wip: continue migration

2026-04-14 21:29:12 +02:00 · 2026-04-03 22:55:16 +02:00 · 2026-04-03 22:55:16 +02:00 · fa9bd32b0b
commit fa9bd32b0b
parent 7ce27d5d2f
129 changed files with 6252 additions and 106 deletions
--- a/hosds/nixos/aarch64-linux/liliputsteps/default.nix
+++ b/hosds/nixos/aarch64-linux/liliputsteps/default.nix
@ -0,0 +1,51 @@
+{ self, config, lib, minimal, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+
+    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+    "${self}/modules/nixos/optional/nix-topology-self.nix"
+  ];
+
+  topology.self = {
+    icon = "devices.cloud-server";
+    interfaces.ProxyJump = {
+      virtual = true;
+      physicalConnections = [
+        (config.lib.topology.mkConnection "moonside" "lan")
+        (config.lib.topology.mkConnection "twothreetunnel" "lan")
+        (config.lib.topology.mkConnection "belchsfactory" "lan")
+        (config.lib.topology.mkConnection "stoicclub" "lan")
+        (config.lib.topology.mkConnection "eagleland" "wan")
+      ];
+    };
+  };
+
+  swarselsystems = {
+    flakePath = "/root/.dotfiles";
+    info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
+    isImpermanence = true;
+    isSecureBoot = false;
+    isCrypted = true;
+    isSwap = false;
+    rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885";
+    isBtrfs = true;
+    isNixos = true;
+    isLinux = true;
+    isCloud = true;
+    mainUser = "jump";
+  };
+} // lib.optionalAttrs (!minimal) {
+  swarselprofiles = {
+    server = true;
+  };
+
+  swarselmodules.server = {
+    bastion = true;
+    # ssh = false;
+  };
+
+  # users.users.swarsel.enable = lib.mkForce false;
+  # home-manager.users.swarsel.enable = lib.mkForce false
+}
--- a/hosds/nixos/aarch64-linux/liliputsteps/disk-config.nix
+++ b/hosds/nixos/aarch64-linux/liliputsteps/disk-config.nix
@ -0,0 +1,121 @@
+{ lib, pkgs, config, ... }:
+let
+  type = "btrfs";
+  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+  subvolumes = {
+    "/root" = {
+      mountpoint = "/";
+      mountOptions = [
+        "subvol=root"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/home";
+      mountOptions = [
+        "subvol=home"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/persist";
+      mountOptions = [
+        "subvol=persist"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/var/log";
+      mountOptions = [
+        "subvol=log"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/nix" = {
+      mountpoint = "/nix";
+      mountOptions = [
+        "subvol=nix"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/swap" = lib.mkIf config.swarselsystems.isSwap {
+      mountpoint = "/.swapvol";
+      swap.swapfile.size = config.swarselsystems.swapSize;
+    };
+  };
+in
+{
+  disko = {
+    imageBuilder.extraDependencies = [ pkgs.kmod ];
+    devices = {
+      disk = {
+        disk0 = {
+          type = "disk";
+          device = config.swarselsystems.rootDisk;
+          content = {
+            type = "gpt";
+            partitions = {
