Bladesy/nixos-config
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Bladesy:d91a06a0e7b64eb31d1921123120a9ffa9d757d0
Branches Tags
Bladesy:master
Bladesy:feature/divide-modules
..
compare: Bladesy:14d7d5f4de040cd80cad6e3519f012cf9032871a
Branches Tags
Bladesy:feature/divide-modules
Bladesy:master

7 Commits
d91a06a0e7 ... 14d7d5f4de

Author SHA1 Message Date
Bladesy
14d7d5f4de fix: make dk1 efi partition detectable 2025-05-01 18:26:55 +01:00
Bladesy
47571c2535 feat: add remote-installer package and silence dk1-iso warnings 2025-05-01 16:11:21 +01:00
Bladesy
e2d298ad67 fix: add correct disk device path to dk1 2025-04-30 13:26:54 +01:00
Bladesy
f811de4d3b fix: minor consistency fix between dk1 and dk1-iso 2025-04-30 10:12:24 +01:00
Bladesy
1531917a20 feat: add static networking, password protected users, ssh login support, and nixos-anywhere to dk1-iso 2025-04-30 10:11:35 +01:00
Bladesy
c84cb9b723 fix: ensure that dk1 and dk1-iso share the same key, and keep secrets updated 2025-04-26 19:06:03 +01:00
Bladesy
0829df3b5d feat: add dk1-iso 2025-04-26 18:58:56 +01:00
24 changed files with 552 additions and 16 deletions
Show Stats Expand all files Collapse all files

2
.sops.yaml
View File

@ -1,7 +1,9 @@
keys: keys:
- &sv1 age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug - &sv1 age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
- &dk1 age14x7k4stulqyp849x3uksprk2w3vjyn6pjlvgrp6up3tem6g6xucqvms68t
creation_rules: creation_rules:
- path_regex: library/secrets/.*.yaml - path_regex: library/secrets/.*.yaml
key_groups: key_groups:
- age: - age:
- *sv1 - *sv1
- *dk1

2
applications/default.nix
View File

@ -1,2 +1,4 @@
{pkgs}: { {pkgs}: {
write-iso = pkgs.callPackage ./write-iso.nix {};
install-remote = pkgs.callPackage ./install-remote.nix {};
} }

4
applications/install-remote.nix Normal file
View File

@ -0,0 +1,4 @@
{remote-installer}: {
type = "app";
program = "${remote-installer}/bin/remote-installer";
}

4
applications/write-iso.nix Normal file
View File

@ -0,0 +1,4 @@
{iso-writer}: {
type = "app";
program = "${iso-writer}/bin/iso-writer";
}

1
configurations/default.nix
View File

@ -1,4 +1,5 @@
{lib}: { {lib}: {
sv1 = lib.callFragment ./sv1.nix {}; sv1 = lib.callFragment ./sv1.nix {};
dk1 = lib.callFragment ./dk1.nix {}; dk1 = lib.callFragment ./dk1.nix {};
dk1-iso = lib.callFragment ./dk1-iso.nix {};
} }

9
configurations/dk1-iso.nix Normal file
View File

@ -0,0 +1,9 @@
{
nixosSystem,
nixosSystems,
nixosModules,
}:
nixosSystem {
system = nixosSystems.x86_64-linux;
modules = [nixosModules.dk1-iso];
}

