initial commit

2022-07-29 23:42:48 +08:00 · 2022-07-29 23:42:48 +08:00 · 6f28880d89
commit 6f28880d89
10 changed files with 408 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,7 @@
+.vscode
+result
+.direnv
+*.qcow2
+source
+.envrc
+*.img
--- a/LICENSE.md
+++ b/LICENSE.md
@ -0,0 +1,22 @@
+The MIT License (MIT)
+=====================
+
+**Copyright (c) 2022 Fernando Ayats (ayatsfer@gmail.com)**
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/README.org
+++ b/README.org
@ -0,0 +1,38 @@
+#+begin_quote
+The Golgi apparatus is responsible for transporting, modifying, and packaging
+proteins and lipids into vesicles for delivery to targeted destinations. It is
+located in the cytoplasm next to the endoplasmic reticulum and near the cell
+nucleus. --- Encyclopedia Britanica
+#+end_quote
+
+This server will be an apparatus for better managing my personal projects. It
+sits near the idea-generation and idea-translation components of my workflow. It
+will be responsible for storing my work as a remote repository, transporting the
+work between local development machines, and as a web server to improve the ease
+of access of my work, both for myself and anybody curious.
+
+Let's hope it works well.
+
+* Setup
+
+I'm using Hetnezer as a host. Their value for money with VPS offerings is pretty
+alluring.
+
+Additionally I've found a handy [[https://ayats.org/blog/deploy-rs-example/][blog post]] about =deploy-rs= on Hetzner, which is
+remarkably convenient. They were even kind enough to link to a [[https://github.com/viperML/deploy-rs-example][repo]] which I've
+shamelessly used as a starting point.
+
+
+Unfortunately, Hetnezer doesn't offer a NixOS image, but they do allow you to
+mount a NixOS install volume (22.05 as of writing) to your server after creating
+it. After doing so, starting the VM we can get it set up simply with:
+
+#+begin_src shell
+sudo -s
+nix-shell -p git
+git clone https://github.com/tecosaur/golgi
+cd golgi
+./install.sh
+# wait a bit, then create root password
+shutdown -h now
+#+end_src
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,115 @@
+{
+  "nodes": {
+    "deploy-rs": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1653594315,
+        "narHash": "sha256-kJ0ENmnQJ4qL2FeYKZba9kvv1KmIuB3NVpBwMeI7AJQ=",
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "rev": "184349d8149436748986d1bdba087e4149e9c160",
+        "type": "github"
+      },
+      "original": {
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1648199409,
+        "narHash": "sha256-JwPKdC2PoVBkG6E+eWw3j6BMR6sL3COpYWfif7RVb8Y=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "64a525ee38886ab9028e6f61790de0832aa3ef03",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1644229661,
+        "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils-plus": {
+      "inputs": {
+        "flake-utils": "flake-utils"
+      },
+      "locked": {
+        "lastModified": 1657226504,
+        "narHash": "sha256-GIYNjuq4mJlFgqKsZ+YrgzWm0IpA4axA3MCrdKYj7gs=",
+        "owner": "gytis-ivaskevicius",
+        "repo": "flake-utils-plus",
+        "rev": "2bf0f91643c2e5ae38c1b26893ac2927ac9bd82a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "gytis-ivaskevicius",
+        "repo": "flake-utils-plus",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1658985539,
+        "narHash": "sha256-aRVZGndeuUct3S3T6vqOO64D9qY1F7qNTljd0zuwzak=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "174e938d593817f2eb5ae363684dea7c412eb96a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-22.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "deploy-rs": "deploy-rs",
+        "flake-utils-plus": "flake-utils-plus",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1648297722,
+        "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,58 @@
+{
+  description = "My server flake";
+
+  inputs = {
+    nixpkgs.url = github:NixOS/nixpkgs/nixos-22.05;
+    flake-utils-plus.url = github:gytis-ivaskevicius/flake-utils-plus;
+    deploy-rs = {
+      url = github:serokell/deploy-rs;
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = inputs@{ self, nixpkgs, flake-utils-plus, ... }:
+    let
+      nixosModules = flake-utils-plus.lib.exportModules (
+        nixpkgs.lib.mapAttrsToList (name: value: ./nixosModules/${name}) (builtins.readDir ./nixosModules)
+      );
+    in
+    flake-utils-plus.lib.mkFlake {
+      inherit self inputs nixosModules;
+
+      hosts = {
+        golgi.modules = with nixosModules; [
+          common
+          admin
+          hardware-hetzner
+          # docker
+        ];
+      };
+
+      deploy.nodes = {
+        my-node = {
+          hostname = "5.161.98.27";
+          fastConnection = false;
+          profiles = {
+            my-profile = {
+              sshUser = "admin";
+              path =
+                inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.golgi;
+              user = "root";
+            };
+          };
+        };
+      };
+
+      outputsBuilder = (channels: {
+        devShell = channels.nixpkgs.mkShell {
+          name = "my-deploy-shell";
+          buildInputs = with channels.nixpkgs; [
+            nixUnstable
+            inputs.deploy-rs.defaultPackage.${system}
+          ];
+        };
+      });
+
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
+    };
+}
--- a/install.sh
+++ b/install.sh
@ -0,0 +1,51 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash gptfdisk util-linux btrfs-progs
+set -ex
+
+if [ "$EUID" -ne 0 ]
+  then echo "Please run as root for mount permissions!"
