mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: use generic installer iso from now on

Browse source
This commit is contained in:
oddlama 2023-07-24 14:15:18 +02:00
parent b39f516bd7
commit 1110bdcac1
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 142 additions and 157 deletions
Download patch file Download diff file Expand all files Collapse all files

25
README.md
View file

@ -64,28 +64,21 @@ but here's a quick breakdown of the what you will find where.
... incomplete. ... incomplete.
- add <name> to `hosts` in `flake.nix` - Add <name> to `hosts` in `flake.nix`
- create hosts/<name> - Create hosts/<name>
- fill net.nix - Fill net.nix
- fill fs.nix (you need to know the device by-id paths in advance for formatting to work!) - Fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
- run generate-secrets - Run generate-secrets
#### Initial deploy #### Initial deploy
A. Fresh pre-made installer ISO - Create a bootable iso disk image with `nix build --print-out-paths --no-link .#images.<target-system>.live-iso`, dd it to a stick and boot
- (Alternative) Use an official NixOS live-iso and setup ssh manually
- Create a iso disk image for the system with `nix build --print-out-paths --no-link .#installer-image-<host>` - Copy the installer from a local machine to the live system with `nix copy --to <target> .#packages.<target-system>.installer-package.<target>`
- dd the resulting image to a stick and boot from it on the target
- (Optional) ssh into the target (keys are already set up)
B. Reusing any nixos-live iso
- Boot from live-iso and setup ssh access by writing your key to `/root/.ssh/authorized_keys`
- Copy installer package with `nix copy --to <target> .#installer-package-<host>`
Afterwards: Afterwards:
- Run `install-system` and reboot - Run `install-system` in the live environment and reboot
- Retrieve the new host identity by using `ssh-keyscan <host/ip> | grep -o 'ed25519.*' > host/<host>/secrets/host.pub` - Retrieve the new host identity by using `ssh-keyscan <host/ip> | grep -o 'ed25519.*' > host/<host>/secrets/host.pub`
- (If the host has microvms, also retrieve their identities!) - (If the host has microvms, also retrieve their identities!)
- Rekey the secrets for the new identity `nix run .#rekey` - Rekey the secrets for the new identity `nix run .#rekey`

67
flake.nix
View file

@ -72,12 +72,14 @@
outputs = { outputs = {
self, self,
agenix-rekey,
colmena, colmena,
elewrap, elewrap,
nixpkgs,
microvm,
flake-utils, flake-utils,
agenix-rekey, microvm,
nixos-generators,
nixpkgs,
pre-commit-hooks,
... ...
} @ inputs: let } @ inputs: let
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
@ -123,12 +125,12 @@
# to any system via nodes.<name> # to any system via nodes.<name>
nodes = self.colmenaNodes // self.microvmNodes; nodes = self.colmenaNodes // self.microvmNodes;
# For each true NixOS system, we want to expose an installer image that # For each true NixOS system, we want to expose an installer package that
# can be used to do setup on the node. # can be used to do the initial setup on the node from a live environment.
inherit inherit
(lib.foldl' lib.recursiveUpdate {} (lib.foldl' lib.recursiveUpdate {}
(lib.mapAttrsToList (lib.mapAttrsToList
(import ./nix/generate-installer.nix inputs) (import ./nix/generate-installer-package.nix inputs)
self.colmenaNodes)) self.colmenaNodes))
packages packages
; ;
@ -146,11 +148,60 @@
]; ];
}; };
# For each major system, we provide a customized installer image that
# has ssh and some other convenience stuff preconfigured.
# Not strictly necessary for new setups.
images.live-iso = nixos-generators.nixosGenerate {
inherit pkgs;
modules = [
./nix/installer-configuration.nix
./modules/config/ssh.nix
];
format =
{
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}
.${system};
};
# Define local apps and apps used for rekeying secrets
# `nix run .#<app>`
apps = apps =
agenix-rekey.defineApps self pkgs self.nodes agenix-rekey.defineApps self pkgs self.nodes
// import ./apps inputs system; // import ./apps inputs system;
checks = import ./nix/checks.nix inputs system;
devShells.default = import ./nix/dev-shell.nix inputs system; # `nix flake check`
checks.pre-commit-hooks = pre-commit-hooks.lib.${system}.run {
src = lib.cleanSource ./.;
hooks = {
alejandra.enable = true;
statix.enable = true;
luacheck.enable = true;
stylua.enable = true;
};
};
# `nix develop`
devShells.default = pkgs.mkShell {
name = "nix-config";
packages = with pkgs; [
# Nix
alejandra
cachix
colmena
deadnix
nix-tree
statix
update-nix-fetchgit
];
shellHook = ''
${self.checks.${system}.pre-commit-check.shellHook}
'';
};
# `nix fmt`
formatter = pkgs.alejandra; formatter = pkgs.alejandra;
}); });
} }

2
hosts/zackbiene/README.md
View file

@ -1,5 +1,7 @@
# First Setup # First Setup
- Install Tow-Boot (version 006 is broken, currently used 005) to SPI flash to be able to use UEFI. <3
- In HomeAssistant, MQTT integration needs to be added - In HomeAssistant, MQTT integration needs to be added
manually, and the mqtt connection details must be entered manually, and the mqtt connection details must be entered
localhost:1883, user=home_assistant, pass=<see corresponding secret file> localhost:1883, user=home_assistant, pass=<see corresponding secret file>

