ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

format json/yml/sh

Browse Source
This commit is contained in:
ahuston-0
2025-03-13 17:50:03 -04:00
parent 8294dbdd0b
commit 02b8a6bc6c
19 changed files with 522 additions and 545 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
docs/CONTRIBUTING.md
View File

@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
| Branch Name | Use Case |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main | protected branch which all machines pull from, do not try to push directly |
| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use |
| fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item\> | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item\> | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use |
| fixup/\<item> | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item> | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item> | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item> | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
### Review Process
@ -94,11 +94,11 @@ rules.
PR has been tested on at least one machine
- Issues which bypass the quorum process must have a second reviewer tagged
- All critical issues which bypass the approval process must have an RCA issue
opened and the RCA logged into the `inc/` folder
opened and the RCA logged into the `inc/` folder
- The second reviewer has 2 weeks to retroactively review and approve the PR
- If the retro does not happen in the given window, an issue shall be opened
to either re-review the PR or to revert and replace the fix with a
permanent solution
to either re-review the PR or to revert and replace the fix with a
permanent solution
- Critical issues must be tagged to `Nix Flake Features` project, and must have
a priority of `High` and an estimate tagged. Start and end date are not needed

120
docs/sample-setup.sh
View File

@ -1,9 +1,9 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#git --command bash
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes
PROCEED="N"
@ -50,60 +50,58 @@ GITBASE="systems"
FEATUREBRANCH="feature/adding-$MACHINENAME"
if [ $PROCEED != "Y" ]; then
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
if [ $CREATEPARTS = "Y" ]; then
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
# Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on
# Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
# Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay
# Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
# Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay
# Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
sudo lvdisplay
# Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
sudo lvdisplay
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
# Mount partitions
@ -116,7 +114,7 @@ sudo mount $BOOTPART /mnt/boot
# Enable swap if SWAPSIZE is non-zero
if [ $SWAPSIZE != 0 ]; then
sudo swapon "/dev/$VOLGROUP/swap"
sudo swapon "/dev/$VOLGROUP/swap"
fi
# Clone the repo
@ -135,31 +133,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
cat "$DOTS/id_ed25519_ghdeploy.pub"
if [ $SOPS == "Y" ]; then
# Create ssh host-keys
sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Create ssh host-keys
sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF
# Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF
- path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
key_groups:
- pgp: *$OWNERORADMINS
age:
- *$MACHINENAME
EOF
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
fi
read -r -p "press enter to continue"