Merge pull request #441 from nix-community/darwin-support

Darwin support

README.md

@@ -46,7 +46,8 @@ example to deploy a GitHub Action runner on Hetzner:
 
 The [Documentation](https://nix-community.github.io/srvos/) website shows more general usage, how to install SrvOS, etc...
 
-To improve the documentation, take a look at the `./docs` folder. You can also run `nix run .#docs.serve` to start a preview server on <http://localhost:3000>.
+To improve the documentation, take a look at the `./docs` folder. You can also run `nix develop .#mkdocs -c mkdocs serve` to start a preview server on <http://localhost:8000>.
+
 
 ## Contributing
 

darwin/common/default.nix

@@ -0,0 +1,11 @@
+{ lib, ... }: {
+  imports = [
+    ./flake.nix
+    ./nix.nix
+    ./openssh.nix
+  ];
+
+  # It's the default login shell, and if not enabled, a lot of important configuration is not applied correctly
+  # Overhead is minimal, since it's just generated zsh configuration that gets added.
+  programs.zsh.enable = lib.mkDefault true;
+}

darwin/common/flake.nix

@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.srvos;
+in
+{
+  options.srvos = {
+    flake = lib.mkOption {
+      # FIXME what is the type of a flake?
+      type = lib.types.nullOr lib.types.raw;
+      default = null;
+      description = lib.mdDoc ''
+        Flake that contains the nixos configuration.
+      '';
+    };
+  };
+  config = lib.mkIf (cfg.flake != null) {
+    services.telegraf.extraConfig.inputs.file =
+      let
+        inputsWithDate = lib.filterAttrs (_: input: input ? lastModified) cfg.flake.inputs;
+        flakeAttrs = input: (lib.mapAttrsToList (n: v: ''${n}="${v}"'')
+          (lib.filterAttrs (_: v: (builtins.typeOf v) == "string") input));
+        lastModified = name: input: ''
+          flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified}'';
+
+        # avoid adding store path references on flakes which me not need at runtime.
+        promText = builtins.unsafeDiscardStringContext ''
+          # HELP flake_registry_last_modified Last modification date of flake input in unixtime
+          # TYPE flake_input_last_modified gauge
+          ${lib.concatStringsSep "\n" (lib.mapAttrsToList lastModified inputsWithDate)}
+        '';
+      in
+      [
+        {
+          data_format = "prometheus";
+          files = [
+            (pkgs.writeText "flake-inputs.prom" promText)
+          ];
+        }
+      ];
+  };
+}

darwin/common/nix.nix

@@ -0,0 +1,26 @@
+{ lib, config, ... }:
+{
+  services.nix-daemon.enable = true;
+
+  # Fallback quickly if substituters are not available.
+  nix.settings.connect-timeout = 5;
+
+  # Enable flakes
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ] ++ lib.optional (lib.versionOlder (lib.versions.majorMinor config.nix.package.version) "2.22")
+    "repl-flake";
+
+  # The default at 10 is rarely enough.
+  nix.settings.log-lines = lib.mkDefault 25;
+
+  # Avoid disk full issues
+  nix.settings.max-free = lib.mkDefault (3000 * 1024 * 1024);
+  nix.settings.min-free = lib.mkDefault (512 * 1024 * 1024);
+
+  # Avoid copying unnecessary stuff over SSH
+  nix.settings.builders-use-substitutes = true;
+
+  nix.daemonIOLowPriority = lib.mkDefault true;
+}

darwin/common/openssh.nix

@@ -0,0 +1,17 @@
+# Better defaults for OpenSSH
+{ lib, ... }:
+{
+  environment.etc."ssh/sshd_config.d/102-srvos.conf".text = ''
+    X11Forwarding no
+    KbdInteractiveAuthentication no
+    PasswordAuthentication no
+    UseDns no
+    # unbind gnupg sockets if they exists
+    StreamLocalBindUnlink yes
+    
+    # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,sntrup761x25519-sha512@openssh.com
+  '';
+  # Only allow system-level authorized_keys to avoid injections.
+  services.openssh.authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
+}

darwin/default.nix

@@ -0,0 +1,10 @@
+let
+  exposeModules = import ../lib/exposeModules.nix;
+in
+exposeModules ./. [
+  ./common
+  ./server
+  ./desktop
+  ./mixins/telegraf.nix
+  ./mixins/terminfo.nix
+]

darwin/desktop/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../common
+  ];
+}

