diff --git a/README.md b/README.md
index b90a554..53046e1 100644
--- a/README.md
+++ b/README.md
@@ -64,28 +64,21 @@ but here's a quick breakdown of the what you will find where. ... incomplete.
-- add to `hosts` in `flake.nix`
-- create hosts/
-- fill net.nix
-- fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
-- run generate-secrets
+- Add to `hosts` in `flake.nix`
+- Create hosts/
+- Fill net.nix
+- Fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
+- Run generate-secrets
 #### Initial deploy
-A. Fresh pre-made installer ISO
-
-- Create a iso disk image for the system with `nix build --print-out-paths --no-link .#installer-image-`
-- dd the resulting image to a stick and boot from it on the target
-- (Optional) ssh into the target (keys are already set up)
-
-B. Reusing any nixos-live iso
-
-- Boot from live-iso and setup ssh access by writing your key to `/root/.ssh/authorized_keys`
-- Copy installer package with `nix copy --to .#installer-package-`
+- Create a bootable iso disk image with `nix build --print-out-paths --no-link .#images..live-iso`, dd it to a stick and boot
+- (Alternative) Use an official NixOS live-iso and setup ssh manually
+- Copy the installer from a local machine to the live system with `nix copy --to .#packages..installer-package.`
 Afterwards:
-- Run `install-system` and reboot
+- Run `install-system` in the live environment and reboot
 - Retrieve the new host identity by using `ssh-keyscan | grep -o 'ed25519.*' > host//secrets/host.pub`
 - (If the host has microvms, also retrieve their identities!)
 - Rekey the secrets for the new identity `nix run .#rekey`
diff --git a/flake.nix b/flake.nix
index 51b4e13..812b09a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -72,12 +72,14 @@ outputs = {
 self,
+ agenix-rekey,
 colmena,
 elewrap,
- nixpkgs,
- microvm,
 flake-utils,
- agenix-rekey,
+ microvm,
+ nixos-generators,
+ nixpkgs,
+ pre-commit-hooks,
 ...
 } @ inputs: let
 inherit (nixpkgs) lib;
@@ -123,12 +125,12 @@ # to any system via nodes. nodes = self.colmenaNodes // self.microvmNodes;
- # For each true NixOS system, we want to expose an installer image that
- # can be used to do setup on the node.
+ # For each true NixOS system, we want to expose an installer package that
+ # can be used to do the initial setup on the node from a live environment.
 inherit (lib.foldl' lib.recursiveUpdate {} (lib.mapAttrsToList
- (import ./nix/generate-installer.nix inputs)
+ (import ./nix/generate-installer-package.nix inputs) self.colmenaNodes)) packages ;
@@ -146,11 +148,60 @@ ]; };
+ # For each major system, we provide a customized installer image that
+ # has ssh and some other convenience stuff preconfigured.
+ # Not strictly necessary for new setups.
+ images.live-iso = nixos-generators.nixosGenerate {
+ inherit pkgs;
+ modules = [
+ ./nix/installer-configuration.nix
+ ./modules/config/ssh.nix
+ ];
+ format =
+ {
+ x86_64-linux = "install-iso";
+ aarch64-linux = "sd-aarch64-installer";
+ }
+ .${system};
+ };
+
+ # Define local apps and apps used for rekeying secrets
+ # `nix run .#` apps = agenix-rekey.defineApps self pkgs self.nodes // import ./apps inputs system;
- checks = import ./nix/checks.nix inputs system;
- devShells.default = import ./nix/dev-shell.nix inputs system;
+
+ # `nix flake check`
+ checks.pre-commit-hooks = pre-commit-hooks.lib.${system}.run {
+ src = lib.cleanSource ./.;
+ hooks = {
+ alejandra.enable = true;
+ statix.enable = true;
+ luacheck.enable = true;
+ stylua.enable = true;
+ };
+ };
+
+ # `nix develop`
+ devShells.default = pkgs.mkShell {
+ name = "nix-config";
+ packages = with pkgs; [
+ # Nix
+ alejandra
+ cachix
+ colmena
+ deadnix
+ nix-tree
+ statix
+ update-nix-fetchgit
+ ];
+
+ shellHook = ''
+ ${self.checks.${system}.pre-commit-check.shellHook}
+ '';
+ };
+
+ # `nix fmt` formatter = pkgs.alejandra; }); }
diff --git a/hosts/zackbiene/README.md b/hosts/zackbiene/README.md
index aea9262..021ccb4 100644
--- a/hosts/zackbiene/README.md
+++ b/hosts/zackbiene/README.md
@@ -1,5 +1,7 @@ # First Setup
+- Install Tow-Boot (version 006 is broken, currently used 005) to SPI flash to be able to use UEFI. <3 + - In HomeAssistant, MQTT integration needs to be added manually, and the mqtt connection details must be entered localhost:1883, user=home_assistant, pass=
diff --git a/nix/checks.nix b/nix/checks.nix
deleted file mode 100644
index 1ca408b..0000000
--- a/nix/checks.nix
+++ /dev/null
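Review bot: The new `devShells.default` shellHook still dereferences `self.checks.${system}.pre-commit-check.shellHook`, but this same commit deletes nix/checks.nix (which defined `pre-commit-check`) and registers the hook run under the new name `checks.pre-commit-hooks`, so `nix develop` should fail with a missing-attribute error on that line. Change it to `${self.checks.${system}.pre-commit-hooks.shellHook}` (or name the check `pre-commit-check` again) so the two agree. The same hunk also drops `pre-commit`, `shellcheck` and `rage` from the shell packages that the deleted nix/dev-shell.nix provided; if anything in the shell workflow still relies on them at the prompt, re-add them to `packages`. The enclosing per-system function starts before this hunk.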
@@ -1,17 +0,0 @@
-{
- self,
- pre-commit-hooks,
- ...
-}: system: {
- pre-commit-check =
- pre-commit-hooks.lib.${system}.run
- {
- src = self.pkgs.${system}.lib.cleanSource ../.;
- hooks = {
- alejandra.enable = true;
- statix.enable = true;
- luacheck.enable = true;
- stylua.enable = true;
- };
- };
-}
diff --git a/nix/dev-shell.nix b/nix/dev-shell.nix
deleted file mode 100644
index 79a4bd1..0000000
--- a/nix/dev-shell.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{self, ...}: system:
-with self.pkgs.${system};
- mkShell {
- name = "nix-config";
- packages = [
- # Nix
- cachix
- colmena
- alejandra
- statix
- update-nix-fetchgit
-
- # Lua
- stylua
- (luajit.withPackages (p: with p; [luacheck]))
-
- # Misc
- shellcheck
- pre-commit
- rage
- ];
-
- shellHook = ''
- ${self.checks.${system}.pre-commit-check.shellHook}
- '';
- }
diff --git a/nix/generate-installer-package.nix b/nix/generate-installer-package.nix
new file mode 100644
index 0000000..8158990
--- /dev/null
+++ b/nix/generate-installer-package.nix
@@ -0,0 +1,34 @@
+{self, ...}: nodeName: nodeAttrs: let
+ inherit (self.hosts.${nodeName}) system;
+ pkgs = self.pkgs.${system};
+
+ disko-script = pkgs.writeShellScriptBin "disko-script" "${nodeAttrs.config.system.build.diskoScript}";
+ disko-mount = pkgs.writeShellScriptBin "disko-mount" "${nodeAttrs.config.system.build.mountScript}";
+ disko-format = pkgs.writeShellScriptBin "disko-format" "${nodeAttrs.config.system.build.formatScript}";
+
+ install-system = pkgs.writeShellScriptBin "install-system" ''
+ set -euo pipefail
+
+ echo "Formatting disks..."
+ ${disko-script}/bin/disko-script
+
+ echo "Installing system..."
+ nixos-install --no-root-password --system ${nodeAttrs.config.system.build.toplevel}
+
+ echo "Done!"
+ '';
+
+ installer-package = pkgs.symlinkJoin {
+ name = "installer-package-${nodeName}";
+ paths = with pkgs; [
+ disko-script
+ disko-mount
+ disko-format
+ install-system
+ ];
+ };
+in {
+ # Everything required for the installer as a single package,
+ # so it can be used from an existing live system by copying the derivation.
+ packages.${system}.installer-package.${nodeName} = installer-package;
+}
diff --git a/nix/generate-installer.nix b/nix/generate-installer.nix
deleted file mode 100644
index c18de14..0000000
--- a/nix/generate-installer.nix
+++ /dev/null
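Review bot: `install-system` runs `${disko-script}/bin/disko-script` as its very first step, so following the README and typing the command on the wrong live machine wipes the disks declared in that host's fs.nix with no prompt, no dry-run and no indication of which node the package was built for. Since the script is generated per node, gate the destructive step on an explicit confirmation naming the node, e.g. `echo "This will WIPE the disks configured for ${nodeName}."` then `read -r -p "Type yes to continue: " answer` and `[ "$answer" = yes ] || exit 1` placed before the format call; inside the Nix `''` string the shell variable must be written `$answer`, not `${answer}`, which Nix would try to interpolate. It would also help readers if the header comment on `installer-package` said when to use `disko-mount` and `disko-format` on their own versus the all-in-one `install-system`.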
@@ -1,90 +0,0 @@
-{
- self,
- nixos-generators,
- ...
-}: nodeName: nodeAttrs: let
- inherit (self.hosts.${nodeName}) system;
-
- pkgs = self.pkgs.${system};
-
- disko-script = pkgs.writeShellScriptBin "disko-script" "${nodeAttrs.config.system.build.diskoScript}";
- disko-mount = pkgs.writeShellScriptBin "disko-mount" "${nodeAttrs.config.system.build.mountScript}";
- disko-format = pkgs.writeShellScriptBin "disko-format" "${nodeAttrs.config.system.build.formatScript}";
-
- install-system = pkgs.writeShellScriptBin "install-system" ''
- set -euo pipefail
-
- echo "Formatting disks..."
- ${disko-script}/bin/disko-script
-
- echo "Installing system..."
- nixos-install --no-root-password --system ${nodeAttrs.config.system.build.toplevel}
-
- echo "Done!"
- '';
-
- installer-package = pkgs.symlinkJoin {
- name = "installer-package-${nodeName}";
- paths = with pkgs; [
- disko-script
- disko-mount
- disko-format
- install-system
- ];
- };
-
- configuration = {
- pkgs,
- lib,
- ...
- }: {
- isoImage.isoName = lib.mkForce "nixos-image-${nodeName}.iso";
- system.stateVersion = nodeAttrs.system.stateVersion;
- nix.extraOptions = ''
- experimental-features = nix-command flakes
- '';
-
- console.keyMap = "de-latin1-nodeadkeys";
-
- users.users.root = {
- password = "nixos";
- openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5Uq+CDy5Pmt3If5M6d8K/Q7HArU6sZ7sgoj3T521Wm"];
- };
-
- environment = {
- variables.EDITOR = "nvim";
- systemPackages = with pkgs; [
- installer-package
-
- neovim
- git
- tmux
- parted
- ripgrep
- fzf
- wget
- curl
- ];
- };
- };
-in {
- packages.${system} = {
- # Everything required for the installer as a single package,
- # so it can be used from an existing live system by copying the derivation.
- # TODO can we use a unified installer iso? does that work regarding size of this package?
- "installer-package-${nodeName}" = installer-package;
- "installer-image-${nodeName}" = nixos-generators.nixosGenerate {
- inherit pkgs;
- modules = [
- configuration
- ../hosts/common/core/ssh.nix
- ];
- format =
- {
- x86_64-linux = "install-iso";
- aarch64-linux = "sd-aarch64-installer";
- }
- .${system};
- };
- };
-}
diff --git a/nix/installer-configuration.nix b/nix/installer-configuration.nix
new file mode 100644
index 0000000..a3b24c2
--- /dev/null
+++ b/nix/installer-configuration.nix
@@ -0,0 +1,38 @@
+{
+ pkgs,
+ lib,
+ ...
+}: {
+ isoImage.isoName = lib.mkForce "nixos.iso";
+ system.stateVersion = "23.11";
+ nix.extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+
+ console.keyMap = "de-latin1-nodeadkeys";
+
+ users.users.root = {
+ password = "nixos";
+ openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5Uq+CDy5Pmt3If5M6d8K/Q7HArU6sZ7sgoj3T521Wm"];
+ };
+
+ environment = {
+ variables.EDITOR = "nvim";
+ systemPackages = with pkgs; [
+ neovim
+ git
+ tmux
+ parted
+ ripgrep
+ fzf
+ wget
+ curl
+ ];
+
+ etc.issue.text = ''
+ \d \t
+ This is \e{cyan}\n\e{reset} [\e{lightblue}\l\e{reset}] (\s \m \r)
+ \e{halfbright}\4\e{reset} \e{halfbright}\6\e{reset}
+ '';
+ };
+}
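Review bot: The new image bakes in `users.users.root.password = "nixos"` next to an authorized key, and the flake builds it together with `./modules/config/ssh.nix`, which is not part of this diff, so whether that well-known password is accepted over SSH while the installer is booted on the network depends entirely on what that module sets. If it does not already do so, add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "prohibit-password";` in this file so the listed key is the only remote way in and the password stays a console convenience. A short comment above `users.users.root` saying that the password is the stock installer default and intended for console use only would make that intent explicit to the next reader. `system.stateVersion` is now a fixed `"23.11"` rather than the node's value used by the deleted generate-installer.nix, which fits a generic image but deserves a one-line comment explaining why it is decoupled from the hosts.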