steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'pr/bump' into 'master'

Browse source 
Pr/bump

See merge request steveeJ/infra!24
This commit is contained in:
steveej 2019-12-04 18:40:09 +00:00
commit a96588d9fd
26 changed files with 239 additions and 94 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Justfile
View file

@ -7,6 +7,7 @@ _DEFAULT_VERSION:
_usage: _usage:
just -l just -l
# Re-render the default versions
update-default-versions: update-default-versions:
#!/usr/bin/env bash #!/usr/bin/env bash
template="$(just _DEFAULT_VERSION_TMPL)" template="$(just _DEFAULT_VERSION_TMPL)"
@ -82,6 +83,7 @@ rebuild-this-device rebuildarg="dry-activate":
fi fi
fi fi
# Re-render the versions of a remote device and rebuild its environment
update-remote-device device target rebuildmode='switch': update-remote-device device target rebuildmode='switch':
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
@ -111,7 +113,7 @@ update-remote-device device target rebuildmode='switch':
git commit -v ${outfile} -m "nix/os/devices/{{ device }}: bump versions" git commit -v ${outfile} -m "nix/os/devices/{{ device }}: bump versions"
# Update the channel versions and (by default) switch to new environment # Re-render the versions of the current device and rebuild its environment
update-this-device rebuild-mode='switch': update-this-device rebuild-mode='switch':
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e

7
README.md
View file

@ -50,6 +50,9 @@ just --list
## Bootstrap ## Bootstrap
### A new machine ### A new machine
* ensure the dotfiles repo has a branch with the new machine's hostname
1. boot with an install media * boot with an install media and go through setup
2. clone infra repository
#### Post-Install Setup
* `gpg2 --edit-card; fetch`

27
nix/home-manager/configuration/graphical-fullblown.nix
View file

@ -90,18 +90,18 @@ in {
nix-prefetch-github nix-prefetch-github
# Version Control Systems # Version Control Systems
unstablepkgs.pijul pijul
gitless gitless
gitRepo gitRepo
git-lfs git-lfs
# Cloud/Remote System Management # TODO: move Cloud/Remote System Management to a dev environment
google-cloud-sdk # google-cloud-sdk
ansible # ansible
nixops # nixops
unstablepkgs.terraform # terraform
awscli # awscli
hcloud # hcloud
# Process/System Administration # Process/System Administration
htop htop
@ -139,7 +139,7 @@ in {
aspellDicts.en aspellDicts.en
aspellDicts.de aspellDicts.de
unstablepkgs.skype unstablepkgs.skype
zoom-us zoom-us # broken as of 2019-10-30
unstablepkgs.bluejeans-gui unstablepkgs.bluejeans-gui
thunderbird thunderbird
gnome3.evolution # gnome4.glib_networking gnome3.evolution # gnome4.glib_networking
@ -338,16 +338,17 @@ in {
pypi2nix pypi2nix
## Webdev ## Webdev
nodejs-8_x # TODO: move this to dev environment
npm2nix # nodejs-8_x
emscripten # npm2nix
# emscripten
# Code generators # Code generators
unstablepkgs.swagger-codegen unstablepkgs.swagger-codegen
# Misc Desktop Tools # Misc Desktop Tools
ltunify ltunify
solaar # solaar # TODO: conflicts with solar over udev rules
dex dex
# kitty # kitty
busyboxStatic busyboxStatic

4
nix/home-manager/configuration/graphical-removable.nix
View file

@ -26,8 +26,6 @@ in {
gnutls = true; gnutls = true;
}; };
android_sdk.accept_license = true;
packageOverrides = pkgs: with pkgs; { packageOverrides = pkgs: with pkgs; {
myPython36 = python36Full.withPackages (ps: with ps; [ myPython36 = python36Full.withPackages (ps: with ps; [
pylint pep8 yapf flake8 pylint pep8 yapf flake8
@ -141,8 +139,6 @@ in {
python27Packages.binwalk python27Packages.binwalk
gptfdisk gptfdisk
androidsdk
## Python ## Python
myPython36 myPython36