17
nix/checks.nix
View file

@ -1,17 +0,0 @@
{
self,
pre-commit-hooks,
...
}: system: {
pre-commit-check =
pre-commit-hooks.lib.${system}.run
{
src = self.pkgs.${system}.lib.cleanSource ../.;
hooks = {
alejandra.enable = true;
statix.enable = true;
luacheck.enable = true;
stylua.enable = true;
};
};
}

26
nix/dev-shell.nix
View file

@ -1,26 +0,0 @@
{self, ...}: system:
with self.pkgs.${system};
mkShell {
name = "nix-config";
packages = [
# Nix
cachix
colmena
alejandra
statix
update-nix-fetchgit
# Lua
stylua
(luajit.withPackages (p: with p; [luacheck]))
# Misc
shellcheck
pre-commit
rage
];
shellHook = ''
${self.checks.${system}.pre-commit-check.shellHook}
'';
}

34
nix/generate-installer-package.nix Normal file
View file

@ -0,0 +1,34 @@
{self, ...}: nodeName: nodeAttrs: let
inherit (self.hosts.${nodeName}) system;
pkgs = self.pkgs.${system};
disko-script = pkgs.writeShellScriptBin "disko-script" "${nodeAttrs.config.system.build.diskoScript}";
disko-mount = pkgs.writeShellScriptBin "disko-mount" "${nodeAttrs.config.system.build.mountScript}";
disko-format = pkgs.writeShellScriptBin "disko-format" "${nodeAttrs.config.system.build.formatScript}";
install-system = pkgs.writeShellScriptBin "install-system" ''
set -euo pipefail
echo "Formatting disks..."
${disko-script}/bin/disko-script
echo "Installing system..."
nixos-install --no-root-password --system ${nodeAttrs.config.system.build.toplevel}
echo "Done!"
'';
installer-package = pkgs.symlinkJoin {
name = "installer-package-${nodeName}";
paths = with pkgs; [
disko-script
disko-mount
disko-format
install-system
];
};
in {
# Everything required for the installer as a single package,
# so it can be used from an existing live system by copying the derivation.
packages.${system}.installer-package.${nodeName} = installer-package;
}

90
nix/generate-installer.nix
View file

@ -1,90 +0,0 @@
{
self,
nixos-generators,
...
}: nodeName: nodeAttrs: let
inherit (self.hosts.${nodeName}) system;
pkgs = self.pkgs.${system};
disko-script = pkgs.writeShellScriptBin "disko-script" "${nodeAttrs.config.system.build.diskoScript}";
disko-mount = pkgs.writeShellScriptBin "disko-mount" "${nodeAttrs.config.system.build.mountScript}";
disko-format = pkgs.writeShellScriptBin "disko-format" "${nodeAttrs.config.system.build.formatScript}";
install-system = pkgs.writeShellScriptBin "install-system" ''
set -euo pipefail
echo "Formatting disks..."
${disko-script}/bin/disko-script
echo "Installing system..."
nixos-install --no-root-password --system ${nodeAttrs.config.system.build.toplevel}
echo "Done!"
'';
installer-package = pkgs.symlinkJoin {
name = "installer-package-${nodeName}";
paths = with pkgs; [
disko-script
disko-mount
disko-format
install-system
];
};
configuration = {
pkgs,
lib,
...
}: {
isoImage.isoName = lib.mkForce "nixos-image-${nodeName}.iso";
system.stateVersion = nodeAttrs.system.stateVersion;
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
console.keyMap = "de-latin1-nodeadkeys";
users.users.root = {
password = "nixos";
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5Uq+CDy5Pmt3If5M6d8K/Q7HArU6sZ7sgoj3T521Wm"];
};
environment = {
variables.EDITOR = "nvim";
systemPackages = with pkgs; [
installer-package
neovim
git
tmux
parted
ripgrep
fzf
wget
curl
];
};
};
in {
packages.${system} = {
# Everything required for the installer as a single package,
# so it can be used from an existing live system by copying the derivation.
# TODO can we use a unified installer iso? does that work regarding size of this package?
"installer-package-${nodeName}" = installer-package;
"installer-image-${nodeName}" = nixos-generators.nixosGenerate {
inherit pkgs;
modules = [
configuration
../hosts/common/core/ssh.nix
];
format =
{
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}
.${system};
};
};
}

38
nix/installer-configuration.nix Normal file
View file

@ -0,0 +1,38 @@
{
pkgs,
lib,
...
}: {
isoImage.isoName = lib.mkForce "nixos.iso";
system.stateVersion = "23.11";
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
console.keyMap = "de-latin1-nodeadkeys";
users.users.root = {
password = "nixos";
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5Uq+CDy5Pmt3If5M6d8K/Q7HArU6sZ7sgoj3T521Wm"];
};
environment = {
variables.EDITOR = "nvim";
systemPackages = with pkgs; [
neovim
git
tmux
parted
ripgrep
fzf
wget
curl
];
etc.issue.text = ''
\d \t
This is \e{cyan}\n\e{reset} [\e{lightblue}\l\e{reset}] (\s \m \r)
\e{halfbright}\4\e{reset} \e{halfbright}\6\e{reset}
'';
};
}