diff --git a/base.nix b/base.nix index f839f9f..69c4920 100644 --- a/base.nix +++ b/base.nix @@ -71,6 +71,9 @@ users.groups."drift".name = "drift"; + # Trusted users on the nix builder machines + users.groups."nix-builder-users".name = "nix-builder-users"; + services.openssh = { enable = true; extraConfig = '' diff --git a/flake.lock b/flake.lock index 2ca51b4..19a7ed9 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699099781, + "narHash": "sha256-2WAs839yL6xmIPBLNVwbft46BDh0/RAjq1bAKNRqeR4=", + "owner": "nix-community", + "repo": "disko", + "rev": "548962c50b8afad7b8c820c1d6e21dc8394d6e65", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "grzegorz": { "inputs": { "nixpkgs": [ @@ -45,11 +65,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1697420972, - "narHash": "sha256-eFDasOzXAN8VswUntNBBwvKFyVKFvmwRNNVTDfGdB3M=", + "lastModified": 1697936579, + "narHash": "sha256-nMyepKnwoHMzu2OpXvG2ZhU081TV9ENmWCo0vWxs6AI=", "owner": "dali99", "repo": "nixos-matrix-modules", - "rev": "1e370b96223b94d52006249a60033caaea605c65", + "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9", "type": "github" }, "original": { @@ -60,11 +80,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1697706247, - "narHash": "sha256-nWLggeUxn/l8JrcQr9f+RfnCXp8cn0BN568PjMJh9ko=", + "lastModified": 1699024625, + "narHash": "sha256-abDyXs00jZtQcTrujB/a9MaIp7VY5v1VDVCF4zhXVYE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4ee5b576ac2861a818950aea99f609d7a6fc02a3", + "rev": "556a75f6a1302b6718fecd3ca8cbd109eb6cb067", "type": "github" }, "original": { 
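Review bot: The comment `# Trusted users on the nix builder machines` understates what membership grants: misc/builder.nix in this same commit puts `@nix-builder-users` into `nix.settings.trusted-users`, and the Nix manual describes trusted users as effectively root-equivalent on that host (they may override any daemon option, including substituters and trusted public keys). Suggested wording: `# Members become Nix trusted-users on hosts that import misc/builder.nix, which is root-equivalent there; treat membership like wheel`. The same caveat belongs as a header comment in misc/builder.nix, and the membership added in users/danio.nix should be reviewed on that basis. The enclosing attribute set continues outside the hunk.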
@@ -91,11 +111,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1697332183, - "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=", + "lastModified": 1698544399, + "narHash": "sha256-vhRmPyEyoPkrXF2iykBsWHA05MIaOSmMRLMF7Hul6+s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935", + "rev": "d87c5d8c41c9b3b39592563242f3a448b5cc4bc9", "type": "github" }, "original": { @@ -127,6 +147,7 @@ }, "root": { "inputs": { + "disko": "disko", "grzegorz": "grzegorz", "grzegorz-clients": "grzegorz-clients", "matrix-next": "matrix-next", @@ -144,11 +165,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1697339241, - "narHash": "sha256-ITsFtEtRbCBeEH9XrES1dxZBkE1fyNNUfIyQjQ2AYQs=", + "lastModified": 1699021419, + "narHash": "sha256-oy2j2OHXYcckifASMeZzpmbDLSvobMGt0V/RvoDotF4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "51186b8012068c417dac7c31fb12861726577898", + "rev": "275b28593ef3a1b9d05b6eeda3ddce2f45f5c06f", "type": "github" }, "original": { @@ -159,11 +180,11 @@ }, "unstable": { "locked": { - "lastModified": 1697713104, - "narHash": "sha256-DN7YOyKMCpAVeZ44N42LrujtTkoerkS9+kTufQiuntY=", + "lastModified": 1699087154, + "narHash": "sha256-Eq8VMqpRtMonqeOlLi+F86S39l+RLx/0EbqystNaswc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6be2c349a30fcb489a3153dd331e9df387ab6449", + "rev": "e4082efedb483eb0478c3f014fa851449bca43f9", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index ed131af..26baabd 100644 --- a/flake.nix +++ b/flake.nix @@ -8,6 +8,9 @@ sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git"; pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs"; 
@@ -19,7 +22,7 @@ grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs: + outputs = { self, nixpkgs, disko, matrix-next, pvv-calendar-bot, unstable, sops-nix, ... }@inputs: let nixlib = nixpkgs.lib; systems = [ @@ -77,6 +80,15 @@ ]; }; bekkalokk = stableNixosConfig "bekkalokk" { }; + bob = stableNixosConfig "bob" { + modules = [ + ./hosts/bob/configuration.nix + sops-nix.nixosModules.sops + + disko.nixosModules.disko + { disko.devices.disk.disk1.device = "/dev/vda"; } + ]; + }; ildkule = stableNixosConfig "ildkule" { }; #ildkule-unstable = unstableNixosConfig "ildkule" { }; shark = stableNixosConfig "shark" { }; diff --git a/hosts/bob/configuration.nix b/hosts/bob/configuration.nix new file mode 100644 index 0000000..674dac3 --- /dev/null +++ b/hosts/bob/configuration.nix 
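Review bot: `{ disko.devices.disk.disk1.device = "/dev/vda"; }` silently overrides the `lib.mkDefault "/dev/sda"` in hosts/bob/disks.nix, and since disko repartitions whatever device it is handed, the override deserves a comment stating why that name is trusted, e.g. `# bob is a qemu guest with a single virtio disk, so /dev/vda is stable here` (hardware-configuration.nix loads the qemu-guest profile and virtio_blk, which supports that). The stray blank line between `sops-nix.nixosModules.sops` and `disko.nixosModules.disko` inside the list should go, or the disko pair should be grouped with that comment. Whether `modules` here is merged with or replaces whatever `stableNixosConfig` applies by default is not visible in this hunk.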
@@ -0,0 +1,46 @@ +{ config, pkgs, values, ... }: +{ + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ../../base.nix + ../../misc/metrics-exporters.nix + ./disks.nix + + ../../misc/builder.nix + ]; + + sops.defaultSopsFile = ../../secrets/bob/bob.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + sops.age.generateKey = true; + + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + }; + + networking.hostName = "bob"; # Define your hostname. + + systemd.network.networks."30-all" = values.defaultNetworkConfig // { + matchConfig.Name = "en*"; + DHCP = "yes"; + gateway = [ ]; + }; + + # List packages installed in system profile + environment.systemPackages = with pkgs; [ + ]; + + # List services that you want to enable: + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.05"; # Did you read the comment? + +} diff --git a/hosts/bob/disks.nix b/hosts/bob/disks.nix new file mode 100644 index 0000000..b2271dd --- /dev/null +++ b/hosts/bob/disks.nix 
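Review bot: `systemd.network.networks."30-all"` configures bob with `DHCP = "yes"` and no static address, while values.nix in this same commit records `bob.ipv4 = "129.241.152.254"`; anything that consumes that value only matches reality if the DHCP server has a reservation for this host, so a comment should say which it is, or the address should be assigned statically as the `pvv-ipv4` entries for the other hosts suggest. `sops.defaultSopsFile = ../../secrets/bob/bob.yaml` points at a file this commit does not add; presumably it already exists, but that is worth confirming before a secret is declared against it. The generated-template remnants (`# Define your hostname.`, `# List services that you want to enable:`, `# Did you read the comment?` and the empty `with pkgs; [ ]`) can be dropped.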
@@ -0,0 +1,39 @@ +# Example to create a bios compatible gpt partition +{ lib, ... }: +{ + disko.devices = { + disk.disk1 = { + device = lib.mkDefault "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + }; + esp = { + name = "ESP"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + name = "root"; + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/bob/hardware-configuration.nix b/hosts/bob/hardware-configuration.nix new file mode 100644 index 0000000..a97a3c3 --- /dev/null +++ b/hosts/bob/hardware-configuration.nix @@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/misc/builder.nix b/misc/builder.nix new file mode 100644 index 0000000..6f3847a --- /dev/null +++ b/misc/builder.nix 
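Review bot: The header `# Example to create a bios compatible gpt partition` is copied from the disko examples and does not describe this file; replace it with the actual layout, e.g. `# bob: hybrid BIOS/EFI GPT layout - 1M BIOS boot (EF02), 500M ESP on /boot, remainder ext4 on /; device defaults to /dev/sda and is overridden per host in flake.nix`. A sentence noting that disko formats the named device from scratch when it is run would help whoever touches this next. The layout defines no swap; if that is deliberate, say so in the same comment.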
@@ -0,0 +1,5 @@ +{ ... }: + +{ + nix.settings.trusted-users = [ "@nix-builder-users" ]; +} diff --git a/users/danio.nix b/users/danio.nix index 1ce1e53..57626e0 100644 --- a/users/danio.nix +++ b/users/danio.nix @@ -3,7 +3,12 @@ { users.users.danio = { isNormalUser = true; - extraGroups = [ "drift" ]; # Enable ‘sudo’ for the user. + extraGroups = [ "drift" "nix-builder-users" ]; shell = pkgs.zsh; + + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp8iMOx3eTiG5AmDh2KjKcigf7xdRKn9M7iZQ4RqP0np0UN2NUbu+VAMJmkWFyi3JpxmLuhszU0F1xY+3qM3ARduy1cs89B/bBE85xlOeYhcYVmpcgPR5xduS+TuHTBzFAgp+IU7/lgxdjcJ3PH4K0ruGRcX1xrytmk/vdY8IeSk3GVWDRrRbH6brO4cCCFjX0zJ7G6hBQueTPQoOy3jrUvgpRkzZY4ZCuljXtxbuX5X/2qWAkp8ca0iTQ5FzNA5JUyj+DWeEzjIEz6GrckOdV2LjWpT9+CtOqoPZOUudE1J9mJk4snNlMQjE06It7Kr50bpwoPqnxjo7ZjlHFLezl +" + ]; }; } diff --git a/values.nix b/values.nix index fdd9093..d69cdee 100644 --- a/values.nix +++ b/values.nix @@ -37,6 +37,10 @@ in rec { ipv4 = pvv-ipv4 209; ipv6 = pvv-ipv6 209; }; + bob = { + ipv4 = "129.241.152.254"; + # ipv6 = ; + }; shark = { ipv4 = pvv-ipv4 196; ipv6 = pvv-ipv6 196;
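Review bot: The added authorized key literal is not closed on its own line: the key material ends at `…Lezl` and the closing `"` sits on the next line, so the string carries a trailing newline into authorized_keys (it appears harmless because NixOS joins keys with newlines anyway, but it is easy to break and hard to spot). Put the closing quote on the same line as the key, and consider appending the usual `user@host` comment so the key can be identified when it is rotated. Note that this user is also added to `nix-builder-users`, which misc/builder.nix makes a Nix trusted user.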
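Review bot: `bob.ipv4 = "129.241.152.254"` is a literal where the neighbouring entries use `pvv-ipv4 N`; if the helper produces the same prefix, `ipv4 = pvv-ipv4 254;` keeps the entry consistent, and if bob intentionally sits on a different network a comment saying so would stop someone "fixing" it later. The placeholder `# ipv6 = ;` is commented-out code; either fill it in or drop it. The `rec` set is cut by the hunk on both sides.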