From e52897cd14aef5a9f8c244e70962ac9cbcec8285 Mon Sep 17 00:00:00 2001
From: Fiscal Velvet Poet
Date: Fri, 1 Mar 2024 03:18:54 +1000
Subject: [PATCH] flemming: initial commit
---
 README.rst | 11 ++++
 hardware/pi3B.nix | 80 +++++++++++++++++++++++++++
 hardware/raspberry_pi_3_model_B.nix | 86 +++++++++++++++++++++++++++++
 modules/piCommon/default.nix | 14 +++++
 networks/pi3B_rack.nix | 26 +++++++++
 nixos/hosts/flemming/default.nix | 25 +++++++++
 outputs.nix | 6 ++
 secrets/fiscalvelvetpoet.age | 26 +++++----
 secrets/forgejo.age | 19 ++++---
 secrets/root.age | 26 ++++-----
 secrets/secrets.nix | 8 ++-
 11 files changed, 292 insertions(+), 35 deletions(-)
 create mode 100644 hardware/pi3B.nix
 create mode 100644 hardware/raspberry_pi_3_model_B.nix
 create mode 100644 modules/piCommon/default.nix
 create mode 100644 networks/pi3B_rack.nix
 create mode 100644 nixos/hosts/flemming/default.nix
diff --git a/README.rst b/README.rst
index b66c356..44d2a90 100644
--- a/README.rst
+++ b/README.rst
@@ -8,3 +8,14 @@
 https://reciproka.dev/reciproka/reciproka-ops
 .. _Colmena: https://colmena.cli.rs/
 .. _Reciproka Kolektivo: https://reciproka.co/
+
+.. toctree::
+
+Building for aarch64 Targets
+----------------------------
+
+If you don't have your own ``aarch64`` build server, you can apply to use the
+`aarch64 build box`_ provided by the `Nix Community`_.
+
+.. _aarch64 build box: https://github.com/NixOS/aarch64-build-box
+.. _Nix Community: https://github.com/nix-community
diff --git a/hardware/pi3B.nix b/hardware/pi3B.nix
new file mode 100644
index 0000000..2af5ac2
--- /dev/null
+++ b/hardware/pi3B.nix
@@ -0,0 +1,80 @@
+# Configuration common to all Raspberry Pi 3 Model B devices
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "bcm2835_dma" # Allows early (earlier) mode setting
+ "i2c_bcm2835" # Allows early (earlier) mode setting
+ "usbhid"
+ "usb_storage"
+ "vc4" # Allows early (earlier) mode setting
+ ];
+ };
+ kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
+ kernelParams = [
+ "cma=32M" # Needed for the virtual console to work on the RPi 3
+ "console=ttyS0,115200n8" # Enable the serial console
+ "console=tty0"
+ ];
+ loader = {
+ generic-extlinux-compatible = {
+ enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
+ };
+ grub = {
+ enable = false; # NixOS wants to enable GRUB by default.
+ };
+ raspberryPi = {
+ enable = false;
+ version = 3;
+ uboot.enable = true;
+ firmwareConfig = ''
+ arm_64bit=1 # Force kernel loading system to assume a 64-bit kernel
+ hdmi_force_hotplug=1 # Enable headless booting
+ '';
+ };
+ };
+ };
+
+ # File systems configuration for using the installer's partition layout
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ };
+ "/boot/firmware" = {
+ device = "/dev/disk/by-label/FIRMWARE";
+ fsType = "vfat";
+ # Alternatively, this could be removed from the configuration.
+ # The filesystem is not needed at runtime, it could be treated
+ # as an opaque blob instead of a discrete FAT32 filesystem.
+ options = ["nofail" "noauto"];
+ };
+ };
+
+ # !!! Adding a swap file is optional, but strongly recommended!
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 1024;
+ }
+ ];
+
+ hardware = {
+ enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
+ };
+
+ networking = {
+ enableB43Firmware = true; # If true, enable Pi wireless firmware
+ };
+
+ nixpkgs.config.allowUnfree = true; # required by B34Firmare above
+
+ environment.systemPackages = with pkgs; [
+ libraspberrypi # Userland tools for the Raspberry Pi board
+ ];
+}
diff --git a/hardware/raspberry_pi_3_model_B.nix b/hardware/raspberry_pi_3_model_B.nix
new file mode 100644
index 0000000..35eb268
--- /dev/null
+++ b/hardware/raspberry_pi_3_model_B.nix
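Review bot: This file is a near-duplicate of hardware/raspberry_pi_3_model_B.nix added in the same commit, and only that one is imported (by networks/pi3B_rack.nix), so the two copies will drift silently; they already differ in `"cma=32M"` versus `"cma=320M"` and in the `firmwareConfig` lines, so keep one and drop the other. In both copies `boot.loader.raspberryPi.enable = false` sits next to `uboot.enable = true` and a `firmwareConfig` block; as far as I can tell those sub-options only apply when that loader is enabled, so they look inert and should be confirmed or removed. Both copies also put a 1024 MB `/swapfile` on the SD card with no `randomEncryption`, so anything the host decrypts at boot (this commit adds it as an age recipient) can be paged to persistent storage; consider `randomEncryption.enable = true;` on the swap entry, checking that the swap module accepts it for a file-backed device. The comment `# required by B34Firmare above` should read `# required by enableB43Firmware above`, and `# For a Raspberry Pi 2 or 3)` has a stray closing paren.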
@@ -0,0 +1,86 @@
+# Configuration common to all Raspberry Pi 3 Model B devices
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "bcm2835_dma" # Allows early (earlier) mode setting
+ "i2c_bcm2835" # Allows early (earlier) mode setting
+ "usbhid"
+ "usb_storage"
+ "vc4" # Allows early (earlier) mode setting
+ ];
+ };
+ kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
+ kernelParams = [
+ "cma=320M" # Needed for the virtual console to work on the RPi 3
+ "console=ttyS0,115200n8" # Enable the serial console
+ "console=tty0"
+ ];
+ loader = {
+ generic-extlinux-compatible = {
+ enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
+ };
+ grub = {
+ enable = false; # NixOS wants to enable GRUB by default.
+ };
+ raspberryPi = {
+ enable = false;
+ version = 3;
+ uboot.enable = true;
+ firmwareConfig = ''
+ arm_64bit=1 # Force kernel loading system to assume a 64-bit kernel
+ display_auto_detect=1 # Enable auto detection of screen resolution
+ gpu_mem=128
+ hdmi_force_hotplug=1 # Enable headless booting
+ '';
+ };
+ };
+ };
+
+ # File systems configuration for using the installer's partition layout
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ };
+ "/boot/firmware" = {
+ device = "/dev/disk/by-label/FIRMWARE";
+ fsType = "vfat";
+ # Alternatively, this could be removed from the configuration.
+ # The filesystem is not needed at runtime, it could be treated
+ # as an opaque blob instead of a discrete FAT32 filesystem.
+ options = ["nofail" "noauto"];
+ };
+ #"/var" = {
+ # device = "/dev/disk/by-label/var";
+ # fsType = "ext4";
+ #};
+ };
+
+ # !!! Adding a swap file is optional, but strongly recommended!
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 1024;
+ }
+ ];
+
+ hardware = {
+ enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
+ };
+
+ networking = {
+ enableB43Firmware = true; # If true, enable Pi wireless firmware
+ };
+
+ nixpkgs.config.allowUnfree = true; # required by B34Firmare above
+
+ environment.systemPackages = with pkgs; [
+ libraspberrypi # Userland tools for the Raspberry Pi board
+ ];
+}
diff --git a/modules/piCommon/default.nix b/modules/piCommon/default.nix
new file mode 100644
index 0000000..fb45389
--- /dev/null
+++ b/modules/piCommon/default.nix
@@ -0,0 +1,14 @@
+# Configuration common to all my servers
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ environment = {
+ # Set the system-wide environment
+ systemPackages = with pkgs; [
+ usbutils # Tools for working with USB devices, such as lsusb
+ ];
+ };
+}
diff --git a/networks/pi3B_rack.nix b/networks/pi3B_rack.nix
new file mode 100644
index 0000000..1219eb9
--- /dev/null
+++ b/networks/pi3B_rack.nix
@@ -0,0 +1,26 @@
+# NixOps configuration for the Raspberry Pi 3B Rack
+{
+ imports = [
+
+ ../hardware/raspberry_pi_3_model_B.nix
+ ../profiles/host_common.nix
+ ../profiles/server_common.nix
+ ];
+
+ # Ensure the right package architecture is used
+ nixpkgs.localSystem = {
+ system = "aarch64-linux";
+ config = "aarch64-unknown-linux-gnu";
+ allowUnfree = true;
+ };
+
+ systemd.network.networks.eth0.ipv6SendRAConfig = {
+ EmitDNS = true;
+ Managed = true;
+ OtherInformation = true;
+ };
+
+ documentation = {
+ nixos.enable = false; # Save some space by disabling the manual
+ };
+}
diff --git a/nixos/hosts/flemming/default.nix b/nixos/hosts/flemming/default.nix
new file mode 100644
index 0000000..861a240
--- /dev/null
+++ b/nixos/hosts/flemming/default.nix
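Review bot: `"cma=320M"` reserves roughly a third of a Pi 3 Model B's 1 GB for the contiguous-memory allocator, and `gpu_mem=128` in `firmwareConfig` sets more aside for the GPU, yet the comment still says the value is only what the virtual console needs. If the tenfold jump over the sibling profile's `"cma=32M"` is deliberate, the comment should give the reason (`# 320M: <reason>; the console alone works with 32M`), otherwise it reads as a typo. The commented-out `"/var"` block under `fileSystems` is dead config and should be dropped or turned into a real mount.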
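Review bot: The header comment `# Configuration common to all my servers` matches neither the module's path (modules/piCommon) nor its content, which only adds `usbutils`; `# Configuration common to all Raspberry Pi hosts` would describe it. Nothing in this patch imports modules/piCommon (networks/pi3B_rack.nix imports the hardware profile and ../profiles/* only), so unless an existing file already pulls it in, the module is unused.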
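Review bot: `allowUnfree = true` is placed under `nixpkgs.localSystem`, which describes the platform (`system`, `config`) rather than the package set's policy; as far as I can tell it is ignored there, and the imported hardware profile already sets `nixpkgs.config.allowUnfree = true`, so the line can be removed. The `systemd.network.networks.eth0.ipv6SendRAConfig` block sets `Managed`, `OtherInformation` and `EmitDNS`, but nothing in this file turns router advertisements on (`networkConfig.IPv6SendRA = true;`), so the section looks inert unless one of the ../profiles files enables it. If it is meant to be active, this host announces itself as the IPv6 router and DNS source for its segment, which other hosts there will accept by default; that should be stated as intentional in a comment such as `# This node is the RA/DHCPv6 router for the rack segment` so a later reader does not treat it as an accidental rogue-RA source.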
@@ -0,0 +1,25 @@
+# NixOS configuration for flemming
+#
+# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
+# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
+# grave diggers in Australia
+#
+# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
+# https://slackbastard.anarchobase.com/
+# https://www.3cr.org.au/yeahnahpasaran
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ imports = [
+ ../../../networks/pi3B_rack.nix
+ ];
+
+ # Comment out deployment when building the SD Image.
+ deployment.targetHost = "10.42.0.202";
+ networking.hostName = "flemming"; # Define your hostname.
+
+ system.stateVersion = "23.11"; # The version of NixOS originally installed
+}
diff --git a/outputs.nix b/outputs.nix
index 0da9cdf..33f3421 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -32,6 +32,12 @@ in {
 overlays = [];
 };
 };
+ flemming = {
+ imports = [
+ ./nixos/hosts/flemming
+ ragenix.nixosModules.default
+ ];
+ };
 toscano = {
 imports = [
 ./nixos/hosts/toscano/configuration.nix
diff --git a/secrets/fiscalvelvetpoet.age b/secrets/fiscalvelvetpoet.age
index df3c33a..9fc2784 100644
--- a/secrets/fiscalvelvetpoet.age
+++ b/secrets/fiscalvelvetpoet.age
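Review bot: `deployment.targetHost` lives inside the host module with an instruction to comment it out before building the SD image, a manual step that will be forgotten; the `deployment.*` options come from the deployment tool rather than NixOS, which is presumably why a plain evaluation of this module for the image fails. Moving `deployment.targetHost = "10.42.0.202";` into the `flemming = { ... }` node entry that this commit adds to outputs.nix keeps the host module evaluable on its own and makes the comment unnecessary. Minor: `psuedonym` in the header should be `pseudonym`, the header spells the name `Flemming` while the linked article uses `Fleming`, and the `config`, `pkgs` and `lib` arguments are unused here.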
@@ -1,14 +1,16 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBabmpl -K3V2ZWV4c2pXcmtHYlhPaWVTd0Z2UnUrRTU0UHJxSlNGVGxrMEFZCjdsNW1IQTZY -VWR5MG9YbjlHVGk1OEFEbGthNXVsbkpHbnlyN0lOU3dxOWsKLT4gc3NoLWVkMjU1 -MTkgZjVUaEFnIDIwdjFwUmc5dEhGdTd3WFdLMlJzN2NqQ1R1YWV2RXBwbTE5OU0x -Y3hHMDAKcFhOYjdDcncwTnplamd3UTlaWVFiMXBHTlpuNFVSa01iaER4amlhdHdR -MAotPiBRLWdyZWFzZSBjCkRMREtPUVdTeER4WWhjcjJOWSsvUkxtK2JTUnRhblB4 -KzFxMW5BVGp5U2hmdGtOZ1FDbFkrdUpNR1JuKzRLTWUKVTZCZk5nRTRUcnUzWURp -MVplUGhTQjBrQU1UNwotLS0gSm52ejc3TXRBdlYrS0pRamQzeHo4N0pvcktHMDEv -RzdXakJMVlZrYzNtMAp8HicX1xAaiwdoitp+OGbp3imWarnmMynCZxHsdPGmDIYG -CEYqJ9JJVXAtzUL7kIE7uQOSZvgp4MvWahk5a0ITQkJDLbXef1mxhavGI6SYkhKP -4fYc4GN7xAcxTRvb/oBP67lhc8Pt1W+h6BLphYMYbMM7XT/zHAVCUBrCCKTW2Swc -NgJYUgwf7rI+hg/AKeXDXWYyidcYMrvb+L7jiIwZ6Q== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBXZGxN +eVRsL3QyT1BPc1dOWmt4Z213czlHV1gwV0JldkRQREZ1YkZtRjNnCm9yMlpSV1dK +R2szbEtnQ2tUOXJzWGMyUk9BQldkbjVCa1RwejJ6U01JdGsKLT4gc3NoLWVkMjU1 +MTkgUWQwZXBRIFJ0TmhHZHVqam1wWkFRbUFHSWFEYk9CbzVmWnYwUWtjZ3hsQ3Z5 +Y1JYRDgKajR1a3Nnay9SeFlId2ZDTDd6VVNlZXRpY0h3cTh0R3ExUWRRcGovbVl3 +cwotPiBzc2gtZWQyNTUxOSBmNVRoQWcgN3BhVlk2Q0Z4RksvL1dLUmhCZFd1VUNs +ZmtqREtpMDAzWkRyMGZML016cwpKKzloVUxLWWcxcjZOQ2czaSt1b1hqTkFrSUc2 +bUJUV2crYUl3TVhQUzBzCi0+IDxSI243aidNLWdyZWFzZSBPIVk1J2QKa3RGampV +dlBKMitIV0ltUGhDNFcwK0c5dGFOSHJaRjlRZUppNXJPbmFFZnkwZkZKOHBmMk9P +ZmV2L1NZbzF5Kwo3Vlk5Ci0tLSA3MkZtc2V5QXRBLzg3eTNGZkRTZVo4K1hQbkR5 +cDUwakRsMjBXWms1U0YwCuls+HqLpYE1XR6thkvMuUi/HALGGLyrzLhgDQp/2fDd +qf27fBHxGH+LUVE/AtkcEuYvqRGOV92MFHP42wARbzTHPoT+JEtbJH9pghCRHE8l +Zi52BJ+9Erk+AGvDyS02ziP5bstBs2uWt9y143tjuZAPLEcKAeWaPmUzxpj+zd4w +3/5keHREdbw9xhJiXYYz55K26V/vyqHm9fz5tP32GhN0 -----END AGE ENCRYPTED FILE----- diff --git a/secrets/forgejo.age b/secrets/forgejo.age index 7a5dfc2..0fe9805 100644 --- a/secrets/forgejo.age +++ b/secrets/forgejo.age 
@@ -1,11 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBzblFC -eUZrZEw3R24weVJ2TUw3QWZ6WDNYS1NDZVpGTktnakk4M2FnVEhFCjUxK1BucVBu -Vm52cXhyK1RyRFdTd2w1WU9NWDUranZTRkhzOHIwbXVHTlkKLT4gc3NoLWVkMjU1 -MTkgZjVUaEFnIERNWExUWk95Wk1udHYxWm1vKzAwR29kUC9JeUJoMVI3MUx3UmFG -aDFCakkKSitsbEtsVzQ5eDAzZ0VUOXIrUkNsSkFFRXJGbEUyVTZNKzcwcTBhWnYy -RQotPiBsbS1ncmVhc2UgLTwpJyAxTmtRMgp5OVpBSDh2azhrYjI1cmNjVmdKdlh0 -d2ZJZwotLS0gSGRZZ2k2ZDhqc3E1clBkOVZ4K3FjZUtGUG1XZ1ozVDRpZkd3ZkhG -d3ZuYwocfVjJedKaGHSUGZE2tTu5W47y68PW51+NdYxQOT65fyZD9/Vxi+7HiFqM -0xrmCMh3IsOvPa60vuY= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyB1VGRL +OHRURUVFSjhzMmRmQWI1MnNrMUJDNlVEeHYrTTNQN0syV0xNSHlFCnBLSFNIMUpw +akZZenB4WWNwRWZ1WHh3ZmZURkZDUmR3WVFHMC9QZXZSZTQKLT4gc3NoLWVkMjU1 +MTkgZjVUaEFnIDIvUmk5NTZ2N29zRTE4MG9NRjk2VEtZbHdMZ3U4bHpVMnFCbHgr +NXlXMUkKcmtkVE4rRnRyWGRDd1RVK2djVlkxRnArQWJSOTJRTEIySjRKZUtvYWtB +dwotPiBhdi1ncmVhc2UgeFlgICp7MXZ4ClBBVUUzQTVKMDFZMVFUdlRvUE9GaXFv +clBVUlcvTDhmMVpCWHdjenJpTlIrNlJ6MDJZZTFEWE5QN3Y1dUFFZDMKYWdRaWor +Nk1lSzZoZFlGSG1WVTVxTVRJdjlmNFdGK3k2RnMKLS0tIE5Dcmh2THcvWmNCbXVS +V3lIbHB6UVlnUm10TjhRMURvbEFVdVhURVM0UGcKQ9Mo+lNHm5eeutxfecchV7Yb +593Y2GZGoxQTzIWXoWZkzPkeDxLOpUk+OTkgnNclDJ9xPXyanTSS -----END AGE ENCRYPTED FILE----- diff --git a/secrets/root.age b/secrets/root.age index f8653d1..f976633 100644 --- a/secrets/root.age +++ b/secrets/root.age 
@@ -1,15 +1,15 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBoaDBJ -M2E4THRwVmtpWTMwMGpKZ2owdC9aci9zMVZGSzdRYk1Xb2VoUmxzCjVveDgzUUc5 -SG1OUEVPb0pFTm5VdG93a2lBbVF3OXh1eGNsL1dZWGY1T3MKLT4gc3NoLWVkMjU1 -MTkgZjVUaEFnIDhFWHNoaFFkeVJ3NXBKc3oxVXdzeWtEc1NqSjAvRDZMWG9XSFVR -UnVzMlEKMEJVOU45OUhVd0FEWTIrLzV2WnN6VmVJWjRHM0xRUk5YdFdNS0J1YVBD -NAotPiB4WyMtZ3JlYXNlIFBBaTM8IDsgSDIgTChDaFRtcUcKSUlkVHFnRDA5cWIy -Mjk4THJPREpRTW5FZ2RVR3lhTWFTOXhPaHdldVRBYWd2WE1Pc0IzbFZFQ0Q2RTAz -Q2MySgpYUUNDNE9GM2JrUVpWbE1kenFLVGtDaFFGZjFvTFhYbWY0ZlI0MTlLVXFW -d2d5dUdtL2hoSXcKLS0tIHZZMWk2amdIZHpCVzNtSUFvTyt0V3IyVm9NWWVyc3lG -WDZpYmNtUkkzTDAKUHVWJeK+gcL0T5tHLBFQQP0EKHtO3Y2MFfNti/dtUhMoOnl0 -cKi+siTFVAR6hasO8eM+NYgDg0mCt5ThQfAQyr0c2VoPyNu1ITJKwZZndk52y6nv -g95L4myoHPlJOKEb2pzSyDYKQZw4kUB4JKC5i7zy7a0TsMzVXUjZRDuOvWxcvXw8 -QbjtYbRJUZ+pFN445/awGVcZyMIE6KhrazU+WSU= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBaeFBB +cWc4V2pHNU40Q0xMRXgxRVdFZWRRZTh5NDhPNlhDZEd3Tk4zc0c4CmJrSTFoanBw +dG9pYmJIVCs2TzkxazJjV1ptRzlSZkRmU2NGT0dtWkZHR0kKLT4gc3NoLWVkMjU1 +MTkgUWQwZXBRIFdBWmljU0F0U3UrWXEyZnl2MGY5VThxVmE1QkwyMmswRVRFRGFl +YnpYMDQKekZQOTFQeStBUTNTSW1ibUdHM05YSDBxUFY4dGVhTkpHejUwTklCTUpM +YwotPiBzc2gtZWQyNTUxOSBmNVRoQWcgSzAzMGFvVERReU1nRVhvdHdVK0FzajJj +VFZ3aXY1aWl1UW5ReDl4VHBrMApJYm9iRlVQUGNPWlpxcy9MTExhcnZrT0J6UDE0 +WUtTTUduOFlPNVFZTUs0Ci0+IHhxKC1ncmVhc2UgWl9vNyA7NilCVVshWSBEcEgv +RGBpIGgmWAoxVjVrRHVndzI4MmJhN3EwQVEKLS0tIFJabHFPdmtseWhyaTBjV1o0 +Zm1LVEJZY0F0NFJuZUk0anhGdTRkVlFOMmcKRtPfpCjUf05Jnow5FU3OvZc3FLGm +R462mLJoaBg4qhPr7+kxYRrGy2T0yoZLdglOJV4rHwvYWpNglY1o2Jo+I/mG1yAd +F+afAb9mQVYreWyQuj7t71Vm1VUdQrsG85lFxdbLbS7ZzITCOrjejgoj6wMPwAgl +iPHgOccOAPoiDQTSOdGEm3H4k8we/HSfpW7cPowwExtQCK7PSs30XeJsg4o= -----END AGE ENCRYPTED FILE----- diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 05d04e4..2d39616 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
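Review bot: root.age is re-encrypted here to add the new host as a recipient, and with secrets.nix declaring `"root.age".publicKeys = ops ++ systems;` every host key in `systems` can decrypt the same blob, a set that grows with each host added. If the file holds a root credential shared across machines, the host key read off any one SD card is enough to recover it for all of them; a per-host secret (for example a `root-flemming.age` keyed to `ops ++ [flemming]`) keeps the exposure to that host. The encrypted payload itself cannot be reviewed, so this is a question about the recipient policy, not the content.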
@@ -1,12 +1,18 @@
 # Used by ragenix nix only.
 # Ensure that $RULES has been set via direnv
+# Edit a key: `agenix -i ~/.ssh/id_ed25519 -e secrets/someKey.age`
+# run `ragenix -r -i /path/to/your/key` after modifying any keys below
+#
+# Re-keying is required after adding new hosts or keys:
+# run `ragenix -r -i /path/to/your/key`
 let
 fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
 ops = [fiscalvelvetpoet];
 users = [fiscalvelvetpoet];
+ flemming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK16f3Fjj0BY9vjtXahezMAP3I329hHEQXCceRTkr+Yu";
 toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
- systems = [toscano];
+ systems = [flemming toscano];
 in {
 "root.age".publicKeys = ops ++ systems;
 "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;