init

README.md

@@ -0,0 +1,16 @@
+# colmena anywhere
+
+A thin wrapper around [nixos-anywhere](https://github.com/numtide/nixos-anywhere)
+to build with colmena
+
+Colmena configurations must use disko.
+Have a look to schedar machine config in [../config/machines/schedar](../config/machines/schedar)
+
+# usage
+
+```
+$ ./colmena-anywhere.sh --help
+```
+
+
+Colmena nixpkgs version must provide nixos-anywhere (eg: with an overlay)

config/configuration.nix

@@ -0,0 +1,33 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, name, ... }:
+
+{
+  imports =
+    [
+      ./networking.nix
+      ./hardware-configuration.nix
+      ./programs.nix
+      ./ssh.nix
+      ./users.nix
+    ];
+
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+  };
+
+  networking.hostName = "name";
+
+  time.timeZone = "Europe/Paris";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

config/disko.nix

@@ -0,0 +1,88 @@
+_:
+
+let
+  luksName = "mainfs";
+in
+{
+  boot.initrd.luks.devices.${luksName} = {
+    keyFile = "/dev/zero";
+    keyFileSize = 1;
+  };
+  disko.devices = {
+    disk = {
+      sda = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "table";
+          format = "gpt";
+          partitions = [
+            {
+              name = "boot";
+              start = "0";
+              end = "1M";
+              flags = [ "bios_grub" ];
+            }
+            {
+              name = "ESP";
+              start = "1MiB";
+              end = "512MiB";
+              bootable = true;
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            }
+            {
+              name = "luks";
+              start = "512MiB";
+              end = "-4GiB";
+              content = rec {
+                type = "luks";
+                name = luksName;
+                extraOpenArgs = [ "--keyfile-size=1" ];
+                extraFormatArgs = extraOpenArgs;
+                keyFile = "/dev/zero";
+                content = {
+                  type = "btrfs";
+                  mountpoint = "/mnt/btrfs-root";
+                  subvolumes = {
+                    "/rootfs" = {
+                      mountpoint = "/";
+                      mountOptions = [ "compress=zstd" ];
+                    };
+                    "/home" = {
+                      mountOptions = [ "compress=zstd" ];
+                      mountpoint = "/home";
+                    };
+                    "/var-lib" = {
+                      mountpoint = "/var/lib";
+                    };
+                    "/var-log" = {
+                      mountOptions = [ "compress=zstd" ];
+                      mountpoint = "/var/log";
+                    };
+                    "/nix" = {
+                      mountOptions = [ "noatime" "compress=zstd" ];
+                      mountpoint = "/nix";
+                    };
+                  };
+                };
+              };
+            }
+            {
+              name = "swap";
+              start = "-4GiB";
+              end = "100%";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+              };
+            }
+          ];
+        };
+      };
+    };
+  };
+}

config/hardware-configuration.nix

@@ -0,0 +1,21 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+      (modulesPath + "/profiles/qemu-guest.nix")
+      (let sources = import ../npins; in sources.disko + "/module.nix")
+      ./disko.nix
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

config/networking.nix

@@ -0,0 +1,8 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  networking.useDHCP = true;
+}

config/programs.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  environment.systemPackages = with pkgs; [
+    dhcpdump
+    dig
+    iftop
+    eza
+    git
+    htop
+    jq
+    lazygit
+    mosh
+    nmap
+    npins
+    ripgrep
+    screen
+    tcpdump
+    unzip
+    vim
+    wget
+    wireguard-tools
+  ];
+
+  environment.shellAliases = {
+    l = "eza -lah --git --git-repos-no-status";
+  };
+
+  programs.mosh.enable = !(builtins.elem config.networking.hostName []);
+  programs.mtr.enable = true;
+
+  programs.vim.defaultEditor = true;
+}

config/ssh.nix

@@ -0,0 +1,4 @@
+{...}: {
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+}

config/users.nix

@@ -0,0 +1,6 @@
+{...}: {
+  users.mutableUsers = false;
+  users.users.root = {
+    openssh.authorizedKeys.keyFiles = [../ssh.keys];
+  };
+}

default.nix

@@ -0,0 +1,14 @@
+{ sources ? import ./npins }:
+let
+  evalConfig = import (sources.nixpkgs + "/nixos/lib/eval-config.nix");
+  pkgs = import sources.nixpkgs {};
+  system = evalConfig {
+    modules = [
+      ./config/configuration.nix
+    ];
+  };
+  inherit (system.config.system.build) diskoScript toplevel;
+  colmenaAnywhere = pkgs.writeShellScript "nixos-anywhere-auto.sh" ''
+      ${pkgs.nixos-anywhere} -s ${diskoScript} ${toplevel}
+    '';
+in colmenaAnywhere

npins/default.nix

@@ -0,0 +1,47 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
+  version = data.version;
+
+  mkSource = spec:
+    assert spec ? type; let
+      path =
+        if spec.type == "Git" then mkGitSource spec
+        else if spec.type == "GitRelease" then mkGitSource spec
+        else if spec.type == "PyPi" then mkPyPiSource spec
+        else if spec.type == "Channel" then mkChannelSource spec
+        else builtins.throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = path; };
+
+  mkGitSource = { repository, revision, url ? null, hash, ... }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null then
+      (builtins.fetchTarball {
+        inherit url;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
+      })
+    else assert repository.type == "Git"; builtins.fetchGit {
+      url = repository.url;
+      rev = revision;
+      # hash = hash;
+    };
+
+  mkPyPiSource = { url, hash, ... }:
+    builtins.fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkChannelSource = { url, hash, ... }:
+    builtins.fetchTarball {
+      inherit url;
+      sha256 = hash;
+    };
+in
+if version == 3 then
+  builtins.mapAttrs (_: mkSource) data.pins
+else
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"

npins/sources.json

@@ -0,0 +1,25 @@
+{
+  "pins": {
+    "disko": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "disko"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "version": "v1.5.0",
+      "revision": "5d2d3e421ade554b19b4dbb0d11a04023378a330",
+      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.5.0",
+      "hash": "1d03a0wb710by1m2c3rx758vy67f8r71gnv2h3qn4jj1bx10sdg4"
+    },
+    "nixpkgs": {
+      "type": "Channel",
+      "name": "nixpkgs-unstable",
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.05pre609935.062fc6cf99d8/nixexprs.tar.xz",
+      "hash": "1s0hsq8akjw3qn0zpzy0nh2558380q2pqsy3v4k4f2v52hhb1cj1"
+    }
+  },
+  "version": 3
+}

result

@@ -0,0 +1 @@
+/nix/store/22qf5gb7k4nkw3bs06pjf20s81p0n7wa-nixos-anywhere-auto.sh