66 66 + { 67 67 + inherit (builtins) fetchTarball fetchurl; 68 68 + # For some fucking reason, fetchGit has a different signature than the other builtin fetchers … 69 69 + fetchGit = args: (builtins.fetchGit args).outPath; 70 70 + } 71 71 + else 72 72 + { 73 73 + fetchTarball = 74 74 + { 75 75 + url, 76 76 + sha256, 77 77 + }: 78 78 + pkgs.fetchzip { 79 79 + inherit url sha256; 80 80 + extension = "tar"; 81 81 + }; 82 82 + inherit (pkgs) fetchurl; 83 83 + fetchGit = 84 84 + { 85 85 + url, 86 86 + submodules, 87 87 + rev, 88 88 + name, 89 89 + narHash, 90 90 + }: 91 91 + pkgs.fetchgit { 92 92 + inherit url rev name; 93 93 + fetchSubmodules = submodules; 94 94 + hash = narHash; 95 95 + }; 96 96 + }; 97 97 + 98 98 + # Dispatch to the correct code path based on the type 99 99 + path = 100 100 + if spec.type == "Git" then 101 101 + mkGitSource fetchers spec 102 102 + else if spec.type == "GitRelease" then 103 103 + mkGitSource fetchers spec 104 104 + else if spec.type == "PyPi" then 105 105 + mkPyPiSource fetchers spec 106 106 + else if spec.type == "Channel" then 107 107 + mkChannelSource fetchers spec 108 108 + else if spec.type == "Tarball" then 109 109 + mkTarballSource fetchers spec 110 110 + else if spec.type == "Container" then 111 111 + mkContainerSource pkgs spec 112 112 + else 113 113 + builtins.throw "Unknown source type ${spec.type}"; 114 114 + in 115 115 + spec // { outPath = mayOverride name path; }; 116 116 + 117 117 + mkGitSource = 118 118 + { 119 119 + fetchTarball, 120 120 + fetchGit, 121 121 + ... 122 122 + }: 123 123 + { 124 124 + repository, 125 125 + revision, 126 126 + url ? null, 127 127 + submodules, 128 128 + hash, 129 129 + ... 130 130 + }: 131 131 + assert repository ? type; 132 132 + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository 133 133 + # In the latter case, there we will always be an url to the tarball 134 134 + if url != null && !submodules then 135 135 + fetchTarball { 136 136 + inherit url; 137 137 + sha256 = hash; 138 138 + } 139 139 + else 140 140 + let 141 141 + url = 142 142 + if repository.type == "Git" then 143 143 + repository.url 144 144 + else if repository.type == "GitHub" then 145 145 + "https://github.com/${repository.owner}/${repository.repo}.git" 146 146 + else if repository.type == "GitLab" then 147 147 + "${repository.server}/${repository.repo_path}.git" 148 148 + else if repository.type == "Forgejo" then 149 149 + "${repository.server}/${repository.owner}/${repository.repo}.git" 150 150 + else 151 151 + throw "Unrecognized repository type ${repository.type}"; 152 152 + urlToName = 153 153 + url: rev: 154 154 + let 155 155 + matched = builtins.match "^.*/([^/]*)(\\.git)?$" url; 156 156 + 157 157 + short = builtins.substring 0 7 rev; 158 158 + 159 159 + appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else ""; 160 160 + in 161 161 + "${if matched == null then "source" else builtins.head matched}${appendShort}"; 162 162 + name = urlToName url revision; 163 163 + in 164 164 + fetchGit { 165 165 + rev = revision; 166 166 + narHash = hash; 167 167 + 168 168 + inherit name submodules url; 169 169 + }; 170 170 + 171 171 + mkPyPiSource = 172 172 + { fetchurl, ... }: 173 173 + { 174 174 + url, 175 175 + hash, 176 176 + ... 177 177 + }: 178 178 + fetchurl { 179 179 + inherit url; 180 180 + sha256 = hash; 181 181 + }; 182 182 + 183 183 + mkChannelSource = 184 184 + { fetchTarball, ... }: 185 185 + { 186 186 + url, 187 187 + hash, 188 188 + ... 189 189 + }: 190 190 + fetchTarball { 191 191 + inherit url; 192 192 + sha256 = hash; 193 193 + }; 194 194 + 195 195 + mkTarballSource = 196 196 + { fetchTarball, ... }: 197 197 + { 198 198 + url, 199 199 + locked_url ? url, 200 200 + hash, 201 201 + ... 202 202 + }: 203 203 + fetchTarball { 204 204 + url = locked_url; 205 205 + sha256 = hash; 206 206 + }; 207 207 + 208 208 + mkContainerSource = 209 209 + pkgs: 210 210 + { 211 211 + image_name, 212 212 + image_tag, 213 213 + image_digest, 214 214 + ... 215 215 + }: 216 216 + if pkgs == null then 217 217 + builtins.throw "container sources require passing in a Nixpkgs value: https://github.com/andir/npins/blob/master/README.md#using-the-nixpkgs-fetchers" 218 218 + else 219 219 + pkgs.dockerTools.pullImage { 220 220 + imageName = image_name; 221 221 + imageDigest = image_digest; 222 222 + finalImageTag = image_tag; 223 223 + }; 224 224 + in 225 225 + mkFunctor ( 226 226 + { 227 227 + input ? ./sources.json, 228 228 + }: 229 229 + let 230 230 + data = 231 231 + if builtins.isPath input then 232 232 + # while `readFile` will throw an error anyways if the path doesn't exist, 233 233 + # we still need to check beforehand because *our* error can be caught but not the one from the builtin 234 234 + # *piegames sighs* 235 235 + if builtins.pathExists input then 236 236 + builtins.fromJSON (builtins.readFile input) 237 237 + else 238 238 + throw "Input path ${toString input} does not exist" 239 239 + else if builtins.isAttrs input then 240 240 + input 241 241 + else 242 242 + throw "Unsupported input type ${builtins.typeOf input}, must be a path or an attrset"; 243 243 + version = data.version; 244 244 + in 245 245 + if version == 7 then 246 246 + builtins.mapAttrs (name: spec: mkFunctor (mkSource name spec)) data.pins 247 247 + else 248 248 + throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" 249 249 + )

