From 3d1b4c1b908a34a4ccee349fe760354229abaf9a Mon Sep 17 00:00:00 2001 From: Jacob Hrbek Date: Wed, 25 Dec 2024 02:41:09 +0000 Subject: [PATCH 1/8] vm-check: init --- .../machines/ignucius/config/vm-build.nix | 116 +++++++++++++++--- tasks/administration/default.nix | 1 + tasks/administration/vm/default.nix | 28 +++++ tasks/administration/vm/tasks-vm.sh | 77 ++++++++++++ 4 files changed, 208 insertions(+), 14 deletions(-) create mode 100644 tasks/administration/vm/default.nix create mode 100644 tasks/administration/vm/tasks-vm.sh diff --git a/src/nixos/machines/ignucius/config/vm-build.nix b/src/nixos/machines/ignucius/config/vm-build.nix index 92bb689b..f4d64bac 100644 --- a/src/nixos/machines/ignucius/config/vm-build.nix +++ b/src/nixos/machines/ignucius/config/vm-build.nix 
@@ -1,24 +1,112 @@ -{ ... }: +{ config, lib, pkgs, ... }: # VM configuration of IGNUCIUS, used for testing prior to deployment -{ - # FIXME(Krey): Neither of those are working right now, see https://github.com/nix-community/disko/issues/668 +# Relevant: https://github.com/nix-community/disko/issues/668 + +# Thank you Maroka-chan for the Cryptkey reference! <3 : https://github.com/Maroka-chan/NixOS-config/blob/c97494c2d725bfb79c0776907a6d89e4724ee21f/modules/base/default.nix#L87 + +let + inherit (lib) mkForce; +in { virtualisation = { - # build-vm - vmVariant = { + # nix run -L .#nixosConfigurations.nixos-ignucius-stable.config.system.build.vmWithDisko + vmVariantWithDisko = { virtualisation = { - memorySize = 1024 * 2; - cores = 2; - }; - }; + fileSystems."/nix/persist/system".neededForBoot = true; + fileSystems."/nix/persist/users".neededForBoot = true; - # build-vm-with-bootloader - vmVariantWithBootLoader = { - virtualisation = { - memorySize = 1024 * 2; - cores = 2; + # FIXME-BUG(Krey): This doesn't seem to work + resolution = { + x = 1280; + y = 720; + }; + + # error: EFI variables can be used only with a partition table of type: hybrid, efi, efixbootldr, or legacy+gpt. + # useBootLoader = true; + # # Resolve configuration config + # fileSystems."/boot".device = mkForce "/dev/disk/by-label/ESP"; + + # FIXME(Krey): Replace the secrets with dummies so that this can be used by others as well + # Mount local .ssh directory, so the secrets can be decrypted. + sharedDirectories."secrets_decryption_key" = { + source = "/nix/persist/users/kreyren/.ssh"; + target = dirOf (builtins.head config.age.identityPaths); + }; }; + + services.displayManager.autoLogin.user = "kreyren"; + + # services.xserver.enable = mkForce false; + # services.xserver.desktopManager.gnome.enable = mkForce false; + # services.xserver.displayManager.gdm.enable = mkForce false; + + # QEMU VM doesn't provide the relevant endpoints + services.smartd.enable = mkForce false; # Disable S.M.A.R.T. 
Daemon + + # No internet connection so these will fail on startup + services.tor.enable = mkForce false; + services.openssh.enable = mkForce false; + virtualisation.waydroid.enable = mkForce false; + # networking.useDHCP = mkForce false; + # networking.interfaces.wlp2s0.useDHCP = mkForce false; + # networking.interfaces.docker0.useDHCP = mkForce false; + # networking.interfaces.wwp0s29u1u4i6.useDHCP = mkForce false; + + # It errors out as we don't have the /proc/acpi/ibm/thermal in QEMU + services.thinkfan.enable = mkForce false; # Disable thinkfan service + + # Use a Dummy Cryptkey so that we don't have to input disk password + # disko.devices.disk.cryptkey = { + # type = "disk"; + # content.type = "gpt"; + + # content.partitions.cryptkey = { + # size = "4096"; + # label = "CRYPTKEY"; + + # content = { + # type = "filesystem"; + # format = "vfat"; + # }; + # }; + # }; + + # disko.devices.disk.system.content.preCreateHook = '' + # mkdir -p /dev/disk/by-partlabel/ + # dd bs=1024 count=4 if=/dev/zero of=/dev/disk/by-partlabel/CRYPTKEY iflag=fullblock + # chmod 0400 /dev/disk/by-partlabel/CRYPTKEY + # ''; + + # disko.devices.disk.system.content.postCreateHook = '' + # mkdir -p /dev/disk/by-partlabel/ + # dd bs=1024 count=4 if=/dev/zero of=/dev/disk/by-partlabel/CRYPTKEY iflag=fullblock + # chmod 0400 /dev/disk/by-partlabel/CRYPTKEY + # ''; + + # # Configure the system to use the CRYPTKEY + # disko.devices.disk.system.content.partitions.store.content.settings = { + # keyFileSize = 4096; + # keyFile = "/dev/disk/by-partlabel/CRYPTKEY"; + + # # passwordFile = mkForce ""; # Unset Disk Password for the store + # fallbackToPassword = false; + # }; + # disko.devices.disk.system.content.partitions.store.content.passwordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; + + # disko.devices.disk.system.content.partitions.swap.content.passwordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; + + + # It's not needed for VM tests 
and takes a significant amount of space (~30G) + # disko.devices.disk.system.content.partitions.swap.size = mkForce null; # Unset swap partition + + # Set Default Passwords For Users + users.users.kreyren = { + hashedPasswordFile = mkForce null; + password = "a"; # Fastest to brute force password + }; + + users.users.root.password = "a"; # Fastest to brute force password }; }; } diff --git a/tasks/administration/default.nix b/tasks/administration/default.nix index 23aa47b0..9b62f5e6 100644 --- a/tasks/administration/default.nix +++ b/tasks/administration/default.nix @@ -4,5 +4,6 @@ ./deploy ./install ./switch + ./vm ]; } diff --git a/tasks/administration/vm/default.nix b/tasks/administration/vm/default.nix new file mode 100644 index 00000000..f25e4738 --- /dev/null +++ b/tasks/administration/vm/default.nix @@ -0,0 +1,28 @@ +{ ... }: + +# The VM Task + +{ + perSystem = { pkgs, ... }: { + mission-control.scripts = { + "vm" = { + description = "Open the derivation in a Virtual Machine"; + category = "Administration"; + + exec = pkgs.writeShellApplication { + name = "tasks-wm"; + + runtimeInputs = [ + pkgs.nixos-install-tools + pkgs.nixos-rebuild + pkgs.gnused + pkgs.git + ]; + + # FIXME(Krey): This should use flake-root to set absolute path + text = builtins.readFile ./tasks-vm.sh; + }; + }; + }; + }; +} diff --git a/tasks/administration/vm/tasks-vm.sh b/tasks/administration/vm/tasks-vm.sh new file mode 100644 index 00000000..0679dbe2 --- /dev/null +++ b/tasks/administration/vm/tasks-vm.sh 
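Review bot: The `sharedDirectories."secrets_decryption_key"` entry mounts the host's real `/nix/persist/users/kreyren/.ssh` into a guest whose root and user passwords are set to `a` a few lines further down, so the private key used as the agenix identity is readable by anyone who reaches a shell in the VM, and unless 9p shares are mounted read-only (which I cannot tell from here) the guest can also alter it. The FIXME already names the fix (dummy secrets); until that lands I would record the trust boundary next to the mount, e.g. `# SECURITY: exposes the host's private agenix identity to the guest; never attach this VM to an untrusted network while this is set`. The `users.users.root.password = "a"` line is only acceptable because `services.openssh.enable = mkForce false;` is set in this same hunk, so a comment tying the two together would keep one from being dropped without the other.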
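Review bot: `name = "tasks-wm";` in the `writeShellApplication` call looks like a typo for `tasks-vm`, which is what the directory, the script file and the mission-control key are all called, so the built program would otherwise be installed under the wrong name. The `runtimeInputs` list also does not match the script it wraps: `nixos-install-tools`, `nixos-rebuild`, `gnused` and `git` are only used in the commented-out TBD section of `tasks-vm.sh`, while the commands the live code runs (`nix`, `hostname`, `rm`) are left to whatever is on the caller's PATH. Trimming the unused inputs and adding the used ones would make the task behave the same regardless of the invoking shell.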
@@ -0,0 +1,77 @@ +# shellcheck shell=sh # POSIX +set +u # Do not fail on nounset as we use command-line arguments for logic + +hostname="$(hostname --short)" # Capture the hostname of the current system + +# FIXME(Krey): Implement better management for this so that ideally `die` is always present by default +command -v die 1>/dev/null || die() { printf "FATAL: %s\n" "$2"; exit 1 ;} # Termination Helper + +command -v success 1>/dev/null || success() { printf "SUCCESS: %s\n" "$1"; exit 0 ;} # Termination Helper + +# Check current system if no argument is provided +[ "$#" != 0 ] || { + # FIXME(Krey): This needs logic to determine the distribution and release + echo "Opening a Virtual Machine for current system: $hostname" + + rm "$FLAKE_ROOT/*.fd" || true # Remove all fd files as those cause impurity + + nix run -L "$FLAKE_ROOT#nixosConfigurations.nixos-$hostname-stable.config.system.build.vmWithDisko" --option builders "" + + exit 0 +} + +# Assume that we are always checking against nixos distribution with stable release +[ "$#" != 1 ] || { + echo "Opening a Virtual machine for stable release of system '$1' in NixOS distribution" + + nix run -L "$FLAKE_ROOT#nixosConfigurations.nixos-$1-stable.config.system.build.vmWithDisko" --option builders "" + + exit 0 +} + +# TBD(Krey) + +# nixosSystems="$(find "$FLAKE_ROOT/src/nixos/machines/"* -maxdepth 0 -type d | sed "s#^$FLAKE_ROOT/src/nixos/machines/##g" | tr '\n' ' ')" # Get a space-separated list of all systems in the nixos distribution of NiXium + +# # Process Arguments +# distro="$1" # e.g. nixos +# machine="$2" # e.g. tupac, tsvetan, sinnenfreude +# release="$3" # Optional argument uses stable as default, ability to set supported release e.g. 
unstable or master + +# case "$distro" in +# "nixos") # NixOS Management + +# # Process all systems in NixOS distribution if `nixos all` is used +# [ "$machine" != "all" ] || { +# for system in $nixosSystems; do +# status="$(cat "$FLAKE_ROOT/src/nixos/machines/$system/status")" +# case "$status" in +# "OK") +# echo "Building system '$system' in distribution '$distro'" + +# nixos-rebuild \ +# build \ +# --flake "git+file://$FLAKE_ROOT#nixos-$system-${release:-"stable"}" \ +# --option eval-cache false \ +# --show-trace || echo "WARNING: System '$system' in distribution '$distro' failed build!" +# ;; +# "WIP") echo "Configuration for system '$system' in distribution '$distro' is marked a Work-in-Progress, skipping build.." ;; +# *) echo "System '$system' reports undeclared status state: $status" +# esac +# done +# } + +# # Check if the system is defined +# [ -d "$FLAKE_ROOT/src/nixos/machines/$machine" ] || die 1 "This system '$machine' is not implemented in NiXium's management of distribution '$distro'" + +# # Process the system +# echo "Building system '$machine' in distribution '$distro'" + +# nixos-rebuild \ +# build \ +# --flake "git+file://$FLAKE_ROOT#nixos-$machine-${release:-"stable"}" \ +# --option eval-cache false \ +# --show-trace || echo "WARNING: System '$machine' in distribution '$distro' failed evaluation!" +# ;; +# *) die 1 "Distribution '$distro' is not implemented!" +# esac From 264ef099c49322ee385a6fb32dc71499f73310ae Mon Sep 17 00:00:00 2001 From: Jacob Hrbek Date: Sun, 29 Dec 2024 18:42:39 +0000 Subject: [PATCH 2/8] sync --- ignucius-efi-vars.fd | Bin 0 -> 540672 bytes src/nixos/machines/ignucius/config/disks.nix | 54 ++++++++-------- .../machines/ignucius/config/vm-build.nix | 60 ++++++++++-------- 3 files changed, 61 insertions(+), 53 deletions(-) create mode 100644 ignucius-efi-vars.fd 
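Review bot: `rm "$FLAKE_ROOT/*.fd" || true` never removes anything, because the glob sits inside the double quotes and is handed to `rm` literally, so the EFI-variable files the comment calls an impurity stay in the tree (the next patch in this series commits an `ignucius-efi-vars.fd`, which looks like the consequence); the intended form is `rm -f "$FLAKE_ROOT"/*.fd`. With `set +u` in effect the script also proceeds when `$FLAKE_ROOT` is empty, and as far as I recall `nix run "#attr"` then evaluates the flake in the current directory rather than failing, so a guard such as `[ -n "$FLAKE_ROOT" ] || die 1 "FLAKE_ROOT is not set"` before the first `nix run` would give a clear error instead. In the `[ "$#" != 1 ]` branch `$1` is spliced into the flake attribute unchecked; validating it against the machine directories under `$FLAKE_ROOT/src/nixos/machines`, as the commented-out section already sketches, would stop a typo from evaluating an unrelated attribute. The fallback `die` also ignores its first argument and always exits 1, which is harmless here but differs from the `die 1 "..."` calling convention the rest of the file uses.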
diff --git a/ignucius-efi-vars.fd b/ignucius-efi-vars.fd new file mode 100644 index 0000000000000000000000000000000000000000..6578a1a676499b0a54dd38967210b818bc621ef0 GIT binary patch literal 540672 zcmeI(U5s2+9RTn%JKJuBLaikbnL_uSXPY^>Q5fWlBMjz~Y&g|Un?CiarGdr_8+xB;x z>7AW9bLX7jJ@cnu^ z5{@2=FAN<>ufDkPR^z`g#Mf)_k+xHh>r*YSi*Kf~7arfd?f4Jh zyYb#@es}*RtG54lYuFoZ4ioXQJKPf1$7d5^EbIyU;(A9I4>!cW#?xn~rlux$UfuC~ zMq}BR#|m%Udie*gdG5UJ4?K4718;qDWaaEFUlcBj<>oA@f{kVU#KhR1eG?azmMRJj zX#L>I0e$i5^R>@(>W!yQQ~F-hnLgh4EuT3XY{Z(pm^Kt!J@1${)ZdtPdD$LF6>Ka; zOe-x_6dKT4OzQ|Qrd1P(Y1KBxJ6*)IGFc$%D~mR?u4irt7jdn$RO=@O@LXK$h%T;G6NzipHpM%cxnY{uk>-f>7}r+x^ZMFb ziZ-;aQzaWq5!Xsf6@>=07S}q$i)+uc_QN4Pcqn>{xzgz0><(>7lcw|CVkws~oo{ujcF;+|X^cE(w8>*Gwg zeepBHBctKbhmPIx?0>GDS~C~yDom`o;c_3*6_*L%CzLQ?G>?Px-Hx8b#0v0w>xg>#<<1txaIBf zuf5@>SaNJ{+;ro7wv*dAv2?mU(!TB1ZQayGJ=0JJZ|K#82Zh7d>SN`?x4}W>` z`dF{=urWTy8#Ue3sCTMos$=JQl4(-jYf9?4A#QDNNV6QHcWq^Oe0@DNC)8^30z$3% zO5=WZ+H-l|b$0U4x$5f|#DjoYd8H(dqdA~Y4kI6`1Uv+LeE$^ zHVe_FRH+>2bW0>%SF8GMZ@NC1vz-+G2ATiO8V}}-7R`%nwPjsi(a1XwPb2ap@lhTp z7d_^*9&cqs=e#j;`$5^YtA*&}{cK!L+tPksLOI2P?C0j`P%mkJR@_PPVvu?N0>q1c z&}G}n`(pxsrotwz{@^4r6W3bLSXG}4o>^}WMoDcUa=Sx!&a@!{7n>{zEi@6?U;cq54i@PBE z)_dGgTg>TS0-W0qUoUb*C$F9|O{w3$@W*)QqeDgn^`jzvgdw{v|PtGUjOXpm2J~`jW+|%({ zucUq==W9J%$iJ>F=bP1)X8j@Olk>H9h|(V+$oX1{W<5{GkGY-mKkt_F9o*k$&=}Zq za|k)#{QKT?&e!?(-JRxkrXK<4?k_o?oG*_an4X=gfXbH2{!gL1yqb>@HG-Inh(ds~ hwclock: Cannot access the Hardware Clock via any known method. vmVariantWithDisko = { virtualisation = { fileSystems."/nix/persist/system".neededForBoot = true; 
@@ -35,26 +36,21 @@ in { }; }; - services.displayManager.autoLogin.user = "kreyren"; + # Setup autologin + # FIXME(Krey): This will make the system to hang on black screen after initrd phase for some reason + # services.displayManager.autoLogin.user = "kreyren"; - # services.xserver.enable = mkForce false; - # services.xserver.desktopManager.gnome.enable = mkForce false; - # services.xserver.displayManager.gdm.enable = mkForce false; + # Enable Graphical User Interface + # FIXME(Krey): We should have e.g. `, vm-gui ...` task to deploy the system with these + services.xserver.enable = mkForce false; + services.xserver.desktopManager.gnome.enable = mkForce false; + services.xserver.displayManager.gdm.enable = mkForce false; - # QEMU VM doesn't provide the relevant endpoints - services.smartd.enable = mkForce false; # Disable S.M.A.R.T. Daemon + # Disable S.M.A.R.T. as QEMU VM doesn't provide the relevant endpoints + services.smartd.enable = mkForce false; # Disable S.M.A.R.T. Daemon - # No internet connection so these will fail on startup - services.tor.enable = mkForce false; - services.openssh.enable = mkForce false; - virtualisation.waydroid.enable = mkForce false; - # networking.useDHCP = mkForce false; - # networking.interfaces.wlp2s0.useDHCP = mkForce false; - # networking.interfaces.docker0.useDHCP = mkForce false; - # networking.interfaces.wwp0s29u1u4i6.useDHCP = mkForce false; - - # It errors out as we don't have the /proc/acpi/ibm/thermal in QEMU - services.thinkfan.enable = mkForce false; # Disable thinkfan service + # Disable ThinkFan as it errors out as we don't have the /proc/acpi/ibm/thermal in QEMU + services.thinkfan.enable = mkForce false; # Disable thinkfan service # Use a Dummy Cryptkey so that we don't have to input disk password # disko.devices.disk.cryptkey = { 
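Review bot: Removing `services.openssh.enable = mkForce false;` (together with the `services.tor.enable` and `virtualisation.waydroid.enable` overrides) leaves the VM variant with no control over sshd, while the same file still sets `users.users.root.password = "a"` further down; if the base configuration enables sshd with password authentication, the test VM now runs a password-guessable root account on whatever network QEMU attaches to it. The removed lines were documented as "no internet connection so these will fail on startup", so if sshd now starts cleanly the reason for the removal should be recorded and the override kept, e.g. `services.openssh.enable = mkForce false; # no remote login into a VM that uses throw-away passwords`. The identical hunk is re-applied in patch 4 at `@@ -35,26 +36,21 @@`, and the state after patch 6 still carries no openssh override.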
@@ -78,12 +74,6 @@ in { # chmod 0400 /dev/disk/by-partlabel/CRYPTKEY # ''; - # disko.devices.disk.system.content.postCreateHook = '' - # mkdir -p /dev/disk/by-partlabel/ - # dd bs=1024 count=4 if=/dev/zero of=/dev/disk/by-partlabel/CRYPTKEY iflag=fullblock - # chmod 0400 /dev/disk/by-partlabel/CRYPTKEY - # ''; - # # Configure the system to use the CRYPTKEY # disko.devices.disk.system.content.partitions.store.content.settings = { # keyFileSize = 4096; 
@@ -92,14 +82,32 @@ in { # # passwordFile = mkForce ""; # Unset Disk Password for the store # fallbackToPassword = false; # }; - # disko.devices.disk.system.content.partitions.store.content.passwordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; - # disko.devices.disk.system.content.partitions.swap.content.passwordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; + # FIXME(Krey): For some reason this results in no option type even when the same configuration works outside of vmVariantWithDisko? + # error: No type option set in + # disko.devices.disk.system.content.partitions.store.content.passwosssrdFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; + + # disko.devices.disk.system.content.partitions.swap.content.passsssswordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; + # Also doesn't work: + # disko.devices.disk.system.content.preCreateHook = '' + # mkdir -p /run/agenix/ + # echo 000000 > /run/agenix/ignucius-disks-password + # ''; - # It's not needed for VM tests and takes a significant amount of space (~30G) + # Doesn't seem to deploy the files + # system.activationScripts.set-dummy-secrets = '' + # mkdir -p /run/agenix + # echo 000000 > /run/agenix/ignucius-disks-password + # ''; # Set Permission Of the Persistent Users Directory + + # Disable Swap as it's not needed during VM and only takes space + # FIXME(Krey): Fails with **No Type option set in**, apparently we can't change disko.* in here? # disko.devices.disk.system.content.partitions.swap.size = mkForce null; # Unset swap partition + # FIXME(Krey): Using Impermanence seems to cause failure of **Transport endpoint is not connected** for the declared pathnames (fuse issues in QEMU?) + home-manager.users.kreyren.boot.home.impermanence.enable = mkForce false; + # Set Default Passwords For Users users.users.kreyren = { hashedPasswordFile = mkForce null; 
From 9fd86251c9615e8c11ee89bfe4d06fc142a6a693 Mon Sep 17 00:00:00 2001 From: Jacob Hrbek Date: Sun, 29 Dec 2024 18:59:10 +0000 Subject: [PATCH 3/8] sync --- .../machines/ignucius/config/vm-build.nix | 60 ++++++++----------- 1 file changed, 26 insertions(+), 34 deletions(-) diff --git a/src/nixos/machines/ignucius/config/vm-build.nix b/src/nixos/machines/ignucius/config/vm-build.nix index 5ca549c5..f4d64bac 100644 --- a/src/nixos/machines/ignucius/config/vm-build.nix +++ b/src/nixos/machines/ignucius/config/vm-build.nix @@ -11,7 +11,6 @@ let in { virtualisation = { # nix run -L .#nixosConfigurations.nixos-ignucius-stable.config.system.build.vmWithDisko - # FIXME(Krey): ignucius-disko-images> hwclock: Cannot access the Hardware Clock via any known method. vmVariantWithDisko = { virtualisation = { fileSystems."/nix/persist/system".neededForBoot = true; 
@@ -36,21 +35,26 @@ in { }; }; - # Setup autologin - # FIXME(Krey): This will make the system to hang on black screen after initrd phase for some reason - # services.displayManager.autoLogin.user = "kreyren"; + services.displayManager.autoLogin.user = "kreyren"; - # Enable Graphical User Interface - # FIXME(Krey): We should have e.g. `, vm-gui ...` task to deploy the system with these - services.xserver.enable = mkForce false; - services.xserver.desktopManager.gnome.enable = mkForce false; - services.xserver.displayManager.gdm.enable = mkForce false; + # services.xserver.enable = mkForce false; + # services.xserver.desktopManager.gnome.enable = mkForce false; + # services.xserver.displayManager.gdm.enable = mkForce false; - # Disable S.M.A.R.T. as QEMU VM doesn't provide the relevant endpoints - services.smartd.enable = mkForce false; # Disable S.M.A.R.T. Daemon + # QEMU VM doesn't provide the relevant endpoints + services.smartd.enable = mkForce false; # Disable S.M.A.R.T. Daemon - # Disable ThinkFan as it errors out as we don't have the /proc/acpi/ibm/thermal in QEMU - services.thinkfan.enable = mkForce false; # Disable thinkfan service + # No internet connection so these will fail on startup + services.tor.enable = mkForce false; + services.openssh.enable = mkForce false; + virtualisation.waydroid.enable = mkForce false; + # networking.useDHCP = mkForce false; + # networking.interfaces.wlp2s0.useDHCP = mkForce false; + # networking.interfaces.docker0.useDHCP = mkForce false; + # networking.interfaces.wwp0s29u1u4i6.useDHCP = mkForce false; + + # It errors out as we don't have the /proc/acpi/ibm/thermal in QEMU + services.thinkfan.enable = mkForce false; # Disable thinkfan service # Use a Dummy Cryptkey so that we don't have to input disk password # disko.devices.disk.cryptkey = { 
@@ -74,6 +78,12 @@ in { # chmod 0400 /dev/disk/by-partlabel/CRYPTKEY # ''; + # disko.devices.disk.system.content.postCreateHook = '' + # mkdir -p /dev/disk/by-partlabel/ + # dd bs=1024 count=4 if=/dev/zero of=/dev/disk/by-partlabel/CRYPTKEY iflag=fullblock + # chmod 0400 /dev/disk/by-partlabel/CRYPTKEY + # ''; + # # Configure the system to use the CRYPTKEY # disko.devices.disk.system.content.partitions.store.content.settings = { # keyFileSize = 4096; 
@@ -82,32 +92,14 @@ in { # # passwordFile = mkForce ""; # Unset Disk Password for the store # fallbackToPassword = false; # }; + # disko.devices.disk.system.content.partitions.store.content.passwordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; - # FIXME(Krey): For some reason this results in no option type even when the same configuration works outside of vmVariantWithDisko? - # error: No type option set in - # disko.devices.disk.system.content.partitions.store.content.passwosssrdFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; - - # disko.devices.disk.system.content.partitions.swap.content.passsssswordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; + # disko.devices.disk.system.content.partitions.swap.content.passwordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; - # Also doesn't work: - # disko.devices.disk.system.content.preCreateHook = '' - # mkdir -p /run/agenix/ - # echo 000000 > /run/agenix/ignucius-disks-password - # ''; - # Doesn't seem to deploy the files - # system.activationScripts.set-dummy-secrets = '' - # mkdir -p /run/agenix - # echo 000000 > /run/agenix/ignucius-disks-password - # ''; # Set Permission Of the Persistent Users Directory - - # Disable Swap as it's not needed during VM and only takes space - # FIXME(Krey): Fails with **No Type option set in**, apparently we can't change disko.* in here? + # It's not needed for VM tests and takes a significant amount of space (~30G) # disko.devices.disk.system.content.partitions.swap.size = mkForce null; # Unset swap partition - # FIXME(Krey): Using Impermanence seems to cause failure of **Transport endpoint is not connected** for the declared pathnames (fuse issues in QEMU?) - home-manager.users.kreyren.boot.home.impermanence.enable = mkForce false; - # Set Default Passwords For Users users.users.kreyren = { hashedPasswordFile = mkForce null; 
From a904e66d7f9d44bfe11b7aab577891fb079d9c83 Mon Sep 17 00:00:00 2001 From: Jacob Hrbek Date: Sun, 29 Dec 2024 19:11:28 +0000 Subject: [PATCH 4/8] sync --- .../machines/ignucius/config/vm-build.nix | 60 +++++++++++-------- 1 file changed, 34 insertions(+), 26 deletions(-) diff --git a/src/nixos/machines/ignucius/config/vm-build.nix b/src/nixos/machines/ignucius/config/vm-build.nix index f4d64bac..5ca549c5 100644 --- a/src/nixos/machines/ignucius/config/vm-build.nix +++ b/src/nixos/machines/ignucius/config/vm-build.nix @@ -11,6 +11,7 @@ let in { virtualisation = { # nix run -L .#nixosConfigurations.nixos-ignucius-stable.config.system.build.vmWithDisko + # FIXME(Krey): ignucius-disko-images> hwclock: Cannot access the Hardware Clock via any known method. vmVariantWithDisko = { virtualisation = { fileSystems."/nix/persist/system".neededForBoot = true; 
@@ -35,26 +36,21 @@ in { }; }; - services.displayManager.autoLogin.user = "kreyren"; + # Setup autologin + # FIXME(Krey): This will make the system to hang on black screen after initrd phase for some reason + # services.displayManager.autoLogin.user = "kreyren"; - # services.xserver.enable = mkForce false; - # services.xserver.desktopManager.gnome.enable = mkForce false; - # services.xserver.displayManager.gdm.enable = mkForce false; + # Enable Graphical User Interface + # FIXME(Krey): We should have e.g. `, vm-gui ...` task to deploy the system with these + services.xserver.enable = mkForce false; + services.xserver.desktopManager.gnome.enable = mkForce false; + services.xserver.displayManager.gdm.enable = mkForce false; - # QEMU VM doesn't provide the relevant endpoints - services.smartd.enable = mkForce false; # Disable S.M.A.R.T. Daemon + # Disable S.M.A.R.T. as QEMU VM doesn't provide the relevant endpoints + services.smartd.enable = mkForce false; # Disable S.M.A.R.T. Daemon - # No internet connection so these will fail on startup - services.tor.enable = mkForce false; - services.openssh.enable = mkForce false; - virtualisation.waydroid.enable = mkForce false; - # networking.useDHCP = mkForce false; - # networking.interfaces.wlp2s0.useDHCP = mkForce false; - # networking.interfaces.docker0.useDHCP = mkForce false; - # networking.interfaces.wwp0s29u1u4i6.useDHCP = mkForce false; - - # It errors out as we don't have the /proc/acpi/ibm/thermal in QEMU - services.thinkfan.enable = mkForce false; # Disable thinkfan service + # Disable ThinkFan as it errors out as we don't have the /proc/acpi/ibm/thermal in QEMU + services.thinkfan.enable = mkForce false; # Disable thinkfan service # Use a Dummy Cryptkey so that we don't have to input disk password # disko.devices.disk.cryptkey = { 
@@ -78,12 +74,6 @@ in { # chmod 0400 /dev/disk/by-partlabel/CRYPTKEY # ''; - # disko.devices.disk.system.content.postCreateHook = '' - # mkdir -p /dev/disk/by-partlabel/ - # dd bs=1024 count=4 if=/dev/zero of=/dev/disk/by-partlabel/CRYPTKEY iflag=fullblock - # chmod 0400 /dev/disk/by-partlabel/CRYPTKEY - # ''; - # # Configure the system to use the CRYPTKEY # disko.devices.disk.system.content.partitions.store.content.settings = { # keyFileSize = 4096; 
@@ -92,14 +82,32 @@ in { # # passwordFile = mkForce ""; # Unset Disk Password for the store # fallbackToPassword = false; # }; - # disko.devices.disk.system.content.partitions.store.content.passwordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; - # disko.devices.disk.system.content.partitions.swap.content.passwordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; + # FIXME(Krey): For some reason this results in no option type even when the same configuration works outside of vmVariantWithDisko? + # error: No type option set in + # disko.devices.disk.system.content.partitions.store.content.passwosssrdFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; + + # disko.devices.disk.system.content.partitions.swap.content.passsssswordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; + # Also doesn't work: + # disko.devices.disk.system.content.preCreateHook = '' + # mkdir -p /run/agenix/ + # echo 000000 > /run/agenix/ignucius-disks-password + # ''; - # It's not needed for VM tests and takes a significant amount of space (~30G) + # Doesn't seem to deploy the files + # system.activationScripts.set-dummy-secrets = '' + # mkdir -p /run/agenix + # echo 000000 > /run/agenix/ignucius-disks-password + # ''; # Set Permission Of the Persistent Users Directory + + # Disable Swap as it's not needed during VM and only takes space + # FIXME(Krey): Fails with **No Type option set in**, apparently we can't change disko.* in here? # disko.devices.disk.system.content.partitions.swap.size = mkForce null; # Unset swap partition + # FIXME(Krey): Using Impermanence seems to cause failure of **Transport endpoint is not connected** for the declared pathnames (fuse issues in QEMU?) + home-manager.users.kreyren.boot.home.impermanence.enable = mkForce false; + # Set Default Passwords For Users users.users.kreyren = { hashedPasswordFile = mkForce null; 
From 15395a0a470cb875b10b7b20e96886d0575ada11 Mon Sep 17 00:00:00 2001 From: Jacob Hrbek Date: Sun, 29 Dec 2024 20:49:26 +0000 Subject: [PATCH 5/8] sync --- src/nixos/machines/ignucius/config/vm-build.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/nixos/machines/ignucius/config/vm-build.nix b/src/nixos/machines/ignucius/config/vm-build.nix index 5ca549c5..651af857 100644 --- a/src/nixos/machines/ignucius/config/vm-build.nix +++ b/src/nixos/machines/ignucius/config/vm-build.nix @@ -9,6 +9,7 @@ let inherit (lib) mkForce; in { + # The end Goal Of this configuration is to provide ideally 1:1 emulation of the system to be used as a part of Quality Assurance and to test various deployments virtualisation = { # nix run -L .#nixosConfigurations.nixos-ignucius-stable.config.system.build.vmWithDisko # FIXME(Krey): ignucius-disko-images> hwclock: Cannot access the Hardware Clock via any known method. @@ -106,7 +107,8 @@ in { # disko.devices.disk.system.content.partitions.swap.size = mkForce null; # Unset swap partition # FIXME(Krey): Using Impermanence seems to cause failure of **Transport endpoint is not connected** for the declared pathnames (fuse issues in QEMU?) - home-manager.users.kreyren.boot.home.impermanence.enable = mkForce false; + # Apparently we can't even change home-manager configurations this way: error: The option `virtualisation.vmVariantWithDisko.home-manager.users.kreyren.boot' does not exist. Definition values: + # home-manager.users.kreyren.boot.home.impermanence.enable = mkForce false; # Set Default Passwords For Users users.users.kreyren = { From 88adcccf13d5508b4ef1fe5bf0b8fa6b7008aaf6 Mon Sep 17 00:00:00 2001 
From: Jacob Hrbek Date: Tue, 31 Dec 2024 04:47:18 +0000 Subject: [PATCH 6/8] sync --- src/nixos/machines/ignucius/config/disks.nix | 2 +- .../machines/ignucius/config/vm-build.nix | 45 ++++++++++--------- .../system/impermenance/impermenance.nix | 24 +++++----- .../system/impermanence/impermanence.nix | 2 +- src/nixos/users/users/kreyren/kreyren.nix | 5 --- 5 files changed, 37 insertions(+), 41 deletions(-) diff --git a/src/nixos/machines/ignucius/config/disks.nix b/src/nixos/machines/ignucius/config/disks.nix index 2233f993..3fa63c89 100644 --- a/src/nixos/machines/ignucius/config/disks.nix +++ b/src/nixos/machines/ignucius/config/disks.nix @@ -48,7 +48,7 @@ in mkMerge [ system = { device = diskoDevice; type = "disk"; - imageSize = "50G"; # Size of the generated image + imageSize = "30G"; # Size of the generated image content = { type = "gpt"; partitions = { diff --git a/src/nixos/machines/ignucius/config/vm-build.nix b/src/nixos/machines/ignucius/config/vm-build.nix index 651af857..be1cf0c2 100644 --- a/src/nixos/machines/ignucius/config/vm-build.nix +++ b/src/nixos/machines/ignucius/config/vm-build.nix @@ -16,13 +16,20 @@ in { vmVariantWithDisko = { virtualisation = { fileSystems."/nix/persist/system".neededForBoot = true; - fileSystems."/nix/persist/users".neededForBoot = true; - # FIXME-BUG(Krey): This doesn't seem to work - resolution = { - x = 1280; - y = 720; - }; + restrictNetwork = false; # Whether to Enable Network Connection + + # More efficient space management as it won't be re-creating store paths in VM + mountHostNixStore = true; + + # This is enabled by default and it will set up small (~500MB) /nix/rw-store mount that will cause most of the services to fail loading due to lack of space + writableStoreUseTmpfs = false; + + # Set Virtual Resolution + resolution = { + x = 1280; + y = 720; + }; # error: EFI variables can be used only with a partition table of type: hybrid, efi, efixbootldr, or legacy+gpt. # useBootLoader = true; 
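Review bot: The comment on `restrictNetwork = false; # Whether to Enable Network Connection` describes the option backwards as far as I recall it: `virtualisation.restrictNetwork` isolates the guest from the host network when set to true, and false is already its default, so this line most likely changes nothing while reading as if it turned networking on. Either drop it or comment it as `restrictNetwork = false; # default; true would isolate the guest from the host network`. The deletion of `fileSystems."/nix/persist/users".neededForBoot = true;` while the `/nix/persist/system` line stays is also unexplained; a one-line comment on why only one of the two persist mounts must be available early would help, since `impermenance.nix` in this same commit adds a unit that operates on `/nix/persist/users` after `local-fs.target`.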
@@ -31,29 +38,29 @@ in { # FIXME(Krey): Replace the secrets with dummies so that this can be used by others as well # Mount local .ssh directory, so the secrets can be decrypted. - sharedDirectories."secrets_decryption_key" = { - source = "/nix/persist/users/kreyren/.ssh"; - target = dirOf (builtins.head config.age.identityPaths); - }; + sharedDirectories."secrets_decryption_key" = { + source = "/nix/persist/users/kreyren/.ssh"; + target = dirOf (builtins.head config.age.identityPaths); + }; }; + # Do not perform distributed builds as it's not subject of this VM check + nix.distributedBuilds = mkForce false; + # Setup autologin # FIXME(Krey): This will make the system to hang on black screen after initrd phase for some reason # services.displayManager.autoLogin.user = "kreyren"; - # Enable Graphical User Interface - # FIXME(Krey): We should have e.g. `, vm-gui ...` task to deploy the system with these - services.xserver.enable = mkForce false; - services.xserver.desktopManager.gnome.enable = mkForce false; - services.xserver.displayManager.gdm.enable = mkForce false; - # Disable S.M.A.R.T. as QEMU VM doesn't provide the relevant endpoints + # FIXME(Krey): Figure out how to emulate the end-point services.smartd.enable = mkForce false; # Disable S.M.A.R.T. Daemon # Disable ThinkFan as it errors out as we don't have the /proc/acpi/ibm/thermal in QEMU + # FIXME(Krey): Figure out how to emulate the end-point services.thinkfan.enable = mkForce false; # Disable thinkfan service # Use a Dummy Cryptkey so that we don't have to input disk password + # FIXME(Krey): Any changes to `disko.*` appears to cause `no type option set in` error # disko.devices.disk.cryptkey = { # type = "disk"; # content.type = "gpt"; 
@@ -86,7 +93,7 @@ in { # FIXME(Krey): For some reason this results in no option type even when the same configuration works outside of vmVariantWithDisko? # error: No type option set in - # disko.devices.disk.system.content.partitions.store.content.passwosssrdFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; + # disko.devices.disk.system.content.partitions.store.content.passwordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; # disko.devices.disk.system.content.partitions.swap.content.passsssswordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath; @@ -106,10 +113,6 @@ in { # FIXME(Krey): Fails with **No Type option set in**, apparently we can't change disko.* in here? # disko.devices.disk.system.content.partitions.swap.size = mkForce null; # Unset swap partition - # FIXME(Krey): Using Impermanence seems to cause failure of **Transport endpoint is not connected** for the declared pathnames (fuse issues in QEMU?) - # Apparently we can't even change home-manager configurations this way: error: The option `virtualisation.vmVariantWithDisko.home-manager.users.kreyren.boot' does not exist. Definition values: - # home-manager.users.kreyren.boot.home.impermanence.enable = mkForce false; - # Set Default Passwords For Users users.users.kreyren = { hashedPasswordFile = mkForce null; diff --git a/src/nixos/modules/system/impermenance/impermenance.nix b/src/nixos/modules/system/impermenance/impermenance.nix index 2d61aae1..084f70f6 100644 --- a/src/nixos/modules/system/impermenance/impermenance.nix +++ b/src/nixos/modules/system/impermenance/impermenance.nix @@ -1,4 +1,4 @@ -{ config, lib, ...}: +{ config, lib, pkgs, ...}: # Global Management of Impermanence 
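Review bot: The typo fix on the store line (`passwosssrdFile` → `passwordFile`) leaves the swap line two lines below still reading `passsssswordFile`, so that commented-out experiment would fail on the attribute name rather than on the `No type option set` problem the FIXME above describes if anyone uncomments it. Fixing both in the same hunk keeps the two lines parallel: `# disko.devices.disk.system.content.partitions.swap.content.passwordFile = mkForce (pkgs.writeText "ignucius-disks-password" "000000").outPath;`.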
@@ -36,18 +36,16 @@ in mkIf config.boot.impermanence.enable { boot.initrd.systemd.suppressedUnits = [ "systemd-machine-id-commit.service" ]; systemd.suppressedSystemUnits = [ "systemd-machine-id-commit.service" ]; - - # The configuration will deploy the user directories owned by root:root which will cause the user's home manager to fail deployment due to permission denied error, so we need to change the ownership before home-manager setup - # Plan A - # system.activationScripts.change-ownership-persist-users = ''chown root:users /nix/persist/users''; # Set Permission Of the Persistent Users Directory - - # Plan B - # systemd.tmpfiles.rules = [ - # "d /persist/home/${username} 0700 ${username} users" - # # We need to explicitly set ownership on the home directory when using impermanence. - # # Otherwise, it will be owned as root, and home-manager will fail. - # "d /home/${username} 0700 ${username} users" - # ]; + # Set permission for the users directory + systemd.services.setUserPersistPermissions = { + description = "Set ownership and permissions for /nix/persist/users"; + wantedBy = [ "multi-user.target" ]; + after = [ "local-fs.target" ]; # Ensure this runs after the filesystem is mounted + script = builtins.concatStringsSep "\n" [ + "${pkgs.coreutils}/bin/chown root:users /nix/persist/users" + "${pkgs.coreutils}/bin/chmod 770 /nix/persist/users" + ]; + }; age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; # Add impermenant path for keys diff --git a/src/nixos/users/users/kreyren/home/modules/system/impermanence/impermanence.nix b/src/nixos/users/users/kreyren/home/modules/system/impermanence/impermanence.nix index 7a5308cc..f9cb5719 100644 --- a/src/nixos/users/users/kreyren/home/modules/system/impermanence/impermanence.nix +++ b/src/nixos/users/users/kreyren/home/modules/system/impermanence/impermanence.nix 
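Review bot: `chmod 770 /nix/persist/users` in the new `setUserPersistPermissions` script makes the parent of every persisted home directory group-writable for `users` without the sticky bit, so any member of that group can rename or delete another user's persisted home; `"${pkgs.coreutils}/bin/chmod 1770 /nix/persist/users"` keeps the intended group access while limiting deletion to the owner. The unit also leaves `serviceConfig.Type` at its default, so units ordered after it are not guaranteed to see the ownership change; `serviceConfig.Type = "oneshot";` makes the `after`/`wantedBy` ordering effective. If `/nix/persist/users` is its own mount, `after = [ "local-fs.target" ]` only orders against the generic target, whereas `unitConfig.RequiresMountsFor = "/nix/persist/users";` ties the unit to that specific mount.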
@@ -64,5 +64,5 @@ in { allowOther = true; # FIXME-DOCS(Krey): What is this used for? }; - home.stateVersion = nixosConfig.system.nixos.release; # Impermanence does not have state + home.stateVersion = nixosConfig.system.nixos.release; # Impermanence enables declarative state management so we don't need to set any } diff --git a/src/nixos/users/users/kreyren/kreyren.nix b/src/nixos/users/users/kreyren/kreyren.nix index 98956b0f..619d3e2f 100644 --- a/src/nixos/users/users/kreyren/kreyren.nix +++ b/src/nixos/users/users/kreyren/kreyren.nix @@ -26,11 +26,6 @@ in { openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOzh6FRxWUemwVeIDsr681fgJ2Q2qCnwJbvFe4xD15ve kreyren@fsfe.org" ]; }; - # system.activationScripts.make-homedir-kreyren = builtins.concatStringsSep "\n" [ - # "mkdir /nix/persist/users/kreyren" - # "chown kreyren:users /nix/persist/users/kreyren" # Set Permission Of the Persistent Users Directory - # ]; - users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOzh6FRxWUemwVeIDsr681fgJ2Q2qCnwJbvFe4xD15ve kreyren@fsfe.org" ]; # Allow root access for all systems for kreyren nix.settings.trusted-users = [ "kreyren" ]; # Add Kreyren in Trusted-Users From dd1d884ec1ce3a2e6a37d680b043135c379e7f40 Mon Sep 17 00:00:00 2001 
From: Jacob Hrbek Date: Tue, 31 Dec 2024 17:00:29 +0000 Subject: [PATCH 7/8] sync --- .gitignore | 3 + .../machines/ignucius/config/vm-build.nix | 7 +- tasks/administration/build/tasks-build.sh | 35 ++++-- tasks/administration/default.nix | 1 - tasks/administration/deploy/tasks-deploy.sh | 33 +++++- tasks/administration/install/tasks-install.sh | 37 ++++++- tasks/administration/switch/tasks-switch.sh | 33 +++++- tasks/administration/vm/tasks-vm.sh | 77 -------------- tasks/checks/default.nix | 5 +- tasks/checks/verify/tasks-verify.sh | 32 +++++- .../{administration => checks}/vm/default.nix | 2 +- tasks/checks/vm/tasks-vm.sh | 100 ++++++++++++++++++ tasks/docs/tree/tasks-tree.sh | 33 +++++- .../direnv-reload/tasks-direnv-reload.sh | 34 +++++- 14 files changed, 323 insertions(+), 109 deletions(-) delete mode 100644 tasks/administration/vm/tasks-vm.sh rename tasks/{administration => checks}/vm/default.nix (93%) create mode 100644 tasks/checks/vm/tasks-vm.sh diff --git a/.gitignore b/.gitignore index 0fff805b..3ff9e736 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,6 @@ result system.raw *.log tmp + +# QEMU Files +*.fd diff --git a/src/nixos/machines/ignucius/config/vm-build.nix b/src/nixos/machines/ignucius/config/vm-build.nix index be1cf0c2..40d7ea32 100644 --- a/src/nixos/machines/ignucius/config/vm-build.nix +++ b/src/nixos/machines/ignucius/config/vm-build.nix @@ -15,6 +15,7 @@ in { # FIXME(Krey): ignucius-disko-images> hwclock: Cannot access the Hardware Clock via any known method. vmVariantWithDisko = { virtualisation = { + # FIXME-QA(Krey): It's weird that this is needed when it's already set in disks.nix fileSystems."/nix/persist/system".neededForBoot = true; restrictNetwork = false; # Whether to Enable Network Connection 
@@ -22,7 +23,7 @@ in { # More efficient space management as it won't be re-creating store paths in VM mountHostNixStore = true; - # This is enabled by default and it will set up small (~500MB) /nix/rw-store mount that will cause most of the services to fail loading due to lack of space + # This is enabled by default and it will set up small (~500MB) /nix/.rw-store mount that will cause most of the services to fail loading due to lack of space writableStoreUseTmpfs = false; # Set Virtual Resolution @@ -32,9 +33,9 @@ in { }; # error: EFI variables can be used only with a partition table of type: hybrid, efi, efixbootldr, or legacy+gpt. - # useBootLoader = true; + useBootLoader = true; # # Resolve configuration config - # fileSystems."/boot".device = mkForce "/dev/disk/by-label/ESP"; + fileSystems."/boot".device = mkForce "/dev/disk/by-partlabel/disk-system-boot"; # FIXME(Krey): Replace the secrets with dummies so that this can be used by others as well # Mount local .ssh directory, so the secrets can be decrypted. diff --git a/tasks/administration/build/tasks-build.sh b/tasks/administration/build/tasks-build.sh index d809e0cc..7ea42988 100644 --- a/tasks/administration/build/tasks-build.sh +++ b/tasks/administration/build/tasks-build.sh 
@@ -1,12 +1,35 @@ -# shellcheck shell=sh # POSIX -set +u # Do not fail on nounset as we use command-line arguments for logic +#@ This POSIX Shell Script is executed in an isolated reproducible environment managed by Nix , which handles dependencies, ensures deterministic function imports, sets any needed variables and performs strict linting prior to script execution to capture common issues for quality assurance. -hostname="$(hostname --short)" # Capture the hostname of the current system +### [START] Export this outside [START] ### + +# FIXME-QA(Krey): This should be a runtimeInput +die() { printf "FATAL: %s\n" "$2"; exit ;} # Termination Helper + +# FIXME-QA(Krey): This should be a runtimeInput +status() { printf "STATUS: %s\n" "$1" ;} # Status Helper + +# FIXME-QA(Krey): This should be a runtimeInput +warn() { printf "WARNING: %s\n" "$1" ;} # Warning Helper + +# Termination Helper +command -v success 1>/dev/null || success() { + case "$1" in + "") : ;; + *) printf "SUCCESS: %s\n" "$1" + esac -# FIXME(Krey): Implement better management for this so that ideally `die` is always present by default -command -v die 1>/dev/null || die() { printf "FATAL: %s\n" "$2"; exit 1 ;} # Termination Helper + exit 0 +} + +# FIXME(Krey): This should be managed for all used scripts e.g. 
runtimeEnv +# Refer to https://github.com/srid/flake-root/discussions/5 for details tldr flake-root doesn't currently allow parsing the specific commit +#[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits" | jq -r '.[0].sha')" +[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits?sha=central" | jq -r '.[0].sha')" + +# shellcheck disable=SC2034 # It's not expected to be always used +hostname="$(hostname --short)" # Capture the hostname of the current system -command -v success 1>/dev/null || success() { printf "SUCCESS: %s\n" "$1"; exit 0 ;} # Termination Helper +### [END] Export this outside [END] ### # Check current system if no argument is provided [ "$#" != 0 ] || { diff --git a/tasks/administration/default.nix b/tasks/administration/default.nix index 9b62f5e6..23aa47b0 100644 --- a/tasks/administration/default.nix +++ b/tasks/administration/default.nix @@ -4,6 +4,5 @@ ./deploy ./install ./switch - ./vm ]; } diff --git a/tasks/administration/deploy/tasks-deploy.sh b/tasks/administration/deploy/tasks-deploy.sh index abb8e1cb..09cb5b5b 100644 --- a/tasks/administration/deploy/tasks-deploy.sh +++ b/tasks/administration/deploy/tasks-deploy.sh 
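Review bot: The new fallback `die() { printf "FATAL: %s\n" "$2"; exit ;}` exits with the status of the preceding `printf`, i.e. 0, so every fatal path now reports success to the caller and the code passed as `$1` (for example `die 125 …` in tasks-vm.sh) is discarded; the removed definition had `exit 1`, and the helper should read `die() { printf "FATAL: %s\n" "$2"; exit "$1" ;}`. The `[ -n "$FLAKE_ROOT" ]` guard replaces the removed `set +u`, but if these tasks are wrapped with `writeShellApplication` as the vm task is, the script runs under `nounset` and an unset `FLAKE_ROOT` aborts on that line before the fallback is reached, so test `"${FLAKE_ROOT:-}"` instead. The fallback itself resolves to whatever commit is at the head of `central` at run time through an unauthenticated GitHub API call, which makes build, deploy and switch runs non-reproducible and dependent on the remote's current state; pinning a known revision or failing via `die` when `FLAKE_ROOT` is unset is the safer default. The same helper block is duplicated in the tasks-deploy.sh, tasks-install.sh, tasks-switch.sh, tasks-verify.sh, tasks-vm.sh, tasks-tree.sh and tasks-direnv-reload.sh hunks of this patch.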
@@ -1,10 +1,35 @@ -# shellcheck shell=sh # POSIX -set +u # Do not fail on nounset as we use command-line arguments for logic +#@ This POSIX Shell Script is executed in an isolated reproducible environment managed by Nix , which handles dependencies, ensures deterministic function imports, sets any needed variables and performs strict linting prior to script execution to capture common issues for quality assurance. +### [START] Export this outside [START] ### + +# FIXME-QA(Krey): This should be a runtimeInput +die() { printf "FATAL: %s\n" "$2"; exit ;} # Termination Helper + +# FIXME-QA(Krey): This should be a runtimeInput +status() { printf "STATUS: %s\n" "$1" ;} # Status Helper + +# FIXME-QA(Krey): This should be a runtimeInput +warn() { printf "WARNING: %s\n" "$1" ;} # Warning Helper + +# Termination Helper +command -v success 1>/dev/null || success() { + case "$1" in + "") : ;; + *) printf "SUCCESS: %s\n" "$1" + esac + + exit 0 +} + +# FIXME(Krey): This should be managed for all used scripts e.g. runtimeEnv +# Refer to https://github.com/srid/flake-root/discussions/5 for details tldr flake-root doesn't currently allow parsing the specific commit +#[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits" | jq -r '.[0].sha')" +[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits?sha=central" | jq -r '.[0].sha')" + +# shellcheck disable=SC2034 # It's not expected to be always used hostname="$(hostname --short)" # Capture the hostname of the current system -# FIXME(Krey): Implement better management for this so that ideally `die` is always present by default -command -v die 1>/dev/null || die() { printf "FATAL: %s\n" "$2"; exit 1 ;} # Termination Helper +### [END] Export this outside [END] ### # Check current system if no argument is provided [ "$#" != 0 ] || { 
diff --git a/tasks/administration/install/tasks-install.sh b/tasks/administration/install/tasks-install.sh index c4f9821d..10913462 100644 --- a/tasks/administration/install/tasks-install.sh +++ b/tasks/administration/install/tasks-install.sh 
@@ -1,10 +1,37 @@ -# shellcheck shell=sh # POSIX -set +u # Do not fail on nounset as we use command-line arguments for logic +#@ This POSIX Shell Script is executed in an isolated reproducible environment managed by Nix , which handles dependencies, ensures deterministic function imports, sets any needed variables and performs strict linting prior to script execution to capture common issues for quality assurance. -# Refer to https://github.com/nix-community/disko/issues/657#issuecomment-2146978563 for implementation notes +### [START] Export this outside [START] ### + +# FIXME-QA(Krey): This should be a runtimeInput +die() { printf "FATAL: %s\n" "$2"; exit ;} # Termination Helper + +# FIXME-QA(Krey): This should be a runtimeInput +status() { printf "STATUS: %s\n" "$1" ;} # Status Helper + +# FIXME-QA(Krey): This should be a runtimeInput +warn() { printf "WARNING: %s\n" "$1" ;} # Warning Helper + +# Termination Helper +command -v success 1>/dev/null || success() { + case "$1" in + "") : ;; + *) printf "SUCCESS: %s\n" "$1" + esac -# FIXME(Krey): Implement better management for this so that ideally `die` is always present by default -command -v die 1>/dev/null || die() { printf "FATAL: %s\n" "$2"; exit 1 ;} # Termination Helper + exit 0 +} + +# FIXME(Krey): This should be managed for all used scripts e.g. 
runtimeEnv +# Refer to https://github.com/srid/flake-root/discussions/5 for details tldr flake-root doesn't currently allow parsing the specific commit +#[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits" | jq -r '.[0].sha')" +[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits?sha=central" | jq -r '.[0].sha')" + +# shellcheck disable=SC2034 # It's not expected to be always used +hostname="$(hostname --short)" # Capture the hostname of the current system + +### [END] Export this outside [END] ### + +# Refer to https://github.com/nix-community/disko/issues/657#issuecomment-2146978563 for implementation notes distro="$1" system="$2" diff --git a/tasks/administration/switch/tasks-switch.sh b/tasks/administration/switch/tasks-switch.sh index b8e00c99..bfde636a 100644 --- a/tasks/administration/switch/tasks-switch.sh +++ b/tasks/administration/switch/tasks-switch.sh 
@@ -1,11 +1,36 @@ -# shellcheck shell=sh # POSIX -set +u # Do not fail on nounset as we use command-line arguments for logic +#@ This POSIX Shell Script is executed in an isolated reproducible environment managed by Nix , which handles dependencies, ensures deterministic function imports, sets any needed variables and performs strict linting prior to script execution to capture common issues for quality assurance. -# FIXME(Krey): Implement better management for this so that ideally `die` is always present by default -command -v die 1>/dev/null || die() { printf "FATAL: %s\n" "$2"; exit 1 ;} # Termination Helper +### [START] Export this outside [START] ### +# FIXME-QA(Krey): This should be a runtimeInput +die() { printf "FATAL: %s\n" "$2"; exit ;} # Termination Helper + +# FIXME-QA(Krey): This should be a runtimeInput +status() { printf "STATUS: %s\n" "$1" ;} # Status Helper + +# FIXME-QA(Krey): This should be a runtimeInput +warn() { printf "WARNING: %s\n" "$1" ;} # Warning Helper + +# Termination Helper +command -v success 1>/dev/null || success() { + case "$1" in + "") : ;; + *) printf "SUCCESS: %s\n" "$1" + esac + + exit 0 +} + +# FIXME(Krey): This should be managed for all used scripts e.g. 
runtimeEnv +# Refer to https://github.com/srid/flake-root/discussions/5 for details tldr flake-root doesn't currently allow parsing the specific commit +#[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits" | jq -r '.[0].sha')" +[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits?sha=central" | jq -r '.[0].sha')" + +# shellcheck disable=SC2034 # It's not expected to be always used hostname="$(hostname --short)" # Capture the hostname of the current system +### [END] Export this outside [END] ### + # FIXME-QA(Krey): Hacky af derivation="$(grep "$hostname" "$FLAKE_ROOT/config/machine-derivations.conf" | sed -E 's#^(\w+)(\s)([a-z\-]+)#\3#g')" diff --git a/tasks/administration/vm/tasks-vm.sh b/tasks/administration/vm/tasks-vm.sh deleted file mode 100644 index 0679dbe2..00000000 --- a/tasks/administration/vm/tasks-vm.sh +++ /dev/null 
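Review bot: The `FLAKE_ROOT` fallback assigns a `github:NiXium-org/NiXium/<sha>` flake reference, but the first line after the exported block uses the variable as a filesystem path in `grep "$hostname" "$FLAKE_ROOT/config/machine-derivations.conf"`, which cannot resolve for that value, so the fallback silently produces a broken `derivation`. Either resolve a local checkout in the fallback or refuse to continue when the value is not a directory, e.g. `[ -d "$FLAKE_ROOT" ] || die 1 "FLAKE_ROOT is not a local checkout: $FLAKE_ROOT"`. The remainder of tasks-switch.sh is outside the hunk.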
@@ -1,77 +0,0 @@ -# shellcheck shell=sh # POSIX -set +u # Do not fail on nounset as we use command-line arguments for logic - -hostname="$(hostname --short)" # Capture the hostname of the current system - -# FIXME(Krey): Implement better management for this so that ideally `die` is always present by default -command -v die 1>/dev/null || die() { printf "FATAL: %s\n" "$2"; exit 1 ;} # Termination Helper - -command -v success 1>/dev/null || success() { printf "SUCCESS: %s\n" "$1"; exit 0 ;} # Termination Helper - -# Check current system if no argument is provided -[ "$#" != 0 ] || { - # FIXME(Krey): This needs logic to determine the distribution and release - echo "Opening a Virtual Machine for current system: $hostname" - - rm "$FLAKE_ROOT/*.fd" || true # Remove all fd files as those cause impurity - - nix run -L "$FLAKE_ROOT#nixosConfigurations.nixos-$hostname-stable.config.system.build.vmWithDisko" --option builders "" - - exit 0 -} - -# Assume that we are always checking against nixos distribution with stable release -[ "$#" != 1 ] || { - echo "Opening a Virtual machine for stable release of system '$1' in NixOS distribution" - - nix run -L "$FLAKE_ROOT#nixosConfigurations.nixos-$1-stable.config.system.build.vmWithDisko" --option builders "" - - exit 0 -} - -# TBD(Krey) - -# nixosSystems="$(find "$FLAKE_ROOT/src/nixos/machines/"* -maxdepth 0 -type d | sed "s#^$FLAKE_ROOT/src/nixos/machines/##g" | tr '\n' ' ')" # Get a space-separated list of all systems in the nixos distribution of NiXium - -# # Process Arguments -# distro="$1" # e.g. nixos -# machine="$2" # e.g. tupac, tsvetan, sinnenfreude -# release="$3" # Optional argument uses stable as default, ability to set supported release e.g. 
unstable or master - -# case "$distro" in -# "nixos") # NixOS Management - -# # Process all systems in NixOS distribution if `nixos all` is used -# [ "$machine" != "all" ] || { -# for system in $nixosSystems; do -# status="$(cat "$FLAKE_ROOT/src/nixos/machines/$system/status")" -# case "$status" in -# "OK") -# echo "Building system '$system' in distribution '$distro'" - -# nixos-rebuild \ -# build \ -# --flake "git+file://$FLAKE_ROOT#nixos-$system-${release:-"stable"}" \ -# --option eval-cache false \ -# --show-trace || echo "WARNING: System '$system' in distribution '$distro' failed build!" -# ;; -# "WIP") echo "Configuration for system '$system' in distribution '$distro' is marked a Work-in-Progress, skipping build.." ;; -# *) echo "System '$system' reports undeclared status state: $status" -# esac -# done -# } - -# # Check if the system is defined -# [ -d "$FLAKE_ROOT/src/nixos/machines/$machine" ] || die 1 "This system '$machine' is not implemented in NiXium's management of distribution '$distro'" - -# # Process the system -# echo "Building system '$machine' in distribution '$distro'" - -# nixos-rebuild \ -# build \ -# --flake "git+file://$FLAKE_ROOT#nixos-$machine-${release:-"stable"}" \ -# --option eval-cache false \ -# --show-trace || echo "WARNING: System '$machine' in distribution '$distro' failed evaluation!" -# ;; -# *) die 1 "Distribution '$distro' is not implemented!" -# esac diff --git a/tasks/checks/default.nix b/tasks/checks/default.nix index 6419fce6..ac6d249e 100644 --- a/tasks/checks/default.nix +++ b/tasks/checks/default.nix @@ -1,3 +1,6 @@ { - imports = [ ./verify ]; + imports = [ + ./verify + ./vm + ]; } diff --git a/tasks/checks/verify/tasks-verify.sh b/tasks/checks/verify/tasks-verify.sh index 0329f4ec..a8b098fd 100644 --- a/tasks/checks/verify/tasks-verify.sh +++ b/tasks/checks/verify/tasks-verify.sh 
@@ -1,10 +1,34 @@ -# shellcheck shell=sh # POSIX -set +u # Do not fail on nounset as we use command-line arguments for logic +#@ This POSIX Shell Script is executed in an isolated reproducible environment managed by Nix , which handles dependencies, ensures deterministic function imports, sets any needed variables and performs strict linting prior to script execution to capture common issues for quality assurance. + +### [START] Export this outside [START] ### + +# FIXME-QA(Krey): This should be a runtimeInput +die() { printf "FATAL: %s\n" "$2"; exit ;} # Termination Helper + +# FIXME-QA(Krey): This should be a runtimeInput +status() { printf "STATUS: %s\n" "$1" ;} # Status Helper + +# FIXME-QA(Krey): This should be a runtimeInput +warn() { printf "WARNING: %s\n" "$1" ;} # Warning Helper + +# Termination Helper +command -v success 1>/dev/null || success() { + case "$1" in + "") : ;; + *) printf "SUCCESS: %s\n" "$1" + esac + + exit 0 +} + +# FIXME(Krey): This should be managed for all used scripts e.g. runtimeEnv +# Refer to https://github.com/srid/flake-root/discussions/5 for details tldr flake-root doesn't currently allow parsing the specific commit +#[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits" | jq -r '.[0].sha')" +[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits?sha=central" | jq -r '.[0].sha')" hostname="$(hostname --short)" # Capture the hostname of the current system -# FIXME(Krey): Implement better management for this so that ideally `die` is always present by default -command -v die 1>/dev/null || die() { printf "FATAL: %s\n" "$2"; exit 1 ;} # Termination Helper +### [END] Export this outside [END] ### # Check current system if no argument is provided [ "$#" != 0 ] || { 
diff --git a/tasks/administration/vm/default.nix b/tasks/checks/vm/default.nix similarity index 93% rename from tasks/administration/vm/default.nix rename to tasks/checks/vm/default.nix index f25e4738..6fc3a697 100644 --- a/tasks/administration/vm/default.nix +++ b/tasks/checks/vm/default.nix @@ -7,7 +7,7 @@ mission-control.scripts = { "vm" = { description = "Open the derivation in a Virtual Machine"; - category = "Administration"; + category = "Checks"; exec = pkgs.writeShellApplication { name = "tasks-wm"; diff --git a/tasks/checks/vm/tasks-vm.sh b/tasks/checks/vm/tasks-vm.sh new file mode 100644 index 00000000..ef707408 --- /dev/null +++ b/tasks/checks/vm/tasks-vm.sh 
@@ -0,0 +1,100 @@ +#@ This POSIX Shell Script is executed in an isolated reproducible environment managed by Nix , which handles dependencies, ensures deterministic function imports, sets any needed variables and performs strict linting prior to script execution to capture common issues for quality assurance. + +### [START] Export this outside [START] ### + +# FIXME-QA(Krey): This should be a runtimeInput +die() { printf "FATAL: %s\n" "$2"; exit ;} # Termination Helper + +# FIXME-QA(Krey): This should be a runtimeInput +status() { printf "STATUS: %s\n" "$1" ;} # Status Helper + +# FIXME-QA(Krey): This should be a runtimeInput +warn() { printf "WARNING: %s\n" "$1" ;} # Warning Helper + +# Termination Helper +command -v success 1>/dev/null || success() { + case "$1" in + "") : ;; + *) printf "SUCCESS: %s\n" "$1" + esac + + exit 0 +} + +# FIXME(Krey): This should be managed for all used scripts e.g. runtimeEnv +# Refer to https://github.com/srid/flake-root/discussions/5 for details tldr flake-root doesn't currently allow parsing the specific commit +#[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits" | jq -r '.[0].sha')" +[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits?sha=central" | jq -r '.[0].sha')" + +hostname="$(hostname --short)" # Capture the hostname of the current system + +### [END] Export this outside [END] ### + +case "$#" in + "0") # No Arguments + # FIXME(Krey): This needs logic to determine the distribution and release + status "Opening a Virtual Machine for current system: $hostname" + + nix run -L "$FLAKE_ROOT#nixosConfigurations.nixos-$hostname-stable.config.system.build.vmWithDisko" --verbose --show-trace + + success "" + ;; + "1") # One Argument + status "Opening a Virtual machine for stable release of system '$1' in NixOS distribution" + + nix run -L 
"$FLAKE_ROOT#nixosConfigurations.nixos-$1-stable.config.system.build.vmWithDisko" --verbose --show-trace + + success + ;; + *) die 125 "These arguments are not implemented: $*" +esac + + + + +# TBD(Krey): Decide how to handle these + +# nixosSystems="$(find "$FLAKE_ROOT/src/nixos/machines/"* -maxdepth 0 -type d | sed "s#^$FLAKE_ROOT/src/nixos/machines/##g" | tr '\n' ' ')" # Get a space-separated list of all systems in the nixos distribution of NiXium + +# # Process Arguments +# distro="$1" # e.g. nixos +# machine="$2" # e.g. tupac, tsvetan, sinnenfreude +# release="$3" # Optional argument uses stable as default, ability to set supported release e.g. unstable or master + +# case "$distro" in +# "nixos") # NixOS Management + +# # Process all systems in NixOS distribution if `nixos all` is used +# [ "$machine" != "all" ] || { +# for system in $nixosSystems; do +# status="$(cat "$FLAKE_ROOT/src/nixos/machines/$system/status")" +# case "$status" in +# "OK") +# echo "Building system '$system' in distribution '$distro'" + +# nixos-rebuild \ +# build \ +# --flake "git+file://$FLAKE_ROOT#nixos-$system-${release:-"stable"}" \ +# --option eval-cache false \ +# --show-trace || echo "WARNING: System '$system' in distribution '$distro' failed build!" +# ;; +# "WIP") echo "Configuration for system '$system' in distribution '$distro' is marked a Work-in-Progress, skipping build.." ;; +# *) echo "System '$system' reports undeclared status state: $status" +# esac +# done +# } + +# # Check if the system is defined +# [ -d "$FLAKE_ROOT/src/nixos/machines/$machine" ] || die 1 "This system '$machine' is not implemented in NiXium's management of distribution '$distro'" + +# # Process the system +# echo "Building system '$machine' in distribution '$distro'" + +# nixos-rebuild \ +# build \ +# --flake "git+file://$FLAKE_ROOT#nixos-$machine-${release:-"stable"}" \ +# --option eval-cache false \ +# --show-trace || echo "WARNING: System '$machine' in distribution '$distro' failed evaluation!" 
+# ;; +# *) die 1 "Distribution '$distro' is not implemented!" +# esac diff --git a/tasks/docs/tree/tasks-tree.sh b/tasks/docs/tree/tasks-tree.sh index 2e9dbfcf..0a735ccf 100644 --- a/tasks/docs/tree/tasks-tree.sh +++ b/tasks/docs/tree/tasks-tree.sh @@ -1,4 +1,35 @@ -# shellcheck shell=sh # POSIX +#@ This POSIX Shell Script is executed in an isolated reproducible environment managed by Nix , which handles dependencies, ensures deterministic function imports, sets any needed variables and performs strict linting prior to script execution to capture common issues for quality assurance. + +### [START] Export this outside [START] ### + +# FIXME-QA(Krey): This should be a runtimeInput +die() { printf "FATAL: %s\n" "$2"; exit ;} # Termination Helper + +# FIXME-QA(Krey): This should be a runtimeInput +status() { printf "STATUS: %s\n" "$1" ;} # Status Helper + +# FIXME-QA(Krey): This should be a runtimeInput +warn() { printf "WARNING: %s\n" "$1" ;} # Warning Helper + +# Termination Helper +command -v success 1>/dev/null || success() { + case "$1" in + "") : ;; + *) printf "SUCCESS: %s\n" "$1" + esac + + exit 0 +} + +# FIXME(Krey): This should be managed for all used scripts e.g. runtimeEnv +# Refer to https://github.com/srid/flake-root/discussions/5 for details tldr flake-root doesn't currently allow parsing the specific commit +#[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits" | jq -r '.[0].sha')" +[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits?sha=central" | jq -r '.[0].sha')" + +# shellcheck disable=SC2034 # It's not expected to be always used +hostname="$(hostname --short)" # Capture the hostname of the current system + +### [END] Export this outside [END] ### # Function to print the directory tree with .about descriptions print_tree() { 
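Review bot: In the `"1")` branch `success` is called with no argument while the `"0")` branch passes `""`; the fallback definition immediately evaluates `case "$1" in`, so under the `nounset` that `writeShellApplication` enables the one-argument path aborts with an unbound-variable error after the VM exits instead of terminating quietly. Either call `success ""` in both branches or make the helper tolerant with `case "${1:-}" in`. The `hostname` assignment here has no `shellcheck disable=SC2034` unlike the sibling scripts, which is correct since it is used, but the block is otherwise an unmodified copy and should be sourced from one place rather than pasted.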
diff --git a/tasks/tools/direnv-reload/tasks-direnv-reload.sh b/tasks/tools/direnv-reload/tasks-direnv-reload.sh index a5aeb18a..3eb5a045 100644 --- a/tasks/tools/direnv-reload/tasks-direnv-reload.sh +++ b/tasks/tools/direnv-reload/tasks-direnv-reload.sh @@ -1,5 +1,35 @@ -# shellcheck shell=sh # POSIX -set +u # Do not fail on nounset as we use command-line arguments for logic +#@ This POSIX Shell Script is executed in an isolated reproducible environment managed by Nix , which handles dependencies, ensures deterministic function imports, sets any needed variables and performs strict linting prior to script execution to capture common issues for quality assurance. + +### [START] Export this outside [START] ### + +# FIXME-QA(Krey): This should be a runtimeInput +die() { printf "FATAL: %s\n" "$2"; exit ;} # Termination Helper + +# FIXME-QA(Krey): This should be a runtimeInput +status() { printf "STATUS: %s\n" "$1" ;} # Status Helper + +# FIXME-QA(Krey): This should be a runtimeInput +warn() { printf "WARNING: %s\n" "$1" ;} # Warning Helper + +# Termination Helper +command -v success 1>/dev/null || success() { + case "$1" in + "") : ;; + *) printf "SUCCESS: %s\n" "$1" + esac + + exit 0 +} + +# FIXME(Krey): This should be managed for all used scripts e.g. runtimeEnv +# Refer to https://github.com/srid/flake-root/discussions/5 for details tldr flake-root doesn't currently allow parsing the specific commit +#[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits" | jq -r '.[0].sha')" +[ -n "$FLAKE_ROOT" ] || FLAKE_ROOT="github:NiXium-org/NiXium/$(curl -s -X GET "https://api.github.com/repos/NiXium-org/NiXium/commits?sha=central" | jq -r '.[0].sha')" + +# shellcheck disable=SC2034 # It's not expected to be always used +hostname="$(hostname --short)" # Capture the hostname of the current system + +### [END] Export this outside [END] ### direnv reload 
From 0bae4be04c0576c56e96dc8a9df08ceac48a30d6 Mon Sep 17 00:00:00 2001 From: Jacob Hrbek Date: Wed, 1 Jan 2025 12:41:50 +0000 Subject: [PATCH 8/8] sync --- .../machines/ignucius/config/vm-build.nix | 35 +++++++++---------- src/nixos/users/users/kreyren/kreyren.nix | 6 ++++ 2 files changed, 22 insertions(+), 19 deletions(-) diff --git a/src/nixos/machines/ignucius/config/vm-build.nix b/src/nixos/machines/ignucius/config/vm-build.nix index 40d7ea32..1fb168f3 100644 --- a/src/nixos/machines/ignucius/config/vm-build.nix +++ b/src/nixos/machines/ignucius/config/vm-build.nix 
@@ -32,26 +32,31 @@ in { y = 720; }; - # error: EFI variables can be used only with a partition table of type: hybrid, efi, efixbootldr, or legacy+gpt. - useBootLoader = true; - # # Resolve configuration config - fileSystems."/boot".device = mkForce "/dev/disk/by-partlabel/disk-system-boot"; - - # FIXME(Krey): Replace the secrets with dummies so that this can be used by others as well - # Mount local .ssh directory, so the secrets can be decrypted. + # Set up the bootloader + # FIXME-BUG(Krey): Can't be made to work rn as we can't modify `disko.*` to adjust the filesystems for it + # error: EFI variables can be used only with a partition table of type: hybrid, efi, efixbootldr, or legacy+gpt. + # useBootLoader = true; + # # Resolve configuration config + # fileSystems."/boot".device = mkForce "/dev/disk/by-partlabel/disk-system-boot"; + # useEFIBoot = true; + + # Secret Management + # FIXME(Krey): Replace the secrets with dummies so that this can be used by others as well + # Mount local .ssh directory, so the secrets can be decrypted. sharedDirectories."secrets_decryption_key" = { source = "/nix/persist/users/kreyren/.ssh"; target = dirOf (builtins.head config.age.identityPaths); }; }; + # Disable GUI + services.xserver.enable = mkForce false; + services.xserver.displayManager.gdm.enable = mkForce false; + services.xserver.desktopManager.gnome.enable = mkForce false; + # Do not perform distributed builds as it's not subject of this VM check nix.distributedBuilds = mkForce false; - # Setup autologin - # FIXME(Krey): This will make the system to hang on black screen after initrd phase for some reason - # services.displayManager.autoLogin.user = "kreyren"; - # Disable S.M.A.R.T. as QEMU VM doesn't provide the relevant endpoints # FIXME(Krey): Figure out how to emulate the end-point services.smartd.enable = mkForce false; # Disable S.M.A.R.T. Daemon 
@@ -113,14 +118,6 @@ in { # Disable Swap as it's not needed during VM and only takes space # FIXME(Krey): Fails with **No Type option set in**, apparently we can't change disko.* in here? # disko.devices.disk.system.content.partitions.swap.size = mkForce null; # Unset swap partition - - # Set Default Passwords For Users - users.users.kreyren = { - hashedPasswordFile = mkForce null; - password = "a"; # Fastest to brute force password - }; - - users.users.root.password = "a"; # Fastest to brute force password }; }; } diff --git a/src/nixos/users/users/kreyren/kreyren.nix b/src/nixos/users/users/kreyren/kreyren.nix index 619d3e2f..4da2d1d3 100644 --- a/src/nixos/users/users/kreyren/kreyren.nix +++ b/src/nixos/users/users/kreyren/kreyren.nix @@ -29,4 +29,10 @@ in { users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOzh6FRxWUemwVeIDsr681fgJ2Q2qCnwJbvFe4xD15ve kreyren@fsfe.org" ]; # Allow root access for all systems for kreyren nix.settings.trusted-users = [ "kreyren" ]; # Add Kreyren in Trusted-Users + + # Set Password for Virtual Machine Checks + virtualisation.vmVariantWithDisko.users.users.kreyren = { + hashedPasswordFile = mkForce null; + password = "a"; # Fastest to brute force password + }; }
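Review bot: `password = "a"` for `kreyren` under `virtualisation.vmVariantWithDisko` is a plaintext, trivially guessable credential that ends up in the world-readable Nix store; that is acceptable only while the VM is isolated, but the same variant in this series shares the host's live `.ssh` directory into the guest and sets `restrictNetwork = false`, so a guest login is a path to host secrets. The comment should state that assumption, e.g. `# Set Password for Virtual Machine Checks (test-only: the VM shares host secrets and has unrestricted network)`. The vm-build.nix hunk of this patch removes the matching `users.users.root.password = "a"` without re-adding it here, so root no longer has a VM password; if that is intentional it deserves a one-line comment, since the old block set both accounts.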