Commit 301daf9cba76
2025-11-20 16:16:06
1 parent
4b63200
Changed files (4)
imperative/wakasu/apply.sh
@@ -24,6 +24,70 @@ log_error() {
echo -e "${RED}[ERROR]${NC} $*" >&2
}
+setup.nix() {
+ log_info "Setting up Nix package manager with SELinux support..."
+
+ # Check if Nix is already installed
+ if command -v nix &>/dev/null; then
+ log_info "Nix is already installed, skipping installation"
+ return 0
+ fi
+
+ # Install required dependencies
+ log_info "Installing dependencies..."
+ sudo dnf install -y policycoreutils-python-utils
+
+ # Configure SELinux contexts for Nix
+ log_info "Configuring SELinux contexts..."
+ sudo semanage fcontext --add --type etc_t '/nix/store/[^/]+/etc(/.*)?'
+ sudo semanage fcontext --add --type lib_t '/nix/store/[^/]+/lib(/.*)?'
+ sudo semanage fcontext --add --type systemd_unit_file_t '/nix/store/[^/]+/lib/systemd/system(/.*)?'
+ sudo semanage fcontext --add --type man_t '/nix/store/[^/]+/man(/.*)?'
+ sudo semanage fcontext --add --type bin_t '/nix/store/[^/]+/s?bin(/.*)?'
+ sudo semanage fcontext --add --type usr_t '/nix/store/[^/]+/share(/.*)?'
+ sudo semanage fcontext --add --type var_run_t '/nix/var/nix/daemon-socket(/.*)?'
+ sudo semanage fcontext --add --type usr_t '/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
+
+ # Create Nix directories
+ log_info "Creating Nix directories..."
+ sudo mkdir -p /nix
+
+ # Install Nix with daemon support
+ log_info "Installing Nix..."
+ sh <(curl -L https://nixos.org/nix/install) --daemon
+
+ # Source Nix profile
+ if [ -f /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then
+ . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+ log_info "Nix installed successfully! Please restart your shell or run: source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh"
+ else
+ log_warn "Nix profile script not found, you may need to configure it manually"
+ fi
+}
+
+setup.selinux_policies() {
+ log_info "Configuring SELinux policies for system-manager..."
+
+ # Check if SELinux is enabled
+ if ! command -v getenforce &>/dev/null || [ "$(getenforce)" = "Disabled" ]; then
+ log_info "SELinux is not enabled, skipping SELinux policy configuration"
+ return 0
+ fi
+
+ # Install policycoreutils if not already installed
+ sudo dnf install -y policycoreutils-python-utils
+
+ # Configure SELinux context for systemd files managed by system-manager
+ log_info "Setting SELinux contexts for system-manager..."
+
+ # Allow systemd to read symbolic links created by system-manager
+ if [ -d /etc/systemd/system ]; then
+ sudo restorecon -R /etc/systemd/system || true
+ fi
+
+ log_info "SELinux policies configured successfully"
+}
+
setup.syncthing() {
log_info "Install syncthing..."
sudo dnf install -y syncthing
@@ -71,15 +135,64 @@ setup.default_packages() {
sudo dnf install -y helix acpi
}
+setup.system_manager() {
+ log_info "Activating system-manager configuration..."
+
+ # Check if Nix is installed
+ if ! command -v nix &>/dev/null; then
+ log_warn "Nix is not installed, skipping system-manager activation"
+ log_warn "Run this script again after Nix is installed and you've restarted your shell"
+ return 0
+ fi
+
+ # Get the path to this script to locate the repository
+ local script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ local repo_root="$(cd "${script_dir}/../.." && pwd)"
+
+ log_info "Repository root: ${repo_root}"
+
+ # Check if we're in the right repository
+ if [ ! -f "${repo_root}/flake.nix" ]; then
+ log_error "Cannot find flake.nix in repository root: ${repo_root}"
+ log_error "Please ensure this script is in the correct location"
+ return 1
+ fi
+
+ # Activate system-manager configuration
+ log_info "Building and activating wakasu system-manager configuration..."
+ if nix run 'github:numtide/system-manager' -- switch --flake "${repo_root}#wakasu"; then
+ log_info "System-manager configuration activated successfully!"
+ else
+ log_error "Failed to activate system-manager configuration"
+ log_warn "You can manually activate it later with:"
+ log_warn " nix run 'github:numtide/system-manager' -- switch --flake ${repo_root}#wakasu"
+ return 1
+ fi
+}
+
# Main setup function
main() {
log_info "Starting Wakasu post-install setup..."
setup.default_packages
+ setup.nix
+ setup.selinux_policies
+
+ # Note: syncthing and wireguard will be managed by system-manager
+ # These functions set up the initial configuration files
setup.syncthing
setup.wireguard
+ # Activate system-manager configuration to manage services
+ setup.system_manager
+
log_info "Post-install setup completed successfully!"
+ log_info ""
+ log_info "Next steps:"
+ log_info " 1. If Nix was just installed, restart your shell: source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh"
+ log_info " 2. Configure Syncthing via the web interface"
+ log_info " 3. Set up WireGuard private key if not already done"
+ log_info " 4. Run 'systemctl status syncthing wireguard-wg0' to check service status (if using system-manager)"
}
# Run main function
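Review bot: `sh <(curl -L https://nixos.org/nix/install) --daemon` in setup.nix runs whatever the download returns, and without `--fail` a proxy or HTTP error body is executed as shell too; at minimum use `sh <(curl --fail --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon`, and preferably save the installer to a temp file and compare it against the published checksum before executing it. The same unpinned-remote-code pattern is in setup.system_manager, where `nix run 'github:numtide/system-manager'` fetches whatever the default branch is on each run; pinning a rev or tag (`github:numtide/system-manager/<REV>`) or using the flake's own input makes activation reproducible. The `semanage fcontext --add` lines are not re-runnable: if the installer fails after the rules exist, the next run gets "already defined" from semanage (and, if the script runs under `set -e`, which is outside the hunk, aborts there), so `semanage fcontext -a ... || sudo semanage fcontext -m ...` or a prior `semanage fcontext -l` check is needed, and a `restorecon -R /nix` after the install presumably has to follow for the new labels to reach paths the installer creates. Finally `local script_dir="$(cd ... && pwd)"` masks a failed `cd` (SC2155); declare first, then `script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) || return 1`.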
imperative/wakasu/README.md
@@ -0,0 +1,180 @@
+# Wakasu - Fedora System Configuration
+
+This directory contains imperative setup scripts and system-manager configuration for the Wakasu machine (Fedora).
+
+## Overview
+
+Wakasu uses a hybrid approach:
+- **Imperative scripts** (`apply.sh`) for initial system setup and non-Nix managed components
+- **system-manager** for declarative Nix-based configuration of services and system files
+
+## Setup Process
+
+### Initial Setup
+
+Run the `apply.sh` script to set up the system:
+
+```bash
+cd imperative/wakasu
+./apply.sh
+```
+
+This script will:
+1. Install default packages (helix, acpi)
+2. Install and configure Nix with SELinux support
+3. Configure SELinux policies for system-manager
+4. Install Syncthing (managed by system-manager)
+5. Set up WireGuard configuration (managed by system-manager)
+6. Activate the system-manager configuration
+
+### What Gets Installed
+
+#### Nix Installation
+- Installs Nix package manager with daemon support
+- Configures SELinux contexts for Nix directories
+- Enables flakes and nix-command experimental features
+
+#### SELinux Configuration
+- Installs policycoreutils-python-utils
+- Sets up SELinux contexts for:
+ - Nix store directories
+ - systemd unit files
+ - system-manager managed files
+
+#### Syncthing
+- Installs Syncthing binary
+- Enables systemd user service via system-manager
+- Configuration:
+ - Data dir: `/home/vincent/.config/syncthing`
+ - GUI address: Configured based on globals.nix
+
+#### WireGuard
+- Installs wireguard-tools
+- Creates systemd service via system-manager
+- Configuration file: `/etc/wireguard/wg0.conf`
+- **Note**: You need to set `WG_PRIVATE_KEY` environment variable before running the script
+
+## System-Manager Configuration
+
+The declarative configuration is in `/systems/wakasu/system.nix` and includes:
+
+### Services Managed
+- **Syncthing**: Continuous file synchronization
+- **WireGuard**: VPN tunnel (wg0)
+
+### systemd Services
+
+#### syncthing.service
+- Runs as user `vincent`
+- Listens on configured GUI address
+- Security hardening: PrivateTmp, ProtectSystem=strict
+
+#### wireguard-wg0.service
+- Manages WireGuard interface wg0
+- Automatically brings up/down the tunnel
+- Requires `/etc/wireguard/wg0.conf` to exist
+
+## Updating Configuration
+
+### Updating system-manager Configuration
+
+After modifying `/systems/wakasu/system.nix`:
+
+```bash
+# From the repository root
+nix run 'github:numtide/system-manager' -- switch --flake .#wakasu
+```
+
+### Updating WireGuard Configuration
+
+1. Edit the configuration in `apply.sh` or manually update `/etc/wireguard/wg0.conf`
+2. Restart the service:
+ ```bash
+ sudo systemctl restart wireguard-wg0
+ ```
+
+### Re-running the Setup Script
+
+The `apply.sh` script is idempotent and can be run multiple times safely. It will:
+- Skip already installed components
+- Update configurations as needed
+- Re-activate system-manager configuration
+
+## Environment Variables
+
+### WG_PRIVATE_KEY
+Set this before running `apply.sh` to automatically configure WireGuard:
+
+```bash
+export WG_PRIVATE_KEY="your-private-key-here"
+./apply.sh
+```
+
+## Service Management
+
+Check service status:
+```bash
+systemctl status syncthing
+systemctl status wireguard-wg0
+```
+
+View service logs:
+```bash
+journalctl -u syncthing -f
+journalctl -u wireguard-wg0 -f
+```
+
+Restart services:
+```bash
+systemctl restart syncthing
+sudo systemctl restart wireguard-wg0
+```
+
+## Troubleshooting
+
+### Nix Not Found After Installation
+Restart your shell or source the Nix profile:
+```bash
+source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+```
+
+### SELinux Denials
+Check SELinux logs:
+```bash
+sudo ausearch -m avc -ts recent
+```
+
+Restore SELinux contexts:
+```bash
+sudo restorecon -R /etc/systemd/system
+```
+
+### WireGuard Not Starting
+Ensure the configuration file exists:
+```bash
+ls -l /etc/wireguard/wg0.conf
+```
+
+Check the service status:
+```bash
+sudo systemctl status wireguard-wg0
+sudo journalctl -u wireguard-wg0
+```
+
+### Syncthing Web UI Not Accessible
+Check the configured GUI address in `/etc/syncthing-config-notice` or the system-manager configuration.
+
+## Files and Directories
+
+- `apply.sh` - Main setup script
+- `README.md` - This file
+- `/systems/wakasu/system.nix` - system-manager configuration
+- `/etc/wireguard/wg0.conf` - WireGuard configuration
+- `/home/vincent/.config/syncthing` - Syncthing data directory
+- `/etc/syncthing-config-notice` - Syncthing configuration info
+
+## References
+
+- [Nix on Fedora with SELinux](https://gist.github.com/matthewpi/08c3d652e7879e4c4c30bead7021ff73)
+- [system-manager](https://github.com/numtide/system-manager)
+- [system-manager SELinux issues](https://github.com/numtide/system-manager/issues/115)
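--- a/systems/wakasu/system.nix
+++ b/systems/wakasu/system.nix
@@ -0,0 +1,91 @@
+{
+ config,
+ globals,
+ hostname,
+ lib,
+ libx,
+ pkgs,
+ ...
+}:
+{
+ # Environment packages
+ environment.systemPackages = with pkgs; [
+ helix
+ acpi
+ syncthing
+ wireguard-tools
+ ];
+
+ # Syncthing service
+ systemd.services.syncthing = {
+ enable = true;
+ description = "Syncthing - Open Source Continuous File Synchronization";
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "default.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "on-failure";
+ RestartSec = "10s";
+ ExecStart = "${pkgs.syncthing}/bin/syncthing serve --no-browser --gui-address=${
+ libx.syncthingGuiAddress globals.machines."${hostname}"
+ }";
+ # Run as the user
+ User = "vincent";
+ Group = "users";
+ # Security settings
+ PrivateTmp = true;
+ ProtectSystem = "strict";
+ ProtectHome = false; # Syncthing needs access to home
+ ReadWritePaths = [ "/home/vincent" ];
+ };
+ };
+
+ # Wireguard service
+ systemd.services.wireguard-wg0 = {
+ enable = true;
+ description = "WireGuard Tunnel - wg0";
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ path = [ pkgs.wireguard-tools ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ script = ''
+ # Check if private key exists
+ if [ ! -f /etc/wireguard/wg0.conf ]; then
+ echo "WireGuard configuration not found at /etc/wireguard/wg0.conf"
+ echo "Please run the wakasu apply.sh script to set up WireGuard"
+ exit 0
+ fi
+
+ # Bring up the WireGuard interface
+ ${pkgs.wireguard-tools}/bin/wg-quick up wg0 || true
+ '';
+
+ preStop = ''
+ ${pkgs.wireguard-tools}/bin/wg-quick down wg0 || true
+ '';
+ };
+
+ # Configure /etc files
+ environment.etc = {
+ "syncthing-config-notice" = {
+ text = ''
+ Syncthing is managed by system-manager.
+ Configuration is stored in /home/vincent/.config/syncthing
+
+ GUI Address: ${libx.syncthingGuiAddress globals.machines."${hostname}"}
+
+ To manage devices and folders, use the web interface.
+ '';
+ mode = "0444";
+ };
+ };
+}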
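Review bot: `wg-quick up wg0 || true` in the wireguard-wg0 `script` swallows a failed tunnel bring-up, and with `Type = "oneshot"` plus `RemainAfterExit = true` the unit then reports active while no interface exists, so the `systemctl status wireguard-wg0` check this commit's README recommends cannot detect it; drop the `|| true` on the `up` line (keeping it on `preStop`, where an already-absent interface is harmless) so the failure surfaces as a failed unit. The `exit 0` for a missing `/etc/wireguard/wg0.conf` hides the same condition; exit non-zero, or if the soft-fail is deliberate say so in the comment, which currently reads `# Check if private key exists` but tests for the config file — `# Soft-fail when wg0.conf is absent; apply.sh creates it` would match what the code does. Separately, the syncthing unit's `# Security settings` block opens the whole home directory via `ProtectHome = false` and `ReadWritePaths = [ "/home/vincent" ]`; `NoNewPrivileges = true` and `PrivateDevices = true` are cheap additions consistent with that intent, assuming syncthing runs fine with them.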
flake.nix
@@ -147,6 +147,10 @@
hostname = "aion";
system = "aarch64-linux";
};
+ wakasu = libx.mkSystemManager {
+ hostname = "wakasu";
+ system = "x86_64-linux";
+ };
};
images = {