223 lines
6.8 KiB
Nix
223 lines
6.8 KiB
Nix
{
|
|
|
|
description = "StuRa HTWD NixOS Configurations";
|
|
|
|
inputs = {
|
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
|
|
authentik = {
|
|
url = "github:nix-community/authentik-nix";
|
|
};
|
|
mailserver = {
|
|
url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver?ref=nixos-25.11";
|
|
};
|
|
sops = {
|
|
url = "github:Mic92/sops-nix";
|
|
inputs.nixpkgs.follows = "nixpkgs";
|
|
};
|
|
disko = {
|
|
url = "github:nix-community/disko";
|
|
inputs.nixpkgs.follows = "nixpkgs";
|
|
};
|
|
git-hooks = {
|
|
url = "github:cachix/git-hooks.nix";
|
|
inputs.nixpkgs.follows = "nixpkgs";
|
|
};
|
|
};
|
|
|
|
outputs =
|
|
{
|
|
self,
|
|
nixpkgs,
|
|
authentik,
|
|
mailserver,
|
|
disko,
|
|
sops,
|
|
git-hooks,
|
|
}:
|
|
let
|
|
sshkeys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINABEf0jBjtDdezDDtvl1v27l0DbHP2XUgMARTZXC+MR goeranh@node5"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSwdCtJZNZzrVa6m4I3OBZHGgWYhEBCBdnCR5rSJimz ocxe@nix"
|
|
];
|
|
in
|
|
rec {
|
|
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
|
|
|
|
devShells.x86_64-linux.default =
|
|
let
|
|
pkgs = nixpkgs.legacyPackages.x86_64-linux;
|
|
pre-commit-check = git-hooks.lib.x86_64-linux.run {
|
|
src = ./.;
|
|
hooks = {
|
|
nixfmt-rfc-style.enable = true;
|
|
};
|
|
};
|
|
in
|
|
pkgs.mkShell {
|
|
# Import GPG keys from keys directory
|
|
sopsPGPKeyDirs = [
|
|
"${toString ./.}/keys/hosts"
|
|
"${toString ./.}/keys/users"
|
|
];
|
|
|
|
# Isolate sops GPG keys to .git/gnupg (optional)
|
|
# sopsCreateGPGHome = true;
|
|
|
|
shellHook = ''
|
|
${pre-commit-check.shellHook}
|
|
'';
|
|
|
|
nativeBuildInputs = [
|
|
sops.packages.x86_64-linux.sops-import-keys-hook
|
|
];
|
|
|
|
buildInputs = pre-commit-check.enabledPackages ++ [
|
|
pkgs.sops
|
|
];
|
|
};
|
|
packages.x86_64-linux =
|
|
let
|
|
pkgs = nixpkgs.legacyPackages.x86_64-linux;
|
|
|
|
# Hugo documentation site package
|
|
docs-site = pkgs.stdenv.mkDerivation {
|
|
name = "stura-infra-docs";
|
|
src = ./.;
|
|
|
|
nativeBuildInputs = [ pkgs.hugo ];
|
|
|
|
buildPhase = ''
|
|
# Create Hugo structure
|
|
mkdir -p hugo-site
|
|
cp ${./docs/hugo.yaml} hugo-site/hugo.yaml
|
|
|
|
# Install hugo-book theme
|
|
mkdir -p hugo-site/themes
|
|
cp -r ${
|
|
pkgs.fetchFromGitHub {
|
|
owner = "alex-shpak";
|
|
repo = "hugo-book";
|
|
rev = "v13";
|
|
sha256 = "sha256-r2KfmWK7BC7LjnZVvwb2Mbqnd8a6Q32fBqiQfZTpGy4=";
|
|
}
|
|
} hugo-site/themes/hugo-book
|
|
|
|
# Build content from README files
|
|
bash ${./docs/build-docs.sh} . hugo-site/content
|
|
|
|
# Build Hugo site
|
|
cd hugo-site
|
|
hugo --minify
|
|
'';
|
|
|
|
installPhase = ''
|
|
mkdir -p $out
|
|
cp -r public/* $out/
|
|
'';
