fix initrd modules and rename host

Reviewed-on: #213
Reviewed-by: teutat3s <teutates@mailbox.org>

.drone.yml

@@ -1,7 +1,7 @@
 ---
 kind: pipeline
 type: exec
-name: Check
+name: Check and deploy
 node:
   hosttype: baremetal
 
@@ -15,7 +15,27 @@ steps:
     commands:
       - 'echo DEBUG: Using NIX_FLAGS: $NIX_FLAGS'
       - nix $$NIX_FLAGS develop --command nix flake show
-      - nix $$NIX_FLAGS build ".#nixosConfigurations.PubSolarOS.config.system.build.toplevel"
+      - nix $$NIX_FLAGS build ".#nixosConfigurations.host_001_momo_koeln.config.system.build.toplevel"
+
+  - name: "Deploy"
+    when:
+      event:
+        - push
+      branch:
+        - momo/main
+    environment:
+      NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
+      PRIVATE_SSH_KEY:
+        from_secret: ci_private_ssh_key
+      SSH_HOST_KEY: "80.244.242.4 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7XTCHfX6ta8EtkdOcZLnpdhMmXDfTebVMs4NC8JEPj"
+    commands:
+      - mkdir $$HOME/.ssh && chmod 700 $$HOME/.ssh
+      - echo "$$PRIVATE_SSH_KEY" > $$HOME/.ssh/id_ed25519 && chmod 600 $$HOME/.ssh/id_ed25519
+      - echo "$$SSH_HOST_KEY" > $$HOME/.ssh/known_hosts
+      # SSH uses HOME from /etc/passwd, not from the environment, so override it
+      - export SSHOPTS="-o UserKnownHostsFile=$$HOME/.ssh/known_hosts -i $$HOME/.ssh/id_ed25519"
+      - "echo DEBUG: Using NIX_FLAGS: $$NIX_FLAGS"
+      - nix $$NIX_FLAGS develop --command deploy --magic-rollback false --skip-checks --targets '.#host_001_momo_koeln' --ssh-opts="$$SSHOPTS"
 
 ---
 kind: pipeline
@@ -76,9 +96,6 @@ steps:
         from_secret: matrix_password
       template: "Test run triggered by tag: {{ build.tag }}. Test run exit status: {{ build.status }}. Artifacts uploaded to Manta: https://eu-central.manta.greenbaum.cloud/pub_solar/public/ci/{{ repo.Owner }}/{{ repo.Name }}/{{ build.number }}/foot_wayland_info.png"
 
-depends_on:
-  - Tests
-
 trigger:
   ref:
     - refs/tags/v*
@@ -132,9 +149,6 @@ steps:
       unlink_first: true
       strip_components: 3
 
-depends_on:
-  - Check
-
 trigger:
   branch:
     - main
@@ -147,6 +161,6 @@ volumes:
 
 ---
 kind: signature
-hmac: 6aee0ffe22111bb629c0a79940bfbc3fa75f68c5ed5c4bba68abf6797b87a7ab
+hmac: a600be61980312efec74374647cdff7e3876a7858caf51433a8b76148312edc1
 
 ...

flake.nix

@@ -123,10 +123,9 @@
               users = digga.lib.rakeLeaves ./users;
             };
           suites = with profiles; rec {
-            base = [users.pub-solar users.root];
+            base = [ base-user users.root users.barkeeper ];
-            iso = base ++ [base-user graphical pub-solar-iso];
+
-            pubsolaros = [full-install base-user users.root];
+            host-001-momo-koeln = base;
-            anonymous = [pubsolaros users.pub-solar];
           };
         };
       };
@@ -141,10 +140,10 @@
           };
         };
         users = {
-          pub-solar = {suites, ...}: {
+          barkeeper = {suites, ...}: {
             imports = suites.base;
 
-            home.stateVersion = "21.03";
+            home.stateVersion = "22.05";
           };
         }; # digga.lib.importers.rakeLeaves ./users/hm;
       };
@@ -153,6 +152,11 @@
 
       homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
 
-      deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {};
+      deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
+        host-001-momo-koeln = {
+          hostname = "80.244.242.4";
+          sshUser = "barkeeper";
+        };
+      };
     };
 }

hosts/PubSolarOS.nix

@@ -1,21 +0,0 @@
-{suites, ...}: {
-  ### root password is empty by default ###
-  ### default password: pub-solar, optional: add your SSH keys
-  imports =
-    suites.iso;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.networkmanager.enable = true;
-
-  fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
-}

