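    # This is a bare-bones configuration that can be edited slightly and then
    # dropped on a 100TB machine that is being crossgraded to NixOS.  It is
    # tailored to the specific hardware choices made for our machines at 100TB and
    # 100TB's network configuration.  The goal is to configure a system *enough*
    # that a better tool (eg morph) can take over.
    #
    #  1. Customize the variables below this comment.
    #
    #  2. Overwrite /etc/nixos/configuration.nix on Debian machine that has had
    #     NixOS installed on top of it.
    #
    #  3. Copy the generated /etc/nixos/hardware-configuration.nix from the Debian
    #     machine and add it to this repository.  We need it to build the system
    #     later.
    #
    #  4. Finish the NixOS install and reboot into a pristine NixOS system.
    #
    #  5. Specify the real configuration for this system and deploy it with morph.
    #
    let
      # Make all these correct.  Some default values from a random system left in
      # place as examples.

      # You can probably find this interface using `ip addr` on the target system
      # while it's still running Debian.  Pick the interface that has the public
      # address assigned.
      interface = "eno1";

      # You probably just know what the public address is.  Make sure this agrees
      # with what you see in `ip addr` though.
      publicIPv4 = "69.36.183.24";

      # You'll find this on the address in the `ip addr` output.  eg:
      #
      #  3: wlp4s0: ...
      #    ...
      #    inet 69.36.183.24/24 ...
      #                      ^^ See?
      #
      prefixLength = 24;

      # This is the default gateway address.  You can find it with `ip route` on
      # the target system.
      gateway = "69.36.183.1";

      # And the gateway itself is reachable on a particular interface.  Most
      # likely the same as the interface above but I don't know if this is
      # guaranteed.  Look at the `ip route` output to be sure.
      gatewayInterface = "eno1";

      # The unique disk identifier where grub should be installed.  This should
      # probably be sda.  You can find this value by looking for the
      # wwn-... symlink to sda in /dev/disk/by-id/.  For example:
      #
      # $ ls -l /dev/disk/by-id/
      # lrwxrwxrwx 1 root root  9 Aug 29 08:09 wwn-0x5002538d414bf195 -> ../../sda
      #
      # Be sure to pick the disk identifier and not the identifier of one of the
      # partitions!
      grubDeviceID = "wwn-0x5000c500936410b9";

      # This is whatever ssh public key is appropriate at the time.  I'm leaving
      # mine here for now.  Only the *public* half belongs here; it is the sole
      # credential that will get anyone into the bootstrapped machine.
      rootPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon";

      # Stop!  I hope you're done when you get here.  If you have to modify
      # anything below this point the expression should probably be refactored and
      # another variable added controlling whatever new thing you need to control.

      # Open an issue: https://whetstone.privatestorage.io/privatestorage/PrivateStorageio/-/issues/new?issue

    in
    # Define a function that ignores all its arguments.  We don't need any of them
    # for now.
    { ... }:
    {
      # Load the hardware configuration for this host.  This is generated by
      # nixos-generate-config on the target host.  There is no such file checked
      # in to the repository because it necessarily varies from host to host.  For
      # example, it includes the disk id of the root partition.  We just rely on
      # the tool to generate the correct configuration and then we load it from
      # here.
      imports =
        [ # Include the results of the hardware scan.
          ./hardware-configuration.nix
        ];

      # Configure the bootloader how we like.

      boot.loader.timeout = 10;

      boot.loader.grub.enable = true;
      boot.loader.grub.version = 2;
      boot.loader.grub.device = "/dev/disk/by-id/${grubDeviceID}";

      # Let me in to do subsequent configuration.  This makes the machine wide
      # open.  We might consider locking this down a bit more.  For example, we
      # should only need SSH access for the next step.  However, there's basically
      # nothing else on the system right now so it's not an extreme risk to just
      # turn off the firewall.  Initially this was the approach to make sure I
      # wouldn't get locked out of a system working perfectly well but with an
      # overly restrictive firewall (since that case basically makes the machine a
      # brick to me).
      #
      # Note for a future tightening: enabling services.openssh already opens port
      # 22 in the NixOS firewall (services.openssh.openFirewall defaults to true),
      # so re-enabling the firewall here should not lock SSH out by itself.
      networking.firewall.enable = false;

      # Also, turn on the OpenSSH server so I (morph, really) can log in and make
      # further changes.
      services.openssh.enable = true;

      # sshd is listening on the public address with no firewall in front of it,
      # so make the "keys only" decision explicit rather than relying on whatever
      # the sshd/NixOS defaults happen to be for this release.  Password and
      # challenge-response logins are off for everyone; root may still log in, but
      # only with the configured key.
      services.openssh.passwordAuthentication = false;
      services.openssh.challengeResponseAuthentication = false;
      services.openssh.permitRootLogin = "prohibit-password";

      # Grant root access to the holder of the configured key.  We don't bother
      # setting a password because keys are better.  We also don't configure any
      # additional users because that will happen later.
      users.users.root.openssh.authorizedKeys.keys = [
        rootPublicKey
      ];

      # Provide the static network configuration.  100TB doesn't use DHCP so turn
      # off our client.
      networking.dhcpcd.enable = false;

      # Put the configured address on the configured interface.
      networking.interfaces = {
        "${interface}".ipv4.addresses = [
          { address = publicIPv4; inherit prefixLength; }
        ];
      };
      # And set up the configured route as the default.
      networking.defaultGateway = {
        address = gateway;
        interface = gatewayInterface;
      };
      # I don't know if 100TB provides nameservers but these are pretty safe in
      # general.  This may not be strictly required to get the NixOS install
      # bootable but a lot of tools have a dependency on being able to resolve
      # names (for example, the Nix system configuration tool).
      networking.nameservers = [
        "4.2.2.1"
        "8.8.8.8"
      ];

      # This value determines the NixOS release with which your system is to be
      # compatible, in order to avoid breaking some software such as database
      # servers. You should change this only after NixOS release notes say you
      # should.
      system.stateVersion = "19.03"; # Did you read the comment?
    }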