|
|
};
|
|
in
|
|
builtins.foldl'
|
|
(
|
|
result: name:
|
|
result
|
|
// {
|
|
# run nixos-rebuild switch on the target system
|
|
# the config will be built locally and copied over
|
|
"${name}-update" = pkgs.writeShellScriptBin "update" ''
|
|
nixos-rebuild switch --flake .#${name} --target-host root@${
|
|
(builtins.head (
|
|
nixosConfigurations.${name}.config.networking.interfaces.${
|
|
builtins.head (builtins.attrNames nixosConfigurations.${name}.config.networking.interfaces)
|
|
}.ipv4.addresses
|
|
)).address
|
|
}
|
|
'';
|
|
}
|
|
)
|
|
{ inherit docs-site; }
|
|
(
|
|
# filter all nixos configs containing installer
|
|
builtins.filter (item: !nixpkgs.lib.hasInfix "-" item) (builtins.attrNames nixosConfigurations)
|
|
)
|
|
// (
|
|
let
|
|
iso-config = nixpkgs.lib.nixosSystem {
|
|
system = "x86_64-linux";
|
|
modules = [
|
|
"${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix"
|
|
{
|
|
users.users.administration = {
|
|
password = "test";
|
|
isNormalUser = true;
|
|
};
|
|
users.users.root.openssh.authorizedKeys.keys = sshkeys;
|
|
networking.interfaces.ens18.ipv4.addresses = [
|
|
{
|
|
address = "141.56.51.98";
|
|
prefixLength = 24;
|
|
}
|
|
];
|
|
services.getty.autologinUser = "root";
|
|
services.openssh.enable = true;
|
|
system.stateVersion = "25.11";
|
|
networking.dhcpcd.enable = nixpkgs.lib.mkForce false;
|
|
networking.defaultGateway.address = "141.56.51.254";
|
|
networking.nameservers = [ "141.56.1.1" ];
|
|
}
|
|
];
|
|
};
|
|
in
|
|
{
|
|
installer-iso = iso-config.config.system.build.isoImage;
|
|
installer-vm = iso-config.config.system.build.vm;
|
|
}
|
|
)
|
|
// (
|
|
# Container tarballs for LXC deployment to Proxmox
|
|
# Only generates tarballs for hosts that import proxmox-lxc.nix
|
|
let
|
|
lxcHosts = builtins.filter (
|
|
name:
|
|
let
|
|
hostPath = ./hosts/${name}/default.nix;
|
|
content = builtins.readFile hostPath;
|
|
in
|
|
builtins.match ".*proxmox-lxc.nix.*" content != null
|
|
) (builtins.attrNames (builtins.readDir ./hosts));
|
|
in
|
|
builtins.foldl' (
|
|
result: name:
|
|
result
|
|
// {
|
|
"containers-${name}" = nixosConfigurations.${name}.config.system.build.tarball;
|
|
}
|
|
) { } lxcHosts
|
|
);
|
|
|
|
nixosConfigurations = builtins.foldl' (
|
|
result: input:
|
|
result
|
|
// {
|
|
"${input}" = nixpkgs.lib.nixosSystem {
|
|
system = "x86_64-linux";
|
|
modules =
|
|
let
|
|
modulesPath = "${nixpkgs}";
|
|
in
|
|
[
|
|
./hosts/${input}
|
|
./default.nix
|
|
disko.nixosModules.disko
|
|
authentik.nixosModules.default
|
|
mailserver.nixosModules.mailserver
|
|
{
|
|
_module.args = { inherit self modulesPath; };
|
|
}
|
|
];
|
|
};
|
|
}
|
|
) { } (builtins.attrNames (builtins.readDir ./hosts));
|
|
};
|
|
|
|
}
|