From e5e4d3688c3f768656e62aa4f454372df8775e09 Mon Sep 17 00:00:00 2001 
From: Emelie Graven Date: Mon, 22 Nov 2021 14:00:07 +0100 Subject: [PATCH] Add capetillo Added the hetzner VPS capetillo and enabled nginx, simple-nixos-mailserver and backups. --- .gitattributes | 1 + .gitignore | 1 + .../pubkeys/despondos_host_ed25519_key.pub | 1 + config/common/services/nginx.nix | 43 +++++ config/common/services/ssh.nix | 25 +++ config/hosts/capetillo/configuration.nix | 70 +++++++ .../data/secrets/mail_emelie_nixaalb_org | Bin 0 -> 83 bytes .../data/secrets/mail_noreply_anarkafem_dev | Bin 0 -> 84 bytes .../data/secrets/mail_sebastian_nixaalb_org | Bin 0 -> 83 bytes .../hosts/capetillo/data/secrets/restic_pass | Bin 0 -> 367 bytes .../hosts/capetillo/data/secrets/secrets.nix | Bin 0 -> 468 bytes config/hosts/capetillo/data/secrets/ssh_key | Bin 0 -> 421 bytes .../hosts/capetillo/data/secrets/ssh_key.pub | Bin 0 -> 113 bytes .../capetillo/hardware-configuration.nix | 42 +++++ config/hosts/capetillo/services/acme.nix | 9 + config/hosts/capetillo/services/mail.nix | 32 ++++ config/hosts/capetillo/services/nginx.nix | 15 ++ config/hosts/capetillo/services/restic.nix | 0 config/sources/default.nix | 10 + config/sources/nix/sources.json | 50 +++++ config/sources/nix/sources.nix | 174 ++++++++++++++++++ deploy/default.nix | 23 +++ 22 files changed, 496 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 config/common/data/pubkeys/despondos_host_ed25519_key.pub create mode 100644 config/common/services/nginx.nix create mode 100644 config/common/services/ssh.nix create mode 100644 config/hosts/capetillo/configuration.nix create mode 100644 config/hosts/capetillo/data/secrets/mail_emelie_nixaalb_org create mode 100644 config/hosts/capetillo/data/secrets/mail_noreply_anarkafem_dev create mode 100644 config/hosts/capetillo/data/secrets/mail_sebastian_nixaalb_org create mode 100644 config/hosts/capetillo/data/secrets/restic_pass create mode 100644 config/hosts/capetillo/data/secrets/secrets.nix create mode 
100644 config/hosts/capetillo/data/secrets/ssh_key create mode 100644 config/hosts/capetillo/data/secrets/ssh_key.pub create mode 100644 config/hosts/capetillo/hardware-configuration.nix create mode 100644 config/hosts/capetillo/services/acme.nix create mode 100644 config/hosts/capetillo/services/mail.nix create mode 100644 config/hosts/capetillo/services/nginx.nix create mode 100644 config/hosts/capetillo/services/restic.nix create mode 100644 config/sources/default.nix create mode 100644 config/sources/nix/sources.json create mode 100644 config/sources/nix/sources.nix create mode 100644 deploy/default.nix
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..2376958
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+**/secrets/** filter=git-crypt diff=git-crypt
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c4a847d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/result
diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/config/common/data/pubkeys/despondos_host_ed25519_key.pub
new file mode 100644
index 0000000..6367ffa
--- /dev/null
+++ b/config/common/data/pubkeys/despondos_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7
diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix
new file mode 100644
index 0000000..89a13a4
--- /dev/null
+++ b/config/common/services/nginx.nix
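Review bot: Because `**/secrets/**` encrypts every path below a `secrets/` directory, `config/hosts/capetillo/data/secrets/secrets.nix` — which is Nix module code, not secret material, and which `services/mail.nix` depends on through `config.secrets.files.<name>.file` — arrives in the repository as an opaque git-crypt blob, so whatever it does with those files cannot be reviewed in this or any later diff. Consider keeping the module outside the encrypted tree (for example a `secrets.nix` beside `data/secrets/` that only references the encrypted files) so that the pattern covers secret values alone. The same pattern also encrypts `ssh_key.pub`, which is harmless but hides a public key that would otherwise be readable in review.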
@@ -0,0 +1,43 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+ commonHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'same-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ };
+}
diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix
new file mode 100644
index 0000000..1f57e0f
--- /dev/null
+++ b/config/common/services/ssh.nix
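Review bot: The comment `# Only allow PFS-enabled ciphers with AES256` does not describe the `sslCiphers` value below it, which also admits the AES128-GCM and CHACHA20-POLY1305 suites; either prune the list or reword the comment to `# Only allow forward-secret (ECDHE/DHE) AEAD suites: AES-GCM and CHACHA20-POLY1305`. nginx `add_header` directives placed in `commonHttpConfig` are inherited by a `server` or `location` block only if that block declares no `add_header` of its own, so a vhost that adds a single header silently drops HSTS, `X-Frame-Options` and the rest; a comment stating that above the `map` would spare the next maintainer the surprise. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and that OWASP now recommends setting to `0`; with the CSP line still commented out, the nosniff and frame headers are the only client-side injection mitigations actually in force here.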
@@ -0,0 +1,25 @@
+{ ... }:
+{
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
+ kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+ macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ };
+
+ programs.ssh.knownHosts = {
+ despondos = {
+ hostNames = [ "despondos.nao.sh" ];
+ publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+ };
+ };
+
+ services.sshguard = {
+ enable = true;
+ blocktime = 300;
+ };
+}
+
diff --git a/config/hosts/capetillo/configuration.nix b/config/hosts/capetillo/configuration.nix
new file mode 100644
index 0000000..c35da9d
--- /dev/null
+++ b/config/hosts/capetillo/configuration.nix
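Review bot: `macs` lists `hmac-sha2-512-etm@openssh.com` twice, which reads like a copy-paste slip — presumably `hmac-sha2-256-etm@openssh.com` was meant for one of the entries (confirm); sshd tolerates the duplicate, but the effective MAC list is then narrower than the author intended, so either drop the repeat or correct it: `macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];`. It would also help to note above `programs.ssh.knownHosts` that this pins despondos' host key for *outbound* SSH from this machine (presumably the backup destination — verify) and has no effect on who may log in here, since the file otherwise reads as pure sshd hardening.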
@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ../../common/services/ssh.nix
+ ./services/acme.nix
+ ./services/nginx.nix
+ ./services/mail.nix
+ ./data/secrets/secrets.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+ boot.supportedFilesystems = ["zfs"];
+ services.zfs.autoSnapshot.enable = true;
+ services.zfs.autoScrub.enable = true;
+
+ networking.hostName = "capetillo"; # Define your hostname.
+ networking.hostId = "17a9ec46";
+ time.timeZone = "Europe/Copenhagen";
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+ networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ];
+ networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+ users.users.emelie = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+ ];
+ };
+
+ users.users.deploy = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+ ];
+ };
+
+ users.groups.backup.members = [ "virtualMail" ];
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ vim
+ htop
+ iotop
+ dig
+ ];
+
+ nix.trustedUsers = [
+ "root"
+ "deploy"
+ "@wheel"
+ ];
+
+ services.openssh.enable = true;
+
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+
+
+ system.stateVersion = "21.05";
+
+}
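Review bot: The commit description says backups were enabled, but `./services/restic.nix` is created empty and does not appear in `imports`, so no restic job exists on this host and both the `restic_pass` secret and `users.groups.backup.members = [ "virtualMail" ]` are currently unused; either add the job and import it, or leave the file and the group out until it lands. Separately, `security.sudo.wheelNeedsPassword = false;` combined with `emelie` and `deploy` both in `wheel`, both authorized by the same `emelie@flap` key and both in `nix.trustedUsers`, means the `deploy` account gives no privilege separation from the interactive admin account; if that is intended, say so in a comment beside the sudo line, otherwise give `deploy` its own key and narrow its rights with `security.sudo.extraRules` to what the deployment tool actually runs. `services.openssh.enable = true;` is already set by the imported `../../common/services/ssh.nix` and can go.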
diff --git a/config/hosts/capetillo/data/secrets/mail_emelie_nixaalb_org b/config/hosts/capetillo/data/secrets/mail_emelie_nixaalb_org new file mode 100644 index 0000000000000000000000000000000000000000..d66bfcfcd627b981fe3472b6a90e31064473003c GIT binary patch literal 83 zcmV-Z0IdH2M@dveQdv+`009J?m*|0JL4561rv*?G+EXKeExJFBO;vF9g(Bu_lxN literal 0 HcmV?d00001 diff --git a/config/hosts/capetillo/data/secrets/mail_sebastian_nixaalb_org b/config/hosts/capetillo/data/secrets/mail_sebastian_nixaalb_org new file mode 100644 index 0000000000000000000000000000000000000000..f9518c63cd6528234512abc6c99f05b3a6eb576b GIT binary patch literal 83 zcmV-Z0IdH2M@dveQdv+`0N%@}$N!T`rB}UKm#|V?{%zhEf=0sK0CI8vB_3Cfc-)xF piD0YO^W$O-PYvL>BN&>|6guvt<1#?Pc@ah2hTZmFF9}uwx=WHzC^7&5 literal 0 HcmV?d00001 diff --git a/config/hosts/capetillo/data/secrets/restic_pass b/config/hosts/capetillo/data/secrets/restic_pass new file mode 100644 index 0000000000000000000000000000000000000000..dc303097e3a23164d9773baca233369ad1290d6a GIT binary patch literal 367 zcmV-#0g(OxM@dveQdv+`0F~~26(C$|fgaep5*}4l9{Zfwq=Z~B&}Q**b;Ikk%QkC|biTHO)g{eYk)O4WehfIDRu+>5 zZZAA#X>op*9&w<*Yce7ad>_2YW6aJMnW5c@WZ zbfECvLK*&^5%CrIpWS4A`-&!8q$2Fly4E}I@{!Y`WC2<9_YpIvx4*13cJ%axBH?p2 NbKxU|-hPMcogZfa!|DJ4 literal 0 HcmV?d00001 
diff --git a/config/hosts/capetillo/data/secrets/secrets.nix b/config/hosts/capetillo/data/secrets/secrets.nix new file mode 100644 index 0000000000000000000000000000000000000000..2872c1c12dbe79a33724bc872dd1782d3e854c4f GIT binary patch literal 468 zcmV;_0W1ChM@dveQdv+`0NbCmXFia0$SCl9*L9H^`zGJhRb47wJP@3S@Y&O#u zY#eeO;xbke8s~(&&{IX@J8^FJwZ+@3R!9r7HeK9UrEqZ;U^SqOQxy%Uj*-l=P2?J< zw|@@wqcK9t5`*yUAEI(Yi#X7(G>*P)&Y2Le;rnn)nMYhqj^qCS6CT4mAD$sh-(Xcb zQK2k_v@n3C{tl5?q2qba9A*m+|HTQ1G#kJ4{L3PGgDR0R&SJPqxSEVdsKQ-S%DMQ} zc9`}4JQ!LzaIHUAnTx3m8U2;26gqA{aDzZx_rJIOs~)jv17m8#+Cq5$I1R1zpkfC` z4HU=HtC%ZH;CYDDYSHn)*&?Ha%mwihe&Z4YVba2v?qdb1~p7cWSL^&d| zNthSBd@k})Ad?EY*|lw-J8t@KL)3j4qNGpS1Mu+z3J0<}&b2|p5jFw8u^}h>z)0l| zpQY{Tv1v8U`q-2`m$WmNBa8gO|7WGDzf1rdJ<(!KS=kk<91)kd_sDE)$nm}f9sWn? zJ$*`#{@&O_>W&B0d%VpSg4mfTzuL=5%bqc#0YE4k88T0Jhu!+dNjWFB(Q< zp<>?Vob3yKQ}(293N=jwEmGGrL~v)>*(%{Q5uyWwoUJVr<*=u98T3p^*1u0JdM=S* z4xIkv^4Swp!&KnsflJA*c*uokwHm_>YQN^m89$-@ONd)x={2rPJ31(Gvh=GPTk6oHXdu9U#lG|zN7_oxXg4<9iEI_Yw)?bk{O%dgt z^U9mJ4gBLZRt0E&k8sQ6E`wztYRg@>B?X>(8GtPw)w3$On(wo*ZNEyHejkVG%*1=l z-ymsevaMl%1=WW8W)>aq6JwS4*PeE-n{?GcHelULXY|F TT4ZquW6MY(En1jD);M>4PtP;l literal 0 HcmV?d00001 diff --git a/config/hosts/capetillo/hardware-configuration.nix b/config/hosts/capetillo/hardware-configuration.nix new file mode 100644 index 0000000..812083f --- /dev/null +++ b/config/hosts/capetillo/hardware-configuration.nix 
@@ -0,0 +1,42 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/profiles/minimal.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/safe/root"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/safe/home"; + fsType = "zfs"; + }; + + fileSystems."/var/www" = + { device = "rpool/safe/webroot"; + fsType = "zfs"; + }; + fileSystems."/var/vmail" = + { device = "rpool/safe/mail"; + fsType = "zfs"; + }; + fileSystems."/nix" = + { device = "rpool/local/nix"; + fsType = "zfs"; + }; + + swapDevices = [ ]; + +} diff --git a/config/hosts/capetillo/services/acme.nix b/config/hosts/capetillo/services/acme.nix new file mode 100644 index 0000000..d8f7b7d --- /dev/null +++ b/config/hosts/capetillo/services/acme.nix @@ -0,0 +1,9 @@ +{ config, ... }: + +{ + security.acme = { + acceptTerms = true; + email = "admin+certs@nixaalb.org"; + }; +} + diff --git a/config/hosts/capetillo/services/mail.nix b/config/hosts/capetillo/services/mail.nix new file mode 100644 index 0000000..8058063 --- /dev/null +++ b/config/hosts/capetillo/services/mail.nix 
@@ -0,0 +1,32 @@
+{ config, ... }:
+
+{
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a commit from the branch you are interested in
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
+ # And set its hash
+ sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+ })
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "nixaalb.org";
+ domains = [ "nixaalb.org" ];
+
+ loginAccounts = {
+ "emelie@nixaalb.org" = {
+ hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
+ aliases = [ "admin@nixaalb.org" ];
+ };
+ "sebastian@nixaalb.org" = {
+ hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
+ };
+ "noreply@anarkafem.dev" = {
+ hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
+ };
+ };
+ certificateScheme = 3;
+ };
+}
diff --git a/config/hosts/capetillo/services/nginx.nix b/config/hosts/capetillo/services/nginx.nix
new file mode 100644
index 0000000..189e7ae
--- /dev/null
+++ b/config/hosts/capetillo/services/nginx.nix
@@ -0,0 +1,15 @@
+{
+ imports = [ ../../../common/services/nginx.nix ];
+ services.nginx.virtualHosts = {
+ "nixaalb.org" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www/nixaalb.org/public";
+ };
+ "mta-sts.nixaalb.org" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www/mta-sts/public";
+ };
+ };
+}
diff --git a/config/hosts/capetillo/services/restic.nix b/config/hosts/capetillo/services/restic.nix
new file mode 100644
index 0000000..e69de29
diff --git a/config/sources/default.nix b/config/sources/default.nix
new file mode 100644
index 0000000..6bf04c6
--- /dev/null
+++ b/config/sources/default.nix
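Review bot: The mail server module is pulled in with an inline `builtins.fetchTarball` while every other dependency in this patch is pinned through niv in `config/sources/nix/sources.json`, so this revision will be skipped whenever the others are bumped and its pin lives in a different place from the nixpkgs it has to stay compatible with; add it to sources.json and import it from `../../../sources` instead. The `sha256` pin itself is sound, so the supply-chain side of the fetch is fine as is. The two comments above `url` and `sha256` are copied from the upstream README and carry no project information; replace them with the reason for this revision, e.g. `# pinned because <REASON>; bump together with nixpkgs`.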
@@ -0,0 +1,10 @@
+let
+ sources = import ./nix/sources.nix;
+
+ # just use standard pkgs from sources
+ # so that we have our applyPattches function
+ pkgs = import sources.nixpkgs {};
+
+in {
+ nixus = sources.nixus;
+} // sources
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
new file mode 100644
index 0000000..88375ac
--- /dev/null
+++ b/config/sources/nix/sources.json
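Review bot: `pkgs = import sources.nixpkgs {};` is bound but never used — the result is just `{ nixus = sources.nixus; } // sources` — and the comment saying it exists "so that we have our applyPattches function" (sic) describes a patching step the file does not perform, so a reader will go looking for something that is not there; Nix is lazy, so the binding costs nothing at evaluation, but it is dead code with a misleading comment. `nixus = sources.nixus` is likewise redundant, since `// sources` on the right already supplies that key and wins on conflict. Unless the patching is coming in a follow-up, the whole body reduces to `let sources = import ./nix/sources.nix; in sources`.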
@@ -0,0 +1,50 @@ +{ + "niv": { + "branch": "master", + "description": "Easy dependency management for Nix projects", + "homepage": "https://github.com/nmattia/niv", + "owner": "nmattia", + "repo": "niv", + "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c", + "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm", + "type": "tarball", + "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixos-hardware": { + "branch": "master", + "description": "A collection of NixOS modules covering hardware quirks.", + "homepage": "", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "08cda8e3a5a4e685af525e5a589dfeb74267d505", + "sha256": "0bf3mbss7c3lyf5h8g1vwjbs0cg4h0c8ixbaz1kv24ahyy8n61y3", + "type": "tarball", + "url": "https://github.com/nixos/nixos-hardware/archive/08cda8e3a5a4e685af525e5a589dfeb74267d505.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixpkgs": { + "branch": "release-21.05", + "description": "Nix Packages collection", + "homepage": "", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "02ee434b10ef3e55b92ed2fbf0f1f9d0d20d2f6d", + "sha256": "163xpxkav524pq7wbc6sbsl9fkzc4wshpjq0h7vq7csnsb8w6p77", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/02ee434b10ef3e55b92ed2fbf0f1f9d0d20d2f6d.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixus": { + "branch": "master", + "description": null, + "homepage": "", + "owner": "infinisil", + "repo": "nixus", + "rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57", + "sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb", + "type": "tarball", + "url": "https://github.com/infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} 
diff --git a/config/sources/nix/sources.nix b/config/sources/nix/sources.nix new file mode 100644 index 0000000..1938409 --- /dev/null +++ b/config/sources/nix/sources.nix 
@@ -0,0 +1,174 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; + + fetch_tarball = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; + + fetch_git = name: spec: + let + ref = + if spec ? ref then spec.ref else + if spec ? branch then "refs/heads/${spec.branch}" else + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + in + builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + + fetch_local = spec: spec.path; + + fetch_builtin-tarball = name: throw + ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=tarball -a builtin=true''; + + fetch_builtin-url = name: throw + ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=file -a builtin=true''; + + # + # Various helpers + # + + # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 + sanitizeName = name: + ( + concatMapStrings (s: if builtins.isList s then "-" else s) + ( + builtins.split "[^[:alnum:]+._?=-]+" + ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) + ) + ); + + # The set of packages used when specs are fetched using non-builtins. 
+ mkPkgs = sources: system: + let + sourcesNixpkgs = + import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; }; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs name spec + else if spec.type == "tarball" then fetch_tarball pkgs name spec + else if spec.type == "git" then fetch_git name spec + else if spec.type == "local" then fetch_local spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball name + else if spec.type == "builtin-url" then fetch_builtin-url name + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # If the environment variable NIV_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. + replace = name: drv: + let + saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; + ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; + in + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. 
+ builtins.getEnv "PWD" + "/${ersatz}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 + optionalAttrs = cond: as: if cond then as else {}; + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, name ? null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, name ? 
null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" then + fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = replace name (fetch config.pkgs name spec); } + ) config.sources; + + # The "config" used by the fetchers + mkConfig = + { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null + , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) + , system ? builtins.currentSystem + , pkgs ? mkPkgs sources system + }: rec { + # The sources, i.e. the attribute set of spec name to spec + inherit sources; + + # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers + inherit pkgs; + }; + +in +mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/deploy/default.nix b/deploy/default.nix new file mode 100644 index 0000000..dad5a6d --- /dev/null +++ b/deploy/default.nix @@ -0,0 +1,23 @@ +let + sources = import ../config/sources; +in import "${sources.nixus}" {} ({ config, ... }: { + + defaults = { name, ... }: { + configuration = { lib, ... }: { + networking.hostName = lib.mkDefault name; + }; + + # use our nixpkgs from niv + nixpkgs = sources.nixpkgs; + }; + + nodes = { + capetillo = { lib, config, ... }: { + host = "deploy@nixaalb.org"; + configuration = ../config/hosts/capetillo/configuration.nix; + switchTimeout = 300; + successTimeout = 300; + #ignoreFailingSystemdUnits = true; + }; + }; +})
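Review bot: `host = "deploy@nixaalb.org"` ties the deployment to the `deploy` account from `config/hosts/capetillo/configuration.nix`, and activating the new system from that account presumably depends on its passwordless `wheel` sudo (how nixus escalates is not visible in this patch — confirm); that coupling is recorded nowhere, so add `# deploy must be able to activate the system without a sudo prompt; see security.sudo.wheelNeedsPassword in the host config` above `host`. `networking.hostName = lib.mkDefault name` in `defaults` is overridden by the explicit `networking.hostName = "capetillo"` in the host configuration, which is harmless but worth a word so nobody expects the node name to drive the hostname.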