diff --git a/configurations/nixos/orb-nixos/README.md b/configurations/nixos/orb-nixos/README.md
new file mode 100644
index 0000000..1ef2212
--- /dev/null
+++ b/configurations/nixos/orb-nixos/README.md
@@ -0,0 +1,3 @@
+NixOS configuration for NixOS machine created by [OrbStaack](https://orbstack.dev/).
+
+All files but `default.nix` are generated by OrbStack and are copied as-is.
\ No newline at end of file
diff --git a/configurations/nixos/orb-nixos/configuration.nix b/configurations/nixos/orb-nixos/configuration.nix
new file mode 100644
index 0000000..5b895c6
--- /dev/null
+++ b/configurations/nixos/orb-nixos/configuration.nix
@@ -0,0 +1,93 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ # Include the default lxd configuration.
+ "${modulesPath}/virtualisation/lxc-container.nix"
+ # Include the container-specific autogenerated configuration.
+ ./incus.nix
+ # Include the OrbStack-specific configuration.
+ ./orbstack.nix
+ ];
+
+ users.users.srid = {
+ uid = 501;
+ extraGroups = [ "wheel" "orbstack" ];
+
+ # simulate isNormalUser, but with an arbitrary UID
+ isSystemUser = true;
+ isNormalUser = false;
+ group = "users";
+ createHome = true;
+ home = "/home/srid";
+ homeMode = "700";
+ useDefaultShell = true;
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ # This being `true` leads to a few nasty bugs, change at your own risk!
+ users.mutableUsers = false;
+
+ networking = {
+ dhcpcd.enable = false;
+ useDHCP = false;
+ useHostResolvConf = false;
+ };
+
+ systemd.network = {
+ enable = true;
+ networks."50-eth0" = {
+ matchConfig.Name = "eth0";
+ networkConfig = {
+ DHCP = "ipv4";
+ IPv6AcceptRA = true;
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+
+ # Extra certificates from OrbStack.
+ security.pki.certificates = [
+ ''
+ -----BEGIN CERTIFICATE-----
+ MIICCzCCAbKgAwIBAgIQTSHpt26sKlwbnaJ2S0gOBTAKBggqhkjOPQQDAjBmMR0w
+ GwYDVQQKExRPcmJTdGFjayBEZXZlbG9wbWVudDEeMBwGA1UECwwVQ29udGFpbmVy
+ cyAmIFNlcnZpY2VzMSUwIwYDVQQDExxPcmJTdGFjayBEZXZlbG9wbWVudCBSb290
+ IENBMB4XDTI1MDYxNDA0NDcwM1oXDTM1MDYxNDA0NDcwM1owZjEdMBsGA1UEChMU
+ T3JiU3RhY2sgRGV2ZWxvcG1lbnQxHjAcBgNVBAsMFUNvbnRhaW5lcnMgJiBTZXJ2
+ aWNlczElMCMGA1UEAxMcT3JiU3RhY2sgRGV2ZWxvcG1lbnQgUm9vdCBDQTBZMBMG
+ ByqGSM49AgEGCCqGSM49AwEHA0IABASuAVDdRFXRE+kaNXMtVFbHSIfS7zMzVfYV
+ fx878wYNBCktns2WnW5gsune6PTjUjeGjY5GMu4sFdBjAmB5i42jQjBAMA4GA1Ud
+ DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRH62RxJrF7H38m
+ veqHH1QmrR9uRTAKBggqhkjOPQQDAgNHADBEAiB9xVonZHHpkK6WR1dGPdPyzTwV
+ 3xkjkU72LzBzjfnyIgIgcHIni0xEXPcPbGMiXMjMxbCJTcXPyPFJyvkOT/uNNlg=
+ -----END CERTIFICATE-----
+
+ ''
+ ];
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
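Review bot: `security.sudo.wheelNeedsPassword = false;` combined with `extraGroups = [ "wheel" "orbstack" ]` means any process running as uid 501 can become root without a prompt, and the hunk does not say why that is acceptable; since `users.mutableUsers = false` and no `hashedPassword`/`initialPassword` is declared for `srid`, the account has no password sudo could ask for, so the setting is load-bearing rather than a convenience and deserves saying so. A comment above the line would spare the next reader that inference: `# srid has no password (mutableUsers = false, none declared), so sudo cannot prompt; this gives silent root to anything running as srid — acceptable only because this is a throwaway OrbStack dev VM.`. The `security.pki.certificates` entry installs a self-signed root into the system-wide trust store — its DER decodes to critical basicConstraints CA:TRUE, critical keyUsage keyCertSign|cRLSign, validity 2025-06-14 through 2035-06-14 — so whoever holds that key can issue certificates trusted for any hostname by every TLS client on this machine. Worth a comment that pins the provenance and the maintenance rule, e.g. `# OrbStack host root CA (P-256, CA:TRUE, valid to 2035-06). Trusted system-wide; re-copy if the host OrbStack install regenerates its CA, and never reuse this block on a non-OrbStack machine.`.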
diff --git a/configurations/nixos/orb-nixos/default.nix b/configurations/nixos/orb-nixos/default.nix
new file mode 100644
index 0000000..e47610d
--- /dev/null
+++ b/configurations/nixos/orb-nixos/default.nix
@@ -0,0 +1,16 @@
+{ flake, ... }:
+
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+in
+{
+ nixos-unified.sshTarget = "srid@orb";
+
+ nixpkgs.hostPlatform = "aarch64-linux";
+
+ imports = [
+ self.nixosModules.default
+ ./configuration.nix
+ ];
+}
diff --git a/configurations/nixos/orb-nixos/incus.nix b/configurations/nixos/orb-nixos/incus.nix
new file mode 100644
index 0000000..c7effb2
--- /dev/null
+++ b/configurations/nixos/orb-nixos/incus.nix
@@ -0,0 +1,11 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+
+# WARNING: THIS CONFIGURATION IS AUTOGENERATED AND WILL BE OVERWRITTEN AUTOMATICALLY
+
+{
+ networking.hostName = "orb-nixos";
+}
diff --git a/configurations/nixos/orb-nixos/orbstack.nix b/configurations/nixos/orb-nixos/orbstack.nix
new file mode 100644
index 0000000..c10ae9f
--- /dev/null
+++ b/configurations/nixos/orb-nixos/orbstack.nix
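Review bot: `nixos-unified.sshTarget = "srid@orb";` deploys over SSH, yet the `./configuration.nix` this file imports pulls in `./orbstack.nix`, which sets `services.openssh.enable = false;`, so the guest runs no sshd of its own; the deploy presumably works only because OrbStack's host-side SSH integration is what resolves `orb`, and nothing in the file records that dependency. A comment next to the target would save the next person a failed deploy: `# Guest sshd is disabled (orbstack.nix); "orb" is reached through OrbStack's host-side ssh config, so deploy from a host where that config is in effect.`. If `self.nixosModules.default` is the module shared with the other hosts in this flake (not visible here), it is also worth a one-line note that this machine additionally carries passwordless wheel sudo and a system-wide root CA from configuration.nix, so the shared module's assumptions should be checked against that.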
@@ -0,0 +1,67 @@
+# Generated by OrbStack.
+# This WILL be overwritten in the future. Make a copy and update the include
+# in configuration.nix if you want to keep your changes.
+
+{ lib, config, ... }:
+
+{
+ # Add OrbStack CLI tools to PATH
+ environment.shellInit = ''
+ . /opt/orbstack-guest/etc/profile-early
+
+ # add your customizations here
+
+ . /opt/orbstack-guest/etc/profile-late
+ '';
+
+ # Enable documentation
+ documentation.man.enable = true;
+ documentation.doc.enable = true;
+ documentation.info.enable = true;
+
+ # Disable systemd-resolved
+ services.resolved.enable = false;
+ environment.etc."resolv.conf".source = "/opt/orbstack-guest/etc/resolv.conf";
+
+ # Faster DHCP - OrbStack uses SLAAC exclusively
+ networking.dhcpcd.extraConfig = ''
+ noarp
+ noipv6
+ '';
+
+ # Disable sshd
+ services.openssh.enable = false;
+
+ # systemd
+ systemd.services."systemd-oomd".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-userdbd".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-udevd".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-timesyncd".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-timedated".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-portabled".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-nspawn@".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-machined".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-localed".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-logind".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-journald@".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-journald".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-journal-remote".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-journal-upload".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-importd".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-hostnamed".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-homed".serviceConfig.WatchdogSec = 0;
+ systemd.services."systemd-networkd".serviceConfig.WatchdogSec = lib.mkIf config.systemd.network.enable 0;
+
+ # ssh config
+ programs.ssh.extraConfig = ''
+ Include /opt/orbstack-guest/etc/ssh_config
+ '';
+
+ # indicate builder support for emulated architectures
+ nix.settings.extra-platforms = [
+ "x86_64-linux"
+ "i686-linux"
+ ];
+
+ users.groups.orbstack.gid = 67278;
+}
diff --git a/justfile b/justfile
index 7f84a57..5281288 100644
--- a/justfile
+++ b/justfile
@@ -19,6 +19,11 @@ pureintent: infinitude: nix run . infinitude
+# Deploy to orb nixos machine
+[group('deploy')]
+orb:
+ nix run . orb-nixos
+
 # Run all pre-commit hooks on all files pca: pre-commit run --all-files