Add a plain linux-builder configuration for Parallels VM (#47)

flake.nix

@@ -74,24 +74,15 @@
       flake = {
         # Configurations for Linux (NixOS) systems
         nixosConfigurations = {
-          here = self.nixos-flake.lib.mkLinuxSystem {
-            imports = [
-              self.nixosModules.common # Defined in nixos/default.nix
-              inputs.sops-nix.nixosModules.sops
-              ./systems/here.nix
-              ./nixos/server/harden.nix
-            ];
-            sops.defaultSopsFile = ./secrets.json;
-            sops.defaultSopsFormat = "json";
-            services.tailscale.enable = true;
-          };
+          linux-builder = self.nixos-flake.lib.mkLinuxSystem
+            ./systems/linux-builder.nix;
 
           immediacy = self.nixos-flake.lib.mkLinuxSystem {
             imports = [
               self.nixosModules.default # Defined in nixos/default.nix
               inputs.sops-nix.nixosModules.sops
               ./systems/hetzner/ax41.nix
-              ./nixos/server/harden.nix
+              ./nixos/server/harden
             ];
             sops.defaultSopsFile = ./secrets.json;
             sops.defaultSopsFormat = "json";

justfile

@@ -2,8 +2,16 @@ default:
     @just --list
 
 # Remote deploy to a host
-remote host='here':
+remote-deploy host='linux-builder':
     nixos-rebuild switch --fast --use-remote-sudo \
         --flake .#{{host}} \
         --target-host $USER@{{host}} \
         --build-host $USER@{{host}}
+
+# First install on a remote machine
+remote-install host='linux-builder':
+    nix run github:nix-community/nixos-anywhere \
+        -- \
+        --build-on-remote \
+        --flake .#{{host}} \
+        root@{{host}}

nixos/default.nix

@@ -8,7 +8,7 @@
       common.imports = [
         ./nix.nix
         ./caches
-        ./ssh-authorize.nix
+        ./self/primary-as-admin.nix
       ];
 
       my-home = {
@@ -24,7 +24,7 @@
         self.nixosModules.home-manager
         self.nixosModules.my-home
         self.nixosModules.common
-        ./self-ide.nix
+        ./self/self-ide.nix
         ./current-location.nix
       ];
     };

nixos/self/primary-as-admin.nix

@@ -1,7 +1,8 @@
+# Make flake.config.peope.myself the admin of the machine
 { flake, pkgs, lib, ... }:
 
 {
-  # Let me login
+  # Login via SSH with mmy SSH key
   users.users =
     let
       people = flake.config.people;
@@ -13,6 +14,13 @@
         openssh.authorizedKeys.keys = myKeys;
       } // lib.optionalAttrs pkgs.stdenv.isLinux {
         isNormalUser = true;
+        extraGroups = [ "wheel" ];
       };
     };
+
+  # Make me a sudoer without password
+  security = lib.optionalAttrs pkgs.stdenv.isLinux {
+    sudo.execWheelOnly = true;
+    sudo.wheelNeedsPassword = false;
+  };
 }

nixos/server/harden/basics.nix

@@ -1,18 +1,15 @@
-{ flake, ... }: {
+{
 
   # Firewall
   networking.firewall.enable = true;
 
-  security.sudo.execWheelOnly = true;
-
-  security.sudo.wheelNeedsPassword = false;
-  users.users.${flake.config.people.myself} = {
-    extraGroups = [ "wheel" ];
-  };
-
+  # Enable auditd
   security.auditd.enable = true;
   security.audit.enable = true;
 
+  # Standard openssh protections
+  #
+  # See primary-as-admin.nix to setup passwordless setup.
   services = {
     openssh = {
       enable = true;
@@ -20,12 +17,8 @@
       settings.PasswordAuthentication = false;
       allowSFTP = false;
     };
-    fail2ban = {
-      enable = true;
-      ignoreIP = [
-        "100.80.93.92" # Tailscale "appreciate"
-      ];
-    };
   };
+
+  # 🤲
   nix.settings.allowed-users = [ "root" "@users" ];
 }

nixos/server/harden/default.nix

@@ -0,0 +1,14 @@
+{
+  imports = [
+    ./basics.nix
+  ];
+
+  services = {
+    fail2ban = {
+      enable = true;
+      ignoreIP = [
+        "100.80.93.92" # Tailscale "appreciate"
+      ];
+    };
+  };
+}

systems/darwin/ci.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ flake, pkgs, lib, ... }:
 
