From 51533f7d07ae42b53f870658d97721407abb36a0 Mon Sep 17 00:00:00 2001 From: Sam Date: Tue, 14 May 2024 14:51:09 +0100 Subject: [PATCH] disko config and bootstrapping --- .sops.yaml | 11 --- flake.lock | 29 ++++++- flake.nix | 25 ++++++ home/common/optional/sops.nix | 3 +- home/users/admin/default.nix | 48 +++++++++++ hosts/bootstrap/default.nix | 87 ++++++++++++++++++++ hosts/bootstrap/hardware-configuration.nix | 32 +++++++ hosts/common/core/sops.nix | 2 +- hosts/common/disks/gpt-bios-compact.nix | 29 +++++++ hosts/common/disks/std-disk-config.nix | 59 +++++++++++++ hosts/common/users/admin/default.nix | 28 +++++++ hosts/common/users/{sam => }/keys/laptop.pub | 0 hosts/common/users/sam/default.nix | 2 +- hosts/fileserver/default.nix | 64 ++++++++++++++ hosts/fileserver/hardware-configuration.nix | 31 +++++++ 15 files changed, 432 insertions(+), 18 deletions(-) delete mode 100644 .sops.yaml create mode 100644 home/users/admin/default.nix create mode 100644 hosts/bootstrap/default.nix create mode 100644 hosts/bootstrap/hardware-configuration.nix create mode 100644 hosts/common/disks/gpt-bios-compact.nix create mode 100644 hosts/common/disks/std-disk-config.nix create mode 100644 hosts/common/users/admin/default.nix rename hosts/common/users/{sam => }/keys/laptop.pub (100%) create mode 100644 hosts/fileserver/default.nix create mode 100644 hosts/fileserver/hardware-configuration.nix diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index fb4cede..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,11 +0,0 @@ -keys: - - &users: - - &sam age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv - - &hosts: - - &nixdev age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3 -creation_rules: - - path_regex: secrets.yaml$ - key_groups: - - age: - - *sam - - *nixdev diff --git a/flake.lock b/flake.lock index dc6787e..ce312c8 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,5 +1,25 @@ { "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715563999, + "narHash": "sha256-DDXZOKK0C5YeZ/GTUj7HiT+oqYIt8+qTsldaDvhWHFc=", + "owner": "nix-community", + "repo": "disko", + "rev": "e972a78f4a49cd92075d64b6feeef64d26bf2996", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -23,11 +43,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1715635214, - "narHash": "sha256-BeviucpDYaTQs0qGFTw8M3u7OJuqejN+uKCAn5094+g=", + "lastModified": 1715644238, + "narHash": "sha256-QIQlx1bJV3E/z3hGS0hFVmXy1841uCPPP80o1c4VGDM=", "ref": "refs/heads/master", - "rev": "42b4533b8adf75f03f1ed98374cc75d02ec1e04d", - "revCount": 1, + "rev": "c8cc6d01c075b8fe802b3fd70bd961b1d13f747f", + "revCount": 2, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, @@ -82,6 +102,7 @@ }, "root": { "inputs": { + "disko": "disko", "home-manager": "home-manager", "nix-secrets": "nix-secrets", "nixpkgs": "nixpkgs", diff --git a/flake.nix b/flake.nix index 3404913..86f6440 100644 --- a/flake.nix +++ b/flake.nix @@ -13,6 +13,12 @@ home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; + # Declarative partitioning and formatting + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + # Secrets management sops-nix = { url = "github:mic92/sops-nix"; @@ -29,6 +35,7 @@ self, nixpkgs, home-manager, + disko, ... } @ inputs: let inherit (self) outputs; 
@@ -75,6 +82,24 @@ } ]; }; + fileserver = nixpkgs.lib.nixosSystem { + inherit specialArgs; + modules = [ + # > Our main nixos configuration file < + ./hosts/fileserver + home-manager.nixosModules.home-manager{ + home-manager.extraSpecialArgs = specialArgs; + } + ]; + }; + bootstrap = nixpkgs.lib.nixosSystem { + inherit specialArgs; + modules = [ + disko.nixosModules.disko + ./hosts/common/disks/gpt-bios-compact.nix + ./hosts/bootstrap + ]; + }; }; # # Standalone home-manager configuration entrypoint diff --git a/home/common/optional/sops.nix b/home/common/optional/sops.nix index 040a808..2e6ed20 100644 --- a/home/common/optional/sops.nix +++ b/home/common/optional/sops.nix @@ -1,6 +1,7 @@ { inputs, config, ... }: let - secretsFile = ../../../secrets.yaml; + secretsDirectory = builtins.toString inputs.nix-secrets; + secretsFile = "${secretsDirectory}/secrets.yaml"; homeDirectory = config.home.homeDirectory; in { diff --git a/home/users/admin/default.nix b/home/users/admin/default.nix new file mode 100644 index 0000000..f2107a5 --- /dev/null +++ b/home/users/admin/default.nix 
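Review bot: The new `fileserver` system wires in home-manager but only sets `home-manager.extraSpecialArgs`; no `home-manager.users.admin` entry is visible here, so `home/users/admin/default.nix` added in this commit does not appear to be reached by either system unless it is imported elsewhere. Likewise `hosts/common/disks/std-disk-config.nix` is created but imported by neither `fileserver` nor `bootstrap`, while `bootstrap` depends on `gpt-bios-compact.nix` to define `fileSystems."/"` because its hardware-configuration leaves that block empty; a one-line comment above the `bootstrap` entry, `# disko supplies fileSystems."/" — hardware-configuration.nix intentionally leaves it empty`, would save the next reader a failed evaluation. Style: `home-manager.nixosModules.home-manager{` wants a space before `{` to match the surrounding list items. The enclosing `nixosConfigurations` attribute set starts outside this hunk.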
@@ -0,0 +1,48 @@ +{ config, pkgs, lib, outputs, ... }: + +{ + home.username = "admin"; + home.homeDirectory = "/home/admin"; + home.stateVersion = "23.11"; + + imports = [ + ] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules? + + home.packages = [ + ]; + + programs.zsh = { + enable = true; + enableCompletion = true; + autosuggestion.enable = true; + syntaxHighlighting.enable = true; + + shellAliases = { + ll = "ls -l"; + update = "sudo nixos-rebuild switch --flake $(readlink -f /etc/nixos)#fileserver"; + }; + history.size = 10000; + history.path = "${config.xdg.dataHome}/zsh/history"; + + initExtra = '' + bindkey -v + bindkey "^H" backward-delete-char + bindkey "^?" backward-delete-char + set -o vi + export TERM=xterm + ''; + }; + + + home.file = { + }; + + home.sessionPath = [ + ]; + + home.sessionVariables = { + }; + + programs.home-manager.enable = true; +} + diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix new file mode 100644 index 0000000..e3590fa --- /dev/null +++ b/hosts/bootstrap/default.nix 
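Review bot: The `update` alias hard-codes `#fileserver`, but this home module is for the shared `admin` user that the `bootstrap` host also creates, so running it on any other machine would switch that machine to the fileserver's configuration. Deriving the attribute from the running host avoids that: `update = "sudo nixos-rebuild switch --flake $(readlink -f /etc/nixos)#$(hostname)";`. The `imports = [ ] ++ (builtins.attrValues outputs.homeManagerModules);` line carries a trailing `# import all homeManagerModules?` question that should either be resolved or turned into a `TODO` so it is tracked. `export TERM=xterm` in `initExtra` clobbers whatever the terminal advertised and is better left to the emulator.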
@@ -0,0 +1,87 @@ +{ lib, pkgs, configLib, configVars, ... }: +{ + imports = [ + # Import core options + ./hardware-configuration.nix + ../common/core + + # Import optional options +# ../common/optional/openssh + + # Create users for this host + ../common/users/admin + ]; + + #virtualisation.virtualbox.guest.enable = true; + virtualisation.libvirtd = { + qemu = { + package = pkgs.qemu_kvm; # only emulates host arch, smaller download + swtpm.enable = true; # allows for creating emulated TPM + ovmf.packages = [(pkgs.OVMF.override { + secureBoot = true; + tpmSupport = true; + }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff + }; + }; + #fileSystems."/boot".options = ["umask=0077"]; # Removes permissions and security warnings. + #boot.loader.efi.canTouchEfiVariables = true; + #boot.loader.grub.device = "/dev/vda"; + boot.loader.grub.enable = true; +# boot.loader.systemd-boot = { +# enable = true; +# # we use Git for version control, so we don't need to keep too many generations. +# # FIXME lower this even more after testing complete +# configurationLimit = lib.mkDefault 10; +# # pick the highest resolution for systemd-boot's console. 
+# consoleMode = lib.mkDefault "max"; +# }; + boot.initrd.systemd.enable = true; + + i18n.defaultLocale = "en_GB.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "uk"; + useXkbConfig = false; + }; + + + networking = { + # configures the network interface(include wireless) via `nmcli` & `nmtui` + networkmanager.enable = true; + }; + + services = { + qemuGuest.enable = true; + openssh = { + enable = true; + ports = [22]; # FIXME: Make this use configVars.networking + settings.PermitRootLogin = "yes"; + # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611 + # this mitigates the security issue caused by enabling u2fAuth in pam + authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; + }; + }; + + security.pam = { + sshAgentAuth.enable = true; + #FIXME the above is deprecated in 24.05 but we will wait until release + #sshAgentAuth.enable = true; + services = { + sudo.u2fAuth = true; + }; + }; + + # ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config. + # programs.ssh.startAgent = true; + + environment.systemPackages = builtins.attrValues { + inherit(pkgs) + wget + curl + rsync; + }; + + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + system.stateVersion = "23.11"; +} diff --git a/hosts/bootstrap/hardware-configuration.nix b/hosts/bootstrap/hardware-configuration.nix new file mode 100644 index 0000000..e1f3ff6 --- /dev/null +++ b/hosts/bootstrap/hardware-configuration.nix 
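Review bot: `settings.PermitRootLogin = "yes";` allows password-based root logins over SSH on a host that also imports `../common/users/admin`, whose account ships with a clear-text fallback password, and password authentication is not disabled anywhere in this file. Since authorized keys are already forced to `/etc/ssh/authorized_keys.d/%u`, key-only access is what the configuration is aiming for; `settings.PermitRootLogin = "prohibit-password";` together with `settings.PasswordAuthentication = false;` closes the password path while keeping key-based root access for bootstrapping. The `ports = [22]; # FIXME` and the duplicated `sshAgentAuth.enable` lines (one live, one commented with a deprecation FIXME) should be reconciled before this module is copied to other hosts. The large commented-out `systemd-boot` and `fileSystems."/boot".options` stanzas read as scratch work and would be clearer as a single `# TODO` comment.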
@@ -0,0 +1,32 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { + }; + + swapDevices = + [ + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/common/core/sops.nix b/hosts/common/core/sops.nix index d313dde..ac5bda1 100644 --- a/hosts/common/core/sops.nix +++ b/hosts/common/core/sops.nix @@ -1,6 +1,6 @@ { pkgs, inputs, config, configVars, ... }: let - secretsDirectory = ../../../secrets.yaml; + secretsDirectory = builtins.toString inputs.nix-secrets; secretsFile = "${secretsDirectory}/secrets.yaml"; homeDirectory = "/home/${configVars.username}"; in diff --git a/hosts/common/disks/gpt-bios-compact.nix b/hosts/common/disks/gpt-bios-compact.nix new file mode 100644 index 0000000..80a0e46 --- /dev/null +++ b/hosts/common/disks/gpt-bios-compact.nix 
@@ -0,0 +1,29 @@ +# Example to create a bios compatible gpt partition +{ + disko.devices = { + disk = { + vda = { + device = "/dev/vda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + priority = 1; # Needs to be first partition + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/common/disks/std-disk-config.nix b/hosts/common/disks/std-disk-config.nix new file mode 100644 index 0000000..2b2ca81 --- /dev/null +++ b/hosts/common/disks/std-disk-config.nix @@ -0,0 +1,59 @@ +{ + disko.devices = { + disk = { + #FIXME change to proper device or make dynamic like figdetingbits + sda = { + type = "disk"; + # FIXME change to proper device or make dynamic like figdetingbits + device = "/dev/sda"; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + start = "1M"; + end = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; # Override existing partition + # Subvolumes must set a mountpoint in order to be mounted, + # unless their parent is mounted + subvolumes = { + "/root" = { + mountpoint = "/"; + }; + + "/persist" = { + mountOptions = [ "compress=zstd" ]; + mountpoint = "/persist"; + }; + + "/nix" = { + mountOptions = [ "compress=zstd" "noatime" ]; + mountpoint = "/nix"; + }; + + "/swap" = { + mountOptions = [ "noatime" ]; + mountpoint = "/.swapvol"; + swap.swapfile.size = "8192M"; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/common/users/admin/default.nix b/hosts/common/users/admin/default.nix new file mode 100644 index 0000000..b629ce7 --- /dev/null +++ b/hosts/common/users/admin/default.nix 
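Review bot: In `std-disk-config.nix` the `ESP` filesystem content has no `mountOptions`, so `/boot` is mounted with the vfat default permissions and NixOS emits the world-readable `/boot` warning that the commented-out `fileSystems."/boot".options = ["umask=0077"]` line in `hosts/bootstrap/default.nix` was apparently written to silence; set it at the source instead, `mountOptions = [ "umask=0077" ];` alongside `mountpoint = "/boot";`. `extraArgs = [ "-f" ];` forces `mkfs.btrfs` over existing data, which combined with the two `FIXME` comments about the hard-coded `/dev/sda` makes a wrong device guess destructive; a comment stating that the device must be verified before `disko` is run would help. Neither layout adds an encryption layer, and the `/swap` subvolume holds an 8192M plain swapfile, so memory contents and anything persisted under `/persist` are readable at rest — if this file is meant for the fileserver rather than a throwaway VM, that is worth an explicit design note in the header.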
@@ -0,0 +1,28 @@ +{ pkgs, inputs, config, lib, ... }: +let + pubKeys = lib.filesystem.listFilesRecursive (../keys); +in +{ + users.users.admin = { + isNormalUser = true; + password = "nixos"; # Overridden if sops is working + shell = pkgs.zsh; # default shell + + openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); + + extraGroups = + [ "qemu-libvirtd" "libvirtd" + "wheel" "video" "audio" "disk" "networkmanager" + ]; + + }; + + programs.zsh.enable = true; + + environment.systemPackages = [ + pkgs.rsync + pkgs.curl + pkgs.tmux + pkgs.neovim + ]; +} diff --git a/hosts/common/users/sam/keys/laptop.pub b/hosts/common/users/keys/laptop.pub similarity index 100% rename from hosts/common/users/sam/keys/laptop.pub rename to hosts/common/users/keys/laptop.pub diff --git a/hosts/common/users/sam/default.nix b/hosts/common/users/sam/default.nix index 86b5a1a..fd1941e 100644 --- a/hosts/common/users/sam/default.nix +++ b/hosts/common/users/sam/default.nix @@ -1,6 +1,6 @@ { pkgs, inputs, config, lib, ... }: let - pubKeys = lib.filesystem.listFilesRecursive (./keys); + pubKeys = lib.filesystem.listFilesRecursive (../keys); in { users.users.sam = { diff --git a/hosts/fileserver/default.nix b/hosts/fileserver/default.nix new file mode 100644 index 0000000..9dc8695 --- /dev/null +++ b/hosts/fileserver/default.nix 
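Review bot: `password = "nixos"; # Overridden if sops is working` stores a clear-text password in git and in the world-readable Nix store for a `wheel` member, and the commit deletes `.sops.yaml` from this repo, so on any new host whose age key has not yet been registered in the external secrets repo this fallback is what the SSH-reachable `admin` account actually uses. Prefer `hashedPasswordFile = config.sops.secrets.<ADMIN_PASSWORD_SECRET>.path;` (placeholder name) with no plain `password` at all, or at minimum `initialPassword`, which only applies when the account is first created. The move from `./keys` to `../keys` here and in the `sam` hunk below means every public key under `hosts/common/users/keys` is now authorized for both users; a comment such as `# every key in ../keys is trusted for this account — the directory is a shared allow-list` makes that trust boundary explicit for whoever adds the next key.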
@@ -0,0 +1,64 @@ +{ inputs, config, lib, pkgs, outputs, configLib, ... }: + +{ + imports = + [ + # Import core options + ./hardware-configuration.nix + ../common/core + + # Import optional options + ../common/optional/openssh + + # Create users for this host + ../common/users/admin + + ]; + + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.unstable-packages + ]; + config = { + allowUnfree = true; + }; + }; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + + networking.networkmanager.enable = true; + + time.timeZone = "Europe/London"; + + networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + i18n.defaultLocale = "en_GB.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "uk"; + useXkbConfig = false; + }; + + services.printing.enable = true; + + services.libinput.enable = true; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + hardware = { + opengl.enable = true; + nvidia.modesetting.enable = true; + }; + + system.stateVersion = "23.11"; + +} + diff --git a/hosts/fileserver/hardware-configuration.nix b/hosts/fileserver/hardware-configuration.nix new file mode 100644 index 0000000..18a632f --- /dev/null +++ b/hosts/fileserver/hardware-configuration.nix 
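Review bot: `services.printing.enable = true;` starts CUPS, a listening network service, on what the companion hardware-configuration identifies as a QEMU guest acting as a fileserver, and `services.libinput.enable`, `hardware.opengl.enable` and `hardware.nvidia.modesetting.enable` are desktop-template leftovers on the same headless VM; dropping these lines shrinks the exposed surface and avoids pulling in the NVIDIA module. `boot.loader.grub.device = "/dev/sda";` is hard-coded while the new `std-disk-config.nix` carries a FIXME about the same device, so the two should be kept in step. `networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";` looks like an unedited template value and should be removed or given the real domain.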
@@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/71f3bf73-5464-4a04-b301-b68a62e711a2"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +}