Commit graph

17 commits

Author SHA1 Message Date
William Carroll
5fd094d39c Replace ~ with /home/wpcarro
Nix runs the `rebuild` command as root, so ~ resolves to /root, which is not
what I want.
2020-03-08 19:14:08 +00:00
William Carroll
9b49731c02 Use static directory path as root for learn.wpcarro.dev
With this simple change, Nix should copy the static directory and all of its
contents to /nix/store and return the path to that directory.

See TODO for more what I would have liked to do ideally.
2020-03-08 19:11:10 +00:00
William Carroll
c187d89f27 Rename socrates/default.nix -> socrates/configuration.nix
readTree uses the output attribute set of default.nix as the value for
nixos.socrates, which disables me from resolving nixos.socrates.rebuild since
there is no rebuild attribute in the output attribute set from default.nix.

If I rename default.nix -> configuration.nix, I can resolve
nixos.socrates.{configuration,hardware,rebuild}.
2020-03-07 16:17:23 +00:00
William Carroll
694ca4a85f Ensure socrates/default.nix is a function
Nix complains that `nixos.socrates` is not a function but a set. By adding
`{ ... }:` to the top of the file, I'm hoping to change it from a set to a
function.
2020-03-07 16:17:23 +00:00
William Carroll
5ba3f2b572 Attempt to serve {learn,blog}.wpcarro.dev
Reading an Nginx tutorial and trying to port the information over to NixOS.
2020-03-07 16:17:22 +00:00
William Carroll
431b4980e4 Remove fix-point recursion from socrates/default.nix
The fixed-point recursion isn't necessary.
2020-03-07 15:07:32 +00:00
William Carroll
6eb239dcce Manually require dependencies for <nixpkgs>, <briefcase>
When I build socrates using `sudo nixos-rebuild [...] switch`, my
`nixos-config` (i.e. <briefcase/nixos/socrates/default.nix>) is a simple Nix
anonymous function. Typically readTree populates my pkgs, briefcase, depot
function parameters with <nixpkgs>, <briefcase>, <depot>, but `nixos-rebuild` is
unaware of `readTree`.

For now I'm manually importing these dependencies, and I'm leaving a TODO to
reconsider switching to the `{ pkgs, briefcase, ... }` style when I better
understand NixOS.
2020-03-01 22:44:35 +00:00
William Carroll
3e51bf600a Removing unused parameters in installer.nix
I'm neither using config nor pkgs, so I'm deleting them.
2020-03-01 22:32:25 +00:00
William Carroll
fd720fbe4d Nest configuration beneath socrates directory
Create a socrates directory to store configuration for socrates.
2020-03-01 22:32:24 +00:00
William Carroll
6a076e8329 Expose depot and briefcase to rebuild script
At the moment, I don't think nixos-rebuild is reading $NIX_PATH, which
appropriately sets the paths for depot and briefcase. I'm going to explicitly
expose these values in the rebuild script for now.
2020-02-23 20:11:33 +00:00
William Carroll
0973ca006c Define monzo-token-server as a root systemd service
After I considered the security implications of calling
`systemctl --user cat monzo-token-server`, I realized that monzo-token-server
should be a root service instead of a user service.

This service unit now also explicitly depends on briefcase.monzo_ynab.tokens,
which is a big improvement.
2020-02-23 20:01:33 +00:00
William Carroll
a1a4689ad3 Consume updated kv module
Exposing store_path to the tokens module to support the newly updated kv
module, which requires an explicit storePath parameter.
2020-02-23 20:01:15 +00:00
William Carroll
3f46ac6513 Change systemd unit type: oneshot -> simple
"oneshot", according to `man systemd.service`, "will consider the unit up after
the main process exits". Since I designed token-server to run continuously, it
will not intentionally exit; therefore, systemd awaits its exit, which never
comes. "simple", on the other hand, does what I want.
2020-02-23 19:32:52 +00:00
William Carroll
f926b4d61a Expose secrets to Monzo / YNAB service
Here is my first attempt to manage secrets when I deploy onto a NixOS machine.

Background: When I develop, I use direnv, which reads an .envrc file in which I
define my secrets. My secrets are read from `pass` using a pattern like this...

```shell
secret_value="$(pass show path/to/secret)"
```

...Thus far, I've found this pattern convenient. `pass show` invokes GPG, which
asks me for a password to authenticate. This means that when I cd into a
directory with an .envrc file using this pattern, I may be prompted by GPG for a
password. When I'm not, it's because gpg-agent is still caching my
password. This works for development, but I currently do not know how to use
direnv for deployments.

Here is what I'm using until I find a more convenient solution:
- Store the secrets in /etc/secrets on socrates. Ensure that the /etc/secrets
  directory and its contents are only readable by root.
- Use systemd's Environment and NixOS's builtins.readFile to read the files in
  /etc/secrets when I can `sudo nixos-rebuild`.

Ideally I could call a function like `builtins.readFromPasswordStore` within
configuration.nix. This would allow me to skip the step where I run...

```shell
> ssh socrates
> pass show finance/monzo/client-id | sudo tee /etc/secrets/monzo-client-id
> pass show finance/monzo/client-secret | sudo tee /etc/secrets/monzo-client-secret
> # etc
```

...I don't know how to manage secrets using NixOS, but at least this is one
answer.
2020-02-23 19:32:49 +00:00
William Carroll
695de12482 Incorporate NixOS configuration
TL;DR:
- Move /etc/nixos/configuration.nix -> //nixos/configuration.nix
- Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix
- Document installer.nix
- Create rebuild.nix wrapper around `sudo nixos-rebuild switch`

Previously I sketched ideas for the configuration.nix for socrates -- also known
as flattop -- the inexpensive Acer laptop residing in my flat and stored that
configuration.nix file in briefcase. Now, however, I have successfully installed
NixOS onto socrates. By default NixOS saves the configuration.nix and
hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files
into briefcase.

Because the command `nixos-rebuild` looks for the NixOS configuration
file in /etc/nixos, I wrote rebuild.nix, which creates a program to
call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 18:44:44 +00:00
William Carroll
79013316a6 Support installer.nix
The command...

```shell
nix-build -A config.system.build.isoImage -I nixos-config=installer.nix nixos
```

...creates an .iso file in the ./result directory. You can then copy this onto a
USB and use it as a custom installer...

```shell
cp ./result/iso/*-linux.iso /dev/sda
```

I needed an installer that used a version of the Linux kernel higher than the
one distributed on NixOS's website: 4.19.? -> 5.4.20+. My Acer laptop needed a
version of the kernel that supported its network controller: Intel 3168NGW.

TODO(wpcarro): Pin the nixpkgs git commit SHA inside of installer.nix.
2020-02-20 19:51:51 +00:00
William Carroll
01f0ebfa32 Support basic nixos/configuration.nix
I'm attempting to configure an old Acer laptop that I bought at a used
electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install
NixOS on it. The configuration.nix herein defines a starting point for the
configuration for that machine. It isn't currently working.

Troubleshooting and solutions forthcoming...
2020-02-20 19:49:15 +00:00