From cafee81d469924ce193e0b26dd4f757e32702d01 Mon Sep 17 00:00:00 2001
From: James Andariese
Date: Sun, 14 Jul 2024 01:13:04 -0500
Subject: [PATCH] initial import
---
.gitignore | 6 +
flake.lock | 284 ++++++++++++++++++++++++++++++++++++++++
flake.nix | 111 ++++++++++++++++
modules/installer.nix | 87 ++++++++++++
modules/luks.nix | 22 ++++
modules/packages.nix | 43 ++++++
modules/server.nix | 53 ++++++++
modules/session.nix | 16 +++
modules/systemd-efi.nix | 6 +
rowlet.nix | 21 +++
snorlax.nix | 21 +++
sobble.nix | 21 +++
12 files changed, 691 insertions(+)
create mode 100644 .gitignore
create mode 100644 flake.lock
create mode 100644 flake.nix
create mode 100644 modules/installer.nix
create mode 100644 modules/luks.nix
create mode 100644 modules/packages.nix
create mode 100644 modules/server.nix
create mode 100644 modules/session.nix
create mode 100644 modules/systemd-efi.nix
create mode 100644 rowlet.nix
create mode 100644 snorlax.nix
create mode 100644 sobble.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e4492bb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+result
+\#*#
+*~
+.*
+!.git*
+*poop*
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..066af46
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,284 @@ +{ + "nodes": { + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1718194053, + "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "interlude": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1720929675, + "narHash": "sha256-Ofvbdb2qM8JyiOw3wpsqAS7C3oxX90KcwSM074kOXLA=", + "ref": "refs/heads/main", + "rev": "1e7658a97a0e34ec84eda0af2854d00fa1c6657d", + "revCount": 2, + "type": "git", + "url": "https://git.strudelline.net/nix/interlude" + }, + "original": { + "type": "git", + "url": "https://git.strudelline.net/nix/interlude" + } + }, + "ipcalc": { + "locked": { + "lastModified": 1720829192, + "narHash": "sha256-uo1vVwyhdbEqzUa27/wxvnIZFIRyiTidIDRXeP59FWg=", + "ref": "refs/heads/main", + "rev": "e7e8242a9918161d8e0b3fb4b725612aef8a03bb", + "revCount": 3, + "type": "git", + "url": "https://git.strudelline.net/nix/ipcalc" + }, 
+ "original": { + "type": "git", + "url": "https://git.strudelline.net/nix/ipcalc" + } + }, + "nixlib": { + "locked": { + "lastModified": 1719708727, + "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1720859326, + "narHash": "sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1720691131, + "narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1720954236, + "narHash": "sha256-1mEKHp4m9brvfQ0rjCca8P1WHpymK3TOr3v34ydv9bs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "53e81e790209e41f0c1efa9ff26ff2fd7ab35e27", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1720691131, + "narHash": 
"sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, + "numbers": { + "inputs": { + "ipcalc": "ipcalc", + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1721177469, + "narHash": "sha256-8puiNyCJy6k1Pl25BgE4wUUpifO7f1hraR7JI9lAqW4=", + "ref": "refs/heads/main", + "rev": "27af88462c971572a72a9a05c8608dca74e4a4b7", + "revCount": 13, + "type": "git", + "url": "https://git.strudelline.net/cascade/numbers" + }, + "original": { + "type": "git", + "url": "https://git.strudelline.net/cascade/numbers" + } + }, + "root": { + "inputs": { + "deploy-rs": "deploy-rs", + "interlude": "interlude", + "nixos-generators": "nixos-generators", + "nixpkgs": "nixpkgs_3", + "numbers": "numbers", + "unstable": "unstable" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "unstable": { + "locked": { + "lastModified": 1721116560, + "narHash": "sha256-++TYlGMAJM1Q+0nMVaWBSEvEUjRs7ZGiNQOpqbQApCU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9355fa86e6f27422963132c2c9aeedb0fb963d93", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "utils": { + 
"inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..8cf1d03 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,111 @@
+{
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-24.05";
+ unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ numbers.url = "git+https://git.strudelline.net/cascade/numbers";
+ interlude.url = "git+https://git.strudelline.net/nix/interlude";
+ nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; };
+ deploy-rs.url = "github:serokell/deploy-rs";
+ };
+ outputs = { self, nixpkgs, unstable, numbers, interlude, nixos-generators, deploy-rs }@inputs:
+ with builtins;
+ with nixpkgs.lib;
+ with interlude.lib;
+ let
+ includableModules =
+ let localModules = "${./.}" + "/modules";
+ dirContents = readDir (traceVal localModules);
+ filenames = attrNames (trace "dirContents: ${toJSON dirContents}" dirContents);
+ dirs = (filter (n: dirContents."${n}" == "directory" &&
+ readFileType "${localModules}/${n}/default.nix" == "regular" ) filenames);
+ files = concatMap (filterAndStripSuffix ".nix") (filter (n: dirContents."${n}" == "regular") filenames);
+ in
+ foldl recursiveUpdate {} (
+ (map (x: { nixosModules."${x}" = import (trace "importing ${localModules}/${x}" "${localModules}/${x}"); }) (trace "dirs: ${toJSON dirs}" dirs))
+ ++ (map (x: { nixosModules."${x}" = import (trace "importing ${localModules}/${x}.nix" "${localModules}/${x}.nix"); }) (trace "files: ${toJSON files}" files))
+ );
+ buildMachine' = name: mods: cfg: {
+ # the evaluated machine
+ nixosConfigurations."${name}" =
+ let
+ pkgs = import nixpkgs { config = { allowUnfree = true; };};
+ specialArgs = { basePath = "${toString ./.}"; inherit inputs numbers; };
+ in nixosSystem (cfg // {
+ inherit pkgs specialArgs;
+ modules = [
+ self.nixosModules.vmFormats
+ numbers.nixosModules.users
+ self.nixosModules.session
+ ({...}: {
+ # fixed values.
+ networking.hostName = traceVal name;
+ system.stateVersion = "24.05";
+ nix.settings.require-sigs = false;
+ })
+ ] ++ mods;
+ });
+ };
+ buildMachine = name:
+ # the evaluated machine
+ with numbers.api;
+ let
+ modules = [
+ self.nixosModules.fixFlakeRegistry
+ numbers.nixosModules.networking
+ self.nixosModules.packages
+ self.nixosModules.luks
+ self.nixosModules.systemd-efi
+ numbers.nixosModules.users
+ ] ++ (map (x: self.nixosModules."${x}") (hostModules name));
+ arch = hostSystem name;
+ in
+ (buildMachine' name modules { system = arch; })
+ //
+ {
+ deploy.nodes."${name}" = {
+ hostname = "172.16.19.1";
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib."${arch}".activate.nixos self.nixosConfigurations."${name}";
+ };
+ };
+
+ # This is highly advised, and will prevent many possible mistakes
+ checks = deploy-rs.lib."${arch}".deployChecks self.deploy;
+ };
+ in
+ foldl recursiveUpdate {
+ nixosModules = {
+ vmFormats = { config, ... }: {
+ imports = [
+ nixos-generators.nixosModules.all-formats
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ formatConfigs.iso = { ... }: {
+ isoImage.squashfsCompression = "zstd";
+ };
+
+ # the sample format from nixos-generators
+ # formatConfigs.my-custom-format = { config, modulesPath, ... }: {
+ # imports = [ "${toString modulesPath}/installer/cd-dvd/installation-cd-base.nix" ];
+ # formatAttr = "isoImage";
+ # fileExtension = ".iso";
+ # networking.wireless.networks = {
+ # # ...
+ # };
+ # };
+ };
+ fixFlakeRegistry = { ... }: { nix.registry = {
+ nixpkgs.flake = inputs.nixpkgs;
+ unstable.flake = inputs.unstable;
+ };};
+ };
+ } ( # lists to recursively merge into the config.
+ [ includableModules ]
+ ++ (with numbers.api; map (h: buildMachine h) deployableHosts)
+ ++ [(buildMachine' "cascade-installer" [self.nixosModules.installer] {} )]
+ #++ [(buildMachine' "cascade-installer" [] {} )]
+ );
+}
diff --git a/modules/installer.nix b/modules/installer.nix
new file mode 100644
index 0000000..ba8b57b
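Review bot: `nix.settings.require-sigs = false;` in the fixed-values module turns off signature verification for every store path the machines substitute or receive, so any binary cache or `nix copy` source is trusted implicitly; if this only exists to let deploy-rs push unsigned closures, prefer keeping signatures required and adding the deploy key to `nix.settings.trusted-public-keys`, or leave a comment stating why it must stay off. `deploy.nodes."${name}".hostname = "172.16.19.1"` is the same literal for every host produced by `buildMachine`, so deploying any node other than the one at that address targets the wrong machine; the address presumably belongs in numbers.api next to `hostSystem` and `hostModules`. `nixpkgs.hostPlatform = "x86_64-linux"` is fixed in vmFormats while `buildMachine` passes `system = arch` from `hostSystem name`, which will conflict for any non-x86_64 host.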
--- /dev/null
+++ b/modules/installer.nix
@@ -0,0 +1,87 @@
+{ config, pkgs, lib, ... }:
+
+let installer = pkgs.writeShellApplication {
+ name = "cascade-installer";
+ runtimeInputs = with pkgs; [
+ btrfs-progs
+ coreutils
+ cryptsetup
+ dig
+ dosfstools
+ e2fsprogs
+ git
+ lvm2
+ nix
+ parted
+ util-linux
+ ];
+
+ text =
+ let
+ shq = lib.escapeShellArg;
+ partedMin = cmd: ''
+ parted -f -a minimal "$DEVICE" --script ${cmd}
+ '';
+ partedOpt = cmd: ''
+ parted -f -a optimal "$DEVICE" --script ${cmd}
+ '';
+ in
+ ''
+ if [ "$#" -ne 2 ];then
+ 1>&2 echo "usage: $0 hostname full-disk-device"
+ exit 1
+ fi
+ HOSTNAME="$1"
+ DEVICE="$2"
+ LABEL="$HOSTNAME"-luks0
+ LV="$HOSTNAME"-luks
+
+ echo ABOUT TO DESTROY THIS MACHINE
+ sleep 10 || exit 1
+
+ wipefs -a "$DEVICE"
+
+ ${partedMin "mklabel gpt"}
+ ${partedMin "mkpart ESP fat32 0% 1GB"}
+ ${partedMin "set 1 esp on"}
+ ${partedOpt "mkpart \"$HOSTNAME\"-luks0 ext4 1GB 100%"}
+
+ sleep 1
+
+ cryptsetup -q luksFormat --type luks2 /dev/disk/by-partlabel/"$LABEL" -d /dev/zero -l 32
+ cryptsetup -q luksOpen /dev/disk/by-partlabel/"$LABEL" "$LABEL" -d /dev/zero -l 32
+
+ pvcreate /dev/mapper/"$LABEL"
+ vgcreate "$LV" /dev/mapper/"$LABEL"
+ lvcreate -L 20G -n "$HOSTNAME"-root "$LV"
+
+ mkfs.fat -F 32 -n BOOT /dev/disk/by-partlabel/ESP
+ mkfs.ext4 -L "$HOSTNAME"-root /dev/"$LV"/"$HOSTNAME"-root
+
+ sleep 1
+
+ # note to future self who "fixes" this:
+ # the -p is to prevent error if the path exists, not to create / which obviously exists.
+ # this is a scenario that happens when rerunning these commands during debugging. just
+ # leave the -p, future me. please just leave it.
+ mkdir -p /mnt
+ mount /dev/disk/by-label/"$HOSTNAME"-root /mnt
+ mkdir -p /mnt/boot
+ mount /dev/disk/by-label/BOOT /mnt/boot
+ mkdir -p /mnt/root
+
+ TOKEN="$(dig +short lan-git-token.cascade TXT | tr -d '"')"
+ umask 0077
+ mkdir -p /root
+ printf 'machine git.strudelline.net\nlogin james\npassword %s\n' "$TOKEN" > /root/.netrc
+ printf 'machine git.strudelline.net\nlogin james\npassword %s\n' "$TOKEN" > /mnt/root/.netrc
+
+ nixos-install --flake git+https://git.strudelline.net/cascade/nixos#"$HOSTNAME" --impure --no-root-password
+ '';
+};
+in
+{
+ environment.systemPackages = [
+ installer
+ ];
+}
diff --git a/modules/luks.nix b/modules/luks.nix
new file mode 100644
index 0000000..1f484f9
--- /dev/null
+++ b/modules/luks.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+ boot.initrd.kernelModules = [ "usb_storage" ];
+
+ boot.initrd.luks.devices = {
+ "${config.networking.hostName}-luks0" = {
+ device = "/dev/disk/by-partlabel/${config.networking.hostName}-luks0";
+ allowDiscards = true;
+ keyFileSize = 32;
+ keyFile = "/dev/zero";
+ };
+ };
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/${config.networking.hostName}-root";
+ fsType = "ext4";
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/BOOT";
+ fsType = "vfat";
+ };
+
+}
diff --git a/modules/packages.nix b/modules/packages.nix
new file mode 100644
index 0000000..35a4417
--- /dev/null
+++ b/modules/packages.nix
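Review bot: The git credential is obtained with `dig +short lan-git-token.cascade TXT`, i.e. a secret delivered over unauthenticated DNS, and is then written not only to the live installer's `/root/.netrc` but also to the target's `/mnt/root/.netrc`, so the install-time token persists on every installed host. At minimum drop the second `printf` (or `shred -u /mnt/root/.netrc` after `nixos-install` returns) so the token does not outlive the install, and add a comment recording the trust assumption on the `.cascade` resolver. Both `cryptsetup` calls use `-d /dev/zero -l 32`, and `modules/luks.nix` mirrors this with `keyFile = "/dev/zero"`, so the LUKS layer provides no confidentiality until the volume is re-keyed; if that is a deliberate placeholder, a comment next to the `luksFormat` line should say so. `shq = lib.escapeShellArg` is defined but never used and can be removed.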
@@ -0,0 +1,43 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, flake-inputs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ seatd
+ emacs-nox
+ inetutils
+ unzip
+ buildah
+ curl
+ vim
+ neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ wget
+ sshfs
+ dig
+ gost
+ elinks
+ dislocker
+ ntfs3g
+ kubectl
+ sops
+ git
+ bc
+ pciutils
+ usbutils
+ file
+ htop
+ brightnessctl
+ kubernetes-helm
+ ripgrep
+ nettools
+ psmisc
+
+ nixos-generators
+ ];
+
+ programs.mtr.enable = true;
+ programs.tmux.enable = true;
+}
diff --git a/modules/server.nix b/modules/server.nix
new file mode 100644
index 0000000..a1154b8
--- /dev/null
+++ b/modules/server.nix
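Review bot: The module signature `{ config, pkgs, lib, flake-inputs, ... }:` names an argument that nothing provides — `buildMachine'` in flake.nix passes `specialArgs = { basePath; inputs; numbers }` — and `flake-inputs` is never used in the body, so it appears harmless only as long as nothing references it. Drop it here and in the same header copied into `modules/server.nix`, `modules/session.nix`, `rowlet.nix` and `snorlax.nix` (`sobble.nix` already uses `inputs`), e.g. `{ config, pkgs, lib, ... }:`. The three-line "Edit this configuration file…" template comment describes `configuration.nix`, not a flake module; replace it with a one-line purpose comment such as `# Baseline CLI tooling shared by every host.`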
@@ -0,0 +1,53 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, flake-inputs, ... }:
+
+{
+ networking.networkmanager.enable = false;
+
+ virtualisation = {
+ kvmgt.enable = true;
+ libvirtd = {
+ enable = true;
+ qemu = {
+ runAsRoot = true;
+ verbatimConfig = ''
+ cgroup_device_acl = ["/dev/kvmfr0", "/dev/kvm"]
+ '';
+ swtpm = {
+ enable = true;
+ };
+ };
+ };
+ docker = {
+ enable = true;
+ enableNvidia = false;
+ };
+
+ containers = {
+ enable = true;
+ policy = {
+ default = [ { type = "insecureAcceptAnything"; } ];
+ transports = {
+ docker-daemon = {
+ "" = [ { type = "insecureAcceptAnything"; } ];
+ };
+ };
+ };
+ };
+ };
+
+ services.openssh.enable = true;
+ networking.firewall.enable = true;
+
+ environment.systemPackages = [ pkgs.nfs-utils ];
+ services.openiscsi = {
+ enable = true;
+ name = "${config.networking.hostName}-initiatorhost";
+ };
+
+ systemd.network.wait-online.enable = lib.mkDefault false;
+ networking.useDHCP = false;
+}
diff --git a/modules/session.nix b/modules/session.nix
new file mode 100644
index 0000000..8b7cb64
--- /dev/null
+++ b/modules/session.nix
@@ -0,0 +1,16 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, flake-inputs, ... }:
+
+{
+ nix = {
+ #package = lib.mkForce pkgs.nixFlakes;
+ settings.experimental-features = [ "nix-command" "flakes" ];
+ };
+
+ environment.sessionVariables = {
+ EDITOR = "nvim";
+ };
+}
diff --git a/modules/systemd-efi.nix b/modules/systemd-efi.nix
new file mode 100644
index 0000000..e80cff7
--- /dev/null
+++ b/modules/systemd-efi.nix
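Review bot: `virtualisation.containers.policy` sets `default = [ { type = "insecureAcceptAnything"; } ]`, so podman/buildah will pull and run unsigned images from any registry on every server; if images come from a known registry, prefer `default = [ { type = "reject"; } ];` with an explicit `transports.docker` entry for that registry, keeping the `docker-daemon` exception as it is. `services.openssh.enable = true;` is left at defaults here, so whether password logins are accepted depends entirely on the user module from `numbers`; setting `services.openssh.settings.PasswordAuthentication = false;` in this module would make the intent explicit. The `verbatimConfig` line `cgroup_device_acl = ["/dev/kvmfr0", "/dev/kvm"]` appears to replace libvirt's default device list rather than extend it, so guests may lose access to `/dev/null`, `/dev/urandom` and the other defaults — confirm against the qemu.conf defaults and list them if so, with a comment noting that the ACL matters because `runAsRoot = true`.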
@@ -0,0 +1,6 @@
+{ config, ... }:
+{
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub.device = "nodev";
+}
diff --git a/rowlet.nix b/rowlet.nix
new file mode 100644
index 0000000..f48bd0b
--- /dev/null
+++ b/rowlet.nix
@@ -0,0 +1,21 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, flake-inputs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ #./hardware-configuration.nix
+ ./lib/packages.nix
+ ./lib/server.nix
+ ./lib/session.nix
+ ];
+
+ networking.hostName = "rowlet"; # Define your hostname.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+
+ system.stateVersion = "24.05";
+}
diff --git a/snorlax.nix b/snorlax.nix
new file mode 100644
index 0000000..17b1d9e
--- /dev/null
+++ b/snorlax.nix
@@ -0,0 +1,21 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, flake-inputs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ #./hardware-configuration.nix
+ ./lib/packages.nix
+ ./lib/server.nix
+ ./lib/session.nix
+ ];
+
+ networking.hostName = "snorlax"; # Define your hostname.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+
+ system.stateVersion = "24.05";
+}
diff --git a/sobble.nix b/sobble.nix
new file mode 100644
index 0000000..b83df5e
--- /dev/null
+++ b/sobble.nix
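Review bot: The `imports` list in rowlet.nix references `./lib/packages.nix`, `./lib/server.nix` and `./lib/session.nix`, but this commit creates those files under `modules/`, so evaluating the file fails on a missing path; `snorlax.nix` and `sobble.nix` carry the same three paths. Nothing in flake.nix imports these per-host files (hosts are assembled from `numbers.api.hostModules`), so either correct the paths to `./modules/...` or remove the three files, which otherwise become a second, stale source of truth for `networking.hostName` and `system.stateVersion`.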
@@ -0,0 +1,21 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, inputs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ #./hardware-configuration.nix
+ ./lib/packages.nix
+ ./lib/server.nix
+ ./lib/session.nix
+ ];
+
+ networking.hostName = "sobble"; # Define your hostname.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+
+ system.stateVersion = "24.05";
+}