From ea103376a35f58574e742dab53da9c8413ca8544 Mon Sep 17 00:00:00 2001 From: Andre Date: Sat, 1 Jun 2024 11:16:19 -0400 Subject: [PATCH 1/5] Enable TPM2 unlocking on Khanda --- hosts/Khanda/hardware-configuration.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/Khanda/hardware-configuration.nix b/hosts/Khanda/hardware-configuration.nix index d5c2e00..2239e3d 100644 --- a/hosts/Khanda/hardware-configuration.nix +++ b/hosts/Khanda/hardware-configuration.nix @@ -11,6 +11,9 @@ boot = { initrd = { + # Enable systemd for TPM auto-unlocking + systemd.enable = true; + availableKernelModules = [ "surface_aggregator" "surface_aggregator_registry" From 4d1539884b008b1827cf476baa4e6c0ea4690821 Mon Sep 17 00:00:00 2001 From: Andre Date: Sat, 1 Jun 2024 12:56:37 -0400 Subject: [PATCH 2/5] Messing around with nixos-upgrade --- flake.lock | 2 +- modules/base/system.nix | 10 ++++++++ modules/services/autoupgrade.nix | 44 ++++++++++++++++++++++---------- 3 files changed, 42 insertions(+), 14 deletions(-) diff --git a/flake.lock b/flake.lock index afe9f93..8d67335 100644 --- a/flake.lock +++ b/flake.lock @@ -252,7 +252,7 @@ "locked": { "lastModified": 1717092160, "narHash": "sha256-dype0zRMyP94Uo8YC1vWQ6lkvXLYMep6+Xo7AW4K9cs=", - "ref": "42ddf14d36d9fab1eb070f51fdf1991d1a21dde9", + "ref": "refs/heads/main", "rev": "42ddf14d36d9fab1eb070f51fdf1991d1a21dde9", "revCount": 42, "type": "git", diff --git a/modules/base/system.nix b/modules/base/system.nix index f19e31b..b2332f6 100644 --- a/modules/base/system.nix +++ b/modules/base/system.nix @@ -26,6 +26,16 @@ }; }; + # Configure automatic updates for all hosts + host.services.autoUpgrade = { + enable = true; + configDir = config.secrets.nixConfigFolder; + onCalendar = "daily"; + persistent = true; + pushUpdates = false; + user = config.users.users.aires.name; + }; + services = { # Enable fwupd (firmware updater) fwupd.enable = true; 
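Review bot: The commit title says TPM2 unlocking is enabled, but the hunk only sets `boot.initrd.systemd.enable = true`; nothing visible here tells systemd-cryptsetup to consult the TPM, which normally also needs `tpm2-device=auto` in the LUKS device's crypttab options (`boot.initrd.luks.devices.<name>.crypttabExtraOpts`) together with an enrollment bound to a PCR policy. If that part lives in another file, a pointer in the comment would help, e.g. `# systemd initrd is required for systemd-cryptsetup TPM2 unlock; enrollment and crypttab options are in <file>`. An enrollment without a PCR binding opens the volume for anyone who can boot the machine, so the PCR set that was chosen is worth recording next to this option.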
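Review bot: `user = config.users.users.aires.name` in a base module whose comment says it configures automatic updates for all hosts makes evaluation depend on the `aires` user existing on every host; a host that defines a different user fails at eval rather than simply not being upgraded. Either make the user a per-host value or guard the block, e.g. `host.services.autoUpgrade = lib.mkIf (config.users.users ? aires) { ... };`. Whether every host really shares that user cannot be seen from this hunk.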
diff --git a/modules/services/autoupgrade.nix b/modules/services/autoupgrade.nix index d62fc99..8dab295 100644 --- a/modules/services/autoupgrade.nix +++ b/modules/services/autoupgrade.nix @@ -31,9 +31,27 @@ in type = lib.types.bool; description = "Enables automatic system updates."; }; + configDir = lib.mkOption { + type = lib.types.str; + description = "Path where your NixOS configuration files are stored."; + }; + onCalendar = lib.mkOption { + default = "daily"; + type = lib.types.str; + description = "How frequently to run updates. See systemd.timer(5) and systemd.time(7) for configuration details."; + }; + persistent = lib.mkOption { + default = true; + type = lib.types.bool; + description = "If true, the time when the service unit was last triggered is stored on disk. When the timer is activated, the service unit is triggered immediately if it would have been triggered at least once during the time when the timer was inactive. This is useful to catch up on missed runs of the service when the system was powered down."; + }; pushUpdates = lib.mkEnableOption ( lib.mdDoc "Updates the flake.lock file and pushes it back to the repo." ); + user = lib.mkOption { + type = lib.types.str; + description = "The user who owns the configDir."; + }; }; }; 
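Review bot: `configDir` and `user` are declared as bare `lib.types.str` with no default, yet both are spliced straight into a shell script that runs as root. Typing `configDir` as `lib.types.path` makes a relative or empty value an evaluation error, and an assertion such as `{ assertion = config.users.users ? ${cfg.user}; message = "host.services.autoUpgrade.user must be a declared user"; }` catches a typo in `user` before it turns into a failing `sudo -u` inside the service. The `persistent` description repeats the systemd.timer(5) text verbatim; a one-line summary plus the man-page reference already given on `onCalendar` would read more consistently.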
@@ -47,28 +65,28 @@ in }; path = pathPkgs; script = '' - cd ${config.secrets.nixConfigFolder} + cd ${cfg.configDir} # Check if there are changes from Git. echo "Pulling latest version..." - sudo -u aires git fetch - sudo -u aires git diff --quiet --exit-code main origin/main || true + sudo -u ${cfg.user} git fetch + sudo -u ${cfg.user} git diff --quiet --exit-code main origin/main || true # If we have changes (git diff returns 1), pull changes and run the update if [ $? -eq 1 ]; then echo "Updates found, running nixos-rebuild..." - sudo -u aires git pull --recurse-submodules - nh os switch + sudo -u ${cfg.user} git pull --recurse-submodules + nixos-rebuild switch --flake . else echo "No updates found. Exiting." fi ''; }; - systemd.timers."nixos-upgrade-timer" = { + systemd.timers."nixos-upgrade" = { wants = [ "network-online.target" ]; after = [ "network-online.target" ]; wantedBy = [ "timers.target" ]; timerConfig = { - OnCalendar = "daily"; - Persistent = "true"; + OnCalendar = cfg.onCalendar; + Persistent = cfg.persistent; Unit = "nixos-upgrade.service"; }; }; @@ -78,13 +96,13 @@ in systemd.services."nixos-upgrade-flake" = { serviceConfig = { Type = "oneshot"; - User = config.users.users.aires.name; + User = cfg.user; }; path = pathPkgs; # Git diffing strategy courtesy of https://stackoverflow.com/a/40255467 script = '' set -eu - cd ${config.secrets.nixConfigFolder} + cd ${cfg.configDir} # Make sure we're up-to-date echo "Pulling the latest version..." git pull --recurse-submodules @@ -93,13 +111,13 @@ in ''; }; - systemd.timers."nixos-upgrade-flake-timer" = { + systemd.timers."nixos-upgrade-flake" = { wants = [ "network-online.target" ]; after = [ "network-online.target" ]; wantedBy = [ "timers.target" ]; timerConfig = { - OnCalendar = "daily"; - Persistent = "true"; + OnCalendar = cfg.onCalendar; + Persistent = cfg.persistent; Unit = "nixos-upgrade-flake.service"; }; }; From d959c546b08751f9598b1b0291c03af61cd0e5bd Mon Sep 17 00:00:00 2001 
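Review bot: In the rewritten script the `|| true` on the `git diff --quiet --exit-code` line forces that list's exit status to 0, so the following `if [ $? -eq 1 ]` never fires and `nixos-rebuild switch --flake .` is unreachable; the defect is pre-existing but is carried onto the new side here and again in the rewrites of the same line in patches 3 and 5. Replace the two lines with `if ! sudo -u ${cfg.user} git diff --quiet --exit-code main origin/main; then` and drop the `|| true` line. `${cfg.configDir}` and `${cfg.user}` are interpolated unquoted into a root-run script; `cd ${lib.escapeShellArg cfg.configDir}` avoids word splitting on a path containing spaces. Because the service switches the system as root to whatever is on `origin/main`, push access to that branch is equivalent to root on every host, so a `git verify-commit` (or signed-tag) check before the pull is a cheap mitigation worth considering.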
From: Andre Date: Sun, 2 Jun 2024 11:30:09 -0400 Subject: [PATCH 3/5] Disable automatic login on Khanda --- hosts/Khanda/default.nix | 1 - modules/services/autoupgrade.nix | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/hosts/Khanda/default.nix b/hosts/Khanda/default.nix index f4e84cd..90f3b49 100644 --- a/hosts/Khanda/default.nix +++ b/hosts/Khanda/default.nix @@ -21,7 +21,6 @@ }; users.aires = { enable = true; - autologin = true; services = { syncthing = { enable = true; diff --git a/modules/services/autoupgrade.nix b/modules/services/autoupgrade.nix index 8dab295..344539f 100644 --- a/modules/services/autoupgrade.nix +++ b/modules/services/autoupgrade.nix @@ -64,12 +64,13 @@ in User = "root"; }; path = pathPkgs; + # Git diffing strategy courtesy of https://stackoverflow.com/a/40255467 script = '' cd ${cfg.configDir} # Check if there are changes from Git. echo "Pulling latest version..." sudo -u ${cfg.user} git fetch - sudo -u ${cfg.user} git diff --quiet --exit-code main origin/main || true + sudo -u ${cfg.user} git diff --quiet --exit-code || true # If we have changes (git diff returns 1), pull changes and run the update if [ $? -eq 1 ]; then echo "Updates found, running nixos-rebuild..." @@ -99,7 +100,6 @@ in User = cfg.user; }; path = pathPkgs; - # Git diffing strategy courtesy of https://stackoverflow.com/a/40255467 script = '' set -eu cd ${cfg.configDir} From cc4ae56ea3a62c67ac6fe30fc589cdcabdb25ea2 Mon Sep 17 00:00:00 2001 From: Andre Date: Sun, 2 Jun 2024 12:37:48 -0400 Subject: [PATCH 4/5] Fix auto-update on Haven --- flake.lock | 2 +- modules/base/system.nix | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 8d67335..afe9f93 100644 --- a/flake.lock +++ b/flake.lock 
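Review bot: Dropping the revision arguments turns `git diff --quiet --exit-code` into a working-tree-versus-index comparison, so commits brought in by the preceding `git fetch` are never detected and the upgrade branch cannot be reached until patch 5 restores the revisions through the `branches` option. Squashing that fix into this commit would avoid leaving a non-functional intermediate state in the history. The `|| true` on the same line also pins `$?` to 0 regardless of the diff result, as raised on patch 2.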
@@ -252,7 +252,7 @@ "locked": { "lastModified": 1717092160, "narHash": "sha256-dype0zRMyP94Uo8YC1vWQ6lkvXLYMep6+Xo7AW4K9cs=", - "ref": "refs/heads/main", + "ref": "42ddf14d36d9fab1eb070f51fdf1991d1a21dde9", "rev": "42ddf14d36d9fab1eb070f51fdf1991d1a21dde9", "revCount": 42, "type": "git", diff --git a/modules/base/system.nix b/modules/base/system.nix index b2332f6..50afc76 100644 --- a/modules/base/system.nix +++ b/modules/base/system.nix @@ -31,8 +31,6 @@ enable = true; configDir = config.secrets.nixConfigFolder; onCalendar = "daily"; - persistent = true; - pushUpdates = false; user = config.users.users.aires.name; }; From ca40bc1151d4138ae5a1acc6eb6f69e587676484 Mon Sep 17 00:00:00 2001 From: Andre Date: Sun, 2 Jun 2024 13:41:18 -0400 Subject: [PATCH 5/5] Add branch name option to nixos-upgrade with defaults to main --- modules/services/autoupgrade.nix | 11 ++++++++++- modules/services/ssh.nix | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/modules/services/autoupgrade.nix b/modules/services/autoupgrade.nix index 344539f..d7bf297 100644 --- a/modules/services/autoupgrade.nix +++ b/modules/services/autoupgrade.nix @@ -31,6 +31,15 @@ in type = lib.types.bool; description = "Enables automatic system updates."; }; + branches = lib.mkOption { + type = lib.types.attrs; + description = "Which local and remote branches to compare."; + default = { + local = "main"; + remote = "main"; + remoteName = "origin"; + }; + }; configDir = lib.mkOption { type = lib.types.str; description = "Path where your NixOS configuration files are stored."; 
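Review bot: `branches` is typed `lib.types.attrs`, which validates no keys and whose default is only used when the option is not set at all, so a host that sets just `branches.local = "dev"` ends up with no `remote` or `remoteName` and evaluation fails with a missing-attribute error when the script is built. A submodule with a default per key keeps the `main`/`main`/`origin` behaviour while letting hosts override one value, and rejects unknown keys or non-string values at eval time. The `description` can then drop the implicit schema, since each key documents itself.

```nix
branches = lib.mkOption {
  description = "Which local and remote branches to compare.";
  type = lib.types.submodule {
    options = {
      local = lib.mkOption { type = lib.types.str; default = "main"; description = "Local branch to compare."; };
      remote = lib.mkOption { type = lib.types.str; default = "main"; description = "Branch on the remote to compare against."; };
      remoteName = lib.mkOption { type = lib.types.str; default = "origin"; description = "Name of the git remote."; };
    };
  };
  default = { };
};
# … unchanged: configDir option …
```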
@@ -70,7 +79,7 @@ in # Check if there are changes from Git. echo "Pulling latest version..." sudo -u ${cfg.user} git fetch - sudo -u ${cfg.user} git diff --quiet --exit-code || true + sudo -u ${cfg.user} git diff --quiet --exit-code ${cfg.branches.local} ${cfg.branches.remoteName}/${cfg.branches.remote} || true # If we have changes (git diff returns 1), pull changes and run the update if [ $? -eq 1 ]; then echo "Updates found, running nixos-rebuild..." diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix index 1a393dd..e88e287 100644 --- a/modules/services/ssh.nix +++ b/modules/services/ssh.nix @@ -8,7 +8,7 @@ in host.services.ssh = { enable = lib.mkEnableOption (lib.mdDoc "Enables SSH server."); ports = lib.mkOption { - default = [ ]; + default = [ 22 ]; type = lib.types.listOf lib.types.int; description = "Ports for SSH to listen on."; };
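Review bot: The comparison now targets `${cfg.branches.remoteName}/${cfg.branches.remote}`, but the `git pull --recurse-submodules` that follows (outside this hunk, visible in patch 2) still pulls whatever upstream the checkout's tracking branch points at, so a non-default `branches` setting can detect changes on one branch and pull from another. Passing the same remote and branch to pull, `sudo -u ${cfg.user} git pull --recurse-submodules ${cfg.branches.remoteName} ${cfg.branches.remote}`, keeps the two in step. The three branch values are interpolated unquoted into a root-run script; wrapping each in `lib.escapeShellArg` makes a stray space or `;` in a branch name an error instead of a command. The `|| true` problem raised on patch 2 persists on this line.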