infra/nix/os/lib/default.nix

{ lib
, config
,
}:
let
  keys = import ../../variables/keys.nix;
in
{
  mkUser = args: (
    lib.attrsets.recursiveUpdate
      {
        isNormalUser = true;
        extraGroups = [
          "docker"
          "wheel"
          "libvirtd"
          "networkmanager"
          "vboxusers"
          "users"
          "input"
          "audio"
          "video"
          "cdrom"
          "adbusers"
          "dialout"
          "cdrom"
          "fuse"
        ];
        openssh.authorizedKeys.keys = keys.users.steveej.openssh;

        # TODO: investigate why this secret cannot be found
        # openssh.authorizedKeys.keyFiles = [
        #   config.sops.secrets.sharedSshKeys-steveej.path
        # ];
      }
      args
  );

  disk = rec {
    # TODO: verify the GPT PARTLABEL cap at 36 chars
    shortenGptPartlabel = partlabel: (builtins.substring 0 36 partlabel);

    # LVM doesn't allow most characters in VG names
    # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+]
    volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId;

    # This is important at install-time
    bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId;

    # These are guaranteed by LVM
    rootFsDevice = diskId: "/dev/" + (volumeGroup diskId) + "/root";
    swapFsDevice = diskId: "/dev/" + (volumeGroup diskId) + "/swap";

    # Cannot use the disk ID here because might be different at install vs. runtime.
    # Example: MMC card which is used in the internal reader vs. USB reader
    bootFsDevice = diskId:
      "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId));
    bootLuksDevice = diskId:
      "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId));
    luksName = diskId: (volumeGroup diskId) + "pv";
    luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId);
    lvmPv = diskId: encrypted:
      if encrypted == true
      then luksPhysicalVolume diskId
      else bootLuksDevice diskId;
  };
}
lib/default: format 2024-01-19 11:49:33 +01:00			`{ lib`
			`, config`
			`,`
			`}:`
			`let`
feat: init srv0-dmz0 2023-07-06 22:42:24 +02:00			`keys = import ../../variables/keys.nix;`
lib/default: format 2024-01-19 11:49:33 +01:00			`in`
			`{`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`mkUser = args: (`
lib/default: format 2024-01-19 11:49:33 +01:00			`lib.attrsets.recursiveUpdate`
			`{`
			`isNormalUser = true;`
			`extraGroups = [`
			`"docker"`
			`"wheel"`
			`"libvirtd"`
			`"networkmanager"`
			`"vboxusers"`
			`"users"`
			`"input"`
			`"audio"`
			`"video"`
			`"cdrom"`
			`"adbusers"`
			`"dialout"`
			`"cdrom"`
lib/default: add fuse to default groups 2024-01-19 11:49:49 +01:00			`"fuse"`
lib/default: format 2024-01-19 11:49:33 +01:00			`];`
			`openssh.authorizedKeys.keys = keys.users.steveej.openssh;`
feat: init srv0-dmz0 2023-07-06 22:42:24 +02:00
lib/default: format 2024-01-19 11:49:33 +01:00			`# TODO: investigate why this secret cannot be found`
			`# openssh.authorizedKeys.keyFiles = [`
			`# config.sops.secrets.sharedSshKeys-steveej.path`
			`# ];`
			`}`
			`args`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`);`
nix/devices: implement disk-prepare 2018-11-10 19:24:24 +01:00
			`disk = rec {`
			`# TODO: verify the GPT PARTLABEL cap at 36 chars`
			`shortenGptPartlabel = partlabel: (builtins.substring 0 36 partlabel);`

			`# LVM doesn't allow most characters in VG names`
			`# TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+]`
lib/default: format 2024-01-19 11:49:33 +01:00			`volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId;`
nix/devices: implement disk-prepare 2018-11-10 19:24:24 +01:00
			`# This is important at install-time`
			`bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId;`

			`# These are guaranteed by LVM`
			`rootFsDevice = diskId: "/dev/" + (volumeGroup diskId) + "/root";`
			`swapFsDevice = diskId: "/dev/" + (volumeGroup diskId) + "/swap";`

			`# Cannot use the disk ID here because might be different at install vs. runtime.`
			`# Example: MMC card which is used in the internal reader vs. USB reader`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`bootFsDevice = diskId:`
			`"/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId));`
			`bootLuksDevice = diskId:`
			`"/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId));`
			`luksName = diskId: (volumeGroup diskId) + "pv";`
nix/devices: implement disk-prepare 2018-11-10 19:24:24 +01:00			`luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId);`
support unencrypted disk provisioning 2020-12-31 02:12:29 +01:00			`lvmPv = diskId: encrypted:`
chore: format with alejandra 2023-02-07 18:24:28 +01:00			`if encrypted == true`
			`then luksPhysicalVolume diskId`
			`else bootLuksDevice diskId;`
nix/devices: implement disk-prepare 2018-11-10 19:24:24 +01:00			`};`
make * composable; add install medium; archive prevoius code 2018-10-30 13:38:36 +01:00			`}`