template: add

USAGE.md

@@ -0,0 +1,67 @@
+# Using mgit nixos-common
+
+Note: This is mostly meant for employes of mgit GmbH, but you can feel free to use this for your personal cloud aswell.
+
+Note: When told to copy a file, its from the `template/` directory of this repo.
+
+# Creating a new repo from scratch
+
+You can either copy all files from `template/` or use `nix flake new my-repo -t github:mgit-at/nixos-common#default`
+
+# Installing a new machine: Native NixOS
+
+## Creating the necesarry files
+
+- Hetzner Cloud: Copy nixos/hosts/example-hcloud, adjust stateVersion and the IPv6 address and hostname
+- Physical machine:
+  - Use NixOS ISO on machine beforehand to generate nixos hardware-configuration.nix using `nixos-generate-config`
+  - Copy `nixos/hosts/example-physical` to `nixos/hosts/HOST`
+  - Copy `/etc/nixos/hardware-configuration.nix` to `nixos/hosts/HOST/hardware-configuration.nix`
+  - Strip filesystems section
+  - Add disko disk configuration as `nixos/hosts/HOST/disko.nix`. See [examples](https://github.com/nix-community/disko/tree/master/example).
+  - Adjust disko devices.
+
+Copy playbooks/example-nixos-native.yml, adjust the host.
+You can also use a group.
+Just make sure you have no unrelated hosts mixed together.
+
+## Doing the deployment
+
+Create the machine
+- Hetzner Cloud:
+  - Create the machine on Hetzner Cloud.
+    - Use ubuntu - version doesn't matter - as the os.
+    - Add your own ssh key
+  - Add the machine to ansible
+    - If the machine is part of a project that is indexed through dynamic inventory, simply reference it in the ansible playbook
+    - Otherwise add the host with it's IPv4 under inventory/hosts.ini `my-host ansible_host=1.2.3.4`
+
+Deploy the machine
+- Run `NIXOS_SKIP=1 ansible-playbook playbooks/PLAYBOOK.yml`
+  - This will create, among others, `playbooks/_nix_ansible_/your-host.sh`, which can be used for subsequent deploys - if only the nixos side of things was changed - or debugging of issues with nix files through interactive output.
+  - Note that this will not deploy or install anything as `NIXOS_SKIP=1` was set
+- Now run `NIXOS_ANYWHERE=1 playbooks/_nix_ansible/your-host.sh`
+  - This will start installing the machine using nixos-anywhere
+  - You can also use `NIXOS_ANYWHERE` with the playbooks, but this method is preferred in order to see the output
+
+# Installing nix unify on a machine
+
+## Creating the necesarry files
+
+Copy `nixos/hosts/example-unify`.
+Adjust the network details if you plan to use nix-unify networkd sharing, otherwise remove them and the `shareNetworkd.enable = true;` option.
+
+Adjust the firewall if you plan to use nftables sharing, or remove `networking.firewall` and `shareNftables.enable = true;`.
+
+Copy `playbooks/example-nix-unify.yml`, adjust the host.
+You can also use a group.
+Just make sure you have no unrelated hosts mixed together.
+
+## Doing the deployment
+
+Add the machine to ansible
+- If the machine is part of a project that is indexed through dynamic inventory, simply reference it in the ansible playbook.
+- Otherwise add the host with it's IPv4 under inventory/hosts.ini `my-host ansible_host=1.2.3.4`.
+
+Deploy with `ansible-playbook playbooks/PLAYBOOK.yml`, without any extra flags.
+- This will create, among others, `playbooks/_nix_ansible_/your-host.sh`, which can be used for subsequent deploys - if only the nixos side of things was changed - or debugging of issues with nix files through interactive output.

flake.nix

@@ -59,6 +59,7 @@
           onlypath
         ];
         hcloud_base = import ./os/hcloud/configuration.nix disko;
+        _disko = disko.nixosModules.disko;
       });
 
     checks = forAllSystems (system:
@@ -117,5 +118,10 @@
         })
       ];
     };
+
+    templates.default = {
+      path = ./template;
+      description = "Default mgit nixos+ansible configuration";
+    };
   };
 }

template/flake.nix

@@ -0,0 +1,44 @@
+{
+  description = "Repository for mgIT internal servers (and some smaller customers without an own Ansible repository)";
+
+  inputs.nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+  inputs.nix-unify.url = "github:mgit-at/nix-unify/master";
+  inputs.nix-unify.inputs.nixpkgs.follows = "nixpkgs";
+  inputs.common.url = "github:mgit-at/nixos-common/master";
+  inputs.common.inputs.nixpkgs.follows = "nixpkgs";
+  inputs.common.inputs.nix-unify.follows = "nix-unify";
+
+  outputs = { self, nixpkgs, nix-unify, common }@inputs: let
+    inherit (self) outputs;
+    supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
+    forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: f system);
+  in {
+    nixosConfigurations = nixpkgs.lib.mapAttrs (host: _: nixpkgs.lib.nixosSystem {
+      specialArgs = {
+        inherit inputs outputs;
+      };
+      modules = [
+        ({
+          nixpkgs.overlays = [
+            common.overlays.default
+            (import ./nixos/common/overlay.nix)
+            # add extra global overlays here
+          ];
+        })
+        "${./.}/nixos/hosts/${host}"
+        # add extra global modules here
+      ];
+    }) (builtins.readDir ./nixos/hosts);
+
+    devShells = forAllSystems (system: let
+      pkgs = import nixpkgs {
+        inherit system;
+        overlays = [
+          common.overlays.default
+        ];
+      };
+    in {
+      default = pkgs.mkAnsibleDevShell {};
+    });
+  };
+}

