first commit

2025-07-23 04:27:38 +02:00
commit caba04d493
18 changed files with 829 additions and 0 deletions

README.md Normal file

@@ -0,0 +1,71 @@
# NixOS dotfiles
## Structure des fichiers
+ hosts
| |
| + generic <- Iso minimal pour nixos-anywhere
| |
| + myhost <- Tout ce qui est unique à une machine vient ici
|
+ modules
| |
| + core <- Modules partagés entre toutes les machines
| |
| + optionnal <- Modules pour au moins deux machines
|
+ flake.nix
|
+ custom.iso
Si un seul fichier nix, pas de sous dossier (openfortivpn)
Si plusieurs fihchiers nix, un sous dossier (ex desktop)
## Workflow
1. Création d'une iso (push en ligne pour kexec)
2. Copie de l'iso sur le repo
3. nixos-anywhere (pour déployer une install minimale)
4. copie du disk-config.nix et du hardware-config.nix dans le dossier host qui va bien
5. deploy-rs pour push une config sur une image generic ou maj existant.
## Création d'une iso
```
nixos-generate --format iso --configuration ./customiso.nix -o ~/Downloads/nixos.iso
```
si on veut utiliser kexec, il faut pousser l'iso en ligne pour que le serveur cible puisse la télécharger.
## Nixos anywhere
On ajoute à `~/.ssh/config`
```
nixos-anywhere --flake .#generic --target-host root@192.168.122.204 -i ~/.ssh/id_ed25519_beastie --generate-hardware-config nixos-generate-config ./hosts/generic/hardware-configuration.nix
```
si l'installation est en local, on peux créer le partitionnement avec la commande suivante :
```
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --yes-wipe-all-disks --mode destroy,format,mount ./disko.nix
```
et faire une installation standard.
Le mieux est de download le repo et de faire un nixos-anywhere en ssh sur localhost ou depuis un autre pc
Une fois la manipulation finie, on copie `hosts/generic` dans `hosts/hostname`. Ainsi, on garde le bon `disk-config.nix` et `hardware-configuration.nix`
## déployer la bonne configuration
Avant de déployer la configuration, il faut ajouter la clé sops-nix
```
```
On édite `hosts/hostname/default.nix` et on inclus les bons modules.
On lance le rebuild :
```
nixos-rebuild switch --flake ~/dev#test-kvm --target-host beastie@192.168.122.204 --sudo
```

flake.lock generated Normal file

@@ -0,0 +1,88 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1752718651,
"narHash": "sha256-PkaR0qmyP9q/MDN3uYa+RLeBA0PjvEQiM0rTDDBXkL8=",
"owner": "nix-community",
"repo": "disko",
"rev": "d5ad4485e6f2edcc06751df65c5e16572877db88",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"mysecrets": {
"flake": false,
"locked": {
"lastModified": 1753141577,
"narHash": "sha256-MNbm7KCEqML5l72GppVoxXX03UtVGIzUsgaW+A+FBDQ=",
"ref": "main",
"rev": "c1edf4983cba959f93daa9c7ef0c1acbd958c755",
"shallow": true,
"type": "git",
"url": "ssh://gitea@git.unixyourbrain.org/beastie/nixos-secrets.git"
},
"original": {
"ref": "main",
"shallow": true,
"type": "git",
"url": "ssh://gitea@git.unixyourbrain.org/beastie/nixos-secrets.git"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1752364307,
"narHash": "sha256-o0Cm4fhz/ukV/excbnwkRB2sqknenkb/0T4pcgXjrp0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b6071be3c0d9404113988e5e253eb6d71d1ddbef",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"mysecrets": "mysecrets",
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1752544651,
"narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2c8def626f54708a9c38a5861866660395bb3461",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

flake.nix Normal file

@@ -0,0 +1,56 @@
{
description = "A very basic flake";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
mysecrets = {
url = "git+ssh://gitea@git.unixyourbrain.org/beastie/nixos-secrets.git?ref=main&shallow=1";
flake = false;
};
};
outputs =
{ ... }@inputs:
let
mkSystem =
pkgs: system: hostname: username:
pkgs.lib.nixosSystem {
# inherit system;
pkgs = import pkgs {
inherit system;
config.allowUnfree = true;
};
specialArgs = {
inherit hostname username inputs;
};
modules = [
# General configuration, for all machines
inputs.sops-nix.nixosModules.sops
inputs.disko.nixosModules.disko
./hosts/${hostname}
];
};
in
{
nixosConfigurations = {
#nixos-anywhere -- --flake './#generic' --generate-hardware-config nixos-generate-config ./hosts/generic/hardware-configuration.nix --target-host beastie@192.168.122.204
generic = mkSystem inputs.nixpkgs "x86_64-linux" "generic" "beastie";
test-kvm = mkSystem inputs.nixpkgs "x86_64-linux" "test-kvm" "beastie";
# live-usb = mkSystem inputs.nixpkgs "x86_64-linux" "live-usb" "beastie";
#nixos-rebuild switch --flake ./#home-nix --sudo
#home-nix = mkSystem inputs.nixpkgs "x86_64-linux" "home-nix" "beastie";
};
};
}
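Review bot: `mkSystem`'s first parameter is named `pkgs`, but what is passed to it is the nixpkgs flake input (`mkSystem inputs.nixpkgs ...` in `nixosConfigurations`), which the body then uses as `pkgs.lib.nixosSystem` and `import pkgs { ... }`, while the attribute `pkgs = import pkgs { ... }` inside the same call is the evaluated package set — two different things under one name. Renaming the parameter keeps them apart: `nixpkgs: system: hostname: username:` / `nixpkgs.lib.nixosSystem {` / `pkgs = import nixpkgs {`. The template text `description = "A very basic flake"` and the commented-out `# inherit system;` could also go now that the flake has a real purpose.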

hosts/generic/default.nix Normal file

@@ -0,0 +1,88 @@
{
pkgs,
username,
hostname,
...
}:
{
imports = [
./disk-config.nix
./hardware-configuration.nix
../../modules/core/grub.nix
../../modules/optionnal/sops-desktop.nix
];
boot.kernelPackages = pkgs.linuxPackages_latest;
time.timeZone = "Europe/Paris";
nix = {
settings = {
## Enable flakes
experimental-features = [
"nix-command"
"flakes"
];
## Users trusted to use flake command
trusted-users = [
"root"
"${username}"
];
};
};
users.users = {
${username} = {
isNormalUser = true;
createHome = true;
description = "Admin account";
extraGroups = [
"wheel"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKMJ3TkEmRQcX7RQijNa2km6a2xXJk6M6FERh7C9nTJ"
];
};
root = {
password = null;
};
};
system.activationScripts.setup-ssh-keys = {
text = ''
mkdir -p /home/${username}/.ssh
chown ${username}:users /home/${username}/.ssh
chmod 700 /home/${username}/.ssh
'';
};
security.sudo = {
enable = true;
extraRules = [
{
users = [ "${username}" ];
host = "ALL";
runAs = "ALL:ALL";
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];
#extraConfig = "#includedir /etc/sudoers.d";
};
environment.systemPackages = [
pkgs.neovim
pkgs.git
pkgs.curl
pkgs.nixos-anywhere
pkgs.nixos-generators
];
services.openssh.enable = true;
networking.hostName = "${hostname}";
system.stateVersion = "25.11";
}
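Review bot: The `security.sudo` block here is a verbatim copy of what `modules/optionnal/sudo-nopasswd.nix` defines in this same commit, so the two will drift; adding `../../modules/optionnal/sudo-nopasswd.nix` to `imports` instead of repeating the rule keeps one definition. The profile also enables openssh with only an authorized key for `${username}` and `password = null` for root; making the key-only intent explicit with `services.openssh.settings.PasswordAuthentication = false;` would stop it relying on the accounts simply having no password set. The `chown ${username}:users` in the activation script assumes the user's primary group is `users`, which is the `isNormalUser` default but deserves a comment since the module otherwise parameterises the user.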


@@ -0,0 +1,36 @@
{
...
}:
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/vda";
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
type = "8300";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
};
};
};
};
};
}
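Review bot: The ESP is mounted at `/boot` with no mount options, so the kernels and initrds it holds are readable by every local user; the usual mitigation is `mountOptions = [ "umask=0077" ];` next to `mountpoint = "/boot";` (recent NixOS releases warn about a world-readable `/boot`, as far as I recall). The same layout, including the hard-coded `device = "/dev/vda";`, is repeated verbatim in the second `disk-config.nix` of this commit (the test-kvm host, judging by the surrounding files), so the fix applies there too and a shared disko module parameterised on the device would remove the copy. The file header of this section is not shown, so the path is inferred.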


@@ -0,0 +1,17 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@@ -0,0 +1,44 @@
{
pkgs,
username,
hostname,
modulesPath,
inputs,
...
}:
let
in
{
imports = builtins.trace "${inputs.mysecrets}" [
(modulesPath + "/installer/scan/not-detected.nix")
./disk-config.nix
./hardware-configuration.nix
../../modules/core
../../modules/optionnal/hosts/${hostname}.nix
];
boot.kernelPackages = pkgs.linuxPackages_latest;
time.timeZone = "Europe/Paris";
nix = {
settings = {
## Enable flakes
experimental-features = [
"nix-command"
"flakes"
];
## Users trusted to use flake command
trusted-users = [
"root"
"${username}"
];
};
};
services.openssh.enable = true;
networking.hostName = "${hostname}";
system.stateVersion = "25.11";
}
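Review bot: `imports = builtins.trace "${inputs.mysecrets}" [ ... ]` leaves a debugging trace in the host definition: every evaluation prints the secrets repo's store path to stderr and contributes nothing to the build. Dropping it, `imports = [`, is all that is needed; the empty `let in` just above is dead as well. The file header is not shown, but the `hosts/${hostname}.nix` import and the flake's `test-kvm` entry suggest this is `hosts/test-kvm/default.nix`.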


@@ -0,0 +1,36 @@
{
...
}:
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/vda";
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
type = "8300";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/";
};
};
};
};
};
};
};
}


@@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ahci"
"xhci_pci"
"virtio_pci"
"sr_mod"
"virtio_blk"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

iso/config/nvim/init.lua Normal file

@@ -0,0 +1,102 @@
vim.g.mapleader = " "
vim.opt.title = true
vim.opt.mouse = ""
vim.opt.wrap = true
vim.opt.fileencoding = "utf-8"
vim.opt.clipboard = "unnamedplus"
vim.opt.completeopt = { "menu", "menuone", "preview", "noselect" }
vim.opt.termguicolors = false
vim.opt.laststatus = 3
--- Search
vim.opt.ignorecase = true
vim.opt.smartcase = true
--- Numbers
vim.opt.number = true
vim.opt.relativenumber = true
--- Tab Options
vim.opt.smartindent = true
vim.opt.smarttab = true
vim.opt.expandtab = true
vim.opt.tabstop = 2
vim.opt.shiftwidth = 2
vim.opt.softtabstop = 2
vim.opt.showtabline = 2
--- Explorer
vim.g.netrw_banner = 0
vim.g.netrw_browse_split = 4
vim.g.netrw_altv = 1
vim.g.netrw_liststyle = 3
vim.g.netrw_winsize = 20
vim.opt.scrolloff = 6
vim.opt.sidescrolloff = 8
--- Swapfile
vim.opt.swapfile = false
vim.opt.backup = false
--- Keymap
-- Resource
vim.keymap.set("n", "<leader>r", ":source ~/.config/nvim/init.lua<cr>")
-- Explorer
vim.keymap.set("n", "<C-e>", ":Lexplore<cr>")
-- Windows
vim.keymap.set("n", "<C-Left>", "<C-w>h")
vim.keymap.set("n", "<C-Right>", "<C-w>l")
vim.keymap.set("n", "<C-Up>", "<C-w>k")
vim.keymap.set("n", "<C-Down>", "<C-w>j")
-- Resize
vim.keymap.set("n", "-", ":vertical resize -3<cr>")
vim.keymap.set("n", "+", ":vertical resize +3<cr>")
-- Buffer
vim.keymap.set("n", "<Tab>", ":buffer ")
-- Tabs
vim.keymap.set("n", "<leader>tn", ":tabnew<cr>")
vim.keymap.set("n", "<leader>tc", ":tabclose<cr>")
vim.keymap.set("n", "<S-Tab>", ":tabnext<cr>")
-- Cheatsheet
vim.keymap.set("n", "<C-s>", ":terminal ~/.config/nvim/nvim_help.sh<cr>i")
-- No highlight
vim.keymap.set("n", "<leader>nh", ":nohl<cr>")
--- Automaticly close brackets
vim.keymap.set("i", "'", "''<Left>")
vim.keymap.set("i", "\"", "\"\"<Left>")
vim.keymap.set("i", "(", "()<Left>")
vim.keymap.set("i", "{", "{}<Left>")
vim.keymap.set("i", "[", "[]<Left>")
--- Statusline
vim.cmd("highlight StatusNormal ctermbg=blue ctermfg=black")
vim.cmd("highlight StatusModified ctermbg=red ctermfg=black")
vim.cmd("highlight StatusGitBranch ctermbg=yellow ctermfg=black")
vim.cmd("highlight StatusGitDiffAdd ctermbg=green ctermfg=black")
vim.cmd("highlight StatusGitdiffRemove ctermbg=red ctermfg=black")
local function command(cmd)
local handle = io.popen(cmd)
local result = handle:read()
handle:close()
return result or ""
end
vim.o.statusline = "%#StatusNormal# "
.. "%#StatusGitBranch#"
.. command("git branch 2> /dev/null | sed -e 's/..//'")
.. "%#StatusNormal# "
.. "%#StatusGitDiffAdd#"
.. command("git diff --numstat | awk '{print \"+\"$1}'")
.. "%#StatusNormal# "
.. "%#StatusGitDiffRemove#"
.. command("git diff --numstat | awk '{print \"-\"$2}'")
.. "%#StatusNormal# "
.. ">>"
.. " %F "
.. "%#StatusModified#"
.. "%M"
.. "%#StatusNormal#"
.. " >>"
.. "%="
.. "<<"
.. " %Y "
.. "<<"
.. " %l,%c "
.. "<<"
.. " %p%% "
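Review bot: The highlight group is defined as `StatusGitdiffRemove` (lowercase d) but the statusline references `%#StatusGitDiffRemove#`, so the removed-lines count gets no highlight; the definition should read `vim.cmd("highlight StatusGitDiffRemove ctermbg=red ctermfg=black")`. Separately, `command()` runs its shell commands once while the config loads, so the branch and diff counts are frozen at startup and reflect the directory Neovim was started in rather than the current buffer; a `%{...}` item or a function refreshed on `BufEnter` would be needed for a live value, and `command()` should also guard against `io.popen` returning nil. The `<leader>r` and `<C-s>` mappings point at `~/.config/nvim/...`, while customiso.nix installs this file as `/etc/xdg/nvim/init.lua`, so they probably do not resolve on the ISO.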

iso/customiso.nix Normal file

@@ -0,0 +1,87 @@
{
pkgs,
modulesPath,
lib,
...
}:
{
imports = [
"${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
];
# Use the latest Linux kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
# Create admin user
users.users = {
nixos = {
isNormalUser = true;
description = "Admin account";
extraGroups = [
"wheel"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKMJ3TkEmRQcX7RQijNa2km6a2xXJk6M6FERh7C9nTJ"
];
};
root = {
password = null;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKMJ3TkEmRQcX7RQijNa2km6a2xXJk6M6FERh7C9nTJ"
];
};
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "prohibit-password";
};
};
# Allow sudo from admin user without password
security.sudo = {
enable = true;
extraRules = [
{
users = [ "nixos" ];
host = "ALL";
runAs = "ALL:ALL";
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];
};
# Packages for maintenance mode
environment.systemPackages = [
pkgs.neovim
pkgs.git
pkgs.curl
pkgs.nixos-anywhere
pkgs.nixos-generators
];
# Needed for https://github.com/NixOS/nixpkgs/issues/58959
boot.supportedFilesystems = lib.mkForce [
"btrfs"
"reiserfs"
"vfat"
"f2fs"
"xfs"
"ntfs"
"cifs"
"nfs"
];
environment.etc."xdg/nvim/init.lua" = {
source = ./config/nvim/init.lua;
mode = "0440";
};
}
# Config nvim
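Review bot: `environment.etc."xdg/nvim/init.lua"` is installed with `mode = "0440"`, and with the default root owner and group that makes it unreadable for the `nixos` user the ISO creates, so Neovim started as that user will not load it; `mode = "0444";` (or leaving mode at its default) is what a shared XDG config needs. The trailing `# Config nvim` comment sits after the closing brace; it belongs above the `environment.etc` attribute. The sudo rule is another copy of `modules/optionnal/sudo-nopasswd.nix`, though the ISO uses the fixed `nixos` user rather than `${username}`, which may be why it is inlined — a comment saying so would help.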

modules/core/default.nix Normal file

@@ -0,0 +1,10 @@
{
...
}:
{
imports = [
./grub.nix
./packages.nix
./users.nix
];
}

modules/core/grub.nix Normal file

@@ -0,0 +1,18 @@
{
...
}:
{
## Configure boot loader
boot.loader = {
# Use grub without NVRAM
grub = {
enable = true;
efiSupport = true;
device = "nodev";
efiInstallAsRemovable = true;
useOSProber = true;
};
# Do not edit NVRAM
efi.canTouchEfiVariables = false;
};
}

modules/core/packages.nix Normal file

@@ -0,0 +1,19 @@
{
pkgs,
...
}:
{
environment.systemPackages = [
pkgs.curl
pkgs.pciutils
# pkgs.clinfo <- IDC info, move to GPU
pkgs.git
pkgs.htop
pkgs.killall
pkgs.bind
pkgs.git
pkgs.neovim
pkgs.unzip
];
}
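Review bot: `pkgs.git` appears twice in `environment.systemPackages`; the duplicate is harmless to the build but misleading to read, so drop one. The `# pkgs.clinfo <- IDC info, move to GPU` line is a note to self rather than documentation; either move it to an issue or reword it so the next reader knows what it asks for.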

modules/core/users.nix Normal file

@@ -0,0 +1,27 @@
{
config,
username,
...
}:
{
users = {
users = {
${username} = {
isNormalUser = true;
createHome = true;
hashedPasswordFile = config.sops.secrets."users_password/beastie".path;
description = "Admin account";
extraGroups = [
"wheel"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKMJ3TkEmRQcX7RQijNa2km6a2xXJk6M6FERh7C9nTJ"
];
};
root = {
password = null;
};
};
mutableUsers = false;
};
}
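Review bot: `hashedPasswordFile = config.sops.secrets."users_password/beastie".path;` hard-codes the `beastie` secret while the account itself is `${username}`, so any other username would silently receive beastie's password hash; `"users_password/${username}"` keeps the two in step (the secret in sops-desktop.nix would need the same parameterisation). This module also depends on the sops module being imported by the host, since `config.sops` is what resolves the path, which is worth a comment because `modules/core/default.nix` does not import it. The pairing of `mutableUsers = false` with `neededForUsers = true` on that secret is correct; a short comment explaining why would help the next reader.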


@@ -0,0 +1,9 @@
{
...
}:
{
imports = [
../sops-desktop.nix
../sudo-nopasswd.nix
];
}


@@ -0,0 +1,68 @@
{
inputs,
username,
...
}:
let
secretsPath = builtins.toString inputs.mysecrets;
in
{
sops = {
defaultSopsFile = "${secretsPath}/secrets.yaml";
age = {
sshKeyPaths = [
"/etc/ssh/ssh_host_ed25519_key"
];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
secrets = {
"ldap_password/beastie" = {
};
"users_password/beastie" = {
neededForUsers = true;
};
"ssh_keys/default_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519.pub";
};
"ssh_keys/default_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519";
};
"ssh_keys/ansible_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_ansible.pub";
};
"ssh_keys/ansible_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_ansible";
};
"ssh_keys/beastie_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_beastie.pub";
};
"ssh_keys/beastie_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_beastie";
};
"ssh_keys/gitea_semaphore_pub" = {
owner = "${username}";
mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore.pub";
};
"ssh_keys/gitea_semaphore_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore";
};
};
};
}
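Review bot: The eight `ssh_keys/*` entries are the same pub/priv stanza repeated with a different name, which is easy to get out of step (owner, mode, path suffix) when the next key is added; generating them from a small helper merged into `secrets` with `//` keeps one definition, as sketched below. Since `inputs.mysecrets` is a flake input, its whole checkout lands in the world-readable Nix store as `secretsPath`, which is fine for sops-encrypted content but means nothing unencrypted may live in that repo; that constraint deserves a comment above `secretsPath`. The file header is not shown, so `modules/optionnal/sops-desktop.nix` is inferred from the imports elsewhere in the commit.
```nix
let
  # Store path of the secrets checkout: world-readable, so it must only
  # ever hold sops-encrypted material.
  secretsPath = builtins.toString inputs.mysecrets;
  sshDir = "/home/${username}/.ssh";
  # One encrypted pub/priv pair decrypted into the user's ~/.ssh.
  # `name` is the sops key suffix, `file` the id_ed25519 file suffix ("" for the default key).
  sshKeyPair = name: file: {
    "ssh_keys/${name}_pub" = {
      owner = "${username}";
      mode = "0644";
      path = "${sshDir}/id_ed25519${file}.pub";
    };
    "ssh_keys/${name}_priv" = {
      owner = "${username}";
      mode = "0600";
      path = "${sshDir}/id_ed25519${file}";
    };
  };
in
{
  sops = {
    # … unchanged: defaultSopsFile, age …
    secrets = {
      "ldap_password/beastie" = { };
      "users_password/beastie" = {
        neededForUsers = true;
      };
    }
    // sshKeyPair "default" ""
    // sshKeyPair "ansible" "_ansible"
    // sshKeyPair "beastie" "_beastie"
    // sshKeyPair "gitea_semaphore" "_gitea_semaphore";
  };
}
```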


@@ -0,0 +1,24 @@
{
username,
...
}:
{
# https://dev.to/patimapoochai/how-to-edit-the-sudoers-file-in-nixos-with-examples-4k34
security.sudo = {
enable = true;
extraRules = [
{
users = [ "${username}" ];
host = "ALL";
runAs = "ALL:ALL";
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];
#extraConfig = "#includedir /etc/sudoers.d";
};
}
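Review bot: The rule grants `${username}` passwordless sudo for any command as any user, while `modules/core/users.nix` in this commit gives the same account a real password from sops, so NOPASSWD is a deliberate convenience-over-confirmation trade-off rather than a necessity; a one-line comment above `extraRules` saying so would spare the next reader the question. The commented-out `extraConfig = "#includedir /etc/sudoers.d"` is dead and could go. The same rule is inlined in `hosts/generic/default.nix` and `iso/customiso.nix`, so any change here needs to be mirrored there until they import this module.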