113
flake.lock generated
View File

@ -20,6 +20,27 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1743550720,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1731242966, "lastModified": 1731242966,
@ -35,7 +56,75 @@
"type": "github" "type": "github"
} }
}, },
"nixos-anywhere": {
"inputs": {
"disko": [
"disko"
],
"flake-parts": "flake-parts",
"nixos-images": "nixos-images",
"nixos-stable": [
"nixpkgs"
],
"nixpkgs": "nixpkgs",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1745505025,
"narHash": "sha256-F9IekLaLYVG/UNUiaN194qu0n1pOgeqjGkD1l5OVEgM=",
"owner": "nix-community",
"repo": "nixos-anywhere",
"rev": "edf1adb89307f921575b5fcd0c6bb4e684fbd38b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-anywhere",
"type": "github"
}
},
"nixos-images": {
"inputs": {
"nixos-stable": [
"nixos-anywhere",
"nixos-stable"
],
"nixos-unstable": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744853194,
"narHash": "sha256-NBOdBdQdxb3FdM4Ywb4cATMLfFtkPqDYh0LIQMZ7eRY=",
"owner": "nix-community",
"repo": "nixos-images",
"rev": "8f6f8060a13096934c2a502eb0508bdc3f1284a1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-images",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": {
"lastModified": 1745991046,
"narHash": "sha256-+WiKX2uUkuWrkUdfy8XP0Lic2qN7h3pH+tWn1DfTfFg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "920a79ee9b49febd7a8b7251e210aeee9c06b644",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1733261153, "lastModified": 1733261153,
"narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=", "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=",
@ -55,7 +144,8 @@
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
"impermanence": "impermanence", "impermanence": "impermanence",
"nixpkgs": "nixpkgs", "nixos-anywhere": "nixos-anywhere",
"nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
@ -78,6 +168,27 @@
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixos-anywhere",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744961264,
"narHash": "sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "8d404a69efe76146368885110f29a2ca3700bee6",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

10
flake.nix
View File

@ -12,6 +12,13 @@
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-anywhere = {
url = "github:nix-community/nixos-anywhere";
inputs = {
nixos-stable.follows = "nixpkgs";
disko.follows = "disko";
};
};
}; };
outputs = { outputs = {
@ -20,6 +27,7 @@
disko, disko,
impermanence, impermanence,
sops-nix, sops-nix,
nixos-anywhere,
}: let }: let
lib = nixpkgs.lib.extend self.overlays.lib; lib = nixpkgs.lib.extend self.overlays.lib;
pkgs = nixpkgs.legacyPackages.x86_64-linux.extend self.overlays.pkgs; pkgs = nixpkgs.legacyPackages.x86_64-linux.extend self.overlays.pkgs;
@ -28,7 +36,7 @@
in { in {
overlays = import ./overlays { overlays = import ./overlays {
nixos-config = self // {inherit library;}; nixos-config = self // {inherit library;};
inherit disko impermanence sops-nix; inherit disko impermanence sops-nix nixos-anywhere;
}; };
nixosConfigurations = import ./configurations {inherit lib;}; nixosConfigurations = import ./configurations {inherit lib;};
nixosModules = import ./modules; nixosModules = import ./modules;

2
library/secrets/default.nix
View File

@ -1,3 +1,5 @@
{ {
sb1 = ./sb1.yaml; sb1 = ./sb1.yaml;
network-manager = ./network-manager.yaml;
users = ./users.yaml;
} }