40
nix/os/devices/disk.nix
View file

@ -28,11 +28,11 @@ in rec {
diskUmount = pkgs.writeScript "script" '' diskUmount = pkgs.writeScript "script" ''
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -x
sudo umount -R ${mntRootVol} sudo umount -Rl ${mntRootVol}
sudo rmdir ${mntRootVol} sudo rmdir ${mntRootVol}
sudo vgchange -an ${ownLib.disk.volumeGroup diskId} sudo vgchange -an ${ownLib.disk.volumeGroup diskId}
sudo cryptsetup luksClose ${ownLib.disk.luksName diskId} sudo cryptsetup close ${ownLib.disk.luksName diskId}
sync sync
''; '';
@ -66,7 +66,7 @@ in rec {
# Partition # Partition
sync sync
{ {
fdisk -w always -W always ${ownLib.disk.bootGrubDevice diskId} <<EOF sudo fdisk -w always -W always ${ownLib.disk.bootGrubDevice diskId} <<EOF
g g
n n
1 1
@ -95,30 +95,32 @@ in rec {
EOF EOF
} || { } || {
sync sync
partprobe ${ownLib.disk.bootGrubDevice diskId} sudo partprobe ${ownLib.disk.bootGrubDevice diskId}
} }
sleep 1
# Encrypt # Encrypt
cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
# LVM # LVM
vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.luksPhysicalVolume diskId} sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.luksPhysicalVolume diskId}
lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
# Filesystem # Filesystem
mkfs.vfat -F32 ${ownLib.disk.bootFsDevice diskId} sudo mkfs.vfat -F32 ${ownLib.disk.bootFsDevice diskId}
mkfs.btrfs ${ownLib.disk.rootFsDevice diskId} sudo mkfs.btrfs ${ownLib.disk.rootFsDevice diskId}
mkswap ${ownLib.disk.swapFsDevice diskId} sudo mkswap ${ownLib.disk.swapFsDevice diskId}
# Subvolume and FS hierharchy # Subvolume and FS hierharchy
mkdir -p /mnt sudo mkdir -p /mnt
mkdir ${mntRootVol} sudo mkdir ${mntRootVol}
mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
btrfs subvolume create ${mntRootVol}/nixos sudo btrfs subvolume create ${mntRootVol}/nixos
btrfs subvolume create ${mntRootVol}/home sudo btrfs subvolume create ${mntRootVol}/home
mkdir ${mntRootVol}/nixos/{boot,home} sudo mkdir ${mntRootVol}/nixos/{boot,home}
${diskUmount} ${diskUmount}
''; '';

13
nix/os/devices/steveej-nuc7pjyh-work/configuration.nix Normal file
View file

@ -0,0 +1,13 @@
{ ... }:
{
imports = [
../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix
../../modules/encryptedDisk.nix
./system.nix
./hw.nix
../../profiles/removable-medium/pkg.nix
];
}

2
nix/os/devices/steveej-rmvbl-sduusb3128g/hw.nix → nix/os/devices/steveej-nuc7pjyh-work/hw.nix
View file

@ -4,6 +4,6 @@
# TASK: new device # TASK: new device
hardware.encryptedDisk = { hardware.encryptedDisk = {
enable = true; enable = true;
diskId = "usb-SanDisk_Ultra_USB_3.0_4C530001280509108321-0:0"; diskId = "ata-KINGSTON_SV100S2128G_08BAB0020855";
}; };
} }

29
nix/os/devices/steveej-nuc7pjyh-work/system.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, lib, ... }:
let
sgx_linuxpackages = let
linux_sgx_pkg = { fetchurl, buildLinux, ... } @ args:
buildLinux (args // rec {
version = "5.4.0-rc3";
modDirVersion = version;
src = fetchurl {
url = "https://github.com/jsakkine-intel/linux-sgx/archive/v23.tar.gz";
sha256 = "11rwlwv7s071ia889dk1dgrxprxiwgi7djhg47vi56dj81jgib20";
};
kernelPatches = [];
extraConfig = ''
INTEL_SGX y
'';
extraMeta.branch = "5.4";
} // (args.argsOverride or {}));
linux_sgx = pkgs.callPackage linux_sgx_pkg{};
in
pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_sgx);
in {
networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
boot.kernelPackages = lib.mkForce sgx_linuxpackages;
}

20
nix/os/devices/steveej-nuc7pjyh-work/versions.nix Normal file
View file

@ -0,0 +1,20 @@
{
channelsNixosStable = {
ref = "nixos-19.09";
rev = "4ad6f1404a8cd69a11f16edba09cc569e5012e42";
};
channelsNixosUnstable = {
ref = "nixos-unstable";
rev = "e89b21504f3e61e535229afa0b121defb52d2a50";
};
nixpkgsMaster = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = "35d99698aecce66f5b6597d3b8efa2b23e120636";
};
homeManagerModule = {
url = "https://github.com/rycee/home-manager";
ref = "master";
rev = "9781f3766de7293a67aa8098edb5dbe367939b36";
};
}

0
nix/os/devices/steveej-rmvbl-sduusb3128g/configuration.nix → nix/os/devices/steveej-rmvbl-sdep0/configuration.nix
View file

9
nix/os/devices/steveej-rmvbl-sdep0/hw.nix Normal file
View file

@ -0,0 +1,9 @@
{ ... }:
{
# TASK: new device
hardware.encryptedDisk = {
enable = true;
diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0";
};
}

5
nix/os/devices/steveej-rmvbl-sdep0/system.nix Normal file
View file

@ -0,0 +1,5 @@
{ ... }:
{
networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname.
}

20
nix/os/devices/steveej-rmvbl-sdep0/versions.nix Normal file
View file

@ -0,0 +1,20 @@
{
channelsNixosStable = {
ref = "nixos-19.09";
rev = "e6d584f6dd22b587d5cdf5019f5e7dd2be370f61";
};
channelsNixosUnstable = {
ref = "nixos-unstable";
rev = "41d921292e922a6cd1aba64259341c244d4c2cc7";
};
nixpkgsMaster = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = "a6934e36534f8a87a78f877eee65c08fa9867ba5";
};
homeManagerModule = {
url = "https://github.com/rycee/home-manager";
ref = "master";
rev = "286dd9b3088298e5a4625b517f8e72b1c62e4f74";
};
}

5
nix/os/devices/steveej-rmvbl-sduusb3128g/system.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
networking.hostName = "steveej-rmvbl-sduusb3128g"; # Define your hostname.
}

10
nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix
View file

@ -1,10 +0,0 @@
{
channelsNixosStable = {
ref = "nixos-18.09";
rev = "c2950341d038995bf46a7b72db961bb3d3e9ac12";
};
channelsNixosUnstable = {
ref = "nixos-unstable";
rev = "eebd1a9263716a04689a37b6537e50801d376b5e";
};
}

1
nix/os/devices/steveej-t480s-work/configuration.nix
View file

@ -15,6 +15,7 @@
./system.nix ./system.nix
./hw.nix ./hw.nix
./pkg.nix ./pkg.nix
./user.nix
../../profiles/podman/configuration.nix ../../profiles/podman/configuration.nix
]; ];

6
nix/os/devices/steveej-t480s-work/system.nix
View file

@ -65,8 +65,12 @@ in {
}; };
virtualbox.host.enable = true; virtualbox.host.enable = true;
virtualbox.host.addNetworkInterface = true; virtualbox.host.addNetworkInterface = true;
docker.enable = true; docker = {
enable = true;
extraOptions = "--experimental";
}; };
};
boot.initrd.network = { boot.initrd.network = {
enable = true; enable = true;

27
nix/os/devices/steveej-t480s-work/user.nix Normal file
View file

@ -0,0 +1,27 @@
{ config
, pkgs
, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix { }) mkUser;
in {
users.extraUsers.steveej2 = mkUser {
uid = 1001;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
subUidRanges = [{ startUid = 200000; count = 100000; }];
subGidRanges = [{ startGid = 200000; count = 100000; }];
};
users.extraUsers.steveej3 = mkUser {
uid = 1002;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
shell = pkgs.posh { image = "quay.io/enarx/fedora"; };
subUidRanges = [{ startUid = 300000; count = 100000; }];
subGidRanges = [{ startGid = 300000; count = 100000; }];
};
}

