From 4102b381f0d9e77d84a64102538e9e7763d597ce Mon Sep 17 00:00:00 2001 From: kat witch Date: Sat, 4 Sep 2021 02:47:02 +0100 Subject: [PATCH] profiles: raspi init, aarch64 init, oracle/common improved, shared --- README.md | 2 +- config/hosts/daiyousei/nixos.nix | 50 +------------- config/hosts/rinnosuke/nixos.nix | 43 +----------- config/hosts/shinmyoumaru/nixos.nix | 66 +------------------ config/profiles/base/access.nix | 6 +- config/profiles/base/profiles.nix | 10 ++- config/profiles/hardware/aarch64.nix | 5 ++ config/profiles/hardware/oracle/common.nix | 42 ++++++++++++ config/profiles/hardware/raspi.nix | 52 +++++++++++++++ .../{base/includes.nix => shared.nix} | 1 - 10 files changed, 118 insertions(+), 159 deletions(-) create mode 100644 config/profiles/hardware/aarch64.nix create mode 100644 config/profiles/hardware/raspi.nix rename config/profiles/{base/includes.nix => shared.nix} (82%) diff --git a/README.md b/README.md index 36689ae3..7e4cb3de 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,7 @@ These are the NixOS configurations for my systems. I run nothing other than NixO - [ ] Eventually refactor recursiveMod to be sane. - [ ] Extend recursiveMod to allow for merging of structures. - [ ] Create a “lite” base profile for devices like shinmyoumaru. - - [ ] Add a shared profile that adds user imports. + - [x] Add a shared profile that adds user imports. - [ ] Migrate some of shinmyoumaru’s configuration into profiles.hardware.raspi ## Nodes diff --git a/config/hosts/daiyousei/nixos.nix b/config/hosts/daiyousei/nixos.nix index 5f19f6bf..dfa700cb 100644 --- a/config/hosts/daiyousei/nixos.nix +++ b/config/hosts/daiyousei/nixos.nix 
@@ -1,23 +1,10 @@ -{ config, tf, meta, kw, pkgs, lib, sources, ... }: with lib; let - oci-root = meta.deploy.targets.oci-root.tf; - addr_ipv6_nix = - let - prefix = head (splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block")); - in - assert hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6; -in -{ +{ config, tf, meta, kw, pkgs, lib, sources, ... }: with lib; { imports = with meta; [ + profiles.hardware.aarch64 profiles.hardware.oracle.ubuntu services.nginx ]; - deploy.tf.providers.local = { }; - - nixpkgs.localSystem = systems.examples.aarch64-multiplatform // { - system = "aarch64-linux"; - }; - kw.oci = { base = "Canonical Ubuntu"; specs = { @@ -41,37 +28,4 @@ in networkFilter = [ "public" ]; block.locations."/" = { root = splashy; }; }; - - networking = { - useDHCP = false; - interfaces.enp0s3 = { - useDHCP = true; - ipv6 = { - addresses = mkIf (tf.state.resources ? ${tf.resources.${config.networking.hostName}.out.reference}) [{ - address = addr_ipv6_nix; - prefixLength = 64; - }]; - routes = [{ - address = "::"; - prefixLength = 0; - }]; - }; - }; - }; - - network = { - addresses = { - public = { - enable = true; - # TODO: move into module - nixos.ipv6.address = mkIf (tf.state.resources ? ${tf.resources.${config.networking.hostName}.out.reference}) addr_ipv6_nix; - tf.ipv6.address = tf.resources."${config.networking.hostName}_ipv6".refAttr "ip_address"; - }; - }; - firewall.public.interfaces = singleton "enp0s3"; - tf = { - enable = true; - ipv4_attr = "public_ip"; - }; - }; } diff --git a/config/hosts/rinnosuke/nixos.nix b/config/hosts/rinnosuke/nixos.nix index b1c9f87e..79dc8a04 100644 --- a/config/hosts/rinnosuke/nixos.nix +++ b/config/hosts/rinnosuke/nixos.nix 
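Review bot: `networking.useDHCP = false;` is deleted from this host in the second hunk, and the replacement block in oracle/common.nix only sets the per-interface `useDHCP = true`, so unless it is set somewhere not shown the module-level default applies and DHCP is attempted on every interface instead of only the public NIC. Re-add `networking.useDHCP = false;` next to the `networking.interfaces` block in oracle/common.nix (or keep it in this file). The first hunk also drops `deploy.tf.providers.local = { };` with no counterpart anywhere in the patch; if anything in the terraform target still uses the local provider this surfaces at plan time, so confirm it was dead. Both edited attrsets continue outside the hunks.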
@@ -1,12 +1,4 @@ -{ config, tf, meta, kw, pkgs, lib, sources, ... }: with lib; let - oci-root = meta.deploy.targets.oci-root.tf; - addr_ipv6_nix = - let - prefix = head (splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block")); - in - assert hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6; -in -{ +{ config, tf, meta, kw, pkgs, lib, sources, ... }: with lib; { imports = with meta; [ profiles.hardware.oracle.ubuntu services.knot @@ -36,37 +28,4 @@ in networkFilter = [ "public" ]; block.locations."/" = { root = splashy; }; }; - - networking = { - useDHCP = false; - interfaces.ens3 = { - useDHCP = true; - ipv6 = { - addresses = mkIf (config.network.addresses.public.nixos.ipv6.enable) [{ - address = config.network.addresses.public.nixos.ipv6.address; - prefixLength = 64; - }]; - routes = [{ - address = "::"; - prefixLength = 0; - }]; - }; - }; - }; - - network = { - dns.enable = false; - addresses = { - public = { - enable = true; - nixos.ipv6.address = mkIf (tf.state.resources ? ${tf.resources.${config.networking.hostName}.out.reference}) addr_ipv6_nix; - tf.ipv6.address = tf.resources.rinnosuke_ipv6.refAttr "ip_address"; - }; - }; - firewall.public.interfaces = singleton "ens3"; - tf = { - enable = true; - ipv4_attr = "public_ip"; - }; - }; } diff --git a/config/hosts/shinmyoumaru/nixos.nix b/config/hosts/shinmyoumaru/nixos.nix index c385b14e..f5e01e71 100644 --- a/config/hosts/shinmyoumaru/nixos.nix +++ b/config/hosts/shinmyoumaru/nixos.nix 
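Review bot: `network.dns.enable = false;` disappears from this host in the second hunk and the generalized `network` block in oracle/common.nix does not carry it, so rinnosuke now gets whatever that option's default is. It was the one line in the removed block that was host-specific rather than shape-specific (this host imports `services.knot`, so it presumably was deliberate), and nothing else in the patch re-asserts it. Keep it in this file as `network.dns.enable = false;` unless the default is already false. The enclosing attrset continues outside the hunk.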
@@ -4,58 +4,16 @@ # Imports imports = with meta; [ + profiles.hardware.raspi profiles.base ./image.nix ]; - nixpkgs.crossOverlays = [ - (import ../../../overlays/pi) - ]; - - boot = { - kernelModules = mkForce [ "loop" "atkbd" ]; - initrd = { - includeDefaultModules = false; - availableKernelModules = mkForce [ - "mmc_block" - "usbhid" - "ext4" - "hid_generic" - "hid_lenovo" - "hid_apple" - "hid_roccat" - "hid_logitech_hidpp" - "hid_logitech_dj" - "hid_microsoft" - ]; - }; - }; - home-manager.users.kat.programs.neovim.enable = mkForce false; home-manager.users.hexchen.programs.vim.enable = mkForce false; programs.mosh.enable = mkForce false; - # Weird Shit - - nixpkgs.crossSystem = systems.examples.raspberryPi // { - system = "armv6l-linux"; - }; - - environment.noXlibs = true; - documentation.info.enable = false; - documentation.man.enable = false; - programs.command-not-found.enable = false; - security.polkit.enable = false; - security.audit.enable = false; - services.udisks2.enable = false; - boot.enableContainers = false; - - nix = { - binaryCaches = lib.mkForce [ "https://app.cachix.org/cache/thefloweringash-armv7" ]; - binaryCachePublicKeys = [ "thefloweringash-armv7.cachix.org-1:v+5yzBD2odFKeXbmC+OPWVqx4WVoIVO6UXgnSAWFtso=" ]; - }; - - # Terraform +# Terraform deploy.tf = { resources.shinmyoumaru = { @@ -68,26 +26,6 @@ }; }; - # Bootloader - - boot = { - loader = { - grub.enable = false; - generic-extlinux-compatible.enable = true; - }; - consoleLogLevel = lib.mkDefault 7; - kernelPackages = pkgs.linuxPackages_rpi1; - }; - - # File Systems and Swap - - fileSystems = { - "/" = { - device = "/dev/disk/by-label/NIXOS_SD"; - fsType = "ext4"; - }; - }; - # Networking networking = { diff --git a/config/profiles/base/access.nix b/config/profiles/base/access.nix index 79d0a297..bfa49b05 100644 --- a/config/profiles/base/access.nix +++ b/config/profiles/base/access.nix 
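Review bot: The `nix.binaryCaches = lib.mkForce [ "https://app.cachix.org/cache/thefloweringash-armv7" ]` / `binaryCachePublicKeys` pair is removed in the first hunk but the new profiles/hardware/raspi.nix does not carry it, so this host's substituter and the signing key it trusts are dropped silently along with the rest of the moved configuration. Either move those two lines into raspi.nix with the other armv6 settings or, if dropping the third-party cache is intended, say so in the commit message, since it changes which key the host trusts and means every armv6l package is built locally. The `# Terraform` comment also loses its indentation (`+# Terraform` against the two-space body around it). The module attrset continues outside the hunk.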
@@ -1,8 +1,12 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, meta, ... }: { security.sudo.wheelNeedsPassword = lib.mkForce false; + imports = with meta; [ + users.kat.base + ]; + users.users.root = { hashedPassword = "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB."; diff --git a/config/profiles/base/profiles.nix b/config/profiles/base/profiles.nix index 0b55c3d9..0a5c495a 100644 --- a/config/profiles/base/profiles.nix +++ b/config/profiles/base/profiles.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, meta, ... }: with lib; @@ -7,6 +7,7 @@ with lib; deploy.profile = { gui = mkEnableOption "Graphical System"; vfio = mkEnableOption "VFIO"; + shared = mkEnableOption "Shared System"; trusted = mkEnableOption "Trusted Submodule"; cross = { enable = mkEnableOption "cross/emulated compilation"; @@ -33,6 +34,7 @@ with lib; ryzen = mkEnableOption "AMD Ryzen CPU"; ms-7b86 = mkEnableOption "MSI B450-A Pro Max"; rm-310 = mkEnableOption "Intel DQ67OW"; + raspi = mkEnableOption "Raspberry Pi 1 Model B+"; oracle = { common = mkEnableOption "OCI"; ubuntu = mkEnableOption "Canonical Ubuntu Base Image"; @@ -49,7 +51,10 @@ with lib; options.deploy.profile = { gui = mkEnableOption "Graphical System"; vfio = mkEnableOption "VFIO"; - trusted = mkEnableOption "Trusted Submodule"; + shared = mkEnableOption "Shared System"; + trusted = mkEnableOption "Trusted Submodule" // { + default = meta.trusted ? secrets; + }; cross = { enable = mkEnableOption "cross/emulated compilation"; aarch64 = mkOption { @@ -75,6 +80,7 @@ with lib; ryzen = mkEnableOption "AMD Ryzen CPU"; ms-7b86 = mkEnableOption "MSI B450-A Pro Max"; rm-310 = mkEnableOption "Intel DQ67OW"; + raspi = mkEnableOption "Raspberry Pi 1 Model B+"; oracle = { common = mkEnableOption "OCI"; ubuntu = mkEnableOption "Canonical Ubuntu Base Image"; 
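Review bot: Moving the `users.kat.base` import from the shared profile into base/access.nix makes that account part of every host importing `profiles.base`, not only the shared ones, and this same file forces `security.sudo.wheelNeedsPassword = false`; if `users.kat.base` places the user in `wheel` (defined outside this patch), every base host now carries a passwordless-sudo account by default. That may well be intended, but the file gives no hint, so add a comment above the import, e.g. `# kat is the operator account on every host; other users come in via profiles.shared`. The rest of the module continues outside the hunk.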
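Review bot: Only the second of the two parallel `deploy.profile` declarations receives `trusted = mkEnableOption "Trusted Submodule" // { default = meta.trusted ? secrets; }`; the first (the `gui`/`vfio` block near the top of the file) keeps the plain enable option, so the two declarations no longer agree. The new default also turns `trusted` from an explicit opt-in into auto-on whenever the evaluation has `meta.trusted.secrets`, a trust-boundary change that deserves a line in the option text, e.g. `description = "Trusted Submodule; defaults to on when meta.trusted.secrets is present"`. If the two declarations are meant to mirror each other, apply the same `// { default = …; }` to the first; if the first is a separate submodule interface, a comment explaining why only one defaults on would help the next reader.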
diff --git a/config/profiles/hardware/aarch64.nix b/config/profiles/hardware/aarch64.nix new file mode 100644 index 00000000..207d39cc --- /dev/null +++ b/config/profiles/hardware/aarch64.nix @@ -0,0 +1,5 @@ +{ config, ... }: { + nixpkgs.localSystem = systems.examples.aarch64-multiplatform // { + system = "aarch64-linux"; + }; +} diff --git a/config/profiles/hardware/oracle/common.nix b/config/profiles/hardware/oracle/common.nix index 3b5d6711..0709f480 100644 --- a/config/profiles/hardware/oracle/common.nix +++ b/config/profiles/hardware/oracle/common.nix @@ -56,6 +56,48 @@ in nixos.oracle ]; config = { + networking.interfaces = let + interface = attrByPath [cfg.specs.shape] (throw "Unsupported shape") { + "VM.Standard.A1.Flex" = "enp0s3"; + "VM.Standard.E2.1.Micro" = "ens3"; + }; + in { + ${interface} = { + useDHCP = true; + ipv6 = { + addresses = mkIf (config.network.addresses.public.nixos.ipv6.enable) [{ + address = config.network.addresses.public.nixos.ipv6.address; + prefixLength = 64; + }]; + routes = [{ + address = "::"; + prefixLength = 0; + }]; + }; + }; + }; + + network = { + addresses = { + public = let + addr_ipv6_nix = + let + prefix = head (splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block")); + in + assert hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6; + in { + enable = true; + nixos.ipv6.address = mkIf (tf.state.resources ? ${tf.resources.${config.networking.hostName}.out.reference}) addr_ipv6_nix; + tf.ipv6.address = tf.resources.rinnosuke_ipv6.refAttr "ip_address"; + }; + }; + firewall.public.interfaces singleton interface; + tf = { + enable = true; + ipv4_attr = "public_ip"; + }; + }; + deploy.tf = let compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id"; diff --git a/config/profiles/hardware/raspi.nix b/config/profiles/hardware/raspi.nix new file mode 100644 index 00000000..65e1ec5d --- /dev/null +++ b/config/profiles/hardware/raspi.nix 
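Review bot: `systems` is not bound in this new module — the argument set is `{ config, ... }` and there is no `with lib;` — so importing it (daiyousei does in this patch) fails with an undefined-variable error at evaluation. The host file it replaces had `with lib;` in scope. Write it as `{ lib, ... }: { nixpkgs.localSystem = lib.systems.examples.aarch64-multiplatform // { system = "aarch64-linux"; }; }` and drop the unused `config` argument.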
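Review bot: `tf.ipv6.address = tf.resources.rinnosuke_ipv6.refAttr "ip_address";` is hard-wired to one host, so daiyousei, which until this patch used `tf.resources."${config.networking.hostName}_ipv6"`, would now have its terraform-side public IPv6 taken from rinnosuke's resource; the line directly above already keys on `config.networking.hostName`, so use the same expression here. Two further problems sit in the same block: `firewall.public.interfaces singleton interface;` is missing its `=` and will not parse, and `interface` is bound by the `let` inside `networking.interfaces` only, so it is undefined where the firewall line uses it. Lifting the binding up to the `config` attrset fixes both, and the hosts' removed `networking.useDHCP = false;` can be re-established in the same place (the surrounding file is assumed to bind `cfg`). The `config = {` attrset continues past the hunk.
```nix
config = let
  # NIC name follows the OCI shape; an unknown shape fails loudly at eval time
  interface = attrByPath [ cfg.specs.shape ] (throw "Unsupported shape") {
    "VM.Standard.A1.Flex" = "enp0s3";
    "VM.Standard.E2.1.Micro" = "ens3";
  };
in {
  networking.useDHCP = false;
  networking.interfaces.${interface} = {
    # … unchanged: useDHCP, ipv6.addresses, ipv6.routes …
  };

  network = {
    addresses.public = let
      # … unchanged: addr_ipv6_nix derived from the subnet's ipv6cidr_block …
    in {
      # … unchanged: enable, nixos.ipv6.address …
      tf.ipv6.address = tf.resources."${config.networking.hostName}_ipv6".refAttr "ip_address";
    };
    firewall.public.interfaces = singleton interface;
    # … unchanged: tf = { enable, ipv4_attr } …
  };
  # … unchanged: deploy.tf … (config attrset stays open as in the hunk)
```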
@@ -0,0 +1,52 @@ +{ config, ... }: { + deploy.profil.hardware.raspi = true; + + nixpkgs.crossOverlays = [ + (import ../../../overlays/pi) + ]; + + boot = { + loader = { + grub.enable = false; + generic-extlinux-compatible.enable = true; + }; + consoleLogLevel = lib.mkDefault 7; + kernelPackages = pkgs.linuxPackages_rpi1; + kernelModules = mkForce [ "loop" "atkbd" ]; + initrd = { + includeDefaultModules = false; + availableKernelModules = mkForce [ + "mmc_block" + "usbhid" + "ext4" + "hid_generic" + "hid_lenovo" + "hid_apple" + "hid_roccat" + "hid_logitech_hidpp" + "hid_logitech_dj" + "hid_microsoft" + ]; + }; + }; + + environment.noXlibs = true; + documentation.info.enable = false; + documentation.man.enable = false; + programs.command-not-found.enable = false; + security.polkit.enable = false; + security.audit.enable = false; + services.udisks2.enable = false; + boot.enableContainers = false; + + nixpkgs.crossSystem = systems.examples.raspberryPi // { + system = "armv6l-linux"; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + }; + }; +} diff --git a/config/profiles/base/includes.nix b/config/profiles/shared.nix similarity index 82% rename from config/profiles/base/includes.nix rename to config/profiles/shared.nix index d32491aa..24ab6f24 100644 --- a/config/profiles/base/includes.nix +++ b/config/profiles/shared.nix @@ -1,6 +1,5 @@ { config, meta, ... }: { imports = with meta; [ - users.kat.base users.hexchen users.arc ];
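Review bot: `deploy.profil.hardware.raspi = true;` misspells the option declared in profiles.nix in this same patch (`deploy.profile.hardware.raspi`), so the module fails with an undefined-option error instead of flagging the profile. The module also references `lib`, `pkgs`, `mkForce` and `systems` with only `{ config, ... }` in its argument set, whereas the host file it was lifted from had `pkgs`, `lib` and `with lib;` in scope. Change the header to `{ config, lib, pkgs, ... }: with lib; {` and the flag to `deploy.profile.hardware.raspi = true;`. The security trims (`polkit`, `audit`, `udisks2` disabled) are carried over unchanged and now apply to anything importing this profile, which is reasonable for a Pi 1 but worth a one-line comment such as `# small armv6 image: drop policy daemons that nothing on this board uses`.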
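Review bot: profiles.nix gains a `deploy.profile.shared` enable option in this patch, but nothing sets it — this file only imports users — whereas raspi.nix sets `deploy.profile.hardware.raspi = true` on import. If the flag is meant to let other modules detect that the shared user set is present, add `deploy.profile.shared = true;` to this file; otherwise the option is dead on arrival. The rename itself is fine, and `users.kat.base` moves to base/access.nix in the same patch.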