31
library/secrets/network-manager.yaml Normal file
View File

@ -0,0 +1,31 @@
home-ssid: ENC[AES256_GCM,data:zi9AkDx7lInM8Qpn,iv:/ivnuq0L2fc8UQZtjlw073EbzslN+GBl4dYOZm+MYQQ=,tag:X9MztKFvdG1aKuYMa94h8w==,type:str]
home-psk: ENC[AES256_GCM,data:GEY/+0imm1o=,iv:FsUyy479GQ+PfXwdEvXqX1qPcRcYKGIiMCyTf7wYVTs=,tag:2d7LtoiRrF0NhwKhfYQnkA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRDNtR1huOVJ6clNycERp
M0R0SnM2RUVCVXFFWWUrdnZzVHVIS1luZkEwCkUrVHpjTWlPdmZJRXQ2M2xGdzBn
OTVlcDRFdzZsUlRFVE1Vd1VFKy81R00KLS0tIFRSNHowK3E0UGZlYzk1RW5HR2tV
bWNYUG16QTZ1b3RHWThPcm5vdUpGenMKs7xWFe70u3ochn51t7uGITG/oHRDC4v5
LJIl5LBauwkJO3ddZqPnc57ci2lXukM8Z4EKi3QwYiJ6dxxtizTAng==
-----END AGE ENCRYPTED FILE-----
- recipient: age14x7k4stulqyp849x3uksprk2w3vjyn6pjlvgrp6up3tem6g6xucqvms68t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbG9VZDBvM3k2Z0pFMTNO
ZHQ2UUtMWnJhVGY2M256L2lEbVpLUFM4R0V3ClhCNUV1b0ZEQkhaRklMenpyRzJq
Ym95Y21BUHpacXhFcnhwY2FwMUMzQ2MKLS0tIDRuY2FnbVEzQ295R3JqUnk0NjVC
enEyWkRVT014Vk1FTktmVU5kbjVaUTAKJKIIMjBDLJxXv6y9nIzirH5vaqkQyZ6a
pF45ayqxXOAdonrnn0hbyxW8NcKp0Jjy0ehTd6AfAnNCrxPomPbflw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-27T13:55:15Z"
mac: ENC[AES256_GCM,data:sV9QVvQTeHAqPVluN+RHyUXI9zmMw3P6ok1VQ+XHnOcJb4GSWkUdOmWT4XcAMWUSPKEIbexei97rfj46BMT+2VbJS414buoOxvKSx17UVEdFwlXGVIv3jvmyrfp3jd66gSYzznJe8wBakbdKWCHb5kLnF4tqGpdgKprAxwaYnlU=,iv:wEk4qVEF20OZzdjRCRjMzZgipI76hIew39GF/dknKr4=,tag:jJU5JBHsElMxgIgANDcuJg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

19
library/secrets/sb1.yaml
View File

@ -9,11 +9,20 @@ sops:
- recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug - recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdlpSYXhOdndtS0Y0QTRz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZWllVjN5TE1YUENueFFo
N2pxczhIQVBWSnV1dnY3WDVVRlErYnh4OWdnClRUSjVXeWMrTmxWVEVGT0V6YUMr NVZDbXc5cEFBZ25PaVVRYWtGN3ZuMDI3cVhnCmRSM0g3SzU3dWZueGF2dGZYa01z
V2ovSVhpcmRIN3ljWUx0cmJnSnBzMzAKLS0tIHBNalN3emcrbjZZcytoVFgyQTh2 OFFuMVFIbFdRUkFGaDcyWThnME56cW8KLS0tIFkxanBHUEdOOEJ1cXppSmhDUUdC
elREcXRxeGdVTW1TZGtKelVURkdlWW8KSWpXIAL0Vb1a3un8WIcjMNbIbR41VcK2 czExSmg1YWo4YlZQM0plSG5vNnpsR28KQ8v96L/EcZmyBFnKjhJPsgN6miKdWHGt
604AZYjooB6OzX2sOkGOOAIvB17S2nesL/nQUobWkM8bQSuH/TgR5g== 61KwpMn8g89+f+QdFfji4NkJfteeLsnHMG+JKzoetVB05Xp+cDwfmg==
-----END AGE ENCRYPTED FILE-----
- recipient: age14x7k4stulqyp849x3uksprk2w3vjyn6pjlvgrp6up3tem6g6xucqvms68t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQ2d2ZVlpTG5NTnZ0RHYx
WDVyMlkvVHdhNCtPSFluSHVQSW4yM1dhdmc0CktUazdwK1J1ME1CZERnZlRDM25p
bFczQ2hUYWY5YVZ0TTU3R2FLSHk4RkEKLS0tIGJBVkEwcDk4MjdJL3FMVnVXd0ZO
YS9pM3VKcTlTSVArK1B3ZHZnRzhvQW8KfdvpHYMWHkTaprrB1WgRIBHzQnaWeKmp
Rx6xKwOeTaIS4g62Lv9M9uHJzaVD2v22Q53MNeHOPS+47D7XBrstrA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-01T22:35:24Z" lastmodified: "2025-01-01T22:35:24Z"
mac: ENC[AES256_GCM,data:PH0lfE79d1ZuE0YyMZuWhpZNu1OHh+9JMNbr66RJoRRPpLa134Y6mQE+PzZXOZ0PR2mT+VOrkNhNRhzEhr79oScM0d3ahBfKVY8VcNpvP34Llb9PQWPAZpQ5moa9o6g850bLrXl3XolLPEMpZg4BVa5EzFjo9BXNbuSY/zoW2x0=,iv:my+mb+qbjDs3iHdmaEptylgHbNu7a6zwHx2NEhlwi1Q=,tag:YfEYhl4QOulNbKALLB8ylg==,type:str] mac: ENC[AES256_GCM,data:PH0lfE79d1ZuE0YyMZuWhpZNu1OHh+9JMNbr66RJoRRPpLa134Y6mQE+PzZXOZ0PR2mT+VOrkNhNRhzEhr79oScM0d3ahBfKVY8VcNpvP34Llb9PQWPAZpQ5moa9o6g850bLrXl3XolLPEMpZg4BVa5EzFjo9BXNbuSY/zoW2x0=,iv:my+mb+qbjDs3iHdmaEptylgHbNu7a6zwHx2NEhlwi1Q=,tag:YfEYhl4QOulNbKALLB8ylg==,type:str]

