From 80cb343f2a410ff21f5aac32fe55b362fb22fe4e Mon Sep 17 00:00:00 2001 From: Marcos Benevides Date: Mon, 25 Nov 2024 22:20:53 -0300 Subject: [PATCH] close #12 --- README.org | 2 ++ configuration.nix | 3 +++ flake.lock | 8 ++++---- flake.nix | 36 +++++++++++++++++++++--------------- modules/disko.nix | 39 +++++++++++++++++++++++++++++++++++++++ modules/extras.nix | 35 ----------------------------------- modules/networking.nix | 37 +++++++++++++++++++++++++++++++++++++ 7 files changed, 106 insertions(+), 54 deletions(-) create mode 100644 modules/disko.nix create mode 100644 modules/networking.nix diff --git a/README.org b/README.org index 41fb3c1..b0c79d3 100644 --- a/README.org +++ b/README.org @@ -51,3 +51,5 @@ deploys can be done in pure Nix. + The Terraform-based bootstrap is a modification from the great setup found in the [[https://github.com/Gabriella439/nixos-in-production][NixOS in Production]] book. ++ Many thanks to @Misterio77 for [[https://jaxy.discourse.group/t/criando-um-servidor-de-factorio-100-declarativo-com-nixos-e-terraform/48][figuring it out]] how to run this on Magalu cloud. + diff --git a/configuration.nix b/configuration.nix index dba8f42..2f0ee0f 100644 --- a/configuration.nix +++ b/configuration.nix @@ -11,4 +11,7 @@ size = 8 * 1024; } ]; + + # Don't change this! + system.stateVersion = "24.05"; } diff --git a/flake.lock b/flake.lock index fe26456..fdc17c2 100644 --- a/flake.lock +++ b/flake.lock @@ -628,16 +628,16 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1717179513, - "narHash": "sha256-vboIEwIQojofItm2xGCdZCzW96U85l9nDW3ifMuAIdM=", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "63dacb46bf939521bdc93981b4cbb7ecb58427a0", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { "owner": "NixOS", - "ref": "24.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
diff --git a/flake.nix b/flake.nix index 7e7bbb5..4690bfc 100644 --- a/flake.nix +++ b/flake.nix @@ -14,7 +14,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nixpkgs.url = "github:NixOS/nixpkgs/24.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; }; outputs = @@ -35,6 +35,21 @@ config.allowUnfree = true; }; + # Modules + bootstrap = [ + ./modules/extras.nix + ./modules/networking.nix + ./modules/users.nix + ]; + + cloud = [ + ./configuration.nix + ./modules/nginx.nix + ./modules/postgres.nix + ./modules/secrets.nix + ] ++ bootstrap; + + # Qemu Setup machine = nixpkgs.lib.nixosSystem { system = builtins.replaceStrings [ "darwin" ] [ "linux" ] system; @@ -43,6 +58,7 @@ ./modules/qemu.nix ./modules/erlang.nix ./modules/extras.nix + ./modules/networking.nix ./modules/nginx.nix ./modules/postgres.nix ./modules/users.nix @@ -73,11 +89,7 @@ # it contains the bare minimum for us to log in there with ssh bootstrap = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - modules = [ - ./configuration.nix - ./modules/extras.nix - ./modules/users.nix - ]; + modules = bootstrap ++ [ disko.nixosModules.disko ]; specialArgs = { inherit pkgs; }; @@ -87,15 +99,9 @@ # this configuration here. nekoma = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - modules = [ + modules = cloud ++ [ agenix.nixosModules.default - ./configuration.nix - ./modules/erlang.nix - ./modules/extras.nix - ./modules/nginx.nix - ./modules/postgres.nix - ./modules/users.nix - ./modules/secrets.nix + disko.nixosModules.disko ]; specialArgs = { inherit pkgs agenix; @@ -126,7 +132,7 @@ just ]; - languages.terraform = { + languages.opentofu = { enable = true; }; diff --git a/modules/disko.nix b/modules/disko.nix new file mode 100644 index 0000000..5345131 --- /dev/null +++ b/modules/disko.nix 
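Review bot: Moving the `nixpkgs.url` input from the `24.05` release branch to `nixos-unstable` changes what every future `nix flake update` pulls onto the cloud host: the stable branch only receives backports, while unstable carries unreviewed package and module changes that can break a deploy or alter defaults such as sshd and firewall settings. The lock file keeps individual builds reproducible, so this is a policy choice rather than a bug, but it deserves a comment on the line, e.g. `# tracking unstable deliberately (see #12); pin back to a release branch for the production host if churn becomes a problem`. Leaving `system.stateVersion = "24.05"` untouched in configuration.nix is correct and should stay that way.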
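Review bot: The new `bootstrap` list omits `./configuration.nix`, which the old bootstrap module list further down in this file still carried, so the bootstrap system loses the `system.stateVersion` this very commit moves into that file (NixOS evaluates with a missing-stateVersion warning and, on later upgrades, may apply new defaults to a host that was installed under 24.05) and also loses the list entry with `size = 8 * 1024` (presumably a swap device, the attribute name is outside the hunk). If the split is deliberate, put `system.stateVersion = "24.05";` in a module every host imports, for example `./modules/extras.nix`, rather than only in `cloud`. A one-line comment over the two lists, `# bootstrap: minimal ssh-reachable install image; cloud: the full nekoma host`, would make the intended split clear to the next reader.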
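Review bot: The `nekoma` system silently loses `./modules/erlang.nix`: it was in the old `nekoma` module list removed here, and the new `cloud` list does not include it, while the QEMU `machine` in the earlier hunk still imports it. Nothing in the commit message ties dropping Erlang on the cloud host to closing #12, so this reads as an accidental behaviour change introduced by the refactor into shared lists. If it is intended, a comment on the `cloud` list (`# erlang is only needed on the qemu dev machine`) would save a future bisect; if not, `./modules/erlang.nix` belongs in `cloud` (not in `bootstrap`, which is meant to stay minimal per the comment above it).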
@@ -0,0 +1,39 @@ +{modulesPath, ...}: { + imports = [(modulesPath + "/profiles/qemu-guest.nix")]; + + boot = { + initrd.availableKernelModules = ["ata_piix" "uhci_hcd"]; + kernelModules = ["kvm-intel"]; + }; + + disko.devices.disk.main = { + device = "/dev/vda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; + }; + esp = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; +} diff --git a/modules/extras.nix b/modules/extras.nix index ffd1784..c6ff18e 100644 --- a/modules/extras.nix +++ b/modules/extras.nix @@ -4,7 +4,6 @@ documentation.enable = false; environment.systemPackages = with pkgs; [ - lsof docker-compose ]; @@ -17,23 +16,6 @@ }; }; - # Networking - networking.firewall.allowedTCPPorts = [ 22 80 443 ]; - networking.hostName = "trashcan"; - - services.fail2ban = { - enable = true; - maxretry = 5; - bantime = "1h"; - bantime-increment = { - multipliers = "1 2 4 8 16 32 64"; - # Do not ban for more than 1 week - maxtime = "168h"; - # Calculate the bantime based on all the violations - overalljails = true; - }; - }; - # Nix configuration nix.settings.trusted-users = ["@wheel"]; nix = { @@ -49,27 +31,10 @@ }; }; - services.openssh = { - enable = true; - ports = [ 22 ]; - settings = { - PasswordAuthentication = false; - AllowUsers = [ "deploy" "benevides" "kanagawa" "lemos" "magueta" "marinho" ]; - X11Forwarding = false; - # "yes", "without-password", "prohibit-password", "forced-commands-only", "no" - PermitRootLogin = "prohibit-password"; - }; - }; - # Magueta wants this - programs.mosh.enable = true; - # Extra stuff programs.neovim = { enable = true; viAlias = true; vimAlias = true; }; - - # Don't change this! - system.stateVersion = "24.05"; } 
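Review bot: Nothing in this patch imports `./modules/disko.nix`: the `bootstrap` and `cloud` lists in flake.nix only add `disko.nixosModules.disko`, so the `disko.devices.disk.main` layout declared here is never evaluated, disko has no disk to partition and generates no `fileSystems`/`boot` entries, and the install would fail or fall back to whatever the installer side supplies — unless the file is injected by the Terraform/nixos-anywhere invocation, which this diff does not show. Adding `./modules/disko.nix` to the `bootstrap` list (so `cloud` inherits it) fixes this in one line. Separately, `device = "/dev/vda"` is reasonable for the QEMU guest profile this file imports, but it is the only identifier the formatter will trust; a comment such as `# /dev/vda is the sole virtio disk on the Magalu VM — revisit if a second volume is attached` would record the assumption, or a `/dev/disk/by-id/...` path would remove it.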
diff --git a/modules/networking.nix b/modules/networking.nix
new file mode 100644
index 0000000..26fd2de
--- /dev/null
+++ b/modules/networking.nix
@@ -0,0 +1,37 @@
+{ pkgs, ... }:
+
+{
+ documentation.enable = false;
+
+ environment.systemPackages = with pkgs; [
+ lsof
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+ networking.hostName = "trashcan";
+
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "1h";
+ bantime-increment = {
+ multipliers = "1 2 4 8 16 32 64";
+ # Do not ban for more than 1 week
+ maxtime = "168h";
+ # Calculate the bantime based on all the violations
+ overalljails = true;
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ ports = [ 22 ];
+ settings = {
+ PasswordAuthentication = false;
+ AllowUsers = [ "deploy" "benevides" "kanagawa" "lemos" "magueta" "marinho" ];
+ X11Forwarding = false;
+ # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+}
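Review bot: `AllowUsers` in `services.openssh.settings` does not list `root`, and sshd applies AllowUsers before PermitRootLogin, so root cannot log in at all and the `PermitRootLogin = "prohibit-password"` line below it is dead configuration; either state the intent with `PermitRootLogin = "no";`, or, if the disko/nixos-anywhere bootstrap needs to ssh in as root (it does by default), add `"root"` to `AllowUsers` and keep `prohibit-password`. The move from extras.nix also drops `programs.mosh.enable = true` and its "Magueta wants this" comment without re-adding it here, which looks accidental; if it is still wanted it belongs in this module next to the firewall settings since it opens UDP ports. Because `bootstrap`, `cloud` and the QEMU `machine` all import this file, every host built from the flake now gets `networking.hostName = "trashcan"`, so the name should move to a per-host module or be set with `lib.mkDefault` so nekoma can override it. `documentation.enable = false;` is also still set in extras.nix, so one of the two copies can go.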