Remove doc
This commit is contained in:
parent
7d6e0b4ea5
commit
a87e74705b
28 changed files with 0 additions and 1048 deletions
1
doc/.gitignore
vendored
1
doc/.gitignore
vendored
|
@ -1 +0,0 @@
|
|||
book
|
|
@ -1,18 +0,0 @@
|
|||
# Pull Requests
|
||||
|
||||
## TL;DR;
|
||||
- **Target Branch**: `main`
|
||||
- **Merge Policy**: [`bors`][bors] is alwyas right (→ `bors try`)
|
||||
- **Docs**: every changeset is expected to contain doc updates
|
||||
- **Commit Msg**: be a poet! Comprehensive and explanatory commit messages
|
||||
should cover the motivation and use case in an easily understandable manner
|
||||
even when read after a few months.
|
||||
- **Test Driven Development**: please default to test driven development where possible.
|
||||
|
||||
### Within the Devshell (`nix develop`)
|
||||
- **Hooks**: please `git commit` within the devshell
|
||||
- **Fail Early**: please run from within the devshell on your local machine:
|
||||
- `nix flake check`
|
||||
|
||||
[bors]: https://bors.tech
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
# Summary
|
||||
|
||||
- [Introduction](../README.md)
|
||||
- [Quick Start](./start/index.md)
|
||||
- [ISO](./start/iso.md)
|
||||
- [Bootstrapping](./start/bootstrapping.md)
|
||||
- [From NixOS](./start/from-nixos.md)
|
||||
- [Key Concepts](./concepts/index.md)
|
||||
- [Hosts](./concepts/hosts.md)
|
||||
- [Overrides](./concepts/overrides.md)
|
||||
- [Profiles](./concepts/profiles.md)
|
||||
- [Suites](./concepts/suites.md)
|
||||
- [Users](./concepts/users.md)
|
||||
- [Outputs](./outputs/index.md)
|
||||
- [Modules](./outputs/modules.md)
|
||||
- [Overlays](./outputs/overlays.md)
|
||||
- [Packages](./outputs/pkgs.md)
|
||||
- [Concerns]()
|
||||
- [Secrets](./secrets.md)
|
||||
- [Tests](./tests.md)
|
||||
- [Helper Script – `bud`](./bud/index.md)
|
||||
- [get](./bud/get.md)
|
||||
- [Integrations](./integrations/index.md)
|
||||
- [Cachix](./integrations/cachix.md)
|
||||
- [Deploy RS](./integrations/deploy.md)
|
||||
- [NvFetcher](./integrations/nvfetcher.md)
|
||||
- [Hercules CI](./integrations/hercules.md)
|
||||
- [Contributing](./CONTRIBUTING.md)
|
|
@ -1,6 +0,0 @@
|
|||
[book]
|
||||
authors = ["Timothy DeHerrera"]
|
||||
language = "en"
|
||||
multilingual = false
|
||||
src = "."
|
||||
title = "devos docs"
|
|
@ -1,10 +0,0 @@
|
|||
# get
|
||||
The `get` subcommand is useful for getting a bare copy of devos without the
|
||||
git history.
|
||||
|
||||
## Usage
|
||||
```sh
|
||||
bud get DEST-DIR
|
||||
```
|
||||
|
||||
If DEST-DIR is ommitted, it defaults to _./devos_.
|
|
@ -1,24 +0,0 @@
|
|||
# [`bud`][bud] command
|
||||
The template incudes a convenient script for managing your system called [`bud`][bud].
|
||||
|
||||
It is a portable and highly composable system control tool that work anywhere on your host
|
||||
or in the flake's devshell.
|
||||
|
||||
Although it comes with some predefined standard helpers,
|
||||
it is very extensible and you are encouraged to write your own script snippets
|
||||
to ease your workflows. An example is the bud module for a `get` command that
|
||||
comes included with `devos`.
|
||||
|
||||
While writing scripts you can convenientely access smart environment variables
|
||||
that can tell the current architecture, user or host name, among others, regardless
|
||||
wether you invoke `bud` within the devshell or as the system-wide installed `bud`.
|
||||
|
||||
For details, please review the [bud repo][bud].
|
||||
|
||||
## Usage
|
||||
```sh
|
||||
bud help
|
||||
```
|
||||
|
||||
|
||||
[bud]: https://github.com/divnix/bud
|
|
@ -1,62 +0,0 @@
|
|||
# Hosts
|
||||
|
||||
Nix flakes contain an output called `nixosConfigurations` declaring an
|
||||
attribute set of valid NixOS systems. To simplify the management and creation
|
||||
of these hosts, devos automatically imports every _.nix_ file inside this
|
||||
directory to the mentioned attribute set, applying the projects defaults to
|
||||
each. The only hard requirement is that the file contain a valid NixOS module.
|
||||
|
||||
As an example, a file `hosts/system.nix` or `hosts/system/default.nix` will
|
||||
be available via the flake output `nixosConfigurations.system`. You can have
|
||||
as many hosts as you want and all of them will be automatically imported based
|
||||
on their name.
|
||||
|
||||
For each host, the configuration automatically sets the `networking.hostName`
|
||||
attribute to the folder name or name of the file minus the _.nix_ extension. This
|
||||
is for convenience, since `nixos-rebuild` automatically searches for a configuration
|
||||
matching the current systems hostname if one is not specified explicitly.
|
||||
|
||||
You can set channels, systems, and add extra modules to each host by editing the
|
||||
`nixos.hosts` argument in flake.nix. This is the perfect place to import
|
||||
host specific modules from external sources, such as the
|
||||
[nixos-hardware][nixos-hardware] repository.
