diff --git a/.gitignore b/.gitignore
index bdeb823..8b2c1a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,5 +8,6 @@ terraform.tfstate.*
 ### direnv ###
 .direnv
+.pre-commit-config.yaml
 # End of https://www.toptal.com/developers/gitignore/api/direnv
diff --git a/README.md b/README.md
index fee35c1..4d911e8 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ If you're curious about the infrastructure behind [evilfactorylabs.org](https://
 ## Prerequisites
-You don't technically need to run or setup anything on your end. But if you want to setup for your own needs, you can take a look into [`shell.nix`](./shell.nix) and [`.envrc.example`](./.envrc.example) or you can just install [Terraform](https://terraform.io) on your machine (and messing with your own very [environment variables](https://direnv.net)).
+You don't technically need to run or setup anything on your end. But if you want to setup for your own needs, you can take a look into [`development.nix`](./nix/development.nix#L37-L41) and [`.envrc.example`](./.envrc.example) or you can just install [Terraform](https://terraform.io) on your machine (and messing with your own very [environment variables](https://direnv.net)).
 You have to know a little knowledge in using Terraform so you know what you're doing ;)
@@ -21,9 +21,36 @@ You have to know a little knowledge in using Terraform so you know what you're d
 You can just clone this repo, create a new branch, and push your changes. Anyone with direct write access to the repository (i.e: making a pull request from this repo) will propagate `terraform plan` command behind the scenes. Only repository maintainers can initialize `terraform apply` but who knows, right?
+## Machines
+
+### Komunix
+
+**Raspberry Pi 4 Model B Rev 1.2**
+
+#### Flash Images
+
+we our using `NixOS` and creating sd-card image with command:
+
+ ```console
+ $ nix build github:evilfactorylabs/area13#nixosConfigurations.komunix.config.system.build.sdImage
+
+ # verify image created in `result/sd-image/*.img`
+
+ # write image with pv and dd - WARNING! rdiskX replace with actual id (e.g. rdisk5)
+ $ nix run nixpkgs#pv ./result/sd-image/*.img | sudo dd of=/dev/rdiskX bs=4M
+
+ ```
+
+### Update System Configurations
+
+```console
+$ nix run nixpkgs#nixos-rebuild --flake github:evilfactorylabs/area13#komunix switch --target-host --build-host
+```
+
 ## Maintainers
 - [faultables](https://github.com/faultables), @evilfactorylabs
+- [r17x](https://github.com/r17x), @evilfactorylabs
 ## License
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..b2a3e0d
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,161 @@
+{
+ "nodes": {
+ "ez-configs": {
+ "inputs": {
+ "flake-parts": [
+ "flake-parts"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1737976685,
+ "narHash": "sha256-YGDoq5mHjaUiv79oICntM3nybdzvvBRZGe5cZ6kY73w=",
+ "owner": "ehllie",
+ "repo": "ez-configs",
+ "rev": "84cce474cc25b451e77fc05a1a3d32c47706ea3a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ehllie",
+ "repo": "ez-configs",
+ "type": "github"
+ }
+ },
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1747046372,
+ "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1735774679,
+ "narHash": "sha256-soePLBazJk0qQdDVhdbM98vYdssfs3WFedcq+raipRI=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "f2f7418ce0ab4a5309a4596161d154cfc877af66",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "git-hooks": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1760392170,
+ "narHash": "sha256-WftxJgr2MeDDFK47fQKywzC72L2jRc/PWcyGdjaDzkw=",
+ "owner": "cachix",
+ "repo": "git-hooks.nix",
+ "rev": "46d55f0aeb1d567a78223e69729734f3dca25a85",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "git-hooks.nix",
+ "type": "github"
+ }
+ },
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "git-hooks",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
+ "nixos-hardware": {
+ "locked": {
+ "lastModified": 1760106635,
+ "narHash": "sha256-2GoxVaKWTHBxRoeUYSjv0AfSOx4qw5CWSFz2b+VolKU=",
+ "owner": "NixOS",
+ "repo": "nixos-hardware",
+ "rev": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixos-hardware",
+ "type": "github"
+ }
+ },
+ "nixpkgs-lib": {
+ "locked": {
+ "lastModified": 1735774519,
+ "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1749903597,
+ "narHash": "sha256-jp0D4vzBcRKwNZwfY4BcWHemLGUs4JrS3X9w5k/JYDA=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "41da1e3ea8e23e094e5e3eeb1e6b830468a7399e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "ez-configs": "ez-configs",
+ "flake-parts": "flake-parts",
+ "git-hooks": "git-hooks",
+ "nixos-hardware": "nixos-hardware",
+ "nixpkgs": [
+ "nixpkgs-unstable"
+ ],
+ "nixpkgs-unstable": "nixpkgs-unstable"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..fb27fae
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,36 @@
+{
+ description = "Komunix.org Configurations";
+
+ outputs =
+ inputs:
+ inputs.flake-parts.lib.mkFlake { inherit inputs; } {
+ systems = [
+ "aarch64-darwin"
+ "aarch64-linux"
+ "x86_64-linux"
+ ];
+
+ imports = [ ./nix ];
+ };
+
+ inputs = {
+ ## -- nixpkgs
+ nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ nixpkgs.follows = "nixpkgs-unstable";
+
+ ### -- hardware specific modules
+ nixos-hardware.url = "github:NixOS/nixos-hardware";
+
+ #### core for modularitation
+ flake-parts.url = "github:hercules-ci/flake-parts";
+
+ #### file-based configurations
+ ez-configs.url = "github:ehllie/ez-configs";
+ ez-configs.inputs.nixpkgs.follows = "nixpkgs";
+ ez-configs.inputs.flake-parts.follows = "flake-parts";
+
+ #### utilities
+ git-hooks.url = "github:cachix/git-hooks.nix";
+ git-hooks.inputs.nixpkgs.follows = "nixpkgs";
+ };
+}
diff --git a/nix/configurations/nixos/komunix.nix b/nix/configurations/nixos/komunix.nix
new file mode 100644
index 0000000..00d7619
--- /dev/null
+++ b/nix/configurations/nixos/komunix.nix
@@ -0,0 +1,99 @@
+{
+ maintainers,
+ inputs,
+ ezModules,
+ pkgs,
+ ...
+}:
+
+{
+ system.stateVersion = "25.05";
+
+ imports = with ezModules; [
+ # using for creating sd image
+ "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+ # hardware support for raspberry pi 4
+ inputs.nixos-hardware.nixosModules.raspberry-pi-4
+ # our hardware configuration for raspberry pi 4
+ rpi4
+ ];
+
+ nix.settings = {
+ auto-optimise-store = true;
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+
+ nixpkgs = {
+ hostPlatform = "aarch64-linux";
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ networking = {
+ networkmanager.enable = true;
+ firewall.allowedTCPPorts = [
+ 22
+ 80
+ ];
+ hostName = "komunix";
+ };
+
+ time.timeZone = "Asia/Jakarta";
+
+ users.users.komunix = {
+ isNormalUser = true;
+ shell = pkgs.bash;
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ ];
+ description = "Komunix.org";
+ openssh.authorizedKeys.keys = maintainers.getMaintainerKeysByRole "core";
+ # Allow the graphical user to login without password
+ initialHashedPassword = "";
+ };
+
+ services.openssh = {
+ enable = true;
+ banner = ''
+
+ _ __ _
+ | | / / (_)
+ | |/ / ___ _ __ ___ _ _ _ __ ___ __
+ | \ / _ \| '_ ` _ \| | | | '_ \| \ \/ /
+ | |\ \ (_) | | | | | | |_| | | | | |> <
+ \_| \_/\___/|_| |_| |_|\__,_|_| |_|_/_/\_\
+
+ ;/nix/store/milik-bersama;
+
+ '';
+ };
+
+ # add swap
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 2048;
+ }
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 50;
+ };
+
+ # simplify sudo
+ security = {
+ sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+ };
+
+ # Allow the user to log in as root without a password.
+ users.users.root.initialHashedPassword = "";
+}
diff --git a/nix/default.nix b/nix/default.nix
new file mode 100644
index 0000000..fe87494
--- /dev/null
+++ b/nix/default.nix
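Review bot: Both `initialHashedPassword = ""` on `users.users.komunix` and `users.users.root.initialHashedPassword = ""` leave accounts with an empty password on a host that also enables sshd, opens TCP 22 and 80 and sets `wheelNeedsPassword = false`, so anyone at the console or serial port has passwordless root, and today only OpenSSH's default `PermitEmptyPasswords no` keeps those empty passwords off SSH. Because SSH keys are already provisioned through `maintainers.getMaintainerKeysByRole "core"`, password logins are not needed at all; I would add `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "no"; };` and either drop the root line or give it a real hash. `initialHashedPassword` is only applied when the account is first created, so an image flashed with these values keeps the empty password until someone changes it on the device. The sd-image-aarch64 module imported above pulls in the NixOS installer profile, which I believe sets `PermitRootLogin = "yes"` — worth confirming, since it would override the default. The comment `# Allow the graphical user to login without password` is also misleading (this configuration has no graphical session); `# first-boot convenience: empty password, set a real one after provisioning` states the actual intent.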
@@ -0,0 +1,65 @@
+{ inputs, ... }:
+
+{
+ imports = [
+ inputs.ez-configs.flakeModule
+ ./development.nix
+ ];
+
+ perSystem =
+ { system, ... }:
+ {
+ _module.args = {
+ pkgs = import inputs.nixpkgs {
+ inherit system;
+ config.allowUnfree = true;
+ };
+ };
+ };
+
+ ezConfigs = {
+ root = ./.;
+ /**
+ We can pass global arguments to all configurations and modules here.
+
+ example:
+
+ file under `nixos/configurations/my-config.nix` wants to use `inputs.something`. so we need to pass `inputs` to `globalArgs`.
+ ```nix
+ { inputs, self, ... }:
+ {
+ environment.systemPackages = with pkgs; [
+ inputs.something
+ ];
+ }
+ ```
+ */
+ globalArgs = {
+ inherit inputs;
+
+ maintainers = rec {
+ all = import ./maintainers.nix;
+
+ getMaintainerKeysByRole =
+ with inputs.nixpkgs.lib;
+ role:
+ pipe all [
+ attrValues
+ (filter (maintainer: (maintainer.role or "") == role))
+ (map (maintainer: maintainer.sshKeys))
+ flatten
+ ];
+ };
+ };
+
+ /**
+ Setup layout with ez-configs
+
+ All files under `nixos/configurations` will be treated as NixOS configurations.
+ All files under `nixos/modules` will be treated as NixOS modules.'
+ */
+ nixos.modulesDirectory = ./modules/nixos;
+ nixos.configurationsDirectory = ./configurations/nixos;
+ };
+
+}
diff --git a/nix/development.nix b/nix/development.nix
new file mode 100644
index 0000000..b8ae0f3
--- /dev/null
+++ b/nix/development.nix
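Review bot: `getMaintainerKeysByRole` reads `maintainer.sshKeys` without a default, so a maintainers.nix entry that carries a `role` but no `sshKeys` attribute aborts evaluation of every host that calls it; `(map (maintainer: maintainer.sshKeys or []))` would make it as tolerant as the `maintainer.role or ""` check beside it. The second doc comment says files live under `nixos/configurations` and `nixos/modules`, but the two lines below it set `./configurations/nixos` and `./modules/nixos`, and the comment ends with a stray `'`; it should name the real directories. The `globalArgs` example also uses `with pkgs;` while its argument set only binds `{ inputs, self, ... }`, so it does not evaluate as written — add `pkgs` to the example's arguments.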
@@ -0,0 +1,47 @@
+{ inputs, ... }:
+{
+ perSystem =
+ {
+ pkgs,
+ system,
+ self',
+ ...
+ }:
+ {
+ checks.pre-commit-check = inputs.git-hooks.lib.${system}.run {
+ src = ./../.;
+ hooks = {
+ actionlint.enable = true;
+ nixfmt-rfc-style.enable = true;
+ deadnix.enable = true;
+ };
+ };
+
+ formatter =
+ let
+ gitHookConfig = self'.checks.pre-commit-check.config;
+ in
+ pkgs.writeShellScriptBin "format-all" ''
+ ${pkgs.lib.getExe gitHookConfig.package} run --all-files --config ${gitHookConfig.configFile}
+ '';
+
+ devShells.default =
+ let
+ gitHook = self'.checks.pre-commit-check;
+ in
+ pkgs.mkShell {
+ shellHook = gitHook.shellHook;
+ buildInputs =
+ with pkgs;
+ [
+ terraform
+ tfsec
+ terrascan
+ ripgrep
+ bat
+ self'.formatter
+ ]
+ ++ gitHook.enabledPackages;
+ };
+ };
+}
diff --git a/nix/maintainers.nix b/nix/maintainers.nix
new file mode 100644
index 0000000..66ec569
--- /dev/null
+++ b/nix/maintainers.nix
@@ -0,0 +1,17 @@
+{
+ faultables = {
+ username = "faultables";
+ role = "core";
+ sshKeys = [
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHnjecqMe2lrGzAvQ2VQRTXhjZ5q1tONgme+2/97Z3VSXdY0i2bEH3qGEIC7uMyWUfmLystXxqP0u6/Xspmm0Ck="
+ ];
+ };
+
+ r17x = {
+ username = "r17x";
+ role = "core";
+ sshKeys = [
+ "ssh-rsa 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"
+ ];
+ };
+}
diff --git a/nix/modules/nixos/rpi4.nix b/nix/modules/nixos/rpi4.nix
new file mode 100644
index 0000000..766f219
--- /dev/null
+++ b/nix/modules/nixos/rpi4.nix
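Review bot: The hook set in `checks.pre-commit-check` covers only GitHub Actions (`actionlint`) and Nix (`nixfmt-rfc-style`, `deadnix`), while the same file keeps `terraform`, `tfsec` and `terrascan` in the dev shell for the Terraform code this repository manages, so formatting and scanning of `.tf` files stays manual and the replacement for the deleted shell.nix loses nothing but also gains no Terraform checks. git-hooks.nix ships a `terraform-format` hook (and, I believe, `tflint`) that could sit next to the others, e.g. `terraform-format.enable = true;`. A one-line comment above `hooks` saying which languages are intentionally not covered would stop the next reader from assuming the scanners in `buildInputs` run automatically.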
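Review bot: Nothing in maintainers.nix says that entries with `role = "core"` become `openssh.authorizedKeys.keys` on every host calling `getMaintainerKeysByRole "core"` (komunix.nix does), so a change to this file is an SSH access-control change that a reviewer could easily wave through as metadata; a header comment such as `# Keys of role = "core" are installed as authorized_keys on komunix — treat edits as access changes` would make that explicit. `username` is not consumed by `getMaintainerKeysByRole`, which reads only `role` and `sshKeys`; if it has another purpose, a comment should say which, otherwise it is dead data that will drift.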
@@ -0,0 +1,23 @@
+{ lib, pkgs, ... }:
+
+{
+ # thanks to fzakaria.com - https://fzakaria.com/2024/08/13/nixos-raspberry-pi-me
+ boot.supportedFilesystems.zfs = lib.mkForce false;
+ sdImage.compressImage = false;
+ hardware.raspberry-pi."4".touch-ft5406.enable = false;
+
+ nixpkgs.overlays = [
+ # Workaround: https://github.com/NixOS/nixpkgs/issues/154163
+ # modprobe: FATAL: Module sun4i-drm not found in directory
+ (_final: super: {
+ makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
+ })
+ ];
+
+ environment.systemPackages = with pkgs; [
+ libraspberrypi
+ raspberrypi-eeprom
+ ];
+
+ hardware.enableRedistributableFirmware = true;
+}
diff --git a/shell.nix b/shell.nix
deleted file mode 100644
index e95205e..0000000
--- a/shell.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-with import {};
-
-pkgs.mkShell {
- name = "area13";
-
- buildInputs = [
- terraform
- tfsec
- terrascan
- ripgrep
- bat
- ];
-}