From 259c621a2fe494b140e2f5c536370f6c83dc3057 Mon Sep 17 00:00:00 2001
From: Eli Ribble
Date: Thu, 17 Jul 2025 19:39:38 +0000
Subject: [PATCH] Create base test-corp environmnt

This creates more commonality between a nixos-anywhere bootstrapped system and a locally built nixos image, which is good.
---
 flake.nix                                 | 35 ++++++++++++++++
 host/test-corp/configuration.nix          | 12 ++++++
 host/test-corp/hardware-configuration.nix |  9 ++++
 host/test-corp/networking.nix             | 50 +++++++++++++++++++++++
 host/test-corp/secrets/secrets.yaml       | 45 ++++++++++++++++++++
 modules/system/base.nix                   | 39 ++++++++++++++++++
 modules/system/default.nix                |  2 +
 modules/system/fish.nix                   |  5 +--
 modules/system/openssh.nix                |  5 +++
 modules/system/tmux.nix                   | 16 +++-----
 nixos-anywhere/configuration.nix          | 18 --------
 11 files changed, 204 insertions(+), 32 deletions(-)
 create mode 100644 host/test-corp/configuration.nix
 create mode 100644 host/test-corp/hardware-configuration.nix
 create mode 100644 host/test-corp/networking.nix
 create mode 100644 host/test-corp/secrets/secrets.yaml
 create mode 100644 modules/system/base.nix
 create mode 100644 modules/system/openssh.nix

diff --git a/flake.nix b/flake.nix
index 181dcd2..d3f3bec 100644
--- a/flake.nix
+++ b/flake.nix
@@ -83,6 +83,41 @@
       };
       system = "${system}";
     };
+    test-corp = nixpkgs.lib.nixosSystem {
+      modules = [
+        home-manager.nixosModules.home-manager
+        {
+          home-manager.extraSpecialArgs = { inherit configFiles; };
+          home-manager.sharedModules = [
+            nixvim.homeManagerModules.nixvim
+            ./modules/home/nixvim.nix
+          ];
+          home-manager.useGlobalPkgs = true;
+          home-manager.useUserPackages = true;
+        }
+        ./host/test-corp/configuration.nix
+        ./modules
+        sops-nix.nixosModules.sops {
+          sops = {
+            age.generateKey = true;
+            age.keyFile = "/var/libs/sops-nix/key.txt";
+            age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+            defaultSopsFile = ./secrets/secrets.yaml;
+          };
+        }
+        ./users
+      ];
+      pkgs = import nixpkgs {
+        config = {
+          allowUnfreePredicate = pkg: builtins.elem (nixpkgs.lib.getName pkg) allowed-unfree-packages;
+        };
+        system = "${system}";
+      };
+      specialArgs = {
+        inherit configFiles;
+      };
+      system = "${system}";
+    };
   };
 };
}
diff --git a/host/test-corp/configuration.nix b/host/test-corp/configuration.nix
new file mode 100644
index 0000000..a5e8da1
--- /dev/null
+++ b/host/test-corp/configuration.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.nix # generated at runtime by nixos-infect
+  ];
+
+  myModules = {
+    cloud-init.enable = true;
+    do-agent.enable = true;
+  };
+  virtualisation.podman.enable = true;
+}
diff --git a/host/test-corp/hardware-configuration.nix b/host/test-corp/hardware-configuration.nix
new file mode 100644
index 0000000..d634744
--- /dev/null
+++ b/host/test-corp/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/vda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
+
+}
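Review bot: `defaultSopsFile = ./secrets/secrets.yaml;` is resolved relative to flake.nix, i.e. `<flake-root>/secrets/secrets.yaml`, but the file this commit adds lives at `host/test-corp/secrets/secrets.yaml`; unless a root-level secrets/secrets.yaml already exists (not visible in this patch), evaluation fails on the missing path, and if one does exist test-corp will quietly decrypt a different host's secrets. Point it at the per-host file: `defaultSopsFile = ./host/test-corp/secrets/secrets.yaml;`. `age.keyFile = "/var/libs/sops-nix/key.txt"` also looks like a typo for the conventional `/var/lib/sops-nix/key.txt`; because `age.generateKey = true`, a fresh identity will be generated into that unusual directory on first activation, and either that generated key or the ssh-to-age form of `/etc/ssh/ssh_host_ed25519_key` must be among the recipients of the sops file before any secret can be decrypted.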
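Review bot: The trailing comment on `./networking.nix # generated at runtime by nixos-infect` no longer describes the file: networking.nix is committed in this same patch and is evaluated from the repository, not regenerated on the host. The stale note invites a reader to treat it as disposable output when it actually pins the droplet's public addresses, gateway and udev MAC-to-name mapping. Replace it with something like `./networking.nix # static snapshot of the nixos-infect output; update by hand when the droplet's addresses or MACs change`.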
diff --git a/host/test-corp/networking.nix b/host/test-corp/networking.nix
new file mode 100644
index 0000000..0511d20
--- /dev/null
+++ b/host/test-corp/networking.nix
@@ -0,0 +1,50 @@
+{ lib, ... }: {
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+    hostName = "corp";
+    defaultGateway = "159.89.144.1";
+    defaultGateway6 = {
+      address = "2604:a880:2:d1::1";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    domain = "gleipnir.technology";
+    firewall.enable = false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          { address="159.89.154.99"; prefixLength=20; }
+          { address="10.46.0.5"; prefixLength=16; }
+        ];
+        ipv4.routes = [ { address = "159.89.144.1"; prefixLength = 32; } ];
+        ipv6.addresses = [
+          { address="2604:a880:2:d1::7f9a:6001"; prefixLength=64; }
+          { address="fe80::d4a8:45ff:fe46:cd11"; prefixLength=64; }
+        ];
+        ipv6.routes = [ { address = "2604:a880:2:d1::1"; prefixLength = 128; } ];
+      };
+      eth1 = {
+        ipv4.addresses = [
+          { address="10.120.0.2"; prefixLength=20; }
+        ];
+        ipv6.addresses = [
+          { address="fe80::4ac:1fff:fe36:cb24"; prefixLength=64; }
+        ];
+      };
+    };
+    nameservers = [
+      "67.207.67.3"
+      "67.207.67.2"
+      "67.207.67.3"
+      "67.207.67.2"
+      "67.207.67.3"
+      "67.207.67.2"
+    ];
+    usePredictableInterfaceNames = lib.mkForce false;
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="d6:a8:45:46:cd:11", NAME="eth0"
+    ATTR{address}=="06:ac:1f:36:cb:24", NAME="eth1"
+  '';
+}
diff --git a/host/test-corp/secrets/secrets.yaml b/host/test-corp/secrets/secrets.yaml
new file mode 100644
index 0000000..4021e79
--- /dev/null
+++ b/host/test-corp/secrets/secrets.yaml
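Review bot: `firewall.enable = false;` leaves the host without any packet filter while it is configured with a public IPv4 address (159.89.154.99) and a public IPv6 address (2604:a880:2:d1::7f9a:6001), and this same commit turns on sshd and podman for it, so every listening service becomes reachable from the internet by default. If the line was carried over from the nixos-infect generated file it should be inverted: `firewall.enable = true;` — the NixOS openssh module opens port 22 itself through its `openFirewall` default, so SSH access is preserved and any further service is exposed deliberately via `networking.firewall.allowedTCPPorts`. Separately, `nameservers` lists the same two resolvers three times; each once is enough and makes the intent clearer.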
@@ -0,0 +1,45 @@
+vikunja:
+  auth:
+    openid:
+      providers:
+        clientid: ENC[AES256_GCM,data:mg2upgLEQdpZEnwG76/INggkZmo6dQI1JQ2h1MtDqJZihXYpyCQlpQ==,iv:TgtzUXEyd9mlDTBujo8kVsrAhncVnCxBw3SzhNZxpG4=,tag:FkxmtHayYFfG/XOBNxgygQ==,type:str]
+        clientsecret: ENC[AES256_GCM,data:xcbWGC5HUUPECiKGr/ueQvphT3tzou5Wvl/RzqRXN3PLgFT/mZtenBrKlf/mjhSwGHkNJHdZrm6RAK3Uhu+FNFZalrAO2wR+YXoPIRKoBjNwmq2eO5nVIWpXNnkhME9Tzc2OwyafJ6+rFh84Oynx5/+Ely0v041iLM6LHXKSVVE=,iv:/lyeEUh3YH3QN7LFe83InVtywFP6ChlXYCASOfl/C4M=,tag:2gtFCCruyGbijH1njNnOsw==,type:str]
+  database:
+    host: ENC[AES256_GCM,data:1WYHQ+x+wJ+F5KXYuZ95HMoQCmVN6M+wQ6pIzMqFJgvcnIphq1/uePA0bAq87+b0lGSor0c4mPqkb28EUt6hOcYcEcoawViXrb7DscJGljddeUl9Dtc=,iv:u+AATslu+oUdSvPRu5xUMUYPlTDugyKpJARy7D3wurc=,tag:GBLHimUoJiInSvJ3guv+hA==,type:str]
+    password: ENC[AES256_GCM,data:CloDvjAt+N2B7ubewNQP1EdYhA==,iv:7g0W2EkFjAnw7d+VPDe6eiRv7XpriIg/0g53eRGDe3o=,tag:LrNAT2tqFOMJ1C3yrjIaaQ==,type:str]
+    user: ENC[AES256_GCM,data:/JsWYTb/YRQDyy0P,iv:N+slGsGKqD0is0WWNXxrTMAC/Puo4ZgHC7s2m7PzYNs=,tag:lO9wl1uHind1Y1jssySZBA==,type:str]
+  mailer:
+    fromemail: ENC[AES256_GCM,data:6R29Cxg29t68qgc48QZCAeF2eUPtt5795C/YdNY=,iv:EcF2zwvgs1IwlQlCoRsrfbsufRtslhY0Iyy+UdUwArI=,tag:6Dx4sp9t0qmzVGfuzGTAOQ==,type:str]
+    host: ENC[AES256_GCM,data:NxsCNMJMl1qG4EgbDfTS0maHHsQ8,iv:SOs/rGY8hq8AEW+bDUCulAbV4YGoF4mIdNX6qOL1/ik=,tag:9j7jey8e/jcKYXM3rsSqbA==,type:str]
+    port: ENC[AES256_GCM,data:nr+LpQ==,iv:6jtsaHr5FYmUL0Mw3HSeyeI4rnlHVSTdKWEDBNBDuwo=,tag:L89e9tUBJqpMQM82J2RG+w==,type:int]
+    password: ENC[AES256_GCM,data:8zQeI0GtMPTy+L4JjCwLePejy9KEfx2b,iv:hOWwnCKSLJ5Uuu17r35FH++WE7AM9F/cxc3e+ETkdRY=,tag:RDtZvrJp0p/qqRVM5xWDMA==,type:str]
+    username: ENC[AES256_GCM,data:II7dPDmoZGD05wwrupUR3nDWyMhZ3RGhSWwSwSA=,iv:C/X9W7RkV/rLfWsZf+PlIi5LWxIwnDRSDcpDVQsgyvE=,tag:IQf29fGa1HuBblkd1F/lnQ==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1kgwk20cc6t68kqj5nhem6swvx6k4e7zjx2xdwy382360h8tdyqrq0nn3gf
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWUHhKNXYydHVPK3cxNzhj
+        TlgyOFc5QXlhOEdjcXhRR2x0UHNxbjQyWm5JCkxUcGgyZUpPT0kzejVjcDZFbU1M
+        aktLbFFsZE5PaCsvb1oxSjRSK2hZNzgKLS0tIGJnUWFMQWhWSWV2WkZVMFBsN09a
+        bXNjYThSVkxRaHVCUzBFVWUwMWJDV00KS8CbS1qaS44PceePrLRzNW1ykCxOdeH+
+        d0QMQIb73/n1MIDyqBX/zIIqEGsvBKqOX3JQ7U2G62opHnosGBFN0A==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age1z8gnjnye5d0czrluvvs468h05sjugcdapngdmjpwlk6l26y2n3asa0phg7
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ZU1Wby9RL1pXS0tweTZ5
+        aCtGQUw0NjRMYXFzSjF1TDhPWnZLVWdlM21RCnBSSnhZYkRHQkp3VFVGbGpNMHpB
+        NWhTMXlXa1Ewb1JpTENDWTJ4U0R6MncKLS0tIDdLSjJpTnZ3QUlDVUtldmdmenNH
+        OEdlQmtPdDAyZlRUbU1oVWR3Y1U2ak0Kt+IIpRpTz+VcG4Iur2UcP91t7r79qNet
+        9oDJxwta0DmbjHN/PIaqzrObJzeijGWpiILBN6RvB1HQ+4Gdi1FWUA==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-05-09T18:49:41Z"
+  mac: ENC[AES256_GCM,data:0OFrVM/sqkpVDtB7PxizOnRhcbZUjrSpA24jC9ViD7sueSe633fSfGEJTsUvF/RqUniVWTyWghVstS2HzhxORElQ0ZNjqD7K1GBkNK5XGzfo/aRQ+MWFu0g1Fu7wUe+Yc6ZAF0yExQgpl10Gt9tZysCcwlEFZIYOFWwyY8SiVtU=,iv:xvcsIQij3H16IJOfH0RjwPJKk0KbmnAupDQ1ozHDmOA=,tag:ozr9gaBinE9PF77N9a6UVQ==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.4
diff --git a/modules/system/base.nix b/modules/system/base.nix
new file mode 100644
index 0000000..9990561
--- /dev/null
+++ b/modules/system/base.nix
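Review bot: Nothing in the sops metadata records which of the two age recipients is the test-corp host identity that sops-nix will use at activation (the ssh-to-age form of `/etc/ssh/ssh_host_ed25519_key`, or the key generated into `age.keyFile`) and which is an operator's key; if neither recipient is the host's, activation cannot decrypt these values, and when a key is rotated there is no way to tell which recipient to drop. sops keeps YAML comments through re-encryption, so a one-line comment at the top of the file such as `# recipients: test-corp host key (ssh-to-age of ssh_host_ed25519_key) + <operator> admin key` would make the recipient set reviewable. The `lastmodified` stamp (2025-05-09) predates this commit by two months, which suggests the file was encrypted before the test-corp flake wiring existed — presumably for another host; worth confirming the recipient set actually includes this machine.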
@@ -0,0 +1,39 @@
+{ config, configFiles, lib, pkgs, ... }:
+
+{
+  boot.tmp.cleanOnBoot = true;
+  environment.systemPackages = map lib.lowPrio [
+    pkgs.curl
+    pkgs.htop
+    pkgs.git
+  ];
+  i18n.defaultLocale = "en_US.UTF-8";
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  services.swapspace.enable = true;
+  time.timeZone = "UTC";
+  zramSwap.enable = true;
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "25.05";
+}
diff --git a/modules/system/default.nix b/modules/system/default.nix
index fc3e814..83afe61 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
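Review bot: `services.swapspace.enable = true;` next to `zramSwap.enable = true;` means that beyond the RAM-backed zram device, swapspace will create on-disk swap files as memory pressure grows, and the only disk this patch describes (hardware-configuration.nix) is a plain ext4 root on /dev/vda1 with no encryption layer. Anything a service holds in memory after sops-nix decrypts it — in this patch the vikunja database password, OIDC client secret and mailer credentials — can therefore be paged out to disk in cleartext and survive reboots, since `boot.tmp.cleanOnBoot` only covers /tmp. Unless the on-disk fallback is actually needed, keep zram alone by removing `services.swapspace.enable = true;`; if it stays, record the trade-off next to it, e.g. `# NOTE: swapspace writes unencrypted swapfiles to the root fs; decrypted secrets held in memory may land on disk`.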
@@ -1,9 +1,11 @@
 {
   imports = [
+    ./base.nix
     ./cloud-init.nix
     ./do-agent.nix
     ./fish.nix
     ./onlyoffice.nix
+    ./openssh.nix
     ./seafile.nix
     ./sudo.nix
     ./synapse.nix
diff --git a/modules/system/fish.nix b/modules/system/fish.nix
index a195b7f..e7d7bed 100644
--- a/modules/system/fish.nix
+++ b/modules/system/fish.nix
@@ -3,8 +3,5 @@
 with lib;
 
 {
-  options.myModules.fish.enable = mkEnableOption "custom fish configuration";
-  config = mkIf config.myModules.fish.enable {
-    environment.systemPackages = [ pkgs.fish ];
-  };
+  environment.systemPackages = [ pkgs.fish ];
 }
diff --git a/modules/system/openssh.nix b/modules/system/openssh.nix
new file mode 100644
index 0000000..d35e98c
--- /dev/null
+++ b/modules/system/openssh.nix
@@ -0,0 +1,5 @@
+{ config, configFiles, lib, pkgs, ... }:
+
+{
+  services.openssh.enable = true;
+}
diff --git a/modules/system/tmux.nix b/modules/system/tmux.nix
index 5214cb8..7b5d731 100644
--- a/modules/system/tmux.nix
+++ b/modules/system/tmux.nix
@@ -3,16 +3,12 @@
 with lib;
 
 {
-  options.myModules.tmux.enable = mkEnableOption "custom tmux configuration";
+  environment.systemPackages = [ pkgs.tmux ];
 
-  config = mkIf config.myModules.tmux.enable {
-    environment.systemPackages = [ pkgs.tmux ];
+  environment.etc."tmux.conf".source = "${configFiles}/tmux/tmux.conf";
 
-    environment.etc."tmux.conf".source = "${configFiles}/tmux/tmux.conf";
-
-    # Alternative: if you want per-user configs
-    # users.users = mkMerge (map (user: {
-    #   ${user}.home = "${configPath}/configs/tmux/tmux.conf";
-    # }) config.myModules.tmux.users);
-  };
+  # Alternative: if you want per-user configs
+  # users.users = mkMerge (map (user: {
+  #   ${user}.home = "${configPath}/configs/tmux/tmux.conf";
+  # }) config.myModules.tmux.users);
 }
diff --git a/nixos-anywhere/configuration.nix b/nixos-anywhere/configuration.nix
index 7196eef..0c3cdc0 100644
--- a/nixos-anywhere/configuration.nix
+++ b/nixos-anywhere/configuration.nix
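Review bot: `services.openssh.enable = true;` is now pulled in unconditionally through default.nix for every host that imports ./modules, but it leaves sshd at the NixOS defaults, which still accept password logins, while this same commit removes the only root authorized key visible in the tree (nixos-anywhere/configuration.nix); whether key-only access is enforced now rests entirely on ./users, which is not part of this patch. Harden the defaults here so every host inherits them: `services.openssh.settings.PasswordAuthentication = false;`, `services.openssh.settings.KbdInteractiveAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "prohibit-password";`. The argument pattern `{ config, configFiles, lib, pkgs, ... }:` binds four names the module never uses; `{ ... }:` would be clearer.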
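Review bot: The comment block kept on the new side ends with `# }) config.myModules.tmux.users);`, an option that this hunk removes together with `myModules.tmux.enable`, so anyone following the suggested alternative would reference an undeclared option; the `with lib;` context line above is likewise dead now that `mkEnableOption` and `mkIf` are gone. Either delete the four-line "Alternative" comment or reword its first line to `# Alternative: per-user configs would need a myModules.tmux.users option (removed in favour of the system-wide /etc/tmux.conf)`, and drop `with lib;` while here. The module's function header starts above the hunk.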
@@ -17,26 +17,8 @@
     efiInstallAsRemovable = true;
   };
 
-  environment.systemPackages = map lib.lowPrio [
-    pkgs.curl
-    pkgs.gitMinimal
-  ];
-
   myModules = {
     cloud-init.enable = true;
     do-agent.enable = true;
-    fish.enable = true;
-    tmux.enable = true;
   };
-
-  services.openssh.enable = true;
-  services.swapspace.enable = true;
-
-  system.stateVersion = "25.05";
-
-  users.users.root.openssh.authorizedKeys.keys =
-    [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBvhtF6nRWlA6PVs71Eek7p0p2PxTd3P6ZEGFV2t75MB eliribble@nixos"
-    ] ++ (args.extraPublicKeys or []); # this is used for unit-testing this module and can be removed if not needed
-
 }