setup repo structure (& test system config)

2025-01-25 22:24:37 +01:00 · 2025-01-25 22:24:37 +01:00 · 67c2250833
commit 67c2250833
12 changed files with 573 additions and 0 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
+use flake
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.direnv
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,20 @@
+---
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+exclude: ^(.*.secret.*)$
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-added-large-files
+
+  - repo: local
+    hooks:
+      - id: run-format
+        name: run-format
+        language: syste
+        types: [ text ]
+        entry: "nix fmt"
+
--- a/22
+++ b/22
@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2025 Easterhegg 2025, CCC Hansestadt Hamburg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,194 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flakey-profile": {
+      "locked": {
+        "lastModified": 1712898590,
+        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736373539,
+        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-24.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "lix": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "flakey-profile": "flakey-profile",
+        "lix": "lix_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1732605668,
+        "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
+        "ref": "release-2.91",
+        "rev": "96824d606a6656650bbe436366bc89d5ee3a6573",
+        "revCount": 113,
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      },
+      "original": {
+        "ref": "release-2.91",
+        "type": "git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      }
+    },
+    "lix_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1729298361,
+        "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
+        "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1737672001,
+        "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "lix": "lix",
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix",
+        "systems": "systems_2",
+        "treefmt-nix": "treefmt-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1737411508,
+        "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1737483750,
+        "narHash": "sha256-5An1wq5U8sNycOBBg3nsDDgpwBmR9liOpDGlhliA6Xo=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "f2cc121df15418d028a59c9737d38e3a90fbaf8f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,90 @@
+{
+  description = "lillinfra - lillys infrastructure configuration";
+
+  inputs = {
+    # nixpkgs
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-24.11";
+
+    # some helpers for writing flakes with less repitition
+    systems.url = "github:nix-systems/default-linux";
+
+    # dotfile (and user package) manager
+    home-manager = {
+      url = "github:nix-community/home-manager?ref=release-24.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # secret management
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # lix package manager
+    # https://lix.systems
+    lix = {
+      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.91";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # treeformat for specifying how to properly format files in this repo
+    treefmt-nix = {
+      url = "github:numtide/treefmt-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      systems,
+      treefmt-nix,
+      ...
+    }:
+    let
+      # instantiate nixpkgs for the given system, configuring this flake's overlay (and therefor packages) too
+      mkPkgs =
+        system:
+        import nixpkgs {
+          inherit system;
+          overlays = [ self.overlays.default ];
+        };
+      # helper to iterate over all supported systems, passing the corresponding instantiated nixpkgs
+      eachSystem = f: nixpkgs.lib.genAttrs (import systems) (system: f (mkPkgs system));
+      # evaluate the treefmt.nix module given an instantiated nixpkgs
+      treefmtEval = pkgs: treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
+    in
+    {
+      nixosConfigurations = import ./systems { flake = self; };
+      overlays.default =
+        final: prev:
+        import ./packages {
+          flake = self;
+          pkgs = prev;
+        };
+      packages = eachSystem (
+        pkgs:
+        import ./packages {
+          inherit pkgs;
+          flake = self;
+        }
+      );
+
+      devShells = eachSystem (pkgs: {
+        default = pkgs.mkShell {
+          packages = with pkgs; [
+            age
+            ssh-to-age
+            pre-commit
+          ];
+        };
+      });
+
+      # maintenance
+      formatter = eachSystem (pkgs: (treefmtEval pkgs).config.build.wrapper);
+      checks = eachSystem (pkgs: {
+        formatting = (treefmtEval pkgs).config.build.check self;
+      });
+    };
+}
--- a/modules/base_system.nix
+++ b/modules/base_system.nix
@ -0,0 +1,114 @@
+#
+# Module that is included for all systems and configures basic NixOS setting that we want
+#
+{
+  modulesPath,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  # boot config
+  boot.initrd.systemd.enable = true;
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "sr_mod"
+    "virtio_blk"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 25;
+    editor = false;
+  };
+
+  # settings for nix and nixos
+  nixpkgs.config.allowUnfree = true;
+  nix.settings = {
+    tarball-ttl = 60;
+    trusted-users = [
+      "root"
+      "@wheel"
+    ];
+    experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+  };
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  # link flake source into /etc/nixos
+  environment.etc."nixos".source = ../.;
+
+  # locale settings
+  time.timeZone = lib.mkDefault "Europe/Berlin";
+  i18n = {
+    # https://man.archlinux.org/man/locale.7
+    defaultLocale = lib.mkDefault "en_US.UTF-8";
+    extraLocaleSettings = lib.genAttrs [
+      "LC_CTYPE"
+      "LC_NUMERIC"
+      "LC_TIME"
+      "LC_COLLATE"
+      "LC_MONETARY"
+      "LC_PAPER"
+      "LC_NAME"
+      "LC_ADDRESS"
+      "LC_TELEPHONE"
+      "LC_MEASUREMENT"
+      "LC_IDENTIFICATION"
+    ] (key: "de_DE.UTF-8");
+  };
+  services.xserver.xkb.layout = lib.mkDefault "de";
+
+  # vconsole
+  console = {
+    font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u16n.psf.gz";
+    packages = lib.mkDefault [ pkgs.terminus_font ];
+    keyMap = lib.mkDefault "de";
+    useXkbConfig = lib.mkDefault true;
+  };
+
+  # ssh server
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+  };
+
+  # misc software settings
+  home-manager.useGlobalPkgs = lib.mkDefault true;
+  programs.command-not-found.enable = false;
+  environment.localBinInPath = true;
+  services.qemuGuest.enable = true;
+
+  # derive sops key from ssh key if ssh is enable and configure host sepcific secrets
+  sops.age.sshKeyPaths = lib.mkIf config.services.openssh.enable [ "/etc/ssh/ssh_host_ed25519_key" ];
+  #sops.defaultSopsFile = ../data/secrets + "/${config.networking.fqdnOrHostName}.yml";
+
+  # additional apps
+  environment.systemPackages = with pkgs; [
+    git
+    helix
+    htop
+  ];
+  #environment.variables = {
+  #  EDITOR = "hx";
+  #  VISUAL = "hx";
+  #};
+}
--- a/modules/user_account.nix
+++ b/modules/user_account.nix
@ -0,0 +1,28 @@
+{
+  modulesPath,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  programs.fish.enable = true;
+
+  users.users.noc = {
+    createHome = true;
+    extraGroups = [
+      "wheel"
+    ];
+    home = "/home/noc";
+    shell = pkgs.fish;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPaVpSL8G9Gs16bSNn9tDl29PiN0SwYZuYCMkp9baSua lilly"
+    ];
+    hashedPassword = "$y$j9T$V7Fvq4uxK/NywaPgqsTgx1$K4/tlsLOHCONtuG5CrQpv5.4/UPsjrtdWeal/qp1UwD";
+    isNormalUser = true;
+  };
+
+  home-manager.users.noc = {
+    home.preferXdgDirectories = true;
+  };
+}
--- a/packages/default.nix
+++ b/packages/default.nix
@ -0,0 +1,5 @@
+{ flake, pkgs }:
+{
+  # add new packages here as:
+  # name = pkgs.callPackage ./package-source.nix {};
+}
--- a/systems/default.nix
+++ b/systems/default.nix
@ -0,0 +1,41 @@
+{ flake }:
+let
+  nixpkgs = flake.inputs.nixpkgs;
+
+  # utility function to create a new nixos configuration
+  # call like `mkSystem "x86_64-linux" "<hostname>.eh22.intern"`
+  mkSystem =
+    systemType: name:
+    nixpkgs.lib.nixosSystem {
+      system = systemType;
+      specialArgs = flake.inputs;
+      modules = [
+        flake.inputs.home-manager.nixosModules.home-manager
+        flake.inputs.sops-nix.nixosModules.default
+        flake.inputs.lix.nixosModules.lixFromNixpkgs
+
+        ../modules/base_system.nix
+        ../modules/user_account.nix
+        #../modules/mail_relay.nix
+        ./${name}.nix
+
+        (
+          let
+            fqdnParts = nixpkgs.lib.strings.splitString "." name;
+          in
+          {
+            networking.hostName = builtins.head fqdnParts;
+            networking.domain =
+              if ((builtins.length fqdnParts) > 1) then
+                (builtins.concatStringsSep "." (builtins.tail fqdnParts))
+              else
+                null;
+          }
+        )
+      ];
+    };
+in
+{
+  # exposed hosts at myroot
+  "test.eh22.intern" = mkSystem "x86_64-linux" "test.eh22.intern";
+}
--- a/systems/test.eh22.intern.nix
+++ b/systems/test.eh22.intern.nix
@ -0,0 +1,51 @@
+{
+  ...
+}:
+{
+  imports = [ ];
+
+  # boot config
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/disk/by-uuid/94A7-6995";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+    "/" = {
+      device = "/dev/disk/by-uuid/4e0b7ea5-8c74-478f-a4e3-ddc5691e4065";
+      fsType = "ext4";
+    };
+    "/srv/data/k8s" = {
+      device = "10.0.10.14:/srv/data/k8s";
+      fsType = "nfs";
+      options = [
+        "defaults"
+        "_netdev"
+      ];
+    };
+  };
+
+  # networking config
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    networks.enp1s0 = {
+      matchConfig = {
+        Type = "ether";
+        MACAddress = "52:54:00:e6:1f:51";
+      };
+      networkConfig = {
+        IPv6AcceptRA = false;
+      };
+      DHCP = "yes";
+    };
+  };
+
+  # DO NOT CHANGE
+  # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
+  home-manager.users.noc.home.stateVersion = "24.11";
+  system.stateVersion = "24.11";
+}
--- a/treefmt.nix
+++ b/treefmt.nix
@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  projectRootFile = "flake.nix";
+  settings.global.on-unmatched = "info";
+  programs.nixfmt.enable = true;
+}