authorFranck Cuny <franck@fcuny.net>2025-06-30 10:36:00 -0700
committerFranck Cuny <franck@fcuny.net>2025-06-30 10:36:00 -0700
commitce68c0a9e4c4ce78c48868219e4e5bcda849e228 (patch)
tree208bd056e4dfdd37bc1bd1c2134145c0d04b7da7
parentonly include some home-manager configurations on Darwin (diff)
downloadinfra-ce68c0a9e4c4ce78c48868219e4e5bcda849e228.tar.gz
add configuration for vm-synology
This is a VM running on the Synology NAS. For now it only runs `gitolite`, but we may host additional services in the future.
Diffstat (limited to '')
-rw-r--r--docs/install.org14
-rw-r--r--flake.lock21
-rw-r--r--flake.nix18
-rw-r--r--nix/lib/mkSystem.nix2
-rw-r--r--nix/machines/vm-synology/default.nix71
-rw-r--r--nix/machines/vm-synology/disk.nix55
-rw-r--r--nix/machines/vm-synology/git.nix61
-rw-r--r--nix/machines/vm-synology/hardware.nix32
8 files changed, 274 insertions, 0 deletions
diff --git a/docs/install.org b/docs/install.org
new file mode 100644
index 0000000..e4e279c
--- /dev/null
+++ b/docs/install.org
@@ -0,0 +1,14 @@
+#+TITLE: Installation
+#+AUTHOR: Franck Cuny
+#+EMAIL: franck@fcuny.net
+
+* Virtual machine running on the Synology NAS
+** Creating the VM
+- chose VGA for the display (otherwise ~systemd-udevd~ gets stuck)
+** Install NixOS on the VM
+1. Boot to the installer
+2. Copy the local configuration to the remote host ~rsync -avz --exclude='.git' --exclude='result' world/ nixos@192.168.1.151:~/world/~
+3. On the VM, from the =world= directory:
+ 1. Run =sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount nix/machines/vm-synology/disk.nix=
+ 2. Run =nixos-install --root /mnt/ --flake .#vm-synology=
+4. Reboot the VM
diff --git a/flake.lock b/flake.lock
index 3f62bbe..b4dade4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,6 +66,26 @@
"type": "github"
}
},
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1750903843,
+ "narHash": "sha256-Ng9+f0H5/dW+mq/XOKvB9uwvGbsuiiO6HrPdAcVglCs=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "83c4da299c1d7d300f8c6fd3a72ac46cb0d59aae",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
"emacs-overlay": {
"inputs": {
"nixpkgs": [
@@ -240,6 +260,7 @@
"inputs": {
"agenix": "agenix",
"darwin": "darwin_2",
+ "disko": "disko",
"emacs-overlay": "emacs-overlay",
"home-manager": "home-manager_2",
"nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index 504934d..ddae392 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
@@ -150,6 +155,12 @@
pre-commit-check = mkPreCommitHooks system ./.;
});
+ # my VM running on the synology NAS
+ nixosConfigurations.vm-synology = mkSystem "vm-synology" {
+ system = "x86_64-linux";
+ user = "fcuny";
+ };
+
# my personal MacBook Air
darwinConfigurations.mba-m2 = mkSystem "mba-m2" {
system = "aarch64-darwin";
@@ -189,6 +200,12 @@
echo "> darwin-rebuild build was successful ✅"
echo "> macOS config was successfully applied 🚀"
'')
+ (pkgs.writeScriptBin "switch-vm-synology" ''
+ set -e
+ echo "> Running nixos-rebuild switch ..."
+ ${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --keep-going --flake .#vm-synology --target-host vm-synology --build-host vm-synology --fast --use-remote-sudo --use-substitutes
+ echo "> nixos-rebuild switch was successful ✅"
+ '')
(pkgs.writeScriptBin "sync-agenix-key" ''
set -e
echo "> Copying agenix SSH key from 1password ..."
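Review bot: The `switch-vm-synology` script relies on `--target-host vm-synology --build-host vm-synology`, which only works if an SSH host alias named `vm-synology` (with key-based login and a sudo-capable user) exists on the operator's machine, and nothing in this commit defines or documents it; docs/install.org (added in this same commit) should state that prerequisite next to the `nixos-install` steps. `--use-remote-sudo` also presumes the remote user can run sudo non-interactively, which is what `security.sudo.wheelNeedsPassword = false` in vm-synology/default.nix provides, so the two settings are coupled and a one-line comment above the script, e.g. `# requires an ssh alias "vm-synology" for a wheel user; see docs/install.org`, would make that visible. The enclosing list of `writeScriptBin` entries starts before this hunk.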
@@ -234,6 +251,7 @@
packages =
with pkgs;
[
+ nixos-rebuild
git
inputs.agenix.packages."${system}".default
]
diff --git a/nix/lib/mkSystem.nix b/nix/lib/mkSystem.nix
index 94d1b35..2bd36bd 100644
--- a/nix/lib/mkSystem.nix
+++ b/nix/lib/mkSystem.nix
@@ -35,6 +35,8 @@ systemFunc rec {
# Add overlays
{ nixpkgs.overlays = overlays; }
+ inputs.disko.nixosModules.disko
+
machineConfig
userOSConfig
home-manager.home-manager
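Review bot: `inputs.disko.nixosModules.disko` is appended to the module list unconditionally, yet mkSystem is also the builder for `darwinConfigurations.mba-m2` in this same commit (flake.nix hunk at `@@ -150`), so unless the surrounding `systemFunc rec { … }` (which starts outside this hunk) already selects modules by platform, the Darwin evaluation will now import a NixOS-only module. If mkSystem has a platform flag, wrap the entry as `lib.optional <is-linux-flag> inputs.disko.nixosModules.disko` (placeholder name; use whatever flag the function already derives from `system`) so the nix-darwin path is unaffected. A short comment such as `# disko: declarative partitioning, NixOS only` next to the line would also explain why it sits among the platform-independent modules.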
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/vm-synology/default.nix
new file mode 100644
index 0000000..8ced4e1
--- /dev/null
+++ b/nix/machines/vm-synology/default.nix
@@ -0,0 +1,71 @@
+{ pkgs, ... }:
+{
+ imports = [
+ ./hardware.nix
+ ./git.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ networking.hostName = "vm-synology";
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ nix = {
+ package = pkgs.nixVersions.latest;
+ settings = {
+ trusted-users = [
+ "@admin"
+ "fcuny"
+ ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+
+ time.timeZone = "America/Los_Angeles";
+
+ # Don't require password for sudo
+ security.sudo.wheelNeedsPassword = false;
+
+ # Virtualization settings
+ virtualisation.docker.enable = true;
+
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.mutableUsers = false;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ curl
+ git
+ vim
+ jq
+ ];
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ services.openssh.settings.PasswordAuthentication = true;
+ services.openssh.settings.PermitRootLogin = "no";
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+
+ networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
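Review bot: `services.openssh.settings.PasswordAuthentication = true;` enables password logins on a host that also disables the firewall (`networking.firewall.enable = false;`) and grants passwordless sudo to wheel, while the deploy script added in flake.nix already relies on key-based SSH (`--target-host vm-synology --use-remote-sudo`), so passwords are not needed. Set `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`, and drop `networking.firewall.enable = false;` since the openssh module opens port 22 by itself and gitolite needs no other port. The `users.users.root.openssh.authorizedKeys.keys` entry is dead configuration while `PermitRootLogin = "no"`; either remove it or add a comment stating why it is kept. With `users.mutableUsers = false;` the comment "Don't forget to set a password with 'passwd'" is misleading because `passwd` changes are reverted on the next rebuild; either declare `hashedPasswordFile` for the account (presumably defined in userOSConfig, outside this diff) or reword the comment to say key-only login is intended.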
diff --git a/nix/machines/vm-synology/disk.nix b/nix/machines/vm-synology/disk.nix
new file mode 100644
index 0000000..1641339
--- /dev/null
+++ b/nix/machines/vm-synology/disk.nix
@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nix/machines/vm-synology/git.nix b/nix/machines/vm-synology/git.nix
new file mode 100644
index 0000000..6ca6ec7
--- /dev/null
+++ b/nix/machines/vm-synology/git.nix
@@ -0,0 +1,61 @@
+{ pkgs, ... }:
+{
+
+ services.gitolite = {
+ enable = true;
+ adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ user = "git";
+ group = "git";
+ extraGitoliteRc = ''
+ # Make dirs/files group readable, needed for webserver/cgit. (Default
+ # setting is 0077.)
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
+ $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
+ push( @{$RC{ENABLE}}, 'symbolic-ref' );
+ '';
+ };
+
+ # let's make sure the default branch is `main'.
+ systemd.tmpfiles.rules = [
+ "C /var/lib/gitolite/.gitconfig - git git 0644 ${pkgs.writeText "gitolite-gitconfig" ''
+ [init]
+ defaultBranch = main
+ ''}"
+ ];
+
+ # # TODO also rsync the backups to the nas
+ # # TODO need the ssh key for the nas for rsync ?
+ # age.secrets.restic = {
+ # file = ../../../secrets/restic-backups.age;
+ # owner = "root";
+ # group = "root";
+ # path = "/etc/restic/secret";
+ # mode = "600";
+ # };
+
+ # # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix
+ # services.restic.backups.git = {
+ # passwordFile = "/etc/restic/secret";
+ # repository = "/srv/backups/git";
+ # initialize = true;
+ # paths = [ "/var/lib/gitolite" ];
+ # exclude = [
+ # "/var/lib/gitolite/.bash_history"
+ # "/var/lib/gitolite/.ssh"
+ # "/var/lib/gitolite/.viminfo"
+ # ];
+ # extraBackupArgs = [
+ # "--exclude-caches"
+ # "--compression=max"
+ # ];
+ # timerConfig = {
+ # OnCalendar = "daily";
+ # };
+ # pruneOpts = [
+ # "--keep-daily 7"
+ # "--keep-weekly 4"
+ # "--keep-monthly 3"
+ # ];
+ # };
+}
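Review bot: The `C /var/lib/gitolite/.gitconfig …` tmpfiles rule copies the generated file only when the destination does not exist yet, so a later edit to the `[init]` snippet will not reach a host that has already booted once; if that is intended, say so in the comment above the rule (e.g. `# C copies once; edit in place on the host if this changes`), otherwise `C+` (overwrite, where the installed systemd supports it) or an `L+` symlink to the store path keeps it in sync. The `$RC{UMASK} = 0027;` comment justifies the looser umask with cgit/webserver access, but no web frontend is configured in this commit, so a short note that this is preparatory (or a TODO linking it to the planned service) would stop a reader from assuming a web server exists. The `adminPubkey` is the same key used for root in default.nix; a one-line comment naming whose key it is would help when it has to be rotated in both places.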
diff --git a/nix/machines/vm-synology/hardware.nix b/nix/machines/vm-synology/hardware.nix
new file mode 100644
index 0000000..c894a80
--- /dev/null
+++ b/nix/machines/vm-synology/hardware.nix
@@ -0,0 +1,32 @@
+{ lib, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ./disk.nix
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}