diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
deleted file mode 100644
index fbe9d0f..0000000
--- a/.terraform.lock.hcl
+++ /dev/null
@@ -1,101 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.72.1" - constraints = "~> 5.72" - hashes = [ - "h1:BkYfMmqLJIqLkLLz9sDRWJR5+7GCXTocNPN4pIHkhQo=", - "zh:0dea6843836e926d33469b48b948744079023816d16a2ff7666bcfb6aa3522d4", - "zh:195fa9513f75800a0d62797ebec75ee73e9b8c28d713fe9b63d3b1d1eec129b3", - "zh:1ed92f3961715bf0e024bcde3c12dfbdc50b00c1f8a43cc00802cfc45a256208", - "zh:2ac687e3a52606466cae4a6813e81d923042488df88d2424e28d3f8530f091bb", - "zh:32e7ca75f9314557daada3c44628fe1f3bf964a4f833bfb4b2295d833fe64b6f", - "zh:374ee0e6b4327cc6ef666908ce5d6450a3a56e90cd2b785e83c2bcfc100021d2", - "zh:5500fd6fdac44f96411fcf9c6d01691159ec35455ed127eb4c3a498e1cc92a64", - "zh:723a2dc4b064c12e7ee62ad4fbfd72fa5e025206ea47b735994ef53f3c373152", - "zh:89d97b87605f1d734f27e642567cbecf785b521af8ea81dac55c77ccde876221", - "zh:951ee1e5731e8d65d521d71b95927e55055b3c4656eef6d46fa580a63328befc", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9b2b362470b64ec227b2da64762ab8bc4111c6b80365fd9d82fc5e1e33f44038", - "zh:aa6e57d0cb974ff0da5dee5d43ad2745cbbc4a2b507d4c799839b9fa96daf688", - "zh:ba0d14c4a6b7aa844a830d47c0bf995b632e37f0795394b5b60c638b62b7fc03", - "zh:c9764065a9c5d324db0b02bd201b9e3a2118e49c4960884acdeea377173302e9", - ] -} - -provider "registry.terraform.io/hashicorp/external" { - version = "2.3.4" - hashes = [ - "h1:XWkRZOLKMjci9/JAtE8X8fWOt7A4u+9mgXSUjc4Wuyo=", - "zh:037fd82cd86227359bc010672cd174235e2d337601d4686f526d0f53c87447cb", - "zh:0ea1db63d6173d01f2fa8eb8989f0809a55135a0d8d424b08ba5dabad73095fa", - "zh:17a4d0a306566f2e45778fbac48744b6fd9c958aaa359e79f144c6358cb93af0", - "zh:298e5408ab17fd2e90d2cd6d406c6d02344fe610de5b7dae943a58b958e76691", - "zh:38ecfd29ee0785fd93164812dcbe0664ebbe5417473f3b2658087ca5a0286ecb", - "zh:59f6a6f31acf66f4ea3667a555a70eba5d406c6e6d93c2c641b81d63261eeace", - 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:ad0279dfd09d713db0c18469f585e58d04748ca72d9ada83883492e0dd13bd58", - "zh:c69f66fd21f5e2c8ecf7ca68d9091c40f19ad913aef21e3ce23836e91b8cbb5f", - "zh:d4a56f8c48aa86fc8e0c233d56850f5783f322d6336f3bf1916e293246b6b5d4", - "zh:f2b394ebd4af33f343835517e80fc876f79361f4688220833bc3c77655dd2202", - "zh:f31982f29f12834e5d21e010856eddd19d59cd8f449adf470655bfd19354377e", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.5.2" - hashes = [ - "h1:JlMZD6nYqJ8sSrFfEAH0Vk/SL8WLZRmFaMUF9PJK5wM=", - "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", - "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", - "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", - "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", - "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", - "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", - "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", - "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", - "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", - "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.3" - hashes = [ - "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", - "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", - "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", - "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", - "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", - "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", - 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", - "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", - "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", - "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", - "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", - "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.6" - hashes = [ - "h1:dYSb3V94K5dDMtrBRLPzBpkMTPn+3cXZ/kIJdtFL+2M=", - "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", - "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", - "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", - "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", - "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", - "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", - "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", - "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", - "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", - "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", - "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/README.org b/README.org index 41fb3c1..b0c79d3 100644 --- a/README.org +++ b/README.org 
@@ -51,3 +51,5 @@ deploys can be done in pure Nix. + The Terraform-based bootstrap is a modification from the great setup found in the [[https://github.com/Gabriella439/nixos-in-production][NixOS in Production]] book. ++ Many thanks to @Misterio77 for [[https://jaxy.discourse.group/t/criando-um-servidor-de-factorio-100-declarativo-com-nixos-e-terraform/48][figuring it out]] how to run this on Magalu cloud. + diff --git a/configuration.nix b/configuration.nix index dba8f42..1901155 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,14 +1,29 @@ -{ modulesPath, ... }: +{ modulesPath, pkgs, ... }: { - imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ]; + imports = [ + ./hardware-configuration.nix + ]; - zramSwap.enable = true; + # Nix configuration + nix.settings.trusted-users = ["@wheel"]; + nix = { + package = pkgs.nixVersions.stable; + extraOptions = '' + experimental-features = nix-command flakes + ''; + # Clean up /nix/store/ after a week + gc = { + automatic = true; + dates = "weekly UTC"; + options = "--delete-older-than 7d"; + }; + }; + nixpkgs = { + hostPlatform = "x86_64-linux"; + config.allowUnfree = true; + }; - swapDevices = [ - { - device = "/swapfile"; - size = 8 * 1024; - } - ]; + # Don't change this! + system.stateVersion = "24.11"; } diff --git a/flake.lock b/flake.lock index fe26456..fea4b6a 100644 --- a/flake.lock +++ b/flake.lock 
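Review bot: `nix.settings.trusted-users = ["@wheel"];` turns every member of wheel into a Nix trusted user, which lets them hand the daemon arbitrary substituters and signing keys and relax sandbox settings, so it is close to root-equivalent control of the store for the whole group rather than for one deploy account. This file is pulled into the `cloud` module list in flake.nix, i.e. the internet-facing host whose security group admits SSH from 0.0.0.0/0, so any wheel account's compromise is the machine's. Prefer naming the single account that runs deployments, `nix.settings.trusted-users = ["root" "<deploy-user>"];`, or keep the group and justify it in a comment above the line, e.g. `# Every wheel member may push closures and set substituters; intended, see modules/users.nix`.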
@@ -1,203 +1,53 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "systems": "systems" - }, - "locked": { - "lastModified": 1723293904, - "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", - "owner": "ryantm", - "repo": "agenix", - "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "cachix": { "inputs": { - "devenv": "devenv_2", - "flake-compat": [ - "devenv", - "flake-compat" - ], - "git-hooks": [ - "devenv", - "pre-commit-hooks" + "devenv": [ + "devenv" ], - "nixpkgs": [ - "devenv", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1726520618, - "narHash": "sha256-jOsaBmJ/EtX5t/vbylCdS7pWYcKGmWOKg4QKUzKr6dA=", - "owner": "cachix", - "repo": "cachix", - "rev": "695525f9086542dfb09fde0871dbf4174abbf634", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "cachix", - "type": "github" - } - }, - "cachix_2": { - "inputs": { - "devenv": "devenv_3", "flake-compat": [ - "devenv", - "cachix", - "devenv", - "flake-compat" + "devenv" ], - "nixpkgs": [ - "devenv", - "cachix", - "devenv", - "nixpkgs" + "git-hooks": [ + "devenv" ], - "pre-commit-hooks": [ - "devenv", - "cachix", - "devenv", - "pre-commit-hooks" - ] + "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1712055811, - "narHash": "sha256-7FcfMm5A/f02yyzuavJe06zLa9hcMHsagE28ADcmQvk=", + "lastModified": 1728672398, + "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=", "owner": "cachix", "repo": "cachix", - "rev": "02e38da89851ec7fec3356a5c04bc8349cae0e30", + "rev": "aac51f698309fd0f381149214b7eee213c66ef0a", "type": "github" }, "original": { "owner": "cachix", + "ref": "latest", "repo": "cachix", "type": "github" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1700795494, - "narHash": 
"sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "devenv": { "inputs": { "cachix": "cachix", - "flake-compat": "flake-compat_2", - "nix": "nix_3", - "nixpkgs": [ - "nixpkgs" - ], - "pre-commit-hooks": "pre-commit-hooks_2" - }, - "locked": { - "lastModified": 1729681848, - "narHash": "sha256-9PKexVMEAyElpL1mB9iZShnZjWvCTfsm8pDbVQDAIRA=", - "owner": "cachix", - "repo": "devenv", - "rev": "2634c4c9e9226a3fb54550ad4115df1992d502c5", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "devenv", - "type": "github" - } - }, - "devenv_2": { - "inputs": { - "cachix": "cachix_2", - "flake-compat": [ - "devenv", - "cachix", - "flake-compat" - ], - "nix": "nix_2", + "flake-compat": "flake-compat", + "git-hooks": "git-hooks", + "nix": "nix", "nixpkgs": [ - "devenv", - "cachix", "nixpkgs" - ], - "pre-commit-hooks": [ - "devenv", - "cachix", - "git-hooks" - ] - }, - "locked": { - "lastModified": 1723156315, - "narHash": "sha256-0JrfahRMJ37Rf1i0iOOn+8Z4CLvbcGNwa2ChOAVrp/8=", - "owner": "cachix", - "repo": "devenv", - "rev": "ff5eb4f2accbcda963af67f1a1159e3f6c7f5f91", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "devenv", - "type": "github" - } - }, - "devenv_3": { - "inputs": { - "flake-compat": [ - "devenv", - "cachix", - "devenv", - "cachix", - "flake-compat" - ], - "nix": "nix", - "nixpkgs": "nixpkgs_2", - "poetry2nix": "poetry2nix", - "pre-commit-hooks": [ - "devenv", - "cachix", - "devenv", - "cachix", - "pre-commit-hooks" ] }, "locked": { - "lastModified": 1708704632, - "narHash": "sha256-w+dOIW60FKMaHI1q5714CSibk99JfYxm0CzTinYWr+Q=", + "lastModified": 1732585607, + "narHash": "sha256-6ffeaSMuaL326f7KrCeScpSJtdHsFKS9gPrsSZkndvU=", "owner": "cachix", "repo": "devenv", - "rev": 
"2ee4450b0f4b95a1b90f2eb5ffea98b90e48c196", + "rev": "a520f05c40ebecaf5e17064b27e28ba8e70c49fb", "type": "github" }, "original": { "owner": "cachix", - "ref": "python-rewrite", "repo": "devenv", "type": "github" } @@ -209,11 +59,11 @@ ] }, "locked": { - "lastModified": 1728673344, - "narHash": "sha256-O0QVhsj9I/hmcIqJ4qCqFyzvjYL+dtzJP0C5MFd8O/Y=", + "lastModified": 1730135292, + "narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=", "owner": "nix-community", "repo": "disko", - "rev": "ff0a471763faaaca1859fd6de80f44fa0fce91a6", + "rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5", "type": "github" }, "original": { @@ -224,22 +74,6 @@ } }, "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { "flake": false, "locked": { "lastModified": 1696426674, @@ -278,39 +112,6 @@ } }, "flake-utils": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { "locked": { "lastModified": 1652776076, "narHash": "sha256-gzTw/v1vj4dOVbpBSJX4J0DwUR6LIyXo7/SuuTJp1kM=", 
@@ -326,46 +127,53 @@ "type": "github" } }, - "gitignore": { + "git-hooks": { "inputs": { + "flake-compat": [ + "devenv" + ], + "gitignore": "gitignore", "nixpkgs": [ "devenv", - "pre-commit-hooks", "nixpkgs" + ], + "nixpkgs-stable": [ + "devenv" ] }, "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "lastModified": 1730302582, + "narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf", "type": "github" }, "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", + "owner": "cachix", + "repo": "git-hooks.nix", "type": "github" } }, - "home-manager": { + "gitignore": { "inputs": { "nixpkgs": [ - "agenix", + "devenv", + "git-hooks", "nixpkgs" ] }, "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", "type": "github" }, "original": { - "owner": "nix-community", - "repo": "home-manager", + "owner": "hercules-ci", + "repo": "gitignore.nix", "type": "github" } }, 
@@ -386,102 +194,22 @@ } }, "nix": { - "inputs": { - "flake-compat": "flake-compat", - "nixpkgs": [ - "devenv", - "cachix", - "devenv", - "cachix", - "devenv", - "nixpkgs" - ], - "nixpkgs-regression": "nixpkgs-regression" - }, - "locked": { - "lastModified": 1712911606, - "narHash": "sha256-BGvBhepCufsjcUkXnEEXhEVjwdJAwPglCC2+bInc794=", - "owner": "domenkozar", - "repo": "nix", - "rev": "b24a9318ea3f3600c1e24b4a00691ee912d4de12", - "type": "github" - }, - "original": { - "owner": "domenkozar", - "ref": "devenv-2.21", - "repo": "nix", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "devenv", - "cachix", - "devenv", - "cachix", - "devenv", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1688870561, - "narHash": "sha256-4UYkifnPEw1nAzqqPOTL2MvWtm3sNGw1UTYTalkTcGY=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "165b1650b753316aa7f1787f3005a8d2da0f5301", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix_2": { "inputs": { "flake-compat": [ - "devenv", - "cachix", - "devenv", - "flake-compat" - ], - "nixpkgs": [ - "devenv", - "cachix", - "devenv", - "nixpkgs" - ], - "nixpkgs-regression": "nixpkgs-regression_2" - }, - "locked": { - "lastModified": 1712911606, - "narHash": "sha256-BGvBhepCufsjcUkXnEEXhEVjwdJAwPglCC2+bInc794=", - "owner": "domenkozar", - "repo": "nix", - "rev": "b24a9318ea3f3600c1e24b4a00691ee912d4de12", - "type": "github" - }, - "original": { - "owner": "domenkozar", - "ref": "devenv-2.21", - "repo": "nix", - "type": "github" - } - }, - "nix_3": { - "inputs": { - "flake-compat": [ - "devenv", - "flake-compat" + "devenv" ], "flake-parts": "flake-parts", "libgit2": "libgit2", - "nixpkgs": "nixpkgs_3", - "nixpkgs-23-11": "nixpkgs-23-11", - "nixpkgs-regression": "nixpkgs-regression_3", - "pre-commit-hooks": "pre-commit-hooks" + "nixpkgs": "nixpkgs_2", + "nixpkgs-23-11": [ + "devenv" + ], + 
"nixpkgs-regression": [ + "devenv" + ], + "pre-commit-hooks": [ + "devenv" + ] }, "locked": { "lastModified": 1727438425, @@ -500,11 +228,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1703013332, - "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "lastModified": 1730531603, + "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", "type": "github" }, "original": { 
@@ -514,103 +242,7 @@ "type": "github" } }, - "nixpkgs-23-11": { - "locked": { - "lastModified": 1717159533, - "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", - "type": "github" - } - }, - "nixpkgs-regression": { - "locked": { - "lastModified": 1643052045, - "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - } - }, - "nixpkgs-regression_2": { - "locked": { - "lastModified": 1643052045, - "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - } - }, - "nixpkgs-regression_3": { - "locked": { - "lastModified": 1643052045, - "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - } - }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1720386169, - "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { - 
"locked": { - "lastModified": 1692808169, - "narHash": "sha256-x9Opq06rIiwdwGeK2Ykj69dNc2IvUH1fY55Wm7atwrE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9201b5ff357e781bf014d0330d18555695df7ba8", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1717432640, "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=", 
@@ -626,148 +258,48 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { - "lastModified": 1717179513, - "narHash": "sha256-vboIEwIQojofItm2xGCdZCzW96U85l9nDW3ifMuAIdM=", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "63dacb46bf939521bdc93981b4cbb7ecb58427a0", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { "owner": "NixOS", - "ref": "24.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, - "poetry2nix": { + "root": { "inputs": { + "devenv": "devenv", + "disko": "disko", "flake-utils": "flake-utils", - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "devenv", - "cachix", - "devenv", - "cachix", - "devenv", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1692876271, - "narHash": "sha256-IXfZEkI0Mal5y1jr6IRWMqK8GW2/f28xJenZIPQqkY0=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "d5006be9c2c2417dafb2e2e5034d83fabd207ee3", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" + "nixpkgs": "nixpkgs_3", + "sops-nix": "sops-nix" } }, - "pre-commit-hooks": { + "sops-nix": { "inputs": { - "flake-compat": [ - "devenv", - "nix" - ], - "flake-utils": "flake-utils_2", - "gitignore": [ - "devenv", - "nix" - ], "nixpkgs": [ - "devenv", - "nix", - "nixpkgs" - ], - "nixpkgs-stable": [ - "devenv", - "nix", "nixpkgs" ] }, "locked": { - "lastModified": 1712897695, - "narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_2": { - "inputs": { - "flake-compat": [ - "devenv", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "devenv", - "nixpkgs" - ], - 
"nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1726745158, - "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "root": { - "inputs": { - "agenix": "agenix", - "devenv": "devenv", - "disko": "disko", - "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_4" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "lastModified": 1732575825, + "narHash": "sha256-xtt95+c7OUMoqZf4OvA/7AemiH3aVuWHQbErYQoPwFk=", + "owner": "mic92", + "repo": "sops-nix", + "rev": "3433ea14fbd9e6671d0ff0dd45ed15ee4c156ffa", "type": "github" }, "original": { - "owner": "nix-systems", - "repo": "default", + "owner": "mic92", + "repo": "sops-nix", "type": "github" } } diff --git a/flake.nix b/flake.nix index 7e7bbb5..2f8fe9f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,19 +2,22 @@ inputs = { flake-utils.url = "github:numtide/flake-utils/v1.0.0"; + devenv = { + url = "github:cachix/devenv"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + disko = { url = "github:nix-community/disko/latest"; inputs.nixpkgs.follows = "nixpkgs"; }; - agenix.url = "github:ryantm/agenix"; - - devenv = { - url = "github:cachix/devenv"; + sops-nix = { + url = "github:mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - nixpkgs.url = "github:NixOS/nixpkgs/24.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; }; outputs = @@ -22,9 +25,9 @@ self, nixpkgs, flake-utils, - agenix, devenv, disko, + sops-nix, ... }@inputs: flake-utils.lib.eachDefaultSystem ( @@ -35,21 +38,37 @@ config.allowUnfree = true; }; + # Modules + bootstrap = [ + ./modules/configuration.nix + ./modules/extras.nix + ./modules/networking.nix + ./modules/users.nix + ]; + + cloud = [ + ./configuration.nix + ./modules/nginx.nix + ./modules/postgres.nix + ./modules/secrets.nix + ] ++ bootstrap; + + # Qemu Setup machine = nixpkgs.lib.nixosSystem { system = builtins.replaceStrings [ "darwin" ] [ "linux" ] system; modules = [ - agenix.nixosModules.default + sops-nix.nixosModules.sops ./modules/qemu.nix ./modules/erlang.nix ./modules/extras.nix + ./modules/networking.nix ./modules/nginx.nix - ./modules/postgres.nix ./modules/users.nix ]; specialArgs = { - inherit pkgs; + inherit pkgs inputs; }; }; @@ -73,13 +92,9 @@ # it contains the bare minimum for us to log in there with ssh bootstrap = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - modules = [ - ./configuration.nix - ./modules/extras.nix - ./modules/users.nix - ]; + modules = bootstrap ++ [ disko.nixosModules.disko ]; specialArgs = { - inherit pkgs; + inherit pkgs inputs; }; }; 
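Review bot: `nixpkgs.url` moves from the `24.05` release branch to `nixos-unstable`, so every `nix flake update` now pulls an unreviewed rolling snapshot into the production host `nekoma` instead of a stable branch. If that is intended, say so above the line, e.g. `# Tracks nixos-unstable on purpose; review the nixpkgs diff on every flake update`; otherwise `nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";` would match the `system.stateVersion = "24.11"` that configuration.nix sets in this same commit.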
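Review bot: The new let-binding `bootstrap = [ ./modules/configuration.nix ... ]` shares its name with the `bootstrap = nixpkgs.lib.nixosSystem { ... }` attribute that consumes it as `modules = bootstrap ++ [ disko.nixosModules.disko ]` in the -73 hunk; this only resolves to the list because the surrounding attribute set is presumably not `rec` (its header is outside the hunk), and a later `rec` or a reader skimming the file will trip on the double meaning. Renaming the lists removes it: `bootstrapModules = [ ... ];`, `cloudModules = [ ... ] ++ bootstrapModules;`, `modules = bootstrapModules ++ [ disko.nixosModules.disko ];`. Note also that `./modules/configuration.nix` (in `bootstrap`) and `./configuration.nix` (in `cloud`) are two different files with the same basename, so a one-line comment on each list stating which host role it describes would save the next reader a lookup.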
@@ -87,18 +102,12 @@ # this configuration here. nekoma = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - modules = [ - agenix.nixosModules.default - ./configuration.nix - ./modules/erlang.nix - ./modules/extras.nix - ./modules/nginx.nix - ./modules/postgres.nix - ./modules/users.nix - ./modules/secrets.nix + modules = cloud ++ [ + disko.nixosModules.disko + sops-nix.nixosModules.sops ]; specialArgs = { - inherit pkgs agenix; + inherit pkgs inputs; }; }; };
@@ -126,7 +135,7 @@ just ]; - languages.terraform = { + languages.opentofu = { enable = true; };
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..af68635
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,47 @@
+{modulesPath, ...}: {
+ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+
+ boot = {
+ initrd.availableKernelModules = ["ata_piix" "uhci_hcd"];
+ kernelModules = ["kvm-intel"];
+ };
+
+ zramSwap.enable = true;
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 8 * 1024;
+ }
+ ];
+
+ disko.devices.disk.main = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/main.tf b/main.tf
index 67e97b9..4678562 100644
--- a/main.tf
+++ b/main.tf
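Review bot: hardware-configuration.nix carries the disko layout for `/dev/vda` with no comment saying that disko repartitions and formats that device from scratch when the host is (re)installed, which is the one thing a reader of a file with this name does not expect; add above `disko.devices.disk.main = {` something like `# Disko layout: applied destructively to /dev/vda by the installer, not at runtime`. The file also enables both `zramSwap` and an 8 GiB `/swapfile`; the old configuration.nix had the same pair, so if both are still wanted a short comment on why would keep it from reading as a leftover. As far as the visible module lists show, only `bootstrap` and `nekoma` receive `disko.nixosModules.disko`, so this file must stay out of the `machine` (qemu) system unless that module is added there too.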
@@ -1,136 +1,94 @@ -terraform { - required_version = ">= 1.8.3" - - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 5.72" - } - } -} - -variable "ami_version" { - type = string - default = "24.05" +# ---------- +# Variables +# ---------- +variable "api_key" { + type = string + nullable = false } -variable "vm_private_ip" { +variable "prefix" { type = string - default = "10.0.0.12" + default = "trashcan" } variable "region" { - type = string - nullable = false + type = string + default = "br-se1" } variable "flake" { - type = string - nullable = false -} - -provider "aws" { - profile = "nekoma" - region = var.region -} - -locals { - availability_zone = "${var.region}c" -} - -# ----------- -# Networking -# ----------- -# VPC -resource "aws_vpc" "vpc" { - cidr_block = "10.0.0.0/16" - - tags = { - Category = "network" - Project = "trashcan" - } -} - -# Gateway -resource "aws_internet_gateway" "gw" { - vpc_id = aws_vpc.vpc.id -} - -# Subnet -resource "aws_subnet" "subnet" { - vpc_id = aws_vpc.vpc.id - cidr_block = "10.0.0.0/24" - availability_zone = local.availability_zone - - # This makes it a public subnet - map_public_ip_on_launch = true - depends_on = [aws_internet_gateway.gw] - - tags = { - Category = "network" - Project = "trashcan" - } + type = string + default = "bootstrap" } -# Create Route Table -resource "aws_route_table" "rt" { - vpc_id = aws_vpc.vpc.id - - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.gw.id +# --------- +# Provider +# --------- +terraform { + backend "local" { + path = ".terraform.tfstate" } - tags = { - Category = "network" - Project = "trashcan" + required_providers { + mgc = { + source = "registry.terraform.io/magalucloud/mgc" + } } } -# Associate Route Table with Subnet -resource "aws_route_table_association" "rta" { - subnet_id = aws_subnet.subnet.id - route_table_id = aws_route_table.rt.id +provider "mgc" { + alias = "se" + region = var.region + api_key = var.api_key } -# Security 
Group -resource "aws_security_group" "sg" { - vpc_id = aws_vpc.vpc.id - - # The "nixos" Terraform module requires SSH access to the machine to deploy - # our desired NixOS configuration. - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - tags = { - Category = "network" - Project = "trashcan" - } +# ----------- +# Networking +# ----------- +resource "mgc_network_vpcs" "vpc" { + name = "${var.prefix}-vpc" + description = "VPC" +} + +resource "mgc_network_security_groups" "sg" { + name = "${var.prefix}-${var.region}-sg" + description = "Security Group" +} + +resource "mgc_network_security_groups_rules" "allow_ingress_ssh" { + depends_on = [mgc_network_security_groups.sg] + description = "Allow Ingress SSH" + direction = "ingress" + ethertype = "IPv4" + port_range_min = 22 + port_range_max = 22 + protocol = "tcp" + remote_ip_prefix = "0.0.0.0/0" + security_group_id = mgc_network_security_groups.sg.id +} + +resource "mgc_network_security_groups_rules" "allow_ingress_http" { + depends_on = [mgc_network_security_groups.sg] + description = "Allow Ingress HTTP" + direction = "ingress" + ethertype = "IPv4" + port_range_min = 80 + port_range_max = 80 + protocol = "tcp" + remote_ip_prefix = "0.0.0.0/0" + security_group_id = mgc_network_security_groups.sg.id +} + +resource "mgc_network_security_groups_rules" "allow_egress_http" { + depends_on = [mgc_network_security_groups.sg] + description = "Allow Egress HTTP" + direction = "egress" + ethertype = "IPv4" + port_range_min = 80 + port_range_max = 80 + protocol = "tcp" + remote_ip_prefix = "0.0.0.0/0" + security_group_id = mgc_network_security_groups.sg.id } # ----- 
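Review bot: `variable "api_key"` is `nullable = false` but not `sensitive = true`, so the Magalu API key is echoed into plan/apply output and anything that captures it; add `sensitive = true` under `nullable = false`. The only provider block is the alias `mgc.se`, yet `mgc_network_vpcs.vpc`, `mgc_network_security_groups.sg` and the three rule resources set no `provider` and therefore bind to an unconfigured default `mgc` provider, while the VM further down uses `provider = mgc.sudeste`, which is declared nowhere, and the volume attachment refers to `mgc_block-storage_volumes` / `mgc_virtual-machine_instances` instead of the declared `mgc_block_storage_volumes` / `mgc_virtual_machine_instances` — pick one alias (or none) and one spelling and use them throughout. The new security group admits only TCP 22 and 80 inbound and TCP 80 outbound, dropping the 443 ingress and unrestricted egress the AWS group had; assuming the provider denies by default, the host cannot reach HTTPS endpoints (binary caches, GitHub) during the NixOS bootstrap and nginx from the `cloud` module list cannot serve TLS, so add an egress 443 rule (and DNS) and decide explicitly about 443 ingress. `required_providers.mgc` carries no `version` constraint and this same commit deletes `.terraform.lock.hcl`, so each `init` fetches whatever provider build is current with nothing to verify it against; add `version = "~> <major.minor>"` and commit the regenerated lock file. `backend "local"` now writes state to `.terraform.tfstate` in the module directory, and that state holds `tls_private_key.ssh_key` and the API key, so confirm the path is excluded from version control.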
@@ -140,8 +98,8 @@ resource "tls_private_key" "ssh_key" { algorithm = "ED25519" } -# Synchronize the SSH private key to a local file that the "nixos" module can -# use +# Synchronize the SSH private key to a local file that +# the "nixos" module can use it. resource "local_sensitive_file" "ssh_private_key" { filename = "${path.module}/id_ed25519" content = tls_private_key.ssh_key.private_key_openssh 
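Review bot: The reworded comment ends `# the "nixos" module can use it.`, which no longer parses after `a local file that`; make the second line `# the "nixos" module can use.`. The comment also still refers to the "nixos" Terraform module from the AWS-based setup this commit replaces; if the key file `${path.module}/id_ed25519` is now consumed by something else (the `null_resource` ssh wait, a nixos-anywhere step), name that consumer instead so readers are not sent looking for a module that is no longer wired in — the rest of the file is outside this hunk, so the reference may still be accurate.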
@@ -152,72 +110,60 @@ resource "local_file" "ssh_public_key" {
 content = tls_private_key.ssh_key.public_key_openssh
 }
-resource "aws_key_pair" "ssh_key" {
- public_key = tls_private_key.ssh_key.public_key_openssh
+resource "mgc_ssh_keys" "ssh_key" {
+ provider = mgc.se
+ name = "${var.prefix}-ssh"
+ key = tls_private_key.ssh_key.public_key_openssh
 }
-# ------------
-# EC2 Instance
-# ------------
-data "aws_ami" "nixos_ami" {
- most_recent = true
-
- filter {
- name = "architecture"
- values = ["x86_64"]
- }
-
- filter {
- name = "name"
- values = ["nixos/${var.ami_version}*"]
+# ---------------------
+# VM Instace + Volumes
+# ---------------------
+resource "mgc_block_storage_volumes" "volume" {
+ name = "${var.prefix}-volume"
+ size = 80
+ type = {
+ name = "cloud_nvme"
 }
-
- owners = ["427812963091"]
 }
-resource "aws_instance" "vm" {
- ami = data.aws_ami.nixos_ami.id
- subnet_id = aws_subnet.subnet.id
- vpc_security_group_ids = [aws_security_group.sg.id]
- key_name = aws_key_pair.ssh_key.key_name
- private_ip = var.vm_private_ip
- associate_public_ip_address = false
+resource "mgc_virtual_machine_instances" "vm" {
+ provider = mgc.sudeste
+ name = var.prefix
- # We could use a smaller instance size, but at the time of this writing the
- # t3.micro instance type is available for 750 hours under the AWS free tier.
- instance_type = "t3.micro"
+ machine_type = {
+ name = "cloud-bs1.xsmall"
+ }
- root_block_device {
- volume_size = 80
- volume_type = "gp3"
+ image = {
+ name = "cloud-ubuntu-22.04 LTS"
 }
- user_data = <<-EOF
- #!/bin/sh
- (umask 377; echo '${tls_private_key.ssh_key.private_key_openssh}' > /var/lib/id_ed25519)
- EOF
+ network = {
+ associate_public_ip = true
+ delete_public_ip = true
- tags = {
- Category = "vm"
- Project = "trashcan"
+ interface = {
+ security_groups = [{
+ id = mgc_network_security_groups.sg.id
+ }]
+ }
 }
+
+ ssh_key_name = mgc_ssh_keys.ssh_key.name
 }
-# ----------
-# Static IP
-# ----------
-resource "aws_eip" "eip" {
- domain = "vpc"
- instance = aws_instance.vm.id
- associate_with_private_ip = var.vm_private_ip
- depends_on = [aws_internet_gateway.gw]
+# Attaching the VM with Block Storage
+resource "mgc_block_storage_volume-attachment" "attached_block_storage" {
+ block_storage_id = mgc_block-storage_volumes.volume.id
+ virtual_machine_id = mgc_virtual-machine_instances.vm.id
 }
 # This ensures that the instance is reachable via `ssh` before we deploy NixOS
 resource "null_resource" "wait" {
 provisioner "remote-exec" {
 connection {
- host = aws_eip.eip.public_ip
+ host = mgc_virtual_machine_instances.vm.network.public_address
 private_key = tls_private_key.ssh_key.private_key_openssh
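Review bot: The attachment resource references `mgc_block-storage_volumes.volume.id` and `mgc_virtual-machine_instances.vm.id`, but the resources declared in this hunk are `mgc_block_storage_volumes.volume` and `mgc_virtual_machine_instances.vm`, so these references cannot resolve; the lines should read `block_storage_id = mgc_block_storage_volumes.volume.id` and `virtual_machine_id = mgc_virtual_machine_instances.vm.id` (the type name `mgc_block_storage_volume-attachment` is worth checking against the provider schema as well). `mgc_ssh_keys.ssh_key` uses `provider = mgc.se` while the VM uses `provider = mgc.sudeste`; the aliases are declared outside this diff, but two different spellings for what is presumably the same region suggests one of them does not exist. The VM attaches `mgc_network_security_groups.sg`, whose rules in the earlier hunk allow ingress only on 22 and 80 and egress only on TCP/80, so anything the host must fetch over 443 would be blocked — confirm that is intended. The `connection` block of `null_resource.wait` continues outside the hunk.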
@@ -225,20 +171,26 @@ resource "null_resource" "wait" {
 }
 }
-module "nixos" {
- source = "github.com/Gabriella439/terraform-nixos-ng//nixos?ref=af1a0af57287851f957be2b524fcdc008a21d9ae"
- host = "root@${aws_eip.eip.public_ip}"
- flake = var.flake
- arguments = []
- ssh_options = "-o StrictHostKeyChecking=accept-new -i ${local_sensitive_file.ssh_private_key.filename}"
- depends_on = [null_resource.wait]
+
+# -------------
+# Provisioning
+# -------------
+module "deploy" {
+ source = "github.com/nix-community/nixos-anywhere//terraform/all-in-one"
+ nixos_system_attr = ".#nixosConfigurations.${var.flake}.config.system.build.toplevel"
+ nixos_partitioner_attr = ".#nixosConfigurations.${var.flake}.config.system.build.diskoScript"
+ debug_logging = true
+
+ instance_id = mgc_virtual_machine_instances.vm.id
+ target_host = mgc_virtual_machine_instances.vm.network.public_address
+ install_user = "debian"
 }
 # -------
 # Outputs
 # -------
-output "public_dns" {
- value = aws_eip.eip.public_dns
+output "public_ip" {
+ value = mgc_virtual_machine_instances.vm.network.public_address
 }
 resource "local_file" "nix_output" {
@@ -251,8 +203,7 @@ resource "local_file" "nix_output" {
 resource "local_file" "output" {
 content = jsonencode({
- public_dns = aws_eip.eip.public_dns
- public_ip = aws_eip.eip.public_ip
+ public_ip = mgc_virtual_machine_instances.vm.network.public_address
 })
 filename = "${path.module}/output.json"
 }
diff --git a/modules/disko.nix b/modules/disko.nix
new file mode 100644
index 0000000..5345131
--- /dev/null
+++ b/modules/disko.nix
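Review bot: `module "deploy"` sources `github.com/nix-community/nixos-anywhere//terraform/all-in-one` with no `?ref=`, so every `terraform init` fetches whatever is on the default branch and runs it against the host with the operator's credentials; the module it replaces was pinned to a commit, and this one should be too, e.g. `source = "github.com/nix-community/nixos-anywhere//terraform/all-in-one?ref=<pinned-tag-or-commit>"`. The old module was also told which key to use via `-i ${local_sensitive_file.ssh_private_key.filename}`, whereas the new block passes no key at all; if the generated key is the intended one, the module's `install_ssh_key` / `deploy_ssh_key` inputs (if I recall its interface correctly) should receive `tls_private_key.ssh_key.private_key_openssh`. `install_user = "debian"` against the `cloud-ubuntu-22.04 LTS` image chosen in the previous hunk looks inconsistent and should be confirmed, and `debug_logging = true` reads like a leftover from testing. The outputs hunk below only renames the output and needs nothing.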
@@ -0,0 +1,39 @@
+{modulesPath, ...}: {
+ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+
+ boot = {
+ initrd.availableKernelModules = ["ata_piix" "uhci_hcd"];
+ kernelModules = ["kvm-intel"];
+ };
+
+ disko.devices.disk.main = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/extras.nix b/modules/extras.nix
index ffd1784..fdcbb78 100644
--- a/modules/extras.nix
+++ b/modules/extras.nix
@@ -4,7 +4,6 @@
 documentation.enable = false;
 environment.systemPackages = with pkgs; [
- lsof
 docker-compose
 ];
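Review bot: `device = "/dev/vda"` is hard-coded with no comment, and since main.tf attaches a second 80 GB block volume to the same VM, a reader of this file cannot tell which disk disko is about to erase; add `# The VM's boot disk, which disko wipes and repartitions; the block volume attached in main.tf is a separate device.` above it. The platform's device naming is not visible in the diff, so whether `/dev/vda` really is the boot disk (and whether a `/dev/disk/by-id` path would be more stable across attachments) should be confirmed before the first apply. The `lsof` removal in the extras.nix hunk is just a move and needs nothing.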
@@ -17,59 +16,10 @@
 };
 };
- # Networking
- networking.firewall.allowedTCPPorts = [ 22 80 443 ];
- networking.hostName = "trashcan";
-
- services.fail2ban = {
- enable = true;
- maxretry = 5;
- bantime = "1h";
- bantime-increment = {
- multipliers = "1 2 4 8 16 32 64";
- # Do not ban for more than 1 week
- maxtime = "168h";
- # Calculate the bantime based on all the violations
- overalljails = true;
- };
- };
-
- # Nix configuration
- nix.settings.trusted-users = ["@wheel"];
- nix = {
- package = pkgs.nixVersions.stable;
- extraOptions = ''
- experimental-features = nix-command flakes
- '';
- # Clean up /nix/store/ after a week
- gc = {
- automatic = true;
- dates = "weekly UTC";
- options = "--delete-older-than 7d";
- };
- };
-
- services.openssh = {
- enable = true;
- ports = [ 22 ];
- settings = {
- PasswordAuthentication = false;
- AllowUsers = [ "deploy" "benevides" "kanagawa" "lemos" "magueta" "marinho" ];
- X11Forwarding = false;
- # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
- PermitRootLogin = "prohibit-password";
- };
- };
- # Magueta wants this
- programs.mosh.enable = true;
- # Extra stuff programs.neovim = {
 enable = true;
 viAlias = true;
 vimAlias = true;
 };
-
- # Don't change this!
- system.stateVersion = "24.05";
 }
diff --git a/modules/networking.nix b/modules/networking.nix
new file mode 100644
index 0000000..b483392
--- /dev/null
+++ b/modules/networking.nix
@@ -0,0 +1,35 @@
+{ pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ lsof
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+ networking.hostName = "trashcan";
+
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "1h";
+ bantime-increment = {
+ multipliers = "1 2 4 8 16 32 64";
+ # Do not ban for more than 1 week
+ maxtime = "168h";
+ # Calculate the bantime based on all the violations
+ overalljails = true;
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ ports = [ 22 ];
+ settings = {
+ PasswordAuthentication = false;
+ AllowUsers = [ "deploy" "benevides" "kanagawa" "lemos" "magueta" "marinho" ];
+ X11Forwarding = false;
+ # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+}
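Review bot: This new module carries over the firewall, fail2ban and openssh settings that the same commit deletes from extras.nix, but three other deleted items do not reappear anywhere in the diff: `system.stateVersion = "24.05";` (which the old file marked "Don't change this!"), the `nix` block (`nix.settings.trusted-users`, `experimental-features = nix-command flakes`, the weekly gc) and `programs.mosh.enable = true;`. Unless they now live in a file outside this diff, the stateVersion line in particular should be restored, since dropping it changes which stateful defaults the system is evaluated against. Note also that `networking.firewall.allowedTCPPorts = [ 22 80 443 ];` opens 443 while the `mgc_network_security_groups_rules` added to main.tf permit ingress only on 22 and 80, so the two layers disagree about what is exposed.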