wip: continue migration

2026-04-14 21:29:12 +02:00 · 2026-04-03 22:55:16 +02:00 · 2026-04-03 22:55:16 +02:00 · fa9bd32b0b
commit fa9bd32b0b
parent 7ce27d5d2f
129 changed files with 6252 additions and 106 deletions
--- a/hosds/nixos/aarch64-linux/belchsfactory/default.nix
+++ b/hosds/nixos/aarch64-linux/belchsfactory/default.nix
@ -0,0 +1,67 @@
+{ self, lib, minimal, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+
+    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+    "${self}/modules/nixos/optional/nix-topology-self.nix"
+  ];
+
+  node.lockFromBootstrapping = lib.mkForce false;
+
+  topology.self = {
+    icon = "devices.cloud-server";
+  };
+
+  swarselsystems = {
+    flakePath = "/root/.dotfiles";
+    info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
+    isImpermanence = true;
+    isSecureBoot = false;
+    isCrypted = true;
+    isSwap = false;
+    rootDisk = "/dev/sda";
+    isBtrfs = true;
+    isNixos = true;
+    isLinux = true;
+    isCloud = true;
+    proxyHost = "twothreetunnel";
+    server = {
+      wireguard.interfaces = {
+        wgProxy = {
+          isClient = true;
+          serverName = "twothreetunnel";
+        };
+      };
+      garage = {
+        data_dir = {
+          capacity = "150G";
+          path = "/var/lib/garage/data";
+        };
+        keys = {
+          nixos = [
+            "attic"
+          ];
+        };
+        buckets = [
+          "attic"
+        ];
+      };
+    };
+  };
+} // lib.optionalAttrs (!minimal) {
+  swarselprofiles = {
+    server = true;
+  };
+
+  swarselmodules.server = {
+    wireguard = true;
+    ssh-builder = true;
+    postgresql = true;
+    attic = true;
+    garage = true;
+    hydra = false;
+  };
+
+}
--- a/hosds/nixos/aarch64-linux/belchsfactory/disk-config.nix
+++ b/hosds/nixos/aarch64-linux/belchsfactory/disk-config.nix
@ -0,0 +1,121 @@
+{ lib, pkgs, config, ... }:
+let
+  type = "btrfs";
+  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+  subvolumes = {
+    "/root" = {
+      mountpoint = "/";
+      mountOptions = [
+        "subvol=root"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/home";
+      mountOptions = [
+        "subvol=home"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/persist";
+      mountOptions = [
+        "subvol=persist"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/var/log";
+      mountOptions = [
+        "subvol=log"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/nix" = {
+      mountpoint = "/nix";
+      mountOptions = [
+        "subvol=nix"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/swap" = lib.mkIf config.swarselsystems.isSwap {
+      mountpoint = "/.swapvol";
+      swap.swapfile.size = config.swarselsystems.swapSize;
+    };
+  };
+in
+{
+  disko = {
+    imageBuilder.extraDependencies = [ pkgs.kmod ];
+    devices = {
+      disk = {
+        disk0 = {
+          type = "disk";
+          device = config.swarselsystems.rootDisk;
+          content = {
+            type = "gpt";
+            partitions = {
+              ESP = {
+                priority = 1;
+                name = "ESP";
+                size = "512M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [ "defaults" ];
+                };
+              };
+              root = lib.mkIf (!config.swarselsystems.isCrypted) {
+                size = "100%";
+                content = {
+                  inherit type subvolumes extraArgs;
+                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+                    MNTPOINT=$(mktemp -d)
+                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+                  '';
+                };
+              };
+              luks = lib.mkIf config.swarselsystems.isCrypted {
+                size = "100%";
+                content = {
+                  type = "luks";
+                  name = "cryptroot";
+                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+                  settings = {
+                    allowDiscards = true;