31
library/secrets/users.yaml Normal file
View File

@ -0,0 +1,31 @@
root-password: ENC[AES256_GCM,data:SaK/GlzszoYqf1l+fxqXe24ipAhU6xicqwXjTeeABIag4ZOqc6fYp6h1faPDOzNqfKX0D2wrWVahTcZ5eJM8Jc3mi8AJi9VrLg==,iv:no4IU8AolKrvuTediCOQgrJkuRX4BInmVnRLER3QVjI=,tag:l2zWu7ieqiT9dsjVe80T4g==,type:str]
user-password: ENC[AES256_GCM,data:0kN3tnoZ2OD1YO/xz9WnvJixShopigtDGVnvaTRvib2vkO7pMl2Jlg5WIFo37Bb3zwWw0OkIiA2exXcBiSRJiIxmoWR8mmBI4Q==,iv:qHbE6GqJPUHTUgMd/ty+clg5roJLswoCw2xO5M1KKqo=,tag:85KUx5wrd9SnRITsUAMUPg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBveHVjN2EwYjgrc2FLRVpL
cVBUNStRRkI2RnpBb3YzZUx6dnpJUHhiamwwCkJ1L3lubWZ3Y0YyWXNQWmJkMjhL
TkxTejRWUWIzajBNcFBqSnJBQ1BFL2cKLS0tIEl0TllEcStwTWF0NngxWVM1cUdI
M2E5TG56S3FMaFVhUG5JQmw2SWpKQjAKNmddLTfypjo3wU84jOsCQULX5cmUunWt
WM712sCFeJShWTA47zBg9um4+dWhY+QungDiuJO2+zoj6UMuE31vew==
-----END AGE ENCRYPTED FILE-----
- recipient: age14x7k4stulqyp849x3uksprk2w3vjyn6pjlvgrp6up3tem6g6xucqvms68t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cUFWeDJ2L1lWazE1eFZC
MEZSQmRiNDhuY0VvWStMUkUrQ0Z0V1BrYVdZCitFTDB4d2ZWVE5lLzhMbWFVSFZ3
RkdxTzlYQkRyclFFclhnRXdqa1o3Z0kKLS0tIEFmNUFTWkl4K3dtTWhJK2ptWXpJ
NUdwczNJNDVEQkk5cnl4Mmh3UGMra1EKFEIbff+6kGo67KCd1Dj+dRaqlfM5Rmi5
MiYibYIb5Ff47HG/uEA/u5nt/DHE8yUGeBldbJoqE92arA18st8dgg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-27T13:58:51Z"
mac: ENC[AES256_GCM,data:uMCeMLYJrfAHQ037NZKmXTuPuZnSU1GOCFMsVE/xjGBkZnXJ4yYh3Fec3ncyuD0HWHgEeFGh4lRi3YNu6nkiK2R/mCrIrm4A3Ry0k0yGjam6Q8dfigaV9RkmMf50bV+JA6j03G5pxfyrBq5OTSWohYSmsvOTJXRKvIJalxfn+f0=,iv:AUcoar5Ls3qLtcg6WkHjElYefwsHN2GNKIMinvF0bps=,tag:qDCpTXRMsjS8880csWRTpw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