|
||||
|
||||
It is recommended that the host modules only contain configuration information
|
||||
specific to a particular piece of hardware. Anything reusable across machines
|
||||
is best saved for [profile modules](./profiles.md).
|
||||
|
||||
This is a good place to import sets of profiles, called [suites](./suites.md),
|
||||
that you intend to use on your machine.
|
||||
|
||||
|
||||
## Example
|
||||
|
||||
flake.nix:
|
||||
```nix
|
||||
{
|
||||
nixos = {
|
||||
imports = [ (devos.lib.importHosts ./hosts) ];
|
||||
hosts = {
|
||||
librem = {
|
||||
channelName = "latest";
|
||||
modules = [ nixos-hardware.nixosModules.purism-librem-13v3 ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
hosts/librem.nix:
|
||||
```nix
|
||||
{ suites, ... }:
|
||||
{
|
||||
imports = suites.laptop;
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
fileSystems."/" = { device = "/dev/disk/by-label/nixos"; };
|
||||
}
|
||||
```
|
||||
|
||||
[nixos-hardware]: https://github.com/NixOS/nixos-hardware
|
|
@ -1,10 +0,0 @@
|
|||
# Key Concepts
|
||||
|
||||
Key concepts are derived from [digga][digga]. Please refer to its
|
||||
[docs][digga-docs] for more details.
|
||||
|
||||
This section is dedicated to helping you develop a more hands on
|
||||
understanding of them them.
|
||||
|
||||
[digga-docs]: https://digga.divnix.com
|
||||
[digga]: https://github.com/divnix/digga
|
|
@ -1,42 +0,0 @@
|
|||
# Overrides
|
||||
Each NixOS host follows one channel. But many times it is useful to get packages
|
||||
or modules from different channels.
|
||||
|
||||
## Packages
|
||||
You can make use of `overlays/overrides.nix` to override specific packages in the
|
||||
default channel to be pulled from other channels. That file is simply an example
|
||||
of how any overlay can get `channels` as their first argument.
|
||||
|
||||
You can add overlays to any channel to override packages from other channels.
|
||||
|
||||
Pulling the manix package from the `latest` channel:
|
||||
```nix
|
||||
channels: final: prev: {
|
||||
__dontExport = true;
|
||||
inherit (pkgs.latest) manix;
|
||||
}
|
||||
```
|
||||
|
||||
It is recommended to set the `__dontExport` property for override specific
|
||||
overlays. `overlays/overrides.nix` is the best place to consolidate all package
|
||||
overrides and the property is already set for you.
|
||||
|
||||
## Modules
|
||||
|
||||
You can also pull modules from other channels. All modules have access to the
|
||||
`modulesPath` for each channel as `<channelName>ModulesPath`. And you can use
|
||||
`disabledModules` to remove modules from the current channel.
|
||||
|
||||
To pull zsh module from the `latest` channel this code can be placed in any module, whether its your host file, a profile, or a module in ./modules etc:
|
||||
```nix
|
||||
{ latestModulesPath }:
|
||||
{
|
||||
imports = [ "${latestModulesPath}/programs/zsh/zsh.nix" ];
|
||||
disabledModules = [ "programs/zsh/zsh.nix" ];
|
||||
}
|
||||
```
|
||||
|
||||
> ##### _Note:_
|
||||
> Sometimes a modules name will change from one branch to another.
|
||||
|
||||
[nixpkgs-modules]: https://github.com/NixOS/nixpkgs/tree/master/nixos/modules
|
|
@ -1,67 +0,0 @@
|
|||
# Profiles
|
||||
|
||||
Profiles are a convenient shorthand for the [_definition_][definition] of
|
||||
[options][options] in contrast to their [_declaration_][declaration]. They're
|
||||
built into the NixOS module system for a reason: to elegantly provide a clear
|
||||
separation of concerns.
|
||||
|
||||
## Creation
|
||||
Profiles are created with the `rakeLeaves` function which recursively collects
|
||||
`.nix` files from within a folder. The recursion stops at folders with a `default.nix`
|
||||
in them. You end up with an attribute set with leaves(paths to profiles) or
|
||||
nodes(attrsets leading to more nodes or leaves).
|
||||
|
||||
A profile is used for quick modularization of [interelated bits](./profiles.md#subprofiles).
|
||||
|
||||
> ##### _Notes:_
|
||||
> * For _declaring_ module options, there's the [modules](../outputs/modules.md) directory.
|
||||
> * This directory takes inspiration from
|
||||
> [upstream](https://github.com/NixOS/nixpkgs/tree/master/nixos/modules/profiles)
|
||||
> .
|
||||
|
||||
### Nested profiles
|
||||
Profiles can be nested in attribute sets due to the recursive nature of `rakeLeaves`.
|
||||
This can be useful to have a set of profiles created for a specific purpose. It is
|
||||
sometimes useful to have a `common` profile that has high level concerns related
|
||||
to all its sister profiles.
|
||||
|
||||
### Example
|
||||
|
||||
profiles/develop/common.nix:
|
||||
```nix
|
||||
{
|
||||
imports = [ ./zsh ];
|
||||
# some generic development concerns ...
|
||||
}
|
||||
```
|
||||
|
||||
profiles/develop/zsh.nix:
|
||||
```nix
|
||||
{ ... }:
|
||||
{
|
||||
programs.zsh.enable = true;
|
||||
# zsh specific options ...
|
||||
}
|
||||
```
|
||||
|
||||
The examples above will end up with a profiles set like this:
|
||||
```nix
|
||||
{
|
||||
develop = {
|
||||
common = ./profiles/develop/common.nix;
|
||||
zsh = ./profiles/develop/zsh.nix;
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
## Conclusion
|
||||
Profiles are the most important concept in DevOS. They allow us to keep our
|
||||
Nix expressions self contained and modular. This way we can maximize reuse
|
||||
across hosts while minimizing boilerplate. Remember, anything machine
|
||||
specific belongs in your [host](hosts.md) files instead.