+              ESP = {
+                priority = 1;
+                name = "ESP";
+                size = "512M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [ "defaults" ];
+                };
+              };
+              root = lib.mkIf (!config.swarselsystems.isCrypted) {
+                size = "100%";
+                content = {
+                  inherit type subvolumes extraArgs;
+                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+                    MNTPOINT=$(mktemp -d)
+                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+                  '';
+                };
+              };
+              luks = lib.mkIf config.swarselsystems.isCrypted {
+                size = "100%";
+                content = {
+                  type = "luks";
+                  name = "cryptroot";
+                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+                  settings = {
+                    allowDiscards = true;
+                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+                    crypttabExtraOpts = [
+                      "fido2-device=auto"
+                      "token-timeout=10"
+                    ];
+                  };
+                  content = {
+                    inherit type subvolumes extraArgs;
+                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+                      MNTPOINT=$(mktemp -d)
+                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+                    '';
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+}
--- a/hosds/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix
+++ b/hosds/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix
@ -0,0 +1,15 @@
+{ lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}
--- a/hosds/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
+++ b/hosds/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:GntHmFTkr7OKUlAVPP1aPeGJEoM1/W9xoZzdXG/udBrKB8eadaOsdsT9/I4Q4zydLnAUZAb+k+/pu3inqiGPClNWU0LUMj7wTwPuVe57EyLaO2oaN4z2nvWhJnwfatvdLrFICz3MN7XLnpEe3D+3ovN2hmys1pd6cAJtEKDtmLJ3RNAhEXrMwOZ0MSzylApoi9yXULH8PqNBX7jPOZYYZ0jlnIbZB267Ln19ES0bZcK7L0608NdB+Q3xb3TQ+oSfnvsdxKyPkPqjxAto40feG97UYVW6AgYV1KlRp9etjEhIRZgn1qDvigGM/Y4HLgLxPM83h79LIVHDj1OySMyYR4bfwAR1U+Ij2nX0Wv6Q/nKx0Nmghen40AqLYp762ACLVRd30DALthhtMxhsiYIT6za3dNFRNnL1Lfss1+IwDm+XHBehBQsjXbs06nZcQURfszW03Y9KH1h5ePIS93gmkdUyH5Ya1JT609s8faukz4fcNmnXlZcnCW4fUawW3YS1zpWPGDNm54GFI06vii5JuVORrf6m2HJEIyYSzeYASC+rZOfEF8gXGjyaeh/B9nAzSq2Q/Nfm+fsceXfOkhD+ZD/nYg+whYPPfA38B5oWvwnSNRNipJLYVvdLLd6M9pTV2FHuEsFKpXwumuwMAhl287jpDVb5B6gYPnWm4zOXYX3KXd68KVFNOGCC1XrrlqVBwQqraozD+1e77eCK4OEyF8R2Wt+mCFDwrMp5hKiiFCHEX67RYqWwmZVx2hS1bovBfacoXknUaSQnfpUd5GYIVYqonyqo6cdn6LKR/0d+7wR+JuL+PO83XcEQvegfHXAXmxIEzPdsL2PqVWGL2B/qyyAZGb3hoY7hmrpEeCCefYhSkxewVDCuvL7xLBCFjq0PsPJw0CqYE0KDIgXxcGLQ5f+pn6O07YDfN+7PVPrPAaN/UTwd+2Xa9UfVELdKKhAWiywsiDCUVO9vkpvgSoYYSrtB8Ceg3RXWohbO8VrjF6UhUxnslAw8TBnBx4FtaSuI73UiJnkg9V1es47NmOA7,iv:JYRzdtAYu24aWIL/hfWLbkS8xpcPw3ylZROuuUMVmIY=,tag:Ot7G/QiTLhmnlYe7Z9aOTQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVU5HTGhyL0ZBRXkzZ3hq\ndzBMd1JZTktZbWNFMGRzcXhFK3RHb090cFdBCmpMa0FNMWFCenBjYk9FaDIrTkFS\nSnN6S210ejN5SVVhd2FWRG1SUHB4WWcKLS0tIDV2K0h1QWxwUXkwVnZlYnR6eEtl\nUVR0UGJOR1hadUtNcjYyWE9wblAwWFUKVM+J/pqtZFADYTQHfWCdvPzlhtgR6zAy\nu0EWk77+K2J0GeBuDr1W5yblUCknht6WZCJZcO6fW7AuWSQK3e/EVA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-12-01T16:51:40Z",
