From 87ead51331bc57326882055e1635a84c2d409af7 Mon Sep 17 00:00:00 2001 From: Ben Sima Date: Fri, 20 Dec 2024 13:57:22 -0500 Subject: Create a bootstrap image for Digital Ocean droplets I need a way to reliably get a NixOS VM provisioned in the cloud, and the easiest way to do this is to create a qcow2 image, upload it to Digital Ocean, and use that to start a droplet. This is very much a manual process, but that's fine, I shouldn't need to do it very often (for now). --- Omni/Bild.hs | 1 + Omni/Bild.nix | 9 +++++++++ Omni/Cloud.nix | 2 +- Omni/Dev/Beryllium.nix | 2 +- Omni/Dev/Lithium.nix | 2 +- Omni/Os/Base.nix | 35 +++++++++++++++++++++++++++++++++++ Omni/Os/Boot.nix | 14 ++++++++++++++ Omni/OsBase.nix | 42 ------------------------------------------ Omni/Packages.nix | 11 +++++++++++ 9 files changed, 73 insertions(+), 45 deletions(-) create mode 100644 Omni/Os/Base.nix create mode 100644 Omni/Os/Boot.nix delete mode 100644 Omni/OsBase.nix diff --git a/Omni/Bild.hs b/Omni/Bild.hs index 659619b..2d3d729 100644 --- a/Omni/Bild.hs +++ b/Omni/Bild.hs @@ -464,6 +464,7 @@ isBuildableNs = \case ["Omni", "Dev"], ["Omni", "Dev", "Lithium"], ["Omni", "Dev", "Beryllium"], + ["Omni", "Os", "Boot"], ["Biz", "Dragons", "Analysis"] ] diff --git a/Omni/Bild.nix b/Omni/Bild.nix index 90fa979..a7c4e32 100644 --- a/Omni/Bild.nix +++ b/Omni/Bild.nix @@ -240,6 +240,15 @@ let # build an operating system. 'cfg' is the NixOS config os = cfg: (stable.nixos (_args: cfg)).toplevel; + # build an os image for a digital ocean droplet + droplet = cfg: + (stable.nixos ({ modulesPath, ... }: { + imports = [ + "${toString modulesPath}/virtualisation/digital-ocean-image.nix" + (_args: cfg) + ]; + })).digitalOceanImage; + # build a docker image image = stable.dockerTools.buildImage; }; diff --git a/Omni/Cloud.nix b/Omni/Cloud.nix index 2ec801f..5111373 100644 --- a/Omni/Cloud.nix +++ b/Omni/Cloud.nix 
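Review bot: `droplet` wraps the whole digital-ocean-image module but pins none of its behaviour, so the image's first-boot semantics are whatever that module's defaults are in the pinned nixpkgs. As far as I recall that module also imports digital-ocean-config.nix, whose defaults install the droplet's metadata SSH keys into root's authorized_keys and can rewrite /etc/nixos/configuration.nix from the droplet user-data on first boot, both of which let the host be reconfigured from outside this repo; confirm against the pin. I'd set those options explicitly in the module list rather than inherit them, e.g. `virtualisation.digitalOcean.rebuildFromUserData = false;` next to `(_args: cfg)`, and add a comment above `droplet` naming the module it wraps and that the result is a qcow2 consumed by Omni/Os/Boot.nix.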
@@ -3,7 +3,7 @@ bild.os { imports = [ - ./OsBase.nix + ./Os/Base.nix ./Packages.nix ./Users.nix ./Cloud/Chat.nix diff --git a/Omni/Dev/Beryllium.nix b/Omni/Dev/Beryllium.nix index 82374c3..b9fe363 100644 --- a/Omni/Dev/Beryllium.nix +++ b/Omni/Dev/Beryllium.nix @@ -1,7 +1,7 @@ { bild }: bild.os { imports = [ - ../OsBase.nix + ../Os/Base.nix ../Packages.nix ../Users.nix ./Beryllium/Configuration.nix diff --git a/Omni/Dev/Lithium.nix b/Omni/Dev/Lithium.nix index 1716d51..9eb8304 100644 --- a/Omni/Dev/Lithium.nix +++ b/Omni/Dev/Lithium.nix @@ -3,7 +3,7 @@ bild.os { imports = [ - ../OsBase.nix + ../Os/Base.nix ../Packages.nix ../Users.nix ./Lithium/Configuration.nix diff --git a/Omni/Os/Base.nix b/Omni/Os/Base.nix new file mode 100644 index 0000000..8e301e1 --- /dev/null +++ b/Omni/Os/Base.nix 
@@ -0,0 +1,35 @@
+{ config, ... }:
+
+# This module defines common default settings that all OS builds should include.
+
+let ports = import ../Cloud/Ports.nix;
+in {
+ boot.tmp.cleanOnBoot = true;
+ networking.firewall.allowPing = true;
+ nix.settings.substituters =
+ [ "https://cache.nixos.org" ]; # "ssh://dev.simatime.com" ];
+ nix.gc.automatic = true;
+ nix.gc.dates = "Sunday 02:15";
+ nix.optimise.automatic = true;
+ nix.optimise.dates = [ "Sunday 02:30" ];
+ nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+ nix.settings.trusted-users = [ "ben" ];
+ programs.ccache.enable = true;
+ programs.mosh.enable = true;
+ programs.mosh.withUtempter = true;
+ security.acme.defaults.email = "ben@bsima.me";
+ security.acme.acceptTerms = true;
+ security.sudo.wheelNeedsPassword = false;
+ services.clamav.daemon.enable = true; # security
+ services.clamav.updater.enable = true; # security
+ services.fail2ban.enable = true; # security
+ services.fail2ban.ignoreIP = [ ports.bensIp ]; # my home IP
+ services.fail2ban.maxretry = 10;
+ services.openssh.enable = true;
+ services.openssh.openFirewall = true;
+ services.openssh.settings.X11Forwarding = true;
+ services.openssh.settings.PasswordAuthentication = false;
+ services.openssh.settings.PermitRootLogin = "prohibit-password";
+ system.autoUpgrade.enable = false; # 'true' breaks our nixpkgs pin
+ zramSwap.enable = true;
+}
diff --git a/Omni/Os/Boot.nix b/Omni/Os/Boot.nix
new file mode 100644
index 0000000..c789d89
--- /dev/null
+++ b/Omni/Os/Boot.nix
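Review bot: `services.openssh.settings.X11Forwarding = true;` and `security.sudo.wheelNeedsPassword = false;` are now inherited by the Digital Ocean bootstrap image as well, because Omni/Os/Boot.nix imports this module, and on a cloud VM X11 forwarding is unused SSH attack surface while passwordless sudo makes every wheel member's SSH key a root key. I'd flip the shared default to `services.openssh.settings.X11Forwarding = false;` and let the dev hosts that need it override it, and mark the sudo line with `# wheel == root with no password prompt: every wheel user's ssh key is a root key` so the trade-off is explicit rather than inherited. `nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];` also deserves a comment, since it maps the shared ccache directory into every build sandbox (presumably writable, as ccache needs it), so an untrusted derivation's build could poison cached objects reused by later builds; confirm that is acceptable on hosts that also act as deploy targets.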
@@ -0,0 +1,14 @@
+{ bild }:
+/* This target creates a qcow2 image of a barebones NixOS VM which should be used
+ to bootstrap a deployment target.
+
+ The workflow is like this:
+
+ - bild this, you get a qcow2 image
+ - go to https://cloud.digitalocean.com/images/custom_images
+ - upload the image
+ - start a new droplet with this image
+ - once fully provisioned and accessible via ssh, the new droplet can be a deploy
+ target for any other namespace
+*/
+bild.droplet { imports = [ ./Base.nix ../Users.nix ]; }
diff --git a/Omni/OsBase.nix b/Omni/OsBase.nix
deleted file mode 100644
index 3e69d8e..0000000
--- a/Omni/OsBase.nix
+++ /dev/null
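Review bot: The workflow comment never says how the first SSH login to the new droplet is authorised, which is the one thing a bootstrap image has to get right: ./Base.nix disables password authentication and limits root to key-based login, so access depends on the keys declared in ../Users.nix (not shown here) and, presumably, on whatever the Digital Ocean image module injects from droplet metadata; confirm which of the two you actually rely on. I'd add `- ssh access after first boot depends on the keys baked in via ../Users.nix; password login is disabled` to the list. It is also worth a line noting that the uploaded qcow2 is the long-lived trust anchor for every droplet started from it, so it should be rebuilt and re-uploaded when keys or the nixpkgs pin change instead of patching live droplets.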
@@ -1,42 +0,0 @@ -{ pkgs, config, ... }: -let ports = import ./Cloud/Ports.nix; -in { - boot.tmp.cleanOnBoot = true; - fonts.fonts = with pkgs; [ - google-fonts - mononoki - source-code-pro - fantasque-sans-mono - hack-font - fira - fira-code - fira-code-symbols - ]; - networking.firewall.allowPing = true; - nix.settings.substituters = - [ "https://cache.nixos.org" ]; # "ssh://dev.simatime.com" ]; - nix.gc.automatic = true; - nix.gc.dates = "Sunday 02:15"; - nix.optimise.automatic = true; - nix.optimise.dates = [ "Sunday 02:30" ]; - nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; - nix.settings.trusted-users = [ "ben" ]; - programs.ccache.enable = true; - programs.mosh.enable = true; - programs.mosh.withUtempter = true; - security.acme.defaults.email = "ben@bsima.me"; - security.acme.acceptTerms = true; - security.sudo.wheelNeedsPassword = false; - services.clamav.daemon.enable = true; # security - services.clamav.updater.enable = true; # security - services.fail2ban.enable = true; # security - services.fail2ban.ignoreIP = [ ports.bensIp ]; # my home IP - services.fail2ban.maxretry = 10; - services.openssh.enable = true; - services.openssh.openFirewall = true; - services.openssh.settings.X11Forwarding = true; - services.openssh.settings.PasswordAuthentication = false; - services.openssh.settings.PermitRootLogin = "prohibit-password"; - system.autoUpgrade.enable = false; # 'true' breaks our nixpkgs pin - zramSwap.enable = true; -} diff --git a/Omni/Packages.nix b/Omni/Packages.nix index d04dfc3..66c1983 100644 --- a/Omni/Packages.nix +++ b/Omni/Packages.nix @@ -5,6 +5,17 @@ with pkgs; { + fonts.fonts = with pkgs; [ + google-fonts + mononoki + source-code-pro + fantasque-sans-mono + hack-font + fira + fira-code + fira-code-symbols + ]; + environment.systemPackages = [ file fd -- cgit v1.2.3
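Review bot: The moved block re-opens `with pkgs;` inside an attribute set that the hunk context suggests is already under `with pkgs; {`, so the inner `fonts.fonts = with pkgs; [` is redundant and can be just `fonts.fonts = [`. Nested `with` also makes it harder to tell which scope a bare name such as `fira` resolves from. The enclosing attribute set continues past the end of the hunk.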