darwin/mixins/telegraf.nix

@@ -0,0 +1,22 @@
+{ lib, inputs, pkgs, ... }:
+{
+  services.telegraf = {
+    enable = true;
+    extraConfig = {
+      agent.interval = "60s";
+      inputs = {
+        smart.path_smartctl = "${pkgs.smartmontools}/bin/smartctl";
+        system = { };
+        mem = { };
+        swap = { };
+        disk.tagdrop.fstype = [ "ramfs" ];
+        diskio = { };
+        internal = { };
+      };
+      outputs.prometheus_client = {
+        listen = ":9273";
+        metric_version = 2;
+      };
+    };
+  };
+}

darwin/mixins/terminfo.nix

@@ -0,0 +1,12 @@
+{ pkgs, lib, ... }:
+{
+
+  # various terminfo packages
+  environment.systemPackages = [
+    pkgs.ncurses # macOS often ships a quite old version
+    pkgs.wezterm.terminfo # this one does not need compilation
+    # avoid compiling desktop stuff when doing cross nixos
+  ] ++ lib.optionals (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) [
+    pkgs.termite.terminfo
+  ];
+}

darwin/server/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../common
+  ];
+}

docs/darwin/getting_started.md

@@ -0,0 +1,47 @@
+# Using SrvOS with nix-darwin
+
+## Finding your way around
+
+This project exports four big categories of NixOS modules which are useful to define a server configuration:
+
+* Machine type - these are high-level settings that define the machine type (Eg: common, server or desktop). Only one of those would be included.
+* Configuration mixins - these define addons to be added to the machine configuration. One or more can be added.
+
+## Example
+
+Combining all of those together, here is how your `flake.nix` might look like, to deploy a GitHub Actions runner on Hetzner:
+
+```nix
+{
+  description = "My machines flakes";
+  inputs = {
+    srvos.url = "github:nix-community/srvos/darwin-support";
+    # Use the version of nixpkgs that has been tested to work with SrvOS
+    # Alternatively we also support the latest nixos release and unstable
+    nixpkgs.follows = "srvos/nixpkgs";
+    nix-darwin.url = "github:LnL7/nix-darwin";
+    nix-darwin.inputs.nixpkgs.follows = "srvos/nixpkgs";
+  };
+  outputs = { srvos, nix-darwin, ... }: {
+    darwinConfigurations.myHost = nix-darwin.lib.darwinSystem {
+      modules = [
+        # This machine is a server (i.e. CI runner)
+        srvos.darwinModules.server
+        # If a machine is a workstation or laptop, use this instead
+        # srvos.darwinModules.desktop
+
+        # Configured with extra terminfos
+        srvos.darwinModules.mixins-terminfo
+        # Finally add your configuration here
+        ./myHost.nix
+      ];
+    };
+  };
+}
+```
+
+## Continue
+
+Now that we have gone over the high-level details, you should have an idea of how to use this project.
+
+To dig further, take a look at the [User guide](../user_guide.md).

docs/darwin/mixins.md

@@ -0,0 +1,13 @@
+Config extensions for a given machine.
+
+One or more can be included per Darwin configuration.
+
+### `darwiModules.mixins-telegraf`
+
+Enables a generic telegraf configuration. `nixosModules.mixins-prometheus` for monitoring rules targeting this telegraf configuration.
+
+### `darwinModules.mixins-terminfo`
+
+Extends the terminfo database with often used terminal emulators.
+Terminfo is used by terminal applications to interfere supported features in the terminal.
+This is useful when connecting to a server via SSH.

docs/darwin/type.md

@@ -0,0 +1,32 @@
+Those high-level modules are used to define the type of machine.
+
+We expect only one of those to be imported per Darwin configuration.
+
+### Common (`darwinModules.common`)
+
+Use this module if you are unsure if your darwin module will be used on server or desktop.
+
+- Better nix-daemon defaults
+- Better serial console support
+- Colored package diffs on nixos-rebuild
+- Use systemd in initrd by default and networkd as a backend for the
+  Networking module
+- Do not block on networkd/networkmanager's online target
+- Better zfs defaults
+- Add ssh host keys to well-known Git servers (eg: github)
+- Enable sudo for @wheel users.
+- ...
+
+### Server (`darwinModules.server`)
+
+Use this for headless systems that are remotely managed via ssh.
+
+- Includes everything from common
+- So far nothing else, but this might change over time
+
+### Desktop (`darwinModules.desktop`)
+
+Despite this project being about servers, we wanted to dogfood the common module.
+
+- Includes everything from common
+- So far nothing else, but this might change over time

docs/getting_started.md

@@ -1,53 +1,9 @@
 # Getting Started with SrvOS
 
-This project is designed to work in combination with [NixOS](https://nixos.org).
+This project is designed to work in combination with the Linux distribution [NixOS](https://nixos.org) or [nix-darwin](https://github.com/LnL7/nix-darwin) on macOS.
 
 In this documentation, we expect the reader to be already familiar with the base operating system, and introduce how to compose it with our own extensions.
 