hosts/bootstrap.nix

@@ -1,54 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  profiles,
-  ...
-}:
-with lib; let
-  # Gets hostname of host to be bundled inside iso
-  # Copied from https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L3-L11
-  getFqdn = config: let
-    net = config.networking;
-    fqdn =
-      if (net ? domain) && (net.domain != null)
-      then "${net.hostName}.${net.domain}"
-      else net.hostName;
-  in
-    fqdn;
-in {
-  # build with: `nix build ".#nixosConfigurations.bootstrap.config.system.build.isoImage"`
-  imports = [
-    # profiles.networking
-    profiles.users.root # make sure to configure ssh keys
-    profiles.users.pub-solar
-    profiles.base-user
-    profiles.graphical
-    profiles.pub-solar-iso
-  ];
-
-  config = {
-    boot.loader.systemd-boot.enable = true;
-
-    # will be overridden by the bootstrapIso instrumentation
-    fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
-
-    system.nixos.label = "PubSolarOS-" + config.system.nixos.version;
-
-    # mkForce because a similar transformation gets double applied otherwise
-    # https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L17
-    # https://github.com/NixOS/nixpkgs/blob/aecd4d8349b94f9bd5718c74a5b789f233f67326/nixos/modules/installer/cd-dvd/installation-cd-base.nix#L21-L22
-    isoImage = {
-      isoBaseName = mkForce (getFqdn config);
-      isoName = mkForce "${config.system.nixos.label}-${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso";
-    };
-
-    # This value determines the NixOS release from which the default
-    # settings for stateful data, like file locations and database versions
-    # on your system were taken. It‘s perfectly fine and recommended to leave
-    # this value at the release version of the first install of this system.
-    # Before changing this value read the documentation for this option
-    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-    system.stateVersion = "21.05"; # Did you read the comment?
-  };
-}

hosts/host-001-momo-koeln/configuration.nix

@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  pub-solar.core.lite = true;
+
+  time.timeZone = "Europe/Berlin";
+
+  networking = {
+    useDHCP = false;
+
+    interfaces.enp1s0.ipv4.addresses = [{
+      address = "80.244.242.4";
+      prefixLength = 29;
+    }];
+
+    defaultGateway = "80.244.242.1";
+    nameservers = [ "95.129.51.51" "80.244.244.244" ];
+  };
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  system.stateVersion = "22.05";
+}

hosts/host-001-momo-koeln/default.nix

@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./host-001-momo-koeln.nix
+  ] ++ suites.host-001-momo-koeln;
+}

hosts/host-001-momo-koeln/hardware-configuration.nix

@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # Use the GRUB 2 boot loader.
+  boot.loader.systemd-boot.enable = false;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_scsi" "sd_mod" "sr_mod" "dm-snapshot" "virtio_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+
+  boot.extraModulePackages = [ ];
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-label/cryptroot";
+  };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-label/root";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-label/boot";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-label/swap"; }
+    ];
+
+  networking = {
+    defaultGateway = "80.244.242.1";
+
+    nameservers = ["95.129.51.51" "80.244.244.244"];
+
+    interfaces."enp1s0" = {
+      ipv4.addresses = [
+        {
+          address = "80.244.242.4";
+          prefixLength = 29;
+        }
+      ];
+    };
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/host-001-momo-koeln/host-001-momo-koeln.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with pkgs;
+let
+  psCfg = config.pub-solar;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+}

profiles/base-user/default.nix

@@ -13,12 +13,15 @@ in {
   users = {
     mutableUsers = false;
 
+    groups."${psCfg.user.name}" = {};
+
     users = with pkgs;
       pkgs.lib.setAttrByPath [psCfg.user.name] {
         # Indicates whether this is an account for a “real” user.
         # This automatically sets group to users, createHome to true,
         # home to /home/username, useDefaultShell to true, and isSystemUser to false.
         isNormalUser = true;
+        group = "${psCfg.user.name}";
         description = psCfg.user.description;
         extraGroups = [
           "wheel"

users/barkeeper/default.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  hmUsers,
+  pkgs,
+  lib,
+  ...
+}: let
+  psCfg = config.pub-solar;
+in {
+  config = {
+    home-manager.users = {inherit (hmUsers) barkeeper;};
+
+    security.sudo.extraRules = [
+      {
+        users = ["${psCfg.user.name}"];
+        commands = [
+          {
+            command = "ALL";
+            options = ["NOPASSWD"];
+          }
+        ];
+      }
+    ];
+
+    pub-solar = {
+      user = {
+        name = "barkeeper";
+        description = "momo deployment user";
+        fullName = "momo infra barkeeper";
+        email = "admins@momo.koeln";
+        gpgKeyId = "";
+        publicKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135 @hensoko"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb @hensoko"
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW @ci-drone-runner"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU @axeman"
+        ];
+      };
+    };
+  };
+}

users/pub-solar/default.nix

@@ -1,18 +0,0 @@
-{hmUsers, ...}: {
-  home-manager.users = {inherit (hmUsers) pub-solar;};
-
-  pub-solar = {
-    # These are your personal settings
-    # The only required settings are `name` and `password`,
-    # for convenience, use publicKeys to add your SSH keys
-    # The rest is used for programs like git
-    user = {
-      name = "pub-solar";
-      # default password = pub-solar
-      password = "$6$Kv0BCLU2Jg7GN8Oa$hc2vERKCbZdczFqyHPfgCaleGP.JuOWyd.bfcIsLDNmExGXI6Rnkze.SWzVzVS311KBznN/P4uUYAUADXkVtr.";
-      fullName = "Pub Solar";
-      email = "iso@pub.solar";
-      publicKeys = [];
-    };
-  };
-}