+		"mac": "ENC[AES256_GCM,data:SWLGPgFcdiGSvN5BTmE8Nq7+pBiNJM05H1hhqJY6wJqYZehKhQrQRj6/DSlYWPvYE/DdWo5Tiuc3RNY3NANwhki+7kl0OBxHoaHqBgOTa96rdPwe6V3s55v++jtm0xg/qLHEPCqrKqw/aiBAQLJkDOh/IykeEXBMW3S6EM+aQ0U=,iv:2wn4jQHdWWhIzOyGhZxow8WG6W0VgA2gwhb5X+k9ja0=,tag:8g4wQb0u7vbIPkVX8Ey0eA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-12-01T15:59:42Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cl6I+s/JLwwTCX7WKdzeOIkrsK9DpY3pXBuzoZRSRSJE\nwFJO99Uc7/uH1DSsEB/25CWI6eWx7k6l7YDbcbXQgi5ZNoAt7BePeCu2LK/3coZB\nJe4SManP0sPqxrSd92Tnm6Zl9EL4cJ/5D2C2RBTWOaOtZHR8gyxx5+rzCotCoTXA\nJseGE4B8r/M0O7PAS9+oD14AwCndhuvkmFOq0Y1/wXldV6yCdgc//0oJBSTCBJUZ\nYMSQLovEYGvF9bFfpWYU8J53WqlGn7QKVccDN0/gfi8IVGVZGccUA58VaVqkzR41\ndYlRZ/sjtd+VXmOg8Fx79bOlzTn+RBCp9y+q5yKnzUKGe0/Lrnt6+j7+ieIowi76\npBd0bEaoh6wqdCJ7GSjsj5kdSXRop3Ae0ff+J0pBQNctehpcWj5/TpeA1zyslwEC\nD1B/KVN+Gh0XBCg636dUkt2E4NPNDckSRuvTLy+8IkTm7aQqTjqDu3WUOSPzZiZK\nBUGZWwXAS+xPPMH26X6gPTfZj+7Gdv6yxTVIwkphDbWfihxIP//WNbKX1QN4VSHf\nCmoPOrriIdgZ7d2olZEJxPgEVzavkRkiMSFQbQgzjx5Af3ccdav3mxlubjXldmpe\n689Joj8cgBPg1Yfk/yl7tVK9TFJgYXTqKfsXwscrSlsV+dRAN0pHuq1uo9cTE/SF\nAgwDC9FRLmchgYQBEADCJ5IVMNp+PgUDOiajCfpNq3/HsntzIWG0tIjCb5L9TFWQ\nMA2LQWhcU5CRBh7Sakf8IFi/U40SD+dILUh8JR/7g2i9mCS+1e0pkUwSIYxzAI+z\nQeycuyOrdQJFrk+nFbTdZVAerElxew/wQUiC2uoI8tA5+XyNeNfipaptPh9FpFuz\nXhFbkZDJ4kapGzsAn4FgUdmdqAgZ5n2W46WAmDmVKM0W1F0zZdkBEdkEKkv1gRpZ\nRntb/mVEiGAdXv6yAzvHrxgIBkxazzstRmCMXa252RUIakXqvkP1vw7B6ChSFQR+\nq9WNo9x0EYXivd/+ROjHT7WNhEToWems/3CQpQd1LEFXajLdpAWd875acqhBJqtY\nkpKqUG5F4JmTZ7hMuGI0g30nOofMtmFhDX/gCpJ97lEudHyNrHe0KWaQAwtRknz+\nrcPrZQmGRRcf4xcBVe/EDUNlkp9fPWEhFAwKMsVkkvCAADZbvdhLR6URJMmUj5KG\nOuwglHnSOMxCovAQUd3vCtNkkAnRPNOW/WMThr+qfjq8oKdDIaYBxjzjSz1FIsho\nKiz4W3flRzUcALjKTXadQl/jJEhpP3C6Ivh0d29SiKyrWG+Y4KlDIRctub9UjH46\nb2wqbnBzSrC8u9xJINIB4yryXsZiQyP5b39guSKIPjURebus7LBxq+0I7Z1OptJe\nAYk5htmFDe9Sgc+Do1L0kdxjblaoWOc0OiwYshQ9cMv+/IsU0U6T7w2A+8QkzPFc\nGVEmrW1Jyz2O3eMpq/Nl2IsmPDYTEPqhkRtAshBuYsoZJUz73/EovcSxyJ2moA==\n=o5Pw\n-----END PGP MESSAGE-----",
+				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
--- a/hosds/nixos/aarch64-linux/liliputsteps/secrets/secrets.yaml
+++ b/hosds/nixos/aarch64-linux/liliputsteps/secrets/secrets.yaml
@ -0,0 +1,48 @@
+jump-key: ENC[AES256_GCM,data:JLGy1LiNMjn1Kz0NmLYyiqarAj3evsoilCmiqXMc1JeZiFwLYoPiQjLYXg0b4Z77O5g71/OjRwKmocrLV3VBxo0rbw4rpnljGyZ8ehc/kyvoFQN44yGF+6EkKvVn9I8qTzwukTxCs4H7JgsjALAL8a4CGEowfXJlmZxk/a2SKsTr8qPB9XbCsUwrGBpBHa0bjIb52B/srXvKBfPAxIbWNlWdXFKuDyVJ01WNqlADj2sMAGRvI/X99o/EhyKL/3lMZ1rbSzq+RDlzKd6RFNyLM9751WRIc3xT+YHS13MYgpUu0B+2tKqJLXCSoGbRRSYlBw99JF66ns/fB3+Z/KnpoUGGfRN3S1orCnXkTp61UO8zskSIwU0MamrKGL8DM7kDJk1QLxTPU3usBZPXasTOxK4KAdOYo7nk8OvoZKtNj9xci6R9jeMfSh8CycKdxvcqsOw7vVeATUAGrml5Kf+/8AjYZdGdt2EiFL+7o0e8NgI/lkbiFzNISLBc/lrg0rk61pv/,iv:fPbPAptt3Gsgi7v1xCCHRClSJOXokBsvyCuLz/BoGP4=,tag:NhzeHRxwhQNI9HUFwLYMYg==,type:str]