1
modules/default.nix
View File

@ -1,4 +1,5 @@
{ {
sv1 = import ./sv1.nix; sv1 = import ./sv1.nix;
dk1 = import ./dk1.nix; dk1 = import ./dk1.nix;
dk1-iso = import ./dk1-iso.nix;
} }

133
modules/dk1-iso.nix Normal file
View File

@ -0,0 +1,133 @@
{
lib,
config,
pkgs,
modulesPath,
...
}: {
imports = with lib.nixosModules; [
(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
sops
];
sops = {
gnupg.sshKeyPaths = [];
age = {
sshKeyPaths = [];
keyFile = "/iso/key";
};
secrets = {
root-password = {
sopsFile = lib.secrets.users;
neededForUsers = true;
};
user-password = {
sopsFile = lib.secrets.users;
neededForUsers = true;
};
home-ssid.sopsFile = lib.secrets.network-manager;
home-psk.sopsFile = lib.secrets.network-manager;
};
templates.network-manager.content = ''
home_ssid="${config.sops.placeholder.home-ssid}"
home_psk="${config.sops.placeholder.home-psk}"
'';
};
boot.extraModulePackages = with config.boot.kernelPackages; [
rtl88xxau-aircrack
];
networking = {
hostName = "dk1-iso";
wireless.enable = false;
networkmanager = {
enable = true;
ensureProfiles = {
profiles.home = {
connection = {
id = "home";
type = "wifi";
};
ipv4 = {
method = "manual";
address1 = "192.168.0.200/24";
gateway = "192.168.0.1";
dns = "192.168.0.1";
};
wifi = {
ssid = "$home_ssid";
mode = "infrastructure";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$home_psk";
};
};
environmentFiles = [config.sops.templates.network-manager.path];
};
};
};
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "uk";
users = {
mutableUsers = false;
users = {
root = {
isSystemUser = true;
hashedPassword = null;
hashedPasswordFile = config.sops.secrets.root-password.path;
openssh.authorizedKeys.keys = with lib.sshKeys; [
lp1.user
lp2.user
];
};
user = {
isNormalUser = true;
extraGroups = ["wheel"];
hashedPassword = null;
hashedPasswordFile = config.sops.secrets.user-password.path;
openssh.authorizedKeys.keys = with lib.sshKeys; [
lp1.user
lp2.user
];
};
nixos = {
hashedPassword = null;
hashedPasswordFile = config.sops.secrets.user-password.path;
};
};
};
services = {
openssh = {
enable = true;
settings.PermitRootLogin = lib.mkForce "without-password";
};
getty = {
helpLine = lib.mkForce "";
autologinUser = lib.mkForce null;
};
};
nixpkgs.overlays = [lib.overlays.pkgs];
environment.systemPackages = with pkgs; [
git
my-vim
nixos-anywhere
];
nix.settings = {
trusted-users = ["root"];
experimental-features = [
"nix-command"
"flakes"
];
};
system.stateVersion = "24.11";
}

9
modules/dk1.nix
View File

@ -7,7 +7,7 @@
imports = with lib.nixosModules; [disko]; imports = with lib.nixosModules; [disko];
disko.devices.disk.NixOS = { disko.devices.disk.NixOS = {
device = "/dev/"; device = "/dev/nvme0n1";
type = "disk"; type = "disk";
content = { content = {
type = "gpt"; type = "gpt";
@ -44,7 +44,10 @@
efiSupport = true; efiSupport = true;
device = "nodev"; device = "nodev";
}; };
efi.efiSysMountPoint = "/efi"; efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/efi";
};
}; };
extraModulePackages = with config.boot.kernelPackages; [rtl88xxau-aircrack]; extraModulePackages = with config.boot.kernelPackages; [rtl88xxau-aircrack];
}; };
@ -73,7 +76,7 @@
}; };
}; };
nixpkgs.overlays = with lib.overlays; [pkgs]; nixpkgs.overlays = [lib.overlays.pkgs];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git
my-vim my-vim