|
||||
|
||||
[definition]: https://nixos.org/manual/nixos/stable/index.html#sec-option-definitions
|
||||
[declaration]: https://nixos.org/manual/nixos/stable/index.html#sec-option-declarations
|
||||
[options]: https://nixos.org/manual/nixos/stable/index.html#sec-writing-modules
|
||||
[spec]: https://github.com/divnix/devos/tree/core/lib/devos/mkProfileAttrs.nix
|
||||
[config]: https://nixos.wiki/wiki/Module#structure
|
|
@ -1,25 +0,0 @@
|
|||
# Suites
|
||||
Suites provide a mechanism for users to easily combine and name collecitons of
|
||||
profiles.
|
||||
|
||||
`suites` are defined in the `importables` argument in either the `home` or `nixos`
|
||||
namespace. They are a special case of an `importable` which get passed as a special
|
||||
argument (one that can be use in an `imports` line) to your hosts. All lists defined
|
||||
in `suites` are flattened and type-checked as paths.
|
||||
|
||||
## Definition
|
||||
```nix
|
||||
rec {
|
||||
workstation = [ profiles.develop profiles.graphical users.nixos ];
|
||||
mobileWS = workstation ++ [ profiles.laptop ];
|
||||
}
|
||||
```
|
||||
|
||||
## Usage
|
||||
`hosts/my-laptop.nix`:
|
||||
```nix
|
||||
{ suites, ... }:
|
||||
{
|
||||
imports = suites.mobileWS;
|
||||
}
|
||||
```
|
|
@ -1,77 +0,0 @@
|
|||
> ##### _Note:_
|
||||
> This section and its semantics need a conceptiual rework.
|
||||
> Since recently [portable home configurations][portableuser]
|
||||
> that are not bound to any specific host are a thing.
|
||||
|
||||
# Users
|
||||
|
||||
Users are a special case of [profiles](profiles.md) that define system
|
||||
users and [home-manager][home-manager] configurations. For your convenience,
|
||||
home manager is wired in by default so all you have to worry about is declaring
|
||||
your users. For a fully fleshed out example, check out the developers personal
|
||||
[branch](https://github.com/divnix/devos/tree/nrd/users/nrd/default.nix).
|
||||
|
||||
## Basic Usage
|
||||
`users/myuser/default.nix`:
|
||||
```nix
|
||||
{ ... }:
|
||||
{
|
||||
users.users.myuser = {
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
||||
home-manager.users.myuser = {
|
||||
programs.mpv.enable = true;
|
||||
};
|
||||
}
|
||||
|
||||
```
|
||||
|
||||
## Home Manager
|
||||
Home Manager support follows the same principles as regular nixos configurations,
|
||||
it even gets its own namespace in your `flake.nix` as `home`.
|
||||
|
||||
All modules defined in [user modules][modules-list] will be imported to
|
||||
Home Manager.
|
||||
User profiles can be collected in a similar fashion as system ones into a `suites`
|
||||
argument that gets passed to your home-manager users.
|
||||
|
||||
### Example
|
||||
```nix
|
||||
{
|
||||
home-manager.users.nixos = { suites, ... }: {
|
||||
imports = suites.base;
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
## External Usage
|
||||
You can easily use the defined home-manager configurations outside of NixOS
|
||||
using the `homeConfigurations` flake output. The [flk](../flk/index.md) helper
|
||||
script makes this even easier.
|
||||
|
||||
This is great for keeping your environment consistent across Unix systems,
|
||||
including OSX.
|
||||
|
||||
### From within the projects devshell:
|
||||
```sh
|
||||
# builds the nixos user defined in the NixOS host
|
||||
flk home NixOS nixos
|
||||
|
||||
# build and activate
|
||||
flk home NixOS nixos switch
|
||||
```
|
||||
|
||||
### Manually from outside the project:
|
||||
```sh
|
||||
# build
|
||||
nix build "github:divnix/devos#homeConfigurations.nixos@NixOS.home.activationPackage"
|
||||
|
||||
# activate
|
||||
./result/activate && unlink result
|
||||
```
|
||||
|
||||
[home-manager]: https://nix-community.github.io/home-manager
|
||||
[modules-list]: https://github.com/divnix/devos/tree/core/users/modules/module-list.nix
|
||||
[portableuser]: https://digga.divnix.com/api-reference-home.html#homeusers
|
|
@ -1,17 +0,0 @@
|
|||
# Cachix
|
||||
The system will automatically pull a cachix.nix at the root if one exists.
|
||||
This is usually created automatically by a `sudo cachix use`. If you're more
|
||||
inclined to keep the root clean, you can drop any generated files in the
|
||||
`cachix` directory into the `profiles/cachix` directory without further
|
||||
modification.
|
||||
|
||||
For example, to add your own cache, assuming the template lives in /etc/nixos,
|
||||
by simply running `sudo cachix use yourcache`. Then, optionally, move
|
||||
`cachix/yourcache.nix` to `profiles/cachix/yourcache.nix`
|
||||
|
||||
These caches are only added to the system after a `nixos-rebuild switch`, so it
|
||||
is recommended to call `cachix use nrdxp` before the initial deployment, as it
|
||||
will save a lot of build time.
|
||||
|
||||
In the future, users will be able to skip this step once the ability to define
|
||||
the nix.conf within the flake is fully fleshed out upstream.