+sops:
+    age:
+        - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM2J4a0pNZFRXQ0VjOFFQ
+            YVJIL3hFVlg0SlNFaXRvbkxMV3RhZm00Umg4CkszSnZLTXBXWUJHQTlmRllQRjhi
+            OENYMWRaVitPOFAvYXpJMFFYRnVYZ3MKLS0tIHk1UXhOL3FuZjZWNUxzNFdBT2E1
+            R3MrQ2IvVWxGOCtkSDBPZWF1dWdHSk0Kz+zJhpJNmHHj6npV6tQ+n4F01A93haSm
+            nyT+MAs+VxRlRNNbAih8En2uxRlzSHjFekrLLaGbVYTrRtMfLiKyvg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-01T16:49:44Z"
+    mac: ENC[AES256_GCM,data:RIz594CVnEbUw3Zugj+WO82o6yqOD4JwSFzkqFOfd0M+LOFM68tT/14D7vxPitXEPqLvJC6MHG5vQ61PgU4fG9JoIEqxjvq4AAYmSdCwmB64MCeUIr+V4/fcYrRxuRyiXC79z+rJneO7SkGCX95pfVhGjaLftzSjfiNPPsC5pps=,iv:D345cMUSPCGzrL9uWuDwAkAqz2mTvVTL3QVqHesldGk=,tag:HkBF29S1c9g68aKKSYSWhA==,type:str]
+    pgp:
+        - created_at: "2025-12-01T15:59:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDh3VI7VctTAQ/6AsofKCzZ3PjJRHeHSt4XfdIVCCvWScjT1JuvOnq2fXIO
+            ZcgXPtVoDvd5vSv/fZed+1WJNRpiuNBdmD8cj7N+XqJotgCsQt3HwROCD1UC70Ww
+            cyHxh3MyukexrO/uIMbQ6ugtIHPVaeC7XyAOugJfHFWZG49aW9LYDkPRGluc0/zh
+            7X/p+hZFLpljfL/qdZAakBDw2V0+yt1+5JW5V57jIXRX62BRSFoHqLrasHjvDgyX
+            h3ktgaIeDL+WssV7jra0oetGsXOL8+GPpo5PVgWONrOl4FBBS1qmNRAbLkJ77KVN
+            bBDV6Oy1DLqYvv/3UcqWy5XW9VxepEVsAaR+gtLzemMQo9e+qBmhE6tNR6Gvi0y4
+            WmVqUZL/gF38sCHoYDT7oWq1cMJ7/zT9Xz5AXgXXSbtBKaxZAFs6QwZfw1rW7dj6
+            Is1lXDNCtprsvc3Kxf/R4hHWT5nVFJN4xpKT+epLnumMA1YvkhWx0uziiky4ZH+6
+            u+RkK9YZYpGdIYPg7ZK+xLmGLU0YwdIbgiyyH5Jo9JJcqgS405ftAe0iyQjHpiU4
+            0b9JvGMWPzJxWvi8rzwYcI/cfd2n7ZPchTT7KTgva9xeFbn4g1ZOlEKOWg/ZoBr4
+            WhpI1SPS9kW0huGXS1k7Dsu0GzRBmv37AEm2mVtYPYwsK0PYLKfd4XGFQnrL0euF
+            AgwDC9FRLmchgYQBD/4jbW4xGw3JC4OLE7o+GqOoAFz5c034IHiEdgStYNx1RrFm
+            m4lstvzqUNL0DFyYdMi74iBtqnnFc+KymCTxiAlKiJThosMbV2sffc7e6CI/z9/Q
+            dsssJwPhv5h8XTbDSeGDk6gEr2kyKV1+9UZky9UYASHii4uzonofnV0RO+PdgTPk
+            mp36YufsnW2yVuKpsbCdMddEXqyaSYuhsU/bMAG2orlWFqqp7kyaARNrdI9hBnYQ
+            ITZTM4pPKQ334qhqUd/JYIR4luBbmBxJgTWSe5VqWqshK7u1aHr2mfXUip43+5hA
+            mxNEp0bmR0SnczKcxiZjZK2ZN+fBTqBnPQAxzCgsBjWrCd4a3CzIDOR/Uf3rEx2W
+            ccDJWRFI+cSpjLps1BphJvgkFjd31XcplLR41R78h28Mec1bE6xHMi21XUbGrITy
+            IuOmWAv4EDwRQtnfq+9qJ2DbmA3Ldo5pNPhldH7njET0TZVvB0ugq7EIvKxiNmX1
+            kHcq0nV1udSRPr/ta/eHInBD0VbVwNhk/z13xzPGKQVkhpcgy1dJj9FeJnUXqzWt
+            7xvHCqeGXVo46YeXYXglxUvEzBtdTGdEC2NTntEGhX6dEC1gl/g1VYcPfJJlk+S4
+            RENvBpCa1Ji51ix8L6u18jT2epfbxcZcSFS/0Nv8a0IUktvOeLe6y6jdYJHYPtJc
+            AQk4Y0lgOBoqiaNtybNCd8c/rO/yQ8m+xIxmiyyghjmPGWzEX8fHrR9fE9TVY0s3
+            8iBJVVDZEwtiLiELlbce0zkdCIH4UiyyEovhP/EEwxF8BrnAXo0NnVzcDGI=
+            =2NIK
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0