atomic

.github/workflows/check.yaml

@@ -0,0 +1,26 @@
+name: Run checks and tests
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@d64e0553100205688c0fb2fa16edb0fc8663c590
+        with:
+          extra_nix_config: |
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+
+      - name: Evaluate flake outputs
+        run: nix flake check --all-systems

.github/workflows/ensure_docs.yaml

@@ -0,0 +1,27 @@
+name: Check for changes to docs
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  ensure_docs:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Get all changed docs files
+        id: changed-markdown-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47
+        with:
+          files: docs/**
+
+      - name: Fail if no change to docs
+        if: steps.changed-markdown-files.outputs.any_changed == 'false'
+        run: exit 1

.github/workflows/test.yaml → .github/workflows/lint.yaml

@@ -1,11 +1,11 @@
-name: Run tests
+name: Lint
 
 on:
   pull_request:
     types: [opened, synchronize]
 
 jobs:
-  test:
+  lint:
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -22,22 +22,9 @@ jobs:
           extra_nix_config: |
             access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
 
-      - name: Evaluate flake outputs
-        run: nix flake check --all-systems
-
       - name: Run linting and formatting checks
         run: |
           nix develop -c statix check
           nix develop -c deadnix
           nix develop -c treefmt --ci
           nix develop -c zizmor .
-
-      - name: Get all changed docs files
-        id: changed-markdown-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47
-        with:
-          files: docs/**
-
-      - name: Fail if no change to docs
-        if: steps.changed-markdown-files.outputs.any_changed == 'false'
-        run: exit 1

.gitignore

@@ -1,9 +1,9 @@
-tmp
-
-# Nix
+# generated files
 
 result
-
-# Direnv
-
 .direnv
+*.qcow2
+keys/
+
+# developer choice
+tmp

Justfile

@@ -1,8 +1,8 @@
-check: format lint test
+check: nice test
 
-nice: format lint
+nice: format-nix lint
 
-format: format-nix
+format: format-nix format-gha
 
 format-nix:
   treefmt

docs/README.md

@@ -1,26 +1,40 @@
 ## current state
 
-`nodes.nixos.veil` has nginx with https setup and the `rrv.sh` website.
-`manifest` has externals and proxies skeleton impl set up.
+nothing!
 
-## directory structure
+## what this is
 
-- `docs/` should contain:
-    - README.md -> instructions and information
-    - runbook.md -> commands and procedures
-- `ops/` should contain IaC:
-    - `nix/` contains Nix code that is consumed by `flake.nix` in the root directory
-    - `sops/` contains sops encrypted secrets with age
+a sort of exploration of the dendritic method. i like the dendritic method for how it turns writing a nix flake into an act of letting the system grow organically by writing a custom flake-parts module for every problem you encounter. i pay homage to this by adding a cheeky requirement to the dendritic method rules, that i think is thematically very appropriate for real-life dendritic systems - the flake must be able to self-replicate. run `nix flake init --template github:rrvsh/cathedral#pkg_shell` to see it :)
+
+the manifest declares all nodes, for now only nixos, and the manifest utilities will parse this "request", and automatically pick and choose modules that when put together, makes these nixosConfigurations. however, the beauty of using flake-parts is the abstraction layer of being able to have **separate** nodes have modules or options set that are dependent on **each other**, which allows us to do things like:
+
+    - declare: this manifest provides a reverse proxy.
+    - specify: this reverse proxy will run from machine a.
+    - declare: machine b needs a reverse proxy to make a webapp public.
+
+and then, the configurations will include all that is needed to make that happen.
+
+the end state of this is essentially to provide the backend to easily automating writing/generating nix code. the syntax of the manifest options are deliberately simple, as the main issue of generating nixos configurations now are, to me, the complexity of "merging" nixos modules. so, we kind of "merge" those modules first before we present a simpler set of options to the user.
+
+### RULES
+
+- every file must be ATOMIC -> HARD REQUIREMENT! includes all types of files
+- lists should be sorted if possible
 
 ## dev setup
 
-with `direnv`, run `direnv allow` and all dependencies will be in your shell.
+with `direnv`, run `direnv allow` and all dependencies will be in your shell. otherwise, install nix and run `nix develop` after cloning the repository.
+
+warning: the logic is in an unfinished state. you cannot yet import any flake-parts module i have written here and put it into your own config, or for most of my modules as a general rule (too much dependence on each other). feel free to steal any of the logic for yourself though :)
 
 run:
 
 - `just nice` to format and lint
 - `just check` to test
 
-## architecture
+## acknowledgements
 
-`ops/nix/manifest/manifest.nix` describes the overview of the IaC. the rest construct the system configs.
+- [ornicar](https://github.com/ornicar/dotfiles), for being my inspiration to start using Nix, open source, and being a full fledged software engineer
+- [NixOS & Flakes Book](https://nixos-and-flakes.thiscute.world/) for teaching me how to use NixOS, flakes, and home-manager: the best damn tutorial on the internet I've seen yet
+- [NotAShelf](https://github.com/notashelf/nyx) for introducing me to the idea of monorepos and custom logic (read: over-engineering) for Nix flakes
+- [drupol/infra](https://not-a-number.io/2025/refactoring-my-infrastructure-as-code-configurations/) for introducing the dendritic pattern to me, and [mightyiam](https://discourse.nixos.org/t/pattern-every-file-is-a-flake-parts-module/61271) for pioneering it.

docs/runbook.md

@@ -1 +1,14 @@
 ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
+
+rg --no-binary --hidden --null -l '' \
+      | tr '\0' '\n' \
+      | grep -vE '^\.git/' \
+      | grep -vE '/(\.direnv|result|tmp|node_modules)/' \
+      | while read -l f
+      echo "\n==== $f ====\n"
+      cat "$f"
+  end | pbcopy
+
+nix store info --store ssh://eu.nixbuild.net
+
+nix run nixpkgs#darwin.linux-builder

flake.nix

@@ -5,22 +5,20 @@
       (inputs.import-tree ./ops/nix)
       // {
         systems = import inputs.systems;
-        flake.paths.root = ./.;
+        flake.paths = {
+          root = ./.;
+          device = ./ops/definitions/devices;
+          secrets = ./ops/definitions/secrets;
+        };
       }
     );
   inputs = {
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
     flake-parts.url = "github:hercules-ci/flake-parts";
-    home-manager.inputs.nixpkgs.follows = "nixpkgs";
-    home-manager.url = "github:nix-community/home-manager";
-    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
-    nix-darwin.url = "github:nix-darwin/nix-darwin/master";
-    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    sops-nix.url = "github:Mic92/sops-nix";
     import-tree.url = "github:vic/import-tree";
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+    sops-nix.url = "github:Mic92/sops-nix";
     systems.url = "github:nix-systems/default";
-    rrv-sh.url = "github:rrvsh/rrv.sh";
-    rrv-sh.inputs.nixpkgs.follows = "nixpkgs";
   };
 }