nixos-anywhere #4
25 changed files with 329 additions and 193 deletions
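--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use_flake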
34
README.md
34
README.md
|
@ -1,19 +1,27 @@
|
||||||
# nixos-servers
|
# nixos-servers
|
||||||
|
|
||||||
Nix definitions to configure our physical servers.
|
Nix definitions to configure our physical servers.
|
||||||
Currently, only one physical server (named jefke) is implemented.
|
Currently, only one physical server (named jefke) is implemented but more are planned!
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
|
||||||
|
2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))
|
||||||
|
3. Install Direnv ([link](https://direnv.net/))
|
||||||
|
4. Allow direnv for this repository: `direnv allow`
|
||||||
|
|
||||||
|
## Bootstrapping
|
||||||
|
|
||||||
|
We bootstrap our physical server using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).
|
||||||
|
This reformats the hard disk of the server and installs a fresh NixOS.
|
||||||
|
Additionally, it deploys an age identity, which is later used for decrypting secrets.
|
||||||
|
|
||||||
|
⚠️ This will wipe your server completely ⚠️
|
||||||
|
|
||||||
|
1. Make sure your have a [Secret service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) running (such as Keepassxc) that provides the age identity.
|
||||||
|
2. Ensure you have root SSH access to the server.
|
||||||
|
3. Run nixos-anywhere: `./bootstrap.sh <servername>`
|
||||||
|
|
||||||
## Deployment
|
## Deployment
|
||||||
|
|
||||||
### Prerequisites
|
Deployment can simply be done as follows: `deploy`
|
||||||
|
|
||||||
Before a NixOS definition can be deployed, some prerequite preparational steps must be performed.
|
|
||||||
|
|
||||||
1. Manually install NixOS on the physical machine. This could potentially be automated in the future with [nixos-anywhere](https://github.com/nix-community/nixos-anywhere), but for now this is a manual process.
|
|
||||||
2. Enable SSH and install authorized keys.
|
|
||||||
3. Ensure Python3 is installed for Ansible.
|
|
||||||
4. Run Ansible playbook which deploys secrets `ansible-playbook deploy_secrets.yml`.
|
|
||||||
|
|
||||||
### NixOS deployment
|
|
||||||
|
|
||||||
Finally, the NixOS definition can be deployed as follows: `nix run github:serokell/deploy-rs`.
|
|
||||||
|
|
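--- a/agenix.nix
+++ b/agenix.nix
@@ -0,0 +1,10 @@
+{ machine, ... }: {
+age = {
+identityPaths = [ "/root/age_ed25519" ];
+
+secrets = {
+"host_ed25519".file = ./secrets/${machine.name}_host_ed25519.age;
+"user_ed25519".file = ./secrets/${machine.name}_user_ed25519.age;
+};
+};
+}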
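Review bot: `identityPaths = [ "/root/age_ed25519" ];` hard-codes the path that bootstrap.sh writes through `--extra-files` (`$temp/root/age_ed25519`), and nothing ties the two together, so a rename on either side silently leaves the host unable to decrypt; a comment `# Placed by bootstrap.sh via nixos-anywhere --extra-files; keep the path in sync with that script.` on this line records the coupling. Setting `identityPaths` also replaces agenix's default of using the sshd host keys as identities, which is required here because the host key is itself one of the secrets being decrypted; a second comment saying so would stop a later reader from "simplifying" the option away. The secrets themselves use agenix's default owner and mode, which is adequate for an sshd `HostKey`, but stating that assumption in a comment next to `secrets = {` would help when more secrets with other consumers are added.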
@ -1 +0,0 @@
|
||||||
use flake
|
|
|
@ -1,8 +0,0 @@
|
||||||
[defaults]
|
|
||||||
inventory=inventory
|
|
||||||
vault_password_file=$HOME/.config/home/ansible-vault-secret
|
|
||||||
host_key_checking = False
|
|
||||||
remote_user = root
|
|
||||||
|
|
||||||
[diff]
|
|
||||||
always = True
|
|
|
@ -1,32 +0,0 @@
|
||||||
- name: Deploy secrets
|
|
||||||
hosts: jefke
|
|
||||||
tasks:
|
|
||||||
- name: Place user certificate
|
|
||||||
copy:
|
|
||||||
src: files/jefke_user_ed25519.crt
|
|
||||||
dest: /etc/ssh/ssh_user_ed25519_key-cert.pub
|
|
||||||
|
|
||||||
- name: Place user public key
|
|
||||||
copy:
|
|
||||||
src: files/jefke_user_ed25519.pub
|
|
||||||
dest: /etc/ssh/ssh_user_ed25519_key.pub
|
|
||||||
|
|
||||||
- name: Place user private key
|
|
||||||
copy:
|
|
||||||
src: files/jefke_user_ed25519
|
|
||||||
dest: /etc/ssh/ssh_user_ed25519_key
|
|
||||||
|
|
||||||
- name: Place host certificate
|
|
||||||
copy:
|
|
||||||
src: files/jefke_host_ed25519.crt
|
|
||||||
dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
|
|
||||||
|
|
||||||
- name: Place host public key
|
|
||||||
copy:
|
|
||||||
src: files/jefke_host_ed25519.pub
|
|
||||||
dest: /etc/ssh/ssh_host_ed25519_key.pub
|
|
||||||
|
|
||||||
- name: Place host private key
|
|
||||||
copy:
|
|
||||||
src: files/jefke_host_ed25519
|
|
||||||
dest: /etc/ssh/ssh_host_ed25519_key
|
|
|
@ -1,25 +0,0 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
37613631656435623262663132613734663862346638313566623466663838333634663934663539
|
|
||||||
3035363062373461313937383365383233643861346562660a666235323134663361366635343037
|
|
||||||
35316364633964333963363866333364333834646636326632313261633863616661373763346539
|
|
||||||
3266346433356362620a663634356331306538386463616261626232396464663166316533613330
|
|
||||||
63633664626261333862623366666235383862386233313761616561623932666364636237346663
|
|
||||||
32616633616364356537336463643237383233356232363836376337343166336332386530653338
|
|
||||||
31643635303630386166393236616237343262653862323436636465613736393762623239646538
|
|
||||||
35666266656465656333666266326639326161323230326232363461383634356264336333663664
|
|
||||||
61656361666430356238666366363138343239316631313861636463376462613336613631633233
|
|
||||||
38343161356464353138376131333563633539323231646530636566386434613463623934646162
|
|
||||||
36323665353766313034623261336336393862366561343165613733396236326365656436373930
|
|
||||||
65633838333438356464353436343638616163363637313665333336313137623035346235323332
|
|
||||||
36383731663366356634653837306561613037633166653939336434623637353665326538303165
|
|
||||||
66636332363131313332663130663332393237643361363166663634633661626137346264303938
|
|
||||||
30383132376331633938353934393939373437343438613861653837613337373638336636653039
|
|
||||||
39336637373730333434636134633062623064653432633730366139666265373066346132373639
|
|
||||||
64353536646639366636656634633431316330656634383234343631626138393936663637653239
|
|
||||||
62393130366136396363633264623139323437643862343964383963663162636332386630363363
|
|
||||||
34636535376264323564383533306162316437306462326636313936316430326235633761356138
|
|
||||||
39666235646364353332613038623935343265346661633032303036653461396139383933316263
|
|
||||||
36316465383063643961353031633365613962383264663636623662363461626365356330663232
|
|
||||||
39393632366439623063326232373733333766353638393466396365663039666130383239366534
|
|
||||||
32326139306235306332376565366137373630303363346366306337306439643866393361333032
|
|
||||||
38626139633761613365
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTzrsjwRmKg3JbRLY/RrWnIBfCupfFdMWZ/8AQAXg9u root@jefke
|
|
|
@ -1,25 +0,0 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
61393933316139623835666133666433393235376532643538363733656439356465393062636265
|
|
||||||
3236373661386566326631636333346430316264616537320a386336376239613865363032666239
|
|
||||||
63616166363837393562643836333765393536363564636365616638333939323436383735616262
|
|
||||||
3331363766353038620a626662666331613734313564636564633238653762336364666237353635
|
|
||||||
36353837666366346565626162666466353661646630376261643133393966336236656234626139
|
|
||||||
38326164366565646539396139343538636234646330623965623430303535316131636261336133
|
|
||||||
61373763326566666565366432353535653430326466316130376337656431363038666334653332
|
|
||||||
63646439323635303432653536643464666266303533633330663137376432353563366133663661
|
|
||||||
31393430356235323535303562323662313936393132383162316238666162373232313736646630
|
|
||||||
34343131393963313839393330356539636532613936383932393537346134356337306336633434
|
|
||||||
32653961616161656136306234313335653336336230366237303336346631623735646564323962
|
|
||||||
31316165333264613433313761393936643433323762363161393730363161613839333038363032
|
|
||||||
63393038346365353362366639386334666134613961383033306566333361373630353539366635
|
|
||||||
32363732353262313436376462616437363337623933363964333763396233656438346638633432
|
|
||||||
66383338336237313266666161656633656264623532633764333565663331666665623031353265
|
|
||||||
31646233383238313734633234653666313734343263653936333636323463653636333535656565
|
|
||||||
30646133366265363938363561623335653239643637656339393236313535326366643238396562
|
|
||||||
30623631656530353362613536633935343131353961353735333561626463353632623465613063
|
|
||||||
37373661333339353030626437653863653736353939643966373834663262383035336337656335
|
|
||||||
34333836373535373164623436666465346564356539313032316130616439323161653134646364
|
|
||||||
32363938356235343736396431333639656366663130366439363062643137326162366563346266
|
|
||||||
30343834386135616663613964353262333462613465646362353437373362326363326136333131
|
|
||||||
66356466656162393038316361323335363261653036316533646563376262353039623939306663
|
|
||||||
35333430633836373064
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZ3aw6gjrOt561j1Mh7kINqlavorKeujN1Q8mn/Fy69 root@jefke
|
|
|
@ -1,27 +0,0 @@
|
||||||
{
|
|
||||||
"nodes": {
|
|
||||||
"nixpkgs": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1698434055,
|
|
||||||
"narHash": "sha256-Phxi5mUKSoL7A0IYUiYtkI9e8NcGaaV5PJEaJApU1Ko=",
|
|
||||||
"owner": "nixos",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"rev": "1a3c95e3b23b3cdb26750621c08cc2f1560cb883",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nixos",
|
|
||||||
"ref": "nixos-23.05",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"root": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": "nixpkgs"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"root": "root",
|
|
||||||
"version": 7
|
|
||||||
}
|
|
|
@ -1,26 +0,0 @@
|
||||||
{
|
|
||||||
inputs = {
|
|
||||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
|
|
||||||
};
|
|
||||||
|
|
||||||
outputs = {
|
|
||||||
self,
|
|
||||||
nixpkgs,
|
|
||||||
...
|
|
||||||
}: let
|
|
||||||
supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
|
|
||||||
forEachSupportedSystem = f:
|
|
||||||
nixpkgs.lib.genAttrs supportedSystems (system:
|
|
||||||
f {
|
|
||||||
pkgs = import nixpkgs {inherit system;};
|
|
||||||
});
|
|
||||||
in {
|
|
||||||
devShells = forEachSupportedSystem ({pkgs}: {
|
|
||||||
default = pkgs.mkShell {
|
|
||||||
packages = with pkgs; [
|
|
||||||
ansible
|
|
||||||
];
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,5 +0,0 @@
|
||||||
all:
|
|
||||||
hosts:
|
|
||||||
jefke:
|
|
||||||
ansible_user: root
|
|
||||||
ansible_host: jefke.hyp
|
|
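--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+
+servername="${1-}"
+
+if [ -z "$servername" ]
+then
+echo "Usage: $0 SERVERNAME"
+exit 1
+fi
+
+confirmation="Yes, wipe ${servername}."
+
+echo "⚠️ This will wipe ${servername} completely! ⚠️"
+echo "Confirm by typing: \"${confirmation}\""
+read response
+
+if [ "$response" != "$confirmation" ]; then
+echo "Aborting."
+exit 1
+fi
+
+# Create a temporary directory
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Create directory where age key will go.
+# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system.
+mkdir "$temp/root"
+
+secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519"
+
+# Set the correct permissions
+chmod 600 "$temp/root/age_ed25519"
+
+# Install NixOS to the host system with our age identity
+nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake ".#${servername}" "root@${servername}.hyp"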
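Review bot: `nix run github:numtide/nixos-anywhere -- ...` on the last line runs an unpinned flake reference, so the tool that gets root on the target and rewrites its disk is whatever the upstream default branch holds at run time, outside the control of flake.lock, and the name also differs from the `nix-community/nixos-anywhere` the README links to. Pin it to a revision (`github:numtide/nixos-anywhere/<rev>`, placeholder) or expose it from the flake's devShell so it is locked together with disko and agenix; the devShell in flake.nix already carries a TODO about exactly this package. The age identity is written by the redirect in `secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519"` with the caller's umask and only tightened by the later `chmod 600`; the directory from `mktemp -d` is private, so the window is small, but `(umask 077; secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519")` creates the file private from the start and makes the `chmod` redundant. `read -r response` would also stop backslashes in the typed confirmation from being interpreted.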
@ -1,5 +1,5 @@
|
||||||
{ pkgs, ... }: {
|
{ pkgs, config, machine, ... }: {
|
||||||
imports = [ ./hardware-configuration.nix ];
|
imports = [ ./hardware-configuration.nix ./disk-config.nix ./agenix.nix ];
|
||||||
|
|
||||||
boot.loader = {
|
boot.loader = {
|
||||||
systemd-boot.enable = true;
|
systemd-boot.enable = true;
|
||||||
|
@ -32,7 +32,10 @@
|
||||||
KbdInteractiveAuthentication = false;
|
KbdInteractiveAuthentication = false;
|
||||||
};
|
};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
|
HostCertificate ${
|
||||||
|
builtins.toFile "host_ed25519-cert.pub" machine.host-cert
|
||||||
|
}
|
||||||
|
HostKey ${config.age.secrets.host_ed25519.path}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -65,8 +68,10 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
|
CertificateFile ${
|
||||||
HostKey /etc/ssh/ssh_user_ed25519_key
|
builtins.toFile "user_ed25519-cert.pub" machine.user-cert
|
||||||
|
}
|
||||||
|
HostKey ${config.age.secrets.user_ed25519.path}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
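Review bot: In the hunk at `@ -65,8 +68,10 @@`, the new `HostKey ${config.age.secrets.user_ed25519.path}` line keeps a server-side keyword next to `CertificateFile`, which is an ssh client keyword; the block this `extraConfig` belongs to starts outside the hunk, and if it is the client configuration (`programs.ssh.extraConfig`), the client spelling for a private key is `IdentityFile ${config.age.secrets.user_ed25519.path}` and ssh rejects `HostKey` as a bad configuration option, whereas in sshd_config it is `CertificateFile` that is invalid. The mismatch predates this commit, but both lines are rewritten here, so it is the moment to confirm which option set consumes this block. For the sshd block at `@ -32,7 +32,10 @@`, the certificate is embedded with `builtins.toFile` and therefore lands in the world-readable Nix store, which is fine for a public certificate, while the private key stays at the agenix-managed path that only exists once agenix has decrypted it; a comment `# cert is public and may live in the store; the key is decrypted by agenix (see agenix.nix)` would make that split explicit.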
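--- a/disk-config.nix
+++ b/disk-config.nix
@@ -0,0 +1,55 @@
+# Running system:
+
+# NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+# nvme0n1 259:0 0 465,8G 0 disk
+# ├─nvme0n1p1 259:1 0 512M 0 part /boot
+# ├─nvme0n1p2 259:2 0 456,5G 0 part /nix/store
+# │ /
+# └─nvme0n1p3 259:3 0 8,8G 0 part [SWAP]
+
+# Filesystem 1K-blocks Used Available Use% Mounted on
+# devtmpfs 809892 0 809892 0% /dev
+# tmpfs 8098920 0 8098920 0% /dev/shm
+# tmpfs 4049460 3988 4045472 1% /run
+# tmpfs 8098920 456 8098464 1% /run/wrappers
+# /dev/nvme0n1p2 469995160 17597168 428450100 4% /
+# /dev/nvme0n1p1 523248 119660 403588 23% /boot
+# tmpfs 1619784 0 1619784 0% /run/user/0
+
+# Disk name: nvme0n1
+# disko template: simple-efi
+# https://raw.githubusercontent.com/nix-community/disko/master/example/simple-efi.nix
+
+{
+disko.devices = {
+disk = {
+vdb = {
+device = "/dev/nvme0n1";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+type = "EF00";
+size = "500M";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+root = {
+size = "100%";
+content = {
+type = "filesystem";
+format = "ext4";
+mountpoint = "/";
+};
+};
+};
+};
+};
+};
+};
+}
+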
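Review bot: `device = "/dev/nvme0n1";` in the `vdb` entry names the disk by kernel enumeration order, and since this file is what nixos-anywhere hands to disko to partition and format, a machine that enumerates differently (an added NVMe, a different slot) would have the wrong disk wiped; a `/dev/disk/by-id/<stable-id>` path (placeholder for the real id) is the stable form, and the attribute name `vdb`, left over from the template, should be renamed to match the device it describes. The `lsblk` listing in the header comment shows an 8,8G `[SWAP]` partition on the running system that this layout does not recreate, and `swapDevices` in hardware-configuration.nix is commented out in the same commit, so the rebuilt host ends up without swap. If that is intended, a one-line comment next to the `root` partition saying so saves the next reader the search; otherwise a swap partition entry is missing here.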
106
flake.lock
106
flake.lock
|
@ -1,5 +1,49 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"agenix": {
|
||||||
|
"inputs": {
|
||||||
|
"darwin": "darwin",
|
||||||
|
"home-manager": "home-manager",
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1696775529,
|
||||||
|
"narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"darwin": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"agenix",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1673295039,
|
||||||
|
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
|
||||||
|
"owner": "lnl7",
|
||||||
|
"repo": "nix-darwin",
|
||||||
|
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "lnl7",
|
||||||
|
"ref": "master",
|
||||||
|
"repo": "nix-darwin",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"deploy-rs": {
|
"deploy-rs": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat",
|
||||||
|
@ -20,6 +64,26 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"disko": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1699781810,
|
||||||
|
"narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "disko",
|
||||||
|
"rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "disko",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"flake-compat": {
|
"flake-compat": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -36,6 +100,27 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"home-manager": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"agenix",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1682203081,
|
||||||
|
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "home-manager",
|
||||||
|
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "home-manager",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1671417167,
|
"lastModified": 1671417167,
|
||||||
|
@ -52,6 +137,22 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-unstable": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1699725108,
|
||||||
|
"narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixpkgs-unstable",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1699291058,
|
"lastModified": 1699291058,
|
||||||
|
@ -70,8 +171,11 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"agenix": "agenix",
|
||||||
"deploy-rs": "deploy-rs",
|
"deploy-rs": "deploy-rs",
|
||||||
"nixpkgs": "nixpkgs_2"
|
"disko": "disko",
|
||||||
|
"nixpkgs": "nixpkgs_2",
|
||||||
|
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"utils": {
|
"utils": {
|
||||||
|
|
63
flake.nix
63
flake.nix
|
@ -3,31 +3,68 @@
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
|
||||||
|
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||||
deploy-rs.url = "github:serokell/deploy-rs";
|
deploy-rs.url = "github:serokell/deploy-rs";
|
||||||
|
disko = {
|
||||||
|
url = "github:nix-community/disko";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
|
agenix = {
|
||||||
|
url = "github:ryantm/agenix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, deploy-rs, ... }:
|
outputs = { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, ... }:
|
||||||
let system = "x86_64-linux";
|
let
|
||||||
|
system = "x86_64-linux";
|
||||||
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
|
pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
|
||||||
|
machines = import ./machines;
|
||||||
|
mkNixosSystems = systemDef:
|
||||||
|
nixpkgs.lib.foldlAttrs (acc: name: machine:
|
||||||
|
acc // {
|
||||||
|
"${name}" = nixpkgs.lib.nixosSystem (systemDef machine);
|
||||||
|
}) { } machines;
|
||||||
|
mkDeployNodes = nodeDef:
|
||||||
|
nixpkgs.lib.foldlAttrs
|
||||||
|
(acc: name: machine: acc // { "${name}" = nodeDef machine; }) { }
|
||||||
|
machines;
|
||||||
in {
|
in {
|
||||||
|
devShells.${system}.default = pkgs.mkShell {
|
||||||
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt;
|
packages = [
|
||||||
|
pkgs.libsecret
|
||||||
nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem {
|
# TODO: using nixos-anywhere from nixos-unstable produces buffer overflow.
|
||||||
inherit system;
|
# Related to this issue: https://github.com/nix-community/nixos-anywhere/issues/242
|
||||||
modules = [ ./configuration.nix ];
|
# Should wait until this is merged in nixos-unstable.
|
||||||
|
# pkgs-unstable.nixos-anywhere
|
||||||
|
pkgs-unstable.deploy-rs
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
formatter.${system} = pkgs.nixfmt;
|
||||||
|
|
||||||
|
nixosConfigurations = mkNixosSystems (machine: {
|
||||||
|
inherit system;
|
||||||
|
specialArgs = { inherit machine; };
|
||||||
|
modules = [
|
||||||
|
disko.nixosModules.disko
|
||||||
|
agenix.nixosModules.default
|
||||||
|
./configuration.nix
|
||||||
|
];
|
||||||
|
});
|
||||||
|
|
||||||
deploy = {
|
deploy = {
|
||||||
sshUser = "root";
|
sshUser = "root";
|
||||||
user = "root";
|
user = "root";
|
||||||
|
|
||||||
nodes.jefke = {
|
nodes = mkDeployNodes (machine: {
|
||||||
hostname = "jefke.hyp";
|
hostname = machine.hostname;
|
||||||
profiles.hypervisor = {
|
profiles.hypervisor = {
|
||||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
path = deploy-rs.lib.${system}.activate.nixos
|
||||||
self.nixosConfigurations.hypervisor;
|
self.nixosConfigurations.${machine.name};
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
checks = builtins.mapAttrs
|
checks = builtins.mapAttrs
|
||||||
|
|
|
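Review bot: `mkNixosSystems` and `mkDeployNodes` rebuild an attribute set with `foldlAttrs` and `//` where `mapAttrs` expresses the same mapping directly: `mkNixosSystems = systemDef: nixpkgs.lib.mapAttrs (_: machine: nixpkgs.lib.nixosSystem (systemDef machine)) machines;` and `mkDeployNodes = nodeDef: nixpkgs.lib.mapAttrs (_: nodeDef) machines;`. The devShell comments out `pkgs-unstable.nixos-anywhere` with a TODO, so the tool bootstrap.sh runs is not provided or locked by this flake at all; a sentence in that TODO such as `# until then bootstrap.sh fetches nixos-anywhere unpinned via nix run` would make the gap visible to whoever resolves it. `nodes` are now generated per machine but `profiles.hypervisor` stays hard-coded, which is fine while every entry in ./machines is a hypervisor; a comment stating that assumption would help when the first non-hypervisor machine is added.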
@ -7,18 +7,18 @@
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" = {
|
# fileSystems."/" = {
|
||||||
device = "/dev/disk/by-uuid/b78f591c-c9b6-4dae-9837-56716d38990b";
|
# device = "/dev/disk/by-uuid/b78f591c-c9b6-4dae-9837-56716d38990b";
|
||||||
fsType = "ext4";
|
# fsType = "ext4";
|
||||||
};
|
# };
|
||||||
|
|
||||||
fileSystems."/boot" = {
|
# fileSystems."/boot" = {
|
||||||
device = "/dev/disk/by-uuid/6936-84C2";
|
# device = "/dev/disk/by-uuid/6936-84C2";
|
||||||
fsType = "vfat";
|
# fsType = "vfat";
|
||||||
};
|
# };
|
||||||
|
|
||||||
swapDevices =
|
# swapDevices =
|
||||||
[{ device = "/dev/disk/by-uuid/79fbd322-e58d-4e45-8969-06ef494cefea"; }];
|
# [{ device = "/dev/disk/by-uuid/79fbd322-e58d-4e45-8969-06ef494cefea"; }];
|
||||||
|
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
|
|
||||||
|
|
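Review bot: The `fileSystems."/"`, `fileSystems."/boot"` and `swapDevices` definitions are commented out rather than removed now that disko declares the mounts through `./disk-config.nix`; commented-out configuration rots, and the old `by-uuid` values no longer refer to anything once the disk is reformatted, so deleting the lines (git keeps the history) is the cleaner change. If the comments are kept as a record of the previous layout, a one-line note above them such as `# Mounts are declared by disko in disk-config.nix; the values below are the pre-disko layout.` explains why they are inert.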
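--- a/machines/default.nix
+++ b/machines/default.nix
@@ -0,0 +1,8 @@
+{
+jefke = {
+name = "jefke";
+hostname = "jefke.hyp";
+user-cert = builtins.readFile ./jefke_user_ed25519-cert.pub;
+host-cert = builtins.readFile ./jefke_host_ed25519-cert.pub;
+};
+}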
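Review bot: `user-cert = builtins.readFile ./jefke_user_ed25519-cert.pub;` and the `host-cert` line below read files that do not appear in the visible part of this diff; a flake only sees git-tracked files, so if those `.pub` files are untracked, evaluating `nixosConfigurations` fails with a missing-path error before anything else is checked — worth confirming they are committed. `name = "jefke";` also repeats the attribute key; `mkNixosSystems` in flake.nix already receives the key as `name`, so deriving the field there (e.g. `nixpkgs.lib.mapAttrs (name: m: m // { inherit name; })` over the imported set) would keep the two from drifting. A header comment such as `# One entry per physical machine. The certs are public SSH certificates; private keys live in secrets/.` would document the shape that flake.nix, configuration.nix and agenix.nix all depend on.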
BIN
secrets/jefke_host_ed25519.age
Normal file
BIN
secrets/jefke_host_ed25519.age
Normal file
Binary file not shown.
BIN
secrets/jefke_user_ed25519.age
Normal file
BIN
secrets/jefke_user_ed25519.age
Normal file
Binary file not shown.
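--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,16 @@
+let
+pkgs = import <nixpkgs> { };
+lib = pkgs.lib;
+secrets = {
+jefke = {
+publicKeys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a pim@x260"
+];
+encryptedFiles = [ "jefke_host_ed25519.age" "jefke_user_ed25519.age" ];
+};
+};
+in lib.attrsets.mergeAttrsList (builtins.map ({ publicKeys, encryptedFiles }:
+lib.attrsets.mergeAttrsList (builtins.map
+(encryptedFile: { "${encryptedFile}" = { inherit publicKeys; }; })
+encryptedFiles)) (lib.attrsets.attrValues secrets))
+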
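Review bot: `publicKeys` for jefke lists only the `pim@x260` SSH key, yet agenix.nix decrypts these files on the host with `/root/age_ed25519`; an `.age` file can only be opened by an identity matching one of its recipients, so either the identity bootstrap.sh deploys is that same personal key — which would put an admin's private key on the server — or the host's own recipient is missing and decryption on the host cannot succeed. Either way the host should get its own recipient listed here alongside the admin key (kept for re-keying), with a comment `# first key: admin (re-keying); second: the host identity deployed by bootstrap.sh` so the roles stay clear. `pkgs = import <nixpkgs> { };` is only used for `lib`; `lib = (import <nixpkgs> { }).lib;` drops the unused binding, and a header comment noting that agenix evaluates this file with `nix-instantiate` (hence the `<nixpkgs>` lookup rather than a flake input) explains the apparent impurity.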