disko config and bootstrapping

This commit is contained in:
Sam 2024-05-14 14:51:09 +01:00
parent 6b33a88d9e
commit 51533f7d07
15 changed files with 432 additions and 18 deletions


@ -1,11 +0,0 @@
keys:
- &users:
- &sam age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv
- &hosts:
- &nixdev age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *sam
- *nixdev


@ -1,5 +1,25 @@
{ {
"nodes": { "nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1715563999,
"narHash": "sha256-DDXZOKK0C5YeZ/GTUj7HiT+oqYIt8+qTsldaDvhWHFc=",
"owner": "nix-community",
"repo": "disko",
"rev": "e972a78f4a49cd92075d64b6feeef64d26bf2996",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -23,11 +43,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1715635214, "lastModified": 1715644238,
"narHash": "sha256-BeviucpDYaTQs0qGFTw8M3u7OJuqejN+uKCAn5094+g=", "narHash": "sha256-QIQlx1bJV3E/z3hGS0hFVmXy1841uCPPP80o1c4VGDM=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "42b4533b8adf75f03f1ed98374cc75d02ec1e04d", "rev": "c8cc6d01c075b8fe802b3fd70bd961b1d13f747f",
"revCount": 1, "revCount": 2,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },
@ -82,6 +102,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-secrets": "nix-secrets", "nix-secrets": "nix-secrets",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",


@ -13,6 +13,12 @@
home-manager.url = "github:nix-community/home-manager"; home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
# Declarative partitioning and formatting
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
# Secrets management # Secrets management
sops-nix = { sops-nix = {
url = "github:mic92/sops-nix"; url = "github:mic92/sops-nix";
@ -29,6 +35,7 @@
self, self,
nixpkgs, nixpkgs,
home-manager, home-manager,
disko,
... ...
} @ inputs: let } @ inputs: let
inherit (self) outputs; inherit (self) outputs;
@ -75,6 +82,24 @@
} }
]; ];
}; };
fileserver = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
# > Our main nixos configuration file <
./hosts/fileserver
home-manager.nixosModules.home-manager{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
bootstrap = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
disko.nixosModules.disko
./hosts/common/disks/gpt-bios-compact.nix
./hosts/bootstrap
];
};
}; };
# # Standalone home-manager configuration entrypoint # # Standalone home-manager configuration entrypoint
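Review bot: The new `bootstrap` system pulls in `./hosts/common/disks/gpt-bios-compact.nix`, a disko layout that names its target by bare device path (`/dev/vda`), and disko will partition and format whatever sits at that path; the entry should carry a comment saying what it is for, e.g. `# bootstrap: fresh-install target; disko partitions/formats the disk named in gpt-bios-compact.nix`. The other disko file added in this commit (the btrfs layout for `/dev/sda`) is not referenced by any configuration here, so either `bootstrap` is meant to use it or it is dead. On the `fileserver` entry, `home-manager.nixosModules.home-manager{` is missing the space before `{` that the rest of the file uses. The enclosing `nixosConfigurations` set starts before this hunk.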


@ -1,6 +1,7 @@
{ inputs, config, ... }: { inputs, config, ... }:
let let
secretsFile = ../../../secrets.yaml; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
homeDirectory = config.home.homeDirectory; homeDirectory = config.home.homeDirectory;
in in
{ {
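Review bot: The two-line derivation of `secretsDirectory`/`secretsFile` from `builtins.toString inputs.nix-secrets` is now written out in this home-manager module and again, identically, in the NixOS module hunk below (the one whose `let` also defines `homeDirectory = "/home/${configVars.username}"`); if the layout of the secrets repo changes, both copies have to be edited. A single value threaded through `specialArgs` (the flake already passes `configVars` that way) or a small shared module would keep them from drifting. A comment on the line would also help the next reader: `# secrets.yaml lives in the private nix-secrets input pinned in flake.lock, not in this repo`. The module body continues outside the hunk.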


@ -0,0 +1,48 @@
{ config, pkgs, lib, outputs, ... }:
{
home.username = "admin";
home.homeDirectory = "/home/admin";
home.stateVersion = "23.11";
imports = [
] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
home.packages = [
];
programs.zsh = {
enable = true;
enableCompletion = true;
autosuggestion.enable = true;
syntaxHighlighting.enable = true;
shellAliases = {
ll = "ls -l";
update = "sudo nixos-rebuild switch --flake $(readlink -f /etc/nixos)#fileserver";
};
history.size = 10000;
history.path = "${config.xdg.dataHome}/zsh/history";
initExtra = ''
bindkey -v
bindkey "^H" backward-delete-char
bindkey "^?" backward-delete-char
set -o vi
export TERM=xterm
'';
};
home.file = {
};
home.sessionPath = [
];
home.sessionVariables = {
};
programs.home-manager.enable = true;
}
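Review bot: The `update` alias in `shellAliases` hard-codes the flake attribute `#fileserver`, so if this admin profile is reused on the bootstrap host (which also imports `../common/users/admin`) running `update` there would rebuild the wrong system. `nixos-rebuild --flake` defaults to `nixosConfigurations.<hostname>` when the attribute is omitted, so `update = "sudo nixos-rebuild switch --flake $(readlink -f /etc/nixos)";` is both shorter and host-agnostic. `export TERM=xterm` in `initExtra` overrides whatever terminal type the session arrived with; unless there is a specific reason it is better dropped. The `# import all homeManagerModules?` question on the imports line should be resolved into a statement or removed.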


@ -0,0 +1,87 @@
{ lib, pkgs, configLib, configVars, ... }:
{
imports = [
# Import core options
./hardware-configuration.nix
../common/core
# Import optional options
# ../common/optional/openssh
# Create users for this host
../common/users/admin
];
#virtualisation.virtualbox.guest.enable = true;
virtualisation.libvirtd = {
qemu = {
package = pkgs.qemu_kvm; # only emulates host arch, smaller download
swtpm.enable = true; # allows for creating emulated TPM
ovmf.packages = [(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
}).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff
};
};
#fileSystems."/boot".options = ["umask=0077"]; # Removes permissions and security warnings.
#boot.loader.efi.canTouchEfiVariables = true;
#boot.loader.grub.device = "/dev/vda";
boot.loader.grub.enable = true;
# boot.loader.systemd-boot = {
# enable = true;
# # we use Git for version control, so we don't need to keep too many generations.
# # FIXME lower this even more after testing complete
# configurationLimit = lib.mkDefault 10;
# # pick the highest resolution for systemd-boot's console.
# consoleMode = lib.mkDefault "max";
# };
boot.initrd.systemd.enable = true;
i18n.defaultLocale = "en_GB.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "uk";
useXkbConfig = false;
};
networking = {
# configures the network interface(include wireless) via `nmcli` & `nmtui`
networkmanager.enable = true;
};
services = {
qemuGuest.enable = true;
openssh = {
enable = true;
ports = [22]; # FIXME: Make this use configVars.networking
settings.PermitRootLogin = "yes";
# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
# this mitigates the security issue caused by enabling u2fAuth in pam
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
};
};
security.pam = {
sshAgentAuth.enable = true;
#FIXME the above is deprecated in 24.05 but we will wait until release
#sshAgentAuth.enable = true;
services = {
sudo.u2fAuth = true;
};
};
# ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
# programs.ssh.startAgent = true;
environment.systemPackages = builtins.attrValues {
inherit(pkgs)
wget
curl
rsync;
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "23.11";
}
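Review bot: `settings.PermitRootLogin = "yes"` in the `openssh` block, with `PasswordAuthentication` left at its default, means the installer VM will accept password logins as root as soon as a root password exists, while the admin account created in this same commit carries the cleartext `password = "nixos"`. Since authorized keys are already provisioned for admin, `settings.PermitRootLogin = "prohibit-password";` and `settings.PasswordAuthentication = false;` keep the bootstrap reachable over SSH without that surface; if password login is deliberately wanted during install, a comment saying so is the minimum. Separately, the `#FIXME the above is deprecated in 24.05` comment sits between two identical `sshAgentAuth.enable = true` lines, so it no longer describes any difference; if it refers to the older `security.pam.enableSSHAgentAuth` spelling, the code is already on the new name and the FIXME and the commented duplicate can go.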


@ -0,0 +1,32 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
};
swapDevices =
[
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,6 +1,6 @@
{ pkgs, inputs, config, configVars, ... }: { pkgs, inputs, config, configVars, ... }:
let let
secretsDirectory = ../../../secrets.yaml; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
homeDirectory = "/home/${configVars.username}"; homeDirectory = "/home/${configVars.username}";
in in


@ -0,0 +1,29 @@
# Example to create a bios compatible gpt partition
{
disko.devices = {
disk = {
vda = {
device = "/dev/vda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
priority = 1; # Needs to be first partition
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}
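Review bot: `device = "/dev/vda"` is hard-coded, and because the flake's `bootstrap` system applies this module, whichever disk the kernel enumerates as vda is partitioned and formatted; the sibling btrfs layout in this commit targets `/dev/sda`, so the two disko files already disagree on the target. Making the path overridable, `{ lib, ... }:` at the top and `device = lib.mkDefault "/dev/vda";`, lets a host substitute a stable `/dev/disk/by-id/...` path without editing the shared file. The `# Example to create a bios compatible gpt partition` header should also name the host that uses it, since it is no longer just an example.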


@ -0,0 +1,59 @@
{
disko.devices = {
disk = {
#FIXME change to proper device or make dynamic like figdetingbits
sda = {
type = "disk";
# FIXME change to proper device or make dynamic like figdetingbits
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# Subvolumes must set a mountpoint in order to be mounted,
# unless their parent is mounted
subvolumes = {
"/root" = {
mountpoint = "/";
};
"/persist" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/persist";
};
"/nix" = {
mountOptions = [ "compress=zstd" "noatime" ];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
};
};
};
};
};
};
};
}
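Review bot: Nothing in this commit references this btrfs layout, as far as the visible files show (the flake wires only `gpt-bios-compact.nix` into `bootstrap`), so it arrives as unused configuration carrying two identical `FIXME change to proper device` comments, one on the `sda` attribute and one on `device`; keep the one on `device`. The `extraArgs = [ "-f" ]` comment says "Override existing partition", but what the flag does is let `mkfs.btrfs` overwrite an existing filesystem signature on the partition; `# -f: let mkfs.btrfs overwrite an existing filesystem signature` is more accurate.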


@ -0,0 +1,28 @@
{ pkgs, inputs, config, lib, ... }:
let
pubKeys = lib.filesystem.listFilesRecursive (../keys);
in
{
users.users.admin = {
isNormalUser = true;
password = "nixos"; # Overridden if sops is working
shell = pkgs.zsh; # default shell
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups =
[ "qemu-libvirtd" "libvirtd"
"wheel" "video" "audio" "disk" "networkmanager"
];
};
programs.zsh.enable = true;
environment.systemPackages = [
pkgs.rsync
pkgs.curl
pkgs.tmux
pkgs.neovim
];
}
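Review bot: `password = "nixos"` puts the cleartext into the module and therefore into the world-readable Nix store, and nothing in this module references sops, so the `# Overridden if sops is working` comment relies on some other module setting `hashedPasswordFile`; as far as this file shows, the string remains the account password. If it is only meant as a first-boot default, `initialPassword = "nixos";` says so and is applied only when the account is created. `extraGroups` also grants `"disk"`, which gives raw read/write access to block devices and is effectively root-equivalent independent of sudo; next to `"wheel"` it is unnecessary unless a specific tool needs it, and the reason belongs in a comment if it stays.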


@ -1,6 +1,6 @@
{ pkgs, inputs, config, lib, ... }: { pkgs, inputs, config, lib, ... }:
let let
pubKeys = lib.filesystem.listFilesRecursive (./keys); pubKeys = lib.filesystem.listFilesRecursive (../keys);
in in
{ {
users.users.sam = { users.users.sam = {


@ -0,0 +1,64 @@
{ inputs, config, lib, pkgs, outputs, configLib, ... }:
{
imports =
[
# Import core options
./hardware-configuration.nix
../common/core
# Import optional options
../common/optional/openssh
# Create users for this host
../common/users/admin
];
nixpkgs = {
overlays = [
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
];
config = {
allowUnfree = true;
};
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.networkmanager.enable = true;
time.timeZone = "Europe/London";
networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
i18n.defaultLocale = "en_GB.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "uk";
useXkbConfig = false;
};
services.printing.enable = true;
services.libinput.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
hardware = {
opengl.enable = true;
nvidia.modesetting.enable = true;
};
system.stateVersion = "23.11";
}
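Review bot: `hardware.nvidia.modesetting.enable`, `hardware.opengl.enable`, `services.printing.enable` and `services.libinput.enable` read as leftovers from a desktop template: this host's generated hardware-configuration in the same commit is the qemu-guest profile with virtio devices, where an NVIDIA option has nothing to drive. `networking.proxy.noProxy` is likewise set without any proxy being configured. `boot.loader.grub.device = "/dev/sda"` is a bare device path while the root filesystem is pinned by UUID; a `/dev/disk/by-id/...` path would survive enumeration changes. The `configLib` argument is unused.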


@ -0,0 +1,31 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/71f3bf73-5464-4a04-b301-b68a62e711a2";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}