From e6e509d3066e8f8cc5a64db753557b1f2095fc7e Mon Sep 17 00:00:00 2001
From: Bladesy
Date: Mon, 16 Dec 2024 19:48:24 +0000
Subject: [PATCH] feat: add configuration sv1
---
.gitignore | 2 +
applications/default.nix | 2 +
configurations/default.nix | 3 +
configurations/sv1.nix | 9 ++
flake.lock | 85 +++++++++++++
flake.nix | 40 ++++++
library/callFragment.nix | 7 ++
library/default.nix | 6 +
library/nixosSystems.nix | 4 +
library/sshKeys.nix | 6 +
modules/default.nix | 3 +
modules/sv1.nix | 208 +++++++++++++++++++++++++++++++
overlays/default.nix | 9 ++
overlays/lib.nix | 17 +++
overlays/pkgs.nix | 4 +
packages/default.nix | 3 +
packages/my-vim/default.nix | 13 ++
packages/my-vim/run-commands.vim | 27 ++++
shells/default.nix | 3 +
shells/nixos-config.nix | 10 ++
20 files changed, 461 insertions(+)
create mode 100644 .gitignore
create mode 100644 applications/default.nix
create mode 100644 configurations/default.nix
create mode 100644 configurations/sv1.nix
create mode 100644 flake.lock
create mode 100644 flake.nix
create mode 100644 library/callFragment.nix
create mode 100644 library/default.nix
create mode 100644 library/nixosSystems.nix
create mode 100644 library/sshKeys.nix
create mode 100644 modules/default.nix
create mode 100644 modules/sv1.nix
create mode 100644 overlays/default.nix
create mode 100644 overlays/lib.nix
create mode 100644 overlays/pkgs.nix
create mode 100644 packages/default.nix
create mode 100644 packages/my-vim/default.nix
create mode 100644 packages/my-vim/run-commands.vim
create mode 100644 shells/default.nix
create mode 100644 shells/nixos-config.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..87a3018
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+result
+*.qcow2
diff --git a/applications/default.nix b/applications/default.nix
new file mode 100644
index 0000000..7051552
--- /dev/null
+++ b/applications/default.nix
@@ -0,0 +1,2 @@
+{pkgs}: {
+}
diff --git a/configurations/default.nix b/configurations/default.nix
new file mode 100644
index 0000000..a34936c
--- /dev/null
+++ b/configurations/default.nix
@@ -0,0 +1,3 @@
+{lib}: {
+ sv1 = lib.callFragment ./sv1.nix {};
+}
diff --git a/configurations/sv1.nix b/configurations/sv1.nix
new file mode 100644
index 0000000..ce429ef
--- /dev/null
+++ b/configurations/sv1.nix
@@ -0,0 +1,9 @@
+{
+ nixosSystem,
+ nixosSystems,
+ nixosModules,
+}:
+nixosSystem {
+ system = nixosSystems.x86_64-linux;
+ modules = [nixosModules.sv1];
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..58663ab
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,85 @@
+{
+ "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1733168902,
+ "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1731242966,
+ "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1733261153,
+ "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-24.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "disko": "disko",
+ "impermanence": "impermanence",
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1733128155,
+ "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..a734f74
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,40 @@
+{
+ description = "My NixOS configuration.";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ impermanence.url = "github:nix-community/impermanence";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = {
+ self,
+ nixpkgs,
+ disko,
+ impermanence,
+ sops-nix,
+ }: let
+ lib = nixpkgs.lib.extend self.overlays.lib;
+ pkgs = nixpkgs.legacyPackages.x86_64-linux.extend self.overlays.pkgs;
+ in {
+ overlays = import ./overlays {
+ nixos-config = self;
+ inherit disko impermanence sops-nix;
+ };
+ library = import ./library {inherit lib;};
+ nixosConfigurations = import ./configurations {inherit lib;};
+ nixosModules = import ./modules;
+
+ formatter.x86_64-linux = pkgs.alejandra;
+ apps.x86_64-linux = import ./applications {inherit pkgs;};
+ devShells.x86_64-linux = import ./shells {inherit pkgs;};
+ packages.x86_64-linux = import ./packages {inherit pkgs;};
+ };
+}
diff --git a/library/callFragment.nix b/library/callFragment.nix
new file mode 100644
index 0000000..450bed5
--- /dev/null
+++ b/library/callFragment.nix
@@ -0,0 +1,7 @@
+{lib}: path: attrs: let
+ fragment = import path;
+in
+ with builtins;
+ if isAttrs fragment
+ then fragment
+ else fragment ((intersectAttrs (functionArgs fragment) lib) // attrs)
diff --git a/library/default.nix b/library/default.nix
new file mode 100644
index 0000000..cb0edbd
--- /dev/null
+++ b/library/default.nix
@@ -0,0 +1,6 @@
+{lib}: {
+ callFragment = import ./callFragment.nix {inherit lib;};
+
+ nixosSystems = lib.callFragment ./nixosSystems.nix {};
+ sshKeys = lib.callFragment ./sshKeys.nix {};
+}
diff --git a/library/nixosSystems.nix b/library/nixosSystems.nix
new file mode 100644
index 0000000..e76a8a0
--- /dev/null
+++ b/library/nixosSystems.nix
@@ -0,0 +1,4 @@
+{
+ aarch64-linux = "aarch64-linux";
+ x86_64-linux = "x86_64-linux";
+}
diff --git a/library/sshKeys.nix b/library/sshKeys.nix
new file mode 100644
index 0000000..e4a983c
--- /dev/null
+++ b/library/sshKeys.nix
@@ -0,0 +1,6 @@
+let
+ header = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI";
+in {
+ lp1.user = header + "DIRyj2UXX2kmlx2zyzs0iW5LUt5oZCT/p5oJUXPvJNW";
+ lp2.user = header + "Emm0kmLocunk26a4j0TnYt6V2iyaBL9ctJJmp2lY8W9";
+}
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..deecc5b
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,3 @@
+{
+ sv1 = import ./sv1.nix;
+}
diff --git a/modules/sv1.nix b/modules/sv1.nix
new file mode 100644
index 0000000..3060e3e
--- /dev/null
+++ b/modules/sv1.nix
@@ -0,0 +1,208 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = with lib.nixosModules; [
+ disko
+ impermanence
+ ];
+
+ disko.devices.disk.NixOS = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ BSP = {
+ type = "EF02";
+ size = "1M";
+ };
+ Crypt = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypt";
+ extraFormatArgs = ["--type luks1"];
+ content = {
+ type = "btrfs";
+ postCreateHook = ''
+ btrfs="$(mktemp -d)"
+ mount -o subvol=/ /dev/mapper/crypt "$btrfs"
+ btrfs subvolume snapshot -r "$btrfs/root" "$btrfs/blank"
+ umount "$btrfs"
+ rm -rf "$btrfs"
+ boot="$(mktemp -d)"
+ mount -o subvol=/boot /dev/mapper/crypt "$boot"
+ dd if=/dev/urandom "of=$boot/luks.bin" bs=1024 count=4
+ cryptsetup luksAddKey \
+ /dev/disk/by-partlabel/disk-NixOS-Crypt \
+ "$boot/luks.bin"
+ umount "$boot"
+ rm -rf "$boot"
+ '';
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/boot" = {
+ mountpoint = "/boot";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = {
+ mountpoint = "/.swap";
+ swap.swapfile.size = "4G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ fileSystems = {
+ "/persist".neededForBoot = true;
+ "/var/log".neededForBoot = true;
+ };
+
+ boot = {
+ loader = {
+ grub = {
+ enable = true;
+ enableCryptodisk = true;
+ };
+ };
+ initrd = {
+ availableKernelModules = [
+ "virtio_net"
+ "virtio_pci"
+ "virtio_mmio"
+ "virtio_blk"
+ "virtio_scsi"
+ "9p"
+ "9pnet_virtio"
+ "ahci"
+ "xhci_pci"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ kernelModules = [
+ "virtio_balloon"
+ "virtio_console"
+ "virtio_rng"
+ "virtio_gpu"
+ ];
+ secrets."/luks.bin" = "/boot/luks.bin";
+ luks.devices.crypt = {
+ device = "/dev/disk/by-partlabel/disk-NixOS-Crypt";
+ keyFile = "/luks.bin";
+ };
+ postDeviceCommands = lib.mkBefore ''
+ btrfs="$(mktemp -d)"
+ mount -o subvol=/ /dev/mapper/crypt "$btrfs"
+ trap "umount $btrfs_root; rm -rf $btrfs" EXIT
+ btrfs subvolume list -o "$btrfs/root" \
+ | cut -f9 -d' ' \
+ | while read subvolume; do \
+ btrfs subvolume delete "$btrfs/$subvolume"
+ done \
+ && btrfs subvolume delete "$btrfs/root"
+ btrfs subvolume snapshot "$btrfs/blank" "$btrfs/root"
+ '';
+ };
+ };
+
+ networking = {
+ hostName = "sv1";
+ networkmanager.enable = true;
+ };
+
+ time.timeZone = "Europe/London";
+ i18n.defaultLocale = "en_GB.UTF-8";
+ console.keyMap = "uk";
+
+ users = {
+ mutableUsers = false;
+ users = {
+ root = {
+ isSystemUser = true;
+ openssh.authorizedKeys.keys = with lib.sshKeys; [
+ lp1.user
+ lp2.user
+ ];
+ };
+ user = {
+ isNormalUser = true;
+ extraGroups = ["wheel"];
+ openssh.authorizedKeys.keys = with lib.sshKeys; [
+ lp1.user
+ lp2.user
+ ];
+ };
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "without-password";
+ };
+
+ nixpkgs.overlays = [lib.overlays.pkgs];
+ environment = {
+ persistence."/persist" = {
+ hideMounts = true;
+ directories = ["/var/lib/nixos"];
+ };
+ systemPackages = with pkgs; [
+ git
+ my-vim
+ ];
+ };
+
+ nix.settings = {
+ trusted-users = ["root"];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+
+ system.stateVersion = "24.11";
+}
diff --git a/overlays/default.nix b/overlays/default.nix
new file mode 100644
index 0000000..3abf2f3
--- /dev/null
+++ b/overlays/default.nix
@@ -0,0 +1,9 @@
+{
+ nixos-config,
+ disko,
+ impermanence,
+ sops-nix,
+}: {
+ lib = import ./lib.nix {inherit nixos-config disko impermanence sops-nix;};
+ pkgs = import ./pkgs.nix {inherit nixos-config;};
+}
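Review bot: The EXIT trap in `boot.initrd.postDeviceCommands` expands `$btrfs_root`, which is never assigned, so the `umount` runs with no argument and, if the trap fires, `rm -rf $btrfs` is executed against a directory that still has the root volume mounted on it; drop the trap and instead end the script with `umount "$btrfs"` followed by `rmdir "$btrfs"`, so a failed unmount can never recurse into the mounted filesystem. Separately, `environment.persistence."/persist"` keeps only `/var/lib/nixos` while the same script rolls `/` back to the blank snapshot on every boot, so `/etc/ssh/ssh_host_*_key` and `/etc/machine-id` will be regenerated each boot and every SSH client will see a changed host key; add them to `environment.persistence."/persist".files` (or point `services.openssh.hostKeys` at `/persist`). The `luks.bin` written by `dd` in `postCreateHook` is created with the installer's default mode and later sits on the mounted `/boot`, so a `chmod 0400 "$boot/luks.bin"` right after the `dd` line is worth adding. Since the host is meant to be key-only (no `hashedPassword`, root login `without-password`), stating that explicitly with `services.openssh.settings.PasswordAuthentication = false;` keeps the policy from depending on the mere absence of passwords, and `prohibit-password` is the current spelling of the `PermitRootLogin` value.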
diff --git a/overlays/lib.nix b/overlays/lib.nix
new file mode 100644
index 0000000..744af5d
--- /dev/null
+++ b/overlays/lib.nix
@@ -0,0 +1,17 @@
+{
+ nixos-config,
+ disko,
+ impermanence,
+ sops-nix,
+}: final: prev: let
+ inherit (nixos-config) overlays library;
+in
+ library
+ // {inherit overlays;}
+ // {
+ nixosModules =
+ nixos-config.nixosModules
+ // disko.nixosModules
+ // sops-nix.nixosModules
+ // impermanence.nixosModules;
+ }
diff --git a/overlays/pkgs.nix b/overlays/pkgs.nix
new file mode 100644
index 0000000..43cc01d
--- /dev/null
+++ b/overlays/pkgs.nix
@@ -0,0 +1,4 @@
+{nixos-config}: final: prev: let
+ inherit (nixos-config) overlays packages;
+in
+ packages.x86_64-linux // {lib = prev.lib.extend overlays.lib;}
diff --git a/packages/default.nix b/packages/default.nix
new file mode 100644
index 0000000..20fc436
--- /dev/null
+++ b/packages/default.nix
@@ -0,0 +1,3 @@
+{pkgs}: {
+ my-vim = pkgs.callPackage ./my-vim {};
+}
diff --git a/packages/my-vim/default.nix b/packages/my-vim/default.nix
new file mode 100644
index 0000000..7304748
--- /dev/null
+++ b/packages/my-vim/default.nix
@@ -0,0 +1,13 @@
+{vim-full}: let
+ vimNoGui = vim:
+ vim.override {config.vim.gui = "none";};
+ vimNoIcon = vim:
+ vim.overrideAttrs (prev: {
+ postFixup = prev.postFixup + "rm -r $out/share/{applications,icons}";
+ });
+ vimCustom = vim:
+ vim.customize {
+ vimrcConfig.customRC = builtins.readFile ./run-commands.vim;
+ };
+in
+ vimCustom (vimNoIcon (vimNoGui vim-full))
diff --git a/packages/my-vim/run-commands.vim b/packages/my-vim/run-commands.vim
new file mode 100644
index 0000000..999598e
--- /dev/null
+++ b/packages/my-vim/run-commands.vim
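Review bot: The `nixosModules` merge in overlays/lib.nix is a plain left-to-right `//`, so any attribute name exported by more than one input is silently replaced by the rightmost set (impermanence); flake module sets commonly export a `default` alias, and if disko or sops-nix do, that alias is lost here without any error. If the precedence is intended, a comment above the merge such as `# later sets win on name clashes: impermanence > sops-nix > disko > local` makes it explicit for the next reader; if not, keying each input's modules under its own name avoids the clash entirely.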
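Review bot: In packages/my-vim/default.nix, `postFixup = prev.postFixup + "rm -r ..."` appends without a separating newline, so if the upstream `postFixup` does not end with one the `rm` is glued onto its last command, and if the attribute is absent the evaluation fails outright. Safer: `postFixup = (prev.postFixup or "") + "\nrm -r $out/share/{applications,icons}\n";`.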
@@ -0,0 +1,27 @@
+" Allow backspacing.
+set backspace=indent,eol,start
+" Syntax highlighting.
+syntax on
+" Vertical rule highlighting.
+set colorcolumn=81
+hi ColorColumn ctermbg=245
+" Vertical line highlighting.
+set cursorcolumn
+hi CursorColumn ctermbg=238
+" Horizontal line highlighting.
+set cursorline
+hi clear CursorLine
+hi clear CursorLineNr
+hi link CursorLine CursorColumn
+hi link CursorLineNr CursorColumn
+" Numbering.
+set number
+set relativenumber
+" Indentation.
+set expandtab
+set shiftwidth=4
+set tabstop=4
+" Nix.
+autocmd BufRead,BufNewFile *.nix set filetype=nix
+autocmd Filetype nix set shiftwidth=2
+autocmd Filetype nix set tabstop=2
diff --git a/shells/default.nix b/shells/default.nix
new file mode 100644
index 0000000..5eee0e7
--- /dev/null
+++ b/shells/default.nix
@@ -0,0 +1,3 @@
+{pkgs}: {
+ nixos-config = pkgs.callPackage ./nixos-config.nix {};
+}
diff --git a/shells/nixos-config.nix b/shells/nixos-config.nix
new file mode 100644
index 0000000..cb07cbc
--- /dev/null
+++ b/shells/nixos-config.nix
@@ -0,0 +1,10 @@
+{
+ mkShell,
+ my-vim,
+}:
+mkShell {
+ packages = [my-vim];
+ shellHook = ''
+ PS1="\n\[\033[1;33m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
+ '';
+}
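Review bot: The two `Filetype nix` autocmds use `set`, which also updates the global value of the buffer-local `shiftwidth`/`tabstop` options, so once any Nix buffer has been opened every buffer opened afterwards inherits 2-space indentation regardless of its filetype. Use `setlocal`, and the two lines can be merged: `autocmd FileType nix setlocal shiftwidth=2 tabstop=2`. Placing the autocmds in an `augroup` with a leading `autocmd!` would also keep them from being registered twice if the file is re-sourced.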