From 26ac1087477d3a51544efe0e7e50eacbc3a72895 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Kr=C3=BCger?= Date: Fri, 5 Apr 2024 21:59:35 +0200 Subject: [PATCH] template: add --- USAGE.md | 67 +++++++++++++++++++ flake.nix | 6 ++ template/flake.nix | 44 ++++++++++++ template/nixos/common/default.nix | 3 + template/nixos/common/overlay.nix | 2 + template/nixos/common/pkgs/stub/default.nix | 1 + .../nixos/hosts/example-hcloud/default.nix | 26 +++++++ .../nixos/hosts/example-physical/default.nix | 41 ++++++++++++ .../nixos/hosts/example-unify/default.nix | 43 ++++++++++++ template/playbooks/example-nix-unify.yml | 8 +++ template/playbooks/example-nixos-native.yml | 7 ++ template/requirements.yml | 27 ++++++++ 12 files changed, 275 insertions(+) create mode 100644 USAGE.md create mode 100644 template/flake.nix create mode 100644 template/nixos/common/default.nix create mode 100644 template/nixos/common/overlay.nix create mode 100644 template/nixos/common/pkgs/stub/default.nix create mode 100644 template/nixos/hosts/example-hcloud/default.nix create mode 100644 template/nixos/hosts/example-physical/default.nix create mode 100644 template/nixos/hosts/example-unify/default.nix create mode 100644 template/playbooks/example-nix-unify.yml create mode 100644 template/playbooks/example-nixos-native.yml create mode 100644 template/requirements.yml diff --git a/USAGE.md b/USAGE.md new file mode 100644 index 0000000..79ff4a7 --- /dev/null +++ b/USAGE.md 
@@ -0,0 +1,67 @@ +# Using mgit nixos-common + +Note: This is mostly meant for employes of mgit GmbH, but you can feel free to use this for your personal cloud aswell. + +Note: When told to copy a file, its from the `template/` directory of this repo. + +# Creating a new repo from scratch + +You can either copy all files from `template/` or use `nix flake new my-repo -t github:mgit-at/nixos-common#default` + +# Installing a new machine: Native NixOS + +## Creating the necesarry files + +- Hetzner Cloud: Copy nixos/hosts/example-hcloud, adjust stateVersion and the IPv6 address and hostname +- Physical machine: + - Use NixOS ISO on machine beforehand to generate nixos hardware-configuration.nix using `nixos-generate-config` + - Copy `nixos/hosts/example-physical` to `nixos/hosts/HOST` + - Copy `/etc/nixos/hardware-configuration.nix` to `nixos/hosts/HOST/hardware-configuration.nix` + - Strip filesystems section + - Add disko disk configuration as `nixos/hosts/HOST/disko.nix`. See [examples](https://github.com/nix-community/disko/tree/master/example). + - Adjust disko devices. + +Copy playbooks/example-nixos-native.yml, adjust the host. +You can also use a group. +Just make sure you have no unrelated hosts mixed together. + +## Doing the deployment + +Create the machine +- Hetzner Cloud: + - Create the machine on Hetzner Cloud. + - Use ubuntu - version doesn't matter - as the os. + - Add your own ssh key + - Add the machine to ansible + - If the machine is part of a project that is indexed through dynamic inventory, simply reference it in the ansible playbook + - Otherwise add the host with it's IPv4 under inventory/hosts.ini `my-host ansible_host=1.2.3.4` + +Deploy the machine +- Run `NIXOS_SKIP=1 ansible-playbook playbooks/PLAYBOOK.yml` + - This will create, among others, `playbooks/_nix_ansible_/your-host.sh`, which can be used for subsequent deploys - if only the nixos side of things was changed - or debugging of issues with nix files through interactive output. 
+ - Note that this will not deploy or install anything as `NIXOS_SKIP=1` was set +- Now run `NIXOS_ANYWHERE=1 playbooks/_nix_ansible/your-host.sh` + - This will start installing the machine using nixos-anywhere + - You can also use `NIXOS_ANYWHERE` with the playbooks, but this method is preferred in order to see the output + +# Installing nix unify on a machine + +## Creating the necesarry files + +Copy `nixos/hosts/example-unify`. +Adjust the network details if you plan to use nix-unify networkd sharing, otherwise remove them and the `shareNetworkd.enable = true;` option. + +Adjust the firewall if you plan to use nftables sharing, or remove `networking.firewall` and `shareNftables.enable = true;`. + +Copy `playbooks/example-nix-unify.yml`, adjust the host. +You can also use a group. +Just make sure you have no unrelated hosts mixed together. + +## Doing the deployment + +Add the machine to ansible +- If the machine is part of a project that is indexed through dynamic inventory, simply reference it in the ansible playbook. +- Otherwise add the host with it's IPv4 under inventory/hosts.ini `my-host ansible_host=1.2.3.4`. + +Deploy with `ansible-playbook playbooks/PLAYBOOK.yml`, without any extra flags. +- This will create, among others, `playbooks/_nix_ansible_/your-host.sh`, which can be used for subsequent deploys - if only the nixos side of things was changed - or debugging of issues with nix files through interactive output. diff --git a/flake.nix b/flake.nix index deb1b47..d2639b2 100644 --- a/flake.nix +++ b/flake.nix @@ -59,6 +59,7 @@ onlypath ]; hcloud_base = import ./os/hcloud/configuration.nix disko; + _disko = disko.nixosModules.disko; }); checks = forAllSystems (system: @@ -117,5 +118,10 @@ }) ]; }; + + templates.default = { + path = ./template; + description = "Default mgit nixos+ansible configuration"; + }; }; } diff --git a/template/flake.nix b/template/flake.nix new file mode 100644 index 0000000..9e35c24 --- /dev/null +++ b/template/flake.nix 
@@ -0,0 +1,44 @@ +{ + description = "Repository for mgIT internal servers (and some smaller customers without an own Ansible repository)"; + + inputs.nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; + inputs.nix-unify.url = "github:mgit-at/nix-unify/master"; + inputs.nix-unify.inputs.nixpkgs.follows = "nixpkgs"; + inputs.common.url = "github:mgit-at/nixos-common/master"; + inputs.common.inputs.nixpkgs.follows = "nixpkgs"; + inputs.common.inputs.nix-unify.follows = "nix-unify"; + + outputs = { self, nixpkgs, nix-unify, common }@inputs: let + inherit (self) outputs; + supportedSystems = [ "x86_64-linux" "aarch64-linux" ]; + forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: f system); + in { + nixosConfigurations = nixpkgs.lib.mapAttrs (host: _: nixpkgs.lib.nixosSystem { + specialArgs = { + inherit inputs outputs; + }; + modules = [ + ({ + nixpkgs.overlays = [ + common.overlays.default + (import ./nixos/common/overlay.nix) + # add extra global overlays here + ]; + }) + "${./.}/nixos/hosts/${host}" + # add extra global modules here + ]; + }) (builtins.readDir ./nixos/hosts); + + devShells = forAllSystems (system: let + pkgs = import nixpkgs { + inherit system; + overlays = [ + common.overlays.default + ]; + }; + in { + default = pkgs.mkAnsibleDevShell {}; + }); + }; +} diff --git a/template/nixos/common/default.nix b/template/nixos/common/default.nix new file mode 100644 index 0000000..fd41646 --- /dev/null +++ b/template/nixos/common/default.nix @@ -0,0 +1,3 @@ +{ inputs, config, lib, ... }: { + imports = inputs.common.nixosModules.ansible_default; +} diff --git a/template/nixos/common/overlay.nix b/template/nixos/common/overlay.nix new file mode 100644 index 0000000..738d28f --- /dev/null +++ b/template/nixos/common/overlay.nix @@ -0,0 +1,2 @@ +final: prev: + (prev.lib.mapAttrs (pkg: _: prev.callPackage "${./pkgs}/${pkg}" {}) (builtins.readDir ./pkgs)) 
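Review bot: `nixosConfigurations` turns every entry of `builtins.readDir ./nixos/hosts` into a system, so a stray non-directory entry under nixos/hosts (a README, a .gitkeep) is imported as a NixOS module via `"${./.}/nixos/hosts/${host}"` and evaluation of that attribute fails unless the file happens to be valid Nix. Filter to directories first, e.g. `(nixpkgs.lib.filterAttrs (_: type: type == "directory") (builtins.readDir ./nixos/hosts))`. Separately, `forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: f system);` is an eta-expansion of `nixpkgs.lib.genAttrs supportedSystems`; the shorter form behaves the same.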
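Review bot: `config` and `lib` are taken as module arguments but never used in the body; only `inputs` is read. Trimming the pattern to `{ inputs, ... }: {` keeps the template minimal and makes it obvious that this file only forwards `inputs.common.nixosModules.ansible_default` into `imports`. Whether `ansible_default` is a list, as `imports` requires, cannot be confirmed from this patch.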
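Review bot: The overlay calls `prev.callPackage`, so each package's own dependencies are resolved from the set before this overlay and do not see this overlay's packages or any overlay/override applied after it; the conventional form is `final.callPackage`, which is what lets the `nixpkgs.overlays` list in template/flake.nix compose. Suggested line: `(prev.lib.mapAttrs (pkg: _: final.callPackage "${./pkgs}/${pkg}" {}) (builtins.readDir ./pkgs))`. The same unfiltered `builtins.readDir` pattern as in template/flake.nix appears here, so a stray file in `pkgs/` would be handed to `callPackage` as if it were a package directory.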
diff --git a/template/nixos/common/pkgs/stub/default.nix b/template/nixos/common/pkgs/stub/default.nix new file mode 100644 index 0000000..19e1f7a --- /dev/null +++ b/template/nixos/common/pkgs/stub/default.nix @@ -0,0 +1 @@ +{ writeShellScriptBin }: writeShellScriptBin "stub" "echo hello world" diff --git a/template/nixos/hosts/example-hcloud/default.nix b/template/nixos/hosts/example-hcloud/default.nix new file mode 100644 index 0000000..5d1d67d --- /dev/null +++ b/template/nixos/hosts/example-hcloud/default.nix @@ -0,0 +1,26 @@ +{ config, pkgs, lib, inputs, ... }: + +with lib; + +{ + imports = [ + ../../common/. + inputs.common.nixosModules.hcloud_base + ]; + + systemd.network.enable = true; + systemd.network.networks."10-wan" = { + matchConfig.Name = "ens3"; # either ens3 (amd64) or enp1s0 (arm64) + networkConfig.DHCP = "ipv4"; + address = [ + # replace this address with the one assigned to your instance + "2a01:4f8:aaaa:bbbb::2/64" + ]; + routes = [ + { routeConfig.Gateway = "fe80::1"; } + ]; + }; + + networking.hostName = "example-hcloud"; + system.stateVersion = "24.05"; +} diff --git a/template/nixos/hosts/example-physical/default.nix b/template/nixos/hosts/example-physical/default.nix new file mode 100644 index 0000000..9941eef --- /dev/null +++ b/template/nixos/hosts/example-physical/default.nix 
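Review bot: `with lib;` at the top of this module pulls every lib attribute into scope but nothing from lib is used in the body, and the same unused `with lib;` appears in example-physical and example-unify. Dropping it (or using `inherit (lib) ...;` for the few names actually needed) avoids the shadowing and unclear-origin problems `with` brings, and the `lib` argument can then be dropped from the pattern too. The `matchConfig.Name = "ens3"` match with its amd64/arm64 comment works, though on an instance with a single NIC a `matchConfig.Type = "ether";` match would remove the per-architecture edit; confirm that assumption for your images before changing it.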
@@ -0,0 +1,41 @@ +{ config, pkgs, lib, inputs, ... }: + +with lib; + +{ + imports = [ + ../../common/. + + disko.nixosModules.disko + # See examples https://github.com/nix-community/disko/tree/master/example + ./disko.nix + # Generated from nixos-generate-config on iso + ./hardware-configuration.nix + ({ + # Devices disko will touch. Adjust. + _module.args.disks = [ "/dev/sdX" ]; + }) + ]; + + # Network. + systemd.network = { + enable = true; + networks."40-enp195s0" = { + matchConfig = { + Name = "enp195s0"; + }; + gateway = [ "fe80::1" "1.2.3.99" ]; + networkConfig = { + Address = "2a01:4f8:aaaa:bbbb::2/128"; + }; + addresses = [ + { addressConfig = { Address = "1.2.3.99/26"; Peer = "1.2.3.1"; }; } + ]; + }; + }; + + networking.firewall = { + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 443 ]; + }; +} diff --git a/template/nixos/hosts/example-unify/default.nix b/template/nixos/hosts/example-unify/default.nix new file mode 100644 index 0000000..86d7b24 --- /dev/null +++ b/template/nixos/hosts/example-unify/default.nix @@ -0,0 +1,43 @@ +{ config, pkgs, lib, inputs, ... }: + +with lib; + +{ + imports = [ + inputs.nix-unify.nixosModules.unify + ../../common/. + ]; + + systemd.network = { + enable = true; + networks."40-enp195s0" = { + matchConfig = { + Name = "enp195s0"; + }; + gateway = [ "fe80::1" "1.2.3.99" ]; + networkConfig = { + Address = "2a01:4f8:aaaa:bbbb::2/128"; + }; + addresses = [ + { addressConfig = { Address = "1.2.3.99/26"; Peer = "1.2.3.1"; }; } + ]; + }; + }; + + networking.firewall = { + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 443 ]; + }; + + nix-unify = { + /* modules.shareSystemd.units = [ + "my.service" + "my.timer" + ]; */ + /* files.etc = { + "my-folder" = {}; + }; */ + modules.shareNftables.enable = true; + modules.shareNetworkd.enable = true; + }; +} diff --git a/template/playbooks/example-nix-unify.yml b/template/playbooks/example-nix-unify.yml new file mode 100644 index 0000000..f37b249 --- /dev/null 
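Review bot: `disko.nixosModules.disko` in `imports` refers to a name that is not bound anywhere: the module pattern is `{ config, pkgs, lib, inputs, ... }` and template/flake.nix declares no `disko` input, so evaluating this host fails on an undefined variable. The parent flake.nix hunk in this commit adds `_disko = disko.nixosModules.disko;` next to `hcloud_base`, which looks like the intended way to reach it, i.e. `inputs.common.nixosModules._disko` (confirm that attribute set really is `nixosModules`). Separately, `gateway = [ "fe80::1" "1.2.3.99" ]` names the host's own IPv4 address from `addresses` rather than the `Peer` `1.2.3.1`; presumably the peer was meant, and the same lines are duplicated in example-unify. Both example-physical and example-unify also omit `networking.hostName` and `system.stateVersion`, which example-hcloud sets and USAGE.md tells the user to adjust.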
+++ b/template/playbooks/example-nix-unify.yml @@ -0,0 +1,8 @@ +--- +- name: Deploy HOSTORGROUP + hosts: + - HOSTORGROUP + roles: + - role: mgit_at.nix_unify.local_nix + - role: mgit_at.nix_unify.nix + - role: mgit_at.nix_unify.nixos_rebuild diff --git a/template/playbooks/example-nixos-native.yml b/template/playbooks/example-nixos-native.yml new file mode 100644 index 0000000..af9a8f4 --- /dev/null +++ b/template/playbooks/example-nixos-native.yml @@ -0,0 +1,7 @@ +--- +- name: Deploy HOSTORGROUP + hosts: + - HOSTORGROUP + roles: + - role: mgit_at.nix_unify.local_nix + - role: mgit_at.nix_unify.nixos_rebuild diff --git a/template/requirements.yml b/template/requirements.yml new file mode 100644 index 0000000..13f08a9 --- /dev/null +++ b/template/requirements.yml @@ -0,0 +1,27 @@ +--- +# Lists of versions used upstream: +# https://github.com/ansible-community/ansible-build-data + +# This current set of versions corresponds to: +# Ansible 5.7.1 + +collections: + # inventory plugin, hcloud_server module + - name: hetzner.hcloud + version: 1.6.0 + source: https://galaxy.ansible.com + + # mgssl module + - name: mgit_at.mgssl + version: 2.1.3 + source: https://galaxy.ansible.com + + # nix-unify module + - name: mgit_at.nix_unify + version: 0.4.5 + + # mgit_at.roles collection + # various roles + - name: https://github.com/mgit-at/ansible-collection-roles + version: main # just follow git for now + type: git
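Review bot: The `ansible-collection-roles` entry is pulled straight from git with `version: main`, so each `ansible-galaxy install` resolves to whatever that branch points at that moment and the set of roles executed on hosts is neither reproducible nor reviewable across runs, unlike the three galaxy entries pinned to exact versions. Pin it to a release tag or commit, e.g. `version: <tag-or-commit-sha>` (placeholder), and revisit the `# just follow git for now` comment once that is done. `mgit_at.nix_unify` is also the only galaxy collection without a `source:` line; adding `source: https://galaxy.ansible.com` keeps resolution consistent with the other entries. Whether the listed versions still correspond to the `Ansible 5.7.1` set named in the header comment cannot be checked from this patch.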