From 7f0607daf4f8d1d60d560ae8faf70d2dc405dd91 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Fri, 23 May 2025 17:59:16 -0400
Subject: [PATCH 01/12] Initial import of a nixos iso?
---
 flake.nix | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 flake.nix
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..5edc90c
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,53 @@ +{ + inputs.nixpkgs.url = "github:determinatesystems/nixpkgs/installer"; + inputs.determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*"; # */ + + outputs = { self, determinate, nixpkgs, ... }: { + packages.x86_64-linux.toplevel = self.nixosConfigurations.install.config.system.build.toplevel; + packages.x86_64-linux.iso = self.nixosConfigurations.install.config.system.build.isoImage; + + nixosConfigurations.install = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + # Load the Determinate module + determinate.nixosModules.default + "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal-combined.nix" + ({ options, ... }: { + environment.etc."nixos/flake.nix" = { + source = ./flake.nix; + mode = "0644"; +}; + environment.etc."nixos/flake.lock" = { + source = ./flake.lock; + mode = "0644"; +}; + environment.etc."nixos-generate-config.conf".text = '' + [Defaults] + Flake=1 + ''; + + system.nixos-generate-config.flake = '' +{ + inputs = { + determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/3"; + nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1"; # NixOS, rolling release + # nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; # NixOS, current stable + }; + outputs = inputs\@{ self, nixpkgs, determinate, ... }: { + # NOTE: '${options.networking.hostName.default}' is the default hostname + nixosConfigurations.${options.networking.hostName.default} = nixpkgs.lib.nixosSystem { + modules = [ + determinate.nixosModule.default + ./configuration.nix + ]; + }; + }; +} +''; + }) + ]; + }; + }; + + +} \ No newline at end of file From cd67b3ca2c4b2c466bf60527cd377d1aad1b66bf Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 23 May 2025 18:07:44 -0400 Subject: [PATCH 02/12] Format lol --- flake.nix | 99 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 54 insertions(+), 45 deletions(-) diff --git a/flake.nix b/flake.nix index 5edc90c..45664f4 100644 
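Review bot: The generated-flake template in `system.nixos-generate-config.flake` imports `determinate.nixosModule.default`, while the installer's own module list a few lines above imports `determinate.nixosModules.default`; the flake output schema uses the plural `nixosModules`, so the `/etc/nixos/flake.nix` written by `nixos-generate-config` would most likely fail on the first `nixos-rebuild` with a missing attribute. Change the template line to `determinate.nixosModules.default`. The same template line is carried unchanged through the flake.nix hunks of PATCH 02, PATCH 06 and PATCH 08, so one fix covers all of them.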
--- a/flake.nix +++ b/flake.nix 
@@ -2,52 +2,61 @@ inputs.nixpkgs.url = "github:determinatesystems/nixpkgs/installer"; inputs.determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*"; # */ - outputs = { self, determinate, nixpkgs, ... }: { - packages.x86_64-linux.toplevel = self.nixosConfigurations.install.config.system.build.toplevel; - packages.x86_64-linux.iso = self.nixosConfigurations.install.config.system.build.isoImage; + outputs = + { + self, + determinate, + nixpkgs, + ... + }: + { + packages.x86_64-linux.toplevel = self.nixosConfigurations.install.config.system.build.toplevel; + packages.x86_64-linux.iso = self.nixosConfigurations.install.config.system.build.isoImage; - nixosConfigurations.install = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - # Load the Determinate module - determinate.nixosModules.default - "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal-combined.nix" - ({ options, ... }: { - environment.etc."nixos/flake.nix" = { - source = ./flake.nix; - mode = "0644"; -}; - environment.etc."nixos/flake.lock" = { - source = ./flake.lock; - mode = "0644"; -}; - environment.etc."nixos-generate-config.conf".text = '' - [Defaults] - Flake=1 - ''; + nixosConfigurations.install = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + # Load the Determinate module + determinate.nixosModules.default + "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal-combined.nix" + ( + { options, ... 
}: + { + environment.etc."nixos/flake.nix" = { + source = ./flake.nix; + mode = "0644"; + }; + environment.etc."nixos/flake.lock" = { + source = ./flake.lock; + mode = "0644"; + }; + environment.etc."nixos-generate-config.conf".text = '' + [Defaults] + Flake=1 + ''; - system.nixos-generate-config.flake = '' -{ - inputs = { - determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/3"; - nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1"; # NixOS, rolling release - # nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; # NixOS, current stable - }; - outputs = inputs\@{ self, nixpkgs, determinate, ... }: { - # NOTE: '${options.networking.hostName.default}' is the default hostname - nixosConfigurations.${options.networking.hostName.default} = nixpkgs.lib.nixosSystem { - modules = [ - determinate.nixosModule.default - ./configuration.nix - ]; - }; - }; -} -''; - }) - ]; + system.nixos-generate-config.flake = '' + { + inputs = { + determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/3"; + nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1"; # NixOS, rolling release + # nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; # NixOS, current stable + }; + outputs = inputs\@{ self, nixpkgs, determinate, ... }: { + # NOTE: '${options.networking.hostName.default}' is the default hostname + nixosConfigurations.${options.networking.hostName.default} = nixpkgs.lib.nixosSystem { + modules = [ + determinate.nixosModule.default + ./configuration.nix + ]; + }; + }; + } + ''; + } + ) + ]; + }; }; - }; - -} \ No newline at end of file +} From dbc4d41aa54b7ed61b846c27f09de8a3730fc886 Mon Sep 17 00:00:00 2001 
From: Graham Christensen Date: Fri, 23 May 2025 19:19:00 -0400 Subject: [PATCH 03/12] Add a readme and fh --- README.md | 48 +++++++++++ flake.lock | 241 +++++++++++++++++++++++++++++++++++++++++++++++++++++ flake.nix | 7 +- 3 files changed, 294 insertions(+), 2 deletions(-) create mode 100644 README.md create mode 100644 flake.lock diff --git a/README.md b/README.md new file mode 100644 index 0000000..1d72a10 --- /dev/null +++ b/README.md 
@@ -0,0 +1,48 @@ +# NixOS ISOs with Determinate Nix + +This repo houses the build logic for [Determinate Systems][detsys]' official ISO for [NixOS]. +Our ISOs are available for these systems: + +| System | Nix system name | +| :------------ | :-------------- | +| x86 Linux | `x86_64-linux` | +| aarch64 Linux | `aarch64-linux` | + +On both systems, the ISOs have these tools installed: + +- [Determinate Nix][det-nix], Determinate Systems' validated and secure [Nix] distribution for enterprises. + This includes [Determinate Nixd][dnixd], a utility that enables you to log in to [FlakeHub] using only this command (amongst other tasks): + + ```shell + determinate-nixd login + ``` + + Once logged in, your host can access [FlakeHub Cache][cache] and [private flakes][private-flakes] for your organization. + +- [fh], the CLI for [FlakeHub]. + You can use fh for things like [applying][fh-apply-nixos] NixOS configurations uploaded to [FlakeHub Cache][cache]. + Here's an example: + + ```shell + determinate-nixd login + fh apply nixos "my-org/my-flake/*#nixosConfigurations.my-nixos-configuration-output" + ``` + +[ami]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html +[fh-apply-nixos]: https://docs.determinate.systems/flakehub/cli#apply-nixos +[cache]: https://docs.determinate.systems/flakehub/cache +[demo]: https://github.com/determinatesystems/demo +[det-nix]: https://docs.determinate.systems/determinate-nix +[detsys]: https://determinate.systems +[dnixd]: https://docs.determinate.systems/determinate-nix#determinate-nixd +[ec2]: https://aws.amazon.com/ec2 +[fh]: https://docs.determinate.systems/flakehub/cli +[fh-apply]: https://docs.determinate.systems/flakehub/cli#apply +[flakehub]: https://flakehub.com +[nix]: https://docs.determinate.systems/determinate-nix +[nixos]: https://zero-to-nix.com/concepts/nixos +[opentofu]: https://opentofu.org +[private-flakes]: https://docs.determinate.systems/flakehub/private-flakes +[ssm]: https://aws.amazon.com/systems-manager 
+[sts]: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html +[terraform]: https://terraform.io diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..491399b --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,241 @@ +{ + "nodes": { + "determinate": { + "inputs": { + "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin", + "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux", + "determinate-nixd-x86_64-darwin": [ + "determinate", + "determinate-nixd-aarch64-darwin" + ], + "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux", + "nix": "nix", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1747961738, + "narHash": "sha256-9XZmFhSzZnxw0ZCn90kVP5+YUmTppzu+dUFBSUwz8Gc=", + "rev": "e0a390f89e737102f4de7dbc644ff9412b006efe", + "revCount": 236, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.6.0/0196faa6-d623-7e23-9152-44cb1b5a53f2/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A" + } + }, + "determinate-nixd-aarch64-darwin": { + "flake": false, + "locked": { + "narHash": "sha256-0eo5RlKi/HwwSa8pYm+mTA5lGpvuaxMMW1wSRmpTHpk=", + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/macOS" + }, + "original": { + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/macOS" + } + }, + "determinate-nixd-aarch64-linux": { + "flake": false, + "locked": { + "narHash": "sha256-d44VyeBgSrIjdzeNj6KuRbDYlwwcyq+6/uYtfTlTgWc=", + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/aarch64-linux" + }, + "original": { + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/aarch64-linux" + } + }, + "determinate-nixd-x86_64-linux": { + "flake": false, + "locked": { + "narHash": "sha256-vuBRBrTJzgLDovVoCYZWLIN1vfAe8szIgzSuVd/vCZ8=", + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/x86_64-linux" + }, + "original": { + "type": "file", + "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/x86_64-linux" + } 
+ }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "determinate", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "git-hooks-nix": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": [ + "determinate", + "nix" + ], + "nixpkgs": [ + "determinate", + "nix", + "nixpkgs" + ], + "nixpkgs-stable": [ + "determinate", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734279981, + "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "nix": { + "inputs": { + "flake-parts": "flake-parts", + "git-hooks-nix": "git-hooks-nix", + "nixpkgs": "nixpkgs", + "nixpkgs-23-11": "nixpkgs-23-11", + "nixpkgs-regression": "nixpkgs-regression" + }, + "locked": { + "lastModified": 1747957393, + "narHash": "sha256-FDfLkkCNAoLLYV0h8hm279g6c2rM+VoBQ7mRX80x8V0=", + "rev": "8cd9eb86addaa7ae6975153ee47d6a8c1f90e667", + "revCount": 20892, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.6.0/0196fa94-7951-7f95-bb79-70f1d5283705/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": 
"https://flakehub.com/f/DeterminateSystems/nix-src/%2A" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1747179050, + "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-23-11": { + "locked": { + "lastModified": 1717159533, + "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", + "type": "github" + } + }, + "nixpkgs-regression": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1747533086, + "narHash": "sha256-+8goyptSXa7qV0k5uPKyky58jpBjI/qkzsbwCZFvhRY=", + "rev": "8406224e30c258025cb8b31704bdb977a8f1f009", + "revCount": 802343, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.802343%2Brev-8406224e30c258025cb8b31704bdb977a8f1f009/0196ec33-1ffa-76fa-ad14-ac737caf6446/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1747882990, + "owner": "determinatesystems", + "repo": "nixpkgs", + "rev": "9971e4fc772b61dd054ba71be7016e21b32a9681", + "type": "github" + }, + "original": { + "owner": "determinatesystems", + "ref": 
"installer", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "determinate": "determinate", + "nixpkgs": "nixpkgs_3" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 45664f4..738a222 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,7 @@ { inputs.nixpkgs.url = "github:determinatesystems/nixpkgs/installer"; - inputs.determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*"; # */ + inputs.determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*"; + inputs.fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz"; outputs = { @@ -18,10 +19,12 @@ modules = [ # Load the Determinate module determinate.nixosModules.default + inputs.fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz"; "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal-combined.nix" ( - { options, ... }: + { options, pkgs, ... }: { + environment.systemPackages = [ fh.packages.x86_64-linux.default ]; environment.etc."nixos/flake.nix" = { source = ./flake.nix; mode = "0644"; From 58524f1b281098ef8dc88e4c168b94f01631db98 Mon Sep 17 00:00:00 2001 From: Cole Mickens Date: Fri, 23 May 2025 16:25:25 -0700 Subject: [PATCH 04/12] iso: switch to networkmanager; add fh --- flake.lock | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++++- flake.nix | 18 ++++++++--- 2 files changed, 107 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 491399b..31467f6 100644 --- a/flake.lock +++ b/flake.lock 
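Review bot: In the second flake.nix hunk, `inputs.fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz";` is placed as an element of the `modules = [ … ]` list, which is not a valid Nix expression, and the new `environment.systemPackages` line refers to `fh` although the `outputs` argument set is still `{ self, determinate, nixpkgs, ... }`, so this commit does not evaluate. PATCH 04 removes the stray line and adds `fh` to the arguments; squashing that fix into this commit keeps the series bisectable. The `pkgs` added to the inner module's arguments is not used anywhere in this hunk either.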
@@ -61,6 +61,46 @@ "url": "https://install.determinate.systems/determinate-nixd/tag/v3.6.0/x86_64-linux" } }, + "fenix": { + "inputs": { + "nixpkgs": [ + "fh", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1740810935, + "narHash": "sha256-6RzWfxENGlO73jQb3uQNgOvubUFwvveeIg+PZxhAu6s=", + "rev": "f44d7c3596ff028ad9f7fcc31d1941ed585f11b3", + "revCount": 2184, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/nix-community/fenix/0.1.2184%2Brev-f44d7c3596ff028ad9f7fcc31d1941ed585f11b3/019550c8-7792-7766-8dd2-80fad5595f70/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/nix-community/fenix/0.1.%2A" + } + }, + "fh": { + "inputs": { + "fenix": "fenix", + "naersk": "naersk", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1746473843, + "narHash": "sha256-t7IZlG7rKNbkt2DIU5H0/B0+b4e9YEVJx14ijpOycCw=", + "rev": "f8319fc6a1424db090e8c3e9284ef8f48d6cf111", + "revCount": 726, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/fh/0.1.24/0196a1f6-04df-7f72-8882-ddcd7de892e2/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/fh/%2A.tar.gz" + } + }, "flake-compat": { "flake": false, "locked": { @@ -131,6 +171,26 @@ "type": "github" } }, + "naersk": { + "inputs": { + "nixpkgs": [ + "fh", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745925850, + "narHash": "sha256-cyAAMal0aPrlb1NgzMxZqeN1mAJ2pJseDhm2m6Um8T0=", + "rev": "38bc60bbc157ae266d4a0c96671c6c742ee17a5f", + "revCount": 359, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/nix-community/naersk/0.1.359%2Brev-38bc60bbc157ae266d4a0c96671c6c742ee17a5f/0196814b-3fe7-7501-996a-40369627cec0/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/nix-community/naersk/0.1.%2A" + } + }, "nix": { "inputs": { "flake-parts": "flake-parts", 
@@ -215,6 +275,20 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1746183838, + "narHash": "sha256-kwaaguGkAqTZ1oK0yXeQ3ayYjs8u/W7eEfrFpFfIDFA=", + "rev": "bf3287dac860542719fe7554e21e686108716879", + "revCount": 717608, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2411.717608%2Brev-bf3287dac860542719fe7554e21e686108716879/0196927e-0862-7e0b-a84b-fbc51a400e7c/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2411.%2A" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1747882990, "owner": "determinatesystems", @@ -232,7 +306,25 @@ "root": { "inputs": { "determinate": "determinate", - "nixpkgs": "nixpkgs_3" + "fh": "fh", + "nixpkgs": "nixpkgs_4" + } + }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1740737930, + "narHash": "sha256-2AW/FJQI/i6bbRB/8HR9l9SjxjuiukJpHdMPgwApPKA=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "fe8444616679f8e50ff9696f4750df1f10e7433d", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 738a222..2b48645 100644 --- a/flake.nix +++ b/flake.nix @@ -8,6 +8,7 @@ self, determinate, nixpkgs, + fh, ... }: { @@ -19,12 +20,11 @@ modules = [ # Load the Determinate module determinate.nixosModules.default - inputs.fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz"; "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal-combined.nix" ( - { options, pkgs, ... }: + { options, pkgs, lib, ... }: { - environment.systemPackages = [ fh.packages.x86_64-linux.default ]; + environment.systemPackages = [ fh.packages.${pkgs.stdenv.hostPlatform.system}.default ]; environment.etc."nixos/flake.nix" = { source = ./flake.nix; mode = "0644"; 
@@ -38,19 +38,29 @@ Flake=1 ''; + networking.wireless.enable = lib.mkForce false; + networking.networkmanager.enable = true; + system.nixos-generate-config.flake = '' { inputs = { determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/3"; nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1"; # NixOS, rolling release # nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; # NixOS, current stable + inputs.fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz"; }; - outputs = inputs\@{ self, nixpkgs, determinate, ... }: { + outputs = inputs\@{ self, nixpkgs, determinate, fh, ... }: { # NOTE: '${options.networking.hostName.default}' is the default hostname nixosConfigurations.${options.networking.hostName.default} = nixpkgs.lib.nixosSystem { modules = [ determinate.nixosModule.default ./configuration.nix + ( + { options, pkgs, ... }: + { + environment.systemPackages = [ fh.packages.${pkgs.stdenv.hostPlatform.system}.default ]; + } + ) ]; }; }; From 1f3b8f215b98b68462f87c16005156f24efbfff2 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 23 May 2025 19:32:31 -0400 Subject: [PATCH 05/12] add a ci workflow --- .github/workflows/ci.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..7429699 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,27 @@ +name: Build and upload + +on: + pull_request: + push: + branches: [main] + +jobs: + build: + runs-on: UbuntuLatest32Cores128G + permissions: + id-token: write + contents: write + steps: + - uses: actions/checkout@v4 + + - uses: DeterminateSystems/determinate-nix-action@v3 + + - uses: DeterminateSystems/flakehub-cache-action@main + + - run: nix build .#iso + + - uses: actions/upload-artifact@v4 + with: + name: nixos-with-determinate.iso + path: ./result/iso/* + retention-days: 90 
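Review bot: Inside the generated-flake template the added `inputs.fh.url = …;` sits within the `inputs = { … };` attribute set, so the emitted flake.nix declares `inputs.inputs.fh.url` rather than an `fh` input, and the `fh` named in `outputs = inputs\@{ self, nixpkgs, determinate, fh, ... }` would be missing when that flake is evaluated. The line should read `fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz";`. PATCH 06 drops this block from the template entirely, which also resolves it; squashing would avoid the broken intermediate state.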
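Review bot: The build job requests `contents: write` on every `pull_request` and `push` run, yet no step in this workflow writes to the repository — `actions/checkout` and `actions/upload-artifact` work with `contents: read` — so the token is broader than the job needs; use `contents: read` here and grant write only to a job that actually publishes. `DeterminateSystems/flakehub-cache-action@main` also tracks a branch while the other actions are pinned to version tags; pin it to a tag or full commit SHA so the third-party code that runs alongside the `id-token: write` credential is fixed and reviewable.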
From 09e8670e9a5e717e5c5cd623467288e746fd7958 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 23 May 2025 19:36:36 -0400 Subject: [PATCH 06/12] Specify a system and drop fh from the inside --- flake.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/flake.nix b/flake.nix index 2b48645..4ccbf51 100644 --- a/flake.nix +++ b/flake.nix @@ -47,20 +47,13 @@ determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/3"; nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1"; # NixOS, rolling release # nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; # NixOS, current stable - inputs.fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz"; }; - outputs = inputs\@{ self, nixpkgs, determinate, fh, ... }: { + outputs = inputs\@{ self, nixpkgs, determinate, ... }: { # NOTE: '${options.networking.hostName.default}' is the default hostname nixosConfigurations.${options.networking.hostName.default} = nixpkgs.lib.nixosSystem { modules = [ determinate.nixosModule.default ./configuration.nix - ( - { options, pkgs, ... }: - { - environment.systemPackages = [ fh.packages.${pkgs.stdenv.hostPlatform.system}.default ]; - } - ) ]; }; }; From 070edd9ff6efef503b61d34402633753c15e7db6 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 23 May 2025 19:52:15 -0400 Subject: [PATCH 07/12] Run the build on aarch64 too --- .github/workflows/ci.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7429699..463faa9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,7 +7,16 @@ on: jobs: build: - runs-on: UbuntuLatest32Cores128G + strategy: + matrix: + runners: + - runner: UbuntuLatest32Cores128G + system: x86_64-linux + + - runner: UbuntuLatest32Cores128GArm + system: aarch64-linux + + runs-on: ${{ matrix.runners.runner }} permissions: id-token: write contents: write 
@@ -18,10 +27,10 @@ jobs: - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix build .#iso + - run: nix build .#packages.${{ matrix.runners.system }}.iso - uses: actions/upload-artifact@v4 with: - name: nixos-with-determinate.iso + name: nixos-with-determinate-${{ matrix.runners.system }}.iso path: ./result/iso/* retention-days: 90 From 954add6e704a197e74261d4ace13ceb8820e68e5 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 23 May 2025 22:20:17 -0400 Subject: [PATCH 08/12] fmt, build arm --- .github/workflows/ci.yml | 4 ++ flake.nix | 139 ++++++++++++++++++++++++++------------- 2 files changed, 97 insertions(+), 46 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 463faa9..c81e6ab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,7 +27,11 @@ jobs: - uses: DeterminateSystems/flakehub-cache-action@main + - run: nix develop --command nixfmt --check . + if: success() || failure() + - run: nix build .#packages.${{ matrix.runners.system }}.iso + if: success() || failure() - uses: actions/upload-artifact@v4 with: diff --git a/flake.nix b/flake.nix index 4ccbf51..96f198b 100644 --- a/flake.nix +++ b/flake.nix 
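Review bot: `nix build .#packages.${{ matrix.runners.system }}.iso` assumes the flake exposes an `iso` package for both matrix systems, but as of this commit flake.nix defines only `packages.x86_64-linux` (see the PATCH 02 hunk), so the `aarch64-linux` matrix entry fails with a missing attribute until PATCH 08 introduces `forLinuxSystems`. Either land the flake change first or add `fail-fast: false` under `strategy` so one failing architecture does not cancel the other.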
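Review bot: `if: success() || failure()` on the `nix build` step keeps building after `nixfmt --check .` fails, but the `actions/upload-artifact` step that follows carries no such condition, so a formatting failure still discards the finished ISO and the large-runner build time is wasted. Either give the upload step the same `if:`, or move the format check into its own small job so the build job is not gated on it. `nix develop --command nixfmt --check .` also runs once per matrix entry, including the aarch64 runner, which duplicates the check.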
@@ -11,58 +11,105 @@ fh, ... }: - { - packages.x86_64-linux.toplevel = self.nixosConfigurations.install.config.system.build.toplevel; - packages.x86_64-linux.iso = self.nixosConfigurations.install.config.system.build.isoImage; + let + forSystems = + s: f: + nixpkgs.lib.genAttrs s ( + system: + f rec { + inherit system; + pkgs = nixpkgs.legacyPackages.${system}; + } + ); - nixosConfigurations.install = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - # Load the Determinate module - determinate.nixosModules.default - "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal-combined.nix" - ( - { options, pkgs, lib, ... }: - { - environment.systemPackages = [ fh.packages.${pkgs.stdenv.hostPlatform.system}.default ]; - environment.etc."nixos/flake.nix" = { - source = ./flake.nix; - mode = "0644"; - }; - environment.etc."nixos/flake.lock" = { - source = ./flake.lock; - mode = "0644"; - }; - environment.etc."nixos-generate-config.conf".text = '' - [Defaults] - Flake=1 - ''; + forAllSystems = forSystems [ + "aarch64-darwin" + "x86_64-darwin" + "x86_64-linux" + "aarch64-linux" + ]; + forLinuxSystems = forSystems [ + "x86_64-linux" + "aarch64-linux" + ]; + in + { + devShells = forAllSystems ( + { system, pkgs, ... }: + { + default = pkgs.mkShellNoCC { + buildInputs = with pkgs; [ + nixfmt-rfc-style + ]; + }; + } + ); - networking.wireless.enable = lib.mkForce false; - networking.networkmanager.enable = true; + packages = forLinuxSystems ( + { system, ... }: + { + toplevel = self.nixosConfigurations.${system}.install.config.system.build.toplevel; + iso = self.nixosConfigurations.${system}.install.config.system.build.isoImage; + } + ); - system.nixos-generate-config.flake = '' + nixosConfigurations = forLinuxSystems ( + { system, ... 
}: + { + install = nixpkgs.lib.nixosSystem { + system = system; + modules = [ + # Load the Determinate module + determinate.nixosModules.default + "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal-combined.nix" + ( + { + options, + pkgs, + lib, + ... + }: { - inputs = { - determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/3"; - nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1"; # NixOS, rolling release - # nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; # NixOS, current stable + environment.systemPackages = [ fh.packages.${pkgs.stdenv.hostPlatform.system}.default ]; + environment.etc."nixos/flake.nix" = { + source = ./flake.nix; + mode = "0644"; }; - outputs = inputs\@{ self, nixpkgs, determinate, ... }: { - # NOTE: '${options.networking.hostName.default}' is the default hostname - nixosConfigurations.${options.networking.hostName.default} = nixpkgs.lib.nixosSystem { - modules = [ - determinate.nixosModule.default - ./configuration.nix - ]; - }; + environment.etc."nixos/flake.lock" = { + source = ./flake.lock; + mode = "0644"; }; + environment.etc."nixos-generate-config.conf".text = '' + [Defaults] + Flake=1 + ''; + + networking.wireless.enable = lib.mkForce false; + networking.networkmanager.enable = true; + + system.nixos-generate-config.flake = '' + { + inputs = { + determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/3"; + nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1"; # NixOS, rolling release + # nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0"; # NixOS, current stable + }; + outputs = inputs\@{ self, nixpkgs, determinate, ... }: { + # NOTE: '${options.networking.hostName.default}' is the default hostname + nixosConfigurations.${options.networking.hostName.default} = nixpkgs.lib.nixosSystem { + modules = [ + determinate.nixosModule.default + ./configuration.nix + ]; + }; + }; + } + ''; } - ''; - } - ) - ]; - }; + ) + ]; + }; + } + ); }; - } 
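Review bot: `nixosConfigurations` is now produced by `forLinuxSystems`, giving `nixosConfigurations.x86_64-linux.install` and `nixosConfigurations.aarch64-linux.install`; the flake output schema expects `nixosConfigurations.<name>` to be the `nixosSystem` result itself, so `nix flake check` and `nixos-rebuild --flake .#<name>` will most likely reject or fail to find this nested layout. Consider flattening to names such as `install-${system}` (for example with `nixpkgs.lib.mapAttrs'` over the per-system set) and updating the two `self.nixosConfigurations.${system}.install` references in `packages` to match. In `forSystems`, `f rec { inherit system; pkgs = nixpkgs.legacyPackages.${system}; }` does not need `rec`, since `system` is the lambda parameter, and `system = system;` in the `nixosSystem` call can be `inherit system;`.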
From 697b3dd45b2a816e9c2c216177b080608a8dca26 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 23 May 2025 22:49:35 -0400 Subject: [PATCH 09/12] Push release artifacts --- .github/workflows/ci.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c81e6ab..e12448b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,14 @@ jobs: if: success() || failure() - uses: actions/upload-artifact@v4 + if: github.ref_type != 'tag' with: name: nixos-with-determinate-${{ matrix.runners.system }}.iso path: ./result/iso/* retention-days: 90 + + - name: Release + uses: softprops/action-gh-release@v2 + if: github.ref_type == 'tag' + with: + files: ./result/iso/* From 8dc6448e71f9331283a2962c96ab5ef78a15bfc9 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 23 May 2025 22:50:43 -0400 Subject: [PATCH 10/12] Add a propose-release workflow --- .github/workflows/propose-release.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/propose-release.yml diff --git a/.github/workflows/propose-release.yml b/.github/workflows/propose-release.yml new file mode 100644 index 0000000..0381185 --- /dev/null +++ b/.github/workflows/propose-release.yml @@ -0,0 +1,24 @@ +on: + workflow_dispatch: + inputs: + reference-id: + type: string + required: true + version: + type: string + required: true + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: true + +jobs: + propose-release: + uses: DeterminateSystems/propose-release/.github/workflows/workflow.yml@main + permissions: + id-token: "write" + contents: "write" + pull-requests: write + with: + reference-id: ${{ inputs.reference-id }} + version: ${{ inputs.version }} From 981eb9924299b190ed9638a22ae42cf1c18067ea Mon Sep 17 00:00:00 2001 
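Review bot: The new Release step is guarded by `github.ref_type == 'tag'`, but the workflow's triggers are `pull_request` and `push` limited to `branches: [main]`, so a tag ref never reaches this job and the step cannot fire unless something outside this file dispatches the workflow; add a tag filter under `on.push` (for example `tags: ['*']`) or a `release:` event if tag builds are meant to publish. `softprops/action-gh-release@v2` is also a third-party action running with `contents: write`; pin it to a full commit SHA rather than a moving major tag. Since the step runs in every matrix job, both architectures upload into the same release, which works as long as the ISO filenames differ per system.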
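Review bot: `uses: DeterminateSystems/propose-release/.github/workflows/workflow.yml@main` pulls the reusable workflow from a moving branch while granting it `contents: write`, `pull-requests: write` and `id-token: write`; pin the reference to a release tag or full commit SHA so the code running with those permissions is fixed and reviewable. The permission values mix quoting styles (`id-token: "write"` next to `pull-requests: write`); pick one, e.g. unquoted as in ci.yml. A top-level `name:` would also make the `concurrency.group: ${{ github.workflow }}` value and the Actions UI entry readable instead of falling back to the file path.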
From: Graham Christensen Date: Fri, 23 May 2025 22:53:56 -0400 Subject: [PATCH 11/12] make the release stable --- .github/workflows/ci.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e12448b..b034c8f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,4 +44,17 @@ jobs: uses: softprops/action-gh-release@v2 if: github.ref_type == 'tag' with: + prerelease: true files: ./result/iso/* + + release: + runs-on: ubuntu-latest + needs: build + environment: ${{ github.ref_type == 'tag' && 'production' || 'build' }} + steps: + - run: "true" + - name: Release + uses: softprops/action-gh-release@v2 + if: github.ref_type == 'tag' + with: + prerelease: false From a3866e9e6e5867249f4cd37ab8a590a6a3be751a Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Fri, 23 May 2025 23:19:21 -0400 Subject: [PATCH 12/12] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1d72a10..093c5cd 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,7 @@ On both systems, the ISOs have these tools installed: fh apply nixos "my-org/my-flake/*#nixosConfigurations.my-nixos-configuration-output" ``` +Note: this NixOS installer image is identical to NixOS's ISOs, but with flakes enabled by default via Determinate Nix and NetworkManager being enabled instead of bare WPA Supplicant. [ami]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html [fh-apply-nixos]: https://docs.determinate.systems/flakehub/cli#apply-nixos [cache]: https://docs.determinate.systems/flakehub/cache
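Review bot: The new `release` job declares no `permissions:` block, unlike `build`, so its `softprops/action-gh-release` step runs with the repository's default token scope — either too little to edit a release or broader than the job needs; add `permissions: contents: write` to the job explicitly. The `if: github.ref_type == 'tag'` is on the step rather than the job, so every pull_request and push still starts `release`, targets the `build` environment, and executes only the placeholder `- run: "true"`; moving the condition to job level (`if: github.ref_type == 'tag'` directly under `release:`) removes that noise and lets `environment:` be simply `production`. As with the `build` job, pin `softprops/action-gh-release@v2` to a full commit SHA.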