+  exit
+fi
+
+BTRFS_OPTS="compress=zstd,noatime"
+MNT="/mnt"
+TARGET="/dev/sda"
+
+# GPT labels
+# /dev/sda1 -> BIOS boot
+# /dev/sda2 -> BTRFS partition, with
+#   @rootfs mounted at /
+#   @nix    mounted at /nix
+#   @boot   mounted at /boot
+#   @swap   mounted at /swap
+
+# Mount everything at /mnt to install the system
+
+sgdisk --zap-all "${TARGET}"
+sgdisk -a1 -n1:2048:4095 -t1:EF02 "${TARGET}"
+sgdisk     -n2:0:0       -t2:8300 "${TARGET}"
+
+fdisk -l "${TARGET}"
+
+mkfs.btrfs -f -L NIXOS "${TARGET}2"
+
+mkdir -p "${MNT}"
+umount -R "${MNT}" || :
+mount "${TARGET}2" "${MNT}"
+btrfs subvolume create "${MNT}"/@rootfs
+btrfs subvolume create "${MNT}"/@nix
+btrfs subvolume create "${MNT}"/@boot
+btrfs subvolume create "${MNT}"/@swap
+umount "${MNT}"
+
+mount -o "$BTRFS_OPTS,subvol=@rootfs" "${TARGET}2" "${MNT}"
+mkdir "${MNT}"/{nix,boot,swap}
+mount -o "$BTRFS_OPTS,subvol=@nix" "${TARGET}2" "${MNT}"/nix
+mount -o "$BTRFS_OPTS,subvol=@swap" "${TARGET}2" "${MNT}"/swap
+mount -o "$BTRFS_OPTS,subvol=@boot" "${TARGET}2" "${MNT}"/boot
+
+findmnt -R --target "${MNT}"
+
+# .#golgi is our hostname defined by our flake
+nix-shell -p nixUnstable -p git --run "nixos-install --root ${MNT} --flake .#golgi"
+umount -R /mnt
--- a/nixosModules/admin.nix
+++ b/nixosModules/admin.nix
@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+  users.users.admin = {
+    name = "admin";
+    initialPassword = "1234";
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt  tec@tranquillity" ];
+  };
+  security.sudo.wheelNeedsPassword = false;
+  nix.trustedUsers = [ "@wheel" ]; # https://github.com/serokell/deploy-rs/issues/25
+}
--- a/nixosModules/common.nix
+++ b/nixosModules/common.nix
@ -0,0 +1,28 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  time.timeZone = "UTC";
+  services.openssh = { enable = true; };
+  system.stateVersion = "22.05";
+
+  nix = {
+    # Currently needed for flake support, might not be needed in the future
+    package = pkgs.nixUnstable;
+
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+
+    # from flake-utils-plus
+    # Sets NIX_PATH to follow this flake's nix inputs
+    # So legacy nix-channel is not needed
+    generateNixPathFromInputs = true;
+    linkInputs = true;
+    # Pin our nixpkgs flake to the one used to build the system
+    generateRegistryFromInputs = true;
+  };
+
+  # Set the system revision to the flake revision
+  # You can query this value with: $ nix-info -m
+  system.configurationRevision = (if inputs.self ? rev then inputs.self.rev else null);
+}
--- a/nixosModules/docker.nix
+++ b/nixosModules/docker.nix
@ -0,0 +1,5 @@
+{ config, pkgs, ... }:
+{
+  virtualisation.docker.enable = true;
+  users.users.admin.extraGroups = [ "docker" ];
+}
--- a/nixosModules/hardware-hetzner.nix
+++ b/nixosModules/hardware-hetzner.nix
@ -0,0 +1,71 @@
+{ config, pkgs, modulesPath, ... }:
+
+{
+  networking.networkmanager.enable = true;
+
+  # systemd-timesyncd failed beacuse it didn't wait for network
+  systemd.services.systemd-timesyncd.after = [ "network-online.target" ];
+  systemd.services.systemd-timesyncd.wants = [ "network-online.target" ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-label/NIXOS";
+      fsType = "btrfs";
+      options = [ "subvol=@rootfs" "noatime" "compress=zstd" ];
+    };
+
+  fileSystems."/nix" =
+    {
+      device = "/dev/disk/by-label/NIXOS";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
+    };
+
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-label/NIXOS";
+      fsType = "btrfs";
+      options = [ "subvol=@boot" "noatime" "compress=zstd" ];
+    };
+
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-label/NIXOS";
+    fsType = "btrfs";
+    options = [ "subvol=@swap" "noatime" "compress=zstd" ];
+  };
+
+  systemd.services = {
+    create-swapfile = {
+      serviceConfig.Type = "oneshot";
+      wantedBy = [ "swap-swapfile.swap" ];
+      script = ''
+        ${pkgs.coreutils}/bin/truncate -s 0 /swap/swapfile
+        ${pkgs.e2fsprogs}/bin/chattr +C /swap/swapfile
+        ${pkgs.btrfs-progs}/bin/btrfs property set /swap/swapfile compression none
+      '';
+    };
+  };
+
+  swapDevices = [{
+    device = "/swap/swapfile";
+    size = (1024 * 2);
+  }];
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+}