|
|
@ -1,49 +0,0 @@
|
|||
# deploy-rs
|
||||
[Deploy-rs][d-rs] is a tool for managing NixOS remote machines. It was
|
||||
chosen for devos after the author experienced some frustrations with the
|
||||
stateful nature of nixops' db. It was also designed from scratch to support
|
||||
flake based deployments, and so is an excellent tool for the job.
|
||||
|
||||
By default, all the [hosts](../concepts/hosts.md) are also available as deploy-rs nodes,
|
||||
configured with the hostname set to `networking.hostName`; overridable via
|
||||
the command line.
|
||||
|
||||
## Usage
|
||||
|
||||
Just add your ssh key to the host:
|
||||
```nix
|
||||
{ ... }:
|
||||
{
|
||||
users.users.${sshUser}.openssh.authorizedKeys.keyFiles = [
|
||||
../secrets/path/to/key.pub
|
||||
];
|
||||
}
|
||||
```
|
||||
|
||||
And the private key to your user:
|
||||
```nix
|
||||
{ ... }:
|
||||
{
|
||||
home-manager.users.${sshUser}.programs.ssh = {
|
||||
enable = true;
|
||||
|
||||
matchBlocks = {
|
||||
${host} = {
|
||||
host = hostName;
|
||||
identityFile = ../secrets/path/to/key;
|
||||
extraOptions = { AddKeysToAgent = "yes"; };
|
||||
};
|
||||
};
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
And run the deployment:
|
||||
```sh
|
||||
deploy "flk#hostName" --hostname host.example.com
|
||||
```
|
||||
|
||||
> ##### _Note:_
|
||||
> Your user will need **passwordless** sudo access
|
||||
|
||||
[d-rs]: https://github.com/serokell/deploy-rs
|
|
@ -1,36 +0,0 @@
|
|||
# Hercules CI
|
||||
If you start adding your own packages and configurations, you'll probably have
|
||||
at least a few binary artifacts. With hercules we can build every package in
|
||||
our configuration automatically, on every commit. Additionally, we can have it
|
||||
upload all our build artifacts to a binary cache like [cachix][cachix].
|
||||
|
||||
This will work whether your copy is a fork, or a bare template, as long as your
|
||||
repo is hosted on GitHub.
|
||||
|
||||
## Setup
|
||||
Just head over to [hercules-ci.com](https://hercules-ci.com) to make an account.
|
||||
|
||||
Then follow the docs to set up an [agent][agent], if you want to deploy to a
|
||||
binary cache (and of course you do), be sure _not_ to skip the
|
||||
[binary-caches.json][cache].
|
||||
|
||||
## Ready to Use
|
||||
The repo is already set up with the proper _default.nix_ file, building all
|
||||
declared packages, checks, profiles and shells. So you can see if something
|
||||
breaks, and never build the same package twice!
|
||||
|
||||
If you want to get fancy, you could even have hercules
|
||||
[deploy your configuration](https://docs.hercules-ci.com/hercules-ci-effects/guide/deploy-a-nixos-machine/)!
|
||||
|
||||
> ##### _Note:_
|
||||
> Hercules doesn't have access to anything encrypted in the
|
||||
> [secrets folder](../../secrets), so none of your secrets will accidentally get
|
||||
> pushed to a cache by mistake.
|
||||
>
|
||||
> You could pull all your secrets via your user, and then exclude it from
|
||||
> [allUsers](https://github.com/nrdxp/devos/blob/nrd/suites/default.nix#L17)
|
||||
> to keep checks passing.
|
||||
|
||||
[agent]: https://docs.hercules-ci.com/hercules-ci/getting-started/#github
|
||||
[cache]: https://docs.hercules-ci.com/hercules-ci/getting-started/deploy/nixos/#_3_configure_a_binary_cache
|
||||
[cachix]: https://cachix.org
|
|
@ -1,5 +0,0 @@
|
|||
# Integrations
|
||||
This section explores some of the optional tools included with devos to provide
|
||||
a solution to common concerns such as ci and remote deployment. An effort is
|
||||
made to choose tools that treat nix, and where possible flakes, as first class
|
||||
citizens.
|
|
@ -1,43 +0,0 @@
|
|||
# nvfetcher
|
||||
[NvFetcher][nvf] is a workflow companion for updating nix sources.
|
||||
|
||||
You can specify an origin source and an update configuration, and
|
||||
nvfetcher can for example track updates to a specific branch and
|
||||
automatically update your nix sources configuration on each run
|
||||
to the tip of that branch.
|
||||
|
||||
All package source declaration is done in [sources.toml][sources.toml].
|
||||
|
||||
From within the devshell of this repo, run `nvfetcher`, a wrapped
|
||||
version of `nvfetcher` that knows where to find and place its files
|
||||
and commit the results.
|
||||
|
||||
## Usage
|
||||
|
||||
Statically fetching (not tracking) a particular tag from a github repo:
|
||||
```toml
|
||||
[manix]
|
||||
src.manual = "v0.6.3"
|
||||
fetch.github = "mlvzk/manix"
|
||||
```
|
||||
|
||||
Tracking the latest github _release_ from a github repo:
|
||||
```toml
|
||||
[manix]
|
||||
src.github = "mlvzk/manix" # responsible for tracking
|
||||
fetch.github = "mlvzk/manix" # responsible for fetching
|
||||
```
|
||||
|
||||
Tracking the latest commit of a git repository and fetch from a git repo:
|
||||
```toml
|
||||
[manix]
|
||||
src.git = "https://github.com/mlvzk/manix.git" # responsible for tracking
|
||||
fetch.git = "https://github.com/mlvzk/manix.git" # responsible for fetching
|
||||
```
|
||||
|
||||
> ##### _Note:_
|
||||
> Please refer to the [NvFetcher Readme][nvf-readme] for more options.
