From fb0c1a44512f1c02f6b8f414085c387e019d25c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Sat, 16 Sep 2023 21:51:35 +0200
Subject: [PATCH] Big readme update and more
Updated readme with tons of information. Made kazuki a hercules agent. Fixed secrets ownerships. Started working on a custom installer iso. Changed helix theme.
---
 README.md | 43 ++++++++++++++++
 effects.nix | 6 ++-
 flake.lock | 67 ++++++++++++-------------
 flake.nix | 12 ++++-
 hosts/common/default.nix | 5 ++
 hosts/common/hercules.nix | 24 +++++++++
 hosts/default.nix | 3 ++
 hosts/installer/default.nix | 15 ++++++
 hosts/kazuki/default.nix | 2 +
 hosts/kazuki/vault.nix | 5 +-
 hosts/legion/default.nix | 1 +
 hosts/legion/initrd.nix | 14 ++++++
 modules/nixos/settei/sane-defaults.nix | 2 +
 modules/nixos/settei/user.nix | 2 +
 secrets/hercules-token.age | Bin 0 -> 607 bytes
 secrets/secrets.nix | 1 +
 wrappers/helix/default.nix | 1 +
 17 files changed, 164 insertions(+), 39 deletions(-)
 create mode 100644 hosts/common/default.nix
 create mode 100644 hosts/common/hercules.nix
 create mode 100644 hosts/installer/default.nix
 create mode 100644 hosts/legion/initrd.nix
 create mode 100644 secrets/hercules-token.age
diff --git a/README.md b/README.md
index d3794b0..de09368 100644
--- a/README.md
+++ b/README.md
@@ -3,3 +3,46 @@ 雪定(せってい)
+
+## Project structure
+- hosts - per-machine configurations
+ - common - common options between my machines which aren't reusable by others
+ - kazuki - my linux arm server
+ - legion - my linux x86 server[^1]
+ - hijiri - my macbook[^1]
+ - hijiri-vm - linux vm running on my macbook
+ - miyagi - my work machine[^1]
+- modules - options which in principle should be reusable by others
+ - nixos
+ - settei - my opinionated nixos options
+ - flake - flake-parts modules
+- secrets - agenix secrets
+- wrappers - nix packages wrapped with my configs (see: [wrapper-manager](https://github.com/viperML/wrapper-manager))
+- assets - miscellaneous values reused throughout my config
+- effects.nix - hercules-ci configuration
+- deploy.nix - deploy-rs configuration
+
+[^1]: Machine not migrated yet or in the process of migrating. See: https://nest.pijul.com/nrabulinski/nix-config
+
+## Code guidelines
+
+Not set rules but general guidelines for myself to hopefully keep this config clean, maintainable, and reusable.
+
+- only importing downwards. this means no `imports = [ ../../foo/bar/some-module.nix ];`
+- ideally only one level of imports.
+this means i'll try to only do `imports = [ ./foo ];` or `imports = [ ./bar.nix ]` but not `imports = [ ./x/y/z.nix ];`
+- the file should be roughly in order of most interesting to least interesting options.
+- `imports` should be the first attribute (except for `_file`)
+- anything that goes into `modules` should be usable by others. any options specific to me go into `hosts/default.nix` or `hosts/common`.
+- there should be no implicit state anywhere in the config.
+(sounds obvious but this is already broken with legion and the zfs pool but i'll let that one slide)
+to achieve this i still need to create a proper live iso with my config and my bootstrapping ssh key
+
+## TODOs
+Sorted rougly by priority
+
+- finish migrating legion
+- private nix cache
+- set up hercules agent on legion
+- hercules-ci checking if configuration is valid
+- hercules-ci effects for deploying machines on update (if configuration is valid)
diff --git a/effects.nix b/effects.nix
index 9ca8b80..368f6ec 100644
--- a/effects.nix
+++ b/effects.nix
@@ -1,5 +1,9 @@
 {
+ defaultEffectSystem = "aarch64-linux";
 hercules-ci = {
- flake-update.enable = true;
+ flake-update = {
+ enable = true;
+ when.dayOfWeek = null;
+ };
 };
 }
diff --git a/flake.lock b/flake.lock
index a50c369..4c075b8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -175,28 +175,6 @@
 "type": "github" } }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "hercules-ci-effects", - "hercules-ci-agent", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "haskell-flake": { "locked": { "lastModified": 1684780604,
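Review bot: `when.dayOfWeek = null;` is the whole substance of the effects.nix change and it is unexplained — as far as I recall the hercules-ci-effects flake-update job is weekly by default and clearing `dayOfWeek` makes it run every day, which a reader cannot tell from a bare `null`. A comment on that line, `# no weekday restriction: run the flake update daily`, would record the intent. Likewise `defaultEffectSystem = "aarch64-linux";` could say why that system was picked (presumably because kazuki, the arm server this commit turns into an agent, is the only machine that will run effects).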
@@ -215,21 +193,24 @@ }, "hercules-ci-agent": { "inputs": { - "flake-parts": "flake-parts_2", + "flake-parts": [ + "flake-parts" + ], "haskell-flake": "haskell-flake", "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1688568579, - "narHash": "sha256-ON0M56wtY/TIIGPkXDlJboAmuYwc73Hi8X9iJGtxOhM=", + "lastModified": 1693397971, + "narHash": "sha256-P5PQ8KzK/SXvEsw+AzG7OBUgnGhuUzKETNHhqVokc+0=", "owner": "hercules-ci", "repo": "hercules-ci-agent", - "rev": "367dd8cd649b57009a6502e878005a1e54ad78c5", + "rev": "344b8b1079731a8c1e144119174f684fb492e03a", "type": "github" }, "original": { - "id": "hercules-ci-agent", - "type": "indirect" + "owner": "hercules-ci", + "repo": "hercules-ci-agent", + "type": "github" } }, "hercules-ci-effects": { @@ -237,10 +218,10 @@ "flake-parts": [ "flake-parts" ], - "hercules-ci-agent": "hercules-ci-agent", - "nixpkgs": [ - "nixpkgs" - ] + "hercules-ci-agent": [ + "hercules-ci-agent" + ], + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1689397210, @@ -306,7 +287,7 @@ "flake-parts": [ "flake-parts" ], - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1690830552, @@ -382,6 +363,21 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1689393711, + "narHash": "sha256-l3gyTPy/qWLDk1CY1EgYwlsxcGxN2aVd7MlCzQa69rk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "27fcd46fa18df36d270174246e7bd8f1787129ff", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1690753480, "narHash": "sha256-GQgPs8fCh/LsyQoYMUZgT2p7jFVWyHu9p+1Nl/dp8GY=", @@ -397,7 +393,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1694760568, "narHash": "sha256-3G07BiXrp2YQKxdcdms22MUx6spc6A++MSePtatCYuI=", 
@@ -441,11 +437,12 @@
 "deploy-rs": "deploy-rs", "disko": "disko", "flake-parts": "flake-parts", + "hercules-ci-agent": "hercules-ci-agent", "hercules-ci-effects": "hercules-ci-effects", "home-manager": "home-manager", "mailserver": "mailserver", "niko-nur": "niko-nur", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "racket": "racket", "wrapper-manager": "wrapper-manager", "wrapper-manager-hm-compat": "wrapper-manager-hm-compat"
diff --git a/flake.nix b/flake.nix
index 36e4312..43c4486 100644
--- a/flake.nix
+++ b/flake.nix
@@ -100,10 +100,16 @@
 url = "github:nrabulinski/racket.nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ hercules-ci-agent = {
+ url = "github:hercules-ci/hercules-ci-agent";
+ inputs.flake-parts.follows = "flake-parts";
+ };
 hercules-ci-effects = {
 url = "github:hercules-ci/hercules-ci-effects";
- inputs.nixpkgs.follows = "nixpkgs";
- inputs.flake-parts.follows = "flake-parts";
+ inputs = {
+ flake-parts.follows = "flake-parts";
+ hercules-ci-agent.follows = "hercules-ci-agent";
+ };
 };
 };
@@ -113,12 +119,14 @@
 "https://cache.garnix.io"
 "https://nix-community.cachix.org"
 "https://cache.nixos.org/"
+ "https://hercules-ci.cachix.org"
 ];
 trusted-public-keys = [
 "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
 "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
 ];
 };
 }
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
new file mode 100644
index 0000000..3d41fec
--- /dev/null
+++ b/hosts/common/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./hercules.nix
+ ];
+}
diff --git a/hosts/common/hercules.nix b/hosts/common/hercules.nix
new file mode 100644
index 0000000..7d96f71
--- /dev/null
+++ b/hosts/common/hercules.nix
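Review bot: `hercules-ci-effects` no longer follows the flake's `nixpkgs` — the removed `inputs.nixpkgs.follows = "nixpkgs";` line has no counterpart in the new `inputs = { ... }` set, and the flake.lock hunk in this same commit shows hercules-ci-effects now pinned to its own `nixpkgs_3`. That means effects are evaluated against a second nixpkgs revision the rest of the flake does not track, one more tree to update and audit. If this is intended (say, the effects need a newer nixpkgs), a comment on the input saying so would help; otherwise add `nixpkgs.follows = "nixpkgs";` beside the two `follows` lines in the new set. The `inputs` attribute set this hunk edits opens and closes outside the hunk.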
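Review bot: The hercules-ci.cachix.org substituter and its trusted public key are added here and again in modules/nixos/settei/sane-defaults.nix later in this patch, so the two lists will drift the next time a cache is added or a key rotates; the README added by this commit describes `assets` as the place for values reused throughout the config, which would fit a single shared list. A `trusted-public-keys` entry lets that cache supply any store path a build asks for, so a one-line comment above each new key recording where it was copied from and when it was checked, e.g. `# key from https://hercules-ci.cachix.org (checked <date>)`, keeps it re-verifiable. The enclosing block (presumably `nixConfig`) starts outside the hunk.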
@@ -0,0 +1,24 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ options.common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
+
+ config = lib.mkIf config.common.hercules.enable {
+ age.secrets.hercules-token = {
+ file = ../../secrets/hercules-token.age;
+ owner = config.systemd.services.hercules-ci-agent.serviceConfig.User;
+ };
+
+ services.hercules-ci-agent = {
+ enable = true;
+ settings = {
+ clusterJoinTokenPath = config.age.secrets.hercules-token.path;
+ concurrentTasks = lib.mkDefault 4;
+ binaryCachesPath = pkgs.writeText "empty-caches.json" "{}";
+ };
+ };
+ };
+}
diff --git a/hosts/default.nix b/hosts/default.nix
index 4dcf82e..3f6095b 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -43,7 +43,9 @@
 inputs.disko.nixosModules.disko
 inputs.mailserver.nixosModules.default
 inputs.home-manager.nixosModules.home-manager
+ inputs.hercules-ci-agent.nixosModules.agent-service
 self.nixosModules.settei
+ ./common
 defaultOptions
 module
 ];
@@ -55,5 +57,6 @@
 ./kazuki
 ./hijiri-vm
 # ./legion
+ ./installer
 ];
 }
diff --git a/hosts/installer/default.nix b/hosts/installer/default.nix
new file mode 100644
index 0000000..4a46850
--- /dev/null
+++ b/hosts/installer/default.nix
@@ -0,0 +1,15 @@
+{lib, ...}: {
+ configurations.nixos = let
+ mkInstaller = system: ({pkgs, ...}: {
+ nixpkgs = {inherit system;};
+
+ environment.systemPackages = [pkgs.nixos-install-tools];
+
+ # Make nixos-anywhere treat this as a installer iso
+ system.nixos.variant_id = "installer";
+ });
+ systems = ["aarch64-linux" "x86_64-linux"];
+ installers = map (system: lib.nameValuePair "installer-${system}" (mkInstaller system)) systems;
+ in
+ lib.listToAttrs installers;
+}
diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix
index 1b915f2..d7bc7a1 100644
--- a/hosts/kazuki/default.nix
+++ b/hosts/kazuki/default.nix
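Review bot: `lib.mkEnableOption "Enables hercules-ci-agent with my configuration"` renders as "Whether to enable Enables hercules-ci-agent …", because mkEnableOption prefixes "Whether to enable " itself; pass a noun phrase instead, `lib.mkEnableOption "hercules-ci-agent with my configuration"`. The line `binaryCachesPath = pkgs.writeText "empty-caches.json" "{}";` deserves a why-comment, since an empty JSON file is a magic value — presumably the agent should build but push to no cache until the README's "private nix cache" TODO is done, and saying so there would save the next reader a lookup. Because this commit enables the module on kazuki, which the patch also shows hosting vaultwarden, a header comment on the module stating that the agent executes builds and effects dispatched for this repository would make that widened exposure of the host explicit.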
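Review bot: The comment `# Make nixos-anywhere treat this as a installer iso` should read `an installer iso`, and it would help to say what nixos-anywhere does differently for that value, since `system.nixos.variant_id` is otherwise a free-form string. As far as this hunk shows, `mkInstaller` imports no installation-media or image module, so the resulting configurations are plain NixOS systems rather than ISOs — consistent with the commit message's "started working on", but a `# TODO` at the top of the file listing what is still missing (the image module, and the bootstrapping ssh key the README says the live iso must carry) would make that state visible rather than implicit.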
@@ -24,5 +24,7 @@
 loader.systemd-boot.configurationLimit = 1;
 loader.efi.canTouchEfiVariables = true;
 };
+
+ common.hercules.enable = true;
 };
 }
diff --git a/hosts/kazuki/vault.nix b/hosts/kazuki/vault.nix
index c5328c9..99ff89a 100644
--- a/hosts/kazuki/vault.nix
+++ b/hosts/kazuki/vault.nix
@@ -1,5 +1,8 @@
 {config, ...}: {
- age.secrets.vault-cert-env.file = ../../secrets/vault-cert-env.age;
+ age.secrets.vault-cert-env = {
+ file = ../../secrets/vault-cert-env.age;
+ owner = config.services.nginx.user;
+ };
 services.vaultwarden = {
 enable = true;
diff --git a/hosts/legion/default.nix b/hosts/legion/default.nix
index bec2483..120d8b6 100644
--- a/hosts/legion/default.nix
+++ b/hosts/legion/default.nix
@@ -9,6 +9,7 @@ in {
 imports = [
 ./hardware.nix
 # ./disks.nix
+ ./initrd.nix
 ];
 nixpkgs.system = "x86_64-linux";
diff --git a/hosts/legion/initrd.nix b/hosts/legion/initrd.nix
new file mode 100644
index 0000000..b9d4527
--- /dev/null
+++ b/hosts/legion/initrd.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ username,
+ ...
+}: {
+ boot.initrd = {
+ availableKernelModules = ["ath10k_pci" "r8169"];
+ network.enable = true;
+ network.ssh = {
+ enable = true;
+ authorizedKeys = config.users.users.${username}.openssh.authorizedKeys.keys;
+ };
+ };
+}
diff --git a/modules/nixos/settei/sane-defaults.nix b/modules/nixos/settei/sane-defaults.nix
index f3964c8..9dca8f8 100644
--- a/modules/nixos/settei/sane-defaults.nix
+++ b/modules/nixos/settei/sane-defaults.nix
@@ -65,11 +65,13 @@
 "https://hyprland.cachix.org"
 "https://cache.garnix.io"
 "https://nix-community.cachix.org"
+ "https://hercules-ci.cachix.org"
 ];
 trusted-public-keys = [
 "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
 "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
 ];
 };
 };
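Review bot: `owner = config.services.nginx.user;` gives the nginx process read access to the decrypted vault-cert-env secret, and whether that is the right reader is not visible here — the `services.vaultwarden` block that presumably consumes it continues outside the hunk. If the file is handed to vaultwarden (for instance as its environment file), the owner should be vaultwarden's service user and nginx should not be able to read it; if nginx really is the consumer, a one-line comment such as `# read by nginx, hence the owner` would stop the next reader from "fixing" it the other way.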
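Review bot: `boot.initrd.network.ssh` is enabled without `hostKeys`, and as far as I recall NixOS's initrd-ssh module asserts that at least one host key is configured unless `ignoreEmptyHostKeys` is set; this will not surface yet because `./legion` stays commented out in hosts/default.nix in this same patch. When the key is added, note in a comment that it is copied into the initrd, which lives unencrypted in /boot, so it should be a dedicated key rather than the system's sshd host key, e.g. `hostKeys = [ "<path-to-initrd-host-key>" ]; # placeholder path`, and since that path is exactly the host-local state the README says the config should avoid, the comment should also say how it is provisioned. It is also worth stating next to `authorizedKeys` that the reused user keys now grant a pre-boot root shell in the initrd, not just a user login.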
diff --git a/modules/nixos/settei/user.nix b/modules/nixos/settei/user.nix index 74850a0..348c8d6 100644 --- a/modules/nixos/settei/user.nix +++ b/modules/nixos/settei/user.nix @@ -29,6 +29,8 @@ in { home-manager.extraSpecialArgs = cfg.extraArgs; home-manager.users.${username} = { + _file = ./user.nix; + imports = [cfg.config]; home = { diff --git a/secrets/hercules-token.age b/secrets/hercules-token.age new file mode 100644 index 0000000000000000000000000000000000000000..06175fb6dda49d5866669465543918974c4b63c5 GIT binary patch literal 607 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT)Fv+saEmtTE^)W4u z2+JK#8dQoa(ajJreS7C;FrGlZMBUiD0K}Mu` znWv#wNkzG1W^QF}sK2j|Czr0Su7Z2Gg=unVM0R0BXjZOKMOkujkbiPufMaQCc14b9 zWl>o~end*Pn^%gfFV~N$YYrIx(e5mGu*6`QZqSpG``HhcU0QNp$859on-5idUXQ*x z2r%VcI(ziyQcqwtp(i*Ip$n7?9z7 zftLoSLCn^}p{POl* zw|t$K-NQROeyx!aViT9`OPus}R(!Fk*yoZQnS)j5pBrENwa)XvbCF*>FXyrHGC$w* z+3VtT?a#)iPaY2Tefo7t%CEdeCa<2$f_%CKN$<*^zS^h#qsVaPbL9+s^U3zpRokSV pR)uch-uLvmZ$3lU%&BI-s!aO@U;gXTe&@3L@{0Ov?hA96Vga|U_m%(v literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9b19c60..143e71a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -5,4 +5,5 @@ in { "alert-nrab-lol-pass.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; "vault-cert-env.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; # "bitwarden-env-file.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; + "hercules-token.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; } diff --git a/wrappers/helix/default.nix b/wrappers/helix/default.nix index 6b7a3ea..353bd5e 100644 --- a/wrappers/helix/default.nix +++ b/wrappers/helix/default.nix @@ -15,6 +15,7 @@ cursorline = true; auto-save = true; indent-guides.render = true; + theme = "base16_default_dark"; }; }; languages = {