+                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+                    crypttabExtraOpts = [
+                      "fido2-device=auto"
+                      "token-timeout=10"
+                    ];
+                  };
+                  content = {
+                    inherit type subvolumes extraArgs;
+                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+                      MNTPOINT=$(mktemp -d)
+                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+                    '';
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+}
--- a/hosds/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix
+++ b/hosds/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix
@ -0,0 +1,15 @@
+{ lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}
--- a/hosds/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
+++ b/hosds/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:8qaX0CjyxK8qoAyVyxwfXlejWyGSY579EVmmUCi9PPyB5LyPjfDvXxlRFCOlC6eYbSJ1AWLqqZ6yYgZaimUHkOTh7dL+D4wSkmGeRnxZoQhq9n9sYZPJUfqEhMwEGxlrAvchXJuruZG+Tp9+Ev0if9f9J9qdU1y+yLGQxc2vnibMg2uxdpfYjHaDWa9bybRQZxINkD//um8uxkRs0xvWgZu63ReQZMPjx9K3vNtdJTZsW5+ZUB368QA2mnry2Zf60PWJT/+NsNKIwyzjhUNJ/eTFxjNJ4zPj/AnXFezfGvpVu6XFYsLk5uPb3XfpUlCj4mTVvmVlA40lf4rOhyoRRAW8d28puJArBf3nPzIkWQUfmFwO5EE3qPDkjMlaRa/RdRx0dvrbLDv7Ujt1XaK8bl3Vkz77oumCYFPV7J4mAeu3/LFBAoWKik6Wj8WQE+QwUWo=,iv:ZQaOO2Blpqn+Xnzt4fcPu+rNAvEdluwJEYRxPVItLcU=,tag:rKJ5g27ZK1wCpcyCVfffpA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbi9PZkRob2JkcjlEMUJu\nSG5TemplWkhWVXZNWStCVXhrUlFRSUtPeWk4CjZEQVN4b1lYVkxYQmU0SEJ0QnAv\nTE9IdHZUYmVjb0hxSno1QWxGN1ZMUFEKLS0tIEwrVU5uZmZPRGdZcjVsVk1IQ1Vv\nRXdMcW0xR2g5SCswKzF5RkIwUmtocDgKVI/EMQuvfKGeJH7wFm8VP5rKLhYKOlPt\nA+QIDAdrtFogW9Swwhzxu1tIOfMXzfyW9P+ec/b6/vU96PMqJQ6ZGg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-28T14:15:06Z",
+		"mac": "ENC[AES256_GCM,data:TxnVPtRHzUEr9StM3RlOgqD11036yM74HL1Q8ZkNSU89geAaUoDj8LJD1QKglDT5UNzfKeaZD4DT6bqill+H5FUuonOgLPxNoFKMyWhppQkMWM5F/bw8JUulacmE28b2Rd5zRVOYe3TkE11kMAbxRD+CvqEFBrLsZAndr9QdfUc=,iv:uzjzk1FUN52oAE0cuw7OLLmMRxE/VLQ+tUExxYQjwTQ=,tag:+BOG6wRb0h/jhyy7l8ZA/A==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-11-25T18:32:49Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+Mi33CAnGK/475xmMlZn2P4aR2iFjWFms6XU540JZnfQi\nF6/bjq1otgxGlnR6x3zhPQU3whCQIv538UeiYWMoS8oPxj5b5eF33agihYaCq2wx\nHv4p0+hOJMl2SJPCHfmTkClqYGYMOzTPe1g6oiY0N3FWVoiWXdbWNkIGVNjgkedz\n5f9JPFWn6iB/Z07qUMwG2OOzh8ZPlh/PgNCBrCVMUYrD/FrAck389uMw4yHFz8AV\n3ETnx2gHFTwL5F8H7x3uVungoBVCJk+NpXiKS6nVKwH4jliydiU2ZClSzjHpCqCW\nd365MCahC67IkuCkWhwuPwDaKIk7Qw4rZaLybcad5/TQ0zT+XCm6/2DYIYTj2gip\nqrBDZxHZhkpYcArjckWDRchO9t9E/c3qJfD1Zxi6fBz0vu2WcCuTT8Qd6Zn+DlMb\nVr0D2LPlZGRJ+kM9xuZXaY1bGNAA2POvLn698prPuTkMNxidQEhPNuNy4PlYKXAP\nFfRzJ5zFUneW19j8SgL6BxfLoYDFWkoHIutNDH5H290MJqnFDUrQ5bQn8odM+1OL\noJ1AchHN3J0J5aa2Z8X0NSVN7N0TmU3xVZ1GmfdqbH+3V+OR3NMgJ/FKMQEutT56\nAsBc7tSHtJGaRS9plJ+RryuPRRnqGmRkS3vVmBkrD+pY/TwUbXUBKjEOWhq9uwiF\nAgwDC9FRLmchgYQBEACD1XnsK/sTsgtvt69H/aBHWVIWQNTmdhwJBUHmqkusFhPf\nXxfGN+bvapWulYI+Wb4LAQQbUhMmz8drPnWpCEobS3LSeU8CDD3wBrGAJubI7YLK\nttn4oB7XK5mrg9SIQ8M8kOElv19oCMudkX8dRs4gs0TBO6jbr7/lsiyL/sN3Ylk+\nnyORFeSgE9vVcvJ8QnIF+MQXF9Re61zJFqjXiDMEklzbHHVeLzS5IlYgJoDvV3Gg\n9lTtvdO/FV5JtjFeYI16rjPb7ip/KtljU5pBM8wp6VU4Dre0VsRBgztm279g+WaL\nDJuf6lmfwNSk66tiLpsaJoEu7A+UhLURI10cv92E7fydbGRZMgSjK6ZK4Ue6WH1U\nYQJenngZPXcRcqfCeTVTjzG6ikL3aCfvbuJ3/oT8Y8oBA5Ch2PG7fWAJMMUVIFAM\nLO8KqCSdRCoJrJ69s8iyBycOhPhMiwLZU2HLlMux/kLq5OB2JMGm8P4nxoXTp9Dz\n2TPoPigZritYHsIXZ3cM2iR3OL3AiotKlaIp74ElUeuc0K+Bcp1C//OtKTPuYGnc\n0ttC/dx3c9vv6W80JJ6i7bCRoDiuGrrdx783ly2br4VLDFSaS8rNbrM5ccSTVImw\nUFxZO9rLO0n7N6z4hlgrKw3G1SWKYqbgOVXxIog7st8JvmPLQZYjEuH9Xwq6WdJc\nAU2esxsAaDKyIPHg+DAXOPBagzU1tBKFYtwaiFVDqYk5gNE/2hAnKcuU7O3sua1q\ntsgL2kY8VSHcFFv8N6FhDYPdCrDgAwOtJSZGf7uV92q7/vbMWx+vGq/7FaQ=\n=m1sm\n-----END PGP MESSAGE-----",
+				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
--- a/hosds/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml
+++ b/hosds/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml