From c6c77c6b0a2eb0e7af4a57a06f71d13e7fa700b1 Mon Sep 17 00:00:00 2001
From: Benoit Donneaux
Date: Wed, 29 Jan 2025 12:19:26 +0100
Subject: [PATCH 1/2] Define the initial NixOS configuration of webforge in a flake
Signed-off-by: Benoit Donneaux
---
 flake.lock | 30 ++++++++++++++++
 flake.nix | 23 ++++++++++++
 nix/hosts/webforge/configuration.nix | 16 +++++++++
 nix/hosts/webforge/hardware-configuration.nix | 8 +++++
 nix/hosts/webforge/networking.nix | 35 +++++++++++++++++++
 5 files changed, 112 insertions(+)
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 nix/hosts/webforge/configuration.nix
 create mode 100644 nix/hosts/webforge/hardware-configuration.nix
 create mode 100644 nix/hosts/webforge/networking.nix
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..20c0c2f
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,30 @@
+{
+ "nodes": {
+ "nixpkgs-24_11": {
+ "locked": {
+ "lastModified": 1738112643,
+ "narHash": "sha256-Y09D3YAi8iIVm3V6S0Y4jjr5DP8a9heXq1056D8IIP4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "95568291fa92a2807b3669cc576ab0592e2293b9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-24.11-small",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs-24_11"
+ ],
+ "nixpkgs-24_11": "nixpkgs-24_11"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..db7e596
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,23 @@
+{
+ inputs = {
+ # The nixpkgs channels we want to consume
+ nixpkgs-24_11.url = "github:NixOS/nixpkgs/nixos-24.11-small";
+
+ # Some links to the above channels for consistent naming in outputs
+ nixpkgs.follows = "nixpkgs-24_11";
+ };
+ outputs = { self, nixpkgs, ... }@attrs: {
+ # Generate an attrset of nixosConfigurations based on their system name
+ nixosConfigurations = nixpkgs.lib.attrsets.genAttrs [
+ "webforge"
+ ] (sysname: nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = attrs;
+ modules = [
+ { system.name = sysname; }
+ ./nix/hosts/${sysname}/configuration.nix
+ ];
+ }
+ );
+ };
+}
diff --git a/nix/hosts/webforge/configuration.nix b/nix/hosts/webforge/configuration.nix
new file mode 100644
index 0000000..a7e6548
--- /dev/null
+++ b/nix/hosts/webforge/configuration.nix
@@ -0,0 +1,16 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./networking.nix # generated at runtime by nixos-infect
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+ networking.hostName = "webforge";
+ networking.domain = "";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlPneIaRT/mqu13N83ctEftub4O6zAfi6qgzZKerU5o florian@leastauthority.com"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZtWY7t8HVnaz6bluYsrAlzZC3MZtb8g0nO5L5fCQKR benoit@leastauthority.com" ];
+ system.stateVersion = "23.11";
+}
diff --git a/nix/hosts/webforge/hardware-configuration.nix b/nix/hosts/webforge/hardware-configuration.nix
new file mode 100644
index 0000000..6679bdf
--- /dev/null
+++ b/nix/hosts/webforge/hardware-configuration.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
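Review bot: `system = "x86_64-linux";` is hard-coded inside the `genAttrs` callback while everything else is derived from `sysname`, so a future host of another architecture would silently be built for the wrong platform; the per-host hardware-configuration.nix is the natural place for it, as `nixpkgs.hostPlatform = "x86_64-linux";`, which `nixosSystem` on 24.11 should accept in place of the `system` argument (worth confirming against the pinned nixpkgs). `sysname` and the comment's "system name" are easy to confuse with the `system` platform attribute two lines below; `hostname` would be unambiguous, and the comment `# Some links to the above channels for consistent naming in outputs` reads more plainly as `# Aliases so outputs refer to a stable name regardless of the pinned channel`. `nixpkgs.lib.attrsets.genAttrs` is also exported as `nixpkgs.lib.genAttrs`, the form most flakes use.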
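Review bot: `services.openssh.enable = true;` is the only SSH setting on a host whose sole account is root with two authorized keys, which leaves password and keyboard-interactive authentication at the sshd defaults; since every intended login is key-based, state that explicitly next to it with `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`. The import comment `# generated at runtime by nixos-infect` no longer holds once networking.nix is committed by this same patch, and the header of networking.nix (`# This file was populated at runtime …`) has the same problem; `# originally generated by nixos-infect, now tracked in git` would be accurate for both. `system.stateVersion = "23.11";` next to a 24.11 nixpkgs input will raise the question of whether it should be bumped; a one-line comment noting that it records the release the host was installed with and is intentionally left unchanged would save the next reader that detour.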
diff --git a/nix/hosts/webforge/networking.nix b/nix/hosts/webforge/networking.nix
new file mode 100644
index 0000000..3e7ff0f
--- /dev/null
+++ b/nix/hosts/webforge/networking.nix
@@ -0,0 +1,35 @@
+{ lib, ... }: {
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers = [
+ "2a01:4ff:ff00::add:2"
+ "2a01:4ff:ff00::add:1"
+ "185.12.64.1"
+ "185.12.64.2"
+ ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ { address="135.181.155.146"; prefixLength=32; }
+ ];
+ ipv6.addresses = [
+ { address="2a01:4f9:c011:b882::1"; prefixLength=64; }
+ { address="fe80::9400:4ff:fe03:57eb"; prefixLength=64; }
+ ];
+ ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
+ ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
+ };
+ };
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:04:03:57:eb", NAME="eth0"
+ '';
+}
From 5bd6222ca37eae4f751af7502d6f9640200dcdf2 Mon Sep 17 00:00:00 2001
From: Benoit Donneaux
Date: Mon, 27 Jan 2025 11:17:19 +0100
Subject: [PATCH 2/2] Implement a Countinuous Integration workflow for Nix
Signed-off-by: Benoit Donneaux
---
 .github/workflows/nix.yml | 99 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 .github/workflows/nix.yml
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
new file mode 100644
index 0000000..0850c11
--- /dev/null
+++ b/.github/workflows/nix.yml
@@ -0,0 +1,99 @@
+name: Nix
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - '.github/workflows/nix.yml'
+ - 'nix/**'
+ - 'flake.*'
+ pull_request:
+ paths:
+ - '.github/workflows/nix.yml'
+ - 'nix/**'
+ - 'flake.*'
+
+jobs:
+ check:
+ name: Check
+ runs-on: ubuntu-24.04
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.matrix }}
+ steps:
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ id: install_nix
+ uses: nixbuild/nix-quick-install-action@v28
+
+ - name: Check Nix Flake
+ id: check
+ run: |
+ nix flake show
+ nix flake check
+
+ - name: Set matrix
+ id: set-matrix
+ run: |
+ # Extract targets from the flake
+ IFS=","
+ target_arr=( $(nix eval --json --apply 'builtins.attrNames' .#nixosConfigurations | sed -r -e 's/\[([^\[]+)\]/\1/' -e 's/"//g') )
+ index=0
+ size=${#target_arr[@]}
+ output="matrix={\"include\":["
+ IFS=" "
+ for target in ${target_arr[@]}; do
+ output+="{\"target\":\"${target}\","
+ output+="\"hostname\":$(nix eval .#nixosConfigurations.${target}.config.networking.hostName),"
+ output+="\"domain\":$(nix eval .#nixosConfigurations.${target}.config.networking.domain)}"
+ if [[ $((index++)) -lt $((size -1)) ]]; then
+ output+=","
+ fi
+ done
+ output+="]}"
+ echo $output
+ echo $output >> $GITHUB_OUTPUT
+
+ build:
+ name: Build
+ runs-on: ubuntu-22.04
+ if: github.event_name == 'pull_request'
+ needs: check
+ strategy:
+ fail-fast: false
+ matrix: ${{fromJson(needs.check.outputs.matrix)}}
+ steps:
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ id: install_nix
+ uses: nixbuild/nix-quick-install-action@v28
+
+ - name: Restore and cache Nix store ${{ matrix.target }}
+ uses: nix-community/cache-nix-action@v5
+ with:
+ # restore and save a cache using this key
+ primary-key: ${{ runner.os }}-Nix-${{ matrix.target }}-${{ hashFiles('flake.*', 'nix/common/*.nix', 'nix/modules/**.nix', format('nix/hosts/{0}/*.nix', matrix.target)) }}
+ # if there's no cache hit, restore a 
cache by this prefix
+ restore-prefixes-first-match: ${{ runner.os }}-Nix-${{ matrix.target }}-
+ # collect garbage until Nix store size (in bytes) is at most this number
+ # before trying to save a new cache
+ gc-max-store-size-linux: 1073741824
+ # do purge caches
+ purge: true
+ # purge all versions of the cache
+ purge-prefixes: ${{ runner.os }}-Nix-${{ matrix.target }}-
+ # created more than 0 seconds ago relative to the start of the `Post Restore` phase
+ purge-created: 0
+ # except the version with the `primary-key`, if it exists
+ purge-primary-key: never
+
+ - name: Build nixosConfiguration for ${{ matrix.target }}
+ id: check_target
+ run: |
+ nix build .#nixosConfigurations.${{ matrix.target }}.config.system.build.toplevel
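Review bot: The `Set matrix` step assembles the matrix JSON by string concatenation in bash — `sed` strips the quotes from the `nix eval --json` output, the quoted `hostName`/`domain` results are spliced in verbatim, a manual `index` counter places the commas, and `echo $output >> $GITHUB_OUTPUT` is unquoted — so any target name or hostname containing whitespace or a quote yields broken JSON or a broken output line; the whole matrix can instead be produced by one `nix eval --json --apply` expression, which serializes the strings correctly (rewrite below). Two supply-chain points in the same hunk: the three actions are pinned to mutable tags (`actions/checkout@v4`, `nixbuild/nix-quick-install-action@v28`, `nix-community/cache-nix-action@v5`) rather than full commit SHAs with the version in a trailing comment, and the workflow has no `permissions:` block, so its `GITHUB_TOKEN` inherits the repository default instead of the explicit `permissions: contents: read` that these read-only jobs need. Smaller points: `hostname` and `domain` are computed into the matrix but never read by the `build` job, the build step's id `check_target` reads like a check rather than a build, and the two jobs run on different runner images (`ubuntu-24.04` vs `ubuntu-22.04`) for no visible reason.
```yaml
# … unchanged: triggers, Checkout, Install Nix and Check Nix Flake steps …
      - name: Set matrix
        id: set-matrix
        run: |
          # Let Nix build and JSON-encode the whole matrix; no shell quoting of names needed
          matrix="$(nix eval --json --apply 'cfgs: {
            include = map (target: {
              inherit target;
              hostname = cfgs.${target}.config.networking.hostName;
              domain = cfgs.${target}.config.networking.domain;
            }) (builtins.attrNames cfgs);
          }' .#nixosConfigurations)"
          echo "$matrix"
          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
# … unchanged: build job …
```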