diff --git a/flake.nix b/flake.nix
index 7d7f5ec..914abc2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,8 +53,9 @@ in
{
default = pkgs.mkShell {
- nativeBuildInputs = [
+ nativeBuildInputs = with pkgs; [
mod_worktrees
+ deploy-rs
];
shellHook = ''
diff --git a/hosts/h002/flake.nix b/hosts/h002/flake.nix
index bc9377c..f3e7e17 100644
--- a/hosts/h002/flake.nix
+++ b/hosts/h002/flake.nix
@@ -5,6 +5,7 @@
ros_neovim.url = "git+https://git.joshuabell.xyz/nvim";
mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
mod_common.inputs.nixpkgs.follows = "nixpkgs";
+ mod_secrets.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_secrets";
mod_boot_grub.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_boot_grub";
mod_ros_stormd.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_stormd";
mod_nebula.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_nebula";
diff --git a/hosts/l003/configuration.nix b/hosts/linode/l003/configuration.nix
similarity index 71%
rename from hosts/l003/configuration.nix
rename to hosts/linode/l003/configuration.nix
index d648982..016d4ad 100644
--- a/hosts/l003/configuration.nix
+++ b/hosts/linode/l003/configuration.nix
@@ -2,7 +2,6 @@
...
}:
{
- networking.hostName = "l003";
boot.loader.grub.enable = true;
system.stateVersion = "24.11";
}
diff --git a/hosts/linode/l003/flake.lock b/hosts/linode/l003/flake.lock
new file mode 100644
index 0000000..cc7b75b
--- /dev/null
+++ b/hosts/linode/l003/flake.lock
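Review bot: The new `mod_secrets` input in hosts/h002/flake.nix is declared without the `inputs.nixpkgs.follows = "nixpkgs"` line that `mod_common` carries two lines above it, so if that branch declares its own nixpkgs input it will be locked and evaluated independently of the host's nixpkgs. For consistency with the neighbouring inputs add `mod_secrets.inputs.nixpkgs.follows = "nixpkgs";` directly under the new line, or leave a short comment saying the secrets module is meant to pin its own nixpkgs. The `inputs` attribute set this hunk sits in starts and ends outside the hunk.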
@@ -0,0 +1,135 @@ +{ + "nodes": { + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1727447169, + "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "mod_common": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736191002, + "narHash": "sha256-t39PCeJFgIXzniqjUIIFnbv6AE15WyoPTCE3k3Xuyz0=", + "ref": "mod_common", + "rev": "ac3c0c2422842edba1887279bddd02b895ec5ed2", + "revCount": 4, + "type": "git", + "url": "https://git.joshuabell.xyz/dotfiles" + }, + "original": { + "ref": "mod_common", + "type": "git", + "url": "https://git.joshuabell.xyz/dotfiles" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1736200483, + "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "3f0a8ac25fb674611b98089ca3a5dd6480175751", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": 
"github" + } + }, + "root": { + "inputs": { + "deploy-rs": "deploy-rs", + "mod_common": "mod_common", + "nixpkgs": "nixpkgs_2" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/hosts/l003/flake.nix b/hosts/linode/l003/flake.nix similarity index 78% rename from hosts/l003/flake.nix rename to hosts/linode/l003/flake.nix index 5e58f8a..04f93f7 100644 --- a/hosts/l003/flake.nix +++ b/hosts/linode/l003/flake.nix @@ -1,16 +1,17 @@ { inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + deploy-rs.url = "github:serokell/deploy-rs"; mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common"; mod_common.inputs.nixpkgs.follows = "nixpkgs"; - mod_common.inputs.ragenix.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { self, nixpkgs, + deploy-rs, ... }@inputs: let 
@@ -36,16 +37,14 @@
./configuration.nix
./hardware-configuration.nix
./linode.nix
- ./common.nix
(
{ pkgs, ... }:
{
users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJN2nsLmAlF6zj5dEBkNSJaqcCya+aB6I0imY8Q5Ew0S nix2lio"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
];
mods = {
common = {
- flakeLocationOverride = "/home/luser/.config/nixos-config";
disableRemoteBuildsOnLio = true;
systemName = configuration_name;
allowUnfree = true;
@@ -73,5 +72,20 @@
};
});
};
+
+ deploy = {
+ sshUser = "root";
+ sshOpts = [
+ "-i"
+ "/run/agenix/nix2l002"
+ ];
+ nodes.${configuration_name} = {
+ hostname = "172.234.26.141";
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configuration_name};
+ };
+ };
+ };
};
}
diff --git a/hosts/l003/hardware-configuration.nix b/hosts/linode/l003/hardware-configuration.nix
similarity index 100%
rename from hosts/l003/hardware-configuration.nix
rename to hosts/linode/l003/hardware-configuration.nix
diff --git a/hosts/l003/linode.nix b/hosts/linode/l003/linode.nix
similarity index 100%
rename from hosts/l003/linode.nix
rename to hosts/linode/l003/linode.nix
diff --git a/hosts/linode/l004/configuration.nix b/hosts/linode/l004/configuration.nix
new file mode 100644
index 0000000..016d4ad
--- /dev/null
+++ b/hosts/linode/l004/configuration.nix
@@ -0,0 +1,7 @@
+{
+ ...
+}:
+{
+ boot.loader.grub.enable = true;
+ system.stateVersion = "24.11";
+}
diff --git a/hosts/linode/l004/flake.lock b/hosts/linode/l004/flake.lock
new file mode 100644
index 0000000..cc7b75b
--- /dev/null
+++ b/hosts/linode/l004/flake.lock
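Review bot: The `deploy` attribute set added at the end of hosts/linode/l003/flake.nix is never validated: deploy-rs provides a schema check for exactly this structure, and the flake exposes no `checks` output, so a typo in `nodes` or `profiles` only surfaces when `deploy` is run against the live host. Add `checks = deploy-rs.lib.x86_64-linux.deployChecks self.deploy;` beside the new attribute; the identical block in hosts/linode/l004/flake.nix needs the same line. The `sshOpts` entry also deserves a why-comment, e.g. `# deploy key; presumably the agenix-decrypted identity on the machine running deploy, not on the target`, since the `/run/agenix/nix2l002` path is otherwise unexplained. The outputs attribute set these hunks belong to starts outside the hunk.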
@@ -0,0 +1,135 @@ +{ + "nodes": { + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1727447169, + "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "mod_common": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736191002, + "narHash": "sha256-t39PCeJFgIXzniqjUIIFnbv6AE15WyoPTCE3k3Xuyz0=", + "ref": "mod_common", + "rev": "ac3c0c2422842edba1887279bddd02b895ec5ed2", + "revCount": 4, + "type": "git", + "url": "https://git.joshuabell.xyz/dotfiles" + }, + "original": { + "ref": "mod_common", + "type": "git", + "url": "https://git.joshuabell.xyz/dotfiles" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1736200483, + "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "3f0a8ac25fb674611b98089ca3a5dd6480175751", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": 
"github" + } + }, + "root": { + "inputs": { + "deploy-rs": "deploy-rs", + "mod_common": "mod_common", + "nixpkgs": "nixpkgs_2" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/hosts/linode/l004/flake.nix b/hosts/linode/l004/flake.nix new file mode 100644 index 0000000..d44cbe5 --- /dev/null +++ b/hosts/linode/l004/flake.nix 
@@ -0,0 +1,91 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+ deploy-rs.url = "github:serokell/deploy-rs";
+
+ mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
+ mod_common.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs =
+ {
+ self,
+ nixpkgs,
+ deploy-rs,
+ ...
+ }@inputs:
+ let
+ configuration_name = "l004";
+ lib = nixpkgs.lib;
+ in
+ {
+ nixosConfigurations = {
+ nixos = self.nixosConfigurations.${configuration_name};
+ "${configuration_name}" =
+ let
+ auto_modules = builtins.concatMap (
+ input:
+ lib.optionals
+ (builtins.hasAttr "nixosModules" input && builtins.hasAttr "default" input.nixosModules)
+ [
+ input.nixosModules.default
+ ]
+ ) (builtins.attrValues inputs);
+ in
+ (lib.nixosSystem {
+ modules = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ./linode.nix
+ (
+ { pkgs, ... }:
+ {
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
+ ];
+ mods = {
+ common = {
+ disableRemoteBuildsOnLio = true;
+ systemName = configuration_name;
+ allowUnfree = true;
+ primaryUser = "luser";
+ docker = true;
+ users = {
+ luser = {
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ ];
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
+ ];
+ };
+ };
+ };
+ };
+ }
+ )
+ ] ++ auto_modules;
+ specialArgs = {
+ inherit inputs;
+ };
+ });
+ };
+
+ deploy = {
+ sshUser = "root";
+ sshOpts = [
+ "-i"
+ "/run/agenix/nix2l002"
+ ];
+ nodes.${configuration_name} = {
+ hostname = "172.232.20.245";
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configuration_name};
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/linode/l004/hardware-configuration.nix b/hosts/linode/l004/hardware-configuration.nix
new file mode 100644
index 0000000..6507949
--- /dev/null
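Review bot: `auto_modules` in hosts/linode/l004/flake.nix scans every flake input — `nixpkgs` and `deploy-rs` included — for a `nixosModules.default` and imports whatever it finds, so the set of NixOS modules that end up in this system is decided by what each upstream input chooses to export rather than by this file, and an input that later adds a `nixosModules.default` is pulled into the host configuration silently on the next `nix flake update`. Since only `mod_common` is expected to contribute a module here, an explicit entry — `inputs.mod_common.nixosModules.default` in the `modules` list in place of `++ auto_modules` — keeps the trust boundary visible and is equivalent as long as the other inputs export no default module. If the scan is kept on purpose, a one-line comment above `auto_modules` stating that every input's default module is intentionally imported would at least make the behaviour discoverable.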
+++ b/hosts/linode/l004/hardware-configuration.nix @@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/3612d65e-719c-4b33-af08-561b790d6d33"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s5.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} + diff --git a/hosts/linode/l004/linode.nix b/hosts/linode/l004/linode.nix new file mode 100644 index 0000000..2fca20d --- /dev/null +++ b/hosts/linode/l004/linode.nix 
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+{
+ # https://www.linode.com/docs/guides/install-nixos-on-linode/#configure-nixos
+ boot.kernelParams = [ "console=ttyS0,19200n8" ];
+ boot.loader.grub.extraConfig = ''
+ serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+ terminal_input serial;
+ terminal_output serial
+ '';
+
+ boot.loader.grub.forceInstall = true;
+ boot.loader.grub.device = "nodev";
+ boot.loader.timeout = 10;
+
+ # TODO disable after first startup with ssh keys
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ settings.PasswordAuthentication = false;
+ };
+ users.users.root.openssh.authorizedKeys.keys = config.users.users.luser.openssh.authorizedKeys.keys;
+
+ networking.usePredictableInterfaceNames = false;
+ networking.useDHCP = false; # Disable DHCP globally as we will not need it.
+ # required for ssh?
+ networking.interfaces.eth0.useDHCP = true;
+
+ environment.systemPackages = with pkgs; [
+ inetutils
+ mtr
+ sysstat
+ ];
+}
diff --git a/hosts/l003/readme.md b/hosts/linode/l004/readme.md
similarity index 50%
rename from hosts/l003/readme.md
rename to hosts/linode/l004/readme.md
index 234dbb7..3a96486 100644
--- a/hosts/l003/readme.md
+++ b/hosts/linode/l004/readme.md
@@ -5,13 +5,6 @@ https://nixos.org/download/ `export HOSTNAME=NAME && sudo nixos-rebuild switch --flake ~/.config/nixos-config`
-# My config
-
-```sh
-rsync -e "ssh -i /run/agenix/nix2l002" -Pahz \
- --delete-after \
- --exclude 'flake.lock' \
- ~/.config/nixos-config/hosts/l003/ \
- luser@172.234.26.141:~/.config/nixos-config/
-```
+# Deploying
+`cd hosts/NAME && deploy`
diff --git a/hosts/linode/linode.nix b/hosts/linode/linode.nix
new file mode 100644
index 0000000..53cc77f
--- /dev/null
+++ b/hosts/linode/linode.nix
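Review bot: `settings.PermitRootLogin = "yes"` in hosts/linode/l004/linode.nix is broader than the deploy flow needs: the `deploy` block in this host's flake.nix logs in as root with a key, which `PermitRootLogin = "prohibit-password"` still allows, whereas `yes` additionally admits any other root authentication method sshd has enabled now or later. With `settings.PasswordAuthentication = false` on the next line the exposure today is small, but the `# TODO disable after first startup with ssh keys` comment above cannot be acted on as written, because deploy-rs depends on root SSH staying open. Changing the line to `settings.PermitRootLogin = "prohibit-password";` and rewording the TODO to say root key login is required by `deploy` closes the gap without breaking deployment; the same stanza appears in hosts/linode/linode.nix in this commit. The `# required for ssh?` comment on `networking.interfaces.eth0.useDHCP` also reads as an open question — if eth0 is the only uplink, saying so is more useful than the question mark.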
@@ -0,0 +1,39 @@
+{ pkgs, ... }:
+{
+ # https://www.linode.com/docs/guides/install-nixos-on-linode/#configure-nixos
+ boot.kernelParams = [ "console=ttyS0,19200n8" ];
+ boot.loader.grub.extraConfig = ''
+ serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+ terminal_input serial;
+ terminal_output serial
+ '';
+
+ boot.loader.grub.forceInstall = true;
+ boot.loader.grub.device = "nodev";
+ boot.loader.timeout = 10;
+
+ # TODO disable after first startup with ssh keys
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ settings.PasswordAuthentication = false;
+ };
+
+ networking.usePredictableInterfaceNames = false;
+ networking.useDHCP = false; # Disable DHCP globally as we will not need it.
+ # required for ssh?
+ networking.interfaces.eth0.useDHCP = true;
+
+ environment.systemPackages = with pkgs; [
+ inetutils
+ mtr
+ sysstat
+ gitMinimal
+ vim
+ nano
+ ];
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
+ ];
+}
diff --git a/hosts/linode/readme.md b/hosts/linode/readme.md
new file mode 100644
index 0000000..95c9186
--- /dev/null
+++ b/hosts/linode/readme.md
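Review bot: The shared hosts/linode/linode.nix added here is not referenced by either host flake in this commit — hosts/linode/l003/flake.nix and hosts/linode/l004/flake.nix both import their own `./linode.nix` — so the serial-console, GRUB and `services.openssh` stanza now exists three times and any hardening change has to be repeated in each copy. Either point the per-host `modules` lists at `../linode.nix` and drop the per-host copies, or add a header comment stating that this file is the bootstrap template the new hosts/linode/readme.md tells you to copy onto the installer (its 'copy `linode.nix` into remote server' step suggests that is the intent). The hardcoded root `authorizedKeys` entry fits a bootstrap template but means every Linode bootstrapped from it trusts the `nix2l002` key from first boot; a comment saying that is deliberate, and that the key is later managed from the host flake, would remove the ambiguity.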
@@ -0,0 +1,59 @@
+# Linode setup
+
+
+
+
+- shutdown linode
+- delete existing disks and configuration profiles
+- Create Disks
+ - `installer`: `ext4` `1280 MB`
+ - `swap`: `swap` `512 MB`
+ - `nixos`: `ext4` all remaining space
+- Create two configuration profiles, one for the installer and one to boot NixOS. For each profile, disable all of the options under Filesystem/Boot Helpers and set the Configuration Profile to match the following:
+ - installer profile
+ - Label: installer
+ - Kernel: Direct Disk
+ - /dev/sda: nixos
+ - /dev/sdb: swap
+ - /dev/sdc: installer
+ - root / boot device: Standard: `/dev/sdc`
+ - nixos profile
+ - Label: nixos
+ - Kernel: GRUB 2
+ - /dev/sda: nixos
+ - /dev/sdb: swap
+ - root / boot device: Standard: `/dev/sda`
+- Setup installer.
+ - rescue mode with installer as /dev/sda
+ - Open LISH
+
+```bash
+# Update SSL certificates to allow HTTPS connections:
+update-ca-certificates
+# set the iso url to a variable
+iso=https://channels.nixos.org/nixos-24.11/latest-nixos-minimal-x86_64-linux.iso
+# verify sda disk is installer (~1GB)
+lsblk
+curl -L https://channels.nixos.org/nixos-24.11/latest-nixos-minimal-x86_64-linux.iso.sha256
+# Download the ISO, write it to the installer disk, and verify the checksum:
+curl -L $iso | tee >(dd of=/dev/sda) | sha256sum
+# verify the shas are the same then shutdown system
+shutdown 0
+```
+
+- Boot the installer configuration profile and install nixos
+(open GLISH and `sudo -i && passwd #simple pass` ssh into machine for easier copy paste, rerun `passwd` with a more secure password here if desired)
+ - mount /dev/sda /mnt
+ - swapon /dev/sdb
+ - nixos-generate-config --root /mnt
+ - cd /mnt/etc/nixos
+
+- # TODO rewrite device modifiers like they say in the tutorial?
I had issues with linode's device labeling so I am leaving it to uuids, this could bite me in the future idk
+
+ - copy `linode.nix` into remote server and import it into `configuration.nix`
+ - update ssh key for root user if needed
+ - `nixos-install`
+ - `shutdown 0`
+- delete the installer configuration profile in linode, boot into nixos configuration profile
+
+tada, should be able to ssh with root and ssh key defined in earlier in linode.nix
diff --git a/readme.md b/readme.md
index b0f52c1..601e0d6 100644
--- a/readme.md
+++ b/readme.md
@@ -87,3 +87,8 @@ efi /EFI/Microsoft/Boot/bootmgfw.efi - work on secrets pre ragenix, stormd pre install for all the above bootstrapping steps would be ideal - reduce home manager, make per user modules support instead - Ensure my neovim undohistory/auto saves don't save `.age` files as they can be sensitive.
+
+
+# Server hosts
+
+simply run `deploy` in the host root and it will push changes to the server