-## Finding your way around
+For NixOS continue reading [here](nixos/getting_started.md),
+for nix-darwin/macOS read [this](darwin/getting_started.md).
 
-This project exports four big categories of NixOS modules which are useful to define a server configuration:
-
-* Machine type - these are high-level settings that define the machine type (Eg: common, server or desktop). Only one of those would be included.
-* Machine hardware - these define hardware-related settings for well known hardware. Only one of those would be included. (eg: AWS EC2 instances).
-* Machine role - theses take over a machine for a specific role. Only one of those would be included. (eg: GitHub Actions runner)
-* Configuration mixins - these define addons to be added to the machine configuration. One or more can be added.
-
-## Example
-
-Combining all of those together, here is how your `flake.nix` might look like, to deploy a GitHub Actions runner on Hetzner:
-
-```nix
-{
-  description = "My machines flakes";
-  inputs = {
-    srvos.url = "github:nix-community/srvos";
-    # Use the version of nixpkgs that has been tested to work with SrvOS
-    # Alternatively we also support the latest nixos release and unstable
-    nixpkgs.follows = "srvos/nixpkgs";
-  };
-  outputs = { self, nixpkgs, srvos }: {
-    nixosConfigurations.myHost = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      modules = [
-        # This machine is a server
-        srvos.nixosModules.server
-        # Deployed on the AMD Hetzner hardware
-        srvos.nixosModules.hardware-hetzner-amd
-        # Configured with extra terminfos
-        srvos.nixosModules.mixins-terminfo
-        # And designed to run the GitHub Actions runners
-        srvos.nixosModules.roles-github-actions-runner
-        # Finally add your configuration here
-        ./myHost.nix
-      ];
-    };
-  };
-}
-```
-
-## Continue
-
-Now that we have gone over the high-level details, you should have an idea of how to use this project.
-
-To dig further, take a look at the [User guide](user_guide.md).

docs/nixos/getting_started.md

@@ -0,0 +1,49 @@
+# Using SrvOS on NixOS
+
+## Finding your way around
+
+This project exports four big categories of NixOS modules which are useful to define a server configuration:
+
+* Machine type - these are high-level settings that define the machine type (Eg: common, server or desktop). Only one of those would be included.
+* Machine hardware - these define hardware-related settings for well known hardware. Only one of those would be included. (eg: AWS EC2 instances).
+* Machine role - theses take over a machine for a specific role. Only one of those would be included. (eg: GitHub Actions runner)
+* Configuration mixins - these define addons to be added to the machine configuration. One or more can be added.
+
+## Example
+
+Combining all of those together, here is how your `flake.nix` might look like, to deploy a GitHub Actions runner on Hetzner:
+
+```nix
+{
+  description = "My machines flakes";
+  inputs = {
+    srvos.url = "github:nix-community/srvos";
+    # Use the version of nixpkgs that has been tested to work with SrvOS
+    # Alternatively we also support the latest nixos release and unstable
+    nixpkgs.follows = "srvos/nixpkgs";
+  };
+  outputs = { self, nixpkgs, srvos }: {
+    nixosConfigurations.myHost = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        # This machine is a server
+        srvos.nixosModules.server
+        # Deployed on the AMD Hetzner hardware
+        srvos.nixosModules.hardware-hetzner-amd
+        # Configured with extra terminfos
+        srvos.nixosModules.mixins-terminfo
+        # And designed to run the GitHub Actions runners
+        srvos.nixosModules.roles-github-actions-runner
+        # Finally add your configuration here
+        ./myHost.nix
+      ];
+    };
+  };
+}
+```
+
+## Continue
+
+Now that we have gone over the high-level details, you should have an idea of how to use this project.
+
+To dig further, take a look at the [User guide](../user_guide.md).

docs/nixos/mixins.md

@@ -12,7 +12,17 @@ Configure systemd-boot as bootloader.
 
 ### `nixosModules.mixins-telegraf`
 
-Enables a generic telegraf configuration. See [Mic's dotfiles](https://github.com/Mic92/dotfiles/blob/master/nixos/eva/modules/prometheus/alert-rules.nix) for monitoring rules targeting this telegraf configuration.
+Enables a generic telegraf configuration. `nixosModules.mixins-prometheus` for monitoring rules targeting this telegraf configuration.
+
+### `nixosModules.mixins-terminfo`
+
+Extends the terminfo database with often used terminal emulators.
+Terminfo is used by terminal applications to interfere supported features in the terminal.
+This is useful when connecting to a server via SSH.
+
+### `nixosModules.mixins-prometheus`
+
+Enables a Prometheus and configures it with a set of alert rules targeting our `nixosModules.mixins-prometheus` module.
 
 ### `nixosModules.mixins-nginx`