disko config and bootstrapping

.sops.yaml

@@ -1,11 +0,0 @@
-keys:
-  - &users:
-    - &sam age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv
-  - &hosts:
-    - &nixdev age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3
-creation_rules:
-  - path_regex: secrets.yaml$
-    key_groups:
-      - age:
-        - *sam
-        - *nixdev

flake.lock

@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1715563999,
+        "narHash": "sha256-DDXZOKK0C5YeZ/GTUj7HiT+oqYIt8+qTsldaDvhWHFc=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "e972a78f4a49cd92075d64b6feeef64d26bf2996",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -23,11 +43,11 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1715635214,
+        "lastModified": 1715644238,
-        "narHash": "sha256-BeviucpDYaTQs0qGFTw8M3u7OJuqejN+uKCAn5094+g=",
+        "narHash": "sha256-QIQlx1bJV3E/z3hGS0hFVmXy1841uCPPP80o1c4VGDM=",
         "ref": "refs/heads/master",
-        "rev": "42b4533b8adf75f03f1ed98374cc75d02ec1e04d",
+        "rev": "c8cc6d01c075b8fe802b3fd70bd961b1d13f747f",
-        "revCount": 1,
+        "revCount": 2,
         "type": "git",
         "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
       },
@@ -82,6 +102,7 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "home-manager": "home-manager",
         "nix-secrets": "nix-secrets",
         "nixpkgs": "nixpkgs",

flake.nix

@@ -13,6 +13,12 @@
     home-manager.url = "github:nix-community/home-manager";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
+    # Declarative partitioning and formatting
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     # Secrets management
     sops-nix = {
       url = "github:mic92/sops-nix";
@@ -29,6 +35,7 @@
     self,
     nixpkgs,
     home-manager,
+    disko,
     ...
   } @ inputs: let
     inherit (self) outputs;
@@ -75,6 +82,24 @@
           }
         ];
       };
+      fileserver = nixpkgs.lib.nixosSystem {
+        inherit specialArgs;
+        modules = [
+          # > Our main nixos configuration file <
+          ./hosts/fileserver
+          home-manager.nixosModules.home-manager{
+            home-manager.extraSpecialArgs = specialArgs;
+          }
+        ];
+      };
+      bootstrap = nixpkgs.lib.nixosSystem {
+        inherit specialArgs;
+        modules = [
+          disko.nixosModules.disko
+          ./hosts/common/disks/gpt-bios-compact.nix
+          ./hosts/bootstrap
+        ];
+      };
     };
 
 #    # Standalone home-manager configuration entrypoint

home/common/optional/sops.nix

@@ -1,6 +1,7 @@
 { inputs, config, ... }:
 let
-  secretsFile = ../../../secrets.yaml;
+  secretsDirectory = builtins.toString inputs.nix-secrets;
+  secretsFile = "${secretsDirectory}/secrets.yaml";
   homeDirectory = config.home.homeDirectory;
 in
 {

home/users/admin/default.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, lib, outputs, ... }:
+
+{
+  home.username = "admin";
+  home.homeDirectory = "/home/admin";
+  home.stateVersion = "23.11"; 
+
+  imports = [
+  ] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
+
+  home.packages = [
+  ];
+
+  programs.zsh = {
+    enable = true;
+    enableCompletion = true;
+    autosuggestion.enable = true;
+    syntaxHighlighting.enable = true;
+  
+    shellAliases = {
+      ll = "ls -l";
+      update = "sudo nixos-rebuild switch --flake $(readlink -f /etc/nixos)#fileserver";
+    };
+    history.size = 10000;
+    history.path = "${config.xdg.dataHome}/zsh/history";
+
+    initExtra = '' 
+      bindkey -v 
+      bindkey "^H" backward-delete-char
+      bindkey "^?" backward-delete-char
+      set -o vi
+      export TERM=xterm
+    '';
+  };
+  
+
+  home.file = {
+  };
+
+  home.sessionPath = [
+  ];
+
+  home.sessionVariables = {
+  };
+
+  programs.home-manager.enable = true;
+}
+

hosts/bootstrap/default.nix

@@ -0,0 +1,87 @@
+{  lib, pkgs, configLib, configVars, ... }:
+{
+  imports = [
+      # Import core options
+      ./hardware-configuration.nix
+      ../common/core
+
+      # Import optional options
+#      ../common/optional/openssh
+
+      # Create users for this host
+      ../common/users/admin
+  ];
+
+  #virtualisation.virtualbox.guest.enable = true;
+  virtualisation.libvirtd = {
+    qemu = {
+      package = pkgs.qemu_kvm; # only emulates host arch, smaller download
+      swtpm.enable = true; # allows for creating emulated TPM
+      ovmf.packages = [(pkgs.OVMF.override {
+        secureBoot = true;
+        tpmSupport = true;
+      }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff
+    };
+  };
+  #fileSystems."/boot".options = ["umask=0077"]; # Removes permissions and security warnings.
+  #boot.loader.efi.canTouchEfiVariables = true;
+  #boot.loader.grub.device = "/dev/vda"; 
+  boot.loader.grub.enable = true;
+#  boot.loader.systemd-boot = {
+#    enable = true;
+#    # we use Git for version control, so we don't need to keep too many generations.
+#    # FIXME  lower this even more after testing complete
+#    configurationLimit = lib.mkDefault 10;
+#    # pick the highest resolution for systemd-boot's console.
+#    consoleMode = lib.mkDefault "max";
+#  };
+  boot.initrd.systemd.enable = true;
+
+  i18n.defaultLocale = "en_GB.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "uk";
+    useXkbConfig = false; 
+  };
+
+
+  networking = {
+    # configures the network interface(include wireless) via `nmcli` & `nmtui`
+    networkmanager.enable = true;
+  };
+
+  services = {
+    qemuGuest.enable = true;
+    openssh = {
+      enable = true;
+      ports = [22]; # FIXME: Make this use configVars.networking
+      settings.PermitRootLogin = "yes";
+      # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
+      # this mitigates the security issue caused by enabling u2fAuth in pam
+      authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
+    };
+  };
+
+  security.pam = {
+    sshAgentAuth.enable = true;
+    #FIXME the above is deprecated in 24.05 but we will wait until release
+    #sshAgentAuth.enable = true;
+    services = {
+      sudo.u2fAuth = true;
+    };
+  };
+
+  # ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
+ # programs.ssh.startAgent = true;
+
+  environment.systemPackages = builtins.attrValues {
+    inherit(pkgs)
+    wget
+    curl
+    rsync;
+  };
+
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  system.stateVersion = "23.11";
+}