|
||||
|
||||
[nvf]: https://github.com/berberman/nvfetcher
|
||||
[nvf-readme]: https://github.com/berberman/nvfetcher#readme
|
||||
[sources.toml]: https://github.com/divnix/devos/tree/core/pkgs/sources.toml
|
|
@ -1,3 +0,0 @@
|
|||
# Layout
|
||||
Each of the following sections is a directory whose contents are output to the
|
||||
outside world via the flake's outputs. Check each chapter for details.
|
|
@ -1,79 +0,0 @@
|
|||
# Modules
|
||||
The modules directory is a replica of nixpkg's NixOS [modules][nixpkgs-modules]
|
||||
, and follows the same semantics. This allows for trivial upstreaming into
|
||||
nixpkgs proper once your module is sufficiently stable.
|
||||
|
||||
All modules linked in _module-list.nix_ are automatically exported via
|
||||
`nixosModules.<file-basename>`, and imported into all [hosts](../concepts/hosts.md).
|
||||
|
||||
|
||||
> ##### _Note:_
|
||||
> This is reserved for declaring brand new module options. If you just want to
|
||||
> declare a coherent configuration of already existing and related NixOS options
|
||||
> , use [profiles](../concepts/profiles.md) instead.
|
||||
|
||||
## Semantics
|
||||
In case you've never written a module for nixpkgs before, here is a brief
|
||||
outline of the process.
|
||||
|
||||
### Declaration
|
||||
modules/services/service-category/my-service.nix:
|
||||
```nix
|
||||
{ config, lib, ... }:
|
||||
let
|
||||
cfg = config.services.myService;
|
||||
in
|
||||
{
|
||||
options.services.myService = {
|
||||
enable = lib.mkEnableOption "Description of my new service.";
|
||||
|
||||
# additional options ...
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# implementation ...
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
### Import
|
||||
modules/module-list.nix:
|
||||
```nix
|
||||
[
|
||||
./services/service-category/my-service.nix
|
||||
]
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
### Internal
|
||||
profiles/profile-category/my-profile.nix:
|
||||
```nix
|
||||
{ ... }:
|
||||
{
|
||||
services.MyService.enable = true;
|
||||
}
|
||||
```
|
||||
|
||||
### External
|
||||
flake.nix:
|
||||
```nix
|
||||
{
|
||||
# inputs omitted
|
||||
|
||||
outputs = { self, devos, nixpkgs, ... }: {
|
||||
nixosConfigurations.myConfig = nixpkgs.lib.nixosSystem {
|
||||
system = "...";
|
||||
|
||||
modules = [
|
||||
devos.nixosModules.my-service
|
||||
({ ... }: {
|
||||
services.MyService.enable = true;
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
[nixpkgs-modules]: https://github.com/NixOS/nixpkgs/tree/master/nixos/modules
|
|
@ -1,25 +0,0 @@
|
|||
# Overlays
|
||||
Writing overlays is a common occurence when using a NixOS system. Therefore,
|
||||
we want to keep the process as simple and straightforward as possible.
|
||||
|
||||
Any _.nix_ files declared in this directory will be assumed to be a valid
|
||||
overlay, and will be automatically imported into all [hosts](../concepts/hosts.md), and
|
||||
exported via `overlays.<channel>/<pkgName>` _as well as_
|
||||
`packages.<system>.<pkgName>` (for valid systems), so all you have to do is
|
||||
write it.
|
||||
|
||||
## Example
|
||||
overlays/kakoune.nix:
|
||||
```nix
|
||||
final: prev: {
|
||||
kakoune = prev.kakoune.override {
|
||||
configure.plugins = with final.kakounePlugins; [
|
||||
(kak-fzf.override { fzf = final.skim; })
|
||||
kak-auto-pairs
|
||||
kak-buffers
|
||||
kak-powerline
|
||||
kak-vertical-selection
|
||||
];
|
||||
};
|
||||
}
|
||||
```
|
|
@ -1,54 +0,0 @@
|
|||
# Packages
|
||||
Similar to [modules](./modules.md), the pkgs directory mirrors the upstream
|
||||
[nixpkgs/pkgs][pkgs], and for the same reason; if you ever want to upstream
|
||||
your package, it's as simple as dropping it into the nixpkgs/pkgs directory.
|
||||
|
||||
The only minor difference is that, instead of adding the `callPackage` call to
|
||||
`all-packages.nix`, you just add it the the _default.nix_ in this directory,
|
||||
which is defined as a simple overlay.
|
||||
|
||||
All the packages are exported via `packages.<system>.<pkg-name>`, for all
|
||||
the supported systems listed in the package's `meta.platforms` attribute.
|
||||
|
||||
And, as usual, every package in the overlay is also available to any NixOS
|
||||
[host](../concepts/hosts.md).
|
||||
|
||||
## Example
|
||||
pkgs/development/libraries/libinih/default.nix:
|
||||
```nix
|
||||
{ stdenv, meson, ninja, lib, srcs, ... }:
|
||||
let inherit (srcs) libinih; in
|
||||
stdenv.mkDerivation {
|
||||
pname = "libinih";
|
||||
|
||||
# version will resolve to 53, as specified in the final example below
|
||||
inherit (libinih) version;
|
||||
|
||||
src = libinih;
|
||||
|
||||
buildInputs = [ meson ninja ];
|
||||
|
||||
# ...
|
||||
}
|
||||
```
|
||||
|
||||
pkgs/default.nix:
|
||||
```nix
|
||||
final: prev: {
|
||||
libinih = prev.callPackage ./development/libraries/libinih { };
|
||||
}
|
||||
```
|
||||
|
||||
pkgs/flake.nix:
|
||||
```nix
|
||||
{
|
||||
description = "Package sources";
|
||||
|
||||
inputs = {
|
||||
libinih.url = "github:benhoyt/inih/r53";
|
||||
libinih.flake = false;
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
[pkgs]: https://github.com/NixOS/nixpkgs/tree/master/pkgs
|
110
doc/secrets.md
110
doc/secrets.md
|
@ -1,110 +0,0 @@
|
|||
# Secrets
|
||||
Secrets are managed using [git-crypt][git-crypt] and [agenix][agenix]
|
||||
so you can keep your flake in a public repository like GitHub without
|
||||
exposing your password or other sensitive data.