3
overlays/default.nix
View File

@ -3,7 +3,8 @@
disko, disko,
impermanence, impermanence,
sops-nix, sops-nix,
nixos-anywhere,
}: { }: {
lib = import ./lib.nix {inherit nixos-config disko impermanence sops-nix;}; lib = import ./lib.nix {inherit nixos-config disko impermanence sops-nix;};
pkgs = import ./pkgs.nix {inherit nixos-config;}; pkgs = import ./pkgs.nix {inherit nixos-config nixos-anywhere;};
} }

6
overlays/lib.nix
View File

@ -4,13 +4,13 @@
impermanence, impermanence,
sops-nix, sops-nix,
}: final: prev: let }: final: prev: let
inherit (nixos-config) overlays library; inherit (nixos-config) library overlays nixosConfigurations nixosModules;
in in
library library
// {inherit overlays;} // {inherit overlays nixosConfigurations;}
// { // {
nixosModules = nixosModules =
nixos-config.nixosModules nixosModules
// disko.nixosModules // disko.nixosModules
// sops-nix.nixosModules // sops-nix.nixosModules
// impermanence.nixosModules; // impermanence.nixosModules;

11
overlays/pkgs.nix
View File

@ -1,4 +1,11 @@
{nixos-config}: final: prev: let {
nixos-config,
nixos-anywhere,
}: final: prev: let
inherit (nixos-config) overlays packages; inherit (nixos-config) overlays packages;
in in
packages.x86_64-linux // {lib = prev.lib.extend overlays.lib;} packages.x86_64-linux
// {
lib = prev.lib.extend overlays.lib;
inherit (nixos-anywhere.packages.x86_64-linux) nixos-anywhere;
}

3
packages/default.nix
View File

@ -1,4 +1,7 @@
{pkgs}: { {pkgs}: {
my-vim = pkgs.callPackage ./my-vim {}; my-vim = pkgs.callPackage ./my-vim {};
my-site = pkgs.callPackage ./my-site {}; my-site = pkgs.callPackage ./my-site {};
iso-writer = pkgs.callPackage ./iso-writer {};
dk1-iso = pkgs.callPackage ./dk1-iso {};
remote-installer = pkgs.callPackage ./remote-installer {};
} }

4
packages/dk1-iso/default.nix Normal file
View File

@ -0,0 +1,4 @@
{lib}: let
inherit (lib.nixosConfigurations) dk1-iso;
in
dk1-iso.config.system.build.isoImage

30
packages/iso-writer/default.nix Normal file
View File

@ -0,0 +1,30 @@
{
lib,
stdenvNoCC,
makeWrapper,
coreutils,
xorriso,
dk1-iso,
}: let
inherit (lib) makeBinPath;
runtimeInputs = [
coreutils
xorriso
];
in
stdenvNoCC.mkDerivation {
name = "iso-writer";
src = ./src;
nativeBuildInputs = [makeWrapper];
buildInputs = runtimeInputs;
installPhase = ''
mkdir -p $out/bin
cp $src/iso-writer.sh $out/bin/iso-writer
chmod +x $out/bin/iso-writer
'';
postFixup = ''
wrapProgram $out/bin/iso-writer \
--set PATH ${makeBinPath runtimeInputs} \
--set source ${dk1-iso}/iso/${dk1-iso.isoName}
'';
}

