NixOS + home-manager configs, mirrored from GitLab SaaS. gitlab.com/andreijiroh-dev/nixops-config

feat(raspi-base): fork https://github.com/dfrankland/nixos-rpi-sd-image for that Raspberry Pi 5 I got from @hackclub High Seas

Currently handing off the build to GHA to save storage on my laptop.

Signed-off-by: Andrei Jiroh Halili <ajhalili2006@andreijiroh.dev>

+327 -3
+48 -3
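--- a/.github/workflows/update-flakes.yml
+++ b/.github/workflows/update-flakes.yml
@@ -14,7 +14,7 @@
 update-lockfile:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v4
 
 - name: Setup Deterinate Nix
 uses: DeterminateSystems/nix-installer-action@main
@@ -46,7 +46,7 @@
 name: Build recovery ISO
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v4
 with:
 fetch-depth: 0
 ref: main
@@ -70,4 +70,49 @@
 uses: actions/upload-artifact@v4
 with:
 name: nixos-recoverykit-iso
-path: dist
+path: dist
+build-raspi-sdim:
+concurrency:
+cancel-in-progress: false
+group: recoverykit-iso-builds
+needs: [update-lockfile]
+name: Build custom Raspberry Pi SD image
+runs-on: ubuntu-latest
+env:
+PREBUILD_TAG: build-1743086698
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+ref: main
+
+- name: Setup Deterinate Nix
+uses: DeterminateSystems/nix-installer-action@main
+with:
+determinate: true
+
+- name: Show flake metadata
+run: nix flake metadata
+
+# https://github.com/docker/setup-qemu-action
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v3
+
+# https://github.com/docker/setup-buildx-action
+- name: Set up Docker Buildx
+id: buildx
+uses: docker/setup-buildx-action@v1
+
+- name: Prepare build environment
+run: |
+docker pull ghcr.io/andreijiroh-dev/nixops-config/rpi-sd-imager:${{env.PREBUILD_TAG}}
+docker tag ghcr.io/andreijiroh-dev/nixops-config/rpi-sd-imager:${{env.PREBUILD_TAG}} ghcr.io/andreijiroh-dev/nixops-config/rpi-sd-imager:dev
+
+- name: Build the SD image
+run: cd hosts/raspi-base && docker compose up
+
+- name: Upload as artifact
+uses: actions/upload-artifact@v4
+with:
+name: nixos-raspi-sd-img
+path: hosts/raspi-base/output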
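Review bot: The new `build-raspi-sdim` job runs third-party code from mutable references: `DeterminateSystems/nix-installer-action@main`, `docker/setup-buildx-action@v1`, and a builder image pulled by tag (`rpi-sd-imager:${{env.PREBUILD_TAG}}`), so whatever those refs resolve to at run time ends up producing the SD image. Pin each action to a full commit SHA, e.g. `uses: docker/setup-buildx-action@<full-commit-sha> # v1`, and pull the image by digest (`rpi-sd-imager@sha256:<digest>`). The step `run: cd hosts/raspi-base && docker compose up` may also report success when the builder container exits non-zero; `docker compose up --exit-code-from nixos-rpi-sd-image` makes the job fail with it. The `concurrency.group` value `recoverykit-iso-builds` looks copied from the ISO job, whose own settings are outside the visible hunks, so confirm the two jobs are meant to queue behind each other.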
hosts/raspi-base/builder/.gitkeep

This is a binary file and will not be displayed.

+18
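--- a/hosts/raspi-base/builder/Dockerfile
+++ b/hosts/raspi-base/builder/Dockerfile
@@ -0,0 +1,18 @@
+# Adopted from https://github.com/dfrankland/nixos-rpi-sd-image/blob/f0ad101a1d555e2310d4e238d55b7f068e2f6951/nixos-rpi-sd-image/Dockerfile,
+# but updated the commit hash for nixos-generators
+FROM multiarch/qemu-user-static:x86_64-aarch64 as qemu
+
+FROM nixos/nix as nixos
+
+COPY --from=qemu /usr/bin/qemu-aarch64-static /usr/bin
+
+RUN \
+set -e; \
+echo 'extra-platforms = aarch64-linux' >> /etc/nix/nix.conf; \
+nix-env -f https://github.com/nix-community/nixos-generators/archive/42ee229088490e3777ed7d1162cb9e9d8c3dbb11.tar.gz -i;
+
+COPY ./builder/generate-sd-image.sh /
+COPY . /build/src/
+
+WORKDIR /build/src
+CMD ["/generate-sd-image.sh"]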
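Review bot: Both `FROM` lines use mutable references, `multiarch/qemu-user-static:x86_64-aarch64` and an untagged `nixos/nix`, even though the header comment shows nixos-generators was deliberately pinned to a commit, so the image that builds the SD card trusts whatever those tags resolve to on the day it is built. Pin each base by digest, e.g. `FROM nixos/nix@sha256:<digest> as nixos`. The `nix-env -f https://github.com/nix-community/nixos-generators/archive/….tar.gz -i` fetch is pinned by commit but not hash-checked, which deserves a short comment saying that is intentional. `COPY . /build/src/` bakes the whole `hosts/raspi-base` context, including the Wi-Fi PSK and root password in the Nix files, into the image, and docker-compose.yml bind-mounts the same path over it at run time, so the copy can probably be dropped.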
+28
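--- a/hosts/raspi-base/builder/generate-sd-image.sh
+++ b/hosts/raspi-base/builder/generate-sd-image.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+/root/.nix-profile/bin/nixos-generate \
+--format sd-aarch64-installer \
+--system aarch64-linux \
+--configuration /build/src/sd-image.nix \
+| tee /build/src/nixos-generate-output.txt
+
+ARTIFACT="$(tail -1 /build/src/nixos-generate-output.txt)"
+
+if echo $ARTIFACT | grep -q -E 'system$'
+then
+ARTIFACT="$(dirname $ARTIFACT)/hydra-build-products"
+fi
+
+if echo $ARTIFACT | grep -q -E 'hydra-build-products$'
+then
+IMG="$(head -1 $ARTIFACT | awk '{ print $3 }')"
+else
+IMG=$ARTIFACT
+fi
+
+echo "Found img file: $IMG"
+
+mkdir -pv /build/out || true
+cp -v $IMG /build/out/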
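Review bot: `set -e` does not catch a failing `nixos-generate` here, because the exit status of the `nixos-generate … | tee …` pipeline is that of `tee`; on failure the script carries on and treats the last line of an error log as the artifact path. Redirect instead of piping, `--configuration /build/src/sd-image.nix > /build/src/nixos-generate-output.txt`, and `cat` the file afterwards if the log should still appear in the job output. `$ARTIFACT` and `$IMG` are expanded unquoted in `echo`, `dirname`, `head` and `cp`; quote them (`cp -v "$IMG" /build/out/`) so a path containing whitespace or glob characters is not split. `mkdir -pv /build/out || true` hides a failure that the following `cp` would then report less clearly.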
+89
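--- a/hosts/raspi-base/configuration.nix
+++ b/hosts/raspi-base/configuration.nix
@@ -0,0 +1,89 @@
+
+{ config, lib, pkgs, ... }:
+
+{
+imports = [
+# Include the results of the hardware scan.
+./hardware-configuration.nix
+# Needed to continue SD image initialization after installer removes its own unit.
+./sd-image-init.nix
+];
+
+# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
+boot.loader.grub.enable = false;
+# Enables the generation of /boot/extlinux/extlinux.conf
+boot.loader.generic-extlinux-compatible.enable = true;
+
+# Enable OpenSSH out of the box.
+services.sshd.enable = true;
+
+# Since we are customizing things bts, we'll disabled the default nixos user.
+users.extraUsers.nixos = {
+enable = false;
+};
+
+users.extraUsers.ajhalili2006 = {
+description = "~ajhalili2006";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXuD3hJwInlcHs3wkXWAWNo8es3bPAd2e8ipjyqgGp2 ajhalili2006@andreijiroh.dev"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUnTexcVQTGT+UhX8MRPkMvM6FPuskbY2Dn0ScZ3+ot ~ajhalili2006 [passwordless key for sshfs]"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEYDna7HlVN6FL+Mxaof+WH5EoVmaUrM7GFAdQSveTJ ajhalili2006@crew.recaptime.dev"
+"ssh-rsa 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 gildedguy@andreijiroh"
+];
+};
+
+# Use a default root SSH login.
+# services.openssh.permitRootLogin = "yes";
+# users.users.root.password = "nixos";
+users.users.root.openssh = {
+authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXuD3hJwInlcHs3wkXWAWNo8es3bPAd2e8ipjyqgGp2 ajhalili2006@andreijiroh.dev"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUnTexcVQTGT+UhX8MRPkMvM6FPuskbY2Dn0ScZ3+ot ~ajhalili2006 [passwordless key for sshfs]"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEYDna7HlVN6FL+Mxaof+WH5EoVmaUrM7GFAdQSveTJ ajhalili2006@crew.recaptime.dev"
+"ssh-rsa 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 gildedguy@andreijiroh"
+];
+};
+
+# Wireless networking (1). You might want to enable this if your Pi is not attached via Ethernet.
+networking.wireless = {
+enable = true;
+interfaces = [ "wlan0" ];
+networks = {
+"UnattendedNixosSetup_2.4G" = {
+psk = "82a240704f00a476a28dc53b";
+hidden = true;
+};
+"UnattendedNixosSetup_5G" = {
+psk = "82a240704f00a476a28dc53b";
+hidden = true;
+};
+};
+allowAuxiliaryImperativeNetworks = true;
+};
+
+# Wireless networking (2). Enables `wpa_supplicant` on boot.
+systemd.services.wpa_supplicant.wantedBy = lib.mkOverride 10 [ "default.target" ];
+
+# The global useDHCP flag is deprecated, therefore explicitly set to false here.
+# Per-interface useDHCP will be mandatory in the future, so this generated config
+# replicates the default behaviour.
+networking.useDHCP = false;
+networking.interfaces.eth0.useDHCP = true;
+networking.interfaces.wlan0.useDHCP = true;
+
+# NTP time sync.
+services.timesyncd.enable = true;
+
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. It‘s perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "24.11"; # Did you read the comment?
+
+# NGINX sample
+networking.firewall.allowedTCPPorts = [
+80
+];
+}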
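Review bot: The Wi-Fi passphrase is written literally in `psk = "…"` for both networks, which puts it in the public repository and in the world-readable Nix store on the device; NixOS 24.11 (the `stateVersion` here) offers `networking.wireless.secretsFile` with `pskRaw = "ext:<name>"` to keep it out of both. `users.users.root.openssh.authorizedKeys.keys` repeats all four user keys, including the one labelled `[passwordless key for sshfs]`, so an unprotected key file grants direct root login; consider limiting root to a single passphrase-protected key or to none. `networking.firewall.allowedTCPPorts = [ 80 ]` opens HTTP although no web server is configured in this file. `users.extraUsers.ajhalili2006` sets neither `isNormalUser` nor `isSystemUser`, which NixOS normally rejects at evaluation time.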
+9
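--- a/hosts/raspi-base/docker-compose.yml
+++ b/hosts/raspi-base/docker-compose.yml
@@ -0,0 +1,9 @@
+services:
+nixos-rpi-sd-image:
+image: ghcr.io/andreijiroh-dev/nixops-config/rpi-sd-imager:dev
+build:
+context: .
+dockerfile: ./builder/Dockerfile
+volumes:
+- ./:/build/src
+- ./output:/build/out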
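Review bot: The output bind mount `./output:/build/out` points at a directory that is not in the repository: the placeholder committed alongside it is `hosts/raspi-base/outpt/.keep`, so Docker will create `output` itself (typically root-owned) on first run. Rename the placeholder directory to `output`. `./:/build/src` mounts the whole host directory read-write into a container that apparently runs as root (the script uses `/root/.nix-profile`); generate-sd-image.sh only writes its log there, so moving that log to `/build/out` would allow `./:/build/src:ro`. The `image:` tag `:dev` is mutable, which is why the workflow has to retag a prebuilt image before `docker compose up`.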
hosts/raspi-base/outpt/.keep

This is a binary file and will not be displayed.

+63
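--- a/hosts/raspi-base/sd-image-init.nix
+++ b/hosts/raspi-base/sd-image-init.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+{
+# Adapted from https://github.com/NixOS/nixpkgs/blob/e89ecac0a26cdf4546298c565e880f00d4ab8649/nixos/modules/virtualisation/amazon-init.nix
+systemd.services.sd-image-init = {
+description = "Reconfigure the system from SD image userdata on startup";
+
+wantedBy = [ "multi-user.target" ];
+after = [ "multi-user.target" ];
+requires = [ "network-online.target" ];
+
+restartIfChanged = false;
+unitConfig.X-StopOnRemoval = false;
+
+script = ''
+#!${pkgs.runtimeShell} -eu
+
+echo "attempting to fetch configuration from SD image user data..."
+
+export HOME=/root
+export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused config.system.build.nixos-rebuild config.system.build.nixos-generate-config]}:$PATH
+export NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels
+
+userData=/etc/sd-image-metadata/configuration.nix
+userDataExtra=/etc/sd-image-metadata/sd-image-init.nix
+
+if [ -s "$userData" ]; then
+# If the user-data looks like it could be a nix expression,
+# copy it over. Also, look for a magic three-hash comment and set
+# that as the channel.
+if sed '/^\(#\|SSH_HOST_.*\)/d' < "$userData" | grep -q '\S'; then
+channels="$(grep '^###' "$userData" | sed 's|###\s*||')"
+while IFS= read -r channel; do
+echo "writing channel: $channel"
+done < <(printf "%s\n" "$channels")
+
+if [[ -n "$channels" ]]; then
+printf "%s" "$channels" > /root/.nix-channels
+nix-channel --update
+fi
+
+echo "generating hardware configuration"
+nixos-generate-config
+echo "setting configuration from SD image user data"
+cp "$userData" "$userDataExtra" /etc/nixos/
+else
+echo "user data does not appear to be a Nix expression; ignoring"
+exit
+fi
+else
+echo "no user data is available"
+exit
+fi
+
+nixos-rebuild switch
+'';
+
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = true;
+};
+};
+}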
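Review bot: `requires = [ "network-online.target" ]` has no matching ordering, since `after` lists only `multi-user.target`, so `nix-channel --update` and `nixos-rebuild switch` can start before the network is up; add it with `after = [ "multi-user.target" "network-online.target" ];`. Nothing in the unit records that initialization already happened, and configuration.nix imports this module again, so as written every boot appears to copy `/etc/sd-image-metadata/*.nix` over `/etc/nixos/` and rebuild as root, discarding local edits. A guard such as `unitConfig.ConditionPathExists = "!<marker-file>";` plus a `touch` of that marker after a successful switch would make it run once. A comment stating that `/etc/sd-image-metadata` must stay writable by root only would also help, because whatever is in it becomes the system configuration.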
+72
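--- a/hosts/raspi-base/sd-image.nix
+++ b/hosts/raspi-base/sd-image.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+{
+imports = [
+<nixpkgs/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix>
+./sd-image-init.nix
+];
+
+# bzip2 compression takes loads of time with emulation, skip it. Enable
+# this if you're low on space.
+sdImage.compressImage = false;
+
+sdImage.populateRootCommands = ''
+mkdir -p ./files/etc/sd-image-metadata/
+cp ./configuration.nix ./files/etc/sd-image-metadata/configuration.nix
+cp ./sd-image-init.nix ./files/etc/sd-image-metadata/sd-image-init.nix
+'';
+
+# OpenSSH is forced to have an empty `wantedBy` on the installer system[1], this won't allow it
+# to be automatically started. Override it with the normal value.
+# [1] https://github.com/NixOS/nixpkgs/blob/9e5aa25/nixos/modules/profiles/installation-device.nix#L76
+systemd.services.sshd.wantedBy = lib.mkOverride 40 [ "multi-user.target" ];
+
+# Enable OpenSSH out of the box.
+services.sshd.enable = true;
+
+# The installer starts with a "nixos" user to allow installation, so add the SSH key to
+# that user. Note that the key is, at the time of writing, put in `/etc/ssh/authorized_keys.d`
+users.extraUsers.nixos.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXuD3hJwInlcHs3wkXWAWNo8es3bPAd2e8ipjyqgGp2 ajhalili2006@andreijiroh.dev"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUnTexcVQTGT+UhX8MRPkMvM6FPuskbY2Dn0ScZ3+ot ~ajhalili2006 [passwordless key for sshfs]"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEYDna7HlVN6FL+Mxaof+WH5EoVmaUrM7GFAdQSveTJ ajhalili2006@crew.recaptime.dev"
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzMlrUe7qMA1P0lP56lq2dKTrwFU6CrVltQ9um+PhOMLkoi31kAlujHtWF6mqGRLXcK0Ao/0Wqug++r82Zu0u7dpAv8LCExtaRRMzagwPkEe4OOqUBOpS6mggfsik8mNA+1UtpkXJ+ZiB4cXtNKEZC0jtxWOTXSV67qgkSxuO+YBWB+7pnESkB0KorqwOoWGGUVfYQtbKUAt6VqM4s6dn7saXqwmN0tCPO6a+4L4mazkYjFD11HhktYsjP9dvnxYSOtMrSFb9JOXRST2LdiIJgwg+HTqBSWGO7aBRHMJaTF3ajlbMtKDQI/EcNQLyGgX6yFdjjzz9DRY+2oU0vPTytdqM2BKsfLlR0GVg7BVL7TZPaLJ1lgpCl4Z1oClW9FOzhnYJVT0W+IKPsnYsFPfv/BVgjWF7YtLdc5zqFJ31PULtikCyd0I6Kt95YD0HdrlR2faWcBHI8KKEAwCCanodGnK/xTOxisTX2dXOxx3mvR/L3Wil2ca5hnD+vt500/o8= gildedguy@andreijiroh"
+];
+
+# Use a default root SSH login.
+# services.openssh.permitRootLogin = "yes";
+users.users.root.password = "nixos-emergency-meeting";
+users.users.root.openssh = {
+authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXuD3hJwInlcHs3wkXWAWNo8es3bPAd2e8ipjyqgGp2 ajhalili2006@andreijiroh.dev"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUnTexcVQTGT+UhX8MRPkMvM6FPuskbY2Dn0ScZ3+ot ~ajhalili2006 [passwordless key for sshfs]"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEYDna7HlVN6FL+Mxaof+WH5EoVmaUrM7GFAdQSveTJ ajhalili2006@crew.recaptime.dev"
+"ssh-rsa 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 gildedguy@andreijiroh"
+];
+};
+
+# Wireless networking (1). You might want to enable this if your Pi is not attached via Ethernet.
+# I know I have to setup a temporary hidden SSID with a random password for automation purposes,
+# so dont't rely on values here.
+networking.wireless = {
+enable = true;
+interfaces = [ "wlan0" ];
+networks = {
+"UnattendedNixosSetup_2.4G" = {
+psk = "82a240704f00a476a28dc53b";
+hidden = true;
+};
+"UnattendedNixosSetup_5G" = {
+psk = "82a240704f00a476a28dc53b";
+hidden = true;
+};
+};
+allowAuxiliaryImperativeNetworks = true;
+};
+
+# Wireless networking (2). Enables `wpa_supplicant` on boot.
+systemd.services.wpa_supplicant.wantedBy = lib.mkOverride 10 [ "default.target" ];
+
+# NTP time sync.
+services.timesyncd.enable = true;
+}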
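Review bot: `users.users.root.password = "nixos-emergency-meeting";` commits a plaintext root password to a public repository for an image where sshd is force-started (the `systemd.services.sshd.wantedBy` override) and Wi-Fi joins automatically; a value set through the `password` option also ends up in the world-readable Nix store. If the imported installer profile permits root password login, which is not visible here, anyone on the same network can log in with the published value. Drop the line and rely on the authorized keys, and state the intent explicitly with `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "prohibit-password";`. The same concern applies to the two `psk` values, which the comment above them already calls temporary; rotate them once the Pi is provisioned.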