template/nixos/common/default.nix

@@ -0,0 +1,3 @@
+{ inputs, config, lib, ... }: {
+  imports = inputs.common.nixosModules.ansible_default;
+}

template/nixos/common/overlay.nix

@@ -0,0 +1,2 @@
+final: prev:
+  (prev.lib.mapAttrs (pkg: _: prev.callPackage "${./pkgs}/${pkg}" {}) (builtins.readDir ./pkgs))

template/nixos/common/pkgs/stub/default.nix

@@ -0,0 +1 @@
+{ writeShellScriptBin }: writeShellScriptBin "stub" "echo hello world"

template/nixos/hosts/example-hcloud/default.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, lib, inputs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../../common/.
+    inputs.common.nixosModules.hcloud_base
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens3"; # either ens3 (amd64) or enp1s0 (arm64)
+    networkConfig.DHCP = "ipv4";
+    address = [
+      # replace this address with the one assigned to your instance
+      "2a01:4f8:aaaa:bbbb::2/64"
+    ];
+    routes = [
+      { routeConfig.Gateway = "fe80::1"; }
+    ];
+  };
+
+  networking.hostName = "example-hcloud";
+  system.stateVersion = "24.05";
+}

template/nixos/hosts/example-physical/default.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, lib, inputs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../../common/.
+
+    disko.nixosModules.disko
+    # See examples https://github.com/nix-community/disko/tree/master/example
+    ./disko.nix
+    # Generated from nixos-generate-config on iso
+    ./hardware-configuration.nix
+    ({
+      # Devices disko will touch. Adjust.
+      _module.args.disks = [ "/dev/sdX" ];
+    })
+  ];
+
+  # Network.
+  systemd.network = {
+    enable = true;
+    networks."40-enp195s0" = {
+      matchConfig = {
+        Name = "enp195s0";
+      };
+      gateway = [ "fe80::1" "1.2.3.99" ];
+      networkConfig = {
+        Address = "2a01:4f8:aaaa:bbbb::2/128";
+      };
+      addresses = [
+        { addressConfig = { Address = "1.2.3.99/26"; Peer = "1.2.3.1"; }; }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 80 443 ];
+    allowedUDPPorts = [ 443 ];
+  };
+}

template/nixos/hosts/example-unify/default.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, lib, inputs, ... }:
+
+with lib;
+
+{
+  imports = [
+    inputs.nix-unify.nixosModules.unify
+    ../../common/.
+  ];
+
+  systemd.network = {
+    enable = true;
+    networks."40-enp195s0" = {
+      matchConfig = {
+        Name = "enp195s0";
+      };
+      gateway = [ "fe80::1" "1.2.3.99" ];
+      networkConfig = {
+        Address = "2a01:4f8:aaaa:bbbb::2/128";
+      };
+      addresses = [
+        { addressConfig = { Address = "1.2.3.99/26"; Peer = "1.2.3.1"; }; }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 80 443 ];
+    allowedUDPPorts = [ 443 ];
+  };
+
+  nix-unify = {
+    /* modules.shareSystemd.units = [
+      "my.service"
+      "my.timer"
+    ]; */
+    /* files.etc = {
+      "my-folder" = {};
+    }; */
+    modules.shareNftables.enable = true;
+    modules.shareNetworkd.enable = true;
+  };
+}

template/playbooks/example-nix-unify.yml

@@ -0,0 +1,8 @@
+---
+- name: Deploy HOSTORGROUP
+  hosts:
+    - HOSTORGROUP
+  roles:
+    - role: mgit_at.nix_unify.local_nix
+    - role: mgit_at.nix_unify.nix
+    - role: mgit_at.nix_unify.nixos_rebuild

template/playbooks/example-nixos-native.yml

@@ -0,0 +1,7 @@
+---
+- name: Deploy HOSTORGROUP
+  hosts:
+    - HOSTORGROUP
+  roles:
+    - role: mgit_at.nix_unify.local_nix
+    - role: mgit_at.nix_unify.nixos_rebuild

template/requirements.yml

@@ -0,0 +1,27 @@
+---
+# Lists of versions used upstream:
+# https://github.com/ansible-community/ansible-build-data
+
+# This current set of versions corresponds to:
+# Ansible 5.7.1
+
+collections:
+  # inventory plugin, hcloud_server module
+  - name: hetzner.hcloud
+    version: 1.6.0
+    source: https://galaxy.ansible.com
+
+  # mgssl module
+  - name: mgit_at.mgssl
+    version: 2.1.3
+    source: https://galaxy.ansible.com
+
+  # nix-unify module
+  - name: mgit_at.nix_unify
+    version: 0.4.5
+
+  # mgit_at.roles collection
+  # various roles
+  - name: https://github.com/mgit-at/ansible-collection-roles
+    version: main # just follow git for now
+    type: git