From b2aca0a8455a42bde3511d8cfb146105699e1170 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Tue, 11 Mar 2025 00:38:47 +0100
Subject: [PATCH] Init
---
 .envrc | 1 +
 .gitignore | 3 +
 .sops.yaml | 3 +
 flake.lock | 139 +++++++++++++++++++++++++++++++++++++
 flake.nix | 37 ++++++++++
 flake/dev-shells.nix | 12 ++++
 flake/formatter.nix | 16 +++++
 flake/image-generators.nix | 48 +++++++++++++
 formats/minimal-iso.nix | 28 ++++++++
 justfile | 19 +++++
 secrets.yaml | 21 ++++++
 11 files changed, 327 insertions(+)
 create mode 100644 .envrc
 create mode 100644 .gitignore
 create mode 100644 .sops.yaml
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 flake/dev-shells.nix
 create mode 100644 flake/formatter.nix
 create mode 100644 flake/image-generators.nix
 create mode 100644 formats/minimal-iso.nix
 create mode 100644 justfile
 create mode 100644 secrets.yaml
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..07fd338
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake .
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6ae9a6e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+.direnv/
+result
+*.dec
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..4e852ac
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,3 @@
+creation_rules:
+ - age: >-
+ age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..a385b4a
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,139 @@
+{
+ "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1741684000,
+ "narHash": "sha256-NQykaWIrn5zilncefIvW4jPQ76YMXVK/dMTzkSVDmdk=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "2db1d64fc084b1d15e3871dffc02c62a94ed6ed7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1741352980,
+ "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "nixlib": {
+ "locked": {
+ "lastModified": 1736643958,
+ "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "nixos-generators": {
+ "inputs": {
+ "nixlib": "nixlib",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1740947705,
+ "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1741600792,
+ "narHash": "sha256-yfDy6chHcM7pXpMF4wycuuV+ILSTG486Z/vLx/Bdi6Y=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "ebe2788eafd539477f83775ef93c3c7e244421d3",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-24.11",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-lib": {
+ "locked": {
+ "lastModified": 1740877520,
+ "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "disko": "disko",
+ "flake-parts": "flake-parts",
+ "nixos-generators": "nixos-generators",
+ "nixpkgs": "nixpkgs",
+ "treefmt-nix": "treefmt-nix"
+ }
+ },
+ "treefmt-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1739829690,
+ "narHash": "sha256-mL1szCeIsjh6Khn3nH2cYtwO5YXG6gBiTw1A30iGeDU=",
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "rev": "3d0579f5cc93436052d94b73925b48973a104204",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..86c63ac
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,37 @@
+{
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-24.11";
+
+ flake-parts.url = "github:hercules-ci/flake-parts";
+
+ nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ treefmt-nix = {
+ url = "github:numtide/treefmt-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs =
+ { flake-parts, ... }@inputs:
+ flake-parts.lib.mkFlake { inherit inputs; } (
+ { inputs, ... }:
+ {
+ systems = [ "x86_64-linux" ];
+
+ imports = [
+ ./flake/dev-shells.nix
+ ./flake/formatter.nix
+ ./flake/image-generators.nix
+ ];
+ }
+ );
+}
diff --git a/flake/dev-shells.nix b/flake/dev-shells.nix
new file mode 100644
index 0000000..3d9cc29
--- /dev/null
+++ b/flake/dev-shells.nix
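Review bot: `nixpkgs.url = "nixpkgs/nixos-24.11";` in flake.nix is an indirect flake-registry reference (the lock file records it as `"type": "indirect"`), while every other input in the same `inputs` block uses an explicit `github:` URL. Resolution of that input therefore goes through whatever registry the evaluating machine has configured rather than being stated in the repository itself, which is both inconsistent with the other inputs and one more thing a reader has to know to reproduce the build. Change it to `nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";` and re-lock, so all five inputs are pinned the same way.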
@@ -0,0 +1,12 @@
+{
+ perSystem =
+ { pkgs, system, ... }:
+ {
+ devShells.default = pkgs.mkShell {
+ packages = [
+ pkgs.sops
+ pkgs.age
+ ];
+ };
+ };
+}
diff --git a/flake/formatter.nix b/flake/formatter.nix
new file mode 100644
index 0000000..cdccc7b
--- /dev/null
+++ b/flake/formatter.nix
@@ -0,0 +1,16 @@
+{ inputs, ... }:
+{
+ perSystem =
+ { pkgs, ... }:
+ {
+ formatter =
+ (inputs.treefmt-nix.lib.evalModule pkgs {
+ projectRootFile = "flake.nix";
+ programs = {
+ nixfmt.enable = true;
+ prettier.enable = true;
+ just.enable = true;
+ };
+ }).config.build.wrapper;
+ };
+}
diff --git a/flake/image-generators.nix b/flake/image-generators.nix
new file mode 100644
index 0000000..5f61088
--- /dev/null
+++ b/flake/image-generators.nix
@@ -0,0 +1,48 @@
+{ inputs, self, ... }:
+{
+ perSystem =
+ {
+ system,
+ inputs',
+ lib,
+ ...
+ }:
+ {
+ packages =
+ let
+ mkImage =
+ {
+ name,
+ format,
+ config ? { },
+ }:
+ {
+ ${name} = inputs.nixos-generators.nixosGenerate {
+ customFormats.minimal-iso = "${self}/formats/minimal-iso.nix";
+ inherit system format;
+ specialArgs = { inherit inputs'; };
+ modules = [
+ { isoImage.isoBaseName = name; }
+ config
+ ];
+ };
+ };
+ in
+ lib.mkMerge [
+
+ (mkImage {
+ name = "minimal";
+ format = "minimal-iso";
+ })
+
+ (mkImage {
+ name = "minimal-wlan";
+ format = "minimal-iso";
+ config = {
+ networking.networkmanager.enable = true;
+ };
+ })
+
+ ];
+ };
+}
diff --git a/formats/minimal-iso.nix b/formats/minimal-iso.nix
new file mode 100644
index 0000000..8b2aabc
--- /dev/null
+++ b/formats/minimal-iso.nix
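Review bot: In flake/image-generators.nix both `mkImage` call sites pass `format = "minimal-iso";`, and `minimal-iso` is also the only entry registered under `customFormats`, so the `format` parameter carries no information at the call sites. Give it a default, `format ? "minimal-iso",`, and drop the two `format = "minimal-iso";` lines; the parameter stays available for a future format without the repetition. The `mkImage` helper also deserves a one-line comment, e.g. `# Builds one ISO package named `name`, merging `config` into the minimal-iso format`, since `packages` is assembled via `lib.mkMerge` of single-attribute sets and that shape is not obvious at first read.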
@@ -0,0 +1,28 @@
+{
+ modulesPath,
+ inputs',
+ lib,
+ ...
+}:
+{
+ imports = [ "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" ];
+
+ formatAttr = "isoImage";
+ fileExtension = ".iso";
+
+ services.openssh.enable = lib.mkForce false;
+ networking.wireless.enable = false;
+
+ console.keyMap = "de-latin1-nodeadkeys";
+
+ environment.systemPackages = [ inputs'.disko.packages.default ];
+
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ extraUpFlags = [ "--ssh" ];
+
+ # Ephemeral + not pre-approved
+ authKeyFile = ../tailscale-auth-key.dec;
+ };
+}
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..7bce824
--- /dev/null
+++ b/justfile
@@ -0,0 +1,19 @@
+set quiet := true
+
+default:
+ just --list --unsorted
+
+generate image: decrypt && encrypt
+ -nix build path:.#{{ image }}
+
+decrypt:
+ sops decrypt --extract '["tailscale-auth-key"]' --output tailscale-auth-key.dec secrets.yaml
+
+encrypt:
+ rm tailscale-auth-key.dec
+
+update:
+ nix flake update --commit-lock-file
+
+fmt:
+ nix fmt
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..002749c
--- /dev/null
+++ b/secrets.yaml
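Review bot: `authKeyFile = ../tailscale-auth-key.dec;` in formats/minimal-iso.nix is a path literal, so the decrypted Tailscale key is copied into the Nix store at evaluation time — readable by every user of the build host — and, because the built system references that store path (presumably from the tailscale autoconnect unit), it is shipped inside every ISO produced from this format; the justfile's `path:.#` build additionally copies the whole working tree, plaintext included, into the store. The `just encrypt` step only deletes the working-copy file, so none of this is undone. The existing comment `# Ephemeral + not pre-approved` records the intended mitigation but not the exposure it mitigates; a reader of this file alone cannot tell why those key properties are load-bearing. Expand it to something like `# Decrypted by the justfile at build time; the plaintext lands in /nix/store and inside the ISO, so the key must be ephemeral, non-preapproved and short-lived, and should be rotated once images are handed out`.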
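Review bot: The `encrypt` recipe in the justfile does not encrypt anything — its only action is `rm tailscale-auth-key.dec` — and that `rm` fails when there is nothing to remove (e.g. running `just encrypt` on its own after a failed `decrypt`). Use `rm -f tailscale-auth-key.dec` and consider renaming the recipe to `cleanup`, updating the dependency line to `generate image: decrypt && cleanup`, so its purpose is visible from the `--list` output. A comment on `generate` such as `# leading '-' keeps cleanup running even if the build fails; the store copy made by path:. is not removed` would also spare the next reader the question of why the build line tolerates errors.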
@@ -0,0 +1,21 @@
+tailscale-auth-key: ENC[AES256_GCM,data:3zUdiJyZtgFEABk3bAC1R60h3MMvssssc+vDW80EVGVNoSdudMnzBhmZEsMkaBFZYiTQ0evyPDqV1/jhb6g=,iv:bEn6kMKOrf+K2fIwFd0dTRpd86ia5H/ZwvbzTiTFOW0=,tag:r41zSXHqYJrsVbBxbpvONg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMGk2UjBudmQ2eTJIZkFw
+ b212VXdGd09nMmY0dnhDcStnUHF3SFpKSFRjCnFFYmkrbVh0N3ozMXJIR0VOa2h4
+ S09BUjI0dGVWOEdqbUZ2eVEzb3R1aTgKLS0tIHpRdHFBSnBhaWdJUEMveFhselRV
+ QXd5WUd2NnV4OHNhVG41SngrRmh6KzgKVGxnz3esV5y2c4gYm03Qtcm8TPWcYOBK
+ Ns9q18/XQYYknOvZUB2QQLNVLphvx36wTlVQU6+nmqIVlZjRTfX0ug==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-03-11T19:50:10Z"
+ mac: ENC[AES256_GCM,data:csoXmToEAyKrDk5uTZnwau0FiJrdlZJTEmqaOS76/rq+iuxHGHnNk8esC7pjU4fvqkyyQDrbVtew/9c9DodjI6kx/gx1N/aEsE8sp68MpeOt75xVEwC8RUZjVzjhhE/5x/8gd5hakv01ySZXHhHvNnhINPjJnpQVtt6p63Thuc0=,iv:eVY+oWP8A5LEkNvKVX4mr1y9LrTtvaHjFfhS8OeX5r4=,tag:VPXXcFAdV2AsATgjSn7KdA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4