remove extraneous nixpkgs inputs

flake.lock

@@ -93,7 +93,9 @@
     },
     "firefox-darwin": {
       "inputs": {
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
         "lastModified": 1687568341,
@@ -200,7 +202,9 @@
     "nil": {
       "inputs": {
         "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
         "rust-overlay": "rust-overlay"
       },
       "locked": {
@@ -276,38 +280,6 @@
       }
     },
     "nixpkgs": {
-      "locked": {
-        "lastModified": 1639237670,
-        "narHash": "sha256-RTdL4rEQcgaZGpvtDgkp3oK/V+1LM3I53n0ACPSroAQ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "edfb969386ebe6c3cf8f878775a7975cd88f926d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "master",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1680487167,
-        "narHash": "sha256-9FNIqrxDZgSliGGN2XJJSvcDYmQbgOANaZA4UWnTdg4=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "53dad94e874c9586e71decf82d972dfb640ef044",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
       "locked": {
         "lastModified": 1687502512,
         "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
@@ -323,7 +295,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
+    "nixpkgs_2": {
       "locked": {
         "lastModified": 1686929285,
         "narHash": "sha256-WGtVzn+vGMPTXDO0DMNKVFtf+zUSqeW+KKk4Y/Ae99I=",
@@ -432,7 +404,7 @@
         "nil": "nil",
         "nix2vim": "nix2vim",
         "nixos-generators": "nixos-generators",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs",
         "null-ls-nvim-src": "null-ls-nvim-src",
         "nur": "nur",
         "nvim-lspconfig-src": "nvim-lspconfig-src",
@@ -570,7 +542,7 @@
       "inputs": {
         "flake-compat": "flake-compat",
         "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
         "lastModified": 1687279045,

flake.nix

@@ -20,14 +20,17 @@
     home-manager = {
       url = "github:nix-community/home-manager/master";
       inputs.nixpkgs.follows =
-        "nixpkgs"; # Use system packages list where available
+        "nixpkgs"; # Use system packages list for their inputs
     };
 
     # Community packages; used for Firefox extensions
     nur.url = "github:nix-community/nur";
 
     # Use official Firefox binary for macOS
-    firefox-darwin.url = "github:bandithedoge/nixpkgs-firefox-darwin";
+    firefox-darwin = {
+      url = "github:bandithedoge/nixpkgs-firefox-darwin";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     # Manage disk format and partitioning
     disko = {
@@ -54,7 +57,10 @@
     };
 
     # Nix language server
-    nil.url = "github:oxalica/nil/2023-04-03";
+    nil = {
+      url = "github:oxalica/nil/2023-04-03";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     # Neovim plugins
     nvim-lspconfig-src = {
@@ -159,7 +165,7 @@
           import ./hosts/lookingglass { inherit inputs globals overlays; };
       };
 
-      # For quickly applying local settings with:
+      # For quickly applying home-manager settings with:
       # home-manager switch --flake .#tempest
       homeConfigurations = {
         tempest =

hosts/tempest/default.nix

@@ -92,6 +92,14 @@ inputs.nixpkgs.lib.nixosSystem {
         ryujinx.enable = true;
       };
 
+      cloudflareTunnel = {
+        enable = true;
+        id = "ac133a82-31fb-480c-942a-cdbcd4c58173";
+        credentialsFile = ../../private/cloudflared-tempest.age;
+        ca =
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPY6C0HmdFCaxYtJxFr3qV4/1X4Q8KrYQ1hlme3u1hJXK+xW+lc9Y9glWHrhiTKilB7carYTB80US0O47gI5yU4= open-ssh-ca@cloudflareaccess.org";
+      };
+
     }
   ];
 }

modules/nixos/services/prometheus.nix

@@ -6,10 +6,13 @@
     default = null;
   };
 
-  # If hosting Grafana, host local Prometheus and listen for inbound jobs.
-  # If not hosting Grafana, send remote Prometheus writes to primary host
+  config = let
 
