Bladesy/nixos-config
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add dk1-iso

Browse Source
This commit is contained in:
Bladesy 2025-04-26 18:58:56 +01:00
parent d91a06a0e7
commit 0829df3b5d
14 changed files with 208 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.sops.yaml
View File

@ -1,7 +1,9 @@
keys: keys:
- &sv1 age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug - &sv1 age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
- &dk1-iso age14x7k4stulqyp849x3uksprk2w3vjyn6pjlvgrp6up3tem6g6xucqvms68t
creation_rules: creation_rules:
- path_regex: library/secrets/.*.yaml - path_regex: library/secrets/.*.yaml
key_groups: key_groups:
- age: - age:
- *sv1 - *sv1
- *dk1-iso

1
applications/default.nix
View File

@ -1,2 +1,3 @@
{pkgs}: { {pkgs}: {
write-iso = pkgs.callPackage ./write-iso.nix {};
} }

4
applications/write-iso.nix Normal file
View File

@ -0,0 +1,4 @@
{iso-writer}: {
type = "app";
program = "${iso-writer}/bin/iso-writer";
}

1
configurations/default.nix
View File

@ -1,4 +1,5 @@
{lib}: { {lib}: {
sv1 = lib.callFragment ./sv1.nix {}; sv1 = lib.callFragment ./sv1.nix {};
dk1 = lib.callFragment ./dk1.nix {}; dk1 = lib.callFragment ./dk1.nix {};
dk1-iso = lib.callFragment ./dk1-iso.nix {};
} }

9
configurations/dk1-iso.nix Normal file
View File

@ -0,0 +1,9 @@
{
nixosSystem,
nixosSystems,
nixosModules,
}:
nixosSystem {
system = nixosSystems.x86_64-linux;
modules = [nixosModules.dk1-iso];
}

1
library/secrets/default.nix
View File

@ -1,3 +1,4 @@
{ {
sb1 = ./sb1.yaml; sb1 = ./sb1.yaml;
network-manager = ./network-manager.yaml;
} }

31
library/secrets/network-manager.yaml Normal file
View File

@ -0,0 +1,31 @@
home_ssid: ENC[AES256_GCM,data:KB/wa+XEw7KGD3sO,iv:OavELC88DUOzPkj5dQsZbpolo4k5uKPVfEmIt6nWP/0=,tag:4towJ8hav0Vj2DpFpLUF5A==,type:str]
home_psk: ENC[AES256_GCM,data:GA7ZED/cFaA=,iv:0EU06LM0MfTAmmafasPKq0xxl7w2h1Y45tBi4NVDvmA=,tag:cMGUOVlUANybdkcp7Cmd5w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRDNtR1huOVJ6clNycERp
M0R0SnM2RUVCVXFFWWUrdnZzVHVIS1luZkEwCkUrVHpjTWlPdmZJRXQ2M2xGdzBn
OTVlcDRFdzZsUlRFVE1Vd1VFKy81R00KLS0tIFRSNHowK3E0UGZlYzk1RW5HR2tV
bWNYUG16QTZ1b3RHWThPcm5vdUpGenMKs7xWFe70u3ochn51t7uGITG/oHRDC4v5
LJIl5LBauwkJO3ddZqPnc57ci2lXukM8Z4EKi3QwYiJ6dxxtizTAng==
-----END AGE ENCRYPTED FILE-----
- recipient: age14x7k4stulqyp849x3uksprk2w3vjyn6pjlvgrp6up3tem6g6xucqvms68t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbG9VZDBvM3k2Z0pFMTNO
ZHQ2UUtMWnJhVGY2M256L2lEbVpLUFM4R0V3ClhCNUV1b0ZEQkhaRklMenpyRzJq
Ym95Y21BUHpacXhFcnhwY2FwMUMzQ2MKLS0tIDRuY2FnbVEzQ295R3JqUnk0NjVC
enEyWkRVT014Vk1FTktmVU5kbjVaUTAKJKIIMjBDLJxXv6y9nIzirH5vaqkQyZ6a
pF45ayqxXOAdonrnn0hbyxW8NcKp0Jjy0ehTd6AfAnNCrxPomPbflw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-26T11:02:52Z"
mac: ENC[AES256_GCM,data:kC+tWF+5JVFJigJHKf5RxDggOQPHbSKvllWxWCrL0DvL/FS1a0W0Xi35d473DfxkUUUKSHDguan3V0YlL64103sXlMU3hxdquFmNUjYl08s5fuzGDIpX56ROLpxtKCaDsDFgsvq41mwSSZQuT0qS7DULzAgE7PKW5luhJBxMXu8=,iv:z1OnnhP8cKZrn51FBEooiUSk8puOTqVoyXPfittM/RM=,tag:iLoN6Vh6PkXC0Gk4f2JoQA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

1
modules/default.nix
View File

@ -1,4 +1,5 @@
{ {
sv1 = import ./sv1.nix; sv1 = import ./sv1.nix;
dk1 = import ./dk1.nix; dk1 = import ./dk1.nix;
dk1-iso = import ./dk1-iso.nix;
} }