10
nix/os/devices/steveej-t480s-work/versions.nix
View file

@ -1,20 +1,20 @@
{ {
channelsNixosStable = { channelsNixosStable = {
ref = "nixos-19.03"; ref = "nixos-19.09";
rev = "aef662d2eb532eeb9976068fd1705e3cf3663054"; rev = "e6d584f6dd22b587d5cdf5019f5e7dd2be370f61";
}; };
channelsNixosUnstable = { channelsNixosUnstable = {
ref = "nixos-unstable"; ref = "nixos-unstable";
rev = "73392e79aa62e406683d6a732eb4f4101f4732be"; rev = "41d921292e922a6cd1aba64259341c244d4c2cc7";
}; };
nixpkgsMaster = { nixpkgsMaster = {
url = "https://github.com/NixOS/nixpkgs/"; url = "https://github.com/NixOS/nixpkgs/";
ref = "master"; ref = "master";
rev = "51aa3cc4855c5964a6e71adcf7b79c1a0c23f322"; rev = "a6934e36534f8a87a78f877eee65c08fa9867ba5";
}; };
homeManagerModule = { homeManagerModule = {
url = "https://github.com/rycee/home-manager"; url = "https://github.com/rycee/home-manager";
ref = "master"; ref = "master";
rev = "95382060ebaa19ec49a861921216b1db8460b314"; rev = "286dd9b3088298e5a4625b517f8e72b1c62e4f74";
}; };
} }

3
nix/os/profiles/common/user.nix
View file

@ -11,6 +11,9 @@ in {
users.extraUsers.root = mkRoot { }; users.extraUsers.root = mkRoot { };
users.extraUsers.steveej = mkUser { users.extraUsers.steveej = mkUser {
uid = 1000; uid = 1000;
subUidRanges = [{ startUid = 100000; count = 100000; }];
subGidRanges = [{ startGid = 100000; count = 100000; }];
}; };
security.pam.u2f.enable = true; security.pam.u2f.enable = true;

19
nix/os/profiles/graphical/system.nix
View file

@ -68,19 +68,24 @@
}; };
}; };
services.gvfs.enable = true;
programs.seahorse.enable = true;
programs.gpaste.enable = false;
programs.gnome-terminal.enable = false;
programs.gnome-documents.enable = false;
programs.gnome-disks.enable = false;
services.gnome3 = { services.gnome3 = {
gnome-disks.enable = false; # gnome-online-miners.enable = false; TODO: enable this again
gnome-documents.enable = false; games.enable = false;
gnome-online-miners.enable = false; gnome-remote-desktop.enable = false;
gnome-user-share.enable = false; gnome-user-share.enable = false;
gnome-terminal-server.enable = false; rygel.enable = false;
gpaste.enable = false;
sushi.enable = false; sushi.enable = false;
tracker.enable = false; tracker.enable = false;
tracker-miners.enable = false;
# FIXME: gnome should be moved to user session # FIXME: gnome should be moved to user session
seahorse.enable = true;
gvfs.enable = true;
at-spi2-core.enable = true; at-spi2-core.enable = true;
evolution-data-server.enable = true; evolution-data-server.enable = true;
gnome-online-accounts.enable = true; gnome-online-accounts.enable = true;

7
nix/os/profiles/podman/configuration.nix
View file

@ -177,11 +177,4 @@
"${pkgs.runc}/bin/runc" "${pkgs.runc}/bin/runc"
] ]
''; '';
environment.etc."subuid".text = ''
steveej:10000:65536
'';
environment.etc."subgid".text = ''
steveej:10000:65536
'';
} }