 {
   # TODO: Refactor this into a module, like easy-github-runners.nix
@@ -56,6 +56,18 @@
   users.knownGroups = [ "github-runner" ];
   users.knownUsers = [ "github-runner" ];
 
+  # If not using linux-builder, use a VM
+  nix.distributedBuilds = true;
+  nix.buildMachines = [{
+    hostName = "linux-builder";
+    systems = [ "aarch64-linux" "x86_64-linux" ];
+    supportedFeatures = [ "kvm" "benchmark" "big-parallel" ];
+    maxJobs = 6; # 6 cores
+    protocol = "ssh-ng";
+    sshUser = flake.config.people.myself;
+    sshKey = "/etc/ssh/ssh_host_ed25519_key";
+  }];
+
   # To build Linux derivations whilst on macOS.
   # 
   # NOTES:
@@ -64,7 +76,7 @@
   # - To update virtualisation configuration, you have to disable, delete
   #   /private/var/lib/darwin-builder/ and re-enable.
   nix.linux-builder = {
-    enable = true;
+    enable = false;
     systems = [
       "x86_64-linux"
       "aarch64-linux"

systems/disko/trivial.nix

@@ -1,8 +1,11 @@
+# A trivial disk configuration with single root partition taking whole disk
+# space.
+{ device, ... }:
 {
   disk = {
     main = {
+      inherit device;
       type = "disk";
-      device = "/dev/sda";
       content = {
         type = "gpt";
         partitions = {

systems/here.nix

@@ -1,30 +0,0 @@
-# My Linux VM running on macOS
-{ flake, modulesPath, ... }: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-    flake.inputs.disko.nixosModules.disko
-  ];
-  system.stateVersion = "23.11";
-  services.openssh.enable = true;
-  services.ntp.enable = true; # Accurate time in Parallels VM?
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    binfmt.emulatedSystems = [ "x86_64-linux" ]; # For cross-compiling
-    swraid.mdadmConf = ''
-      MAILADDR srid@srid.ca
-    '';
-  };
-  nixpkgs.hostPlatform = "aarch64-linux";
-
-  hardware.parallels.enable = true;
-
-  networking = {
-    hostName = "here";
-    networkmanager.enable = true;
-  };
-  time.timeZone = "America/New_York";
-  disko.devices = import ./disko/vm.nix;
-}

systems/linux-builder.nix

@@ -0,0 +1,51 @@
+/* My Linux VM running on macOS
+
+  ## Using Parallels to create a NixOS VM
+
+  - Boot into a NixOS graphical installer
+  - Open terminal, and set a root password using `sudo su -` and `passwd root`
+  - Authorize yourself to login to the root user using `ssh-copy-id -o PreferredAuthentications=password root@linux-builder`
+  - Run nixos-anywhere (see justfile; `j remote-deploy`)
+*/
+{ flake, modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    flake.inputs.disko.nixosModules.disko
+    ../nixos/self/primary-as-admin.nix
+    ../nixos/server/harden/basics.nix
+    # Parallels VM support
+    {
+      hardware.parallels.enable = true;
+      nixpkgs.config.allowUnfree = true; # for parallels
+      services.ntp.enable = true; # Accurate time in Parallels VM?
+    }
+  ];
+
+  # Basics
+  system.stateVersion = "23.11";
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    swraid.mdadmConf = ''
+      MAILADDR srid@srid.ca
+    '';
+  };
+  disko.devices = import ./disko/trivial.nix { device = "/dev/sda"; };
+  networking = {
+    hostName = "linux-builder";
+    networkmanager.enable = true;
+  };
+  time.timeZone = "America/New_York";
+
+  # Distributed Builder
+  nixpkgs.hostPlatform = "aarch64-linux";
+  boot.binfmt.emulatedSystems = [ "x86_64-linux" ]; # For cross-compiling
+  services.openssh.enable = true;
+  users.users.${flake.config.people.myself}.openssh.authorizedKeys.keys = [
+    # macos /etc/ssh/ssh_host_ed25519_key.pub
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPGfskkyhM0wefy0Sex2t5GENEHTIZAWrb9LzRN0R9x"
+  ];
+  nix.settings.trusted-users = [ "root" flake.config.people.myself ];
+}