diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..b034c8f
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,60 @@
+name: Build and upload
+
+on:
+ pull_request:
+ push:
+ branches: [main]
+
+jobs:
+ build:
+ strategy:
+ matrix:
+ runners:
+ - runner: UbuntuLatest32Cores128G
+ system: x86_64-linux
+
+ - runner: UbuntuLatest32Cores128GArm
+ system: aarch64-linux
+
+ runs-on: ${{ matrix.runners.runner }}
+ permissions:
+ id-token: write
+ contents: write
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: DeterminateSystems/determinate-nix-action@v3
+
+ - uses: DeterminateSystems/flakehub-cache-action@main
+
+ - run: nix develop --command nixfmt --check .
+ if: success() || failure()
+
+ - run: nix build .#packages.${{ matrix.runners.system }}.iso
+ if: success() || failure()
+
+ - uses: actions/upload-artifact@v4
+ if: github.ref_type != 'tag'
+ with:
+ name: nixos-with-determinate-${{ matrix.runners.system }}.iso
+ path: ./result/iso/*
+ retention-days: 90
+
+ - name: Release
+ uses: softprops/action-gh-release@v2
+ if: github.ref_type == 'tag'
+ with:
+ prerelease: true
+ files: ./result/iso/*
+
+ release:
+ runs-on: ubuntu-latest
+ needs: build
+ environment: ${{ github.ref_type == 'tag' && 'production' || 'build' }}
+ steps:
+ - run: "true"
+ - name: Release
+ uses: softprops/action-gh-release@v2
+ if: github.ref_type == 'tag'
+ with:
+ prerelease: false
diff --git a/.github/workflows/propose-release.yml b/.github/workflows/propose-release.yml
new file mode 100644
index 0000000..0381185
--- /dev/null
+++ b/.github/workflows/propose-release.yml
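Review bot: `uses: DeterminateSystems/flakehub-cache-action@main` in the build job tracks a mutable branch while the same job grants `id-token: write` and `contents: write`, so anything that lands on that branch runs with this repository's OIDC identity and a write-capable token. Pin it to a release tag or, preferably, a full commit SHA with the version in a trailing comment, e.g. `uses: DeterminateSystems/flakehub-cache-action@<full-commit-sha>  # <release-tag>`, and consider the same SHA pinning for the other third-party actions in this hunk. Separately, the workflow only triggers on `pull_request` and `push` to `branches: [main]`, so `github.ref_type == 'tag'` can never be true here and both `softprops/action-gh-release@v2` steps look unreachable; if releases are meant to come from this workflow the push trigger needs a `tags:` filter, unless a separate tag-triggered workflow is expected to exist. The `release` job also declares no `permissions:` block, so whether its release step gets `contents: write` depends on the repository's default token settings rather than on this file — worth stating explicitly.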
@@ -0,0 +1,24 @@
+on:
+ workflow_dispatch:
+ inputs:
+ reference-id:
+ type: string
+ required: true
+ version:
+ type: string
+ required: true
+
+concurrency:
+ group: ${{ github.workflow }}
+ cancel-in-progress: true
+
+jobs:
+ propose-release:
+ uses: DeterminateSystems/propose-release/.github/workflows/workflow.yml@main
+ permissions:
+ id-token: "write"
+ contents: "write"
+ pull-requests: write
+ with:
+ reference-id: ${{ inputs.reference-id }}
+ version: ${{ inputs.version }}
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..093c5cd
--- /dev/null
+++ b/README.md
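Review bot: `uses: DeterminateSystems/propose-release/.github/workflows/workflow.yml@main` pins a reusable workflow to a mutable branch while handing it `id-token: write`, `contents: write` and `pull-requests: write`, so the upstream branch can change what runs under this repository's identity without any change here; pin it to a tag or full commit SHA, e.g. `uses: DeterminateSystems/propose-release/.github/workflows/workflow.yml@<full-commit-sha>  # <release-tag>`. The permission values are quoted inconsistently (`id-token: "write"` and `contents: "write"` versus `pull-requests: write`); `write` is not a boolean- or number-looking scalar, so dropping the quotes on the first two matches the third and the ci.yml in this same commit. The file also has no top-level `name:`, so it will appear in the Actions UI under its file path rather than a descriptive title.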
@@ -0,0 +1,49 @@
+# NixOS ISOs with Determinate Nix
+
+This repo houses the build logic for [Determinate Systems][detsys]' official ISO for [NixOS].
+Our ISOs are available for these systems:
+
+| System | Nix system name |
+| :------------ | :-------------- |
+| x86 Linux | `x86_64-linux` |
+| aarch64 Linux | `aarch64-linux` |
+
+On both systems, the ISOs have these tools installed:
+
+- [Determinate Nix][det-nix], Determinate Systems' validated and secure [Nix] distribution for enterprises.
+ This includes [Determinate Nixd][dnixd], a utility that enables you to log in to [FlakeHub] using only this command (amongst other tasks):
+
+ ```shell
+ determinate-nixd login
+ ```
+
+ Once logged in, your host can access [FlakeHub Cache][cache] and [private flakes][private-flakes] for your organization.
+
+- [fh], the CLI for [FlakeHub].
+ You can use fh for things like [applying][fh-apply-nixos] NixOS configurations uploaded to [FlakeHub Cache][cache].
+ Here's an example:
+
+ ```shell
+ determinate-nixd login
+ fh apply nixos "my-org/my-flake/*#nixosConfigurations.my-nixos-configuration-output"
+ ```
+
+Note: this NixOS installer image is identical to NixOS's ISOs, but with flakes enabled by default via Determinate Nix and NetworkManager being enabled instead of bare WPA Supplicant.
+[ami]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
+[fh-apply-nixos]: https://docs.determinate.systems/flakehub/cli#apply-nixos
+[cache]: https://docs.determinate.systems/flakehub/cache
+[demo]: https://github.com/determinatesystems/demo
+[det-nix]: https://docs.determinate.systems/determinate-nix
+[detsys]: https://determinate.systems
+[dnixd]: https://docs.determinate.systems/determinate-nix#determinate-nixd
+[ec2]: https://aws.amazon.com/ec2
+[fh]: https://docs.determinate.systems/flakehub/cli
+[fh-apply]: https://docs.determinate.systems/flakehub/cli#apply
+[flakehub]: https://flakehub.com
+[nix]: https://docs.determinate.systems/determinate-nix
+[nixos]: https://zero-to-nix.com/concepts/nixos
+[opentofu]: https://opentofu.org
+[private-flakes]: https://docs.determinate.systems/flakehub/private-flakes
+[ssm]: https://aws.amazon.com/systems-manager
+[sts]: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html
+[terraform]: https://terraform.io
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..31467f6
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,333 @@ +{ + "nodes": { + "determinate": { + "inputs": { + "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin", + "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux", + "determinate-nixd-x86_64-darwin": [ + "determinate", + "determinate-nixd-aarch64-darwin" + ], + "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux", + "nix": "nix", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1747961738, + "narHash": "sha256-9XZmFhSzZnxw0ZCn90kVP5+YUmTppzu+dUFBSUwz8Gc=", + "rev": "e0a390f89e737102f4de7dbc644ff9412b006efe", + "revCount": 236, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.6.0/0196faa6-d623-7e23-9152-44cb1b5a53f2/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A" + } + }, + "determinate-nixd-aarch64-darwin": { + "flake": false, + "locked": { + "narHash": "sha256-0eo5RlKi/HwwSa8pYm+mTA5lGpvuaxMMW1wSRmpTHpk=", + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/macOS" + }, + "original": { + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/macOS" + } + }, + "determinate-nixd-aarch64-linux": { + "flake": false, + "locked": { + "narHash": "sha256-d44VyeBgSrIjdzeNj6KuRbDYlwwcyq+6/uYtfTlTgWc=", + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/aarch64-linux" + }, + "original": { + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/aarch64-linux" + } + }, + "determinate-nixd-x86_64-linux": { + "flake": false, + "locked": { + "narHash": "sha256-vuBRBrTJzgLDovVoCYZWLIN1vfAe8szIgzSuVd/vCZ8=", + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/x86_64-linux" + }, + "original": { + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/x86_64-linux" + } 
+ }, + "fenix": { + "inputs": { + "nixpkgs": [ + "fh", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1740810935, + "narHash": "sha256-6RzWfxENGlO73jQb3uQNgOvubUFwvveeIg+PZxhAu6s=", + "rev": "f44d7c3596ff028ad9f7fcc31d1941ed585f11b3", + "revCount": 2184, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/nix-community/fenix/0.1.2184%2Brev-f44d7c3596ff028ad9f7fcc31d1941ed585f11b3/019550c8-7792-7766-8dd2-80fad5595f70/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/nix-community/fenix/0.1.%2A" + } + }, + "fh": { + "inputs": { + "fenix": "fenix", + "naersk": "naersk", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1746473843, + "narHash": "sha256-t7IZlG7rKNbkt2DIU5H0/B0+b4e9YEVJx14ijpOycCw=", + "rev": "f8319fc6a1424db090e8c3e9284ef8f48d6cf111", + "revCount": 726, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/fh/0.1.24/0196a1f6-04df-7f72-8882-ddcd7de892e2/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/fh/%2A.tar.gz" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "determinate", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "git-hooks-nix": { + "inputs": { + 
"flake-compat": "flake-compat", + "gitignore": [ + "determinate", + "nix" + ], + "nixpkgs": [ + "determinate", + "nix", + "nixpkgs" + ], + "nixpkgs-stable": [ + "determinate", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734279981, + "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "naersk": { + "inputs": { + "nixpkgs": [ + "fh", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745925850, + "narHash": "sha256-cyAAMal0aPrlb1NgzMxZqeN1mAJ2pJseDhm2m6Um8T0=", + "rev": "38bc60bbc157ae266d4a0c96671c6c742ee17a5f", + "revCount": 359, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/nix-community/naersk/0.1.359%2Brev-38bc60bbc157ae266d4a0c96671c6c742ee17a5f/0196814b-3fe7-7501-996a-40369627cec0/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/nix-community/naersk/0.1.%2A" + } + }, + "nix": { + "inputs": { + "flake-parts": "flake-parts", + "git-hooks-nix": "git-hooks-nix", + "nixpkgs": "nixpkgs", + "nixpkgs-23-11": "nixpkgs-23-11", + "nixpkgs-regression": "nixpkgs-regression" + }, + "locked": { + "lastModified": 1747957393, + "narHash": "sha256-FDfLkkCNAoLLYV0h8hm279g6c2rM+VoBQ7mRX80x8V0=", + "rev": "8cd9eb86addaa7ae6975153ee47d6a8c1f90e667", + "revCount": 20892, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.6.0/0196fa94-7951-7f95-bb79-70f1d5283705/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1747179050, + "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", + "type": "github" + }, + 
"original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-23-11": { + "locked": { + "lastModified": 1717159533, + "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", + "type": "github" + } + }, + "nixpkgs-regression": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1747533086, + "narHash": "sha256-+8goyptSXa7qV0k5uPKyky58jpBjI/qkzsbwCZFvhRY=", + "rev": "8406224e30c258025cb8b31704bdb977a8f1f009", + "revCount": 802343, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.802343%2Brev-8406224e30c258025cb8b31704bdb977a8f1f009/0196ec33-1ffa-76fa-ad14-ac737caf6446/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1746183838, + "narHash": "sha256-kwaaguGkAqTZ1oK0yXeQ3ayYjs8u/W7eEfrFpFfIDFA=", + "rev": "bf3287dac860542719fe7554e21e686108716879", + "revCount": 717608, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2411.717608%2Brev-bf3287dac860542719fe7554e21e686108716879/0196927e-0862-7e0b-a84b-fbc51a400e7c/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2411.%2A" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1747882990, + 
"owner": "determinatesystems", + "repo": "nixpkgs", + "rev": "9971e4fc772b61dd054ba71be7016e21b32a9681", + "type": "github" + }, + "original": { + "owner": "determinatesystems", + "ref": "installer", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "determinate": "determinate", + "fh": "fh", + "nixpkgs": "nixpkgs_4" + } + }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1740737930, + "narHash": "sha256-2AW/FJQI/i6bbRB/8HR9l9SjxjuiukJpHdMPgwApPKA=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "fe8444616679f8e50ff9696f4750df1f10e7433d", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..96f198b --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,115 @@
+{
+ inputs.nixpkgs.url = "github:determinatesystems/nixpkgs/installer";
+ inputs.determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
+ inputs.fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz";
+
+ outputs =
+ {
+ self,
+ determinate,
+ nixpkgs,
+ fh,
+ ...
+ }:
+ let
+ forSystems =
+ s: f:
+ nixpkgs.lib.genAttrs s (
+ system:
+ f rec {
+ inherit system;
+ pkgs = nixpkgs.legacyPackages.${system};
+ }
+ );
+
+ forAllSystems = forSystems [
+ "aarch64-darwin"
+ "x86_64-darwin"
+ "x86_64-linux"
+ "aarch64-linux"
+ ];
+ forLinuxSystems = forSystems [
+ "x86_64-linux"
+ "aarch64-linux"
+ ];
+ in
+ {
+ devShells = forAllSystems (
+ { system, pkgs, ... }:
+ {
+ default = pkgs.mkShellNoCC {
+ buildInputs = with pkgs; [
+ nixfmt-rfc-style
+ ];
+ };
+ }
+ );
+
+ packages = forLinuxSystems (
+ { system, ... }:
+ {
+ toplevel = self.nixosConfigurations.${system}.install.config.system.build.toplevel;
+ iso = self.nixosConfigurations.${system}.install.config.system.build.isoImage;
+ }
+ );
+
+ nixosConfigurations = forLinuxSystems (
+ { system, ... }:
+ {
+ install = nixpkgs.lib.nixosSystem {
+ system = system;
+ modules = [
+ # Load the Determinate module
+ determinate.nixosModules.default
+ "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal-combined.nix"
+ (
+ {
+ options,
+ pkgs,
+ lib,
+ ...
+ }:
+ {
+ environment.systemPackages = [ fh.packages.${pkgs.stdenv.hostPlatform.system}.default ];
+ environment.etc."nixos/flake.nix" = {
+ source = ./flake.nix;
+ mode = "0644";
+ };
+ environment.etc."nixos/flake.lock" = {
+ source = ./flake.lock;
+ mode = "0644";
+ };
+ environment.etc."nixos-generate-config.conf".text = ''
+ [Defaults]
+ Flake=1
+ '';
+
+ networking.wireless.enable = lib.mkForce false;
+ networking.networkmanager.enable = true;
+
+ system.nixos-generate-config.flake = ''
+ {
+ inputs = {
+ determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/3";
+ nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1"; # NixOS, rolling release
+ # nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; # NixOS, current stable
+ };
+ outputs = inputs\@{ self, nixpkgs, determinate, ... }: {
+ # NOTE: '${options.networking.hostName.default}' is the default hostname
+ nixosConfigurations.${options.networking.hostName.default} = nixpkgs.lib.nixosSystem {
+ modules = [
+ determinate.nixosModule.default
+ ./configuration.nix
+ ];
+ };
+ };
+ }
+ '';
+ }
+ )
+ ];
+ };
+ }
+ );
+ };
+}
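Review bot: The template written by `system.nixos-generate-config.flake` references `determinate.nixosModule.default` (singular), while the ISO's own `modules` list a few lines above uses `determinate.nixosModules.default`; `nixosModules` is the standard flake output name, so the `/etc/nixos/flake.nix` generated on an installed system would likely fail to evaluate unless the determinate flake also exports a singular `nixosModule` — please align the template to `determinate.nixosModules.default`. The `inputs\@{ ... }` spelling in the same template deserves a why-comment, because a bare backslash is literal inside a Nix `''` string and a reader will otherwise take it for a typo, e.g. `# \@ is deliberate: this text is interpolated into the Perl nixos-generate-config script — confirm against the installer nixpkgs branch`. The module also copies this flake's own `flake.nix`/`flake.lock` into `/etc/nixos` on the ISO with `mode = "0644"`; a one-line comment saying why the ISO's build recipe is placed there (and that it is distinct from the generated template) would help the next maintainer.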