I should commit more frequently

This commit is contained in:
Andrea Ciceri 2023-12-07 23:07:36 +01:00
parent aa8003f5b4
commit e82241b8b0
Signed by: aciceri
SSH key fingerprint: SHA256:/AagBweyV4Hlfg9u092n8hbHwD5fcB6A3qhDiDA65Rg
70 changed files with 1091 additions and 2018 deletions


@ -5,279 +5,89 @@
inputs,
...
}: {
options.fleet = {
hosts = lib.mkOption {
description = "Host configuration";
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
name = lib.mkOption {
description = "Host name";
type = lib.types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$";
default = name;
};
system = lib.mkOption {
description = "NixOS architecture (a.k.a. system)";
type = lib.types.str;
default = "x86_64-linux";
};
colmena = lib.mkOption {
description = "Set colmena.<host>";
type = lib.types.attrs;
default = {};
};
secrets = lib.mkOption {
description = "List of secrets names in the `secrets` folder";
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
file = lib.mkOption {
type = lib.types.path;
default = "${self.outPath}/secrets/${name}.age";
};
mode = lib.mkOption {
# TODO improve type
type = lib.types.str;
default = "0440";
};
};
}));
default = {};
};
enableHomeManager = lib.mkOption {
description = "Enable home-manager module";
type = lib.types.bool;
default = true;
};
overlays = lib.mkOption {
description = "Enabled Nixpkgs overlays";
type = lib.types.listOf (lib.mkOptionType {
name = "nixpkgs-overlay";
description = "nixpkgs overlay";
check = lib.isFunction;
merge = lib.mergeOneOption;
});
default = [];
};
extraModules = lib.mkOption {
description = "Extra NixOS modules";
type = lib.types.listOf lib.types.deferredModule;
default = [];
};
extraHmModules = lib.mkOption {
description = "Extra home-manager modules";
type = lib.types.listOf lib.types.deferredModule;
default = [];
};
extraHmModulesUser = lib.mkOption {
description = "User for which to import extraHmModulesUser";
type = lib.types.str;
default = "ccr";
};
};
config.overlays = with inputs;
[
agenix.overlays.default
comma.overlays.default
helix.overlays.default
nur.overlay
]
++ config.fleet.overlays;
}));
default = {};
};
_mkNixosConfiguration = lib.mkOption {
description = "Function returning a proper NixOS configuration";
type = lib.types.functionTo (lib.types.functionTo lib.types.attrs); # TODO improve this type
internal = true;
default = hostname: config:
inputs.nixpkgsUnstable.lib.nixosSystem {
inherit (config) system;
modules =
[
({lib, ...}: {
networking.hostName = lib.mkForce hostname;
nixpkgs.overlays = config.overlays;
networking.hosts =
lib.mapAttrs' (hostname: ip: {
name = ip;
value = ["${hostname}.fleet"];
})
(import "${self}/lib").ips;
})
"${self.outPath}/hosts/${hostname}"
]
++ (lib.optionals (config.secrets != []) [
inputs.agenix.nixosModules.default
({lib, ...}: let
allSecrets = lib.mapAttrs' (name: value: {
name = lib.removeSuffix ".age" name;
inherit value;
}) (import "${self.outPath}/secrets");
filteredSecrets =
lib.filterAttrs
(name: _: builtins.hasAttr name config.secrets)
allSecrets;
in {
age.secrets =
lib.mapAttrs' (name: _: {
name = builtins.baseNameOf name;
value = {
inherit (config.secrets.${name}) owner group file mode;
};
})
filteredSecrets;
})
])
++ (lib.optionals config.enableHomeManager (let
user = config.extraHmModulesUser;
extraHmModules = config.extraHmModules;
in [
inputs.homeManager.nixosModule
({config, ...}: {
home-manager.users."${user}" = {
imports = extraHmModules;
_module.args = {
age = config.age or {};
fleetFlake = self;
};
};
})
]))
++ config.extraModules;
specialArgs = {
fleetModules = builtins.map (moduleName: "${self.outPath}/modules/${moduleName}");
fleetHmModules = builtins.map (moduleName: "${self.outPath}/hmModules/${moduleName}");
fleetFlake = self;
};
};
imports = [./module.nix];
fleet.hosts = {
# thinkpad = {
# extraModules = with inputs; [
# nixosHardware.nixosModules.lenovo-thinkpad-x1-7th-gen
# buildbot-nix.nixosModules.buildbot-master
# buildbot-nix.nixosModules.buildbot-worker
# ];
# extraHmModules = with inputs; [
# ccrEmacs.hmModules.default
# {
# # TODO: remove after https://github.com/nix-community/home-manager/pull/3811
# imports = let
# hmModules = "${inputs.homeManagerGitWorkspace}/modules";
# in [
# "${hmModules}/services/git-workspace.nix"
# ];
# }
# ];
# overlays = [inputs.nil.overlays.default];
# secrets = {
# "thinkpad-wireguard-private-key" = {};
# "cachix-personal-token".owner = "ccr";
# "autistici-password".owner = "ccr";
# "git-workspace-tokens".owner = "ccr";
# "chatgpt-token".owner = "ccr";
# };
# };
# rock5b = {
# system = "aarch64-linux";
# extraModules = with inputs; [
# disko.nixosModules.disko
# rock5b.nixosModules.default
# ];
# secrets = {
# "rock5b-wireguard-private-key" = {};
# "hercules-ci-join-token".owner = "hercules-ci-agent";
# "hercules-ci-binary-caches".owner = "hercules-ci-agent";
# "cachix-personal-token".owner = "ccr";
# "home-planimetry".owner = "hass";
# "cloudflare-dyndns-api-token" = {};
# # "nextcloud-admin-pass".owner = "nextcloud";
# # "aws-credentials" = {};
# };
# colmena.deployment.buildOnTarget = true;
# };
# pbp = {
# system = "aarch64-linux";
# extraModules = with inputs; [
# nixosHardware.nixosModules.pine64-pinebook-pro
# disko.nixosModules.disko
# ];
# extraHmModules = [
# inputs.ccrEmacs.hmModules.default
# ];
# secrets = {
# "pbp-wireguard-private-key" = {};
# "cachix-personal-token".owner = "ccr";
# "chatgpt-token".owner = "ccr";
# };
# };
picard = {
extraModules = [
inputs.disko.nixosModules.disko
];
extraHmModules = [
inputs.ccrEmacs.hmModules.default
"${inputs.homeManagerGitWorkspace}/modules/services/git-workspace.nix"
];
secrets = {
"chatgpt-token".owner = "ccr";
"cachix-personal-token".owner = "ccr";
"hercules-ci-join-token".owner = "hercules-ci-agent";
"hercules-ci-binary-caches".owner = "hercules-ci-agent";
"git-workspace-tokens".owner = "ccr";
};
};
};
# TODO Add per host:
# - apps to run as VMs
# - checks
# - deploy scripts (`nixos-rebuild`)
config = {
fleet.hosts = {
thinkpad = {
extraModules = with inputs; [
nixosHardware.nixosModules.lenovo-thinkpad-x1-7th-gen
];
extraHmModules = with inputs; [
ccrEmacs.hmModules.default
{
# TODO: remove after https://github.com/nix-community/home-manager/pull/3811
imports = let
hmModules = "${inputs.homeManagerGitWorkspace}/modules";
in [
"${hmModules}/services/git-workspace.nix"
];
}
];
overlays = [inputs.nil.overlays.default];
secrets = {
"thinkpad-wireguard-private-key" = {};
"cachix-personal-token".owner = "ccr";
"autistici-password".owner = "ccr";
"git-workspace-tokens".owner = "ccr";
"chatgpt-token".owner = "ccr";
};
};
rock5b = {
system = "aarch64-linux";
extraModules = with inputs; [
disko.nixosModules.disko
rock5b.nixosModules.default
];
secrets = {
"rock5b-wireguard-private-key" = {};
"hercules-ci-join-token".owner = "hercules-ci-agent";
"hercules-ci-binary-caches".owner = "hercules-ci-agent";
"cachix-personal-token".owner = "ccr";
"home-planimetry".owner = "hass";
# "nextcloud-admin-pass".owner = "nextcloud";
# "aws-credentials" = {};
};
colmena.deployment.buildOnTarget = true;
};
pbp = {
system = "aarch64-linux";
extraModules = with inputs; [
nixosHardware.nixosModules.pine64-pinebook-pro
disko.nixosModules.disko
];
extraHmModules = [
inputs.ccrEmacs.hmModules.default
];
secrets = {
"pbp-wireguard-private-key" = {};
"cachix-personal-token".owner = "ccr";
"chatgpt-token".owner = "ccr";
};
};
# hs = {};
mothership = {
extraModules = with inputs; [
disko.nixosModules.disko
# nix-serve-ng.nixosModules.default
# hydra.nixosModules.hydra
];
extraHmModules = [
inputs.ccrEmacs.hmModules.default
{
# TODO: remove after https://github.com/nix-community/home-manager/pull/3811
imports = let
hmModules = "${inputs.homeManagerGitWorkspace}/modules";
in [
"${hmModules}/services/git-workspace.nix"
];
}
];
overlays = [inputs.nil.overlays.default];
secrets = {
"mothership-wireguard-private-key" = {};
"cachix-personal-token".owner = "ccr";
"git-workspace-tokens".owner = "ccr";
"magit-forge-github-token".owner = "ccr";
# "hydra-admin-password".owner = "root";
# "hydra-github-token".group = "hydra";
# "cache-private-key".owner = "nix-serve";
"hercules-ci-join-token".owner = "hercules-ci-agent";
"hercules-ci-binary-caches".owner = "hercules-ci-agent";
# "minio-credentials".owner = "minio";
# "aws-credentials" = {};
"chatgpt-token".owner = "ccr";
};
};
};
flake.nixosConfigurations =
lib.mapAttrs
config.fleet._mkNixosConfiguration
config.fleet.hosts;
flake.colmena =
{
meta = {
nixpkgs = inputs.nixpkgsUnstable.legacyPackages.x86_64-linux;
nodeNixpkgs = builtins.mapAttrs (name: value: value.pkgs) self.nixosConfigurations;
nodeSpecialArgs = builtins.mapAttrs (name: value: value._module.specialArgs) self.nixosConfigurations;
};
}
// builtins.mapAttrs (name: host:
lib.recursiveUpdate {
imports = self.nixosConfigurations.${name}._module.args.modules;
deployment.targetHost = "${name}.fleet";
}
host.colmena)
config.fleet.hosts;
};
flake.nixosConfigurations =
lib.mapAttrs
config.fleet._mkNixosConfiguration
config.fleet.hosts;
}
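Review bot: The `fleet.hosts` attrset carries the thinkpad, rock5b and pbp definitions as roughly sixty lines of commented-out Nix (`# thinkpad = {` through `# };`, right after `imports = [./module.nix];`), which is dead configuration that will silently drift from the option schema now kept in `hosts/module.nix`; since git history already preserves those definitions, drop the block or replace it with a one-line marker such as `# thinkpad/rock5b/pbp intentionally disabled: <reason>` so the next reader knows it is deliberate. The picard entry is the only live host left in this attrset, so `flake.nixosConfigurations` and the colmena targets derived from it presumably shrink to that single host — worth stating in the commit description if that is intended. Which of the printed lines are the new side is not recoverable from this rendering, so this assumes the commented block is what the commit introduces. The enclosing module function starts before the hunk (`@ -5,...`).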

168
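--- a/hosts/module.nix
+++ b/hosts/module.nix
@@ -0,0 +1,168 @@
+# TODO Add per host:
+# - apps to run as VMs
+# - checks
+# - deploy scripts (`nixos-rebuild`)
+{
+self,
+lib,
+config,
+inputs,
+...
+}: {
+options.fleet = {
+hosts = lib.mkOption {
+description = "Host configuration";
+type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
+options = {
+name = lib.mkOption {
+description = "Host name";
+type = lib.types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$";
+default = name;
+};
+system = lib.mkOption {
+description = "NixOS architecture (a.k.a. system)";
+type = lib.types.str;
+default = "x86_64-linux";
+};
+colmena = lib.mkOption {
+description = "Set colmena.<host>";
+type = lib.types.attrs;
+default = {};
+};
+secrets = lib.mkOption {
+description = "List of secrets names in the `secrets` folder";
+type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
+options = {
+owner = lib.mkOption {
+type = lib.types.str;
+default = "root";
+};
+group = lib.mkOption {
+type = lib.types.str;
+default = "root";
+};
+file = lib.mkOption {
+type = lib.types.path;
+default = "${self.outPath}/secrets/${name}.age";
+};
+mode = lib.mkOption {
+# TODO improve type
+type = lib.types.str;
+default = "0440";
+};
+};
+}));
+default = {};
+};
+enableHomeManager = lib.mkOption {
+description = "Enable home-manager module";
+type = lib.types.bool;
+default = true;
+};
+overlays = lib.mkOption {
+description = "Enabled Nixpkgs overlays";
+type = lib.types.listOf (lib.mkOptionType {
+name = "nixpkgs-overlay";
+description = "nixpkgs overlay";
+check = lib.isFunction;
+merge = lib.mergeOneOption;
+});
+default = [];
+};
+extraModules = lib.mkOption {
+description = "Extra NixOS modules";
+type = lib.types.listOf lib.types.deferredModule;
+default = [];
+};
+extraHmModules = lib.mkOption {
+description = "Extra home-manager modules";
+type = lib.types.listOf lib.types.deferredModule;
+default = [];
+};
+extraHmModulesUser = lib.mkOption {
+description = "User for which to import extraHmModulesUser";
+type = lib.types.str;
+default = "ccr";
+};
+};
+config.overlays = with inputs;
+[
+nur.overlay
+]
+++ config.fleet.overlays;
+}));
+default = {};
+};
+_mkNixosConfiguration = lib.mkOption {
+description = "Function returning a proper NixOS configuration";
+type = lib.types.functionTo (lib.types.functionTo lib.types.attrs); # TODO improve this type
+internal = true;
+default = hostname: config:
+inputs.nixpkgsUnstable.lib.nixosSystem {
+inherit (config) system;
+modules =
+[
+({lib, ...}: {
+networking.hostName = lib.mkForce hostname;
+nixpkgs.overlays = config.overlays;
+networking.hosts =
+lib.mapAttrs' (hostname: ip: {
+name = ip;
+value = ["${hostname}.fleet"];
+})
+(import "${self}/lib").ips;
+})
+"${self.outPath}/hosts/${hostname}"
+]
+++ (lib.optionals (config.secrets != []) [
+inputs.agenix.nixosModules.default
+({lib, ...}: let
+allSecrets = lib.mapAttrs' (name: value: {
+name = lib.removeSuffix ".age" name;
+inherit value;
+}) (import "${self.outPath}/secrets");
+filteredSecrets =
+lib.filterAttrs
+(name: _: builtins.hasAttr name config.secrets)
+allSecrets;
+in {
+age.secrets =
+lib.mapAttrs' (name: _: {
+name = builtins.baseNameOf name;
+value = {
+inherit (config.secrets.${name}) owner group file mode;
+};
+})
+filteredSecrets;
+})
+])
+++ (lib.optionals config.enableHomeManager (let
+user = config.extraHmModulesUser;
+extraHmModules = config.extraHmModules;
+in [
+inputs.homeManager.nixosModule
+({
+config,
+pkgs,
+...
+}: {
+home-manager.users."${user}" = {
+imports = extraHmModules;
+_module.args = {
+age = config.age or {};
+fleetFlake = self;
+pkgsStable = inputs.nixpkgsStable.legacyPackages.${pkgs.system};
+};
+};
+})
+]))
+++ config.extraModules;
+specialArgs = {
+fleetModules = builtins.map (moduleName: "${self.outPath}/modules/${moduleName}");
+fleetHmModules = builtins.map (moduleName: "${self.outPath}/hmModules/${moduleName}");
+fleetFlake = self;
+};
+};
+};
+};
+}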
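Review bot: `lib.optionals (config.secrets != [])` in `_mkNixosConfiguration` compares the `secrets` attrset with a list, and because `secrets` is declared `attrsOf` with default `{}` the test is always true, so the agenix module and the `age.secrets` wiring are pulled into every host even when it declares no secrets; the intended guard is `++ (lib.optionals (config.secrets != {}) [`. The submodule under `hosts` binds only `name`, so `config.overlays = … ++ config.fleet.overlays;` reads the outer module's `config` and requires a fleet-wide `fleet.overlays` option that this file does not declare — if no other module declares it, evaluating a host fails on a missing attribute, and if the aim was only the per-host list, the `++ config.fleet.overlays` tail should go. Quieter still, `filteredSecrets` keeps only names that also exist in the attrset imported from `secrets/`, so a host referencing a secret absent there is built without it and the gap surfaces only when the service opens the missing file; an `assert` that every `builtins.attrNames config.secrets` entry is in `allSecrets` would fail at evaluation instead.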


@ -22,7 +22,7 @@
"cgit"
"docker"
# "minio"
"proxy"
"mothership-proxy"
"binfmt"
"xdg"
# "remote-xfce"

94
hosts/picard/default.nix Normal file

@ -0,0 +1,94 @@
{
fleetModules,
lib,
config,
...
}: {
imports =
fleetModules [
"common"
"ssh"
"ccr"
"nix"
"networkmanager"
"bluetooth"
"dbus"
"docker"
"fonts"
"qmk-udev"
"mosh"
"udisks2"
"xdg"
"pipewire"
"nix-development"
"waydroid"
"virt-manager"
"ssh-initrd"
"hercules-ci"
]
++ [
./disko.nix
];
ccr = {
enable = true;
autologin = true;
modules = [
"git"
"git-workspace"
"helix"
"shell"
"element"
"emacs"
"firefox"
"gpg"
"mpv"
"password-store"
"slack"
"hyprland"
"udiskie"
"xdg"
"spotify"
"lutris"
"wine"
"cura"
];
extraGroups = [];
};
boot.kernelParams = ["ip=dhcp"];
boot.initrd.kernelModules = ["amdgpu"];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usbhid"
"r8169"
];
boot.kernelModules = ["kvm-amd"];
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot = {
enable = true;
configurationLimit = 20;
};
networking.hostId = "5b02e763";
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.enableRedistributableFirmware = lib.mkDefault true;
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
# TODO move away from here (how can the interface name be retrieved programmatically?)
networking.interfaces.enp11s0.wakeOnLan = {
enable = true;
policy = ["broadcast" "magic"];
};
}
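Review bot: `boot.kernelParams = ["ip=dhcp"]` and `r8169` in `boot.initrd.availableKernelModules` are undocumented, and together with the `ssh-initrd` entry in the fleet module list they read as one mechanism: bringing the NIC up in the initrd so the passphrase for the encrypted ZFS root in `hosts/picard/disko.nix` (`keylocation = "prompt"`) can be supplied remotely; a comment such as `# ip=dhcp + r8169: the initrd needs networking so the ssh-initrd module can take the ZFS passphrase` keeps the next reader from removing one half of the pair. That initrd and whatever host key `ssh-initrd` uses sit on the unencrypted ESP, so they are readable by anyone holding the disk — presumably the module generates a dedicated initrd key rather than reusing the system's, but the module is not in this view and is worth confirming. `networking.interfaces.enp11s0.wakeOnLan` already carries a TODO about the hard-coded interface name; until that is resolved, the same comment could note that the name must match the `r8169` device above.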

72
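--- a/hosts/picard/disko.nix
+++ b/hosts/picard/disko.nix
@@ -0,0 +1,72 @@
+{
+disko.devices = {
+disk = {
+nvme = {
+type = "disk";
+device = "/dev/nvme0n1";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+size = "1G";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+zfs = {
+size = "100%";
+content = {
+type = "zfs";
+pool = "zroot";
+};
+};
+};
+};
+};
+};
+zpool = {
+zroot = {
+type = "zpool";
+rootFsOptions = {
+compression = "lz4";
+acltype = "posixacl";
+xattr = "sa";
+"com.sun:auto-snapshot" = "true";
+mountpoint = "none";
+};
+datasets = {
+"root" = {
+type = "zfs_fs";
+options = {
+mountpoint = "none";
+encryption = "aes-256-gcm";
+keyformat = "passphrase";
+keylocation = "prompt";
+};
+};
+"root/nixos" = {
+type = "zfs_fs";
+options.mountpoint = "/";
+mountpoint = "/";
+};
+"root/home" = {
+type = "zfs_fs";
+options.mountpoint = "/home";
+mountpoint = "/home";
+};
+"root/tmp" = {
+type = "zfs_fs";
+mountpoint = "/tmp";
+options = {
+mountpoint = "/tmp";
+sync = "disabled";
+};
+};
+};
+};
+};
+};
+}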
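Review bot: The ESP content block (`format = "vfat"; mountpoint = "/boot";`) sets no `mountOptions`, so with vfat's default umask the kernels, initrds and anything else written to `/boot` are world-readable on the running system even though the rest of the disk is encrypted; adding `mountOptions = ["umask=0077"];` to that content block restricts the mounted ESP to root and is the usual companion to an encrypted root. Separately, `"com.sun:auto-snapshot" = "true"` is set in `rootFsOptions` and inherited by `root/tmp`, so any snapshot tool honouring that property will snapshot `/tmp` and keep its churn alive for no benefit — `"com.sun:auto-snapshot" = "false";` inside `root/tmp`'s `options` opts it out. Whether such a snapshot service is enabled on this host is not visible here.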


@ -20,8 +20,13 @@
# "nextcloud"
"home-assistant"
# "immich"
"adguard-home"
# "adguard-home"
# "mount-hetzner-box"
"cloudflare-dyndns"
"rock5b-proxy"
"invidious"
"searx"
"rock5b-samba"
]
++ [
./disko.nix
@ -29,6 +34,8 @@
ccr.enable = true;
networking.firewall.enable = lib.mkForce false;
services.rock5b-fan-control.enable = true;
nixpkgs.hostPlatform = "aarch64-linux";
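Review bot: The first hunk adds `"rock5b-proxy"`, `"invidious"`, `"searx"` and `"rock5b-samba"` to the fleet module list — several new network listeners — while `networking.firewall.enable = lib.mkForce false;` remains in the second hunk, so every one of those services is reachable on every interface with nothing filtering it and no per-service decision recorded anywhere. Keeping the firewall on and letting each module open only its own port through `networking.firewall.allowedTCPPorts` (or `allowedUDPPorts` for Samba's discovery side) puts that decision next to the service instead of in a host-wide `mkForce false`. Whether the firewall line is new or pre-existing is not recoverable from this rendering, and the second hunk (`@ -29,6 +34,8 @@`) is cut off in this view.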


@ -33,6 +33,7 @@
"nix-development"
"clamav"
"waydroid"
"buildboot-nix"
# "gnome-keyring"
];
@ -45,6 +46,7 @@
"digikam"
"discord"
"element"
"email"
# "nheko"
# "thunderbird"
# "aerc"
@ -54,7 +56,7 @@
"gpg"
"gnome-keyring"
"helix"
"mopidy"
# "mopidy"
"mpv"
"openscad"
"password-store"
@ -79,7 +81,6 @@
];
packages = with pkgs; [
comma
dolphin-emu-beta
sc-controller
libreoffice
];
@ -218,4 +219,6 @@
Sunshine
KERNEL=="uinput", GROUP="input", MODE="0660", OPTIONS+="static_node=uinput"
'';
services.teamviewer.enable = true;
}
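Review bot: `"buildboot-nix"` in the first hunk's fleet module list looks like a typo for `buildbot-nix` — that is how the flake input is spelled elsewhere in this commit — and since `fleetModules` maps each name to `${self.outPath}/modules/<name>`, a misspelt entry resolves to a nonexistent path when the host is evaluated; change it to `"buildbot-nix"` if that is the directory name. `services.teamviewer.enable = true;` in the last hunk starts a proprietary remote-control daemon system-wide at boot; if it is only needed now and then, a comment stating why it is on permanently (or leaving it disabled and starting the unit on demand) is the safer default. The first hunk (`@ -33,6 +33,7 @@`) appears to have lost a line in rendering, so its exact extent is uncertain from here.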


@ -1,6 +1,7 @@
{
config,
pkgs,
lib,
...
}: {
boot.supportedFilesystems = ["zfs"];
@ -22,6 +23,7 @@
mount /boot/efi
'';
boot.loader.grub.extraInstallCommands = ''
export PATH=$PATH:${lib.makeBinPath [pkgs.coreutils]}
ESP_MIRROR=$(mktemp -d)
cp -r /boot/efi/EFI $ESP_MIRROR
for i in /boot/efis/*; do