sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add generation of installer image for each host

Browse source
This commit is contained in:
oddlama 2023-04-26 23:52:25 +02:00
parent 05ce0e6f5c
commit 3e810b1711
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
7 changed files with 245 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -32,6 +32,7 @@ This is my personal nix config.
- `format-secrets.nix` Runs the code formatter on the secret .nix files - `format-secrets.nix` Runs the code formatter on the secret .nix files
- `generate-initrd-keys.nix` Generates initrd hostkeys for each host if they don't exist yet (for setup) - `generate-initrd-keys.nix` Generates initrd hostkeys for each host if they don't exist yet (for setup)
- `generate-wireguard-keys.nix` Generates wireguard keys for each server-and-peer pair - `generate-wireguard-keys.nix` Generates wireguard keys for each server-and-peer pair
- `show-wireguard-qr.nix` Generates a QR code for external wireguard participants
- `checks.nix` pre-commit-hooks for this repository - `checks.nix` pre-commit-hooks for this repository
- `colmena.nix` Setup for distributed deployment using colmena (actually defines all NixOS hosts) - `colmena.nix` Setup for distributed deployment using colmena (actually defines all NixOS hosts)
- `dev-shell.nix` Environment setup for `nix develop` for using this flake - `dev-shell.nix` Environment setup for `nix develop` for using this flake
@ -49,7 +50,7 @@ This is my personal nix config.
## How-To ## How-To
#### Add and deploy new machine #### Add new machine
... ...
@ -60,6 +61,11 @@ This is my personal nix config.
- generate-initrd-keys - generate-initrd-keys
- generate-wireguard-keys - generate-wireguard-keys
#### Initial deploy
- Boot from some nixos-minimal.iso
-
#### Show QR for external wireguard client #### Show QR for external wireguard client
nix run show-wireguard-qr nix run show-wireguard-qr

70
flake.lock generated
View file

@ -109,6 +109,26 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1682299489,
"narHash": "sha256-bqHo0/82KB+IyBMyjBd6QdyZWJl/YZeGggjBsAgRFlY=",
"owner": "nix-community",
"repo": "disko",
"rev": "8ab9e5609929379ab15f03fd3bdc1f85419e5a3a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -187,11 +207,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1682273416, "lastModified": 1682419509,
"narHash": "sha256-YvRc5TOyf92Fcvt6cYfsqxfjqalAUME3Klv4IbdhkBE=", "narHash": "sha256-+/HI3RbJcEKQ5+55dECzh8geginsbabsA0R3ORKi2Us=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "a5a294a622a7d3a837aaa145334e4d813c1bc5b1", "rev": "6142193635ecdafb9a231bd7d1880b9b7b210d19",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -250,6 +270,42 @@
"type": "github" "type": "github"
} }
}, },
"nixlib": {
"locked": {
"lastModified": 1681001314,
"narHash": "sha256-5sDnCLdrKZqxLPK4KA8+f4A3YKO/u6ElpMILvX0g72c=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "367c0e1086a4eb4502b24d872cea2c7acdd557f4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1682332772,
"narHash": "sha256-GMoWhChQdeNM2FFqVbEZgBABSdi/+JgSP6v+jUz5b24=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "d774aeedc0685e5871be1e1ee0511900deeb21c2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1680876084, "lastModified": 1680876084,
@ -288,11 +344,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1682181988, "lastModified": 1682453498,
"narHash": "sha256-CYWhlNi16cjGzMby9h57gpYE59quBcsHPXiFgX4Sw5k=", "narHash": "sha256-WoWiAd7KZt5Eh6n+qojcivaVpnXKqBsVgpixpV2L9CE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6c43a3495a11e261e5f41e5d7eda2d71dae1b2fe", "rev": "c8018361fa1d1650ee8d4b96294783cf564e8a7f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -349,11 +405,13 @@
"agenix": "agenix", "agenix": "agenix",
"agenix-rekey": "agenix-rekey", "agenix-rekey": "agenix-rekey",
"colmena": "colmena", "colmena": "colmena",
"disko": "disko",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence", "impermanence": "impermanence",
"lib-net": "lib-net", "lib-net": "lib-net",
"microvm": "microvm", "microvm": "microvm",
"nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixos-nftables-firewall": "nixos-nftables-firewall", "nixos-nftables-firewall": "nixos-nftables-firewall",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",

24
flake.nix
View file

@ -8,6 +8,11 @@
inputs.flake-utils.follows = "flake-utils"; inputs.flake-utils.follows = "flake-utils";
}; };
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = { home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -22,6 +27,11 @@
nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-hardware.url = "github:NixOS/nixos-hardware";
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-nftables-firewall = { nixos-nftables-firewall = {
url = "github:thelegy/nixos-nftables-firewall"; url = "github:thelegy/nixos-nftables-firewall";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -57,11 +67,14 @@
outputs = { outputs = {
self, self,
colmena, colmena,
nixos-generators,
nixpkgs, nixpkgs,
flake-utils, flake-utils,
agenix-rekey, agenix-rekey,
... ...
} @ inputs: } @ inputs: let
recursiveMergeAttrs = nixpkgs.lib.foldl' nixpkgs.lib.recursiveUpdate {};
in
{ {
extraLib = import ./nix/lib.nix inputs; extraLib = import ./nix/lib.nix inputs;
@ -80,6 +93,15 @@
# All nixos based hosts collected together # All nixos based hosts collected together
nodes = self.colmenaNodes // self.microvmNodes; nodes = self.colmenaNodes // self.microvmNodes;
# Collect installer packages
inherit
(recursiveMergeAttrs
(nixpkgs.lib.mapAttrsToList
(import ./nix/generate-installer.nix inputs)
self.colmenaNodes))
packages
;
} }
// flake-utils.lib.eachDefaultSystem (system: rec { // flake-utils.lib.eachDefaultSystem (system: rec {
pkgs = import nixpkgs { pkgs = import nixpkgs {