43
nix/overlay.nix
View file

@ -23,15 +23,9 @@ in {
''; '';
}; };
podman = nixpkgs-master.podman;
conmon = nixpkgs-master.conmon;
duplicacy = super.callPackage ./pkgs/duplicacy {}; duplicacy = super.callPackage ./pkgs/duplicacy {};
just = super.callPackage ./pkgs/just.nix {}; just = super.callPackage ./pkgs/just.nix {};
mfcl3770cdw = super.callPackage ./pkgs/mfcl3770cdw.nix {}; mfcl3770cdw = super.callPackage ./pkgs/mfcl3770cdw.nix {};
slirp4netns = super.callPackage ./pkgs/slirp4netns.nix {};
staruml = super.callPackage ./pkgs/staruml.nix { inherit (super.gnome2) GConf; libgcrypt = super.libgcrypt_1_5; }; staruml = super.callPackage ./pkgs/staruml.nix { inherit (super.gnome2) GConf; libgcrypt = super.libgcrypt_1_5; };
roxterm = super.stdenv.mkDerivation { roxterm = super.stdenv.mkDerivation {
@ -71,4 +65,41 @@ in {
}); });
rdedup = super.callPackages ./pkgs/rdedup {}; rdedup = super.callPackages ./pkgs/rdedup {};
# TODO: facetimehd is currfently broken (https://github.com/NixOS/nixpkgs/pull/72804)
facetimehd-firmware = super.hello;
qtile = nixpkgs-master.qtile;
inherit (nixpkgs-master) podman conmon slirp4netns;
# posh makes use of podman to run an encapsulated shell session
posh = { image, pull ? "always", global_args ? "", run_args ? "" }:
(super.writeScriptBin "posh" ''
#! ${super.bash}/bin/bash
source /etc/profile
test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK"
tty -s && tty="-t" || quiet="-q"
# define these as variables so we can override them at runtime
POSH_IMAGE=${image}
POSH_PULL=${pull}
if [ "$1" == "-c" ]; then
# We've most likely been spawned by sshd and are interested in $2 whitch contains the command string
shift
# TODO parse the beginning of the command for POSH_* overrides
fi
exec ${self.podman}/bin/podman \
${global_args} run --rm -i $tty $ssh -v ~/:/root -w /root --network host --pull=''${POSH_PULL} \
${run_args} ''${POSH_IMAGE} $@
'')
.overrideAttrs(attrs: attrs // {
passthru = {
shellPath = "/bin/posh";
};
});
} }

10
nix/variables/versions.nix
View file

@ -1,20 +1,20 @@
{ {
channelsNixosStable = { channelsNixosStable = {
ref = "nixos-19.03"; ref = "nixos-19.09";
rev = "3a4ffdd38b56801ce616aa08791121d36769e884"; rev = "c5aabb0d603e2c1ea05f5a93b3be82437f5ebf31";
}; };
channelsNixosUnstable = { channelsNixosUnstable = {
ref = "nixos-unstable"; ref = "nixos-unstable";
rev = "07b42ccf2de451342982b550657636d891c4ba35"; rev = "7827d3f4497ed722fedca57fd4d5ca1a65c38256";
}; };
nixpkgsMaster = { nixpkgsMaster = {
url = "https://github.com/NixOS/nixpkgs/"; url = "https://github.com/NixOS/nixpkgs/";
ref = "master"; ref = "master";
rev = "d8c7f0bd3f42bc9e687b12ce7f0a4ef747f27933"; rev = "abe853b84c58ddbb7c5c07e80090d47480d56c11";
}; };
homeManagerModule = { homeManagerModule = {
url = "https://github.com/rycee/home-manager"; url = "https://github.com/rycee/home-manager";
ref = "master"; ref = "master";
rev = "03162970cd6dadfac58f169cd50aed5a5aeec14f"; rev = "450571056552c9311fcb2894328696b535265593";
}; };
} }

4
nix/variables/versions.tmpl.nix
View file

@ -1,7 +1,7 @@
{ {
channelsNixosStable = { channelsNixosStable = {
ref = "nixos-19.03"; ref = "nixos-19.09";
rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-19.03 | awk '{ print $1 }' | tr -d '\n' -%>"; rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-19.09 | awk '{ print $1 }' | tr -d '\n' -%>";
}; };
channelsNixosUnstable = { channelsNixosUnstable = {
ref = "nixos-unstable"; ref = "nixos-unstable";

4
shell.nix
View file

@ -22,10 +22,6 @@ stdenv.mkDerivation {
esh esh
xorg.xwininfo xorg.xwininfo
# testing
alacritty
]; ];
# Set Environment Variables # Set Environment Variables