+63

templates/noflake/npins/sources.json

··· 1 1 + { 2 2 + "pins": { 3 3 + "den": { 4 4 + "type": "Git", 5 5 + "repository": { 6 6 + "type": "GitHub", 7 7 + "owner": "vic", 8 8 + "repo": "den" 9 9 + }, 10 10 + "branch": "main", 11 11 + "submodules": false, 12 12 + "revision": "2dab67aab2214b84f5ac15adc4e900e90d07f17b", 13 13 + "url": "https://github.com/vic/den/archive/2dab67aab2214b84f5ac15adc4e900e90d07f17b.tar.gz", 14 14 + "hash": "sha256-LKTq2QTXzA5lR0xhrG/hkWtjvKnr91mvIabBof0/M4A=" 15 15 + }, 16 16 + "flake-aspects": { 17 17 + "type": "Git", 18 18 + "repository": { 19 19 + "type": "GitHub", 20 20 + "owner": "vic", 21 21 + "repo": "flake-aspects" 22 22 + }, 23 23 + "branch": "main", 24 24 + "submodules": false, 25 25 + "revision": "61524836788ef6991a82e7d34ebb0ccc05d374ed", 26 26 + "url": "https://github.com/vic/flake-aspects/archive/61524836788ef6991a82e7d34ebb0ccc05d374ed.tar.gz", 27 27 + "hash": "sha256-U15OaMr9AcJiB1wW2uCFzFO+DnQ3jJSvln+ZR/+Q0vE=" 28 28 + }, 29 29 + "import-tree": { 30 30 + "type": "Git", 31 31 + "repository": { 32 32 + "type": "GitHub", 33 33 + "owner": "vic", 34 34 + "repo": "import-tree" 35 35 + }, 36 36 + "branch": "main", 37 37 + "submodules": false, 38 38 + "revision": "3c23749d8013ec6daa1d7255057590e9ca726646", 39 39 + "url": "https://github.com/vic/import-tree/archive/3c23749d8013ec6daa1d7255057590e9ca726646.tar.gz", 40 40 + "hash": "sha256-ZvYKbFib3AEwiNMLsejb/CWs/OL/srFQ8AogkebEPF0=" 41 41 + }, 42 42 + "nix-maid": { 43 43 + "type": "Git", 44 44 + "repository": { 45 45 + "type": "GitHub", 46 46 + "owner": "viperml", 47 47 + "repo": "nix-maid" 48 48 + }, 49 49 + "branch": "master", 50 50 + "submodules": false, 51 51 + "revision": "303e67a8c67d1ba1416abd8842d206a57b46f832", 52 52 + "url": "https://github.com/viperml/nix-maid/archive/303e67a8c67d1ba1416abd8842d206a57b46f832.tar.gz", 53 53 + "hash": "sha256-nvybtwQnyGeUbAq/iOMnt0rOGrp8nkyjnZTW9XIsrfI=" 54 54 + }, 55 55 + "nixpkgs": { 56 56 + "type": "Channel", 57 57 + "name": "nixpkgs-unstable", 58 58 + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre937085.6308c3b21396/nixexprs.tar.xz", 59 59 + "hash": "sha256-RuGWBqXVEsZwwBvRGS/nRrA6PQyOQwVaAu139Z853Bk=" 60 60 + } 61 61 + }, 62 62 + "version": 7 63 63 + }

+42

templates/noflake/with-inputs.nix

··· 1 1 + # adapted from https://github.com/vic/dendritic-unflake 2 2 + let 3 3 + sources = (import ./npins) // { 4 4 + # uncomment for using local den checkout 5 5 + # den.outPath = ./../..; 6 6 + }; 7 7 + selfInputs = builtins.mapAttrs (name: value: mkInputs name value) sources; 8 8 + mkInputs = 9 9 + name: sourceInfo: 10 10 + let 11 11 + flakePath = sourceInfo.outPath + "/flake.nix"; 12 12 + isFlake = sources.${name}.flake or true; 13 13 + in 14 14 + if isFlake && builtins.pathExists flakePath then 15 15 + let 16 16 + flake = import (sourceInfo.outPath + "/flake.nix"); 17 17 + inputs = builtins.mapAttrs (name: _value: selfInputs.${name}) (flake.inputs or { }); 18 18 + outputs = flake.outputs (inputs // { inherit self; }); 19 19 + self = 20 20 + sourceInfo 21 21 + // outputs 22 22 + // { 23 23 + _type = "flake"; 24 24 + inherit inputs sourceInfo; 25 25 + }; 26 26 + in 27 27 + self 28 28 + else 29 29 + sourceInfo 30 30 + // { 31 31 + inherit sourceInfo; 32 32 + }; 33 33 + in 34 34 + selfInputs 35 35 + // { 36 36 + __functor = 37 37 + selfInputs: outputs: 38 38 + let 39 39 + self = outputs (selfInputs // { inherit self; }); 40 40 + in 41 41 + self; 42 42 + }