From 67c2250833abaf2d14dcd141950fde4d17778fb9 Mon Sep 17 00:00:00 2001
From: lilly <li@lly.sh>
Date: Sat, 25 Jan 2025 22:24:37 +0100
Subject: [PATCH] setup repo structure (& test system config)

---
 .envrc                       |   1 +
 .gitignore                   |   1 +
 .pre-commit-config.yaml      |  20 ++++
 LICENSE                      |  22 ++++
 flake.lock                   | 194 +++++++++++++++++++++++++++++++++++
 flake.nix                    |  90 ++++++++++++++++
 modules/base_system.nix      | 114 ++++++++++++++++++++
 modules/user_account.nix     |  28 +++++
 packages/default.nix         |   5 +
 systems/default.nix          |  41 ++++++++
 systems/test.eh22.intern.nix |  51 +++++++++
 treefmt.nix                  |   6 ++
 12 files changed, 573 insertions(+)
 create mode 100644 .envrc
 create mode 100644 .gitignore
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 LICENSE
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 modules/base_system.nix
 create mode 100644 modules/user_account.nix
 create mode 100644 packages/default.nix
 create mode 100644 systems/default.nix
 create mode 100644 systems/test.eh22.intern.nix
 create mode 100644 treefmt.nix

diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3550a30
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..92b2793
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.direnv
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..20af30f
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,20 @@
+---
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+exclude: ^(.*.secret.*)$
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-added-large-files
+
+  - repo: local
+    hooks:
+      - id: run-format
+        name: run-format
+        language: syste
+        types: [ text ]
+        entry: "nix fmt"
+
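Review bot: `language: syste` on the run-format hook is not a language pre-commit recognises, so the hook fails to install instead of running `nix fmt`; it should read `language: system`. The exclude pattern `^(.*.secret.*)$` also leaves the dot before `secret` unescaped, so it matches any character there and skips more paths than intended — `exclude: ^(.*\.secret.*)$` if a literal `.secret` in the name is meant. Since `nix fmt` formats the whole tree anyway, `pass_filenames: false` on the hook would make it explicit that the staged paths are not what drives it.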
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..41b1c7d
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2025 Easterhegg 2025, CCC Hansestadt Hamburg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..efb7113
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,194 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flakey-profile": {
+      "locked": {
+        "lastModified": 1712898590,
+        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736373539,
+        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-24.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "lix": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "flakey-profile": "flakey-profile",
+        "lix": "lix_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1732605668,
+        "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
+        "ref": "release-2.91",
+        "rev": "96824d606a6656650bbe436366bc89d5ee3a6573",
+        "revCount": 113,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      },
+      "original": {
+        "ref": "release-2.91",
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      }
+    },
+    "lix_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1729298361,
+        "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
+        "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1737672001,
+        "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "lix": "lix",
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix",
+        "systems": "systems_2",
+        "treefmt-nix": "treefmt-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1737411508,
+        "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1737483750,
+        "narHash": "sha256-5An1wq5U8sNycOBBg3nsDDgpwBmR9liOpDGlhliA6Xo=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "f2cc121df15418d028a59c9737d38e3a90fbaf8f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..1afd777
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,90 @@
+{
+  description = "lillinfra - lillys infrastructure configuration";
+
+  inputs = {
+    # nixpkgs
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-24.11";
+
+    # some helpers for writing flakes with less repitition
+    systems.url = "github:nix-systems/default-linux";
+
+    # dotfile (and user package) manager
+    home-manager = {
+      url = "github:nix-community/home-manager?ref=release-24.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # secret management
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # lix package manager
+    # https://lix.systems
+    lix = {
+      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.91";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # treeformat for specifying how to properly format files in this repo
+    treefmt-nix = {
+      url = "github:numtide/treefmt-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      systems,
+      treefmt-nix,
+      ...
+    }:
+    let
+      # instantiate nixpkgs for the given system, configuring this flake's overlay (and therefor packages) too
+      mkPkgs =
+        system:
+        import nixpkgs {
+          inherit system;
+          overlays = [ self.overlays.default ];
+        };
+      # helper to iterate over all supported systems, passing the corresponding instantiated nixpkgs
+      eachSystem = f: nixpkgs.lib.genAttrs (import systems) (system: f (mkPkgs system));
+      # evaluate the treefmt.nix module given an instantiated nixpkgs
+      treefmtEval = pkgs: treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
+    in
+    {
+      nixosConfigurations = import ./systems { flake = self; };
+      overlays.default =
+        final: prev:
+        import ./packages {
+          flake = self;
+          pkgs = prev;
+        };
+      packages = eachSystem (
+        pkgs:
+        import ./packages {
+          inherit pkgs;
+          flake = self;
+        }
+      );
+
+      devShells = eachSystem (pkgs: {
+        default = pkgs.mkShell {
+          packages = with pkgs; [
+            age
+            ssh-to-age
+            pre-commit
+          ];
+        };
+      });
+
+      # maintenance
+      formatter = eachSystem (pkgs: (treefmtEval pkgs).config.build.wrapper);
+      checks = eachSystem (pkgs: {
+        formatting = (treefmtEval pkgs).config.build.check self;
+      });
+    };
+}
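Review bot: The `devShells` package list provides `age` and `ssh-to-age` but not `sops` itself, even though the `sops-nix` input and the `sops.age.sshKeyPaths` setting elsewhere in this commit indicate that secrets are meant to be edited with sops; adding `sops` to the `packages` list lets `nix develop` users edit secret files without a global install. Two comment typos: `repitition` → `repetition` on the `systems` input and `therefor` → `therefore` on `mkPkgs`.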
diff --git a/modules/base_system.nix b/modules/base_system.nix
new file mode 100644
index 0000000..9116cfd
--- /dev/null
+++ b/modules/base_system.nix
@@ -0,0 +1,114 @@
+#
+# Module that is included for all systems and configures basic NixOS setting that we want
+#
+{
+  modulesPath,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  # boot config
+  boot.initrd.systemd.enable = true;
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "sr_mod"
+    "virtio_blk"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 25;
+    editor = false;
+  };
+
+  # settings for nix and nixos
+  nixpkgs.config.allowUnfree = true;
+  nix.settings = {
+    tarball-ttl = 60;
+    trusted-users = [
+      "root"
+      "@wheel"
+    ];
+    experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+  };
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  # link flake source into /etc/nixos
+  environment.etc."nixos".source = ../.;
+
+  # locale settings
+  time.timeZone = lib.mkDefault "Europe/Berlin";
+  i18n = {
+    # https://man.archlinux.org/man/locale.7
+    defaultLocale = lib.mkDefault "en_US.UTF-8";
+    extraLocaleSettings = lib.genAttrs [
+      "LC_CTYPE"
+      "LC_NUMERIC"
+      "LC_TIME"
+      "LC_COLLATE"
+      "LC_MONETARY"
+      "LC_PAPER"
+      "LC_NAME"
+      "LC_ADDRESS"
+      "LC_TELEPHONE"
+      "LC_MEASUREMENT"
+      "LC_IDENTIFICATION"
+    ] (key: "de_DE.UTF-8");
+  };
+  services.xserver.xkb.layout = lib.mkDefault "de";
+
+  # vconsole
+  console = {
+    font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u16n.psf.gz";
+    packages = lib.mkDefault [ pkgs.terminus_font ];
+    keyMap = lib.mkDefault "de";
+    useXkbConfig = lib.mkDefault true;
+  };
+
+  # ssh server
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+  };
+
+  # misc software settings
+  home-manager.useGlobalPkgs = lib.mkDefault true;
+  programs.command-not-found.enable = false;
+  environment.localBinInPath = true;
+  services.qemuGuest.enable = true;
+
+  # derive sops key from ssh key if ssh is enable and configure host sepcific secrets
+  sops.age.sshKeyPaths = lib.mkIf config.services.openssh.enable [ "/etc/ssh/ssh_host_ed25519_key" ];
+  #sops.defaultSopsFile = ../data/secrets + "/${config.networking.fqdnOrHostName}.yml";
+
+  # additional apps
+  environment.systemPackages = with pkgs; [
+    git
+    helix
+    htop
+  ];
+  #environment.variables = {
+  #  EDITOR = "hx";
+  #  VISUAL = "hx";
+  #};
+}
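Review bot: `PasswordAuthentication = false` in the `services.openssh.settings` block does not on its own make the server key-only, because NixOS leaves `KbdInteractiveAuthentication` enabled by default and the PAM keyboard-interactive path still accepts passwords; add `KbdInteractiveAuthentication = false;` next to it. Separately, `trusted-users = [ "root" "@wheel" ]` lets every wheel member pass arbitrary substituters and unsigned store paths to the daemon, which the Nix manual describes as essentially equivalent to root access; if wheel is meant as a plain sudo group, drop `@wheel` here or document the trust decision with a comment. Minor comment fixes: `basic NixOS setting` → `settings`, `if ssh is enable` → `enabled`, `sepcific` → `specific`.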
diff --git a/modules/user_account.nix b/modules/user_account.nix
new file mode 100644
index 0000000..50f7a41
--- /dev/null
+++ b/modules/user_account.nix
@@ -0,0 +1,28 @@
+{
+  modulesPath,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  programs.fish.enable = true;
+
+  users.users.noc = {
+    createHome = true;
+    extraGroups = [
+      "wheel"
+    ];
+    home = "/home/noc";
+    shell = pkgs.fish;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPaVpSL8G9Gs16bSNn9tDl29PiN0SwYZuYCMkp9baSua lilly"
+    ];
+    hashedPassword = "$y$j9T$V7Fvq4uxK/NywaPgqsTgx1$K4/tlsLOHCONtuG5CrQpv5.4/UPsjrtdWeal/qp1UwD";
+    isNormalUser = true;
+  };
+
+  home-manager.users.noc = {
+    home.preferXdgDirectories = true;
+  };
+}
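Review bot: The `hashedPassword = "$y$..."` line commits the `noc` login hash in clear to a repository this commit licenses as MIT (so presumably public), which exposes it to offline guessing by anyone who can read the repo and matters here because `noc` is in `wheel`. Since sops-nix is already wired in as a module, keep the hash in an encrypted secret and reference it with `hashedPasswordFile = config.sops.secrets."noc-password".path;` (with `neededForUsers = true` on that secret so it is available at user creation), or drop the password entirely and rely on the SSH key. The `modulesPath` and `lib` arguments of this module are currently unused.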
diff --git a/packages/default.nix b/packages/default.nix
new file mode 100644
index 0000000..477cd63
--- /dev/null
+++ b/packages/default.nix
@@ -0,0 +1,5 @@
+{ flake, pkgs }:
+{
+  # add new packages here as:
+  # name = pkgs.callPackage ./package-source.nix {};
+}
diff --git a/systems/default.nix b/systems/default.nix
new file mode 100644
index 0000000..8085fc5
--- /dev/null
+++ b/systems/default.nix
@@ -0,0 +1,41 @@
+{ flake }:
+let
+  nixpkgs = flake.inputs.nixpkgs;
+
+  # utility function to create a new nixos configuration
+  # call like `mkSystem "x86_64-linux" "<hostname>.eh22.intern"`
+  mkSystem =
+    systemType: name:
+    nixpkgs.lib.nixosSystem {
+      system = systemType;
+      specialArgs = flake.inputs;
+      modules = [
+        flake.inputs.home-manager.nixosModules.home-manager
+        flake.inputs.sops-nix.nixosModules.default
+        flake.inputs.lix.nixosModules.lixFromNixpkgs
+
+        ../modules/base_system.nix
+        ../modules/user_account.nix
+        #../modules/mail_relay.nix
+        ./${name}.nix
+
+        (
+          let
+            fqdnParts = nixpkgs.lib.strings.splitString "." name;
+          in
+          {
+            networking.hostName = builtins.head fqdnParts;
+            networking.domain =
+              if ((builtins.length fqdnParts) > 1) then
+                (builtins.concatStringsSep "." (builtins.tail fqdnParts))
+              else
+                null;
+          }
+        )
+      ];
+    };
+in
+{
+  # exposed hosts at myroot
+  "test.eh22.intern" = mkSystem "x86_64-linux" "test.eh22.intern";
+}
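Review bot: The host name is spelled twice in `"test.eh22.intern" = mkSystem "x86_64-linux" "test.eh22.intern";`, so the attribute key and the name that `mkSystem` turns into the module file and `networking.hostName` can drift apart silently; building the set with `nixpkgs.lib.mapAttrs (name: systemType: mkSystem systemType name) { "test.eh22.intern" = "x86_64-linux"; }` keeps one source of truth. `specialArgs = flake.inputs;` deserves a one-line comment, e.g. `# every flake input is available to modules as a named argument (home-manager, sops-nix, lix, ...)`, since modules rely on it without any visible import.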
diff --git a/systems/test.eh22.intern.nix b/systems/test.eh22.intern.nix
new file mode 100644
index 0000000..5bb58c0
--- /dev/null
+++ b/systems/test.eh22.intern.nix
@@ -0,0 +1,51 @@
+{
+  ...
+}:
+{
+  imports = [ ];
+
+  # boot config
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/disk/by-uuid/94A7-6995";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+    "/" = {
+      device = "/dev/disk/by-uuid/4e0b7ea5-8c74-478f-a4e3-ddc5691e4065";
+      fsType = "ext4";
+    };
+    "/srv/data/k8s" = {
+      device = "10.0.10.14:/srv/data/k8s";
+      fsType = "nfs";
+      options = [
+        "defaults"
+        "_netdev"
+      ];
+    };
+  };
+
+  # networking config
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    networks.enp1s0 = {
+      matchConfig = {
+        Type = "ether";
+        MACAddress = "52:54:00:e6:1f:51";
+      };
+      networkConfig = {
+        IPv6AcceptRA = false;
+      };
+      DHCP = "yes";
+    };
+  };
+
+  # DO NOT CHANGE
+  # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
+  home-manager.users.noc.home.stateVersion = "24.11";
+  system.stateVersion = "24.11";
+}
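Review bot: The NFS mount `"/srv/data/k8s"` carries only `defaults` and `_netdev`, so systemd treats it as a required mount and boot stalls, and can end in emergency mode, whenever `10.0.10.14` is unreachable; add `"nofail"` or, better, `"x-systemd.automount"` together with `"x-systemd.mount-timeout=30s"` so the root and boot filesystems come up independently of the NFS server. In the `networks.enp1s0` block, `DHCP = "yes"` requests both DHCPv4 and DHCPv6 while `IPv6AcceptRA = false` suppresses the router advertisements DHCPv6 normally depends on; if only IPv4 is intended, `DHCP = "ipv4"` states that directly.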
diff --git a/treefmt.nix b/treefmt.nix
new file mode 100644
index 0000000..b9ea13a
--- /dev/null
+++ b/treefmt.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  projectRootFile = "flake.nix";
+  settings.global.on-unmatched = "info";
+  programs.nixfmt.enable = true;
+}