

13 Commits

Author SHA1 Message Date
Gasper Vozel 4c05e060df
Merge d5abe77e22 into 5ef3f953d3 2024-03-11 23:04:24 +00:00
Jonah Dahlquist 5ef3f953d3
Logged my experince using on GCP with an e2-micro (#193)
* Added log of success/failure on GCP

* Reformatted GCP table

---------

Co-authored-by: Eric Litak <elitak@gmail.com>
2024-03-11 08:41:57 -07:00
Anthony M. Cook db45635db2
Remove redundant DO check (#198)
Removed line performs the same check and the same action as the block a couple lines below

Co-authored-by: Eric Litak <elitak@gmail.com>
2024-03-11 08:41:39 -07:00
Jean-François Roche 69819871dc
Add option to use a custom nix install URL (#195)
This change allows users to specify a custom nix install URL, either to use
a nix version other than the latest stable or to use a different
installer script.
2024-03-11 08:40:15 -07:00
Jonah Dahlquist 45e2361a9e
Resolved symlink to nixpkgs channel before passing to nix-env command (#191)
Co-authored-by: Jonah Bron <hi@jonah.id>
2024-03-11 08:34:49 -07:00
Dominik Gleich bbe94a1175
fix: Authorized keys parsing and extraction (#187)
* add support for SK authorized keys

nixos-infect incorrectly handles

* Update nixos-infect

* Replace space with [[:space:]]

* Fix possible security issue
2024-03-11 08:34:16 -07:00
iosmanthus 095fcbc28d
change lightsail boot device to /dev/nvme0n1 (#186)
* change lightsail boot device to /dev/nvme0n1

Signed-off-by: iosmanthus <myosmanthustree@gmail.com>

* fix missing import

Signed-off-by: iosmanthus <myosmanthustree@gmail.com>

---------

Signed-off-by: iosmanthus <myosmanthustree@gmail.com>
2024-03-11 08:33:32 -07:00
Donovan Glover 20b43baa2a
chore: Rename boot.cleanTmpDir to boot.tmp.cleanOnBoot (#181) 2024-03-11 08:32:24 -07:00
Sridhar Ratnakumar de39be8be7
readme/DO: Mark ubuntu 23.10 as failure (#180) 2024-03-11 08:32:00 -07:00
Donovan Glover f6d3db8432
chore(docs): Update channel version to 23.05 (#178) 2024-03-11 08:31:38 -07:00
Star 2ef79962d8
Update README (#176)
* Update README.md

Add successful cases running on Google Cloud Debian11

* Update README.md
2024-03-11 08:30:52 -07:00
Maciej Krüger 6712970770
Add provider autodetection for hetzner (#174) 2024-03-11 08:30:14 -07:00
Gasper Vozel d5abe77e22 Add instructions on how to install NixOS on Media Temple 2022-01-28 10:12:00 +01:00
5 changed files with 285 additions and 18 deletions

168
MediaTemple/README.md Normal file

@ -0,0 +1,168 @@
# NixOS on Media Temple
On Media Temple we can install NixOS on Ubuntu servers by using a custom infect script.
## Add a new server
1. Click on `Add New Service` and select `Self Managed VPS`.
1. Select appropriate server resources (e.g. 2 CPU, 4GB RAM and 100GB storage) and tick `No control panel`.
1. After order has been processed you will need to finish the installation (selecting Ubuntu
version, setting username and password)
## Infect Ubuntu 20.04
After executing the infect script (`bash infect.sh`) you will need to modify the
`hardware-configuration.nix` file. The script will stop and you will need to do it
manually. You will need to remove all `squashfs` and `vfat` (efi boot) entries.
The automatically generated config will look something like this:
```
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/e46da1b8-55a0-4df9-842e-8d80c3a22ffc";
fsType = "ext4";
};
fileSystems."/snap/snapd/12883" =
{ device = "/var/lib/snapd/snaps/snapd_12883.snap";
fsType = "squashfs";
options = [ "loop" ];
};
fileSystems."/snap/core20/1081" =
{ device = "/var/lib/snapd/snaps/core20_1081.snap";
fsType = "squashfs";
options = [ "loop" ];
};
fileSystems."/boot/efi" =
{ device = "/dev/disk/by-uuid/7341-10DC";
fsType = "vfat";
};
fileSystems."/snap/lxd/21545" =
{ device = "/var/lib/snapd/snaps/lxd_21545.snap";
fsType = "squashfs";
options = [ "loop" ];
};
fileSystems."/snap/snapd/14549" =
{ device = "/var/lib/snapd/snaps/snapd_14549.snap";
fsType = "squashfs";
options = [ "loop" ];
};
fileSystems."/snap/core20/1270" =
{ device = "/var/lib/snapd/snaps/core20_1270.snap";
fsType = "squashfs";
options = [ "loop" ];
};
fileSystems."/snap/lxd/21835" =
{ device = "/var/lib/snapd/snaps/lxd_21835.snap";
fsType = "squashfs";
options = [ "loop" ];
};
swapDevices = [ ];
}
```
It's also recommended to name `fileSystem."/"` device to `/dev/sda3` in case the server
gets relocated (disk UUID will change) and add `nvme` to `boot.initrd.kernelModules`.
How do I know it's `/dev/sda3` and not e.g. sda1 or sda2? Run `lsblk` and you will see
the correct pact. In our case:
```
root@ip:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 32.3M 1 loop /snap/snapd/12883
loop1 7:1 0 61.8M 1 loop /snap/core20/1081
loop2 7:2 0 67.3M 1 loop /snap/lxd/21545
loop3 7:3 0 43.4M 1 loop /snap/snapd/14549
loop4 7:4 0 61.9M 1 loop /snap/core20/1270
loop5 7:5 0 67.2M 1 loop /snap/lxd/21835
sda 8:0 0 100G 0 disk
├─sda1 8:1 0 4M 0 part
├─sda2 8:2 0 106M 0 part /boot/efi
└─sda3 8:3 0 99.9G 0 part /
```
Optional:
- Add a bit of swap.
- Mount `/dev/sda2` partition on `/boot`
After you remove all the `squashfs` and the efi boot entries you will be left with:
```
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/sda3";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/sda2";
fsType = "vfat";
};
swapDevices = [
{
device = "/swapfile";
size = 1024;
priority = 0;
}
];
}
```
The last few lines of infect output will look something like this:
```
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = "en_US.UTF-8",
LC_CTYPE = "UTF-8",
LANG = "C.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("C.UTF-8").
updating GRUB 2 menu...
installing the GRUB 2 boot loader on /dev/sda...
Installing for i386-pc platform.
/nix/store/jx1qj6fh98fnifslhllpcaqaia2nhxz5-grub-2.06/sbin/grub-install: warning: cannot open directory `/nix/store/jx1qj6fh98fnifslhllpcaqaia2nhxz5-grub-2.06/share/locale': No such file or directory.
Installation finished. No error reported.
```
Verify `/etc/nixos/*.nix` config files and make sure they are correct (especially IPs in
`configuration.nix`).
After reboot, you should be able to SSH to the server.


@ -0,0 +1,40 @@
{ pkgs, ... }: {
imports = [
./hardware-configuration.nix
# Including this by default now to avoid potential problems with missing kernel modules
<nixpkgs/nixos/modules/profiles/all-hardware.nix>
];
boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
networking.enableIPv6 = false;
networking.interfaces.ens3.useDHCP = false;
networking.defaultGateway = "169.254.0.1";
networking.nameservers = [ "1.1.1.1" "1.0.0.1" ];
networking.interfaces.ens3 = {
ipv4.addresses = [
{ address = "1.2.3.4"; prefixLength = 32; } # Primary IP
{ address = "1.2.3.5"; prefixLength = 32; } # Secondary IP
];
ipv4.routes = [{
address = "169.254.0.1"; # IP of the gateway
prefixLength = 32;
}];
};
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
passwordAuthentication = false;
};
# Set initial root password in case we need to use the rescue console.
# IMPORTANT: change the password!
users.users.root.initialPassword = "secret";
# IMPORTANT: replace with your own key(s)!
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAAD..."
];
system.stateVersion = "21.05";
}
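Review bot: `users.users.root.initialPassword = "secret"` on the line after the IMPORTANT comment is a cleartext credential that NixOS copies into the world-readable Nix store, so even after the user changes the value it is readable by every local account on the box. Because this config already sets `passwordAuthentication = false` and `permitRootLogin = "prohibit-password"`, the password only serves the rescue console; prefer `users.users.root.hashedPassword = "<hash produced by mkpasswd>"` or leave the password unset and rely on the provider's console access, so no cleartext secret is committed or stored. The `"ssh-rsa AAAAB3NzaC1yc2EAAAAD..."` entry is a truncated placeholder and will not authenticate anyone until replaced, which nothing in the companion script checks before it copies this file to `/etc/nixos`.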

42
MediaTemple/infect.sh Normal file

@ -0,0 +1,42 @@
#!/usr/bin/env bash
set -e -o pipefail
# Add build group and user
groupadd nixbld -g 30000 || true
for i in {1..10}; do
useradd -c "Nix build user $i" -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" "nixbld$i" || true
done
# Install NixOS
curl -L https://nixos.org/nix/install | sh
. /root/.nix-profile/etc/profile.d/nix.sh
nix-channel --add https://nixos.org/channels/nixos-21.05 nixpkgs
nix-channel --update
# Install NixOS installation tools, TODO: Make nicer
nix-env -iE "_: with import <nixpkgs/nixos> { configuration = {}; }; with config.system.build; [ nixos-generate-config ]"
# Set up configurations and install it in a profile
nixos-generate-config
echo "---"
echo "Remove the lxcfs (on Ubuntu 16.04) or squashfs (on Ubuntu 20.04 and 21.04) entry with nano"
sleep 5
nano /etc/nixos/hardware-configuration.nix
cp configuration.nix /etc/nixos
nix-env -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' -I nixos-config=/etc/nixos/configuration.nix -iA system
# Set NixOS to boot and replace the original distro
touch /etc/NIXOS
cat > /etc/NIXOS_LUSTRATE <<EOF
etc/nixos
root/.nix-defexpr/channels
EOF
# Switch to NixOS OS
/nix/var/nix/profiles/system/bin/switch-to-configuration boot
echo "---"
echo "Verify all the settings and check if there were any problematic errors."
echo "If everything is OK, reboot"
echo ""
echo "Keep in mind that you have to deal with /old-root after reboot"
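Review bot: `cp configuration.nix /etc/nixos` copies whatever `configuration.nix` happens to be in the caller's current directory rather than the one shipped next to the script, and `nix-channel --add https://nixos.org/channels/nixos-21.05 nixpkgs` hard-codes a channel while the rest of this compare drives the channel through `NIX_CHANNEL`. Resolve the file relative to the script and make the channel overridable: `cp -- "$(dirname -- "$0")/configuration.nix" /etc/nixos` and `nix-channel --add "https://nixos.org/channels/${NIX_CHANNEL:-nixos-21.05}" nixpkgs`. On the useradd line, `$(which nologin)` is better written `"$(command -v nologin)"`; if `nologin` is absent the substitution is empty and the trailing `|| true` masks whatever useradd does with an empty `-s` argument.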


@ -55,7 +55,7 @@ and most importantly, simply didn't work for me!
4) run the script with:
```
curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-22.11 bash -x
curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-23.05 bash -x
```
*NB*: This script wipes out the targeted host's root filesystem when it runs to completion.
@ -72,7 +72,7 @@ and supply to it the following example yaml stanzas:
#cloud-config
runcmd:
- curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=digitalocean NIX_CHANNEL=nixos-22.11 bash 2>&1 | tee /tmp/infect.log
- curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=digitalocean NIX_CHANNEL=nixos-23.05 bash 2>&1 | tee /tmp/infect.log
```
#### Potential tweaks:
@ -90,7 +90,7 @@ write_files:
environment.systemPackages = with pkgs; [ vim ];
}
runcmd:
- curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=digitalocean NIXOS_IMPORT=./host.nix NIX_CHANNEL=nixos-22.11 bash 2>&1 | tee /tmp/infect.log
- curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=digitalocean NIXOS_IMPORT=./host.nix NIX_CHANNEL=nixos-23.05 bash 2>&1 | tee /tmp/infect.log
```
@ -106,6 +106,7 @@ runcmd:
|CoreOS |2430.0.0 (alpha) | _unable_ |2020-03-30|
|Debian |10.3 x64 |**success**|2020-03-30|
|Debian |9.12 x64 |**success**|2020-03-30|
|Debian |11 x64 |**success**|2023-11-12|
|Fedora |30 x64 |**success**|2020-03-30|
|Fedora |31 x64 |**success**|2020-03-30|
|FreeBSD |11.3 x64 ufs | _failure_ |2020-03-30|
@ -120,6 +121,7 @@ runcmd:
|Ubuntu |20.04 x64 |**success**|2022-03-23|
|Ubuntu |22.04 x64 |**success**|2023-06-05|
|Ubuntu |22.10 x64 | _failure_ |2023-06-05|
|Ubuntu |23.10 x64 | _failure_ |2023-11-16|
### Vultr
To set up a NixOS Vultr server, instantiate an Ubuntu box with the following "Cloud-Init User-Data":
@ -127,7 +129,7 @@ To set up a NixOS Vultr server, instantiate an Ubuntu box with the following "Cl
```bash
#!/bin/sh
curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-22.11 bash
curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-23.05 bash
```
Allow for a few minutes over the usual Ubuntu deployment time for NixOS to download & install itself.
@ -147,7 +149,7 @@ When creating a server provide the following yaml as "Cloud config":
#cloud-config
runcmd:
- curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=hetznercloud NIX_CHANNEL=nixos-22.11 bash 2>&1 | tee /tmp/infect.log
- curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=hetznercloud NIX_CHANNEL=nixos-23.05 bash 2>&1 | tee /tmp/infect.log
```
#### Tested on
@ -254,9 +256,13 @@ Requred some Xen modules to work out, after that NixOS erected itself without a
### Google Cloud Platform
#### Tested on
|Distribution. | Name | Status | test date|
|-------------------------------------|-----------------|-----------|----------|
| Ubuntu on Ampere Altra (Arm64) | 20.04 |**success**|2022-09-07|
|Distribution | Name | Status | test date| Machine type |
|-------------------------------------|-----------------|-----------|----------|--------------|
| Debian | 11 |**success**|2023-11-12|ec2-micro |
| Debian (Amd64) | 11 |**success**|2023-11-12| |
| Ubuntu on Ampere Altra (Arm64) | 20.04 |**success**|2022-09-07| |
| Ubuntu | 20.04 |**success**|2022-09-07|Ampere Ultra |
| Ubuntu | 20.04 |-failure- |2023-11-12|ec2-micro |
### Contabo
Tested on Cloud VPS. Contabo sets the hostname to something like `vmi######.contaboserver.net`, Nixos only allows RFC 1035 compliant hostnames ([see here](https://search.nixos.org/options?show=networking.hostName&query=hostname)). Run `hostname something_without_dots` before running the script. If you run the script before changing the hostname - remove the `/etc/nixos/configuration.nix` so it's regenerated with the new hostname.
@ -274,7 +280,7 @@ build time or using `ssh-copy-id` before running nixos-infect
```
#!/bin/sh
curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-22.11 bash 2>&1 | tee /tmp/infect.log
curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-23.05 bash 2>&1 | tee /tmp/infect.log
```
#### Tested on
@ -302,7 +308,7 @@ Tested on vServer. The network configuration seems to be important so the same t
### ServArica
Requires the same static network settings that Digital Ocean does.
curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=servarica NIX_CHANNEL=nixos-22.11 bash
curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=servarica NIX_CHANNEL=nixos-23.05 bash
#### Tested on
|Distribution| Name | Status | test date|
@ -333,7 +339,7 @@ write_files:
environment.systemPackages = with pkgs; [ tmux ];
}
runcmd:
- curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIXOS_IMPORT=./host.nix NIX_CHANNEL=nixos-22.10 bash 2>&1 | tee /tmp/infect.log
- curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIXOS_IMPORT=./host.nix NIX_CHANNEL=nixos-23.05 bash 2>&1 | tee /tmp/infect.log
```
#### Tested on
@ -349,7 +355,7 @@ and have a copy of the private key on your local box.
On RackNerd's Ubuntu 20.04, there's no `curl` by default, so `wget -O-` needs to be used instead:
```command
# wget -O- https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-22.11 bash -x
# wget -O- https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-23.05 bash -x
```
#### Tested on


@ -4,6 +4,12 @@
set -e -o pipefail
autodetectProvider() {
if [ -e /etc/hetzner-build ]; then
PROVIDER="hetznercloud"
fi
}
makeConf() {
# Skip everything if main config already present
[[ -e /etc/nixos/configuration.nix ]] && return 0
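Review bot: `autodetectProvider` tests with `[ -e /etc/hetzner-build ]` while the surrounding file uses `[[ ]]` (see the `[[ -e /etc/nixos/configuration.nix ]]` guard in makeConf directly below); for consistency write `if [[ -e /etc/hetzner-build ]]; then`. A one-line header would also help readers, e.g. `# Sets the global PROVIDER from on-host markers when the caller did not export it; only Hetzner Cloud is detected so far.`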
@ -20,7 +26,7 @@ makeConf() {
local IFS=$'\n'
for trypath in /root/.ssh/authorized_keys /home/$SUDO_USER/.ssh/authorized_keys $HOME/.ssh/authorized_keys; do
[[ -r "$trypath" ]] \
&& keys=$(sed -E 's/^.*((ssh|ecdsa)-[^[:space:]]+)[[:space:]]+([^[:space:]]+)([[:space:]]*.*)$/\1 \3\4/' "$trypath") \
&& keys=$(sed -E 's/^[^#].*[[:space:]]((sk-ssh|sk-ecdsa|ssh|ecdsa)-[^[:space:]]+)[[:space:]]+([^[:space:]]+)([[:space:]]*.*)$/\1 \3\4/' "$trypath") \
&& [[ ! -z "$keys" ]] \
&& break
done
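Review bot: The `^[^#]` prefix on the new sed expression does not keep comment lines out of `$keys`, because sed without `-n` echoes every line it fails to substitute, so a `# ...` line in authorized_keys still reaches `$keys` and, presumably, the generated `authorizedKeys.keys` list; for the same reason a plain `ssh-ed25519 AAAA... user@host` line with no leading options field no longer matches (the pattern now demands whitespace before the key type) and passes through unmodified rather than being normalised. If comments are meant to be dropped, do it explicitly: prepend `-e '/^[[:space:]]*#/d'` and then remove the now-redundant `^[^#]` so the substitution can match both option-prefixed and bare key lines. makeConf starts and ends outside this hunk.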
@ -35,7 +41,7 @@ makeConf() {
$NIXOS_IMPORT
];
boot.cleanTmpDir = true;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = ${zramswap};
networking.hostName = "$(hostname -s)";
networking.domain = "$(hostname -d)";
@ -90,9 +96,10 @@ EOF
makeLightsailConf() {
mkdir -p /etc/nixos
cat > /etc/nixos/configuration.nix << EOF
{ config, pkgs, modulesPath, ... }:
{ config, pkgs, modulesPath, lib, ... }:
{
imports = [ "\${modulesPath}/virtualisation/amazon-image.nix" ];
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
}
EOF
}
@ -318,8 +325,8 @@ infect() {
# TODO use addgroup and adduser as fallbacks
#addgroup nixbld -g 30000 || true
#for i in {1..10}; do adduser -DH -G nixbld nixbld$i || true; done
curl -L https://nixos.org/nix/install | sh -s -- --no-channel-add
NIX_INSTALL_URL="${NIX_INSTALL_URL:-https://nixos.org/nix/install}"
curl -L "${NIX_INSTALL_URL}" | sh -s -- --no-channel-add
# shellcheck disable=SC1090
source ~/.nix-profile/etc/profile.d/nix.sh
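Review bot: `curl -L "${NIX_INSTALL_URL}" | sh -s -- --no-channel-add` has no `--fail`, so an HTTP error body (a 404 or a captive-portal page) is piped straight into `sh`; now that the URL is taken from the environment this is more likely to be hit, so use `curl -fL "${NIX_INSTALL_URL}" | sh -s -- --no-channel-add`. Worth a comment above the assignment too, e.g. `# NIX_INSTALL_URL may point at any installer script; it is executed as-is, so only trusted, HTTPS-served locations should be used.` infect() continues outside this hunk.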
@ -338,7 +345,7 @@ infect() {
export NIXOS_CONFIG="${NIXOS_CONFIG:-/etc/nixos/configuration.nix}"
nix-env --set \
-I nixpkgs=$HOME/.nix-defexpr/channels/nixos \
-I nixpkgs=$(realpath $HOME/.nix-defexpr/channels/nixos) \
-f '<nixpkgs/nixos>' \
-p /nix/var/nix/profiles/system \
-A system
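Review bot: `-I nixpkgs=$(realpath $HOME/.nix-defexpr/channels/nixos)` leaves both the substitution and `$HOME` unquoted, and if `realpath` fails (channel not yet present) the argument silently collapses to `-I nixpkgs=`, since `set -e` does not react to a failing substitution inside a command argument. Quote it and fail loudly instead: `-I "nixpkgs=$(realpath -- "$HOME/.nix-defexpr/channels/nixos")" \` after an explicit `realpath -- "$HOME/.nix-defexpr/channels/nixos" >/dev/null` check. infect() starts and ends outside this hunk.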
@ -375,6 +382,10 @@ infect() {
/nix/var/nix/profiles/system/bin/switch-to-configuration boot
}
if [ ! -v PROVIDER ]; then
autodetectProvider
fi
[ "$PROVIDER" = "digitalocean" ] && doNetConf=y # digitalocean requires detailed network config to be generated
[ "$PROVIDER" = "lightsail" ] && newrootfslabel="nixos"
if [[ "$PROVIDER" = "digitalocean" ]] || [[ "$PROVIDER" = "servarica" ]] || [[ "$PROVIDER" = "hetznercloud" ]]; then
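Review bot: `if [ ! -v PROVIDER ]` only triggers autodetection when the variable is entirely unset, so an exported-but-empty `PROVIDER=` skips detection and then falls through every provider branch below; `if [[ -z "${PROVIDER:-}" ]]; then` treats both cases the same and matches the `[[ ]]` style used on the following lines.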