|
||||
|
||||
By default, everything in the secrets folder is automatically encrypted. Just
|
||||
be sure to run `git-crypt init` before putting anything in here.
|
||||
|
||||
## Agenix
|
||||
Currently, there is [no mechanism][secrets-issue] in nix itself to deploy secrets
|
||||
within the nix store because it is world-readable.
|
||||
|
||||
Most NixOS modules have the ability to set options to files in the system, outside
|
||||
the nix store, that contain sensitive information. You can use [agenix][agenix]
|
||||
to easily setup those secret files declaratively.
|
||||
|
||||
[agenix][agenix] encrypts secrets and stores them as .age files in your repository.
|
||||
Age files are encrypted with multiple ssh public keys, so any host or user with a
|
||||
matching ssh private key can read the data. The [age module][age module] will add those
|
||||
encrypted files to the nix store and decrypt them on activation to `/run/secrets`.
|
||||
|
||||
### Setup
|
||||
All hosts must have openssh enabled, this is done by default in the core profile.
|
||||
|
||||
You need to populate your `secrets/secrets.nix` with the proper ssh public keys.
|
||||
Be extra careful to make sure you only add public keys, you should never share a
|
||||
private key!!
|
||||
|
||||
secrets/secrets.nix:
|
||||
```nix
|
||||
let
|
||||
system = "<system ssh key>";
|
||||
user = "<user ssh key>";
|
||||
allKeys = [ system user ];
|
||||
in
|
||||
```
|
||||
|
||||
On most systems, you can get your systems ssh public key from `/etc/ssh/ssh_host_ed25519_key.pub`. If
|
||||
this file doesn't exist you likely need to enable openssh and rebuild your system.
|
||||
|
||||
Your users ssh public key is probably stored in `~/.ssh/id_ed25519.pub` or
|
||||
`~/.ssh/id_rsa.pub`. If you haven't generated a ssh key yet, be sure do so:
|
||||
```sh
|
||||
ssh-keygen -t ed25519
|
||||
```
|
||||
|
||||
> ##### _Note:_
|
||||
> The underlying tool used by agenix, rage, doesn't work well with password protected
|
||||
> ssh keys. So if you have lots of secrets you might have to type in your password many
|
||||
> times.
|
||||
|
||||
|
||||
### Secrets
|
||||
You will need the `agenix` command to create secrets. DevOS conveniently provides that
|
||||
in the devShell, so just run `nix develop` whenever you want to edit secrets. Make sure
|
||||
to always run `agenix` while in the `secrets/` folder, so it can pick up your `secrets.nix`.
|
||||
|
||||
To create secrets, simply add lines to your `secrets/secrets.nix`:
|
||||
```
|
||||
let
|
||||
...
|
||||
allKeys = [ system user ];
|
||||
in
|
||||
{
|
||||
"secret.age".publicKeys = allKeys;
|
||||
}
|
||||
```
|
||||
That would tell agenix to create a `secret.age` file that is encrypted with the `system`
|
||||
and `user` ssh public key.
|
||||
|
||||
Then go into the `secrets` folder and run:
|
||||
```sh
|
||||
agenix -e secret.age
|
||||
```
|
||||
This will create the `secret.age`, if it doesn't already exist, and allow you to edit it.
|
||||
|
||||
If you ever change the `publicKeys` entry of any secret make sure to rekey the secrets:
|
||||
```sh
|
||||
agenix --rekey
|
||||
```
|
||||
|
||||
### Usage
|
||||
Once you have your secret file encrypted and ready to use, you can utilize the [age module][age module]
|
||||
to ensure that your secrets end up in `/run/secrets`.
|
||||
|
||||
In any profile that uses a NixOS module that requires a secret you can enable a particular secret like so:
|
||||
|
||||
```nix
|
||||
{ self, ... }:
|
||||
{
|
||||
age.secrets.mysecret.file = "${self}/secrets/mysecret.age";
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
Then you can just pass the path `/run/secrets/mysecret` to the module.
|
||||
|
||||
You can make use of the many options provided by the age module to customize where and how
|
||||
secrets get decrypted. You can learn about them by looking at the
|
||||
[age module][age module].
|
||||
|
||||
|
||||
> ##### _Note:_
|
||||
> You can take a look at the [agenix repository][agenix] for more information
|
||||
> about the tool.
|
||||
|
||||
[git-crypt]: https://github.com/AGWA/git-crypt
|
||||
[agenix]: https://github.com/ryantm/agenix
|
||||
[age module]: https://github.com/ryantm/agenix/blob/master/modules/age.nix
|
||||
[secrets-issue]: https://github.com/NixOS/nix/issues/8
|
|
@ -1,99 +0,0 @@
|
|||
# Bootstrapping
|
||||
|
||||
This will help you boostrap a bare host with the help of the
|
||||
[bespoke iso](./iso.md) live installer.
