commit 289bfa2fcd10aeab398ca190b84f31c6be7ea7ea Author: sinavir Date: Wed Apr 10 19:47:45 2024 +0200 init
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..86f39aa
--- /dev/null
+++ b/README.md
@@ -0,0 +1,16 @@
+# colmena anywhere
+
+A thin wrapper around [nixos-anywhere](https://github.com/numtide/nixos-anywhere)
+to build with colmena
+
+Colmena configurations must use disko.
+Have a look to schedar machine config in [../config/machines/schedar](../config/machines/schedar)
+
+# usage
+
+```
+$ ./colmena-anywhere.sh --help
+```
+
+
+Colmena nixpkgs version must provide nixos-anywhere (eg: with an overlay)
diff --git a/config/configuration.nix b/config/configuration.nix
new file mode 100644
index 0000000..5ac88d7
--- /dev/null
+++ b/config/configuration.nix
@@ -0,0 +1,33 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, name, ... }:
+
+{
+ imports =
+ [
+ ./networking.nix
+ ./hardware-configuration.nix
+ ./programs.nix
+ ./ssh.nix
+ ./users.nix
+ ];
+
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ networking.hostName = "name";
+
+ time.timeZone = "Europe/Paris";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
diff --git a/config/disko.nix b/config/disko.nix
new file mode 100644
index 0000000..0a70ae7
--- /dev/null
+++ b/config/disko.nix
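Review bot: `networking.hostName = "name";` assigns the literal string "name" instead of the `name` argument declared on the module's signature line, so every host built from this file is called `name`; it should read `networking.hostName = name;`. Be aware that default.nix in this commit evaluates the module without supplying `name` (colmena normally provides it per node), and the literal string is presumably the only reason that evaluation currently succeeds, so the fix needs `specialArgs = { name = ...; };` on that side as well. The hard-coded `boot.loader.grub.device = "/dev/sda"` matches disko.nix here, but a one-line comment tying the two together, e.g. `# must match disko.devices.disk.sda.device`, would stop them drifting apart.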
@@ -0,0 +1,88 @@
+_:
+
+let
+ luksName = "mainfs";
+in
+{
+ boot.initrd.luks.devices.${luksName} = {
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+ disko.devices = {
+ disk = {
+ sda = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "boot";
+ start = "0";
+ end = "1M";
+ flags = [ "bios_grub" ];
+ }
+ {
+ name = "ESP";
+ start = "1MiB";
+ end = "512MiB";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "luks";
+ start = "512MiB";
+ end = "-4GiB";
+ content = rec {
+ type = "luks";
+ name = luksName;
+ extraOpenArgs = [ "--keyfile-size=1" ];
+ extraFormatArgs = extraOpenArgs;
+ keyFile = "/dev/zero";
+ content = {
+ type = "btrfs";
+ mountpoint = "/mnt/btrfs-root";
+ subvolumes = {
+ "/rootfs" = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd" ];
+ };
+ "/home" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/home";
+ };
+ "/var-lib" = {
+ mountpoint = "/var/lib";
+ };
+ "/var-log" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/var/log";
+ };
+ "/nix" = {
+ mountOptions = [ "noatime" "compress=zstd" ];
+ mountpoint = "/nix";
+ };
+ };
+ };
+ };
+ }
+ {
+ name = "swap";
+ start = "-4GiB";
+ end = "100%";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ };
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/config/hardware-configuration.nix b/config/hardware-configuration.nix
new file mode 100644
index 0000000..70819a5
--- /dev/null
+++ b/config/hardware-configuration.nix
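Review bot: The LUKS container is formatted and opened with `keyFile = "/dev/zero"` and `--keyfile-size=1`, i.e. a single zero byte anyone can reproduce, and the `boot.initrd.luks.devices` entry at the top of the hunk auto-unlocks it with the same key at boot, so the encryption provides no confidentiality at rest. If this is a deliberate placeholder so a real key can be enrolled later, say so next to the key, e.g. `# NOTE: public zero-byte placeholder key; enroll a real key with cryptsetup luksAddKey and kill slot 0 after install`, and make that re-keying a documented step of the install procedure. Otherwise provide a real key at install time (disko's `passwordFile`, with nixos-anywhere copying it in via `--disk-encryption-keys`, as far as I recall) and have the initrd prompt or read it from a protected source instead of `/dev/zero`. The `randomEncryption = true` swap partition is fine as is.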
@@ -0,0 +1,21 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ (let sources = import ../npins; in sources.disko + "/module.nix")
+ ./disko.nix
+ ];
+
+ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/config/networking.nix b/config/networking.nix
new file mode 100644
index 0000000..d72df3f
--- /dev/null
+++ b/config/networking.nix
@@ -0,0 +1,8 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ networking.useDHCP = true;
+}
diff --git a/config/programs.nix b/config/programs.nix
new file mode 100644
index 0000000..de76245
--- /dev/null
+++ b/config/programs.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ environment.systemPackages = with pkgs; [
+ dhcpdump
+ dig
+ iftop
+ eza
+ git
+ htop
+ jq
+ lazygit
+ mosh
+ nmap
+ npins
+ ripgrep
+ screen
+ tcpdump
+ unzip
+ vim
+ wget
+ wireguard-tools
+ ];
+
+ environment.shellAliases = {
+ l = "eza -lah --git --git-repos-no-status";
+ };
+
+ programs.mosh.enable = !(builtins.elem config.networking.hostName []);
+ programs.mtr.enable = true;
+
+ programs.vim.defaultEditor = true;
+}
diff --git a/config/ssh.nix b/config/ssh.nix
new file mode 100644
index 0000000..08baa80
--- /dev/null
+++ b/config/ssh.nix
@@ -0,0 +1,4 @@
+{...}: {
+ services.openssh.enable = true;
+ services.openssh.settings.PasswordAuthentication = false;
+}
diff --git a/config/users.nix b/config/users.nix
new file mode 100644
index 0000000..c9d69ec
--- /dev/null
+++ b/config/users.nix
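Review bot: The header still says `# Do not modify this file! It was generated by ‘nixos-generate-config’` while the hunk adds hand-written imports (the npins disko module and `./disko.nix`), so a future `nixos-generate-config` run would silently drop the disko wiring along with the comment's promise. Either move those two imports into configuration.nix and leave this file generated, or replace the header with a comment stating that the file is hand-maintained and why.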
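Review bot: `programs.mosh.enable = !(builtins.elem config.networking.hostName []);` is always true, since nothing is a member of the empty list, and enabling mosh also opens its UDP port range in the firewall by default (I believe `programs.mosh.openFirewall` defaults to true), which is not obvious from reading this line. Write `programs.mosh.enable = true;` and set `programs.mosh.openFirewall` explicitly, or make the list a real per-host opt-out with a comment explaining it. Installing nmap, tcpdump and dhcpdump on every host is a choice worth a one-line comment such as `# packet-capture and scanning tools for operator diagnostics` so it is not mistaken for an oversight.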
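Review bot: `PasswordAuthentication = false` on its own does not disable password logins on NixOS, because keyboard-interactive (PAM) authentication stays enabled unless `services.openssh.settings.KbdInteractiveAuthentication = false;` is set as well; add it next to the existing line. Since users.nix in this commit grants SSH access only to root, also state the root policy explicitly with `services.openssh.settings.PermitRootLogin = "prohibit-password";` rather than relying on the module default.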
@@ -0,0 +1,6 @@
+{...}: {
+ users.mutableUsers = false;
+ users.users.root = {
+ openssh.authorizedKeys.keyFiles = [../ssh.keys];
+ };
+}
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..0459a52
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,14 @@
+{ sources ? import ./npins }:
+let
+ evalConfig = import (sources.nixpkgs + "/nixos/lib/eval-config.nix");
+ pkgs = import sources.nixpkgs {};
+ system = evalConfig {
+ modules = [
+ ./config/configuration.nix
+ ];
+ };
+ inherit (system.config.system.build) diskoScript toplevel;
+ colmenaAnywhere = pkgs.writeShellScript "nixos-anywhere-auto.sh" ''
+ ${pkgs.nixos-anywhere} -s ${diskoScript} ${toplevel}
+ '';
+in colmenaAnywhere
diff --git a/npins/default.nix b/npins/default.nix
new file mode 100644
index 0000000..4a7c372
--- /dev/null
+++ b/npins/default.nix
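Review bot: With `users.mutableUsers = false`, no password for root, and `openssh.authorizedKeys.keyFiles = [../ssh.keys]` pointing at a file this commit adds empty (the `ssh.keys` entry at the end of the diff has no hunk), the installed system has no working login at all, which with nixos-anywhere means a wiped disk and a locked-out host. Either populate the file before this lands or make the build fail loudly, e.g. `{...}: assert builtins.stringLength (builtins.readFile ../ssh.keys) > 0; {` on the first line. Separately, all access goes directly to root; the usual least-privilege layout is an unprivileged admin user in `wheel` holding the keys, with root reachable only through sudo.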
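Review bot: `${pkgs.nixos-anywhere}` interpolates the package's store path, which is a directory, so the generated script tries to execute a directory; it needs the binary, `${pkgs.nixos-anywhere}/bin/nixos-anywhere` (or `${pkgs.lib.getExe pkgs.nixos-anywhere}`). The script also forwards no arguments, so the target host and any extra flags cannot be given; the line should be `${pkgs.nixos-anywhere}/bin/nixos-anywhere -s ${diskoScript} ${toplevel} "$@"`. Note too that `evalConfig` is called without `specialArgs`, while configuration.nix declares a `name` argument; evaluation presumably only succeeds because the module never forces `name`, so pass it here (`specialArgs = { name = "..."; };`) once the hostname bug in configuration.nix is fixed.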
@@ -0,0 +1,47 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+ data = builtins.fromJSON (builtins.readFile ./sources.json);
+ version = data.version;
+
+ mkSource = spec:
+ assert spec ? type; let
+ path =
+ if spec.type == "Git" then mkGitSource spec
+ else if spec.type == "GitRelease" then mkGitSource spec
+ else if spec.type == "PyPi" then mkPyPiSource spec
+ else if spec.type == "Channel" then mkChannelSource spec
+ else builtins.throw "Unknown source type ${spec.type}";
+ in
+ spec // { outPath = path; };
+
+ mkGitSource = { repository, revision, url ? null, hash, ... }:
+ assert repository ? type;
+ # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+ # In the latter case, there we will always be an url to the tarball
+ if url != null then
+ (builtins.fetchTarball {
+ inherit url;
+ sha256 = hash; # FIXME: check nix version & use SRI hashes
+ })
+ else assert repository.type == "Git"; builtins.fetchGit {
+ url = repository.url;
+ rev = revision;
+ # hash = hash;
+ };
+
+ mkPyPiSource = { url, hash, ... }:
+ builtins.fetchurl {
+ inherit url;
+ sha256 = hash;
+ };
+
+ mkChannelSource = { url, hash, ... }:
+ builtins.fetchTarball {
+ inherit url;
+ sha256 = hash;
+ };
+in
+if version == 3 then
+ builtins.mapAttrs (_: mkSource) data.pins
+else
+ throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/npins/sources.json b/npins/sources.json
new file mode 100644
index 0000000..9c8dea4
--- /dev/null
+++ b/npins/sources.json
@@ -0,0 +1,25 @@
+{
+ "pins": {
+ "disko": {
+ "type": "GitRelease",
+ "repository": {
+ "type": "GitHub",
+ "owner": "nix-community",
+ "repo": "disko"
+ },
+ "pre_releases": false,
+ "version_upper_bound": null,
+ "version": "v1.5.0",
+ "revision": "5d2d3e421ade554b19b4dbb0d11a04023378a330",
+ "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.5.0",
+ "hash": "1d03a0wb710by1m2c3rx758vy67f8r71gnv2h3qn4jj1bx10sdg4"
+ },
+ "nixpkgs": {
+ "type": "Channel",
+ "name": "nixpkgs-unstable",
+ "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.05pre609935.062fc6cf99d8/nixexprs.tar.xz",
+ "hash": "1s0hsq8akjw3qn0zpzy0nh2558380q2pqsy3v4k4f2v52hhb1cj1"
+ }
+ },
+ "version": 3
+}
\ No newline at end of file
diff --git a/result b/result
new file mode 120000
index 0000000..9e50798
--- /dev/null
+++ b/result
@@ -0,0 +1 @@
+/nix/store/22qf5gb7k4nkw3bs06pjf20s81p0n7wa-nixos-anywhere-auto.sh
\ No newline at end of file
diff --git a/ssh.keys b/ssh.keys
new file mode 100644
index 0000000..e69de29
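Review bot: `result` is a build-output symlink into the local Nix store (`/nix/store/...-nixos-anywhere-auto.sh`) and should not be committed: it is meaningless on any other machine and will churn on every rebuild. Remove it from the tree and add `result` to a `.gitignore`.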