57
modules/dk1-iso.nix Normal file
View File

@ -0,0 +1,57 @@
{
lib,
config,
modulesPath,
...
}: {
imports = with lib.nixosModules; [
(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
sops
];
boot.extraModulePackages = with config.boot.kernelPackages; [
rtl88xxau-aircrack
];
sops = {
gnupg.sshKeyPaths = [];
age = {
sshKeyPaths = [];
keyFile = "/iso/key";
};
secrets = {
home_ssid.sopsFile = lib.secrets.network-manager;
home_psk.sopsFile = lib.secrets.network-manager;
};
templates.networkManager.content = ''
home_ssid="${config.sops.placeholder.home_ssid}"
home_psk="${config.sops.placeholder.home_psk}"
'';
};
networking = {
hostName = "dk1-iso";
wireless.enable = false;
networkmanager = {
enable = true;
ensureProfiles = {
profiles.home = {
connection = {
id = "home";
type = "wifi";
};
wifi = {
ssid = "$home_ssid";
mode = "infrastructure";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$home_psk";
};
};
environmentFiles = [config.sops.templates.networkManager.path];
};
};
};
}

6
overlays/lib.nix
View File

@ -4,13 +4,13 @@
impermanence, impermanence,
sops-nix, sops-nix,
}: final: prev: let }: final: prev: let
inherit (nixos-config) overlays library; inherit (nixos-config) library overlays nixosConfigurations nixosModules;
in in
library library
// {inherit overlays;} // {inherit overlays nixosConfigurations;}
// { // {
nixosModules = nixosModules =
nixos-config.nixosModules nixosModules
// disko.nixosModules // disko.nixosModules
// sops-nix.nixosModules // sops-nix.nixosModules
// impermanence.nixosModules; // impermanence.nixosModules;

2
packages/default.nix
View File

@ -1,4 +1,6 @@
{pkgs}: { {pkgs}: {
my-vim = pkgs.callPackage ./my-vim {}; my-vim = pkgs.callPackage ./my-vim {};
my-site = pkgs.callPackage ./my-site {}; my-site = pkgs.callPackage ./my-site {};
iso-writer = pkgs.callPackage ./iso-writer {};
dk1-iso = pkgs.callPackage ./dk1-iso {};
} }

4
packages/dk1-iso/default.nix Normal file
View File

@ -0,0 +1,4 @@
{lib}: let
inherit (lib.nixosConfigurations) dk1-iso;
in
dk1-iso.config.system.build.isoImage

30
packages/iso-writer/default.nix Normal file
View File

@ -0,0 +1,30 @@
{
lib,
stdenvNoCC,
makeWrapper,
coreutils,
xorriso,
dk1-iso,
}: let
inherit (lib) makeBinPath;
runtimeInputs = [
coreutils
xorriso
];
in
stdenvNoCC.mkDerivation {
name = "iso-writer";
src = ./src;
nativeBuildInputs = [makeWrapper];
buildInputs = runtimeInputs;
installPhase = ''
mkdir -p $out/bin
cp $src/iso-writer.sh $out/bin/iso-writer
chmod +x $out/bin/iso-writer
'';
postFixup = ''
wrapProgram $out/bin/iso-writer \
--set PATH ${makeBinPath runtimeInputs} \
--set source ${dk1-iso}/iso/${dk1-iso.isoName}
'';
}

62
packages/iso-writer/src/iso-writer.sh Normal file
View File

@ -0,0 +1,62 @@
#!/usr/bin/env bash
read -a arguments <<< "$@"
number_of_arguments="${#arguments[@]}"
arguments_last_index="$(expr $number_of_arguments - 1)"
for argument_index in $(seq 0 "$arguments_last_index")
do
argument="${arguments[argument_index]}"
next_argument_index="$(expr $argument_index + 1)"
next_argument="${arguments[next_argument_index]}"
case "$argument" in
--*)
name="${argument/--/}"
[ "$argument_index" -eq "$arguments_last_index" \
-o "${next_argument:0:2}" = "--" ] \
&& declare "$name=$name"
;;
*)
value="$argument"
[ -n "$name" ] \
&& declare "$name=$value"
name=""
;;
esac
done
[ -n "$help" ] \
&& printf "Usage: iso-writer" \
&& printf " [--help]" \
&& printf " --source source" \
&& printf " [--key key]" \
&& printf " [--target target]" \
&& printf " --device device" \
&& printf "\n" \
&& printf "Write a keyed nixos-config iso to a device." \
&& printf "\n" \
&& exit
root_id="0"
[ "$(id -u)" -ne "$root_id" ] \
&& printf "Not running as root, exiting.\n" >&2 \
&& exit
[ -z "$source" ] \
&& printf "Source missing, exiting.\n" >&2 \
&& exit
[ -z "$device" ] \
&& printf "Device missing, exiting.\n" >&2 \
&& exit
[ -z "$key" ] \
&& target="$source"
[ -n "$key" -a -z "$target" ] \
&& temporary_directory="$(mktemp -d)" \
&& target="$temporary_directory/target.iso" \
&& trap "rm -rf \"$target\"" SIGTERM
[ -n "$key" ] \
&& xorriso \
-indev "$source" \
-outdev "$target" \
-map "$key" /key \
-boot_image any replay
dd bs=4M status=progress if="$target" of="$device"