From fc530f450f5cbbb07820642029a2e1bf4f9839ce Mon Sep 17 00:00:00 2001 From: Julius de Jeu Date: Thu, 19 May 2022 15:03:13 +0200 Subject: [PATCH] Initial Commit --- .gitignore | 1 + common/default.nix | 42 ++++++++++++ common/lxc.nix | 11 ++++ common/users/default.nix | 32 ++++++++++ flake.lock | 135 +++++++++++++++++++++++++++++++++++++++ flake.nix | 63 ++++++++++++++++++ machines/base.nix | 5 ++ machines/nginx.nix | 10 +++ 8 files changed, 299 insertions(+) create mode 100644 .gitignore create mode 100644 common/default.nix create mode 100644 common/lxc.nix create mode 100644 common/users/default.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 machines/base.nix create mode 100644 machines/nginx.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..62cd3e7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+result*
\ No newline at end of file
diff --git a/common/default.nix b/common/default.nix
new file mode 100644
index 0000000..65d78ff
--- /dev/null
+++ b/common/default.nix
@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+
+{
+ imports = [ ./users ];
+
+ security.sudo.wheelNeedsPassword = false;
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=100M
+ MaxFileSec=7day
+ '';
+
+ # Clean /tmp on boot.
+ boot.cleanTmpDir = true;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Amsterdam";
+
+ programs.fish.enable = true;
+
+ # Optimize nix store by hardlinking identitical files.
+ nix = {
+ package = pkgs.nixUnstable;
+ autoOptimiseStore = true;
+ binaryCaches = [
+ "https://cachix.cachix.org"
+ "https://nix-community.cachix.org"
+ "https://nixpkgs-review-bot.cachix.org"
+ ];
+ binaryCachePublicKeys = [
+ "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE="
+ ];
+ trustedUsers = [ "root" "jdejeu" ];
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+
+ nixpkgs.config.allowUnfree = true;
+}
diff --git a/common/lxc.nix b/common/lxc.nix
new file mode 100644
index 0000000..ededbcd
--- /dev/null
+++ b/common/lxc.nix
@@ -0,0 +1,11 @@
+{ modulesPath, ... }: {
+ imports = [ "${toString modulesPath}/virtualisation/lxc-container.nix" ];
+ services.sshd.enable = true;
+ systemd.suppressedSystemUnits = [
+ "dev-mqueue.mount"
+ "sys-kernel-debug.mount"
+ "sys-fs-fuse-connections.mount"
+ ];
+ boot.isContainer = true;
+
+}
diff --git a/common/users/default.nix b/common/users/default.nix
new file mode 100644
index 0000000..e82de4b
--- /dev/null
+++ b/common/users/default.nix
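Review bot: `security.sudo.wheelNeedsPassword = false` and `trustedUsers = [ "root" "jdejeu" ]` inside the `nix` block each make the jdejeu account root-equivalent on its own (a Nix trusted user can point the daemon at arbitrary substituters and signing keys), so the pair should be recorded as deliberate rather than left bare. If the account is meant to be a key-only admin, a comment above the sudo line such as `# jdejeu is a key-only admin account: passwordless sudo and Nix trusted-user status are intentional.` captures that decision for the next reader. The option names used here (`binaryCaches`, `binaryCachePublicKeys`, `trustedUsers`, `autoOptimiseStore`) are the nixos-21.11 spellings matching the pinned input, which is consistent, but a short note that they move under `nix.settings` in later releases would save a surprise at the next channel bump.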
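Review bot: `services.sshd.enable = true` starts OpenSSH with the release defaults, and nothing in the commit pins the password or root-login policy even though common/users/default.nix installs authorized keys for root; since every login in this repo is key-based, `services.openssh.passwordAuthentication = false;` next to the enable line makes that explicit and closes the password path entirely. For consistency with that option, the switch is better written under its canonical name, `services.openssh.enable = true;` (`services.sshd.enable` is an alias). `boot.isContainer = true` presumably duplicates what the imported lxc-container.nix module already sets; harmless, but a one-line comment on why it is repeated here would help.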
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [ git curl ];
+ programs.neovim.enable = true;
+ programs.neovim.viAlias = true;
+ programs.fish.shellInit = "set -U fish_greeting";
+
+ users.defaultUserShell = pkgs.fish;
+
+ users.extraUsers.jdejeu = {
+ isNormalUser = true;
+ home = "/home/jdejeu";
+ description = "Julius";
+ extraGroups = [ "wheel" ];
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJBY9eQlR/JRnjVC2wKWQ+o02wDlGUlSgN/4e3i6ans PC"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrSvbUoRc7K47cD6TIZUdVjExuNpv6JUzjvUwRtRVj9 Laptop"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIATd0L/QJQOk9BR/H+TEo1X1t/ZxtxANNXXiTYf5+RbD jdejeu@archlife"
+ ];
+ };
+
+ # Configure the root account
+ users.extraUsers.root = {
+ # Allow my SSH keys for logging in as root.
+ openssh.authorizedKeys.keys =
+ config.users.users.jdejeu.openssh.authorizedKeys.keys;
+ # Also use zsh for root
+ shell = pkgs.fish;
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..5f6fd55
--- /dev/null
+++ b/flake.lock
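Review bot: The comment `# Also use zsh for root` contradicts the line under it, which sets `shell = pkgs.fish;`; it should read `# Also use fish for root`. The block writes `users.extraUsers.jdejeu` and `users.extraUsers.root` but reads back `config.users.users.jdejeu`, mixing the deprecated alias with the canonical path; spelling all three as `users.users.` keeps the file consistent. Giving root the same authorized keys as jdejeu means a compromise of any one of the three listed keys yields direct root on every machine importing this module without passing through sudo; if that is intended for the deployment user, the existing `# Allow my SSH keys for logging in as root.` comment could say why (for instance that the deploy tool connects as root).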
@@ -0,0 +1,135 @@ +{ + "nodes": { + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "stable": "stable", + "utils": "utils" + }, + "locked": { + "lastModified": 1652494498, + "narHash": "sha256-KA1PQ8UW9LWKKQjjxGgyLNLkivUg9g4UZtTLIAueoiM=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "ea4f2ba6dcc8ae1796528f94e878722fdf6afcf1", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "nixlib": { + "locked": { + "lastModified": 1636849918, + "narHash": "sha256-nzUK6dPcTmNVrgTAC1EOybSMsrcx+QrVPyqRdyKLkjA=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "28a5b0557f14124608db68d3ee1f77e9329e9dd5", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1652457860, + "narHash": "sha256-fZZRON0geucxAFCEamzuZ5z4oj7xJj+6C9HWm1JY2n0=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "11f97f971383d036159edd9221f1b3a60ed78c4f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1652559422, + "narHash": "sha256-jPVTNImBTUIFdtur+d4IVot6eXmsvtOcBm0TzxmhWPk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "8b3398bc7587ebb79f93dfeea1b8c574d3c6dba1", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-21.11", + "repo": "nixpkgs", + 
"type": "github" + } + }, + "root": { + "inputs": { + "colmena": "colmena", + "nixos-generators": "nixos-generators", + "nixpkgs": "nixpkgs" + } + }, + "stable": { + "locked": { + "lastModified": 1650830814, + "narHash": "sha256-P7vGsHdS19eHVUJt4BeQA4JfauL2nOpEcnYKIbX76YM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c254b8c915ac912ae9ee9dc74eac555ccbf33795", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-21.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "utils": { + "locked": { + "lastModified": 1649676176, + "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..95fe025 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,63 @@
+{
+ description = "A very basic flake";
+ inputs = {
+
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
+ colmena = {
+ url = "github:zhaofengli/colmena";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = { self, nixpkgs, colmena, nixos-generators, ... }:
+ let pkgs = nixpkgs.legacyPackages.x86_64-linux;
+ in {
+
+ packages.x86_64-linux.hello = pkgs.hello;
+
+ packages.x86_64-linux.default = colmena.packages.x86_64-linux.colmena;
+
+ packages.x86_64-linux.register = let
+ lxc = nixos-generators.nixosGenerate {
+ pkgs = pkgs;
+ modules = [ ./machines/base.nix ];
+ format = "lxc";
+ };
+ metadata = nixos-generators.nixosGenerate {
+ pkgs = pkgs;
+ modules = [ ./machines/base.nix ];
+ format = "lxc-metadata";
+ };
+ in with import nixpkgs { system = "x86_64-linux"; };
+ stdenv.mkDerivation {
+ name = "register-lxc-container";
+ buildInputs = [ ];
+ src = self;
+ buildPhase =
+ "mkdir -p $out; ln -s ${lxc} $out/lxc; ln -s ${metadata} $out/metadata";
+ installPhase = "ln -s $out/lxc/tarball/nixos-system-x86_64-linux.tar.xz $out/lxc.tar.xz; ln -s $out/metadata/tarball/nixos-system-x86_64-linux.tar.xz $out/metadata.tar.xz";
+ };
+
+ colmena = {
+ meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; };
+ nginx = {
+ imports = [ ./machines/nginx.nix ];
+ deployment.targetHost = "10.21.150.250";
+ };
+
+ nginx2 = {
+ imports = [ ./machines/nginx.nix ];
+ deployment.targetHost = "10.21.150.95";
+ };
+ };
+
+ devShells.x86_64-linux.default = pkgs.mkShell {
+ buildInputs = [ colmena.packages.x86_64-linux.colmena ];
+ };
+
+ };
+}
diff --git a/machines/base.nix b/machines/base.nix
new file mode 100644
index 0000000..3d2304d
--- /dev/null
+++ b/machines/base.nix
@@ -0,0 +1,5 @@
+{ config, pkgs, ... }: {
+ imports = [ ../common ../common/lxc.nix ];
+ networking.hostName = "base";
+ system.stateVersion = "21.11";
+}
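Review bot: nixpkgs is evaluated three times inside `outputs`: once as `nixpkgs.legacyPackages.x86_64-linux` (bound to `pkgs`), again in `with import nixpkgs { system = "x86_64-linux"; };` for the `register` derivation, and a third time in `colmena.meta.nixpkgs`; the last two can reuse the first, i.e. `in pkgs.stdenv.mkDerivation {` and `meta = { nixpkgs = pkgs; };`, which also removes the `with`. The two `pkgs = pkgs;` lines in the `nixosGenerate` calls are `inherit pkgs;` in idiomatic Nix. `packages.x86_64-linux.hello = pkgs.hello;` and `description = "A very basic flake";` read as template leftovers and should either be removed or replaced with something that describes this repo. The `register` derivation sets `src = self;` but neither phase reads it, so every unrelated commit to the repo changes the derivation; dropping `src` avoids that.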
diff --git a/machines/nginx.nix b/machines/nginx.nix
new file mode 100644
index 0000000..e5c7544
--- /dev/null
+++ b/machines/nginx.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }: {
+ imports = [ ../common ../common/lxc.nix ];
+ networking.hostName = "nginx";
+ system.stateVersion = "21.11";
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx.enable = true;
+ services.nginx.package = pkgs.nginxMainline;
+
+}
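Review bot: `networking.hostName = "nginx"` is hard-coded in a module that flake.nix imports for two colmena nodes, `nginx` and `nginx2`, so both machines appear to end up with the same hostname; either write it as `networking.hostName = lib.mkDefault "nginx";` (adding `lib` to the module arguments) or set the hostname per node in flake.nix. Port 443 is opened in `allowedTCPPorts` while `services.nginx` is enabled with no `virtualHosts` and no TLS configuration, so nothing serves 443 yet; keeping the list to `[ 80 ]` until a TLS virtual host (`forceSSL`/`enableACME`) exists avoids advertising an open port with nothing behind it. `config` is bound in the module arguments but unused in this file, and the same holds for machines/base.nix.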