|
||||
|
||||
_Note: nothing prevents you from remotely executing the boostrapping
|
||||
process. See below._
|
||||
|
||||
Once your target host has booted into the live iso, you need to partion
|
||||
and format your disk according to the [official manual][manual].
|
||||
|
||||
## Mount partitions
|
||||
|
||||
Then properly mount the formatted partitions at `/mnt`, so that you can
|
||||
install your system to those new partitions.
|
||||
|
||||
Mount `nixos` partition to `/mnt` and — for UEFI — `boot`
|
||||
partition to `/mnt/boot`:
|
||||
|
||||
```console
|
||||
$ mount /dev/disk/by-label/nixos /mnt
|
||||
$ mkdir -p /mnt/boot && mount /dev/disk/by-label/boot /mnt/boot # UEFI only
|
||||
$ swapon /dev/$your_swap_partition
|
||||
```
|
||||
|
||||
## Install
|
||||
|
||||
Install using the `flk` wrapper baked into the iso off of a copy of devos
|
||||
from the time the iso was built:
|
||||
|
||||
```console
|
||||
$ cd /iso/devos
|
||||
$ nix develop
|
||||
$ flk install NixOS --impure # use same host as above
|
||||
```
|
||||
|
||||
<!-- TODO: find out why --impure is necesary / PRs welcome! -->
|
||||
|
||||
## Notes of interest
|
||||
|
||||
### Remote access to the live installer
|
||||
|
||||
The iso live installer comes preconfigured with a network configuration
|
||||
which announces it's hostname via [MulticastDNS][mDNS] as `hostname.local`,
|
||||
that is `NixOS.local` in the [iso example](./iso).
|
||||
|
||||
In the rare case that [MulticastDNS][mDNS] is not availabe or turned off
|
||||
in your network, there is a static link-local IPv6 address configured to
|
||||
`fe80::47`(mnemonic from the letter's position in the english alphabet:
|
||||
`n=14 i=9 x=24; 47 = n+i+x`).
|
||||
|
||||
Provided that you have added your public key to the authorized keys of the
|
||||
`root` user _(hint: [`deploy-rs`](../integrations/deploy.md) needs passwordless
|
||||
sudo access)_:
|
||||
|
||||
```nix
|
||||
{ ... }:
|
||||
{
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
../secrets/path/to/key.pub
|
||||
];
|
||||
}
|
||||
```
|
||||
|
||||
You can then ssh into the live installer through one of the
|
||||
following options:
|
||||
|
||||
```console
|
||||
ssh root@NixOS.local
|
||||
|
||||
ssh root@fe80::47%eno1 # where eno1 is your network interface on which you are linked to the target
|
||||
```
|
||||
|
||||
_Note: the [static link-local IPv6 address][staticLLA] and [MulticastDNS][mDNS] is only
|
||||
configured on the live installer. If you wish to enable [MulticastDNS][mDNS]
|
||||
for your environment, you ought to configure that in a regular [profile](../concepts/profiles.md)._
|
||||
|
||||
### EUI-64 LLA & Host Identity
|
||||
|
||||
The iso's IPv6 Link Local Address (LLA) is configured with a static 64-bit Extended
|
||||
Unique Identifiers (EUI-64) that is derived from the host interface's Message
|
||||
Authentication Code (MAC) address.
|
||||
|
||||
After a little while (a few seconds), you can remotely discover this unique and host
|
||||
specific address over [NDP][NDP] for example with:
|
||||
|
||||
```console
|
||||
ip -6 neigh show # also shows fe80::47
|
||||
```
|
||||
|
||||
***This LLA is stable for the host, unless you need to swap that particular network card.***
|
||||
Under this reservation, though, you may use this EUI-64 to wire up a specific
|
||||
(cryptographic) host identity.
|
||||
|
||||
|
||||
[manual]: https://nixos.org/manual/nixos/stable/index.html#sec-installation-partitioning
|
||||
[mDNS]: https://en.wikipedia.org/wiki/Multicast_DNS
|
||||
[NDP]: https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
|
||||
[staticLLA]: https://tools.ietf.org/html/rfc7404
|
|
@ -1,54 +0,0 @@
|
|||
# From NixOS
|
||||
|
||||
## Generate Configuration
|
||||
Assuming you're happy with your existing partition layout, you can generate a
|
||||
basic NixOS configuration for your system using:
|
||||
```sh
|
||||
flk up
|
||||
```
|
||||
|
||||
This will make a new file `hosts/up-$(hostname).nix`, which you can edit to
|
||||
your liking.
|
||||
|
||||
You must then add a host to `nixos.hosts` in flake.nix:
|
||||
```nix
|
||||
{
|
||||
nixos.hosts = {
|
||||
modules = hosts/NixOS.nix;
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
Make sure your `i18n.defaultLocale` and `time.timeZone` are set properly for
|
||||
your region. Keep in mind that `networking.hostName` will be automatically
|
||||
set to the name of your host;
|
||||
|
||||
Now might be a good time to read the docs on [suites](../concepts/suites.md) and
|
||||
[profiles](../concepts/profiles.md) and add or create any that you need.
|
||||
|
||||
> ##### _Note:_
|
||||
> While the `up` sub-command is provided as a convenience to quickly set up and
|
||||
> install a "fresh" NixOS system on current hardware, committing these files is
|
||||
> discouraged.
|
||||
>
|
||||
> They are placed in the git staging area automatically because they would be
|
||||
> invisible to the flake otherwise, but it is best to move what you need from
|
||||
> them directly into a host module of your own making, and commit that instead.
|
||||
# Installation
|
||||
|
||||
Once you're ready to deploy `hosts/my-host.nix`:
|
||||
```sh
|
||||
flk my-host switch
|
||||
```
|
||||
|
||||
|
||||
This calls `nixos-rebuild` with sudo to build and install your configuration.
|
||||
|
||||
> ##### _Notes:_
|
||||
> - Instead of `switch`, you can pass `build`, `test`, `boot`, etc just as with
|
||||
> `nixos-rebuild`.
|
||||
>
|
||||
> - It is convenient to have the template living at `/etc/nixos` so you can
|
||||
> simply `sudo nixos-rebuild switch` from anywhere on the system, but it is
|
||||
> not required.