hosts/bootstrap/hardware-configuration.nix

@@ -0,0 +1,32 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { 
+    };
+
+  swapDevices =
+    [ 
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/common/core/sops.nix

@@ -1,6 +1,6 @@
 { pkgs, inputs, config, configVars, ... }:
 let
-  secretsDirectory = ../../../secrets.yaml;
+  secretsDirectory = builtins.toString inputs.nix-secrets;
   secretsFile = "${secretsDirectory}/secrets.yaml";
   homeDirectory = "/home/${configVars.username}";
 in

hosts/common/disks/gpt-bios-compact.nix

@@ -0,0 +1,29 @@
+# Example to create a bios compatible gpt partition
+{
+  disko.devices = {
+    disk = {
+      vda = {
+        device = "/dev/vda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02"; # for grub MBR
+              priority = 1; # Needs to be first partition
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/common/disks/std-disk-config.nix

@@ -0,0 +1,59 @@
+{
+  disko.devices = {
+    disk = {
+      #FIXME change to proper device or make dynamic like figdetingbits
+      sda = {
+        type = "disk";
+        # FIXME change to proper device or make dynamic like figdetingbits
+        device = "/dev/sda";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              start = "1M";
+              end = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ]; # Override existing partition
+                # Subvolumes must set a mountpoint in order to be mounted,
+                # unless their parent is mounted
+                subvolumes = {
+                  "/root" = {
+                    mountpoint = "/";
+                  };
+
+                  "/persist" = {
+                    mountOptions = [ "compress=zstd" ];
+                    mountpoint = "/persist";
+                  };
+
+                  "/nix" = {
+                    mountOptions = [ "compress=zstd" "noatime" ];
+                    mountpoint = "/nix";
+                  };
+
+                  "/swap" = {
+                    mountOptions = [ "noatime" ];
+                    mountpoint = "/.swapvol";
+                    swap.swapfile.size = "8192M";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/common/users/admin/default.nix

@@ -0,0 +1,28 @@
+{ pkgs, inputs, config, lib, ... }:
+let
+  pubKeys = lib.filesystem.listFilesRecursive (../keys);
+in 
+{
+  users.users.admin = {
+    isNormalUser = true;
+    password = "nixos"; # Overridden if sops is working
+    shell = pkgs.zsh; # default shell
+
+    openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+
+    extraGroups =
+       [ "qemu-libvirtd" "libvirtd" 
+         "wheel" "video" "audio" "disk" "networkmanager" 
+       ]; 
+
+  };
+
+  programs.zsh.enable = true;
+
+  environment.systemPackages = [
+      pkgs.rsync
+      pkgs.curl
+      pkgs.tmux
+      pkgs.neovim
+  ]; 
+}

hosts/common/users/sam/default.nix

@@ -1,6 +1,6 @@
 { pkgs, inputs, config, lib, ... }:
 let
-  pubKeys = lib.filesystem.listFilesRecursive (./keys);
+  pubKeys = lib.filesystem.listFilesRecursive (../keys);
 in 
 {
   users.users.sam = {

hosts/fileserver/default.nix

@@ -0,0 +1,64 @@
+{ inputs, config, lib, pkgs, outputs, configLib, ... }:
+
+{
+  imports =
+    [ 
+      # Import core options
+      ./hardware-configuration.nix
+      ../common/core
+
+      # Import optional options
+      ../common/optional/openssh
+
+      # Create users for this host
+      ../common/users/admin
+
+    ];
+
+  nixpkgs = {
+      overlays = [
+        outputs.overlays.additions
+        outputs.overlays.modifications
+        outputs.overlays.unstable-packages
+      ];
+      config = {
+        allowUnfree = true;
+      };
+    };
+  
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda"; 
+
+  networking.networkmanager.enable = true;  
+
+  time.timeZone = "Europe/London";
+
+  networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  i18n.defaultLocale = "en_GB.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "uk";
+    useXkbConfig = false; 
+  };
+
+  services.printing.enable = true;
+
+  services.libinput.enable = true;
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  hardware = {
+    opengl.enable = true;
+    nvidia.modesetting.enable = true;
+  };
+
+  system.stateVersion = "23.11"; 
+
+}
+

hosts/fileserver/hardware-configuration.nix

@@ -0,0 +1,31 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/71f3bf73-5464-4a04-b301-b68a62e711a2";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}