initial commit

README.md

@@ -0,0 +1,19 @@
+## ec2-build-docker-host
+
+This script sets up a Docker test system based on NixOS. For configuration options consult:
+
+https://search.nixos.org/options
+
+To change the resulting system, edit the *configuration.nix* and re-run the script.
+
+### Usage
+```
+git clone https://github.com/mrckndt/ec2-build-docker-host
+cd ec2-build-docker-host
+
+bash ec2-build-docker-host -i <PATH-TO-IDENTITY-FILE>
+or
+./ec2-build-docker-host -i <PATH-TO-IDENTITY-FILE>
+```
+
+Follow the shown instructions and wait...

configuration.nix

@@ -0,0 +1,165 @@
+{ config, lib, modulesPath, pkgs, ... }:
+
+with lib;
+
+let
+  allowedTCPPorts = [ 80 443 8065 ];
+  allowedUDPPorts = [ ];
+  autoUpdateContainers = true;
+  hostName = "nixos-docker-test";
+  systemPackages = with pkgs; [
+    bind
+    bmon
+    docker-compose
+    file
+    htop
+    iotop
+    ncdu
+    netcat-gnu
+    nmap
+    nmon
+    psmisc
+    ranger
+    rsync
+  ];
+  stateVersion = "23.05";
+  timeZone = "Europe/Berlin";
+in
+{
+  imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ];
+
+  boot.tmp = {
+    cleanOnBoot = true;
+    useTmpfs = true;
+  };
+
+  documentation = {
+    info.enable = false;
+    man.generateCaches = true;
+  };
+
+  environment = {
+    systemPackages = systemPackages;
+    variables = {
+      LESS = mkDefault "-FRSMKI";
+      SYSTEMD_LESS = mkDefault "FRSMKI";
+    };
+  };
+
+  fonts.fontconfig.enable = false;
+
+  i18n.supportedLocales = [
+    "en_US.UTF-8/UTF-8"
+    "de_DE.UTF-8/UTF-8"
+  ];
+
+  networking = {
+    hostName = hostName;
+    firewall = {
+      allowedTCPPorts = allowedTCPPorts;
+      allowedUDPPorts = allowedUDPPorts;
+    };
+  };
+
+  nix = {
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 30d";
+    };
+    settings.auto-optimise-store = true;
+  };
+
+  programs = {
+    neovim = {
+      enable = true;
+      vimAlias = true;
+      viAlias = true;
+      defaultEditor = true;
+      configure = {
+        customRC = ''
+          filetype plugin indent on
+
+          set autowrite
+          set expandtab
+          set ignorecase
+          set laststatus=2
+          set linebreak
+          set list listchars=tab:▸\ ,trail:·
+          set mouse=a
+          set nofoldenable
+          set nojoinspaces
+          set nowrap
+          set number
+          set shiftwidth=2
+          set showbreak=↪\
+          set splitbelow
+          set splitright
+          set statusline=\(%n\)\ %<%.99f\ %y\ %w%m%r%=%-14.(%l,%c%V%)\ %P
+          set textwidth=120
+          set wrapscan
+
+          nnoremap <silent> <C-b> :buffers<CR>:buffer<Space>
+
+          unmap Y
+        '';
+      };
+    };
+    tmux = {
+      enable = true;
+      aggressiveResize = true;
+      baseIndex = 1;
+      clock24 = true;
+      escapeTime = 0;
+      extraConfig = ''
+        set -g mouse on
+        set -g renumber-windows on
+        set -g set-titles on
+        set -g status-interval 10
+        set -g status-right "#(whoami)@#(hostname) | #(cut -f1 -d \" \" < /proc/loadavg) | %H:%M "
+        set -ga terminal-overrides ",xterm-256color:Tc"
+
+        unbind C-b
+        set -g prefix C-x
+        bind C-x send-prefix
+      '';
+      historyLimit = 10000;
+      terminal = "xterm-256color";
+    };
+    zsh = {
+      enable = true;
+      enableBashCompletion = true;
+      ohMyZsh = {
+        enable = true;
+        theme = "gentoo";
+      };
+    };
+  };
+
+  # needed for rootless containers (e.g. with podman)
+  security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
+
+  system = {
+    autoUpgrade.enable = true;
+    stateVersion = stateVersion;
+  };
+
+  time.timeZone = timeZone;
+
+  users.defaultUserShell = mkIf config.programs.zsh.enable pkgs.zsh;
+
+  virtualisation = {
+    docker.enable = true;
+    oci-containers.backend = "docker";
+
+    oci-containers.containers.watchtower = mkIf autoUpdateContainers {
+      image = "containrrr/watchtower:latest";
+      volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+      extraOptions = [
+        "--security-opt=no-new-privileges:true"
+        "--pids-limit=100"
+        "--read-only"
+        "--tmpfs=/tmp"
+      ];
+    };
+  };
+}

ec2-build-docker-host

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+usage() {
+  cat <<EOF
+Usage:
+  $(basename "$0") [OPTION...]
+
+Options:
+  -h  Print this help
+  -i  Path to SSH identity file
+
+EOF
+}
+
+while getopts i:h opt; do
+  case "$opt" in
+    i)
+      identityFile="${OPTARG}"
+      ;;
+    h)
+      usage
+      exit 0
+      ;;
+    \?)
+      usage >&2
+      exit 64
+      ;;
+  esac
+done
+
+shift $((OPTIND - 1))
+
+if [ -z ${identityFile} ]; then
+  echo "missing option: -i is required" >&2
+  usage >&2
+  exit 64
+fi
+
+if [ -z $(type -P "scp") ] || [ -z $(type -P "ssh") ]; then
+  echo "SSH needs to be installed" >&2
+  exit 64
+fi
+
+echo "Please open $(tput bold)https://nixos.org/download#nixos-amazon$(tput sgr0) and follow the
+instructions to launch an EC2 instance.
+
+$(tput bold)Note: it's recommended to use a disk size of >=20GB.$(tput sgr0)"
+echo
+
+read -p "Domain or IP of launched EC2 instance: " host
+
+echo
+echo "$(tput bold)Copying configuration to ${host}...$(tput sgr0)"
+scp -i "${identityFile}" ./configuration.nix root@"${host}":/etc/nixos/configuration.nix
+
+echo "$(tput bold)Building system...$(tput sgr0)"
+ssh -i "${identityFile}" root@"${host}" "nixos-rebuild switch --upgrade"