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
# Quick Start
|
||||
The only dependency is nix, so make sure you have it [installed][install-nix].
|
||||
|
||||
## Get the Template
|
||||
Here is a snippet that will get you the template without the git history:
|
||||
```sh
|
||||
nix-shell -p cachix --run "cachix use nrdxp"
|
||||
|
||||
nix-shell https://github.com/divnix/devos/archive/core.tar.gz -A shell \
|
||||
--run "flk get core"
|
||||
|
||||
cd flk
|
||||
|
||||
nix-shell
|
||||
|
||||
git init
|
||||
git add .
|
||||
git commit -m init
|
||||
```
|
||||
|
||||
This will place you in a new folder named `flk` with git initialized, and a
|
||||
nix-shell that provides all the dependencies, including the unstable nix
|
||||
version required.
|
||||
|
||||
In addition, the [binary cache](../integrations/cachix.md) is added for faster deployment.
|
||||
|
||||
> ##### _Notes:_
|
||||
> - Flakes ignore files that have not been added to git, so be sure to stage new
|
||||
> files before building the system.
|
||||
> - You can choose to simply clone the repo with git if you want to follow
|
||||
> upstream changes.
|
||||
> - If the `nix-shell -p cachix --run "cachix use nrdxp"` line doesn't work
|
||||
> you can try with sudo: `sudo nix-shell -p cachix --run "cachix use nrdxp"`
|
||||
|
||||
## Next Steps:
|
||||
- [Make installable ISO](./iso.md)
|
||||
- [Bootstrap Host](./bootstrapping.md)
|
||||
- [Already on NixOS](./from-nixos.md)
|
||||
|
||||
|
||||
[install-nix]: https://nixos.org/manual/nix/stable/#sect-multi-user-installation
|
|
@ -1,24 +0,0 @@
|
|||
# ISO
|
||||
|
||||
Making and writing an installable iso for `hosts/NixOS.nix` is as simple as:
|
||||
```sh
|
||||
bud build NixOS bootstrapIso
|
||||
|
||||
dd bs=4M if=result/iso/*.iso of=/dev/$your_installation_device \
|
||||
status=progress oflag=sync
|
||||
```
|
||||
|
||||
This works for any host.
|
||||
|
||||
## ISO image nix store & cache
|
||||
|
||||
The iso image holds the store to the live environment and _also_ acts as a binary cache
|
||||
to the installer. To considerably speed up things, the image already includes all flake
|
||||
`inputs` as well as the `devshell` closures.
|
||||
|
||||
While you _could_ provision any machine with a single stick, a custom-made iso for
|
||||
the host you want to install DevOS to, maximises those local cache hits.
|
||||
|
||||
For hosts that don't differ too much, a single usb stick might be ok, whereas when
|
||||
there are bigger differences, a custom-made usb stick will be considerably faster.
|
||||
|
33
doc/tests.md
33
doc/tests.md
|
@ -1,33 +0,0 @@
|
|||
# Testing
|
||||
|
||||
Testing is always an important aspect of any software development project, and
|
||||
NixOS offers some incredibly powerful tools to write tests for your
|
||||
configuration, and, optionally, run them in
|
||||
[CI](./integrations/hercules.md).
|
||||
|
||||
## Unit Tests
|
||||
Unit tests can be created from regular derivations, and they can do
|
||||
almost anything you can imagine. By convention, it is best to test your
|
||||
packages during their [check phase][check]. All packages and their tests will
|
||||
be built during CI.
|
||||
|
||||
## Integration Tests
|
||||
All your profiles defined in suites will be tested in a NixOS VM.
|
||||
|
||||
You can write integration tests for one or more NixOS VMs that can,
|
||||
optionally, be networked together, and yes, it's as awesome as it sounds!
|
||||
|
||||
Be sure to use the `mkTest` function from digga, `digga.lib.pkgs-lib.mkTest`
|
||||
which wraps the official [testing-python][testing-python] function to ensure
|
||||
that the system is setup exactly as it is for a bare DevOS system. There are
|
||||
already great resources for learning how to use these tests effectively,
|
||||
including the official [docs][test-doc], a fantastic [blog post][test-blog],
|
||||
and the examples in [nixpkgs][nixos-tests].
|
||||
|
||||
[test-doc]: https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests
|
||||
[test-blog]: https://www.haskellforall.com/2020/11/how-to-use-nixos-for-lightweight.html
|
||||
[default]: https://github.com/divnix/devos/tree/core/tests/default.nix
|
||||
[run-test]: https://github.com/NixOS/nixpkgs/blob/6571462647d7316aff8b8597ecdf5922547bf365/lib/debug.nix#L154-L166
|
||||
[nixos-tests]: https://github.com/NixOS/nixpkgs/tree/master/nixos/tests
|
||||
[testing-python]: https://github.com/NixOS/nixpkgs/tree/master/nixos/lib/testing-python.nix
|
||||
[check]: https://nixos.org/manual/nixpkgs/stable/#ssec-check-phase
|
6
doc/theme/highlight.js
vendored
6
doc/theme/highlight.js
vendored
File diff suppressed because one or more lines are too long
Loading…
Reference in a new issue