69
hosts/ward/fs.nix
View file

@ -1,16 +1,63 @@
{ {
fileSystems = { extraLib,
"/" = { pkgs,
device = "rpool/root/nixos"; ...
fsType = "zfs"; }: {
options = ["zfsutil" "X-mount.mkdir"]; disko.devices = {
}; disk = {
m2-ssd = {
"/boot" = { type = "disk";
device = "/dev/disk/by-uuid/10E6-553F"; device = "/dev/disk/by-id/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
fsType = "vfat"; content = {
type = "table";
format = "gpt";
partitions = [
{
name = "efi";
start = "2048";
end = "1GiB";
fs-type = "fat32";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
}
{
name = "swap";
start = "1GiB";
end = "17GiB";
content = {
type = "swap";
randomEncryption = true;
};
}
{
name = "rpool";
start = "17GiB";
end = "100%";
content = {
type = "zfs";
pool = "rpool";
};
}
];
};
};
}; };
zpool = extraLib.disko.defineEncryptedZpool "rpool" {};
}; };
swapDevices = []; boot.initrd.systemd.services = {
impermanence-root = {
wantedBy = ["initrd.target"];
after = ["zfs-import-rpool.service"];
before = ["sysroot.mount"];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
};
};
};
} }

46
nix/generate-installer.nix Normal file
View file

@ -0,0 +1,46 @@
{
self,
nixos-generators,
...
}: nodeName: nodeAttrs: let
inherit (self.hosts.${nodeName}) system;
configuration = {pkgs, ...}: {
system.stateVersion = "23.05";
nix.extraOptions = ''
experimental-features = nix-command flakes recursive-nix
'';
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.password = "nixos";
environment = {
variables.EDITOR = "nvim";
systemPackages = with pkgs; [
neovim
git
tmux
parted
ripgrep
fzf
wget
curl
# TODO nodeAttrs.config.boot.system.
];
};
};
in {
packages.${system}."installer-image-${nodeName}" = nixos-generators.nixosGenerate {
pkgs = self.pkgs.${system};
modules = [configuration];
format =
{
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}
.${system};
};
}

2
nix/generate-node.nix
View file

@ -1,6 +1,7 @@
{ {
self, self,
colmena, colmena,
disko,
home-manager, home-manager,
#impermanence, #impermanence,
nixos-hardware, nixos-hardware,
@ -34,6 +35,7 @@ in
#impermanence.nixosModules.default #impermanence.nixosModules.default
agenix.nixosModules.default agenix.nixosModules.default
agenix-rekey.nixosModules.default agenix-rekey.nixosModules.default
disko.nixosModules.disko
nixos-nftables-firewall.nixosModules.default nixos-nftables-firewall.nixosModules.default
] ]
++ optionals nodeMeta.microVmHost [ ++ optionals nodeMeta.microVmHost [

45
nix/lib.nix
View file

@ -20,6 +20,7 @@
mergeAttrs mergeAttrs
nameValuePair nameValuePair
partition partition
recursiveUpdate
removeSuffix removeSuffix
splitString splitString
substring substring
@ -47,6 +48,50 @@ in rec {
# True if the path or string starts with / # True if the path or string starts with /
isAbsolutePath = x: substring 0 1 x == "/"; isAbsolutePath = x: substring 0 1 x == "/";
# Defines a simple encrypted and compressed pool
# with datasets necessary datasets for use with impermanence
disko.defineEncryptedZpool = name:
recursiveUpdate {
${name} = {
type = "zpool";
mode = "mirror";
rootFsOptions = {
compression = "zstd";
acltype = "posix";
atime = "off";
xattr = "sa";
dnodesize = "auto";
mountpoint = "none";
canmount = "off";
devices = "off";
encryption = "aes-256-gcm";
keyformat = "passphrase";
keylocation = "prompt";
};
options.ashift = "12";
datasets = {
"local".type = "zfs_fs";
"local/root" = {
type = "zfs_fs";
postCreateHook = "zfs snapshot ${name}/local/root@blank";
options.canmount = "on";
mountpoint = "/";
};
"local/nix" = {
type = "zfs_fs";
options.canmount = "on";
mountpoint = "/nix";
};
"safe".type = "zfs_fs";
"safe/persist" = {
type = "zfs_fs";
options.canmount = "on";
mountpoint = "/persist";
};
};
};
};
rageMasterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities; rageMasterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
rageExtraEncryptionPubkeys = rageExtraEncryptionPubkeys =
concatMapStrings ( concatMapStrings (