Roles

Roles enable a large set of default options at once, chosen according to the kind of machine a host is.

This removes a lot of boilerplate if you run many hosts with similar configurations.

Currently there are two available roles:

Desktop

Designed for desktop use, sets up:

  • base shell + env
  • systemd-networkd networking
  • boot integrated, systemd-boot by default but can be changed
  • initrd + SSH encrypted root unlock

Module Options Reference for provision.roles.desktop

Example Usage:

provision.roles.desktop = {
  enable = true;
  # add myuser as nix trusted user (the option is nixTrustedUsers, as declared in the module below)
  nixTrustedUsers = ["myuser"];
  # import SSH keyFiles from my user into initrd.networkd authorizedKeyFiles
  initrdUnlockUsers = ["myuser"];
};

Produces (excerpt of the role module, showing the option declarations and the configuration it sets):

  };

  config = mkIf cfg.desktop.enable {
    provision = {
      fs.boot = {
        enable = true;
        initrd.enable = false;
        initrd.ssh.usersImportKeyFiles = cfg.desktop.initrdUnlockUsers;
      };
      core = {
        enable = true;
        fonts.enable = true;
      };
      nix = {
        basic = true;
        develop = true;
        builder = true;
        optimise.enable = true;
        trustWheel = mkDefault true;
        trustedUsers = cfg.desktop.nixTrustedUsers;
      };
      networking.ssh = {
        enable = true;
        hardened = true;

Edge

Designed for server use, sets up:

  • base shell + env
  • garbage collected + optimised nix
  • systemd-networkd networking
  • boot integrated, systemd-boot by default but can be changed
  • initrd + SSH encrypted root unlock

Module Options Reference for provision.roles.edge

Example Usage:

provision.roles.edge = {
  enable = true;
  # increase inotify limits multiple
  bigMachine = true;
  # add deploy as nix trusted user, can be required for remote deploys
  # (the option is nixTrustedUsers, as declared in the module below)
  nixTrustedUsers = ["deploy"];
  # import SSH keyFiles from deploy user into initrd.networkd authorizedKeyFiles
  initrdUnlockUsers = ["deploy"];
  # add network kernel modules to stage-1 boot for remote unlock over SSH
  initrdNetModules = ["e1000e"];
};

Produces (excerpt of the role module, showing the option declarations and the configuration it sets):

    initrdNetModules =
      opts.stringList [ ]
        "extra network modules to add to `boot.initrd.availableKernelModules`";
    nixTrustedUsers = opts.stringList [ ] "trusted nix users (needed for deploy user at least)";
  };

  config = mkIf cfg.edge.enable {
    provision = {
      fs.boot = {
        enable = true;
        initrd.enable = true;
        initrd.ssh.usersImportKeyFiles = cfg.edge.initrdUnlockUsers;
        initrd.network.modules = cfg.edge.initrdNetModules;
      };
      core = {
        enable = true;
        shell.enable = true;
        locale.enable = true;
        aliases.enable = true;
        packages.enable = true;
        defaults.sysctl.bumpInotifyLimits = true;
        defaults.sysctl.inotifyLimitsMultiple = mkIf cfg.edge.bigMachine 10000;
      };
      nix = {
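The following is an added example, not part of the provision project's documentation or code, showing how both role examples above (desktop and edge) fit into a complete flake-based host. It wires the `deploy` user's SSH key files to the user account so the role's `initrdUnlockUsers` import has something to copy into the initrd, and adds an assertion so that a misconfigured unlock user fails at evaluation time rather than leaving the machine unreachable after a reboot. Assumptions, all labelled in the comments: the flake URL, the module attribute `provision.nixosModules.default`, the LUKS device UUID, and that the role reads keys from `users.users.<name>.openssh.authorizedKeys.keyFiles` (the page says "import SSH keyFiles", so this is the natural source, but check the module).

```nix
# Added example (not from the provision project). A flake that builds one edge
# host using the documented provision.roles.edge options.
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    # Placeholder: replace with the real provision flake URL.
    provision.url = "github:PLACEHOLDER-OWNER/provision";
  };

  outputs = { self, nixpkgs, provision, ... }: {
    nixosConfigurations.edge01 = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        # Assumption: the flake exposes its NixOS module under this attribute.
        provision.nixosModules.default

        ({ config, lib, pkgs, ... }: {
          networking.hostName = "edge01";

          # The role imports key *files* from the unlock user into the initrd
          # SSH authorized keys, so the user must carry keyFiles (inline
          # `keys` strings are not files and would not be picked up).
          users.users.deploy = {
            isNormalUser = true;
            extraGroups = [ "wheel" ];
            openssh.authorizedKeys.keyFiles = [ ./keys/deploy.pub ];
          };

          provision.roles.edge = {
            enable = true;
            bigMachine = true;
            # Keep this list minimal: a Nix trusted user is root-equivalent,
            # since it may push arbitrary store paths and override substituters.
            nixTrustedUsers = [ "deploy" ];
            initrdUnlockUsers = [ "deploy" ];
            # NIC driver needed in stage 1 so the initrd SSH server is reachable.
            initrdNetModules = [ "e1000e" ];
          };

          # Encrypted root that the initrd SSH session unlocks.
          # Placeholder UUID: replace with the real LUKS container.
          boot.initrd.luks.devices.cryptroot.device =
            "/dev/disk/by-uuid/PLACEHOLDER-UUID";

          # Fail evaluation if an unlock user has no key files; otherwise the
          # initrd sshd would accept no keys and remote unlock silently breaks.
          assertions = map (u: {
            assertion = (config.users.users ? ${u})
              && config.users.users.${u}.openssh.authorizedKeys.keyFiles != [ ];
            message =
              "provision.roles.edge.initrdUnlockUsers entry '${u}' has no openssh.authorizedKeys.keyFiles";
          }) config.provision.roles.edge.initrdUnlockUsers;

          system.stateVersion = "24.05";
        })
      ];
    };
  };
}
```

Build with `nixos-rebuild switch --flake .#edge01` (or `nix build .#nixosConfigurations.edge01.config.system.build.toplevel` to evaluate without deploying). Two points worth checking on any host built this way: the stage-1 sshd uses its own host key, separate from the installed system's, so operators should record that key in a dedicated `known_hosts` entry instead of disabling host-key checking; and because `nix.settings.trusted-users` grants root-equivalent control over the store, the `nixTrustedUsers` list should contain only the account that actually performs deploys.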