infra/nix/os/lib/default.nix

{
  lib,
  config,
}: let
  keys = import ../../variables/keys.nix;
in {
  mkUser = args: (
    lib.attrsets.recursiveUpdate {
      isNormalUser = true;
      extraGroups = [
        "docker"
        "wheel"
        "libvirtd"
        "networkmanager"
        "vboxusers"
        "users"
        "input"
        "audio"
        "video"
        "cdrom"
        "adbusers"
      ];
      openssh.authorizedKeys.keys = keys.users.steveej.openssh;

      # TODO: investigate why this secret cannot be found
      # openssh.authorizedKeys.keyFiles = [
      #   config.sops.secrets.sharedSshKeys-steveej.path
      # ];
    }
    args
  );

  disk = rec {
    # TODO: verify the GPT PARTLABEL cap at 36 chars
    shortenGptPartlabel = partlabel: (builtins.substring 0 36 partlabel);

    # LVM doesn't allow most characters in VG names
    # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+]
    volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId;

    # This is important at install-time
    bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId;

    # These are guaranteed by LVM
    rootFsDevice = diskId: "/dev/" + (volumeGroup diskId) + "/root";
    swapFsDevice = diskId: "/dev/" + (volumeGroup diskId) + "/swap";

    # Cannot use the disk ID here because might be different at install vs. runtime.
    # Example: MMC card which is used in the internal reader vs. USB reader
    bootFsDevice = diskId:
      "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId));
    bootLuksDevice = diskId:
      "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId));
    luksName = diskId: (volumeGroup diskId) + "pv";
    luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId);
    lvmPv = diskId: encrypted:
      if encrypted == true
      then luksPhysicalVolume diskId
      else bootLuksDevice diskId;
  };
}
make * composable; add install medium; archive prevoius code 2018-10-30 13:38:36 +01:00			`{`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`lib,`
feat: init srv0-dmz0 2023-07-06 22:42:24 +02:00			`config,`
			`}: let`
			`keys = import ../../variables/keys.nix;`
			`in {`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`mkUser = args: (`
			`lib.attrsets.recursiveUpdate {`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`isNormalUser = true;`
			`extraGroups = [`
			`"docker"`
			`"wheel"`
			`"libvirtd"`
			`"networkmanager"`
			`"vboxusers"`
			`"users"`
			`"input"`
			`"audio"`
			`"video"`
			`"cdrom"`
			`"adbusers"`
			`];`
			`openssh.authorizedKeys.keys = keys.users.steveej.openssh;`
feat: init srv0-dmz0 2023-07-06 22:42:24 +02:00
			`# TODO: investigate why this secret cannot be found`
			`# openssh.authorizedKeys.keyFiles = [`
			`# config.sops.secrets.sharedSshKeys-steveej.path`
			`# ];`
chore: format with alejandra 2023-02-07 18:24:28 +01:00			`}`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`args`
			`);`
nix/devices: implement disk-prepare 2018-11-10 19:24:24 +01:00
			`disk = rec {`
			`# TODO: verify the GPT PARTLABEL cap at 36 chars`
			`shortenGptPartlabel = partlabel: (builtins.substring 0 36 partlabel);`

			`# LVM doesn't allow most characters in VG names`
			`# TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+]`
chore: format with alejandra 2023-02-07 18:24:28 +01:00			`volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId;`
nix/devices: implement disk-prepare 2018-11-10 19:24:24 +01:00
			`# This is important at install-time`
			`bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId;`

			`# These are guaranteed by LVM`
			`rootFsDevice = diskId: "/dev/" + (volumeGroup diskId) + "/root";`
			`swapFsDevice = diskId: "/dev/" + (volumeGroup diskId) + "/swap";`

			`# Cannot use the disk ID here because might be different at install vs. runtime.`
			`# Example: MMC card which is used in the internal reader vs. USB reader`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`bootFsDevice = diskId:`
			`"/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId));`
			`bootLuksDevice = diskId:`
			`"/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId));`
			`luksName = diskId: (volumeGroup diskId) + "pv";`
nix/devices: implement disk-prepare 2018-11-10 19:24:24 +01:00			`luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId);`
support unencrypted disk provisioning 2020-12-31 02:12:29 +01:00			`lvmPv = diskId: encrypted:`
chore: format with alejandra 2023-02-07 18:24:28 +01:00			`if encrypted == true`
			`then luksPhysicalVolume diskId`
			`else bootLuksDevice diskId;`
nix/devices: implement disk-prepare 2018-11-10 19:24:24 +01:00			`};`
make * composable; add install medium; archive prevoius code 2018-10-30 13:38:36 +01:00			`}`