-  config = lib.mkIf config.services.prometheus.enable {
+    # If hosting Grafana, host local Prometheus and listen for inbound jobs. If
+    # not hosting Grafana, send remote Prometheus writes to primary host.
+    isServer = config.services.grafana.enable;
+
+  in lib.mkIf config.services.prometheus.enable {
 
     services.prometheus = {
       exporters.node.enable = true;
@@ -17,10 +20,9 @@
         job_name = "local";
         static_configs = [{ targets = [ "127.0.0.1:9100" ]; }];
       }];
-      webExternalUrl = lib.mkIf config.services.grafana.enable
-        "https://${config.prometheusServer}";
+      webExternalUrl = lib.mkIf isServer "https://${config.prometheusServer}";
       # Web config file: https://prometheus.io/docs/prometheus/latest/configuration/https/
-      webConfigFile = lib.mkIf config.services.grafana.enable
+      webConfigFile = lib.mkIf isServer
         ((pkgs.formats.yaml { }).generate "webconfig.yml" {
           basic_auth_users = {
             # Generate password: htpasswd -nBC 10 "" | tr -d ':\n'
@@ -29,7 +31,7 @@
               "$2y$10$r7FWHLHTGPAY312PdhkPEuvb05aGn9Nk1IO7qtUUUjmaDl35l6sLa";
           };
         });
-      remoteWrite = lib.mkIf (!config.services.grafana.enable) [{
+      remoteWrite = lib.mkIf (!isServer) [{
         name = config.networking.hostName;
         url = "https://${config.prometheusServer}";
         basic_auth = {
@@ -41,20 +43,19 @@
     };
 
     # Create credentials file for remote Prometheus push
-    secrets.prometheus = lib.mkIf (!config.services.grafana.enable) {
+    secrets.prometheus = lib.mkIf (!isServer) {
       source = ../../../private/prometheus.age;
       dest = "${config.secretsDirectory}/prometheus";
       owner = "prometheus";
       group = "prometheus";
       permissions = "0440";
     };
-    systemd.services.prometheus-secret =
-      lib.mkIf (!config.services.grafana.enable) {
+    systemd.services.prometheus-secret = lib.mkIf (!isServer) {
       requiredBy = [ "prometheus.service" ];
       before = [ "prometheus.service" ];
     };
 
-    caddy.routes = lib.mkIf config.services.grafana.enable [{
+    caddy.routes = lib.mkIf isServer [{
       match = [{ host = [ config.prometheusServer ]; }];
       handle = [{
         handler = "reverse_proxy";

private/cloudflared-tempest.age

@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyB1VnBt
+RTV5eWc3RDNUR2lOWFRaMlgzREQyMlcvUFNxV0N2Vm9lVVZKOUZ3ClJjaWtYZjR5
+ZTB4L2M4MFB0UThaMzlRT3JkUEE1N3RrSUlpZnRFbmFDdWcKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIE5iTUs1ak9VZjRIRGpLMWtDcVB0RjVFRW8vOENQZlkzeGhsYmFB
+QzJ6Z00KZmcvZ0hYMjN1bGZwY3NvMjlCbnpHUWVjdVU4cnBGcDQxTU8wZ0EyQXdU
+MAotPiBzc2gtZWQyNTUxOSBuanZYNUEgazRzK2ZnSUZNWURoKzZMZmM4VTlDbVBh
+WGc4MlE5TGFiN1MzV01FT1oyQQppRUhUNjdlQURNQm8rR0JOOUJFNm9vaXhPTXFW
+U2lJU09jWVA0TDRrVHY4Ci0tLSBudWJTclRTek1RWHYzYzA4aTduODB0NUNWbVVP
+cUIyVzJncWhDS053d25nCneJhp1QT1v+dAguW9wAKDgWST59KNBgbY01jkf1IqXc
+FbmkctPIMggim3uCBqjzBboYvf+dtt0Fcu9aiB+4YmGUeQNb+9mdPweXoHmVrego
+XygVsbuSP4xKWtIJhBJ/3/jEK9LqBtv+owdUIxbw5Ci6A0JvSu+tnUj5oAgMyT2z
+YrGRK9plQZteeUkMcd6+anSEUpP45lzfz/T7loD9ViCbPHRuUFgwkwUcRGjQStm3
+pnx9bi8N4ac599f4KqInm5gd
+-----END AGE ENCRYPTED FILE-----