62
packages/iso-writer/src/iso-writer.sh Normal file
View File

@ -0,0 +1,62 @@
#!/usr/bin/env bash
read -a arguments <<< "$@"
number_of_arguments="${#arguments[@]}"
arguments_last_index="$(expr $number_of_arguments - 1)"
for argument_index in $(seq 0 "$arguments_last_index")
do
argument="${arguments[argument_index]}"
next_argument_index="$(expr $argument_index + 1)"
next_argument="${arguments[next_argument_index]}"
case "$argument" in
--*)
name="${argument/--/}"
[ "$argument_index" -eq "$arguments_last_index" \
-o "${next_argument:0:2}" = "--" ] \
&& declare "$name=$name"
;;
*)
value="$argument"
[ -n "$name" ] \
&& declare "$name=$value"
name=""
;;
esac
done
[ -n "$help" ] \
&& printf "Usage: iso-writer" \
&& printf " [--help]" \
&& printf " --source source" \
&& printf " [--key key]" \
&& printf " [--target target]" \
&& printf " --device device" \
&& printf "\n" \
&& printf "Write a keyed nixos-config iso to a device." \
&& printf "\n" \
&& exit
root_id="0"
[ "$(id -u)" -ne "$root_id" ] \
&& printf "Not running as root, exiting.\n" >&2 \
&& exit
[ -z "$source" ] \
&& printf "Source missing, exiting.\n" >&2 \
&& exit
[ -z "$device" ] \
&& printf "Device missing, exiting.\n" >&2 \
&& exit
[ -z "$key" ] \
&& target="$source"
[ -n "$key" -a -z "$target" ] \
&& temporary_directory="$(mktemp -d)" \
&& target="$temporary_directory/target.iso" \
&& trap "rm -rf \"$target\"" SIGTERM
[ -n "$key" ] \
&& xorriso \
-indev "$source" \
-outdev "$target" \
-map "$key" /key \
-boot_image any replay
dd bs=4M status=progress if="$target" of="$device"

28
packages/remote-installer/default.nix Normal file
View File

@ -0,0 +1,28 @@
{
lib,
stdenvNoCC,
makeWrapper,
coreutils,
nixos-anywhere,
}: let
inherit (lib) makeBinPath;
runtimeInputs = [
coreutils
nixos-anywhere
];
in
stdenvNoCC.mkDerivation {
name = "remote-installer";
src = ./src;
nativeBuildInputs = [makeWrapper];
buildInputs = runtimeInputs;
installPhase = ''
mkdir -p $out/bin
cp $src/remote-installer.sh $out/bin/remote-installer
chmod +x $out/bin/remote-installer
'';
postFixup = ''
wrapProgram $out/bin/remote-installer \
--set PATH ${makeBinPath runtimeInputs}
'';
}

50
packages/remote-installer/src/remote-installer.sh Normal file
View File

@ -0,0 +1,50 @@
#!/usr/bin/env bash
read -a arguments <<< "$@"
number_of_arguments="${#arguments[@]}"
arguments_last_index="$(expr $number_of_arguments - 1)"
for argument_index in $(seq 0 "$arguments_last_index")
do
argument="${arguments[argument_index]}"
next_argument_index="$(expr $argument_index + 1)"
next_argument="${arguments[next_argument_index]}"
case "$argument" in
--*)
name="${argument/--/}"
[ "$argument_index" -eq "$arguments_last_index" \
-o "${next_argument:0:2}" = "--" ] \
&& declare "$name=$name"
;;
*)
value="$argument"
[ -n "$name" ] \
&& declare "$name=$value"
name=""
;;
esac
done
[ -n "$help" ] \
&& printf "Usage: remote-installer" \
&& printf " [--help]" \
&& printf "\n" \
&& printf "Install a NixOS configuration remotely." \
&& printf "\n" \
&& exit
[ -z "$flake_address" ] \
&& protocol="git+https" \
&& gitea="gitea.dylanblades.com" \
&& repository="Bladesy/nixos-config" \
&& flake_address="$protocol://$gitea/$repository"
[ -z "$host_name" ] \
&& printf "host_name not provided.\n" \
&& exit
[ -z "$host_address" ] \
&& printf "host_address not provided.\n" \
&& exit
nixos-anywhere \
--disko-mode disko \
--flake "$flake_address#$host_name" \
--target-host "root@$host_address"