From 8f7a75814d6ceb3bd934831110165e693ed80cf0 Mon Sep 17 00:00:00 2001
From: Jermeiah S
Date: Fri, 13 Jun 2025 23:18:52 -0400
Subject: [PATCH] init commit
---
 .envrc | 3 +
 .gitignore | 4 +
 configurations/nixos/tofu/configuration.nix | 38 ++
 configurations/nixos/tofu/default.nix | 16 +
 configurations/nixos/tofu/disko.nix | 47 ++
 .../nixos/tofu/hardware-configuration.nix | 36 ++
 flake.lock | 543 ++++++++++++++++++
 flake.nix | 37 ++
 justfile | 32 ++
 modules/flake/deploy.nix | 55 ++
 modules/flake/devshell.nix | 12 +
 modules/flake/toplevel.nix | 16 +
 modules/nixos/common/avahi.nix | 12 +
 modules/nixos/common/default.nix | 9 +
 modules/nixos/common/discovery.nix | 49 ++
 modules/nixos/common/nixos-generators.nix | 6 +
 modules/nixos/common/ssh.nix | 9 +
 modules/nixos/common/yggdrasil.nix | 68 +++
 modules/nixos/default.nix | 10 +
 overlays/default.nix | 21 +
 packages/otf/default.nix | 50 ++
 21 files changed, 1073 insertions(+)
 create mode 100644 .envrc
 create mode 100644 .gitignore
 create mode 100644 configurations/nixos/tofu/configuration.nix
 create mode 100644 configurations/nixos/tofu/default.nix
 create mode 100644 configurations/nixos/tofu/disko.nix
 create mode 100644 configurations/nixos/tofu/hardware-configuration.nix
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 justfile
 create mode 100644 modules/flake/deploy.nix
 create mode 100644 modules/flake/devshell.nix
 create mode 100644 modules/flake/toplevel.nix
 create mode 100644 modules/nixos/common/avahi.nix
 create mode 100644 modules/nixos/common/default.nix
 create mode 100644 modules/nixos/common/discovery.nix
 create mode 100644 modules/nixos/common/nixos-generators.nix
 create mode 100644 modules/nixos/common/ssh.nix
 create mode 100644 modules/nixos/common/yggdrasil.nix
 create mode 100644 modules/nixos/default.nix
 create mode 100644 overlays/default.nix
 create mode 100644 packages/otf/default.nix
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..fc56281
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,3 @@
+source_url https://raw.githubusercontent.com/juspay/omnix/75ed48923835963e2f18baba08f54a8adc307ba2/omnixrc "sha256-8C2Jb5bHx/0cvm1+9gOlBEdWzbikCWT5UsJWewUAFt4="
+watch_file om.yaml
+use omnix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..249564b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+data2
+data
+result
+.direnv
diff --git a/configurations/nixos/tofu/configuration.nix b/configurations/nixos/tofu/configuration.nix
new file mode 100644
index 0000000..c07da7e
--- /dev/null
+++ b/configurations/nixos/tofu/configuration.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+{
+ disko.devices.disk.main.device = "/dev/vda";
+
+ users.users.admin = {
+ isNormalUser = true;
+
+ name = "sky";
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "video"
+ "input"
+ ];
+ uid = 1000;
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+ };
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA9i9HoP7X8Ufzz8rAaP7Nl3UOMZxQHMrsnA5aEQfpTyIQ1qW68jJ4jGK5V6Wv27MMc3czDU1qfFWIbGEWurUHQ="
+ ];
+ services.tailscale = {
+ enable = true;
+ };
+ services.tty-ips.enable = true;
+ networking.yggdrasil.enable = true;
+ networking.yggdrasil.AllowedPublicKeys = [
+ "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
+ ];
+ virtualisation.incus.agent.enable = true;
+ nixpkgs.hostPlatform = "x86_64-linux";
+ networking.hostName = "smultiboi";
+ environment.systemPackages = [
+ pkgs.otf
+ ];
+ # Used for backwards compatibility, please read the changelog before changing.
+ # $ darwin-rebuild changelog
+ system.stateVersion = "25.05";
+}
diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix
new file mode 100644
index 0000000..f9289d7
--- /dev/null
+++ b/configurations/nixos/tofu/default.nix
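Review bot: The root SSH key under `users.users.root.openssh.authorizedKeys.keys` enables key-based root login (NixOS's sshd default `PermitRootLogin` is prohibit-password), and nothing here says that modules/flake/deploy.nix depends on it via `user = "root"`; add `# root key login is required by deploy-rs (modules/flake/deploy.nix); keep it key-only` above the list so the exposure reads as deliberate. The `admin` attribute sets `name = "sky"`, so the actual login name differs from the attribute name that other modules would reference as `users.users.admin`; either rename the attribute to `sky` or comment the `name` line. The trailing `# $ darwin-rebuild changelog` comment is copied from a nix-darwin template and does not apply to a NixOS host; drop that line.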
@@ -0,0 +1,16 @@
+# See /modules/nixos/* for actual settings
+# This file is just *top-level* configuration.
+{ flake, ... }:
+
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+in
+{
+ imports = [
+ self.nixosModules.default
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ./disko.nix
+ ];
+}
diff --git a/configurations/nixos/tofu/disko.nix b/configurations/nixos/tofu/disko.nix
new file mode 100644
index 0000000..804896c
--- /dev/null
+++ b/configurations/nixos/tofu/disko.nix
@@ -0,0 +1,47 @@
+{
+ lib,
+ config,
+ ...
+}:
+{
+ boot.loader.grub.efiSupport = lib.mkDefault true;
+ boot.loader.grub.efiInstallAsRemovable = lib.mkDefault true;
+ disko.devices = {
+ disk = {
+ "main" = {
+ # suffix is to prevent disk name collisions
+ name = "main-" + config.networking.hostName;
+ type = "disk";
+ # device = ;
+ content = {
+ type = "gpt";
+ partitions = {
+ "boot" = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ priority = 1;
+ };
+ "ESP" = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "nofail" ];
+ };
+ };
+ "root" = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/configurations/nixos/tofu/hardware-configuration.nix b/configurations/nixos/tofu/hardware-configuration.nix
new file mode 100644
index 0000000..3876427
--- /dev/null
+++ b/configurations/nixos/tofu/hardware-configuration.nix
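Review bot: `# device = ;` leaves the target disk unset here and relies on the host file setting `disko.devices.disk.main.device = "/dev/vda"` in configurations/nixos/tofu/configuration.nix, and disko will wipe and repartition whatever device that resolves to; replace the placeholder with `# device is set per host in configuration.nix; disko wipes and repartitions it on install` so the coupling and the destructive effect are visible where the layout lives. The layout is a single unencrypted ext4 root with no swap and `nofail` on the ESP; if that is the intended trade-off for this VM, a one-line comment above `disko.devices` saying so prevents repeated review questions.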
@@ -0,0 +1,36 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ahci"
+ "xhci_pci"
+ "virtio_pci"
+ "virtio_scsi"
+ "sr_mod"
+ "virtio_blk"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+ # virtualisation.qemu.guestAgent.enable = true;
+ services.qemuGuest.enable = true;
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..8af07ed
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,543 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1747575206, + "owner": "ryantm", + "repo": "agenix", + "rev": "4835b1dc898959d8547a871ef484930675cb47f1", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1727447169, + "owner": "serokell", + "repo": "deploy-rs", + "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1746728054, + "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=", + "rev": "ff442f5d1425feb86344c028298548024f21256d", + "revCount": 1236, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/nix-community/disko/1.12.0/0196b11c-619a-758e-a575-5bc724a22daf/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/nix-community/disko/1.12.0.tar.gz" + } + }, + "disko_2": { + "inputs": { + "nixpkgs": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744940522, + "narHash": "sha256-TNoetfICvd29DhxRPpmyKItQBDlqSvKcV+wGNkn14jk=", + "owner": "nix-community", + "repo": "disko", + "rev": 
"51d33bbb7f1e74ba5f9d9a77357735149da99081", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "revCount": 372, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.372%2Brev-c621e8422220273271f52058f618c94e405bb0f5/0195f502-afa0-7717-826b-66943fb33808/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1.372.tar.gz" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + 
"inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747556831, + "narHash": "sha256-Qb84nbYFFk0DzFeqVoHltS2RodAYY5/HZQKE8WnBDsc=", + "rev": "d0bbd221482c2713cccb80220f3c9d16a6e20a33", + "revCount": 4762, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/nix-community/home-manager/0.2505.4762%2Brev-d0bbd221482c2713cccb80220f3c9d16a6e20a33/0196e282-f128-7f4d-9772-a83177941c96/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/nix-community/home-manager/0.2505.%2A.tar.gz" + } + }, + "nix-darwin": { + "locked": { + "lastModified": 1748437600, + "narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=", + "rev": "7282cb574e0607e65224d33be8241eae7cfe0979", + "revCount": 802746, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.802746%2Brev-7282cb574e0607e65224d33be8241eae7cfe0979/01972246-83e0-7eee-b37e-089e4cceceda/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505.%2A.tar.gz" + } + }, + "nix-index-database": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1748751003, + "owner": "nix-community", + "repo": "nix-index-database", + "rev": "2860bee699248d828c2ed9097a1cd82c2f991b43", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-index-database", + "type": "github" + } + }, + "nixlib": { + "locked": { + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-anywhere": { + "inputs": { + "disko": "disko_2", + "flake-parts": "flake-parts_2", + "nixos-images": "nixos-images", + "nixos-stable": "nixos-stable", + "nixpkgs": "nixpkgs_3", + "treefmt-nix": 
"treefmt-nix" + }, + "locked": { + "lastModified": 1747722472, + "owner": "nix-community", + "repo": "nixos-anywhere", + "rev": "1e2882c902322f1fd5992da0f5674c70ad8b133b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "1.10.0", + "repo": "nixos-anywhere", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747663185, + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, + "nixos-images": { + "inputs": { + "nixos-stable": [ + "nixos-anywhere", + "nixos-stable" + ], + "nixos-unstable": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744853194, + "narHash": "sha256-NBOdBdQdxb3FdM4Ywb4cATMLfFtkPqDYh0LIQMZ7eRY=", + "owner": "nix-community", + "repo": "nixos-images", + "rev": "8f6f8060a13096934c2a502eb0508bdc3f1284a1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-images", + "type": "github" + } + }, + "nixos-stable": { + "locked": { + "lastModified": 1744440957, + "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixos-unified": { + "locked": { + "lastModified": 1747972413, + "owner": "srid", + "repo": "nixos-unified", + "rev": "a1d1cd9ae1ca9866f47afc5e12f30acded261fcb", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "nixos-unified", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1745391562, + "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", + "owner": "NixOS", + "repo": "nixpkgs", + 
"rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1743296961, + "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1746576598, + "narHash": "sha256-FshoQvr6Aor5SnORVvh/ZdJ1Sa2U4ZrIMwKBX5k2wu0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b3582c75c7f21ce0b429898980eddbbf05c68e55", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1745088452, + "narHash": "sha256-6SrsUiwNtyQtl+JJNcNKe98iediwPrY9Kldhszqggto=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ae0c0ebf757121ee44bb98e70a71212a9961055d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1748437600, + "narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=", + "rev": "7282cb574e0607e65224d33be8241eae7cfe0979", + "revCount": 802746, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.802746%2Brev-7282cb574e0607e65224d33be8241eae7cfe0979/01972246-83e0-7eee-b37e-089e4cceceda/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505.%2A.tar.gz" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1731763621, + "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": 
"c69a9bffbecde46b4b939465422ddc59493d3e4d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "deploy-rs": "deploy-rs", + "disko": "disko", + "flake-parts": "flake-parts", + "home-manager": "home-manager_2", + "nix-darwin": "nix-darwin", + "nix-index-database": "nix-index-database", + "nixos-anywhere": "nixos-anywhere", + "nixos-generators": "nixos-generators", + "nixos-unified": "nixos-unified", + "nixpkgs": "nixpkgs_4", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1731850885, + "narHash": "sha256-V5eA7YtZwUnjtDK8hHoiXB17hBKZ+L6kpgR0UxKehtQ=", + "rev": "793c07f331a831e4321038e3e8ac2e503167af8b", + "revCount": 887, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/Mic92/sops-nix/0.1.887%2Brev-793c07f331a831e4321038e3e8ac2e503167af8b/01933a5d-224a-74d8-bbdb-08ceebbdd708/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/Mic92/sops-nix/0.1.887" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744961264, + "narHash": 
"sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "8d404a69efe76146368885110f29a2ca3700bee6", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..afa70c7 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,37 @@
+{
+ description = "A home-manager template providing useful tools & settings for Nix-based development";
+
+ inputs = {
+ # Principle inputs (updated by `nix run .#update`)
+ nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.2505.*.tar.gz";
+ nix-darwin.url = "https://flakehub.com/f/NixOS/nixpkgs/0.2505.*.tar.gz";
+ # nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
+ home-manager.url = "https://flakehub.com/f/nix-community/home-manager/0.2505.*.tar.gz";
+ home-manager.inputs.nixpkgs.follows = "nixpkgs";
+ flake-parts.url = "https://flakehub.com/f/hercules-ci/flake-parts/0.1.372.tar.gz";
+ nixos-unified.url = "github:srid/nixos-unified";
+ agenix = {
+ url = "github:ryantm/agenix";
+ # inputs.nixpkgs.follows = "nixpkgs";
+ };
+ disko.url = "https://flakehub.com/f/nix-community/disko/1.12.0.tar.gz";
+ deploy-rs.url = "github:serokell/deploy-rs";
+ deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
+ nix-index-database.url = "github:nix-community/nix-index-database";
+ nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
+ nixos-anywhere.url = "github:nix-community/nixos-anywhere/1.10.0";
+ nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ sops-nix.url = "https://flakehub.com/f/Mic92/sops-nix/0.1.887";
+ };
+
+ # Wired using https://nixos-unified.org/autowiring.html
+ outputs =
+ inputs:
+ inputs.nixos-unified.lib.mkFlake {
+ inherit inputs;
+ root = ./.;
+ };
+}
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..77602eb
--- /dev/null
+++ b/justfile
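Review bot: `nix-darwin.url` points at `https://flakehub.com/f/NixOS/nixpkgs/0.2505.*.tar.gz`, a second copy of nixpkgs rather than nix-darwin, and the lock confirms it (the `nix-darwin` node and `nixpkgs_4` resolve to rev `7282cb57…`); no darwin configuration exists in this commit, so either drop the input or point it at the nix-darwin repository (the `lnl7/nix-darwin` entry that agenix pulls into the lock shows the upstream). The `description` is the nixos-unified home-manager template text and does not describe this repository; replace it with a sentence about these NixOS hosts. `agenix`, `disko`, `sops-nix` and `nixos-anywhere` do not `follows = "nixpkgs"`, so the lock carries several separate nixpkgs checkouts (`nixpkgs` through `nixpkgs_5`, plus `nixos-stable`), each a separately pinned tree to review and update; add `inputs.nixpkgs.follows = "nixpkgs";` where the input supports it, and un-comment the one already written for agenix.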
@@ -0,0 +1,32 @@
+# Like GNU `make`, but `just` rustier.
+# https://just.systems/
+# run `just` from this directory to see available commands
+
+# Default command when 'just' is run without arguments
+default:
+ @just --list
+
+# Update nix flake
+[group('Main')]
+update:
+ nix flake update
+
+# Lint nix files
+[group('dev')]
+lint:
+ nix fmt
+
+# Check nix flake
+[group('dev')]
+check:
+ nix flake check
+
+# Manually enter dev shell
+[group('dev')]
+dev:
+ nix develop
+
+# Activate the configuration
+[group('Main')]
+run:
+ nix run
diff --git a/modules/flake/deploy.nix b/modules/flake/deploy.nix
new file mode 100644
index 0000000..db11e63
--- /dev/null
+++ b/modules/flake/deploy.nix
@@ -0,0 +1,55 @@
+{ inputs, ... }:
+let
+ inherit (inputs)
+ self
+ deploy-rs
+ nixpkgs
+ nixos-anywhere
+ agenix
+ ;
+ inherit (nixpkgs) lib;
+
+ genNode =
+ hostName: nixosCfg:
+ let
+ # inherit (self.hosts.${hostName}) address hostPlatform remoteBuild;
+ # inherit (deploy-rs.lib.${hostPlatform}) activate;
+ system = self.nixosConfigurations."${hostName}".pkgs.system;
+ in
+ {
+ hostname = hostName;
+ profiles.system.path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostName};
+ };
+in
+{
+ perSystem =
+ {
+ system,
+ ...
+ }:
+ {
+ apps = rec {
+ default = deploy;
+ secrets = {
+ type = "app";
+ program = "${agenix.packages.${system}.agenix}/bin/agenix";
+ meta.description = "";
+ };
+ install = {
+ type = "app";
+ program = "${nixos-anywhere.packages.${system}.nixos-anywhere}/bin/nixos-anywhere";
+ meta.description = "";
+ };
+ deploy = deploy-rs.apps.${system}.deploy-rs;
+ };
+ };
+ flake = {
+ deploy = {
+ autoRollback = false;
+ magicRollback = true;
+ user = "root";
+ remoteBuild = true;
+ nodes = lib.mapAttrs genNode (self.nixosConfigurations or { });
+ };
+ };
+}
diff --git a/modules/flake/devshell.nix b/modules/flake/devshell.nix
new file mode 100644
index 0000000..0b06c85
--- /dev/null
+++ b/modules/flake/devshell.nix
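Review bot: `genNode` sets `hostname = hostName`, i.e. the flake attribute name (`tofu`), while the only host sets `networking.hostName = "smultiboi"`, so deploy-rs will try to reach a machine called `tofu` unless that name resolves by other means; take it from the configuration instead, `hostname = nixosCfg.config.networking.hostName;`, which also uses the currently ignored `nixosCfg` parameter (and `system = nixosCfg.pkgs.system;` avoids re-indexing `self.nixosConfigurations`). `autoRollback = false` together with `magicRollback = true` means a profile whose activation fails stays in place and only a lost connection triggers a rollback; if that is deliberate, say so in a comment, otherwise leave `autoRollback` at its default. The `secrets` and `install` apps ship with `meta.description = ""`; fill them in, e.g. `meta.description = "Edit agenix-encrypted secrets";` and `meta.description = "Install a host remotely with nixos-anywhere";`, since that is the only documentation these entry points get.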
@@ -0,0 +1,12 @@
+{
+ perSystem = { pkgs, ... }: {
+ devShells.default = pkgs.mkShell {
+ name = "nixos-unified-template-shell";
+ meta.description = "Shell environment for modifying this Nix configuration";
+ packages = with pkgs; [
+ just
+ nixd
+ ];
+ };
+ };
+}
diff --git a/modules/flake/toplevel.nix b/modules/flake/toplevel.nix
new file mode 100644
index 0000000..f8c0704
--- /dev/null
+++ b/modules/flake/toplevel.nix
@@ -0,0 +1,16 @@
+# Top-level flake glue to get our configuration working
+{ inputs, ... }:
+
+{
+ imports = [
+ inputs.nixos-unified.flakeModules.default
+ inputs.nixos-unified.flakeModules.autoWire
+ ];
+ perSystem = { self', pkgs, ... }: {
+ # For 'nix fmt'
+ formatter = pkgs.nixpkgs-fmt;
+
+ # Enables 'nix run' to activate.
+ packages.default = self'.packages.activate;
+ };
+}
diff --git a/modules/nixos/common/avahi.nix b/modules/nixos/common/avahi.nix
new file mode 100644
index 0000000..f7cd96d
--- /dev/null
+++ b/modules/nixos/common/avahi.nix
@@ -0,0 +1,12 @@
+_: {
+ services.avahi = {
+ enable = true;
+ nssmdns4 = true;
+ nssmdns6 = true;
+ publish = {
+ addresses = true;
+ enable = true;
+ userServices = true;
+ };
+ };
+}
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
new file mode 100644
index 0000000..af6e953
--- /dev/null
+++ b/modules/nixos/common/default.nix
@@ -0,0 +1,9 @@
+{ flake, ... }:
+{
+ imports =
+ with builtins;
+ map (fn: ./${fn}) (filter (fn: fn != "default.nix") (attrNames (readDir ./.)))
+ ++ [
+ flake.inputs.disko.nixosModules.default
+ ];
+}
diff --git a/modules/nixos/common/discovery.nix b/modules/nixos/common/discovery.nix
new file mode 100644
index 0000000..dbc65a3
--- /dev/null
+++ b/modules/nixos/common/discovery.nix
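Review bot: `formatter = pkgs.nixpkgs-fmt;` while the files in this commit appear to be laid out in nixfmt (RFC 166) style — argument sets split one binding per line with a trailing `...`, `inherit (lib)` lists ending in a lone `;` — so `just lint` (`nix fmt`) will rewrite the whole tree on first run; set `formatter = pkgs.nixfmt-rfc-style;` to match the code as committed. Extend the `# For 'nix fmt'` comment to name the style being enforced so contributors can configure their editors to match.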
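Review bot: `services.avahi` is enabled with `publish.addresses`, `publish.userServices` and `nssmdns4`/`nssmdns6` but no `allowInterfaces`, so the host advertises itself and trusts `.local` answers on every interface avahi deems eligible, not just the LAN — nothing here excludes the `ygg0` mesh or tailscale interfaces, and `.local` names resolved through NSS are only as trustworthy as the peers on those links. Scope it, e.g. `allowInterfaces = [ "LAN_INTERFACE_PLACEHOLDER" ];`, and add a comment stating which discovery use-case this module serves. `openFirewall` is left at its avahi default of true, so 5353/udp is opened on all interfaces; note that next to `enable = true` so it is a conscious choice.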
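Review bot: The directory scan imports every entry of `./.` except `default.nix`, so any non-module file that lands here (an editor backup, a README, a stray directory) breaks evaluation for every host; filter by suffix, `map (fn: ./${fn}) (filter (fn: fn != "default.nix" && lib.hasSuffix ".nix" fn) (attrNames (readDir ./.)))`, with `lib` added to the module arguments as `{ flake, lib, ... }:`. A comment above `imports` stating that every `*.nix` in this directory is auto-loaded would also explain why no module list exists and why new files here take effect on all hosts.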
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ inherit (lib) mkOption mkIf types;
+in
+{
+ options.services.tty-ips = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Show interface IPs in TTY login using a dynamic issue file.";
+ };
+ };
+
+ config = mkIf config.services.tty-ips.enable {
+ systemd.services.tty-ips = {
+ description = "Generate /run/issue.dynamic with interface IPs";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ requires = [ "network-online.target" ];
+ before = [ "getty@tty1.service" ];
+
+ serviceConfig =
+ let
+ sw = "/run/current-system/sw/bin";
+ in
+ {
+ Type = "oneshot";
+ ExecStart = pkgs.writeShellScript "tty-ips-generate" ''
+ echo "Welcome to NixOS!" > /run/issue.dynamic
+ echo "" >> /run/issue.dynamic
+ echo "IP Addresses:" >> /run/issue.dynamic
+ ${sw}/ip -brief addr show ygg0 | ${sw}/awk '{print " " $3}v' | ${pkgs.qrencode}/bin/qrencode -t ANSIUTF8 >> /run/issue.dynamic
+ echo "" >> /run/issue.dynamic
+ '';
+ };
+ };
+
+ services.getty.extraArgs = [
+ "--issue-file"
+ "/run/issue.dynamic"
+ ];
+ };
+}
diff --git a/modules/nixos/common/nixos-generators.nix b/modules/nixos/common/nixos-generators.nix
new file mode 100644
index 0000000..71544ac
--- /dev/null
+++ b/modules/nixos/common/nixos-generators.nix
@@ -0,0 +1,6 @@
+{ flake, ... }:
+{
+ imports = [
+ flake.inputs.nixos-generators.nixosModules.all-formats
+ ];
+}
diff --git a/modules/nixos/common/ssh.nix b/modules/nixos/common/ssh.nix
new file mode 100644
index 0000000..fadae72
--- /dev/null
+++ b/modules/nixos/common/ssh.nix
@@ -0,0 +1,9 @@
+_: {
+ security = {
+ sudo.execWheelOnly = true;
+ pam = {
+ sshAgentAuth.enable = true;
+ services.sudo.sshAgentAuth = true;
+ };
+ };
+}
diff --git a/modules/nixos/common/yggdrasil.nix b/modules/nixos/common/yggdrasil.nix
new file mode 100644
index 0000000..bff6463
--- /dev/null
+++ b/modules/nixos/common/yggdrasil.nix
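Review bot: The awk program `'{print " " $3}v'` carries a stray `v` after the closing brace; awk reads it as a second rule with an always-false pattern, so it is harmless today but is clearly a typo — use `'{print " " $3}'`. The option and unit descriptions say "interface IPs", yet the script only reads `ygg0` and renders its first address as a QR code, so either make the description match, `description = "Show the Yggdrasil (ygg0) address as a QR code on the TTY login prompt.";`, or iterate over interfaces. If `ygg0` is absent when the unit runs, `ip` fails but the script continues (`writeShellScript` does not set `errexit`/`pipefail`) and the final `echo` makes the unit report success with a broken issue file; add `set -euo pipefail` as the first line of the script or guard on the interface existing.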
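Review bot: `security.pam.sshAgentAuth.enable` with `services.sudo.sshAgentAuth = true` lets wheel members (here `sky`, which has no password set in configuration.nix) escalate with a forwarded SSH agent instead of a password, but the file carries no comment that this is the intended escalation path or that it only works when the client forwards its agent; add `# wheel escalates via a forwarded ssh-agent; sky has no password, so this is the only sudo path` above `pam = {`. The file is named ssh.nix yet does not configure sshd — `services.openssh.enable = true` lives in modules/nixos/default.nix — so either move that setting here or note where it lives so the two halves are found together.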
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib)
+ mkOption
+ mkEnableOption
+ mkIf
+ types
+ ;
+ cfg = config.networking.yggdrasil;
+in
+{
+ options.networking.yggdrasil = {
+ enable = mkEnableOption "enables yggdrasil a sdwan solution";
+ AllowedPublicKeys = mkOption {
+ type = with types; listOf str;
+ default = [ "" ];
+ };
+ };
+ config = mkIf cfg.enable {
+ users = {
+ users.yggdrasil = {
+ isSystemUser = true;
+ description = "Yggdrasil";
+ group = "yggdrasil";
+ uid = 728;
+ };
+ groups.yggdrasil.gid = 728;
+ };
+
+ systemd.services.yggdrasil = {
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "yggdrasil";
+ RestrictNamespaces = lib.mkForce "no";
+ };
+ };
+ services.yggdrasil = {
+ enable = true;
+ persistentKeys = true;
+ openMulticastPort = true;
+ settings = {
+ inherit (cfg) AllowedPublicKeys;
+ Peers = [
+ "tls://ygg.yt:443"
+ "tls://ygg.jjolly.dev:3443"
+ "quic://ygg-kcmo.incognet.io:8885"
+ ];
+ MulticastInterfaces = [
+ {
+ Regex = "w.*";
+ Beacon = true;
+ Listen = true;
+ Port = 9001;
+ Priority = 0;
+ }
+ ];
+ IfName = "ygg0";
+ IfMTU = 65535;
+ NodeInfoPrivacy = false;
+ NodeInfo = null;
+ };
+ };
+ };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
new file mode 100644
index 0000000..9886cbd
--- /dev/null
+++ b/modules/nixos/default.nix
@@ -0,0 +1,10 @@
+# This is your nixos configuration.
+# For home configuration, see /modules/home/*
+{ flake, ... }:
+{
+ imports = [
+ flake.inputs.self.nixosModules.common
+ ];
+ services.openssh.enable = true;
+ nixpkgs.overlays = [ flake.inputs.self.overlays.default ];
+}
diff --git a/overlays/default.nix b/overlays/default.nix
new file mode 100644
index 0000000..8cc2f2a
--- /dev/null
+++ b/overlays/default.nix
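Review bot: `AllowedPublicKeys` defaults to `[ "" ]`, a list holding one empty string, which is neither "allow everyone" (Yggdrasil treats an empty list as unrestricted) nor a valid key, so any host that enables this module without overriding it gets a config that Yggdrasil will likely reject as malformed or that matches no peer; make it `default = [ ];` and add a `description` stating that an empty list allows all public keys and that hosts should pin the keys of their intended peers. The `mkEnableOption` text renders as "Whether to enable enables yggdrasil a sdwan solution"; use `mkEnableOption "the Yggdrasil mesh network"`. `DynamicUser = lib.mkForce false` and `RestrictNamespaces = lib.mkForce "no"` both relax the upstream unit's sandbox without a comment saying why a static user (uid/gid 728, which does not appear to be reserved anywhere in this tree — confirm it does not collide) and namespace access are needed; document the reason on each line, and drop whichever is not actually required.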
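Review bot: `services.openssh.enable = true` is set with no `settings`, so sshd runs with NixOS defaults: `PasswordAuthentication` and `KbdInteractiveAuthentication` stay on, and root may log in with a key (`PermitRootLogin` prohibit-password), which configurations/nixos/tofu/configuration.nix relies on for deploy-rs. Every host here authenticates with keys only (root key in configuration.nix, forwarded agent for sudo in common/ssh.nix), so turn the password paths off next to the enable line: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`. A comment stating that root key login is intentionally left allowed for deploy-rs would make the remaining exposure explicit.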
@@ -0,0 +1,21 @@
+{ flake, ... }:
+
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+
+ pkgsDir = ../packages; # This must be absolute or relative to this file
+
+ # List only subdirs with default.nix
+ packageDirs = builtins.filter (name: builtins.pathExists (pkgsDir + "/${name}/default.nix")) (
+ builtins.attrNames (builtins.readDir pkgsDir)
+ );
+
+in
+self: super:
+builtins.listToAttrs (
+ map (name: {
+ name = name;
+ value = self.callPackage (pkgsDir + "/${name}") { };
+ }) packageDirs
+)
diff --git a/packages/otf/default.nix b/packages/otf/default.nix
new file mode 100644
index 0000000..7924831
--- /dev/null
+++ b/packages/otf/default.nix
@@ -0,0 +1,50 @@
+{
+ lib,
+ fetchFromGitHub,
+ buildGoModule,
+ git,
+}:
+buildGoModule rec {
+ pname = "otf";
+ version = "0.3.23";
+
+ src = fetchFromGitHub {
+ owner = "leg100";
+ repo = "otf";
+ rev = "v${version}";
+ hash = "sha256-lm/J0ZEdkF+aI+NvbYg75rCexqjDLz/w+Sp9PhhAsv4=";
+ leaveDotGit = true;
+ postFetch = ''
+ cd "$out"
+ git rev-parse HEAD > $out/COMMIT_HASH
+ date -u -d "@$(git log -1 --pretty=%ct)" "+%s" > $out/BUILD_TIME
+ find "$out" -name .git -print0 | xargs -0 rm -rf
+ '';
+ };
+ nativeBuildInputs = [ git ];
+
+ vendorHash = "sha256-8FcdezTBWCIChytTbJal3TzTi/JfUbkW3Yu4djzDIgk=";
+
+ ldflags = [
+ "-s"
+ "-w"
+ "-X github.com/leg100/otf/internal.Version=v${version}"
+ ];
+
+ preBuild = ''
+ ldflags+=" -X github.com/leg100/otf/internal.Commit=$(cat COMMIT_HASH)"
+ ldflags+=" -X github.com/leg100/otf/internal.Built=$(cat BUILD_TIME)"
+ '';
+
+ subPackages = [
+ "cmd/otf"
+ "cmd/otf-agent"
+ "cmd/otfd"
+ ];
+
+ meta = with lib; {
+ description = "An open source alternative to Terraform Enterprise.";
+ license = licenses.mpl20;
+ platforms = platforms.linux ++ platforms.darwin;
+ };
+}
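Review bot: The `let` binds `inputs` and `self` from `flake` and never uses them, and the overlay's own `self:` parameter then shadows `self`, which makes `self.callPackage` easy to misread as the flake rather than the final package set; drop the two `inherit` lines and name the overlay parameters conventionally, `final: prev:` with `value = final.callPackage (pkgsDir + "/${name}") { };`, and replace `name = name;` with `inherit name;`. A one-line comment at the top stating that every `packages/<dir>/default.nix` is exposed as `pkgs.<dir>` would document the autoloading that modules/nixos/default.nix relies on through `overlays.default`.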
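Review bot: `leaveDotGit = true` makes the `src` fixed-output hash depend on the contents of `.git` (pack layout, index, timestamps), which is why nixpkgs discourages it, and the only values taken from it are the commit id and committer date. Since `rev = "v${version}"` is a tag, resolve the commit once and record it, e.g. `rev = "COMMIT_SHA_PLACEHOLDER"; # v0.3.23`, feed it to `-X github.com/leg100/otf/internal.Commit=` from the Nix expression, and drop `leaveDotGit`, the `postFetch` git calls and the build-time `git` input; `BUILD_TIME` can likewise be a literal epoch. Even as written, `date -u -d "@$(git log -1 --pretty=%ct)" "+%s"` converts an epoch to the same epoch, so `git log -1 --pretty=%ct > $out/BUILD_TIME` suffices. The trailing period in `meta.description` and the missing `meta.mainProgram = "otf";` are nixpkgs-style nits.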