fix: adapt bootstrap script for new structure

This commit is contained in:
Leon Schwarzäugl 2025-07-05 03:07:08 +02:00
parent 49b557befa
commit de3d35a9b2
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
17 changed files with 391 additions and 272 deletions

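--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 secrets/keys/pubring.kbx
 secrets/keys/private-keys-v1.d/
+install/flake.lock
 result
 *.~undo-tree~
 *.iso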


@ -1440,6 +1440,7 @@ Lastly, I add some of my own library functions to be used alongside the function
# nix build --print-out-paths --no-link .#images.<target-system>.live-iso # nix build --print-out-paths --no-link .#images.<target-system>.live-iso
packages.live-iso = inputs.nixos-generators.nixosGenerate { packages.live-iso = inputs.nixos-generators.nixosGenerate {
inherit pkgs; inherit pkgs;
specialArgs = { inherit self; };
modules = [ modules = [
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
"${self}/install/installer-config.nix" "${self}/install/installer-config.nix"
@ -1460,7 +1461,7 @@ Lastly, I add some of my own library functions to be used alongside the function
{ {
description = "Minimal installer flake - not to be used manually"; description = "Minimal installer flake - not to be used manually";
inputs.swarsel.url = "github:Swarsel/.dotfiles"; inputs.swarsel.url = "./..";
outputs = { swarsel, ... }: { nixosConfigurations = swarsel.nixosConfigurationsMinimal; }; outputs = { swarsel, ... }: { nixosConfigurations = swarsel.nixosConfigurationsMinimal; };
} }
@ -1705,7 +1706,7 @@ My work machine. Built for more security, this is the gold standard of my config
:CUSTOM_ID: h:567c0055-f5f7-4e53-8f13-d767d7166e9d :CUSTOM_ID: h:567c0055-f5f7-4e53-8f13-d767d7166e9d
:END: :END:
#+begin_src nix-ts :tangle hosts/nixos/nbl-imba-2/default.nix #+begin_src nix-ts :tangle hosts/nixos/nbl-imba-2/default.nix
{ self, config, inputs, lib, ... }: { self, config, inputs, lib, minimal, ... }:
let let
primaryUser = config.swarselsystems.mainUser; primaryUser = config.swarselsystems.mainUser;
sharedOptions = { sharedOptions = {
@ -2821,15 +2822,15 @@ This is a slim setup for developing base configuration. I do not track the hardw
:CUSTOM_ID: h:4e53b40b-98b2-4615-b1b0-3696a75edd6e :CUSTOM_ID: h:4e53b40b-98b2-4615-b1b0-3696a75edd6e
:END: :END:
#+begin_src nix-ts :tangle hosts/nixos/toto/default.nix #+begin_src nix-ts :tangle hosts/nixos/toto/default.nix
{ self, lib, minimal, ... }: { self, config, lib, minimal, ... }:
let let
primaryUser = config.swarselsystems.mainUser;
sharedOptions = { sharedOptions = {
isBtrfs = true; isBtrfs = true;
isLinux = true; isLinux = true;
profiles = { profiles = {
toto = lib.mkIf (!minimal) true; toto = lib.mkIf (!minimal) true;
minimal = lib.mkIf minimal true; minimal = lib.mkIf minimal true;
btrfs = lib.mkIf minimal true;
}; };
}; };
in in
@ -2857,12 +2858,13 @@ This is a slim setup for developing base configuration. I do not track the hardw
isSwap = true; isSwap = true;
swapSize = "2G"; swapSize = "2G";
# rootDisk = "/dev/nvme0n1"; # rootDisk = "/dev/nvme0n1";
rootDisk = "/dev/sda"; rootDisk = "/dev/vda";
profiles.btrfs = lib.mkIf minimal true;
# rootDisk = "/dev/vda"; # rootDisk = "/dev/vda";
} }
sharedOptions; sharedOptions;
home-manager.users."setup" = { home-manager.users.${primaryUser} = {
home.stateVersion = lib.mkForce "23.05"; home.stateVersion = lib.mkForce "23.05";
swarselsystems = lib.recursiveUpdate swarselsystems = lib.recursiveUpdate
{ {
@ -3022,8 +3024,12 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
#+begin_src nix-ts :tangle install/installer-config.nix #+begin_src nix-ts :tangle install/installer-config.nix
{ pkgs, lib, ... }: { self, config, pkgs, lib, ... }:
{ let
pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
in
{
config = { config = {
home-manager.users.root.home = { home-manager.users.root.home = {
stateVersion = "23.05"; stateVersion = "23.05";
@ -3035,9 +3041,48 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
}; };
}; };
}; };
home-manager.users.swarsel = {
home = {
username = "swarsel";
homeDirectory = lib.mkDefault "/home/swarsel";
stateVersion = lib.mkDefault "23.05";
keyboard.layout = "us";
sessionVariables = {
FLAKE = "/home/swarsel/.dotfiles";
};
file = {
".bash_history" = {
text = ''
swarsel-install -n chaostheatre
'';
};
};
};
};
nix.settings = { security.sudo.extraConfig = ''
experimental-features = [ "nix-command" "flakes" ]; Defaults env_keep+=SSH_AUTH_SOCK
Defaults lecture = never
'';
security.pam = {
sshAgentAuth.enable = true;
services = {
sudo.u2fAuth = true;
};
};
nix = {
channel.enable = false;
package = pkgs.nixVersions.nix_2_28;
extraOptions = ''
plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
patches = (o.patches or []) ++ [ ../nix/nix-plugins.patch ];
})}/lib/nix/plugins
extra-builtins-file = ${../nix/extra-builtins.nix}
'';
settings.experimental-features = [ "nix-command" "flakes" ];
}; };
boot = { boot = {
@ -3087,7 +3132,7 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
networking = { networking = {
hostName = "drugstore"; hostName = "drugstore";
wireless.enable = false; wireless.enable = false;
dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload"; # dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";
networkmanager.enable = true; networkmanager.enable = true;
}; };
@ -3095,11 +3140,20 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
users = { users = {
allowNoPasswordLogin = true; allowNoPasswordLogin = true;
groups.swarsel = { };
users = { users = {
root = { swarsel = {
name = "swarsel";
group = "swarsel";
isNormalUser = true;
password = "setup"; # this is overwritten after install password = "setup"; # this is overwritten after install
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = [ "wheel" ];
};
root = {
initialHashedPassword = lib.mkForce null; initialHashedPassword = lib.mkForce null;
openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDd0XXoLfRE0AyasxscEBwMqOnLWPqwz+etGqzVNeSw/RcgnxOi903mlVjCH+jzWMSe2GVSgzgM20j/r9sfE2P1z+wq/RODFS04JM0ltUoFkkm/IDZXQ2piOk7AoVi5ajdx4EiBnXY87jvxh5cCgQltkj3ouPF7FVN/MaN21IgWYB8NgkaVGft//OplodlDQNot17c0sFMibY0HcquwmHhqKOtKM1gT98+jZl0rd1rCqXFOvkesW6FPC4nzirPai+Hizp5gncrkJOZmLLqrjVx6PfpQzqzIhoUn1YS5CpyfXnKZUgx2Oi8SENmWOZ9DxYvDklgEttob37E2bIXbUhOw/u4I3olGFgCsKL6jg0N+d5teEaCZFnzlOp0UMWiUo7lVqq7Bwl3rNka2pxEdZ9v/1+m9cJiP7h6pnKmccVGku57iGIDnsnoTrmo1qbAje+EsmPYbc+qMnTDvOdSHTOXnjsyTd+ADklvMHCUAuf6ku4ktQEhlZxU3PvYvKHa1cTCEXxLWjytIgHgTgab9M5IH29Q55LSRRQBzUdkwjOG6KhsqG+xEE6038EbXr0MGKTm01AFmeVZWewmkSLu2UdoOMiw8mTSQhQFfp2QruYHnh7oJCo7ttKT1sLoRX+TfgQm1ryn/orhReg2GFfmbiLGxaJGVNvjqCxqrIFQXx4ZDHw== cardno:22_412_399" ]; password = lib.mkForce config.users.users.swarsel.password; # this is overwritten after install
openssh.authorizedKeys.keys = config.users.users.swarsel.openssh.authorizedKeys.keys;
}; };
}; };
}; };
@ -3110,10 +3164,10 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
system.activationScripts.cache = { system.activationScripts.cache = {
text = '' text = ''
mkdir -p -m=0777 /home/setup/.local/state/nix/profiles mkdir -p -m=0777 /home/swarsel/.local/state/nix/profiles
mkdir -p -m=0777 /home/setup/.local/state/home-manager/gcroots mkdir -p -m=0777 /home/swarsel/.local/state/home-manager/gcroots
mkdir -p -m=0777 /home/setup/.local/share/nix/ mkdir -p -m=0777 /home/swarsel/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/setup/.local/share/nix/trusted-settings.json > /dev/null printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/swarsel/.local/share/nix/trusted-settings.json > /dev/null
mkdir -p /root/.local/share/nix/ mkdir -p /root/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null
''; '';
@ -3730,24 +3784,9 @@ A breakdown of the flags being set:
- nix.nixPath: Basically the same as =nix.registry=, but for the legacy nix commands - nix.nixPath: Basically the same as =nix.registry=, but for the legacy nix commands
#+begin_src nix-ts :tangle modules/nixos/common/settings.nix #+begin_src nix-ts :tangle modules/nixos/common/settings.nix
{ lib, pkgs, config, outputs, inputs, minimal, ... }: { self, lib, pkgs, config, outputs, inputs, minimal, ... }:
{ let
options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings"; settings = if minimal then { } else {
config = lib.mkIf config.swarselsystems.modules.general
({
system.stateVersion = lib.mkDefault "23.05";
nixpkgs = {
overlays = [ outputs.overlays.default ];
config = {
allowUnfree = true;
};
};
}
// lib.optionalAttrs (!minimal) {
environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" '' environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false; assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
{ } { }
@ -3759,14 +3798,6 @@ A breakdown of the flags being set:
in in
{ {
settings = { settings = {
experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
"cgroups"
"pipe-operators"
];
trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
connect-timeout = 5; connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w "; bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
@ -3802,7 +3833,50 @@ A breakdown of the flags being set:
environment.TMPDIR = "/var/tmp"; environment.TMPDIR = "/var/tmp";
}; };
}); };
in
{
options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
config = lib.mkIf config.swarselsystems.modules.general
(lib.recursiveUpdate
{
nix = {
package = pkgs.nixVersions.nix_2_28;
settings = {
experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
"cgroups"
"pipe-operators"
];
trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
};
# extraOptions = ''
# plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
# extra-builtins-file = ${self + /nix/extra-builtins.nix}
# '';
extraOptions = ''
plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
patches = (o.patches or []) ++ ["${self}/nix/nix-plugins.patch"];
})}/lib/nix/plugins
extra-builtins-file = ${self + /nix/extra-builtins.nix}
'';
};
system.stateVersion = lib.mkDefault "23.05";
nixpkgs = {
overlays = [ outputs.overlays.default ];
config = {
allowUnfree = true;
};
};
}
settings);
} }
#+end_src #+end_src
@ -3869,7 +3943,7 @@ For that reason, make sure that =sops-nix= is properly working before setting th
description = "Leon S"; description = "Leon S";
password = lib.mkIf (config.swarselsystems.initialSetup || minimal) "setup"; password = lib.mkIf (config.swarselsystems.initialSetup || minimal) "setup";
hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup && !minimal) config.sops.secrets.swarseluser.path; hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup && !minimal) config.sops.secrets.swarseluser.path;
extraGroups = lib.mkIf (!minimal) [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ]; extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
packages = with pkgs; [ ]; packages = with pkgs; [ ];
}; };
}; };
@ -3941,9 +4015,8 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
#+begin_src nix-ts :tangle modules/nixos/common/pii.nix #+begin_src nix-ts :tangle modules/nixos/common/pii.nix
# largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
{ config, inputs, lib, ... }: { config, inputs, lib, minimal, ... }:
let let
# If the given expression is a bare set, it will be wrapped in a function, # If the given expression is a bare set, it will be wrapped in a function,
# so that the imported file can always be applied to the inputs, similar to # so that the imported file can always be applied to the inputs, similar to
# how modules can be functions or sets. # how modules can be functions or sets.
@ -3968,51 +4041,51 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
in in
{ {
options = { options = {
repo = { repo = {
secretFiles = lib.mkOption { secretFiles = lib.mkOption {
default = { }; default = { };
type = lib.types.attrsOf lib.types.path; type = lib.types.attrsOf lib.types.path;
example = lib.literalExpression "{ local = ./pii.nix.enc; }"; example = lib.literalExpression "{ local = ./pii.nix.enc; }";
description = '' description = ''
This file manages the origin for this machine's repository-secrets. Anything that is This file manages the origin for this machine's repository-secrets. Anything that is
technically not a secret in the classical sense (i.e. that it has to be protected technically not a secret in the classical sense (i.e. that it has to be protected
after it has been deployed), but something you want to keep secret from the public; after it has been deployed), but something you want to keep secret from the public;
Anything that you wouldn't want people to see on GitHub, but that can live unencrypted Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
on your own devices. Consider it a more ergonomic nix alternative to using git-crypt. on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
All of these secrets may (and probably will be) put into the world-readable nix-store All of these secrets may (and probably will be) put into the world-readable nix-store
on the build and target hosts. You'll most likely want to store personally identifiable on the build and target hosts. You'll most likely want to store personally identifiable
information here, such as: information here, such as:
- MAC Addreses - MAC Addreses
- Static IP addresses - Static IP addresses
- Your full name (when configuring your users) - Your full name (when configuring your users)
- Your postal address (when configuring e.g. home-assistant) - Your postal address (when configuring e.g. home-assistant)
- ... - ...
Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`, Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`,
the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`. the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
''; '';
}; };
secrets = lib.mkOption { secrets = lib.mkOption {
readOnly = true; readOnly = true;
default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles; default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
type = lib.types.unspecified; type = lib.types.unspecified;
description = "Exposes the loaded repo secrets. This option is read-only."; description = "Exposes the loaded repo secrets. This option is read-only.";
};
}; };
swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
}; };
swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
};
config = lib.mkIf config.swarselsystems.modules.pii { config = lib.mkIf config.swarselsystems.modules.pii {
repo.secretFiles = repo.secretFiles =
let let
local = config.node.secretsDir + "/pii.nix.enc"; local = config.node.secretsDir + "/pii.nix.enc";
in in
(lib.optionalAttrs (lib.pathExists local) { inherit local; }) // { (lib.optionalAttrs (lib.pathExists local && !minimal ) { inherit local; }) // lib.optionalAttrs (!minimal) {
common = ../../../secrets/repo/pii.nix.enc; common = ../../../secrets/repo/pii.nix.enc;
}; };
}; };
} }
#+end_src #+end_src
@ -9988,7 +10061,7 @@ This is where the theme for the whole OS is defined. Originally, this noweb-ref
isBtrfs = lib.mkEnableOption "use btrfs filesystem"; isBtrfs = lib.mkEnableOption "use btrfs filesystem";
mainUser = lib.mkOption { mainUser = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = if (!minimal) then globals.user.name else "setup" ; default = if (!minimal) then globals.user.name else "swarsel" ;
}; };
homeDir = lib.mkOption { homeDir = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@ -11113,7 +11186,7 @@ Eza provides me with a better =ls= command and some other useful aliases.
Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using [[#h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5][Magit]]) as well as a git template defined in [[#h:5ef03803-e150-41bc-b603-e80d60d96efc][Linking dotfiles]]. Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using [[#h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5][Magit]]) as well as a git template defined in [[#h:5ef03803-e150-41bc-b603-e80d60d96efc][Linking dotfiles]].
#+begin_src nix-ts :tangle modules/home/common/git.nix #+begin_src nix-ts :tangle modules/home/common/git.nix
{ lib, config, nixosConfig, globals, ... }: { lib, config, nixosConfig, globals, minimal, ... }:
let let
inherit (nixosConfig.repo.secrets.common.mail) address1; inherit (nixosConfig.repo.secrets.common.mail) address1;
inherit (nixosConfig.repo.secrets.common) fullName; inherit (nixosConfig.repo.secrets.common) fullName;
@ -11125,6 +11198,7 @@ Here I set up my git config, automatic signing of commits, useful aliases for my
config = lib.mkIf config.swarselsystems.modules.git { config = lib.mkIf config.swarselsystems.modules.git {
programs.git = { programs.git = {
enable = true; enable = true;
} // lib.optionalAttrs (!minimal) {
aliases = { aliases = {
a = "add"; a = "add";
c = "commit"; c = "commit";
@ -14565,6 +14639,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
fi fi
cd "$FLAKE" cd "$FLAKE"
rm install/flake.lock || true
git_root=$(git rev-parse --show-toplevel) git_root=$(git rev-parse --show-toplevel)
# ------------------------ # ------------------------
green "Wiping known_hosts of $target_destination" green "Wiping known_hosts of $target_destination"
@ -14609,7 +14684,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
# ------------------------ # ------------------------
green "Deploying minimal NixOS installation on $target_destination" green "Deploying minimal NixOS installation on $target_destination"
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination" nix run github:nix-community/nixos-anywhere/1.10.0 -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination"
echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts" echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
@ -14675,14 +14750,15 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
# -------------------------- # --------------------------
green "Making ssh_host_ed25519_key available to home-manager for user $target_user" green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown -R $target_user:users /home/$target_user/.ssh/"
$scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key $scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key
$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key" $ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key"
# __________________________ # __________________________
if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then
green "Adding ssh host fingerprints for git{lab,hub}" green "Adding ssh host fingerprints for git{lab,hub}"
$ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /home/$target_user/.ssh/known_hosts" $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts"
$ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /root/.ssh/known_hosts" $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts"
fi fi
# -------------------------- # --------------------------
@ -14699,35 +14775,48 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
fi fi
if yes_or_no "Do you want to rebuild immediately?"; then if yes_or_no "Do you want to rebuild immediately?"; then
green "Rebuilding nix-config on $target_hostname" green "Building nix-config for $target_hostname"
yellow "Reminder: The password is 'setup'" # yellow "Reminder: The password is 'setup'"
$ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' > /root/.local/share/nix/trusted-settings.json" $ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json"
$ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch" # $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
store_path=$(nix build --no-link --print-out-paths .#nixosConfigurations."$target_hostname".config.system.build.toplevel)
green "Copying generation to $target_hostname"
nix copy --to "ssh://root@$target_destination" "$store_path"
# prev_system=$($ssh_root_cmd " readlink -e /nix/var/nix/profiles/system")
green "Linking generation in bootloader"
$ssh_root_cmd "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set $store_path"
green "Setting generation to activate upon next boot"
$ssh_root_cmd "$store_path/bin/switch-to-configuration boot"
else
echo
green "NixOS was successfully installed!"
echo "Post-install config build instructions:"
echo "To copy nix-config from this machine to the $target_hostname, run the following command from ~/nix-config"
echo "just sync $target_user $target_destination"
echo "To rebuild, sign into $target_hostname and run the following command from ~/nix-config"
echo "cd nix-config"
# see above FIXME:(bootstrap)
echo "sudo nixos-rebuild .pre-commit-config.yaml show-trace --flake .#$target_hostname switch"
# echo "just rebuild"
echo
fi fi
else
echo
green "NixOS was successfully installed!"
echo "Post-install config build instructions:"
echo "To copy nix-config from this machine to the $target_hostname, run the following command from ~/nix-config"
echo "just sync $target_user $target_destination"
echo "To rebuild, sign into $target_hostname and run the following command from ~/nix-config"
echo "cd nix-config"
# see above FIXME:(bootstrap)
echo "sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
# echo "just rebuild"
echo
fi fi
green "NixOS was successfully installed!"
if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
cd "${git_root}" cd "${git_root}"
deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe
nixpkgs-fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix nixpkgs--fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix
(pre-commit run --all-files 2> /dev/null || true) && (.pre-commit-config.yaml mit run --all-files 2> /dev/null || true) &&
git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" && git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" &&
git add "$git_root/.sops.yaml" && git add "$git_root/.sops.yaml" &&
git add "$git_root/secrets" && git add "$git_root/secrets" &&
(git commit -m "feat: deployed $target_hostname" || true) && git push (git commit -m "feat: deployed $target_hostname" || true) && git push
fi fi
if yes_or_no "Reboot now?"; then
$ssh_root_cmd "reboot"
fi
#+end_src #+end_src
@ -15820,6 +15909,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
impermanence = lib.mkDefault true; impermanence = lib.mkDefault true;
lanzaboote = lib.mkDefault true; lanzaboote = lib.mkDefault true;
autologin = lib.mkDefault true; autologin = lib.mkDefault true;
pii = lib.mkDefault true;
server = { server = {
ssh = lib.mkDefault true; ssh = lib.mkDefault true;
}; };
@ -16181,6 +16271,7 @@ This holds modules that are to be used on most hosts. These are also the most im
sops = lib.mkDefault true; sops = lib.mkDefault true;
kitty = lib.mkDefault true; kitty = lib.mkDefault true;
zsh = lib.mkDefault true; zsh = lib.mkDefault true;
git = lib.mkDefault true;
}; };
}; };
@ -16255,6 +16346,8 @@ This holds modules that are to be used on most hosts. These are also the most im
general = lib.mkDefault true; general = lib.mkDefault true;
sops = lib.mkDefault true; sops = lib.mkDefault true;
ssh = lib.mkDefault true; ssh = lib.mkDefault true;
kitty = lib.mkDefault true;
git = lib.mkDefault true;
}; };
}; };
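Review bot: Pinning nixos-anywhere to the `1.10.0` tag on the new `nix run github:nix-community/nixos-anywhere/1.10.0 -- ... root@"$target_destination"` line (hunk at @ -14609) buys reproducibility but not integrity: a git tag is mutable, the code is fetched from GitHub at run time, and it is then handed root on the freshly wiped target. Pin the tag's commit instead (`github:nix-community/nixos-anywhere/<rev>`), or declare nixos-anywhere as a flake input so flake.lock records its narHash and the bootstrap runs the locked copy. Since `install/flake.lock` is now deleted on every run (`rm install/flake.lock || true` in the hunk before it) and gitignored, the lock file is no longer a place where this pin could be recorded, so the rev has to live in the command line or in the parent flake. The bootstrap script's surrounding control flow starts and ends outside this hunk.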


@ -174,6 +174,7 @@ if [ ! -d "$FLAKE" ]; then
fi fi
cd "$FLAKE" cd "$FLAKE"
rm install/flake.lock || true
git_root=$(git rev-parse --show-toplevel) git_root=$(git rev-parse --show-toplevel)
# ------------------------ # ------------------------
green "Wiping known_hosts of $target_destination" green "Wiping known_hosts of $target_destination"
@ -218,7 +219,7 @@ $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "$
# ------------------------ # ------------------------
green "Deploying minimal NixOS installation on $target_destination" green "Deploying minimal NixOS installation on $target_destination"
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination" nix run github:nix-community/nixos-anywhere/1.10.0 -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination"
echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts" echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
@ -284,14 +285,15 @@ sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.
# -------------------------- # --------------------------
green "Making ssh_host_ed25519_key available to home-manager for user $target_user" green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown -R $target_user:users /home/$target_user/.ssh/"
$scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key $scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key
$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key" $ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key"
# __________________________ # __________________________
if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then
green "Adding ssh host fingerprints for git{lab,hub}" green "Adding ssh host fingerprints for git{lab,hub}"
$ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /home/$target_user/.ssh/known_hosts" $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts"
$ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /root/.ssh/known_hosts" $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts"
fi fi
# -------------------------- # --------------------------
@ -308,32 +310,45 @@ if yes_or_no "Do you want to copy your full nix-config and nix-secrets to $targe
fi fi
if yes_or_no "Do you want to rebuild immediately?"; then if yes_or_no "Do you want to rebuild immediately?"; then
green "Rebuilding nix-config on $target_hostname" green "Building nix-config for $target_hostname"
yellow "Reminder: The password is 'setup'" # yellow "Reminder: The password is 'setup'"
$ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' > /root/.local/share/nix/trusted-settings.json" $ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json"
$ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch" # $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
store_path=$(nix build --no-link --print-out-paths .#nixosConfigurations."$target_hostname".config.system.build.toplevel)
green "Copying generation to $target_hostname"
nix copy --to "ssh://root@$target_destination" "$store_path"
# prev_system=$($ssh_root_cmd " readlink -e /nix/var/nix/profiles/system")
green "Linking generation in bootloader"
$ssh_root_cmd "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set $store_path"
green "Setting generation to activate upon next boot"
$ssh_root_cmd "$store_path/bin/switch-to-configuration boot"
else
echo
green "NixOS was successfully installed!"
echo "Post-install config build instructions:"
echo "To copy nix-config from this machine to the $target_hostname, run the following command from ~/nix-config"
echo "just sync $target_user $target_destination"
echo "To rebuild, sign into $target_hostname and run the following command from ~/nix-config"
echo "cd nix-config"
# see above FIXME:(bootstrap)
echo "sudo nixos-rebuild .pre-commit-config.yaml show-trace --flake .#$target_hostname switch"
# echo "just rebuild"
echo
fi fi
else
echo
green "NixOS was successfully installed!"
echo "Post-install config build instructions:"
echo "To copy nix-config from this machine to the $target_hostname, run the following command from ~/nix-config"
echo "just sync $target_user $target_destination"
echo "To rebuild, sign into $target_hostname and run the following command from ~/nix-config"
echo "cd nix-config"
# see above FIXME:(bootstrap)
echo "sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
# echo "just rebuild"
echo
fi fi
green "NixOS was successfully installed!"
if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
cd "${git_root}" cd "${git_root}"
deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe
nixpkgs-fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix nixpkgs--fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix
(pre-commit run --all-files 2> /dev/null || true) && (.pre-commit-config.yaml mit run --all-files 2> /dev/null || true) &&
git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" && git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" &&
git add "$git_root/.sops.yaml" && git add "$git_root/.sops.yaml" &&
git add "$git_root/secrets" && git add "$git_root/secrets" &&
(git commit -m "feat: deployed $target_hostname" || true) && git push (git commit -m "feat: deployed $target_hostname" || true) && git push
fi fi
if yes_or_no "Reboot now?"; then
$ssh_root_cmd "reboot"
fi


@ -1,4 +1,4 @@
{ self, config, inputs, lib, ... }: { self, config, inputs, lib, minimal, ... }:
let let
primaryUser = config.swarselsystems.mainUser; primaryUser = config.swarselsystems.mainUser;
sharedOptions = { sharedOptions = {


@ -1,12 +1,12 @@
{ self, lib, minimal, ... }: { self, config, lib, minimal, ... }:
let let
primaryUser = config.swarselsystems.mainUser;
sharedOptions = { sharedOptions = {
isBtrfs = true; isBtrfs = true;
isLinux = true; isLinux = true;
profiles = { profiles = {
toto = lib.mkIf (!minimal) true; toto = lib.mkIf (!minimal) true;
minimal = lib.mkIf minimal true; minimal = lib.mkIf minimal true;
btrfs = lib.mkIf minimal true;
}; };
}; };
in in
@ -34,12 +34,13 @@ in
isSwap = true; isSwap = true;
swapSize = "2G"; swapSize = "2G";
# rootDisk = "/dev/nvme0n1"; # rootDisk = "/dev/nvme0n1";
rootDisk = "/dev/sda"; rootDisk = "/dev/vda";
profiles.btrfs = lib.mkIf minimal true;
# rootDisk = "/dev/vda"; # rootDisk = "/dev/vda";
} }
sharedOptions; sharedOptions;
home-manager.users."setup" = { home-manager.users.${primaryUser} = {
home.stateVersion = lib.mkForce "23.05"; home.stateVersion = lib.mkForce "23.05";
swarselsystems = lib.recursiveUpdate swarselsystems = lib.recursiveUpdate
{ {
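Review bot: The commented-out `# rootDisk = "/dev/vda";` directly below the changed `rootDisk = "/dev/vda";` now repeats the live value instead of documenting the alternative, so it should either be dropped or become `# rootDisk = "/dev/sda";` to match what the old line recorded. The `btrfs = lib.mkIf minimal true;` entry moving into the shared `profiles` set is consistent with the sibling `minimal` entry; a one-line comment such as `# installer targets use btrfs; the full profile sets this elsewhere` would explain why it is gated on `minimal`. The surrounding attribute set continues outside this hunk.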


@ -1,7 +1,7 @@
{ {
description = "Minimal installer flake - not to be used manually"; description = "Minimal installer flake - not to be used manually";
inputs.swarsel.url = "github:Swarsel/.dotfiles"; inputs.swarsel.url = "./..";
outputs = { swarsel, ... }: { nixosConfigurations = swarsel.nixosConfigurationsMinimal; }; outputs = { swarsel, ... }: { nixosConfigurations = swarsel.nixosConfigurationsMinimal; };
} }
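Review bot: `inputs.swarsel.url = "./.."` makes the parent checkout a path-style flake input, and depending on the Nix version a path input is copied into the Nix store as a whole directory rather than restricted to git-tracked files, so any untracked or gitignored material present in the parent working tree would land in the world-readable store when this installer flake is evaluated. If the parent repository can hold such files, a `git+file:` reference to it, or a check that only tracked content is present before the installer flake is built, avoids that; please confirm which behaviour the installer's Nix version actually has, as that cannot be determined from the diff. A comment on the line, e.g. `# relative path input: the parent tree is copied to the store, keep untracked secrets out of it`, would make the trade-off explicit.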


@ -1,5 +1,9 @@
{ pkgs, lib, ... }: { self, config, pkgs, lib, ... }:
let
pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
in
{ {
config = { config = {
home-manager.users.root.home = { home-manager.users.root.home = {
stateVersion = "23.05"; stateVersion = "23.05";
@ -11,9 +15,48 @@
}; };
}; };
}; };
home-manager.users.swarsel = {
home = {
username = "swarsel";
homeDirectory = lib.mkDefault "/home/swarsel";
stateVersion = lib.mkDefault "23.05";
keyboard.layout = "us";
sessionVariables = {
FLAKE = "/home/swarsel/.dotfiles";
};
file = {
".bash_history" = {
text = ''
swarsel-install -n chaostheatre
'';
};
};
};
};
nix.settings = { security.sudo.extraConfig = ''
experimental-features = [ "nix-command" "flakes" ]; Defaults env_keep+=SSH_AUTH_SOCK
Defaults lecture = never
'';
security.pam = {
sshAgentAuth.enable = true;
services = {
sudo.u2fAuth = true;
};
};
nix = {
channel.enable = false;
package = pkgs.nixVersions.nix_2_28;
extraOptions = ''
plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
patches = (o.patches or []) ++ [ ../nix/nix-plugins.patch ];
})}/lib/nix/plugins
extra-builtins-file = ${../nix/extra-builtins.nix}
'';
settings.experimental-features = [ "nix-command" "flakes" ];
}; };
boot = { boot = {
@ -63,7 +106,7 @@
networking = { networking = {
hostName = "drugstore"; hostName = "drugstore";
wireless.enable = false; wireless.enable = false;
dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload"; # dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";
networkmanager.enable = true; networkmanager.enable = true;
}; };
@ -71,11 +114,20 @@
users = { users = {
allowNoPasswordLogin = true; allowNoPasswordLogin = true;
groups.swarsel = { };
users = { users = {
root = { swarsel = {
name = "swarsel";
group = "swarsel";
isNormalUser = true;
password = "setup"; # this is overwritten after install password = "setup"; # this is overwritten after install
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = [ "wheel" ];
};
root = {
initialHashedPassword = lib.mkForce null; initialHashedPassword = lib.mkForce null;
openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDd0XXoLfRE0AyasxscEBwMqOnLWPqwz+etGqzVNeSw/RcgnxOi903mlVjCH+jzWMSe2GVSgzgM20j/r9sfE2P1z+wq/RODFS04JM0ltUoFkkm/IDZXQ2piOk7AoVi5ajdx4EiBnXY87jvxh5cCgQltkj3ouPF7FVN/MaN21IgWYB8NgkaVGft//OplodlDQNot17c0sFMibY0HcquwmHhqKOtKM1gT98+jZl0rd1rCqXFOvkesW6FPC4nzirPai+Hizp5gncrkJOZmLLqrjVx6PfpQzqzIhoUn1YS5CpyfXnKZUgx2Oi8SENmWOZ9DxYvDklgEttob37E2bIXbUhOw/u4I3olGFgCsKL6jg0N+d5teEaCZFnzlOp0UMWiUo7lVqq7Bwl3rNka2pxEdZ9v/1+m9cJiP7h6pnKmccVGku57iGIDnsnoTrmo1qbAje+EsmPYbc+qMnTDvOdSHTOXnjsyTd+ADklvMHCUAuf6ku4ktQEhlZxU3PvYvKHa1cTCEXxLWjytIgHgTgab9M5IH29Q55LSRRQBzUdkwjOG6KhsqG+xEE6038EbXr0MGKTm01AFmeVZWewmkSLu2UdoOMiw8mTSQhQFfp2QruYHnh7oJCo7ttKT1sLoRX+TfgQm1ryn/orhReg2GFfmbiLGxaJGVNvjqCxqrIFQXx4ZDHw== cardno:22_412_399" ]; password = lib.mkForce config.users.users.swarsel.password; # this is overwritten after install
openssh.authorizedKeys.keys = config.users.users.swarsel.openssh.authorizedKeys.keys;
}; };
}; };
}; };
@ -86,10 +138,10 @@
system.activationScripts.cache = { system.activationScripts.cache = {
text = '' text = ''
mkdir -p -m=0777 /home/setup/.local/state/nix/profiles mkdir -p -m=0777 /home/swarsel/.local/state/nix/profiles
mkdir -p -m=0777 /home/setup/.local/state/home-manager/gcroots mkdir -p -m=0777 /home/swarsel/.local/state/home-manager/gcroots
mkdir -p -m=0777 /home/setup/.local/share/nix/ mkdir -p -m=0777 /home/swarsel/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/setup/.local/share/nix/trusted-settings.json > /dev/null printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/swarsel/.local/share/nix/trusted-settings.json > /dev/null
mkdir -p /root/.local/share/nix/ mkdir -p /root/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null
''; '';
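Review bot: `pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh"` feeds every file under that directory into `openssh.authorizedKeys.keys` for the `swarsel` user, and root inherits the same list via `config.users.users.swarsel.openssh.authorizedKeys.keys`, so any non-public-key file that ends up in that tree is installed as an authorized key verbatim. Restricting the list to public keys, `pubKeys = builtins.filter (lib.hasSuffix ".pub") (lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh");`, keeps a stray file from widening SSH access on the installer. The `mkdir -p -m=0777` lines in the activation script create the profile and gcroots directories world-writable; `0755` plus an explicit `chown swarsel` would be the tighter choice unless the mode is deliberate for the unprivileged install flow, in which case a short comment saying so belongs there. The `nix.extraOptions` plugin block here duplicates the one in the general module; factoring it into one shared module would keep the two from drifting.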


@ -1,4 +1,4 @@
{ lib, config, nixosConfig, globals, ... }: { lib, config, nixosConfig, globals, minimal, ... }:
let let
inherit (nixosConfig.repo.secrets.common.mail) address1; inherit (nixosConfig.repo.secrets.common.mail) address1;
inherit (nixosConfig.repo.secrets.common) fullName; inherit (nixosConfig.repo.secrets.common) fullName;
@ -10,6 +10,7 @@ in
config = lib.mkIf config.swarselsystems.modules.git { config = lib.mkIf config.swarselsystems.modules.git {
programs.git = { programs.git = {
enable = true; enable = true;
} // lib.optionalAttrs (!minimal) {
aliases = { aliases = {
a = "add"; a = "add";
c = "commit"; c = "commit";


@ -9,7 +9,7 @@
isBtrfs = lib.mkEnableOption "use btrfs filesystem"; isBtrfs = lib.mkEnableOption "use btrfs filesystem";
mainUser = lib.mkOption { mainUser = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = if (!minimal) then globals.user.name else "setup"; default = if (!minimal) then globals.user.name else "swarsel";
}; };
homeDir = lib.mkOption { homeDir = lib.mkOption {
type = lib.types.str; type = lib.types.str;


@ -1,68 +0,0 @@
{ lib, pkgs, ... }:
{
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
warn-dirty = false;
};
boot = {
# initrd.systemd.enable = true;
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems = lib.mkForce [ "brtfs" "vfat" ];
loader = {
efi.canTouchEfiVariables = true;
systemd-boot = {
enable = true;
configurationLimit = lib.mkDefault 5;
consoleMode = lib.mkDefault "max";
};
};
};
services = {
qemuGuest.enable = true;
openssh = {
enable = true;
ports = lib.mkDefault [ 22 ];
settings.PermitRootLogin = "yes";
authorizedKeysFiles = lib.mkForce [
"/etc/ssh/authorized_keys.d/%u"
];
};
};
security.sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
Defaults lecture = never
'';
security.pam = {
sshAgentAuth.enable = true;
services = {
sudo.u2fAuth = true;
};
};
environment.systemPackages = with pkgs; [
curl
git
gnupg
rsync
ssh-to-age
sops
vim
just
sbctl
];
programs = {
git.enable = true;
};
fileSystems."/boot".options = [ "umask=0077" ];
networking.networkmanager.enable = true;
}


@ -1,7 +1,6 @@
# largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
{ config, inputs, lib, ... }: { config, inputs, lib, minimal, ... }:
let let
# If the given expression is a bare set, it will be wrapped in a function, # If the given expression is a bare set, it will be wrapped in a function,
# so that the imported file can always be applied to the inputs, similar to # so that the imported file can always be applied to the inputs, similar to
# how modules can be functions or sets. # how modules can be functions or sets.
@ -66,7 +65,7 @@ in
let let
local = config.node.secretsDir + "/pii.nix.enc"; local = config.node.secretsDir + "/pii.nix.enc";
in in
(lib.optionalAttrs (lib.pathExists local) { inherit local; }) // { (lib.optionalAttrs (lib.pathExists local && !minimal) { inherit local; }) // lib.optionalAttrs (!minimal) {
common = ../../../secrets/repo/pii.nix.enc; common = ../../../secrets/repo/pii.nix.enc;
}; };
}; };


@ -1,31 +1,62 @@
{ lib, pkgs, config, outputs, inputs, minimal, ... }: { self, lib, pkgs, config, outputs, inputs, minimal, ... }:
let
settings = if minimal then { } else {
environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
{ }
'';
nix =
let
flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
in
{
settings = {
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
flake-registry = "";
auto-optimise-store = true;
warn-dirty = false;
max-jobs = 1;
use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 10d";
};
optimise = {
automatic = true;
dates = "weekly";
};
channel.enable = false;
registry = rec {
nixpkgs.flake = inputs.nixpkgs;
p = nixpkgs;
};
nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
};
services.dbus.implementation = "broker";
systemd.services.nix-daemon = {
environment.TMPDIR = "/var/tmp";
};
};
in
{ {
options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings"; options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
config = lib.mkIf config.swarselsystems.modules.general config = lib.mkIf config.swarselsystems.modules.general
({ (lib.recursiveUpdate
{
system.stateVersion = lib.mkDefault "23.05"; nix = {
package = pkgs.nixVersions.nix_2_28;
nixpkgs = {
overlays = [ outputs.overlays.default ];
config = {
allowUnfree = true;
};
};
}
// lib.optionalAttrs (!minimal) {
environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
{ }
'';
nix =
let
flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
in
{
settings = { settings = {
experimental-features = [ experimental-features = [
"nix-command" "nix-command"
@ -35,40 +66,29 @@
"pipe-operators" "pipe-operators"
]; ];
trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ]; trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
flake-registry = "";
auto-optimise-store = true;
warn-dirty = false;
max-jobs = 1;
use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
}; };
gc = { # extraOptions = ''
automatic = true; # plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
dates = "weekly"; # extra-builtins-file = ${self + /nix/extra-builtins.nix}
options = "--delete-older-than 10d"; # '';
}; extraOptions = ''
optimise = { plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
automatic = true; buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
dates = "weekly"; patches = (o.patches or []) ++ ["${self}/nix/nix-plugins.patch"];
}; })}/lib/nix/plugins
channel.enable = false; extra-builtins-file = ${self + /nix/extra-builtins.nix}
registry = rec { '';
nixpkgs.flake = inputs.nixpkgs;
p = nixpkgs;
};
nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
}; };
services.dbus.implementation = "broker"; system.stateVersion = lib.mkDefault "23.05";
systemd.services.nix-daemon = { nixpkgs = {
environment.TMPDIR = "/var/tmp"; overlays = [ outputs.overlays.default ];
}; config = {
allowUnfree = true;
};
};
}); }
settings);
} }
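Review bot: `lib.recursiveUpdate { … } settings` at the end of the `config` block merges two plain attribute sets structurally instead of letting the module system merge them, so a key present on both sides — `nix.settings` already is — is recursed into or overwritten by plain set semantics rather than by option type, and any list or `lib.mkIf`-wrapped value added to both sides later would be silently replaced. The idiomatic form is `config = lib.mkIf config.swarselsystems.modules.general (lib.mkMerge [ { … } (lib.mkIf (!minimal) settings) ]);`, after which `settings` no longer needs the `if minimal then { } else` wrapper. The commented-out `# extraOptions` block above the live `extraOptions` is a leftover and can go. The `pkgs.nix-plugins.overrideAttrs` / `nix_2_28` block also appears in the installer config; moving it into one shared module would keep them in step.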


@ -14,7 +14,7 @@ in
description = "Leon S"; description = "Leon S";
password = lib.mkIf (config.swarselsystems.initialSetup || minimal) "setup"; password = lib.mkIf (config.swarselsystems.initialSetup || minimal) "setup";
hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup && !minimal) config.sops.secrets.swarseluser.path; hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup && !minimal) config.sops.secrets.swarseluser.path;
extraGroups = lib.mkIf (!minimal) [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ]; extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
packages = with pkgs; [ ]; packages = with pkgs; [ ];
}; };
}; };
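Review bot: `extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ … ]` puts the user in wheel unconditionally, whereas the old `lib.mkIf (!minimal)` line gave the minimal profile no extra groups; two lines up the same minimal profile sets `password = "setup"`, so on a minimal host that well-known password now also carries sudo rights until the first full rebuild replaces it with `hashedPasswordFile`. If wheel is required in minimal mode for the bootstrap flow, it is worth making sure the bootstrap either forces a password change or keeps SSH password authentication off during that window, and recording the reason on this line, e.g. `# wheel is needed for the remote rebuild; the initial password is replaced on the first full switch`. The enclosing user definition starts outside this hunk.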


@ -5,6 +5,7 @@
# nix build --print-out-paths --no-link .#images.<target-system>.live-iso # nix build --print-out-paths --no-link .#images.<target-system>.live-iso
packages.live-iso = inputs.nixos-generators.nixosGenerate { packages.live-iso = inputs.nixos-generators.nixosGenerate {
inherit pkgs; inherit pkgs;
specialArgs = { inherit self; };
modules = [ modules = [
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
"${self}/install/installer-config.nix" "${self}/install/installer-config.nix"


@ -7,6 +7,7 @@
sops = lib.mkDefault true; sops = lib.mkDefault true;
kitty = lib.mkDefault true; kitty = lib.mkDefault true;
zsh = lib.mkDefault true; zsh = lib.mkDefault true;
git = lib.mkDefault true;
}; };
}; };


@ -6,6 +6,8 @@
general = lib.mkDefault true; general = lib.mkDefault true;
sops = lib.mkDefault true; sops = lib.mkDefault true;
ssh = lib.mkDefault true; ssh = lib.mkDefault true;
kitty = lib.mkDefault true;
git = lib.mkDefault true;
}; };
}; };


@ -12,6 +12,7 @@
impermanence = lib.mkDefault true; impermanence = lib.mkDefault true;
lanzaboote = lib.mkDefault true; lanzaboote = lib.mkDefault true;
autologin = lib.mkDefault true; autologin = lib.mkDefault true;
pii = lib.mkDefault true;
server = { server = {
ssh = lib.mkDefault true; ssh = lib.mkDefault true;
}; };