From 7bb2a1342917b2b45cba16c105c1279a3895813f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?= Date: Sat, 8 Nov 2025 13:49:03 +0100 Subject: [PATCH 1/5] feat: build configurations dynamically for arch --- .github/README.md | 2 +- SwarselSystems.org | 265 ++++++++++-------- files/scripts/swarsel-bootstrap.sh | 23 +- files/scripts/swarsel-install.sh | 15 +- files/scripts/swarsel-rebuild.sh | 19 +- flake.lock | 6 +- .../{ => aarch64-linux}/magicant/default.nix | 0 .../{ => x86_64-darwin}/machpizza/default.nix | 0 .../machpizza/secrets/pii.nix.enc | 0 .../{ => aarch64-linux}/treehouse/default.nix | 0 .../{ => aarch64-linux}/milkywell/default.nix | 0 .../milkywell/disk-config.nix | 0 .../milkywell/hardware-configuration.nix | 0 .../milkywell/secrets/pii.nix.enc | 0 .../{ => aarch64-linux}/moonside/default.nix | 0 .../moonside/disk-config.nix | 0 .../moonside/hardware-configuration.nix | 0 .../moonside/secrets/pii.nix.enc | 0 .../{ => x86_64-linux}/bakery/default.nix | 0 .../{ => x86_64-linux}/bakery/disk-config.nix | 0 .../bakery/hardware-configuration.nix | 0 .../bakery/secrets/pii.nix.enc | 0 .../{ => x86_64-linux}/hotel/default.nix | 0 .../{ => x86_64-linux}/hotel/disk-config.nix | 0 .../hotel/hardware-configuration.nix | 0 .../{ => x86_64-linux}/hotel/options-home.nix | 0 .../{ => x86_64-linux}/hotel/options.nix | 0 .../{ => x86_64-linux}/pyramid/default.nix | 0 .../pyramid/disk-config.nix | 0 .../pyramid/hardware-configuration.nix | 0 .../pyramid/secrets/pii.nix.enc | 0 .../{ => x86_64-linux}/summers/default.nix | 0 .../summers/disk-config.nix | 0 .../summers/guests/guest1/default.nix | 0 .../summers/hardware-configuration.nix | 0 .../summers/secrets/guest1/pii.nix.enc | 0 .../summers/secrets/pii.nix.enc | 0 .../nixos/{ => x86_64-linux}/toto/default.nix | 0 .../{ => x86_64-linux}/toto/disk-config.nix | 0 .../toto/hardware-configuration.nix | 0 .../{ => x86_64-linux}/winters/default.nix | 0 .../winters/hardware-configuration.nix | 0 .../winters/secrets/pii.nix.enc | 0 nix/hosts.nix | 152 +++++----- 44 files changed, 
278 insertions(+), 204 deletions(-) rename hosts/android/{ => aarch64-linux}/magicant/default.nix (100%) rename hosts/darwin/{ => x86_64-darwin}/machpizza/default.nix (100%) rename hosts/darwin/{ => x86_64-darwin}/machpizza/secrets/pii.nix.enc (100%) rename hosts/home/{ => aarch64-linux}/treehouse/default.nix (100%) rename hosts/nixos/{ => aarch64-linux}/milkywell/default.nix (100%) rename hosts/nixos/{ => aarch64-linux}/milkywell/disk-config.nix (100%) rename hosts/nixos/{ => aarch64-linux}/milkywell/hardware-configuration.nix (100%) rename hosts/nixos/{ => aarch64-linux}/milkywell/secrets/pii.nix.enc (100%) rename hosts/nixos/{ => aarch64-linux}/moonside/default.nix (100%) rename hosts/nixos/{ => aarch64-linux}/moonside/disk-config.nix (100%) rename hosts/nixos/{ => aarch64-linux}/moonside/hardware-configuration.nix (100%) rename hosts/nixos/{ => aarch64-linux}/moonside/secrets/pii.nix.enc (100%) rename hosts/nixos/{ => x86_64-linux}/bakery/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/bakery/disk-config.nix (100%) rename hosts/nixos/{ => x86_64-linux}/bakery/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/bakery/secrets/pii.nix.enc (100%) rename hosts/nixos/{ => x86_64-linux}/hotel/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/hotel/disk-config.nix (100%) rename hosts/nixos/{ => x86_64-linux}/hotel/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/hotel/options-home.nix (100%) rename hosts/nixos/{ => x86_64-linux}/hotel/options.nix (100%) rename hosts/nixos/{ => x86_64-linux}/pyramid/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/pyramid/disk-config.nix (100%) rename hosts/nixos/{ => x86_64-linux}/pyramid/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/pyramid/secrets/pii.nix.enc (100%) rename hosts/nixos/{ => x86_64-linux}/summers/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/summers/disk-config.nix (100%) rename hosts/nixos/{ => 
x86_64-linux}/summers/guests/guest1/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/summers/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/summers/secrets/guest1/pii.nix.enc (100%) rename hosts/nixos/{ => x86_64-linux}/summers/secrets/pii.nix.enc (100%) rename hosts/nixos/{ => x86_64-linux}/toto/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/toto/disk-config.nix (100%) rename hosts/nixos/{ => x86_64-linux}/toto/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/winters/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/winters/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/winters/secrets/pii.nix.enc (100%) diff --git a/.github/README.md b/.github/README.md index 798076e..0661cc1 100644 --- a/.github/README.md +++ b/.github/README.md 
@@ -79,7 +79,7 @@ #### Remote deployment (recommended if you have at least one running system) - 0) Fork this repo, and write your own host config at `hosts/nixos//default.nix` (you can use one of the other configurations as a template. Also see https://github.com/Swarsel/.dotfiles/tree/main/modules for a list of all additional options). At the very least, you should replace the `secrets/` directory with your own secrets and replace the SSH public keys with your own ones (otherwise I will come visit you!🔓❤️). I personally recommend to use the literate configuration and `org-babel-tangle-file` in Emacs, but you can also simply edit the separate `.nix` files. + 0) Fork this repo, and write your own host config at `hosts/nixos///default.nix` (you can use one of the other configurations as a template. Also see https://github.com/Swarsel/.dotfiles/tree/main/modules for a list of all additional options). At the very least, you should replace the `secrets/` directory with your own secrets and replace the SSH public keys with your own ones (otherwise I will come visit you!🔓❤️). I personally recommend to use the literate configuration and `org-babel-tangle-file` in Emacs, but you can also simply edit the separate `.nix` files. 1) Have a system with `nix` available booted (this does not need to be installed, i.e. you can use a NixOS installer image; a custom minimal installer ISO can be built by running `just iso` in the root of this repo) 2) Make sure that your Yubikey is plugged in or that you have your SSH key available (and configured) 3) Run `swarsel-bootstrap -n -d ` on your existing system. diff --git a/SwarselSystems.org b/SwarselSystems.org index 0afebc4..dbfb7e7 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
@@ -906,24 +906,11 @@ The rest of the outputs either define or help define the actual configurations: inherit (outputs) lib homeLib; # lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; }); - mkNixosHost = { minimal }: configName: - let - sys = "x86_64-linux"; - # lib = config.pkgsPre.${sys}.lib // { - # inherit (inputs.home-manager.lib) hm; - # swarselsystems = self.outputs.swarselsystemsLib; - # }; - - # lib = config.pkgsPre.${sys}.lib // { - # inherit (inputs.home-manager.lib) hm; - # swarselsystems = self.outputs.swarselsystemsLib; - # }; - inherit (config.pkgs.${sys}) lib; - in + mkNixosHost = { minimal }: configName: arch: inputs.nixpkgs.lib.nixosSystem { specialArgs = { - inherit inputs outputs self minimal configName; - inherit lib homeLib; + inherit inputs outputs self minimal configName homeLib; + inherit (config.pkgs.${arch}) lib; inherit (config) globals nodes; }; modules = [ @@ -941,7 +928,7 @@ The rest of the outputs either define or help define the actual configurations: inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm (inputs.nixos-extra-modules + "/modules/guests") - "${self}/hosts/nixos/${configName}" + "${self}/hosts/nixos/${arch}/${configName}" "${self}/profiles/nixos" "${self}/modules/nixos" { @@ -950,7 +937,7 @@ The rest of the outputs either define or help define the actual configurations: node = { name = lib.mkForce configName; - secretsDir = ../hosts/nixos/${configName}/secrets; + secretsDir = ../hosts/nixos/${arch}/${configName}/secrets; }; swarselprofiles = { @@ -968,7 +955,7 @@ The rest of the outputs either define or help define the actual configurations: ]; }; - mkDarwinHost = { minimal }: configName: + mkDarwinHost = { minimal }: configName: arch: inputs.nix-darwin.lib.darwinSystem { specialArgs = { inherit inputs lib outputs self minimal configName; 
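Review bot: The new positional `arch` argument of `mkNixosHost` is undocumented, and it is used both as a path segment (`"${self}/hosts/nixos/${arch}/${configName}"`) and as a key into `config.pkgs.${arch}`, so a value outside the per-system package set fails with a generic missing-attribute error that does not name the host/arch pair. I would add above the definition: `# arch is the nixpkgs system string (e.g. "x86_64-linux"); it selects hosts/nixos/<arch>/<configName> and the package set/lib built for that system.` Note also that the removed `let` shadowed `lib` with `config.pkgs.${sys}.lib`, whereas now only the `specialArgs` entry comes from `config.pkgs.${arch}` and `lib.mkForce configName` in the module list appears to resolve to the outer `lib` from `outputs` — a one-line comment stating that the two `lib`s differ would keep that from being "fixed" by accident. The enclosing `let` block starts before this hunk.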
@@ -982,75 +969,92 @@ The rest of the outputs either define or help define the actual configurations: # inputs.fw-fanctrl.nixosModules.default # inputs.nix-topology.nixosModules.default inputs.home-manager.darwinModules.home-manager - "${self}/hosts/darwin/${configName}" + "${self}/hosts/darwin/${arch}/${configName}" "${self}/modules/nixos/darwin" # needed for infrastructure "${self}/modules/nixos/common/meta.nix" "${self}/modules/nixos/common/globals.nix" { node.name = lib.mkForce configName; - node.secretsDir = ../hosts/darwin/${configName}/secrets; + node.secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; } ]; }; - mkHalfHost = configName: type: pkgs: { - ${configName} = - let - systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; - in - systemFunc - { - inherit pkgs; - extraSpecialArgs = { - inherit inputs lib outputs self configName; - inherit (config) globals nodes; - minimal = false; - }; - modules = [ - inputs.stylix.homeModules.stylix - inputs.niri-flake.homeModules.niri - inputs.nix-index-database.homeModules.nix-index - # inputs.sops-nix.homeManagerModules.sops - inputs.spicetify-nix.homeManagerModules.default - inputs.swarsel-nix.homeModules.default - "${self}/hosts/${type}/${configName}" - "${self}/profiles/home" - ]; - }; - }; + mkHalfHost = configName: type: arch: + let + systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; + pkgs = lib.swarselsystems.pkgsFor.${arch}; + in + systemFunc { + inherit pkgs; + extraSpecialArgs = { + inherit inputs lib outputs self configName; + inherit (config) globals nodes; + minimal = false; + }; + modules = [ + inputs.stylix.homeModules.stylix + inputs.niri-flake.homeModules.niri + inputs.nix-index-database.homeModules.nix-index + # inputs.sops-nix.homeManagerModules.sops + inputs.spicetify-nix.homeManagerModules.default + 
inputs.swarsel-nix.homeModules.default + "${self}/hosts/${type}/${arch}/${configName}" + "${self}/profiles/home" + ]; + }; + + linuxArches = [ "x86_64-linux" "aarch64-linux" ]; + darwinArches = [ "x86_64-darwin" "aarch64-darwin" ]; + mkArches = type: if (type == "nixos") then linuxArches else if (type == "darwin") then darwinArches else linuxArches ++ darwinArches; + + readHostDirs = hostDir: + if builtins.pathExists hostDir then + builtins.attrNames + ( + lib.filterAttrs (_: type: type == "directory") + (builtins.readDir hostDir) + ) else [ ]; + + mkHalfHostsForArch = type: arch: + let + hostDir = "${self}/hosts/${type}/${arch}"; + hosts = readHostDirs hostDir; + in + lib.genAttrs hosts (host: mkHalfHost host type arch); + + mkHostsForArch = type: arch: minimal: + let + hostDir = "${self}/hosts/${type}/${arch}"; + hosts = readHostDirs hostDir; + in + if (type == "nixos") then + lib.genAttrs hosts (host: mkNixosHost { inherit minimal; } host arch) + else if (type == "darwin") then + lib.genAttrs hosts (host: mkDarwinHost { inherit minimal; } host arch) + else { }; + + mkConfigurationsPerArch = type: minimal: + let + arches = mkArches type; + toMake = if (minimal == null) then (arch: _: mkHalfHostsForArch type arch) else (arch: _: mkHostsForArch type arch minimal); + in + lib.concatMapAttrs toMake + (lib.listToAttrs (map (a: { name = a; value = { }; }) arches)); + + halfConfigurationsPerArch = type: mkConfigurationsPerArch type null; + configurationsPerArch = type: minimal: mkConfigurationsPerArch type minimal; - mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (name: mkHalfHost name type pkgs) hosts); - nixosHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/nixos")); - darwinHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/darwin")); in { - nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { - minimal = 
false; - }); - nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { - minimal = true; - }); - darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = false; - }); - darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = true; - }); - - homeConfigurations = - let - inherit (lib.swarselsystems) pkgsFor readHosts; - in - mkHalfHostConfigs (readHosts "home") "home" pkgsFor.x86_64-linux - // mkHalfHostConfigs (readHosts "home") "home" pkgsFor.aarch64-linux; - - nixOnDroidConfigurations = - let - inherit (lib.swarselsystems) pkgsFor readHosts; - in - mkHalfHostConfigs (readHosts "android") "android" pkgsFor.aarch64-linux; + nixosConfigurations = configurationsPerArch "nixos" false; + nixosConfigurationsMinimal = configurationsPerArch "nixos" true; + darwinConfigurations = configurationsPerArch "darwin" false; + darwinConfigurationsMinimal = configurationsPerArch "darwin" true; + homeConfigurations = halfConfigurationsPerArch "home"; + nixOnDroidConfigurations = halfConfigurationsPerArch "android"; guestConfigurations = lib.flip lib.concatMapAttrs config.nixosConfigurations ( _: node: @@ -1995,7 +1999,7 @@ My work machine. Built for more security, this is the gold standard of my config :PROPERTIES: :CUSTOM_ID: h:567c0055-f5f7-4e53-8f13-d767d7166e9d :END: -#+begin_src nix-ts :tangle hosts/nixos/pyramid/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/default.nix { self, config, inputs, lib, minimal, ... }: let primaryUser = config.swarselsystems.mainUser; @@ -2079,7 +2083,7 @@ My work machine. Built for more security, this is the gold standard of my config :CUSTOM_ID: h:25115a54-c634-4896-9a41-254064ce9fcc :END: -#+begin_src nix-ts :tangle hosts/nixos/pyramid/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix { config, lib, pkgs, modulesPath, ... }: { imports = 
@@ -2159,7 +2163,7 @@ My work machine. Built for more security, this is the gold standard of my config :CUSTOM_ID: h:e0da04c7-4199-44b0-b525-6cfc64072b45 :END: -#+begin_src nix-ts :tangle hosts/nixos/pyramid/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/disk-config.nix { disko.devices = { disk = { @@ -2253,7 +2257,7 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se :PROPERTIES: :CUSTOM_ID: h:6f80d614-d76a-433b-8956-78d7b323b68c :END: -#+begin_src nix-ts :tangle hosts/nixos/bakery/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/bakery/default.nix { self, config, inputs, lib, minimal, ... }: let primaryUser = config.swarselsystems.mainUser; @@ -2319,7 +2323,7 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se :CUSTOM_ID: h:bbba1646-fb5f-4d04-baf0-f606037a8b39 :END: -#+begin_src nix-ts :tangle hosts/nixos/bakery/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/bakery/hardware-configuration.nix # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. @@ -2349,7 +2353,7 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se :CUSTOM_ID: h:72444f85-7951-47c0-858f-b51d8299de8c :END: -#+begin_src nix-ts :tangle hosts/nixos/bakery/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/bakery/disk-config.nix { lib, pkgs, config, ... }: let type = "btrfs"; @@ -2485,7 +2489,7 @@ This is my main server that I run at home. It handles most tasks that require bi :PROPERTIES: :CUSTOM_ID: h:8ad68406-4a75-45ba-97ad-4c310b921124 :END: -#+begin_src nix-ts :tangle hosts/nixos/winters/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/winters/default.nix { lib, config, minimal, ... }: { 
@@ -2574,7 +2578,7 @@ This is my main server that I run at home. It handles most tasks that require bi :PROPERTIES: :CUSTOM_ID: h:0fdefb4f-ce53-4caf-89ed-5d79646f70f0 :END: -#+begin_src nix-ts :tangle hosts/nixos/winters/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/winters/hardware-configuration.nix { config, lib, modulesPath, ... }: { @@ -2624,7 +2628,7 @@ This is my main server that I run at home. It handles most tasks that require bi **** Summers (Server: ASUS Z10PA-D8) ***** Main Configuration -#+begin_src nix-ts :tangle hosts/nixos/summers/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/default.nix { inputs, lib, config, configName, minimal, nodes, globals, ... }: { @@ -2737,7 +2741,7 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src ***** hardware-configuration -#+begin_src nix-ts :tangle hosts/nixos/summers/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/hardware-configuration.nix { config, lib, modulesPath, ... }: { @@ -2769,7 +2773,7 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src ***** disko -#+begin_src nix-ts :tangle hosts/nixos/summers/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/disk-config.nix { lib, config, ... }: let type = "btrfs"; @@ -2891,7 +2895,7 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src ***** Guests ****** Guest 1 -#+begin_src nix-ts :tangle hosts/nixos/summers/guests/guest1/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix { lib, minimal, ... }: { 
@@ -2927,7 +2931,7 @@ This is my main server that I run at home. It handles most tasks that require bi A Mac notebook that I have received from work. I use this machine for getting accustomed to the Apple ecosystem as well as as a sandbox for nix-darwin configurations (the darwin configuration is severely under-developed). -#+begin_src nix-ts :tangle hosts/darwin/machpizza/default.nix +#+begin_src nix-ts :tangle hosts/darwin/x86_64-darwin/machpizza/default.nix { lib, config, ... }: let inherit (config.repo.secrets.local) workUser; @@ -2960,7 +2964,7 @@ A Mac notebook that I have received from work. I use this machine for getting ac My phone. I use only a minimal config for remote debugging here. -#+begin_src nix-ts :tangle hosts/android/magicant/default.nix +#+begin_src nix-ts :tangle hosts/android/aarch64-linux/magicant/default.nix { pkgs, ... }: { environment = { @@ -3012,7 +3016,7 @@ My phone. I use only a minimal config for remote debugging here. **** Treehouse (DGX Spark) -#+begin_src nix-ts :tangle hosts/home/treehouse/default.nix +#+begin_src nix-ts :tangle hosts/home/aarch64-linux/treehouse/default.nix { self, ... }: { @@ -3076,7 +3080,7 @@ For this I use a free Ampere instance from OCI with 50G of space. In case my acc :CUSTOM_ID: h:922105c3-a604-47d9-918b-db1803784c75 :END: -#+begin_src nix-ts :tangle hosts/nixos/milkywell/default.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/milkywell/default.nix { lib, minimal, ... }: { imports = [ @@ -3134,7 +3138,7 @@ For this I use a free Ampere instance from OCI with 50G of space. In case my acc :CUSTOM_ID: h:64dddedd-9b13-4b74-baf0-1d54d5a89d3b :END: -#+begin_src nix-ts :tangle hosts/nixos/milkywell/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/milkywell/hardware-configuration.nix { config, lib, modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") 
@@ -3163,7 +3167,7 @@ For this I use a free Ampere instance from OCI with 50G of space. In case my acc :CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d :END: -#+begin_src nix-ts :tangle hosts/nixos/milkywell/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/milkywell/disk-config.nix # NOTE: ... is needed because dikso passes diskoFile { lib , config @@ -3276,7 +3280,7 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:a8f20a56-ce92-43d8-8bfe-3edccebf2bf9 :END: -#+begin_src nix-ts :tangle hosts/nixos/moonside/default.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/moonside/default.nix { lib, config, minimal, ... }: let inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; @@ -3446,7 +3450,7 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:f99c05ab-f047-4350-b80a-4c1ff55b91bf :END: -#+begin_src nix-ts :tangle hosts/nixos/moonside/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/moonside/hardware-configuration.nix { lib, modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; @@ -3468,7 +3472,7 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d :END: -#+begin_src nix-ts :tangle hosts/nixos/moonside/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/moonside/disk-config.nix # NOTE: ... is needed because dikso passes diskoFile { lib , config @@ -3610,7 +3614,7 @@ This is a slim setup for developing base configuration. I do not track the hardw :PROPERTIES: :CUSTOM_ID: h:4e53b40b-98b2-4615-b1b0-3696a75edd6e :END: -#+begin_src nix-ts :tangle hosts/nixos/toto/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/toto/default.nix { self, lib, ... }: { 
@@ -3655,7 +3659,7 @@ This is a slim setup for developing base configuration. I do not track the hardw :CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d :END: -#+begin_src nix-ts :tangle hosts/nixos/toto/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/toto/disk-config.nix # NOTE: ... is needed because dikso passes diskoFile { lib , pkgs @@ -3983,7 +3987,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru :CUSTOM_ID: h:9f1f3439-b0af-4dcd-a96f-b6aa7b6cd2ab :END: -#+begin_src nix-ts :tangle hosts/nixos/hotel/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/default.nix { self, config, pkgs, lib, minimal, ... }: let mainUser = "demo"; @@ -4046,7 +4050,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru :CUSTOM_ID: h:849e4233-ba40-4fec-acfe-0d76e1e4371b :END: -#+begin_src nix-ts :tangle hosts/nixos/hotel/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/disk-config.nix # NOTE: ... is needed because dikso passes diskoFile { lib , pkgs @@ -4182,7 +4186,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru :CUSTOM_ID: h:6f9c1a3b-452e-4944-86e8-cb17603cc3f9 :END: -#+begin_src nix-ts :tangle hosts/nixos/hotel/options.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/options.nix _: { } @@ -4193,7 +4197,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru :CUSTOM_ID: h:88ccb198-74b9-4269-8e22-af1277f44667 :END: -#+begin_src nix-ts :tangle hosts/nixos/hotel/options-home.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/options-home.nix _: { } @@ -17718,6 +17722,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man target_hostname="" target_destination="" + target_arch="" target_user="swarsel" ssh_port="22" persist_dir="" 
@@ -17733,6 +17738,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man echo "ARGS:" echo " -n specify target_hostname of the target host to deploy the nixos config on." echo " -d specify ip or url to the target host." + echo " -a specify the architecture of the target host." echo " target during install process." echo echo "OPTIONS:" @@ -17815,6 +17821,10 @@ This program sets up a new NixOS host remotely. It also takes care of secret man shift target_destination=$1 ;; + -a) + shift + target_arch=$1 + ;; -u) shift target_user=$1 @@ -17835,6 +17845,11 @@ This program sets up a new NixOS host remotely. It also takes care of secret man shift done + if [[ $target_arch == "" || $target_destination == "" || $target_hostname == "" ]]; then + red "error: target_arch, target_destination or target_hostname not set." + help_and_exit + fi + green "~SwarselSystems~ remote installer" green "Reading system information for $target_hostname ..." @@ -17926,8 +17941,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" - mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" - $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix + mkdir -p "$FLAKE"/hosts/nixos/"$target_arch"/"$target_hostname" + $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix # ------------------------ green "Deploying minimal NixOS installation on $target_destination" 
@@ -17992,7 +18007,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man fi green "Updating all secrets files to reflect updates .sops.yaml" sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml - sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc + sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/pii.nix.enc # -------------------------- green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts @@ -18051,10 +18066,10 @@ This program sets up a new NixOS host remotely. It also takes care of secret man green "NixOS was successfully installed!" if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then cd "${git_root}" - deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe - nixpkgs--fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix + deadnix hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix -qe + nixpkgs--fmt hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix (.pre-commit-config.yaml mit run --all-files 2> /dev/null || true) && - git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" && + git add "$git_root/hosts/nixos/$target_arch/$target_hostname/hardware-configuration.nix" && git add "$git_root/.sops.yaml" && git add "$git_root/secrets" && (git commit -m "feat: deployed $target_hostname" || true) && git push @@ -18088,6 +18103,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man set -eo pipefail target_config="hotel" + target_arch="" target_user="swarsel" function help_and_exit() { 
@@ -18097,10 +18113,11 @@ This program sets up a new NixOS host remotely. It also takes care of secret man echo "USAGE: $0 [OPTIONS]" echo echo "ARGS:" - echo " -n specify nixos config to build." + echo " -n specify nixos config to build." echo " Default: hotel" echo " -u specify user to deploy for." echo " Default: swarsel" + echo " -a specify target architecture." echo " -h | --help Print this help." exit 0 } @@ -18130,6 +18147,10 @@ This program sets up a new NixOS host remotely. It also takes care of secret man shift target_config=$1 ;; + -a) + shift + target_arch=$1 + ;; -u) shift target_user=$1 @@ -18143,6 +18164,11 @@ This program sets up a new NixOS host remotely. It also takes care of secret man shift done + if [[ $target_arch == "" ]]; then + red "error: target_arch not set." + help_and_exit + fi + cd /home/"$target_user" if [ ! -d /home/"$target_user"/.dotfiles ]; then @@ -18170,7 +18196,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man rm modules/home/common/mail.nix rm modules/home/common/yubikey.nix rm modules/nixos/server/restic.nix - rm hosts/nixos/milkywell/default.nix + rm hosts/nixos/aarch64-linux/milkywell/default.nix rm -rf modules/nixos/server rm -rf modules/home/server nix flake update vbc-nix @@ -18178,8 +18204,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man else green "Valid SSH key found! Continuing with installation" fi - sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ - git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix + sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/ + git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/hardware-configuration.nix green "Installing flake $target_config" sudo nixos-rebuild --show-trace --flake .#"$target_config" boot 
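Review bot: `sudo nixos-generate-config --dir .../hosts/nixos/"$target_arch"/"$target_config"/` creates the target directory when it does not exist, so an `-a` value that is a valid arch but not the one `target_config` actually lives under leaves a stray `hosts/nixos/<arch>/<config>/` containing only generated files. `readHostDirs` in hosts.nix enumerates every directory under `hosts/nixos/<arch>` as a host, so that directory becomes a configuration without a `default.nix`; at best the following `nixos-rebuild --flake .#"$target_config"` fails with a confusing import error, and since other outputs iterate over `nixosConfigurations` it may break evaluation of unrelated hosts too. Check the pair before generating anything: `if [[ ! -d /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config" ]]; then red "error: no host config at hosts/nixos/$target_arch/$target_config"; help_and_exit; fi`. The same applies to the tangled files/scripts/swarsel-install.sh.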
@@ -18210,6 +18236,7 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f target_config="hotel" target_hostname="hotel" target_user="swarsel" + target_arch="" persist_dir="" target_disk="/dev/vda" disk_encryption=0 @@ -18227,6 +18254,7 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f echo " Default: /dev/vda" echo " -u specify user to deploy for." echo " Default: swarsel" + echo " -a specify target architecture." echo " -h | --help Print this help." exit 0 } @@ -18265,6 +18293,10 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f shift target_disk=$1 ;; + -a) + shift + target_arch=$1 + ;; -h | --help) help_and_exit ;; ,*) echo "Invalid option detected." @@ -18280,6 +18312,11 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f } trap cleanup exit + if [[ $target_arch == "" || $target_hostname == "" ]]; then + red "error: target_arch or target_hostname not set." + help_and_exit + fi + green "~SwarselSystems~ local installer" cd /home/"$target_user" 
@@ -18369,9 +18406,9 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user" green "Generating hardware configuration ..." - sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ + sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/ - git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix + git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/hardware-configuration.nix sudo mkdir -p /root/.local/share/nix/ printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null green "Installing flake $target_config" 
@@ -25451,7 +25488,7 @@ Here lies defined the readme for GitHub and Forgejo: #### Remote deployment (recommended if you have at least one running system) - 0) Fork this repo, and write your own host config at `hosts/nixos//default.nix` (you can use one of the other configurations as a template. Also see https://github.com/Swarsel/.dotfiles/tree/main/modules for a list of all additional options). At the very least, you should replace the `secrets/` directory with your own secrets and replace the SSH public keys with your own ones (otherwise I will come visit you!🔓❤️). I personally recommend to use the literate configuration and `org-babel-tangle-file` in Emacs, but you can also simply edit the separate `.nix` files. + 0) Fork this repo, and write your own host config at `hosts/nixos///default.nix` (you can use one of the other configurations as a template. Also see https://github.com/Swarsel/.dotfiles/tree/main/modules for a list of all additional options). At the very least, you should replace the `secrets/` directory with your own secrets and replace the SSH public keys with your own ones (otherwise I will come visit you!🔓❤️). I personally recommend to use the literate configuration and `org-babel-tangle-file` in Emacs, but you can also simply edit the separate `.nix` files. 1) Have a system with `nix` available booted (this does not need to be installed, i.e. you can use a NixOS installer image; a custom minimal installer ISO can be built by running `just iso` in the root of this repo) 2) Make sure that your Yubikey is plugged in or that you have your SSH key available (and configured) 3) Run `swarsel-bootstrap -n -d ` on your existing system. diff --git a/files/scripts/swarsel-bootstrap.sh b/files/scripts/swarsel-bootstrap.sh index 46ea715..c66b755 100644 --- a/files/scripts/swarsel-bootstrap.sh +++ b/files/scripts/swarsel-bootstrap.sh 
@@ -3,6 +3,7 @@ set -eo pipefail target_hostname="" target_destination="" +target_arch="" target_user="swarsel" ssh_port="22" persist_dir="" @@ -18,6 +19,7 @@ function help_and_exit() { echo "ARGS:" echo " -n specify target_hostname of the target host to deploy the nixos config on." echo " -d specify ip or url to the target host." + echo " -a specify the architecture of the target host." echo " target during install process." echo echo "OPTIONS:" @@ -100,6 +102,10 @@ while [[ $# -gt 0 ]]; do shift target_destination=$1 ;; + -a) + shift + target_arch=$1 + ;; -u) shift target_user=$1 @@ -120,6 +126,11 @@ while [[ $# -gt 0 ]]; do shift done +if [[ $target_arch == "" || $target_destination == "" || $target_hostname == "" ]]; then + red "error: target_arch, target_destination or target_hostname not set." + help_and_exit +fi + green "~SwarselSystems~ remote installer" green "Reading system information for $target_hostname ..." @@ -211,8 +222,8 @@ fi green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" -mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" -$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix +mkdir -p "$FLAKE"/hosts/nixos/"$target_arch"/"$target_hostname" +$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix # ------------------------ green "Deploying minimal NixOS installation on $target_destination" 
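Review bot: The guard added after option parsing only rejects an empty `target_arch`; it does not check that the value is one of the two arches `nix/hosts.nix` enumerates (`x86_64-linux`, `aarch64-linux`), and every later use of it is a path segment, so a typo or a value like `../x` is passed straight into `mkdir -p`, `scp`, `sops updatekeys` and `git add`. Tightening it is one line: `case $target_arch in x86_64-linux|aarch64-linux) ;; *) red "error: unsupported target_arch '$target_arch'"; help_and_exit ;; esac`. Note also that the README updated in this same patch still shows step 3 as `swarsel-bootstrap -n … -d …` with no `-a`, which now lands on this error; the usage text in `help_and_exit` and the README should both gain `-a <arch>`.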
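Review bot: The rewritten `mkdir -p` creates the host directory under `"$FLAKE"` while the `scp` on the next line writes into `"${git_root}"`; if those two roots ever differ the destination directory does not exist, `scp` fails, and with `set -eo pipefail` the bootstrap aborts after the remote `nixos-generate-config` has already run. Both lines should use the same root, e.g. `mkdir -p "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"`. Neither variable is defined in this hunk, so whether they can diverge is not visible here — if `FLAKE` is guaranteed to equal `git_root`, a comment saying so would be enough.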
@@ -277,7 +288,7 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then fi green "Updating all secrets files to reflect updates .sops.yaml" sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml -sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc +sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/pii.nix.enc # -------------------------- green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts @@ -336,10 +347,10 @@ fi green "NixOS was successfully installed!" if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then cd "${git_root}" - deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe - nixpkgs--fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix + deadnix hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix -qe + nixpkgs--fmt hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix (.pre-commit-config.yaml mit run --all-files 2> /dev/null || true) && - git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" && + git add "$git_root/hosts/nixos/$target_arch/$target_hostname/hardware-configuration.nix" && git add "$git_root/.sops.yaml" && git add "$git_root/secrets" && (git commit -m "feat: deployed $target_hostname" || true) && git push diff --git a/files/scripts/swarsel-install.sh b/files/scripts/swarsel-install.sh index c130cc6..537145f 100644 --- a/files/scripts/swarsel-install.sh +++ b/files/scripts/swarsel-install.sh @@ -3,6 +3,7 @@ set -eo pipefail target_config="hotel" target_hostname="hotel" target_user="swarsel" +target_arch="" persist_dir="" target_disk="/dev/vda" disk_encryption=0 
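Review bot: `sops updatekeys` on the relocated `hosts/nixos/$target_arch/$target_hostname/secrets/pii.nix.enc` re-encrypts the file against whichever `.sops.yaml` creation rule matches its new path, and according to this patch's diffstat `.sops.yaml` is not touched here, so the host-specific rules still carry the old `hosts/nixos/<host>/secrets/` regexes. Depending on what falls through, the result is either a "no matching creation rule" failure or, worse, a silent re-encryption to a different recipient set — the visible rules differ in whether they include the host's age key alongside the PGP key. The `.sops.yaml` rewrite only arrives in patch 2/5; the file moves and the rule changes should land in the same commit so no intermediate state re-keys secrets under the wrong rule.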
@@ -20,6 +21,7 @@ function help_and_exit() { echo " Default: /dev/vda" echo " -u specify user to deploy for." echo " Default: swarsel" + echo " -a specify target architecture." echo " -h | --help Print this help." exit 0 } @@ -58,6 +60,10 @@ while [[ $# -gt 0 ]]; do shift target_disk=$1 ;; + -a) + shift + target_arch=$1 + ;; -h | --help) help_and_exit ;; *) echo "Invalid option detected." @@ -73,6 +79,11 @@ function cleanup() { } trap cleanup exit +if [[ $target_arch == "" || $target_hostname == "" ]]; then + red "error: target_arch or target_hostname not set." + help_and_exit +fi + green "~SwarselSystems~ local installer" cd /home/"$target_user" @@ -162,9 +173,9 @@ sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user" green "Generating hardware configuration ..." -sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ +sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/ -git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix +git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/hardware-configuration.nix sudo mkdir -p /root/.local/share/nix/ printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null green "Installing flake $target_config" 
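Review bot: The new guard before `green "~SwarselSystems~ local installer"` checks `target_arch` and `target_hostname` for emptiness only; `target_arch` is then used solely as a path segment, so anything that is not one of the two arches `nix/hosts.nix` enumerates should be rejected here rather than discovered later as a stray `hosts/nixos/<typo>/<host>/` directory: `case $target_arch in x86_64-linux|aarch64-linux) ;; *) red "error: unsupported target_arch '$target_arch'"; help_and_exit ;; esac`. The `target_hostname == ""` half of the condition is also effectively unreachable given the `target_hostname="hotel"` default at the top of the script, unless `-n ""` is passed explicitly. The trap set just above (`trap cleanup exit`) means `help_and_exit` now also runs cleanup, which looks intended but is worth a one-line comment.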
diff --git a/files/scripts/swarsel-rebuild.sh b/files/scripts/swarsel-rebuild.sh index 106ac84..0a725a1 100644 --- a/files/scripts/swarsel-rebuild.sh +++ b/files/scripts/swarsel-rebuild.sh @@ -1,6 +1,7 @@ set -eo pipefail target_config="hotel" +target_arch="" target_user="swarsel" function help_and_exit() { @@ -10,10 +11,11 @@ function help_and_exit() { echo "USAGE: $0 [OPTIONS]" echo echo "ARGS:" - echo " -n specify nixos config to build." + echo " -n specify nixos config to build." echo " Default: hotel" echo " -u specify user to deploy for." echo " Default: swarsel" + echo " -a specify target architecture." echo " -h | --help Print this help." exit 0 } @@ -43,6 +45,10 @@ while [[ $# -gt 0 ]]; do shift target_config=$1 ;; + -a) + shift + target_arch=$1 + ;; -u) shift target_user=$1 @@ -56,6 +62,11 @@ while [[ $# -gt 0 ]]; do shift done +if [[ $target_arch == "" ]]; then + red "error: target_arch not set." + help_and_exit +fi + cd /home/"$target_user" if [ ! -d /home/"$target_user"/.dotfiles ]; then @@ -83,7 +94,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then rm modules/home/common/mail.nix rm modules/home/common/yubikey.nix rm modules/nixos/server/restic.nix - rm hosts/nixos/milkywell/default.nix + rm hosts/nixos/aarch64-linux/milkywell/default.nix rm -rf modules/nixos/server rm -rf modules/home/server nix flake update vbc-nix 
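Review bot: `rm hosts/nixos/aarch64-linux/milkywell/default.nix` hard-codes an arch into a path in a script that otherwise takes the arch as `-a`, and under `set -eo pipefail` a plain `rm` of a path that no longer exists aborts the whole no-key fallback branch the next time milkywell moves arch or is renamed. A glob keeps the intent without pinning the arch: `rm -f hosts/nixos/*/milkywell/default.nix`. The enclosing `if [[ $local_keys != … ]]` starts before this hunk.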
@@ -91,8 +102,8 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then else green "Valid SSH key found! Continuing with installation" fi -sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ -git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix +sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/ +git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/hardware-configuration.nix green "Installing flake $target_config" sudo nixos-rebuild --show-trace --flake .#"$target_config" boot diff --git a/flake.lock b/flake.lock index b045d34..10b1bfe 100644 --- a/flake.lock +++ b/flake.lock @@ -7815,11 +7815,11 @@ }, "nixpkgs-dev": { "locked": { - "lastModified": 1761589965, - "narHash": "sha256-ZtypYmGwo7wUOo88UKVAdUZCYCpvFM8O0bEmI7+NW5k=", + "lastModified": 1762578095, + "narHash": "sha256-uW5Ff1H/lVvsKcNXtU7COQifqnRQ5i/YTEPGQwundNQ=", "owner": "Swarsel", "repo": "nixpkgs", - "rev": "ed3254fbd834e5bfbf6bc9586d57307a92f1a269", + "rev": "a99a76ccf7bfbb8c5d6129e6ff69413c6db55c1a", "type": "github" }, "original": { diff --git a/hosts/android/magicant/default.nix b/hosts/android/aarch64-linux/magicant/default.nix similarity index 100% rename from hosts/android/magicant/default.nix rename to hosts/android/aarch64-linux/magicant/default.nix diff --git a/hosts/darwin/machpizza/default.nix b/hosts/darwin/x86_64-darwin/machpizza/default.nix similarity index 100% rename from hosts/darwin/machpizza/default.nix rename to hosts/darwin/x86_64-darwin/machpizza/default.nix diff --git a/hosts/darwin/machpizza/secrets/pii.nix.enc b/hosts/darwin/x86_64-darwin/machpizza/secrets/pii.nix.enc similarity index 100% rename from hosts/darwin/machpizza/secrets/pii.nix.enc rename to hosts/darwin/x86_64-darwin/machpizza/secrets/pii.nix.enc 
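Review bot: For a rebuild of an existing host the directory `hosts/nixos/$target_arch/$target_config` must already exist, but nothing checks that before `nixos-generate-config --dir` runs; with a wrong `-a` the tool writes a fresh `hardware-configuration.nix` into a new directory, `git add` stages it, and `nixos-rebuild --flake .#"$target_config"` — keyed by host name only in `nix/hosts.nix` — silently builds from the old directory with the stale hardware config. A guard before the generate call avoids that: `[[ -d /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config" ]] || { red "error: no config for $target_config under $target_arch"; exit 1; }`. Since this script only ever rebuilds the local machine, `-a` could also default to `$(nix eval --impure --raw --expr builtins.currentSystem)` instead of being mandatory.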
diff --git a/hosts/home/treehouse/default.nix b/hosts/home/aarch64-linux/treehouse/default.nix similarity index 100% rename from hosts/home/treehouse/default.nix rename to hosts/home/aarch64-linux/treehouse/default.nix diff --git a/hosts/nixos/milkywell/default.nix b/hosts/nixos/aarch64-linux/milkywell/default.nix similarity index 100% rename from hosts/nixos/milkywell/default.nix rename to hosts/nixos/aarch64-linux/milkywell/default.nix diff --git a/hosts/nixos/milkywell/disk-config.nix b/hosts/nixos/aarch64-linux/milkywell/disk-config.nix similarity index 100% rename from hosts/nixos/milkywell/disk-config.nix rename to hosts/nixos/aarch64-linux/milkywell/disk-config.nix diff --git a/hosts/nixos/milkywell/hardware-configuration.nix b/hosts/nixos/aarch64-linux/milkywell/hardware-configuration.nix similarity index 100% rename from hosts/nixos/milkywell/hardware-configuration.nix rename to hosts/nixos/aarch64-linux/milkywell/hardware-configuration.nix diff --git a/hosts/nixos/milkywell/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/milkywell/secrets/pii.nix.enc similarity index 100% rename from hosts/nixos/milkywell/secrets/pii.nix.enc rename to hosts/nixos/aarch64-linux/milkywell/secrets/pii.nix.enc diff --git a/hosts/nixos/moonside/default.nix b/hosts/nixos/aarch64-linux/moonside/default.nix similarity index 100% rename from hosts/nixos/moonside/default.nix rename to hosts/nixos/aarch64-linux/moonside/default.nix diff --git a/hosts/nixos/moonside/disk-config.nix b/hosts/nixos/aarch64-linux/moonside/disk-config.nix similarity index 100% rename from hosts/nixos/moonside/disk-config.nix rename to hosts/nixos/aarch64-linux/moonside/disk-config.nix diff --git a/hosts/nixos/moonside/hardware-configuration.nix b/hosts/nixos/aarch64-linux/moonside/hardware-configuration.nix similarity index 100% rename from hosts/nixos/moonside/hardware-configuration.nix rename to hosts/nixos/aarch64-linux/moonside/hardware-configuration.nix 
diff --git a/hosts/nixos/moonside/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc similarity index 100% rename from hosts/nixos/moonside/secrets/pii.nix.enc rename to hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc diff --git a/hosts/nixos/bakery/default.nix b/hosts/nixos/x86_64-linux/bakery/default.nix similarity index 100% rename from hosts/nixos/bakery/default.nix rename to hosts/nixos/x86_64-linux/bakery/default.nix diff --git a/hosts/nixos/bakery/disk-config.nix b/hosts/nixos/x86_64-linux/bakery/disk-config.nix similarity index 100% rename from hosts/nixos/bakery/disk-config.nix rename to hosts/nixos/x86_64-linux/bakery/disk-config.nix diff --git a/hosts/nixos/bakery/hardware-configuration.nix b/hosts/nixos/x86_64-linux/bakery/hardware-configuration.nix similarity index 100% rename from hosts/nixos/bakery/hardware-configuration.nix rename to hosts/nixos/x86_64-linux/bakery/hardware-configuration.nix diff --git a/hosts/nixos/bakery/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/bakery/secrets/pii.nix.enc similarity index 100% rename from hosts/nixos/bakery/secrets/pii.nix.enc rename to hosts/nixos/x86_64-linux/bakery/secrets/pii.nix.enc diff --git a/hosts/nixos/hotel/default.nix b/hosts/nixos/x86_64-linux/hotel/default.nix similarity index 100% rename from hosts/nixos/hotel/default.nix rename to hosts/nixos/x86_64-linux/hotel/default.nix diff --git a/hosts/nixos/hotel/disk-config.nix b/hosts/nixos/x86_64-linux/hotel/disk-config.nix similarity index 100% rename from hosts/nixos/hotel/disk-config.nix rename to hosts/nixos/x86_64-linux/hotel/disk-config.nix diff --git a/hosts/nixos/hotel/hardware-configuration.nix b/hosts/nixos/x86_64-linux/hotel/hardware-configuration.nix similarity index 100% rename from hosts/nixos/hotel/hardware-configuration.nix rename to hosts/nixos/x86_64-linux/hotel/hardware-configuration.nix 
diff --git a/hosts/nixos/hotel/options-home.nix b/hosts/nixos/x86_64-linux/hotel/options-home.nix similarity index 100% rename from hosts/nixos/hotel/options-home.nix rename to hosts/nixos/x86_64-linux/hotel/options-home.nix diff --git a/hosts/nixos/hotel/options.nix b/hosts/nixos/x86_64-linux/hotel/options.nix similarity index 100% rename from hosts/nixos/hotel/options.nix rename to hosts/nixos/x86_64-linux/hotel/options.nix diff --git a/hosts/nixos/pyramid/default.nix b/hosts/nixos/x86_64-linux/pyramid/default.nix similarity index 100% rename from hosts/nixos/pyramid/default.nix rename to hosts/nixos/x86_64-linux/pyramid/default.nix diff --git a/hosts/nixos/pyramid/disk-config.nix b/hosts/nixos/x86_64-linux/pyramid/disk-config.nix similarity index 100% rename from hosts/nixos/pyramid/disk-config.nix rename to hosts/nixos/x86_64-linux/pyramid/disk-config.nix diff --git a/hosts/nixos/pyramid/hardware-configuration.nix b/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix similarity index 100% rename from hosts/nixos/pyramid/hardware-configuration.nix rename to hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix diff --git a/hosts/nixos/pyramid/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc similarity index 100% rename from hosts/nixos/pyramid/secrets/pii.nix.enc rename to hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc diff --git a/hosts/nixos/summers/default.nix b/hosts/nixos/x86_64-linux/summers/default.nix similarity index 100% rename from hosts/nixos/summers/default.nix rename to hosts/nixos/x86_64-linux/summers/default.nix diff --git a/hosts/nixos/summers/disk-config.nix b/hosts/nixos/x86_64-linux/summers/disk-config.nix similarity index 100% rename from hosts/nixos/summers/disk-config.nix rename to hosts/nixos/x86_64-linux/summers/disk-config.nix 
diff --git a/hosts/nixos/summers/guests/guest1/default.nix b/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix similarity index 100% rename from hosts/nixos/summers/guests/guest1/default.nix rename to hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix diff --git a/hosts/nixos/summers/hardware-configuration.nix b/hosts/nixos/x86_64-linux/summers/hardware-configuration.nix similarity index 100% rename from hosts/nixos/summers/hardware-configuration.nix rename to hosts/nixos/x86_64-linux/summers/hardware-configuration.nix diff --git a/hosts/nixos/summers/secrets/guest1/pii.nix.enc b/hosts/nixos/x86_64-linux/summers/secrets/guest1/pii.nix.enc similarity index 100% rename from hosts/nixos/summers/secrets/guest1/pii.nix.enc rename to hosts/nixos/x86_64-linux/summers/secrets/guest1/pii.nix.enc diff --git a/hosts/nixos/summers/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc similarity index 100% rename from hosts/nixos/summers/secrets/pii.nix.enc rename to hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc diff --git a/hosts/nixos/toto/default.nix b/hosts/nixos/x86_64-linux/toto/default.nix similarity index 100% rename from hosts/nixos/toto/default.nix rename to hosts/nixos/x86_64-linux/toto/default.nix diff --git a/hosts/nixos/toto/disk-config.nix b/hosts/nixos/x86_64-linux/toto/disk-config.nix similarity index 100% rename from hosts/nixos/toto/disk-config.nix rename to hosts/nixos/x86_64-linux/toto/disk-config.nix diff --git a/hosts/nixos/toto/hardware-configuration.nix b/hosts/nixos/x86_64-linux/toto/hardware-configuration.nix similarity index 100% rename from hosts/nixos/toto/hardware-configuration.nix rename to hosts/nixos/x86_64-linux/toto/hardware-configuration.nix diff --git a/hosts/nixos/winters/default.nix b/hosts/nixos/x86_64-linux/winters/default.nix similarity index 100% rename from hosts/nixos/winters/default.nix rename to hosts/nixos/x86_64-linux/winters/default.nix 
diff --git a/hosts/nixos/winters/hardware-configuration.nix b/hosts/nixos/x86_64-linux/winters/hardware-configuration.nix similarity index 100% rename from hosts/nixos/winters/hardware-configuration.nix rename to hosts/nixos/x86_64-linux/winters/hardware-configuration.nix diff --git a/hosts/nixos/winters/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc similarity index 100% rename from hosts/nixos/winters/secrets/pii.nix.enc rename to hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc diff --git a/nix/hosts.nix b/nix/hosts.nix index 945182d..2c99f41 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix @@ -6,24 +6,11 @@ inherit (outputs) lib homeLib; # lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; }); - mkNixosHost = { minimal }: configName: - let - sys = "x86_64-linux"; - # lib = config.pkgsPre.${sys}.lib // { - # inherit (inputs.home-manager.lib) hm; - # swarselsystems = self.outputs.swarselsystemsLib; - # }; - - # lib = config.pkgsPre.${sys}.lib // { - # inherit (inputs.home-manager.lib) hm; - # swarselsystems = self.outputs.swarselsystemsLib; - # }; - inherit (config.pkgs.${sys}) lib; - in + mkNixosHost = { minimal }: configName: arch: inputs.nixpkgs.lib.nixosSystem { specialArgs = { - inherit inputs outputs self minimal configName; - inherit lib homeLib; + inherit inputs outputs self minimal configName homeLib; + inherit (config.pkgs.${arch}) lib; inherit (config) globals nodes; }; modules = [ @@ -41,7 +28,7 @@ inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm (inputs.nixos-extra-modules + "/modules/guests") - "${self}/hosts/nixos/${configName}" + "${self}/hosts/nixos/${arch}/${configName}" "${self}/profiles/nixos" "${self}/modules/nixos" { 
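Review bot: `inherit (config.pkgs.${arch}) lib;` takes `lib` from `config.pkgs`, while `mkHalfHost` in the same file takes its package set from `lib.swarselsystems.pkgsFor.${arch}`; the two sources are not obviously the same, and `config.pkgs` is not defined in this file, so whether it has an `aarch64-linux` entry — now required for milkywell and moonside — cannot be seen here. If they are meant to be the same set, use one source for both (`inherit (lib.swarselsystems.pkgsFor.${arch}) lib;`) or add a comment stating where `config.pkgs` is populated and for which systems. The `nixosSystem` call continues past the end of this hunk.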
@@ -50,7 +37,7 @@ node = { name = lib.mkForce configName; - secretsDir = ../hosts/nixos/${configName}/secrets; + secretsDir = ../hosts/nixos/${arch}/${configName}/secrets; }; swarselprofiles = { @@ -68,7 +55,7 @@ ]; }; - mkDarwinHost = { minimal }: configName: + mkDarwinHost = { minimal }: configName: arch: inputs.nix-darwin.lib.darwinSystem { specialArgs = { inherit inputs lib outputs self minimal configName; 
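Review bot: `mkDarwinHost` gains an `arch` parameter but its `specialArgs` still pass the outer `lib` (`inherit inputs lib outputs self minimal configName;`), whereas `mkNixosHost` above now passes `config.pkgs.${arch}.lib`; darwin modules therefore see a `lib` unrelated to their arch. Either mirror the nixos side with `inherit (config.pkgs.${arch}) lib;` or note in a comment that darwin intentionally uses the flake-level `lib`. The `darwinSystem` call continues past this hunk.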
@@ -82,75 +69,92 @@ # inputs.fw-fanctrl.nixosModules.default # inputs.nix-topology.nixosModules.default inputs.home-manager.darwinModules.home-manager - "${self}/hosts/darwin/${configName}" + "${self}/hosts/darwin/${arch}/${configName}" "${self}/modules/nixos/darwin" # needed for infrastructure "${self}/modules/nixos/common/meta.nix" "${self}/modules/nixos/common/globals.nix" { node.name = lib.mkForce configName; - node.secretsDir = ../hosts/darwin/${configName}/secrets; + node.secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; } ]; }; - mkHalfHost = configName: type: pkgs: { - ${configName} = - let - systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; - in - systemFunc - { - inherit pkgs; - extraSpecialArgs = { - inherit inputs lib outputs self configName; - inherit (config) globals nodes; - minimal = false; - }; - modules = [ - inputs.stylix.homeModules.stylix - inputs.niri-flake.homeModules.niri - inputs.nix-index-database.homeModules.nix-index - # inputs.sops-nix.homeManagerModules.sops - inputs.spicetify-nix.homeManagerModules.default - inputs.swarsel-nix.homeModules.default - "${self}/hosts/${type}/${configName}" - "${self}/profiles/home" - ]; - }; - }; + mkHalfHost = configName: type: arch: + let + systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; + pkgs = lib.swarselsystems.pkgsFor.${arch}; + in + systemFunc { + inherit pkgs; + extraSpecialArgs = { + inherit inputs lib outputs self configName; + inherit (config) globals nodes; + minimal = false; + }; + modules = [ + inputs.stylix.homeModules.stylix + inputs.niri-flake.homeModules.niri + inputs.nix-index-database.homeModules.nix-index + # inputs.sops-nix.homeManagerModules.sops + inputs.spicetify-nix.homeManagerModules.default + inputs.swarsel-nix.homeModules.default + "${self}/hosts/${type}/${arch}/${configName}" + 
"${self}/profiles/home" + ]; + }; + + linuxArches = [ "x86_64-linux" "aarch64-linux" ]; + darwinArches = [ "x86_64-darwin" "aarch64-darwin" ]; + mkArches = type: if (type == "nixos") then linuxArches else if (type == "darwin") then darwinArches else linuxArches ++ darwinArches; + + readHostDirs = hostDir: + if builtins.pathExists hostDir then + builtins.attrNames + ( + lib.filterAttrs (_: type: type == "directory") + (builtins.readDir hostDir) + ) else [ ]; + + mkHalfHostsForArch = type: arch: + let + hostDir = "${self}/hosts/${type}/${arch}"; + hosts = readHostDirs hostDir; + in + lib.genAttrs hosts (host: mkHalfHost host type arch); + + mkHostsForArch = type: arch: minimal: + let + hostDir = "${self}/hosts/${type}/${arch}"; + hosts = readHostDirs hostDir; + in + if (type == "nixos") then + lib.genAttrs hosts (host: mkNixosHost { inherit minimal; } host arch) + else if (type == "darwin") then + lib.genAttrs hosts (host: mkDarwinHost { inherit minimal; } host arch) + else { }; + + mkConfigurationsPerArch = type: minimal: + let + arches = mkArches type; + toMake = if (minimal == null) then (arch: _: mkHalfHostsForArch type arch) else (arch: _: mkHostsForArch type arch minimal); + in + lib.concatMapAttrs toMake + (lib.listToAttrs (map (a: { name = a; value = { }; }) arches)); + + halfConfigurationsPerArch = type: mkConfigurationsPerArch type null; + configurationsPerArch = type: minimal: mkConfigurationsPerArch type minimal; - mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (name: mkHalfHost name type pkgs) hosts); - nixosHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/nixos")); - darwinHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/darwin")); in { - nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { - minimal = false; - }); - nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { - 
minimal = true; - }); - darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = false; - }); - darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = true; - }); - - homeConfigurations = - let - inherit (lib.swarselsystems) pkgsFor readHosts; - in - mkHalfHostConfigs (readHosts "home") "home" pkgsFor.x86_64-linux - // mkHalfHostConfigs (readHosts "home") "home" pkgsFor.aarch64-linux; - - nixOnDroidConfigurations = - let - inherit (lib.swarselsystems) pkgsFor readHosts; - in - mkHalfHostConfigs (readHosts "android") "android" pkgsFor.aarch64-linux; + nixosConfigurations = configurationsPerArch "nixos" false; + nixosConfigurationsMinimal = configurationsPerArch "nixos" true; + darwinConfigurations = configurationsPerArch "darwin" false; + darwinConfigurationsMinimal = configurationsPerArch "darwin" true; + homeConfigurations = halfConfigurationsPerArch "home"; + nixOnDroidConfigurations = halfConfigurationsPerArch "android"; guestConfigurations = lib.flip lib.concatMapAttrs config.nixosConfigurations ( _: node: From a5a1afed3dec00b4bc6f939e5a8b2745347a36d5 Mon Sep 17 00:00:00 2001 
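Review bot: `mkConfigurationsPerArch` merges the per-arch sets with `lib.concatMapAttrs`, and each set is keyed by the host directory name alone, so a host directory present under two arches (say `hosts/nixos/x86_64-linux/foo` and `hosts/nixos/aarch64-linux/foo`) silently resolves to whichever arch merges last — and `secretsDir`, `sops updatekeys` and `nixos-rebuild --flake .#foo` would all follow that choice without warning. The `listToAttrs (map (a: { name = a; value = { }; }) arches)` detour exists only to feed `concatMapAttrs`; a fold over the list is simpler and gives a natural place to assert that host names are unique across arches. The `guestConfigurations` attribute that follows starts outside this hunk.
```nix
mkConfigurationsPerArch = type: minimal:
  let
    arches = mkArches type;
    mkFor = arch: if (minimal == null) then mkHalfHostsForArch type arch else mkHostsForArch type arch minimal;
    perArch = map mkFor arches;
    names = lib.concatMap builtins.attrNames perArch;
    # a host name that appears under more than one arch would be silently shadowed on merge
    dupes = lib.unique (lib.filter (n: lib.count (x: x == n) names > 1) names);
  in
  assert lib.assertMsg (dupes == [ ]) "hosts/${type}: host name(s) ${toString dupes} exist under more than one arch";
  lib.foldl' (acc: s: acc // s) { } perArch;
# … unchanged: halfConfigurationsPerArch / configurationsPerArch wrappers …
```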
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?= Date: Sat, 8 Nov 2025 13:49:03 +0100 Subject: [PATCH 2/5] feat: build configurations dynamically for arch --- .github/README.md | 2 +- .sops.yaml | 17 +- SwarselSystems.org | 265 ++++++++++-------- files/scripts/swarsel-bootstrap.sh | 23 +- files/scripts/swarsel-install.sh | 15 +- files/scripts/swarsel-rebuild.sh | 19 +- flake.lock | 6 +- .../{ => aarch64-linux}/magicant/default.nix | 0 .../{ => x86_64-darwin}/machpizza/default.nix | 0 .../machpizza/secrets/pii.nix.enc | 0 .../{ => aarch64-linux}/treehouse/default.nix | 0 .../{ => aarch64-linux}/milkywell/default.nix | 0 .../milkywell/disk-config.nix | 0 .../milkywell/hardware-configuration.nix | 0 .../milkywell/secrets/pii.nix.enc | 0 .../{ => aarch64-linux}/moonside/default.nix | 0 .../moonside/disk-config.nix | 0 .../moonside/hardware-configuration.nix | 0 .../moonside/secrets/pii.nix.enc | 0 .../{ => x86_64-linux}/bakery/default.nix | 0 .../{ => x86_64-linux}/bakery/disk-config.nix | 0 .../bakery/hardware-configuration.nix | 0 .../bakery/secrets/pii.nix.enc | 0 .../{ => x86_64-linux}/hotel/default.nix | 0 .../{ => x86_64-linux}/hotel/disk-config.nix | 0 .../hotel/hardware-configuration.nix | 0 .../{ => x86_64-linux}/hotel/options-home.nix | 0 .../{ => x86_64-linux}/hotel/options.nix | 0 .../{ => x86_64-linux}/pyramid/default.nix | 0 .../pyramid/disk-config.nix | 0 .../pyramid/hardware-configuration.nix | 0 .../pyramid/secrets/pii.nix.enc | 0 .../{ => x86_64-linux}/summers/default.nix | 0 .../summers/disk-config.nix | 0 .../summers/guests/guest1/default.nix | 0 .../summers/hardware-configuration.nix | 0 .../summers/secrets/guest1/pii.nix.enc | 0 .../summers/secrets/pii.nix.enc | 0 .../nixos/{ => x86_64-linux}/toto/default.nix | 0 .../{ => x86_64-linux}/toto/disk-config.nix | 0 .../toto/hardware-configuration.nix | 0 .../{ => x86_64-linux}/winters/default.nix | 0 .../winters/hardware-configuration.nix | 0 .../winters/secrets/pii.nix.enc | 0 nix/hosts.nix | 152 +++++----- 
45 files changed, 289 insertions(+), 210 deletions(-) rename hosts/android/{ => aarch64-linux}/magicant/default.nix (100%) rename hosts/darwin/{ => x86_64-darwin}/machpizza/default.nix (100%) rename hosts/darwin/{ => x86_64-darwin}/machpizza/secrets/pii.nix.enc (100%) rename hosts/home/{ => aarch64-linux}/treehouse/default.nix (100%) rename hosts/nixos/{ => aarch64-linux}/milkywell/default.nix (100%) rename hosts/nixos/{ => aarch64-linux}/milkywell/disk-config.nix (100%) rename hosts/nixos/{ => aarch64-linux}/milkywell/hardware-configuration.nix (100%) rename hosts/nixos/{ => aarch64-linux}/milkywell/secrets/pii.nix.enc (100%) rename hosts/nixos/{ => aarch64-linux}/moonside/default.nix (100%) rename hosts/nixos/{ => aarch64-linux}/moonside/disk-config.nix (100%) rename hosts/nixos/{ => aarch64-linux}/moonside/hardware-configuration.nix (100%) rename hosts/nixos/{ => aarch64-linux}/moonside/secrets/pii.nix.enc (100%) rename hosts/nixos/{ => x86_64-linux}/bakery/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/bakery/disk-config.nix (100%) rename hosts/nixos/{ => x86_64-linux}/bakery/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/bakery/secrets/pii.nix.enc (100%) rename hosts/nixos/{ => x86_64-linux}/hotel/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/hotel/disk-config.nix (100%) rename hosts/nixos/{ => x86_64-linux}/hotel/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/hotel/options-home.nix (100%) rename hosts/nixos/{ => x86_64-linux}/hotel/options.nix (100%) rename hosts/nixos/{ => x86_64-linux}/pyramid/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/pyramid/disk-config.nix (100%) rename hosts/nixos/{ => x86_64-linux}/pyramid/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/pyramid/secrets/pii.nix.enc (100%) rename hosts/nixos/{ => x86_64-linux}/summers/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/summers/disk-config.nix (100%) rename hosts/nixos/{ => 
x86_64-linux}/summers/guests/guest1/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/summers/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/summers/secrets/guest1/pii.nix.enc (100%) rename hosts/nixos/{ => x86_64-linux}/summers/secrets/pii.nix.enc (100%) rename hosts/nixos/{ => x86_64-linux}/toto/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/toto/disk-config.nix (100%) rename hosts/nixos/{ => x86_64-linux}/toto/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/winters/default.nix (100%) rename hosts/nixos/{ => x86_64-linux}/winters/hardware-configuration.nix (100%) rename hosts/nixos/{ => x86_64-linux}/winters/secrets/pii.nix.enc (100%) diff --git a/.github/README.md b/.github/README.md index 798076e..0661cc1 100644 --- a/.github/README.md +++ b/.github/README.md 
@@ -79,7 +79,7 @@ #### Remote deployment (recommended if you have at least one running system) - 0) Fork this repo, and write your own host config at `hosts/nixos//default.nix` (you can use one of the other configurations as a template. Also see https://github.com/Swarsel/.dotfiles/tree/main/modules for a list of all additional options). At the very least, you should replace the `secrets/` directory with your own secrets and replace the SSH public keys with your own ones (otherwise I will come visit you!🔓❤️). I personally recommend to use the literate configuration and `org-babel-tangle-file` in Emacs, but you can also simply edit the separate `.nix` files. + 0) Fork this repo, and write your own host config at `hosts/nixos///default.nix` (you can use one of the other configurations as a template. Also see https://github.com/Swarsel/.dotfiles/tree/main/modules for a list of all additional options). At the very least, you should replace the `secrets/` directory with your own secrets and replace the SSH public keys with your own ones (otherwise I will come visit you!🔓❤️). I personally recommend to use the literate configuration and `org-babel-tangle-file` in Emacs, but you can also simply edit the separate `.nix` files. 1) Have a system with `nix` available booted (this does not need to be installed, i.e. you can use a NixOS installer image; a custom minimal installer ISO can be built by running `just iso` in the root of this repo) 2) Make sure that your Yubikey is plugged in or that you have your SSH key available (and configured) 3) Run `swarsel-bootstrap -n -d ` on your existing system. diff --git a/.sops.yaml b/.sops.yaml index 2626089..1379cf1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -62,7 +62,7 @@ creation_rules: - *swarsel age: - *nbl - - path_regex: hosts/nixos/pyramid/secrets/pii.nix.enc + - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc key_groups: - pgp: - *swarsel 
@@ -75,7 +75,7 @@ creation_rules: - *swarsel age: - *moonside - - path_regex: hosts/nixos/moonside/secrets/pii.nix.enc + - path_regex: hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc key_groups: - pgp: - *swarsel @@ -88,7 +88,7 @@ creation_rules: - *swarsel age: - *bakery - - path_regex: hosts/nixos/bakery/secrets/pii.nix.enc + - path_regex: hosts/nixos/x86_64-linux/bakery/secrets/pii.nix.enc key_groups: - pgp: - *swarsel @@ -101,7 +101,7 @@ creation_rules: - *swarsel age: - *winters - - path_regex: hosts/nixos/winters/secrets/pii.nix.enc + - path_regex: hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc key_groups: - pgp: - *swarsel @@ -115,14 +115,19 @@ creation_rules: - *swarsel age: - *milkywell - - path_regex: hosts/nixos/milkywell/secrets/pii.nix.enc + - path_regex: hosts/nixos/aarch64-linux/milkywell/secrets/pii.nix.enc key_groups: - pgp: - *swarsel age: - *milkywell - - path_regex: hosts/nixos/summers/secrets/ + - path_regex: hosts/nixos/x86_64-linux/summers/secrets/ + key_groups: + - pgp: + - *swarsel + + - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/ key_groups: - pgp: - *swarsel diff --git a/SwarselSystems.org b/SwarselSystems.org index 0afebc4..dbfb7e7 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
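Review bot: The new rule `path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/` refers to a host directory that does not exist anywhere in this patch (no rename or add touches `hintbooth`), so it is dead config until that host lands and looks like a stray change from another branch. Separately, the visible `.sops.yaml` hunks only rewrite `hosts/nixos/...` paths, while `hosts/darwin/machpizza/secrets/pii.nix.enc` is also moved (to `x86_64-darwin`); if a rule for that file exists outside this diff it needs the same update, otherwise `sops updatekeys` will no longer match it. Since `path_regex` is an unanchored regex, a leading `^` (e.g. `^hosts/nixos/x86_64-linux/summers/secrets/`) would make each match exact rather than a substring match.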
@@ -906,24 +906,11 @@ The rest of the outputs either define or help define the actual configurations: inherit (outputs) lib homeLib; # lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; }); - mkNixosHost = { minimal }: configName: - let - sys = "x86_64-linux"; - # lib = config.pkgsPre.${sys}.lib // { - # inherit (inputs.home-manager.lib) hm; - # swarselsystems = self.outputs.swarselsystemsLib; - # }; - - # lib = config.pkgsPre.${sys}.lib // { - # inherit (inputs.home-manager.lib) hm; - # swarselsystems = self.outputs.swarselsystemsLib; - # }; - inherit (config.pkgs.${sys}) lib; - in + mkNixosHost = { minimal }: configName: arch: inputs.nixpkgs.lib.nixosSystem { specialArgs = { - inherit inputs outputs self minimal configName; - inherit lib homeLib; + inherit inputs outputs self minimal configName homeLib; + inherit (config.pkgs.${arch}) lib; inherit (config) globals nodes; }; modules = [ @@ -941,7 +928,7 @@ The rest of the outputs either define or help define the actual configurations: inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm (inputs.nixos-extra-modules + "/modules/guests") - "${self}/hosts/nixos/${configName}" + "${self}/hosts/nixos/${arch}/${configName}" "${self}/profiles/nixos" "${self}/modules/nixos" { @@ -950,7 +937,7 @@ The rest of the outputs either define or help define the actual configurations: node = { name = lib.mkForce configName; - secretsDir = ../hosts/nixos/${configName}/secrets; + secretsDir = ../hosts/nixos/${arch}/${configName}/secrets; }; swarselprofiles = { @@ -968,7 +955,7 @@ The rest of the outputs either define or help define the actual configurations: ]; }; - mkDarwinHost = { minimal }: configName: + mkDarwinHost = { minimal }: configName: arch: inputs.nix-darwin.lib.darwinSystem { specialArgs = { inherit inputs lib outputs self minimal configName; 
@@ -982,75 +969,92 @@ The rest of the outputs either define or help define the actual configurations: # inputs.fw-fanctrl.nixosModules.default # inputs.nix-topology.nixosModules.default inputs.home-manager.darwinModules.home-manager - "${self}/hosts/darwin/${configName}" + "${self}/hosts/darwin/${arch}/${configName}" "${self}/modules/nixos/darwin" # needed for infrastructure "${self}/modules/nixos/common/meta.nix" "${self}/modules/nixos/common/globals.nix" { node.name = lib.mkForce configName; - node.secretsDir = ../hosts/darwin/${configName}/secrets; + node.secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; } ]; }; - mkHalfHost = configName: type: pkgs: { - ${configName} = - let - systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; - in - systemFunc - { - inherit pkgs; - extraSpecialArgs = { - inherit inputs lib outputs self configName; - inherit (config) globals nodes; - minimal = false; - }; - modules = [ - inputs.stylix.homeModules.stylix - inputs.niri-flake.homeModules.niri - inputs.nix-index-database.homeModules.nix-index - # inputs.sops-nix.homeManagerModules.sops - inputs.spicetify-nix.homeManagerModules.default - inputs.swarsel-nix.homeModules.default - "${self}/hosts/${type}/${configName}" - "${self}/profiles/home" - ]; - }; - }; + mkHalfHost = configName: type: arch: + let + systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; + pkgs = lib.swarselsystems.pkgsFor.${arch}; + in + systemFunc { + inherit pkgs; + extraSpecialArgs = { + inherit inputs lib outputs self configName; + inherit (config) globals nodes; + minimal = false; + }; + modules = [ + inputs.stylix.homeModules.stylix + inputs.niri-flake.homeModules.niri + inputs.nix-index-database.homeModules.nix-index + # inputs.sops-nix.homeManagerModules.sops + inputs.spicetify-nix.homeManagerModules.default + 
inputs.swarsel-nix.homeModules.default + "${self}/hosts/${type}/${arch}/${configName}" + "${self}/profiles/home" + ]; + }; + + linuxArches = [ "x86_64-linux" "aarch64-linux" ]; + darwinArches = [ "x86_64-darwin" "aarch64-darwin" ]; + mkArches = type: if (type == "nixos") then linuxArches else if (type == "darwin") then darwinArches else linuxArches ++ darwinArches; + + readHostDirs = hostDir: + if builtins.pathExists hostDir then + builtins.attrNames + ( + lib.filterAttrs (_: type: type == "directory") + (builtins.readDir hostDir) + ) else [ ]; + + mkHalfHostsForArch = type: arch: + let + hostDir = "${self}/hosts/${type}/${arch}"; + hosts = readHostDirs hostDir; + in + lib.genAttrs hosts (host: mkHalfHost host type arch); + + mkHostsForArch = type: arch: minimal: + let + hostDir = "${self}/hosts/${type}/${arch}"; + hosts = readHostDirs hostDir; + in + if (type == "nixos") then + lib.genAttrs hosts (host: mkNixosHost { inherit minimal; } host arch) + else if (type == "darwin") then + lib.genAttrs hosts (host: mkDarwinHost { inherit minimal; } host arch) + else { }; + + mkConfigurationsPerArch = type: minimal: + let + arches = mkArches type; + toMake = if (minimal == null) then (arch: _: mkHalfHostsForArch type arch) else (arch: _: mkHostsForArch type arch minimal); + in + lib.concatMapAttrs toMake + (lib.listToAttrs (map (a: { name = a; value = { }; }) arches)); + + halfConfigurationsPerArch = type: mkConfigurationsPerArch type null; + configurationsPerArch = type: minimal: mkConfigurationsPerArch type minimal; - mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (name: mkHalfHost name type pkgs) hosts); - nixosHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/nixos")); - darwinHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/darwin")); in { - nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { - minimal = 
false; - }); - nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { - minimal = true; - }); - darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = false; - }); - darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = true; - }); - - homeConfigurations = - let - inherit (lib.swarselsystems) pkgsFor readHosts; - in - mkHalfHostConfigs (readHosts "home") "home" pkgsFor.x86_64-linux - // mkHalfHostConfigs (readHosts "home") "home" pkgsFor.aarch64-linux; - - nixOnDroidConfigurations = - let - inherit (lib.swarselsystems) pkgsFor readHosts; - in - mkHalfHostConfigs (readHosts "android") "android" pkgsFor.aarch64-linux; + nixosConfigurations = configurationsPerArch "nixos" false; + nixosConfigurationsMinimal = configurationsPerArch "nixos" true; + darwinConfigurations = configurationsPerArch "darwin" false; + darwinConfigurationsMinimal = configurationsPerArch "darwin" true; + homeConfigurations = halfConfigurationsPerArch "home"; + nixOnDroidConfigurations = halfConfigurationsPerArch "android"; guestConfigurations = lib.flip lib.concatMapAttrs config.nixosConfigurations ( _: node: @@ -1995,7 +1999,7 @@ My work machine. Built for more security, this is the gold standard of my config :PROPERTIES: :CUSTOM_ID: h:567c0055-f5f7-4e53-8f13-d767d7166e9d :END: -#+begin_src nix-ts :tangle hosts/nixos/pyramid/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/default.nix { self, config, inputs, lib, minimal, ... }: let primaryUser = config.swarselsystems.mainUser; @@ -2079,7 +2083,7 @@ My work machine. Built for more security, this is the gold standard of my config :CUSTOM_ID: h:25115a54-c634-4896-9a41-254064ce9fcc :END: -#+begin_src nix-ts :tangle hosts/nixos/pyramid/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix { config, lib, pkgs, modulesPath, ... }: { imports = 
@@ -2159,7 +2163,7 @@ My work machine. Built for more security, this is the gold standard of my config :CUSTOM_ID: h:e0da04c7-4199-44b0-b525-6cfc64072b45 :END: -#+begin_src nix-ts :tangle hosts/nixos/pyramid/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/disk-config.nix { disko.devices = { disk = { @@ -2253,7 +2257,7 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se :PROPERTIES: :CUSTOM_ID: h:6f80d614-d76a-433b-8956-78d7b323b68c :END: -#+begin_src nix-ts :tangle hosts/nixos/bakery/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/bakery/default.nix { self, config, inputs, lib, minimal, ... }: let primaryUser = config.swarselsystems.mainUser; @@ -2319,7 +2323,7 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se :CUSTOM_ID: h:bbba1646-fb5f-4d04-baf0-f606037a8b39 :END: -#+begin_src nix-ts :tangle hosts/nixos/bakery/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/bakery/hardware-configuration.nix # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. @@ -2349,7 +2353,7 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se :CUSTOM_ID: h:72444f85-7951-47c0-858f-b51d8299de8c :END: -#+begin_src nix-ts :tangle hosts/nixos/bakery/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/bakery/disk-config.nix { lib, pkgs, config, ... }: let type = "btrfs"; @@ -2485,7 +2489,7 @@ This is my main server that I run at home. It handles most tasks that require bi :PROPERTIES: :CUSTOM_ID: h:8ad68406-4a75-45ba-97ad-4c310b921124 :END: -#+begin_src nix-ts :tangle hosts/nixos/winters/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/winters/default.nix { lib, config, minimal, ... }: { 
@@ -2574,7 +2578,7 @@ This is my main server that I run at home. It handles most tasks that require bi :PROPERTIES: :CUSTOM_ID: h:0fdefb4f-ce53-4caf-89ed-5d79646f70f0 :END: -#+begin_src nix-ts :tangle hosts/nixos/winters/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/winters/hardware-configuration.nix { config, lib, modulesPath, ... }: { @@ -2624,7 +2628,7 @@ This is my main server that I run at home. It handles most tasks that require bi **** Summers (Server: ASUS Z10PA-D8) ***** Main Configuration -#+begin_src nix-ts :tangle hosts/nixos/summers/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/default.nix { inputs, lib, config, configName, minimal, nodes, globals, ... }: { @@ -2737,7 +2741,7 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src ***** hardware-configuration -#+begin_src nix-ts :tangle hosts/nixos/summers/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/hardware-configuration.nix { config, lib, modulesPath, ... }: { @@ -2769,7 +2773,7 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src ***** disko -#+begin_src nix-ts :tangle hosts/nixos/summers/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/disk-config.nix { lib, config, ... }: let type = "btrfs"; @@ -2891,7 +2895,7 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src ***** Guests ****** Guest 1 -#+begin_src nix-ts :tangle hosts/nixos/summers/guests/guest1/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix { lib, minimal, ... }: { 
@@ -2927,7 +2931,7 @@ This is my main server that I run at home. It handles most tasks that require bi A Mac notebook that I have received from work. I use this machine for getting accustomed to the Apple ecosystem as well as as a sandbox for nix-darwin configurations (the darwin configuration is severely under-developed). -#+begin_src nix-ts :tangle hosts/darwin/machpizza/default.nix +#+begin_src nix-ts :tangle hosts/darwin/x86_64-darwin/machpizza/default.nix { lib, config, ... }: let inherit (config.repo.secrets.local) workUser; @@ -2960,7 +2964,7 @@ A Mac notebook that I have received from work. I use this machine for getting ac My phone. I use only a minimal config for remote debugging here. -#+begin_src nix-ts :tangle hosts/android/magicant/default.nix +#+begin_src nix-ts :tangle hosts/android/aarch64-linux/magicant/default.nix { pkgs, ... }: { environment = { @@ -3012,7 +3016,7 @@ My phone. I use only a minimal config for remote debugging here. **** Treehouse (DGX Spark) -#+begin_src nix-ts :tangle hosts/home/treehouse/default.nix +#+begin_src nix-ts :tangle hosts/home/aarch64-linux/treehouse/default.nix { self, ... }: { @@ -3076,7 +3080,7 @@ For this I use a free Ampere instance from OCI with 50G of space. In case my acc :CUSTOM_ID: h:922105c3-a604-47d9-918b-db1803784c75 :END: -#+begin_src nix-ts :tangle hosts/nixos/milkywell/default.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/milkywell/default.nix { lib, minimal, ... }: { imports = [ @@ -3134,7 +3138,7 @@ For this I use a free Ampere instance from OCI with 50G of space. In case my acc :CUSTOM_ID: h:64dddedd-9b13-4b74-baf0-1d54d5a89d3b :END: -#+begin_src nix-ts :tangle hosts/nixos/milkywell/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/milkywell/hardware-configuration.nix { config, lib, modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") 
@@ -3163,7 +3167,7 @@ For this I use a free Ampere instance from OCI with 50G of space. In case my acc :CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d :END: -#+begin_src nix-ts :tangle hosts/nixos/milkywell/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/milkywell/disk-config.nix # NOTE: ... is needed because dikso passes diskoFile { lib , config @@ -3276,7 +3280,7 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:a8f20a56-ce92-43d8-8bfe-3edccebf2bf9 :END: -#+begin_src nix-ts :tangle hosts/nixos/moonside/default.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/moonside/default.nix { lib, config, minimal, ... }: let inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; @@ -3446,7 +3450,7 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:f99c05ab-f047-4350-b80a-4c1ff55b91bf :END: -#+begin_src nix-ts :tangle hosts/nixos/moonside/hardware-configuration.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/moonside/hardware-configuration.nix { lib, modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; @@ -3468,7 +3472,7 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d :END: -#+begin_src nix-ts :tangle hosts/nixos/moonside/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/moonside/disk-config.nix # NOTE: ... is needed because dikso passes diskoFile { lib , config @@ -3610,7 +3614,7 @@ This is a slim setup for developing base configuration. I do not track the hardw :PROPERTIES: :CUSTOM_ID: h:4e53b40b-98b2-4615-b1b0-3696a75edd6e :END: -#+begin_src nix-ts :tangle hosts/nixos/toto/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/toto/default.nix { self, lib, ... }: { 
@@ -3655,7 +3659,7 @@ This is a slim setup for developing base configuration. I do not track the hardw :CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d :END: -#+begin_src nix-ts :tangle hosts/nixos/toto/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/toto/disk-config.nix # NOTE: ... is needed because dikso passes diskoFile { lib , pkgs @@ -3983,7 +3987,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru :CUSTOM_ID: h:9f1f3439-b0af-4dcd-a96f-b6aa7b6cd2ab :END: -#+begin_src nix-ts :tangle hosts/nixos/hotel/default.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/default.nix { self, config, pkgs, lib, minimal, ... }: let mainUser = "demo"; @@ -4046,7 +4050,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru :CUSTOM_ID: h:849e4233-ba40-4fec-acfe-0d76e1e4371b :END: -#+begin_src nix-ts :tangle hosts/nixos/hotel/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/disk-config.nix # NOTE: ... is needed because dikso passes diskoFile { lib , pkgs @@ -4182,7 +4186,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru :CUSTOM_ID: h:6f9c1a3b-452e-4944-86e8-cb17603cc3f9 :END: -#+begin_src nix-ts :tangle hosts/nixos/hotel/options.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/options.nix _: { } @@ -4193,7 +4197,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru :CUSTOM_ID: h:88ccb198-74b9-4269-8e22-af1277f44667 :END: -#+begin_src nix-ts :tangle hosts/nixos/hotel/options-home.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/options-home.nix _: { } @@ -17718,6 +17722,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man target_hostname="" target_destination="" + target_arch="" target_user="swarsel" ssh_port="22" persist_dir="" 
@@ -17733,6 +17738,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man echo "ARGS:" echo " -n specify target_hostname of the target host to deploy the nixos config on." echo " -d specify ip or url to the target host." + echo " -a specify the architecture of the target host." echo " target during install process." echo echo "OPTIONS:" @@ -17815,6 +17821,10 @@ This program sets up a new NixOS host remotely. It also takes care of secret man shift target_destination=$1 ;; + -a) + shift + target_arch=$1 + ;; -u) shift target_user=$1 @@ -17835,6 +17845,11 @@ This program sets up a new NixOS host remotely. It also takes care of secret man shift done + if [[ $target_arch == "" || $target_destination == "" || $target_hostname == "" ]]; then + red "error: target_arch, target_destination or target_hostname not set." + help_and_exit + fi + green "~SwarselSystems~ remote installer" green "Reading system information for $target_hostname ..." @@ -17926,8 +17941,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" - mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" - $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix + mkdir -p "$FLAKE"/hosts/nixos/"$target_arch"/"$target_hostname" + $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix # ------------------------ green "Deploying minimal NixOS installation on $target_destination" 
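Review bot: The new guard in the `-17835,6 +17845,11` hunk only rejects an empty `-a`, yet `target_arch` is then spliced unvalidated into every path that follows (`mkdir -p`, the `scp` destination, `sops updatekeys`, `git add`), while the flake only scans the fixed `x86_64-linux`/`aarch64-linux` directories — a typo such as `-a x86-64-linux` creates a stray directory, the copied `hardware-configuration.nix` is never picked up by the flake, and the mismatch surfaces only after the target has already been partitioned and installed (the hardware config is generated against `/mnt`). Extending the guard to `if [[ $target_arch != "x86_64-linux" && $target_arch != "aarch64-linux" ]]; then red "error: unsupported target_arch '$target_arch' (expected x86_64-linux or aarch64-linux)."; exit 1; fi` catches this before anything destructive runs, and `exit 1` is preferable to `help_and_exit`, which returns status 0 on what is an error path. Since the script already reaches the target as root, it could also cross-check the flag against `uname -m` there (`x86_64` → `x86_64-linux`, `aarch64` → `aarch64-linux`) instead of trusting it. Separately, the `-17926` hunk still creates the directory under `$FLAKE` but copies into `${git_root}`; if those ever differ the `scp` fails on a missing directory.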
@@ -17992,7 +18007,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man fi green "Updating all secrets files to reflect updates .sops.yaml" sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml - sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc + sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/pii.nix.enc # -------------------------- green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts @@ -18051,10 +18066,10 @@ This program sets up a new NixOS host remotely. It also takes care of secret man green "NixOS was successfully installed!" if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then cd "${git_root}" - deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe - nixpkgs--fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix + deadnix hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix -qe + nixpkgs--fmt hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix (.pre-commit-config.yaml mit run --all-files 2> /dev/null || true) && - git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" && + git add "$git_root/hosts/nixos/$target_arch/$target_hostname/hardware-configuration.nix" && git add "$git_root/.sops.yaml" && git add "$git_root/secrets" && (git commit -m "feat: deployed $target_hostname" || true) && git push @@ -18088,6 +18103,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man set -eo pipefail target_config="hotel" + target_arch="" target_user="swarsel" function help_and_exit() { 
@@ -18097,10 +18113,11 @@ This program sets up a new NixOS host remotely. It also takes care of secret man echo "USAGE: $0 [OPTIONS]" echo echo "ARGS:" - echo " -n specify nixos config to build." + echo " -n specify nixos config to build." echo " Default: hotel" echo " -u specify user to deploy for." echo " Default: swarsel" + echo " -a specify target architecture." echo " -h | --help Print this help." exit 0 } @@ -18130,6 +18147,10 @@ This program sets up a new NixOS host remotely. It also takes care of secret man shift target_config=$1 ;; + -a) + shift + target_arch=$1 + ;; -u) shift target_user=$1 @@ -18143,6 +18164,11 @@ This program sets up a new NixOS host remotely. It also takes care of secret man shift done + if [[ $target_arch == "" ]]; then + red "error: target_arch not set." + help_and_exit + fi + cd /home/"$target_user" if [ ! -d /home/"$target_user"/.dotfiles ]; then @@ -18170,7 +18196,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man rm modules/home/common/mail.nix rm modules/home/common/yubikey.nix rm modules/nixos/server/restic.nix - rm hosts/nixos/milkywell/default.nix + rm hosts/nixos/aarch64-linux/milkywell/default.nix rm -rf modules/nixos/server rm -rf modules/home/server nix flake update vbc-nix @@ -18178,8 +18204,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man else green "Valid SSH key found! Continuing with installation" fi - sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ - git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix + sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/ + git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/hardware-configuration.nix green "Installing flake $target_config" sudo nixos-rebuild --show-trace --flake .#"$target_config" boot 
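Review bot: After this change the rebuild script's advertised default (`-n` "Default: hotel") no longer works on its own, because the `-18143,6 +18164,11` hunk makes `-a` mandatory while `target_arch` has no default; `hotel` now lives under `hosts/nixos/x86_64-linux/`, so either `target_arch="x86_64-linux"` as the default or, since this script runs on the machine it rebuilds, deriving it with `target_arch=${target_arch:-$(nix eval --impure --raw --expr builtins.currentSystem)}` keeps the defaults coherent. Whatever value is used should also be restricted to `x86_64-linux`/`aarch64-linux` before the `-18178` hunk passes it to `nixos-generate-config --dir …/hosts/nixos/"$target_arch"/…`, which happily creates a directory the flake will never scan, leaving `nixos-rebuild --flake .#"$target_config"` to build without the freshly generated hardware config. The help text should state the accepted values next to `-a specify target architecture.`.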
@@ -18210,6 +18236,7 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f target_config="hotel" target_hostname="hotel" target_user="swarsel" + target_arch="" persist_dir="" target_disk="/dev/vda" disk_encryption=0 @@ -18227,6 +18254,7 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f echo " Default: /dev/vda" echo " -u specify user to deploy for." echo " Default: swarsel" + echo " -a specify target architecture." echo " -h | --help Print this help." exit 0 } @@ -18265,6 +18293,10 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f shift target_disk=$1 ;; + -a) + shift + target_arch=$1 + ;; -h | --help) help_and_exit ;; ,*) echo "Invalid option detected." @@ -18280,6 +18312,11 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f } trap cleanup exit + if [[ $target_arch == "" || $target_hostname == "" ]]; then + red "error: target_arch or target_hostname not set." + help_and_exit + fi + green "~SwarselSystems~ local installer" cd /home/"$target_user" 
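Review bot: The check added in the `-18280,6 +18312,11` hunk tests `$target_hostname == ""`, which can never be true here because `target_hostname` defaults to `hotel`, so the only effective condition is the empty-`-a` test — and that still admits any string, which is then used to build the `nixos-generate-config --dir` and `git add` paths later in the script. As this is the local installer, the architecture of the machine is known: `target_arch=${target_arch:-$(nix eval --impure --raw --expr builtins.currentSystem)}` before the check gives a correct default that matches the new `hosts/nixos/<arch>/` layout, and rejecting anything other than `x86_64-linux`/`aarch64-linux` prevents a typo from creating an orphan directory the flake never reads. The `cleanup` trap and the rest of the install flow lie outside this hunk.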
@@ -18369,9 +18406,9 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user" green "Generating hardware configuration ..." - sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ + sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/ - git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix + git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/hardware-configuration.nix sudo mkdir -p /root/.local/share/nix/ printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null green "Installing flake $target_config" 
@@ -25451,7 +25488,7 @@ Here lies defined the readme for GitHub and Forgejo: #### Remote deployment (recommended if you have at least one running system) - 0) Fork this repo, and write your own host config at `hosts/nixos//default.nix` (you can use one of the other configurations as a template. Also see https://github.com/Swarsel/.dotfiles/tree/main/modules for a list of all additional options). At the very least, you should replace the `secrets/` directory with your own secrets and replace the SSH public keys with your own ones (otherwise I will come visit you!🔓❤️). I personally recommend to use the literate configuration and `org-babel-tangle-file` in Emacs, but you can also simply edit the separate `.nix` files. + 0) Fork this repo, and write your own host config at `hosts/nixos///default.nix` (you can use one of the other configurations as a template. Also see https://github.com/Swarsel/.dotfiles/tree/main/modules for a list of all additional options). At the very least, you should replace the `secrets/` directory with your own secrets and replace the SSH public keys with your own ones (otherwise I will come visit you!🔓❤️). I personally recommend to use the literate configuration and `org-babel-tangle-file` in Emacs, but you can also simply edit the separate `.nix` files. 1) Have a system with `nix` available booted (this does not need to be installed, i.e. you can use a NixOS installer image; a custom minimal installer ISO can be built by running `just iso` in the root of this repo) 2) Make sure that your Yubikey is plugged in or that you have your SSH key available (and configured) 3) Run `swarsel-bootstrap -n -d ` on your existing system. diff --git a/files/scripts/swarsel-bootstrap.sh b/files/scripts/swarsel-bootstrap.sh index 46ea715..c66b755 100644 --- a/files/scripts/swarsel-bootstrap.sh +++ b/files/scripts/swarsel-bootstrap.sh 
@@ -3,6 +3,7 @@ set -eo pipefail target_hostname="" target_destination="" +target_arch="" target_user="swarsel" ssh_port="22" persist_dir="" @@ -18,6 +19,7 @@ function help_and_exit() { echo "ARGS:" echo " -n specify target_hostname of the target host to deploy the nixos config on." echo " -d specify ip or url to the target host." + echo " -a specify the architecture of the target host." echo " target during install process." echo echo "OPTIONS:" @@ -100,6 +102,10 @@ while [[ $# -gt 0 ]]; do shift target_destination=$1 ;; + -a) + shift + target_arch=$1 + ;; -u) shift target_user=$1 @@ -120,6 +126,11 @@ while [[ $# -gt 0 ]]; do shift done +if [[ $target_arch == "" || $target_destination == "" || $target_hostname == "" ]]; then + red "error: target_arch, target_destination or target_hostname not set." + help_and_exit +fi + green "~SwarselSystems~ remote installer" green "Reading system information for $target_hostname ..." @@ -211,8 +222,8 @@ fi green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" -mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" -$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix +mkdir -p "$FLAKE"/hosts/nixos/"$target_arch"/"$target_hostname" +$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix # ------------------------ green "Deploying minimal NixOS installation on $target_destination" 
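Review bot: The guard in the `-120,6 +126,11` hunk accepts any non-empty `-a` value, and `target_arch` is then used verbatim in the `mkdir -p`/`scp` paths of the `-211` hunk and in the `sops updatekeys` and `git add` calls further down, while the flake only looks under `x86_64-linux` and `aarch64-linux`; a mistyped architecture therefore silently yields a host directory the flake never scans, and nothing tells the operator until the remote install is already done. A narrow allow-list, `if [[ $target_arch != "x86_64-linux" && $target_arch != "aarch64-linux" ]]; then red "error: unsupported target_arch '$target_arch'."; exit 1; fi`, is cheap insurance, and `exit 1` rather than `help_and_exit` (which exits 0) makes the failure visible to a calling shell. This file is the tangled copy of the block in SwarselSystems.org, so the fix belongs there too.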
@@ -277,7 +288,7 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then fi green "Updating all secrets files to reflect updates .sops.yaml" sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml -sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc +sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/pii.nix.enc # -------------------------- green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts @@ -336,10 +347,10 @@ fi green "NixOS was successfully installed!" if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then cd "${git_root}" - deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe - nixpkgs--fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix + deadnix hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix -qe + nixpkgs--fmt hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix (.pre-commit-config.yaml mit run --all-files 2> /dev/null || true) && - git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" && + git add "$git_root/hosts/nixos/$target_arch/$target_hostname/hardware-configuration.nix" && git add "$git_root/.sops.yaml" && git add "$git_root/secrets" && (git commit -m "feat: deployed $target_hostname" || true) && git push diff --git a/files/scripts/swarsel-install.sh b/files/scripts/swarsel-install.sh index c130cc6..537145f 100644 --- a/files/scripts/swarsel-install.sh +++ b/files/scripts/swarsel-install.sh @@ -3,6 +3,7 @@ set -eo pipefail target_config="hotel" target_hostname="hotel" target_user="swarsel" +target_arch="" persist_dir="" target_disk="/dev/vda" disk_encryption=0 
@@ -20,6 +21,7 @@ function help_and_exit() { echo " Default: /dev/vda" echo " -u specify user to deploy for." echo " Default: swarsel" + echo " -a specify target architecture." echo " -h | --help Print this help." exit 0 } @@ -58,6 +60,10 @@ while [[ $# -gt 0 ]]; do shift target_disk=$1 ;; + -a) + shift + target_arch=$1 + ;; -h | --help) help_and_exit ;; *) echo "Invalid option detected." @@ -73,6 +79,11 @@ function cleanup() { } trap cleanup exit +if [[ $target_arch == "" || $target_hostname == "" ]]; then + red "error: target_arch or target_hostname not set." + help_and_exit +fi + green "~SwarselSystems~ local installer" cd /home/"$target_user" @@ -162,9 +173,9 @@ sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user" green "Generating hardware configuration ..." -sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ +sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/ -git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix +git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/hardware-configuration.nix sudo mkdir -p /root/.local/share/nix/ printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null green "Installing flake $target_config" 
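Review bot: The `-73,6 +79,11` hunk makes `-a` required but leaves `target_config="hotel"` as the default, so running the local installer with its documented defaults now fails on the arch check even though `hotel` has a fixed home under `hosts/nixos/x86_64-linux/`; since this script runs on the machine being installed, `target_arch=${target_arch:-$(nix eval --impure --raw --expr builtins.currentSystem)}` is a safe default, and restricting the result to `x86_64-linux`/`aarch64-linux` stops a typo from making `nixos-generate-config --dir` (in the `-162` hunk) write the hardware config into a directory the flake never reads. The `$target_hostname == ""` half of the new condition is dead, as that variable defaults to `hotel`. This file is tangled from SwarselSystems.org, so the org source block needs the same change.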
diff --git a/files/scripts/swarsel-rebuild.sh b/files/scripts/swarsel-rebuild.sh index 106ac84..0a725a1 100644 --- a/files/scripts/swarsel-rebuild.sh +++ b/files/scripts/swarsel-rebuild.sh @@ -1,6 +1,7 @@ set -eo pipefail target_config="hotel" +target_arch="" target_user="swarsel" function help_and_exit() { @@ -10,10 +11,11 @@ function help_and_exit() { echo "USAGE: $0 [OPTIONS]" echo echo "ARGS:" - echo " -n specify nixos config to build." + echo " -n specify nixos config to build." echo " Default: hotel" echo " -u specify user to deploy for." echo " Default: swarsel" + echo " -a specify target architecture." echo " -h | --help Print this help." exit 0 } @@ -43,6 +45,10 @@ while [[ $# -gt 0 ]]; do shift target_config=$1 ;; + -a) + shift + target_arch=$1 + ;; -u) shift target_user=$1 @@ -56,6 +62,11 @@ while [[ $# -gt 0 ]]; do shift done +if [[ $target_arch == "" ]]; then + red "error: target_arch not set." + help_and_exit +fi + cd /home/"$target_user" if [ ! -d /home/"$target_user"/.dotfiles ]; then @@ -83,7 +94,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then rm modules/home/common/mail.nix rm modules/home/common/yubikey.nix rm modules/nixos/server/restic.nix - rm hosts/nixos/milkywell/default.nix + rm hosts/nixos/aarch64-linux/milkywell/default.nix rm -rf modules/nixos/server rm -rf modules/home/server nix flake update vbc-nix 
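Review bot: With the `-56,6 +62,11` hunk, `-a` becomes mandatory while `-n` keeps its `hotel` default, so the script's own "Default: hotel" usage no longer runs without an extra flag; as the rebuild happens on the host itself, defaulting to the running system (`target_arch=${target_arch:-$(nix eval --impure --raw --expr builtins.currentSystem)}`) and then rejecting anything outside `x86_64-linux`/`aarch64-linux` keeps the defaults usable and catches typos before `nixos-generate-config --dir …/hosts/nixos/"$target_arch"/…` creates a directory the flake never scans. The help text for `-a` should list the accepted values. The `nixos-generate-config`/`git add` lines that consume `target_arch` are in the following hunk, and this file is tangled from SwarselSystems.org.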
@@ -91,8 +102,8 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then else green "Valid SSH key found! Continuing with installation" fi -sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ -git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix +sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/ +git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/hardware-configuration.nix green "Installing flake $target_config" sudo nixos-rebuild --show-trace --flake .#"$target_config" boot diff --git a/flake.lock b/flake.lock index b045d34..10b1bfe 100644 --- a/flake.lock +++ b/flake.lock @@ -7815,11 +7815,11 @@ }, "nixpkgs-dev": { "locked": { - "lastModified": 1761589965, - "narHash": "sha256-ZtypYmGwo7wUOo88UKVAdUZCYCpvFM8O0bEmI7+NW5k=", + "lastModified": 1762578095, + "narHash": "sha256-uW5Ff1H/lVvsKcNXtU7COQifqnRQ5i/YTEPGQwundNQ=", "owner": "Swarsel", "repo": "nixpkgs", - "rev": "ed3254fbd834e5bfbf6bc9586d57307a92f1a269", + "rev": "a99a76ccf7bfbb8c5d6129e6ff69413c6db55c1a", "type": "github" }, "original": { diff --git a/hosts/android/magicant/default.nix b/hosts/android/aarch64-linux/magicant/default.nix similarity index 100% rename from hosts/android/magicant/default.nix rename to hosts/android/aarch64-linux/magicant/default.nix diff --git a/hosts/darwin/machpizza/default.nix b/hosts/darwin/x86_64-darwin/machpizza/default.nix similarity index 100% rename from hosts/darwin/machpizza/default.nix rename to hosts/darwin/x86_64-darwin/machpizza/default.nix diff --git a/hosts/darwin/machpizza/secrets/pii.nix.enc b/hosts/darwin/x86_64-darwin/machpizza/secrets/pii.nix.enc similarity index 100% rename from hosts/darwin/machpizza/secrets/pii.nix.enc rename to hosts/darwin/x86_64-darwin/machpizza/secrets/pii.nix.enc 
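Review bot: A wrong or mistyped `-a` value is not caught before `sudo nixos-generate-config --dir .../$target_arch/$target_config/` runs; if that tool creates the missing directory (to be confirmed against the installed version), the script writes a fresh `hardware-configuration.nix` into a host directory that did not exist, `git add`s it, and the following `nixos-rebuild --flake .#$target_config` still evaluates the untouched configuration under the real arch, so the new hardware scan is silently ignored. Checking that the host directory already exists before generating closes that gap: `host_dir=/home/$target_user/.dotfiles/hosts/nixos/$target_arch/$target_config` followed by `[[ -d $host_dir ]] || { red "error: no host '$target_config' for '$target_arch'"; exit 1; }`.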
diff --git a/hosts/home/treehouse/default.nix b/hosts/home/aarch64-linux/treehouse/default.nix
similarity index 100%
rename from hosts/home/treehouse/default.nix
rename to hosts/home/aarch64-linux/treehouse/default.nix
diff --git a/hosts/nixos/milkywell/default.nix b/hosts/nixos/aarch64-linux/milkywell/default.nix
similarity index 100%
rename from hosts/nixos/milkywell/default.nix
rename to hosts/nixos/aarch64-linux/milkywell/default.nix
diff --git a/hosts/nixos/milkywell/disk-config.nix b/hosts/nixos/aarch64-linux/milkywell/disk-config.nix
similarity index 100%
rename from hosts/nixos/milkywell/disk-config.nix
rename to hosts/nixos/aarch64-linux/milkywell/disk-config.nix
diff --git a/hosts/nixos/milkywell/hardware-configuration.nix b/hosts/nixos/aarch64-linux/milkywell/hardware-configuration.nix
similarity index 100%
rename from hosts/nixos/milkywell/hardware-configuration.nix
rename to hosts/nixos/aarch64-linux/milkywell/hardware-configuration.nix
diff --git a/hosts/nixos/milkywell/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/milkywell/secrets/pii.nix.enc
similarity index 100%
rename from hosts/nixos/milkywell/secrets/pii.nix.enc
rename to hosts/nixos/aarch64-linux/milkywell/secrets/pii.nix.enc
diff --git a/hosts/nixos/moonside/default.nix b/hosts/nixos/aarch64-linux/moonside/default.nix
similarity index 100%
rename from hosts/nixos/moonside/default.nix
rename to hosts/nixos/aarch64-linux/moonside/default.nix
diff --git a/hosts/nixos/moonside/disk-config.nix b/hosts/nixos/aarch64-linux/moonside/disk-config.nix
similarity index 100%
rename from hosts/nixos/moonside/disk-config.nix
rename to hosts/nixos/aarch64-linux/moonside/disk-config.nix
diff --git a/hosts/nixos/moonside/hardware-configuration.nix b/hosts/nixos/aarch64-linux/moonside/hardware-configuration.nix
similarity index 100%
rename from hosts/nixos/moonside/hardware-configuration.nix
rename to hosts/nixos/aarch64-linux/moonside/hardware-configuration.nix
diff --git a/hosts/nixos/moonside/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
similarity index 100%
rename from hosts/nixos/moonside/secrets/pii.nix.enc
rename to hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
diff --git a/hosts/nixos/bakery/default.nix b/hosts/nixos/x86_64-linux/bakery/default.nix
similarity index 100%
rename from hosts/nixos/bakery/default.nix
rename to hosts/nixos/x86_64-linux/bakery/default.nix
diff --git a/hosts/nixos/bakery/disk-config.nix b/hosts/nixos/x86_64-linux/bakery/disk-config.nix
similarity index 100%
rename from hosts/nixos/bakery/disk-config.nix
rename to hosts/nixos/x86_64-linux/bakery/disk-config.nix
diff --git a/hosts/nixos/bakery/hardware-configuration.nix b/hosts/nixos/x86_64-linux/bakery/hardware-configuration.nix
similarity index 100%
rename from hosts/nixos/bakery/hardware-configuration.nix
rename to hosts/nixos/x86_64-linux/bakery/hardware-configuration.nix
diff --git a/hosts/nixos/bakery/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/bakery/secrets/pii.nix.enc
similarity index 100%
rename from hosts/nixos/bakery/secrets/pii.nix.enc
rename to hosts/nixos/x86_64-linux/bakery/secrets/pii.nix.enc
diff --git a/hosts/nixos/hotel/default.nix b/hosts/nixos/x86_64-linux/hotel/default.nix
similarity index 100%
rename from hosts/nixos/hotel/default.nix
rename to hosts/nixos/x86_64-linux/hotel/default.nix
diff --git a/hosts/nixos/hotel/disk-config.nix b/hosts/nixos/x86_64-linux/hotel/disk-config.nix
similarity index 100%
rename from hosts/nixos/hotel/disk-config.nix
rename to hosts/nixos/x86_64-linux/hotel/disk-config.nix
diff --git a/hosts/nixos/hotel/hardware-configuration.nix b/hosts/nixos/x86_64-linux/hotel/hardware-configuration.nix
similarity index 100%
rename from hosts/nixos/hotel/hardware-configuration.nix
rename to hosts/nixos/x86_64-linux/hotel/hardware-configuration.nix
diff --git a/hosts/nixos/hotel/options-home.nix b/hosts/nixos/x86_64-linux/hotel/options-home.nix
similarity index 100%
rename from hosts/nixos/hotel/options-home.nix
rename to hosts/nixos/x86_64-linux/hotel/options-home.nix
diff --git a/hosts/nixos/hotel/options.nix b/hosts/nixos/x86_64-linux/hotel/options.nix
similarity index 100%
rename from hosts/nixos/hotel/options.nix
rename to hosts/nixos/x86_64-linux/hotel/options.nix
diff --git a/hosts/nixos/pyramid/default.nix b/hosts/nixos/x86_64-linux/pyramid/default.nix
similarity index 100%
rename from hosts/nixos/pyramid/default.nix
rename to hosts/nixos/x86_64-linux/pyramid/default.nix
diff --git a/hosts/nixos/pyramid/disk-config.nix b/hosts/nixos/x86_64-linux/pyramid/disk-config.nix
similarity index 100%
rename from hosts/nixos/pyramid/disk-config.nix
rename to hosts/nixos/x86_64-linux/pyramid/disk-config.nix
diff --git a/hosts/nixos/pyramid/hardware-configuration.nix b/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix
similarity index 100%
rename from hosts/nixos/pyramid/hardware-configuration.nix
rename to hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix
diff --git a/hosts/nixos/pyramid/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc
similarity index 100%
rename from hosts/nixos/pyramid/secrets/pii.nix.enc
rename to hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc
diff --git a/hosts/nixos/summers/default.nix b/hosts/nixos/x86_64-linux/summers/default.nix
similarity index 100%
rename from hosts/nixos/summers/default.nix
rename to hosts/nixos/x86_64-linux/summers/default.nix
diff --git a/hosts/nixos/summers/disk-config.nix b/hosts/nixos/x86_64-linux/summers/disk-config.nix
similarity index 100%
rename from hosts/nixos/summers/disk-config.nix
rename to hosts/nixos/x86_64-linux/summers/disk-config.nix
diff --git a/hosts/nixos/summers/guests/guest1/default.nix b/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix
similarity index 100%
rename from hosts/nixos/summers/guests/guest1/default.nix
rename to hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix
diff --git a/hosts/nixos/summers/hardware-configuration.nix b/hosts/nixos/x86_64-linux/summers/hardware-configuration.nix
similarity index 100%
rename from hosts/nixos/summers/hardware-configuration.nix
rename to hosts/nixos/x86_64-linux/summers/hardware-configuration.nix
diff --git a/hosts/nixos/summers/secrets/guest1/pii.nix.enc b/hosts/nixos/x86_64-linux/summers/secrets/guest1/pii.nix.enc
similarity index 100%
rename from hosts/nixos/summers/secrets/guest1/pii.nix.enc
rename to hosts/nixos/x86_64-linux/summers/secrets/guest1/pii.nix.enc
diff --git a/hosts/nixos/summers/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc
similarity index 100%
rename from hosts/nixos/summers/secrets/pii.nix.enc
rename to hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc
diff --git a/hosts/nixos/toto/default.nix b/hosts/nixos/x86_64-linux/toto/default.nix
similarity index 100%
rename from hosts/nixos/toto/default.nix
rename to hosts/nixos/x86_64-linux/toto/default.nix
diff --git a/hosts/nixos/toto/disk-config.nix b/hosts/nixos/x86_64-linux/toto/disk-config.nix
similarity index 100%
rename from hosts/nixos/toto/disk-config.nix
rename to hosts/nixos/x86_64-linux/toto/disk-config.nix
diff --git a/hosts/nixos/toto/hardware-configuration.nix b/hosts/nixos/x86_64-linux/toto/hardware-configuration.nix
similarity index 100%
rename from hosts/nixos/toto/hardware-configuration.nix
rename to hosts/nixos/x86_64-linux/toto/hardware-configuration.nix
diff --git a/hosts/nixos/winters/default.nix b/hosts/nixos/x86_64-linux/winters/default.nix
similarity index 100%
rename from hosts/nixos/winters/default.nix
rename to hosts/nixos/x86_64-linux/winters/default.nix
diff --git a/hosts/nixos/winters/hardware-configuration.nix b/hosts/nixos/x86_64-linux/winters/hardware-configuration.nix similarity index 100% rename from hosts/nixos/winters/hardware-configuration.nix rename to hosts/nixos/x86_64-linux/winters/hardware-configuration.nix diff --git a/hosts/nixos/winters/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc similarity index 100% rename from hosts/nixos/winters/secrets/pii.nix.enc rename to hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc diff --git a/nix/hosts.nix b/nix/hosts.nix index 945182d..2c99f41 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix @@ -6,24 +6,11 @@ inherit (outputs) lib homeLib; # lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; }); - mkNixosHost = { minimal }: configName: - let - sys = "x86_64-linux"; - # lib = config.pkgsPre.${sys}.lib // { - # inherit (inputs.home-manager.lib) hm; - # swarselsystems = self.outputs.swarselsystemsLib; - # }; - - # lib = config.pkgsPre.${sys}.lib // { - # inherit (inputs.home-manager.lib) hm; - # swarselsystems = self.outputs.swarselsystemsLib; - # }; - inherit (config.pkgs.${sys}) lib; - in + mkNixosHost = { minimal }: configName: arch: inputs.nixpkgs.lib.nixosSystem { specialArgs = { - inherit inputs outputs self minimal configName; - inherit lib homeLib; + inherit inputs outputs self minimal configName homeLib; + inherit (config.pkgs.${arch}) lib; inherit (config) globals nodes; }; modules = [ @@ -41,7 +28,7 @@ inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm (inputs.nixos-extra-modules + "/modules/guests") - "${self}/hosts/nixos/${configName}" + "${self}/hosts/nixos/${arch}/${configName}" "${self}/profiles/nixos" "${self}/modules/nixos" { 
@@ -50,7 +37,7 @@ node = { name = lib.mkForce configName; - secretsDir = ../hosts/nixos/${configName}/secrets; + secretsDir = ../hosts/nixos/${arch}/${configName}/secrets; }; swarselprofiles = { @@ -68,7 +55,7 @@ ]; }; - mkDarwinHost = { minimal }: configName: + mkDarwinHost = { minimal }: configName: arch: inputs.nix-darwin.lib.darwinSystem { specialArgs = { inherit inputs lib outputs self minimal configName; 
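Review bot: `mkDarwinHost` now receives `arch` but its `specialArgs` still passes the flake-level `lib` (`inherit inputs lib outputs self minimal configName;`), whereas `mkNixosHost` in the hunk above switched to `inherit (config.pkgs.${arch}) lib;`. If the per-system `lib` carries extensions the host modules rely on, the darwin side should mirror that line; if the difference is deliberate, a one-line comment such as `# darwin hosts use the flake lib; config.pkgs has no darwin entries` would save the next reader the comparison. The body of `mkDarwinHost` continues past the end of this hunk.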
@@ -82,75 +69,92 @@ # inputs.fw-fanctrl.nixosModules.default # inputs.nix-topology.nixosModules.default inputs.home-manager.darwinModules.home-manager - "${self}/hosts/darwin/${configName}" + "${self}/hosts/darwin/${arch}/${configName}" "${self}/modules/nixos/darwin" # needed for infrastructure "${self}/modules/nixos/common/meta.nix" "${self}/modules/nixos/common/globals.nix" { node.name = lib.mkForce configName; - node.secretsDir = ../hosts/darwin/${configName}/secrets; + node.secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; } ]; }; - mkHalfHost = configName: type: pkgs: { - ${configName} = - let - systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; - in - systemFunc - { - inherit pkgs; - extraSpecialArgs = { - inherit inputs lib outputs self configName; - inherit (config) globals nodes; - minimal = false; - }; - modules = [ - inputs.stylix.homeModules.stylix - inputs.niri-flake.homeModules.niri - inputs.nix-index-database.homeModules.nix-index - # inputs.sops-nix.homeManagerModules.sops - inputs.spicetify-nix.homeManagerModules.default - inputs.swarsel-nix.homeModules.default - "${self}/hosts/${type}/${configName}" - "${self}/profiles/home" - ]; - }; - }; + mkHalfHost = configName: type: arch: + let + systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; + pkgs = lib.swarselsystems.pkgsFor.${arch}; + in + systemFunc { + inherit pkgs; + extraSpecialArgs = { + inherit inputs lib outputs self configName; + inherit (config) globals nodes; + minimal = false; + }; + modules = [ + inputs.stylix.homeModules.stylix + inputs.niri-flake.homeModules.niri + inputs.nix-index-database.homeModules.nix-index + # inputs.sops-nix.homeManagerModules.sops + inputs.spicetify-nix.homeManagerModules.default + inputs.swarsel-nix.homeModules.default + "${self}/hosts/${type}/${arch}/${configName}" + 
"${self}/profiles/home" + ]; + }; + + linuxArches = [ "x86_64-linux" "aarch64-linux" ]; + darwinArches = [ "x86_64-darwin" "aarch64-darwin" ]; + mkArches = type: if (type == "nixos") then linuxArches else if (type == "darwin") then darwinArches else linuxArches ++ darwinArches; + + readHostDirs = hostDir: + if builtins.pathExists hostDir then + builtins.attrNames + ( + lib.filterAttrs (_: type: type == "directory") + (builtins.readDir hostDir) + ) else [ ]; + + mkHalfHostsForArch = type: arch: + let + hostDir = "${self}/hosts/${type}/${arch}"; + hosts = readHostDirs hostDir; + in + lib.genAttrs hosts (host: mkHalfHost host type arch); + + mkHostsForArch = type: arch: minimal: + let + hostDir = "${self}/hosts/${type}/${arch}"; + hosts = readHostDirs hostDir; + in + if (type == "nixos") then + lib.genAttrs hosts (host: mkNixosHost { inherit minimal; } host arch) + else if (type == "darwin") then + lib.genAttrs hosts (host: mkDarwinHost { inherit minimal; } host arch) + else { }; + + mkConfigurationsPerArch = type: minimal: + let + arches = mkArches type; + toMake = if (minimal == null) then (arch: _: mkHalfHostsForArch type arch) else (arch: _: mkHostsForArch type arch minimal); + in + lib.concatMapAttrs toMake + (lib.listToAttrs (map (a: { name = a; value = { }; }) arches)); + + halfConfigurationsPerArch = type: mkConfigurationsPerArch type null; + configurationsPerArch = type: minimal: mkConfigurationsPerArch type minimal; - mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (name: mkHalfHost name type pkgs) hosts); - nixosHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/nixos")); - darwinHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/darwin")); in { - nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { - minimal = false; - }); - nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { - 
minimal = true; - }); - darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = false; - }); - darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = true; - }); - - homeConfigurations = - let - inherit (lib.swarselsystems) pkgsFor readHosts; - in - mkHalfHostConfigs (readHosts "home") "home" pkgsFor.x86_64-linux - // mkHalfHostConfigs (readHosts "home") "home" pkgsFor.aarch64-linux; - - nixOnDroidConfigurations = - let - inherit (lib.swarselsystems) pkgsFor readHosts; - in - mkHalfHostConfigs (readHosts "android") "android" pkgsFor.aarch64-linux; + nixosConfigurations = configurationsPerArch "nixos" false; + nixosConfigurationsMinimal = configurationsPerArch "nixos" true; + darwinConfigurations = configurationsPerArch "darwin" false; + darwinConfigurationsMinimal = configurationsPerArch "darwin" true; + homeConfigurations = halfConfigurationsPerArch "home"; + nixOnDroidConfigurations = halfConfigurationsPerArch "android"; guestConfigurations = lib.flip lib.concatMapAttrs config.nixosConfigurations ( _: node: From e1569ba472bcfed269c7be04bec880b63c1b8544 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?= Date: Mon, 10 Nov 2025 01:23:50 +0100 Subject: [PATCH 3/5] fix: bootstrap script not working with nix-plugins --- SwarselSystems.org | 244 ++++++++++++++++------------- files/scripts/swarsel-bootstrap.sh | 1 + justfile | 10 +- modules/nixos/common/pii.nix | 4 +- nix/devshell.nix | 238 +++++++++++++++------------- 5 files changed, 279 insertions(+), 218 deletions(-) diff --git a/SwarselSystems.org b/SwarselSystems.org index dbfb7e7..48bf906 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
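Review bot: `mkConfigurationsPerArch` merges the per-arch host sets with `lib.concatMapAttrs`, which is an attrset merge, so a host name present under two arch directories (say `hosts/home/x86_64-linux/foo` and `hosts/home/aarch64-linux/foo`) silently resolves to one of them with no error; the previous `homeConfigurations` had the same overwrite via `//`, but the new layout makes the collision more likely and just as invisible. Using `lib.zipAttrsWith` exposes every definition of a name, so a duplicate can be turned into a clear evaluation failure instead. While there, `lib.listToAttrs (map (a: { name = a; value = { }; }) arches)` is `lib.genAttrs arches (_: { })` and disappears entirely with the rewrite below.
```nix
mkConfigurationsPerArch = type: minimal:
  let
    arches = mkArches type;
    forArch = arch: if (minimal == null) then mkHalfHostsForArch type arch else mkHostsForArch type arch minimal;
    # zipAttrsWith hands over every arch that defines a host name, so a
    # duplicate cannot be overwritten silently the way an attrset merge does.
    pickUnique = host: defs:
      assert lib.assertMsg (lib.length defs == 1) "host '${host}' is defined under more than one ${type} arch";
      lib.head defs;
  in
  lib.zipAttrsWith pickUnique (map forArch arches);
# … unchanged: halfConfigurationsPerArch / configurationsPerArch …
```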
@@ -1340,110 +1340,141 @@ Lastly, in the =perSystem= attribute set, we see that it is actually passed some }; }; - devshells.default = let - nix-version = "2_30"; - in { - packages = [ - (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.nixVersions."nix_${nix-version}") - pkgs.git - pkgs.just - pkgs.age - pkgs.ssh-to-age - pkgs.sops - pkgs.nixpkgs-fmt - self.packages.${system}.swarsel-build - self.packages.${system}.swarsel-deploy - (pkgs.symlinkJoin { - name = "home-manager"; - buildInputs = [ pkgs.makeWrapper ]; - paths = [ pkgs.home-manager ]; - postBuild = '' - wrapProgram $out/bin/home-manager \ - --append-flags '--flake .#$(hostname)' - ''; - }) - ]; + devshells = { + deploy = + let + nix-version = "2_28"; + in { + packages = [ + (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.stable25_05.nixVersions."nix_${nix-version}") + pkgs.git + pkgs.just + pkgs.age + pkgs.ssh-to-age + pkgs.sops + ]; - commands = [ + env = + [ + { + name = "NIX_CONFIG"; + value = '' + plugin-files = ${pkgs.stable25_05.nix-plugins.overrideAttrs (o: { + buildInputs = [pkgs.stable25_05.nixVersions."nix_${nix-version}" pkgs.stable25_05.boost]; + patches = (o.patches or []) ++ [./nix-plugins.patch]; + })}/lib/nix/plugins + extra-builtins-file = ${self + /nix/extra-builtins.nix} + ''; + } + ]; + }; + default = + let + nix-version = "2_30"; + in { - package = pkgs.statix; - help = "Lint flake"; - } - { - package = pkgs.deadnix; - help = "Check flake for dead code"; - } - { - package = pkgs.nix-tree; - help = "Interactively browse dependency graphs of Nix derivations"; - } - { - package = pkgs.nvd; - help = "Diff two nix toplevels and show which packages were upgraded"; - } - { - package = pkgs.nix-diff; - help = "Explain why two Nix derivations differ"; - } - { - package = pkgs.nix-output-monitor; - help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)"; - name = "nom \"$@\""; - } - { - name = "hm"; - help = "Manage home-manager config"; - command 
= "home-manager \"$@\""; - } - { - name = "fmt"; - help = "Format flake"; - command = "nixpkgs-fmt --check \"$FLAKE\""; - } - { - name = "sd"; - help = "Build and deploy this nix config to nodes"; - command = "swarsel-deploy \"$@\""; - } - { - name = "sl"; - help = "Build and deploy a config to nodes"; - command = "swarsel-deploy \${1} switch"; - } - { - name = "sw"; - help = "Build and switch to the host's config locally"; - command = "swarsel-deploy $(hostname) switch"; - } - { - name = "bld"; - help = "Build a number of configurations"; - command = "swarsel-build \"$@\""; - } - { - name = "c"; - help = "Work with the flake git repository"; - command = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/ \"$@\""; - } - ]; + packages = [ + (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.nixVersions."nix_${nix-version}") + pkgs.git + pkgs.just + pkgs.age + pkgs.ssh-to-age + pkgs.sops + pkgs.nixpkgs-fmt + self.packages.${system}.swarsel-build + self.packages.${system}.swarsel-deploy + (pkgs.symlinkJoin { + name = "home-manager"; + buildInputs = [ pkgs.makeWrapper ]; + paths = [ pkgs.home-manager ]; + postBuild = '' + wrapProgram $out/bin/home-manager \ + --append-flags '--flake .#$(hostname)' + ''; + }) + ]; - devshell.startup.pre-commit-install.text = "pre-commit install"; + commands = [ + { + package = pkgs.statix; + help = "Lint flake"; + } + { + package = pkgs.deadnix; + help = "Check flake for dead code"; + } + { + package = pkgs.nix-tree; + help = "Interactively browse dependency graphs of Nix derivations"; + } + { + package = pkgs.nvd; + help = "Diff two nix toplevels and show which packages were upgraded"; + } + { + package = pkgs.nix-diff; + help = "Explain why two Nix derivations differ"; + } + { + package = pkgs.nix-output-monitor; + help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)"; + name = "nom \"$@\""; + } + { + name = "hm"; + help = "Manage home-manager config"; + command = "home-manager \"$@\""; + } + { + name 
= "fmt"; + help = "Format flake"; + command = "nixpkgs-fmt --check \"$FLAKE\""; + } + { + name = "sd"; + help = "Build and deploy this nix config to nodes"; + command = "swarsel-deploy \"$@\""; + } + { + name = "sl"; + help = "Build and deploy a config to nodes"; + command = "swarsel-deploy \${1} switch"; + } + { + name = "sw"; + help = "Build and switch to the host's config locally"; + command = "swarsel-deploy $(hostname) switch"; + } + { + name = "bld"; + help = "Build a number of configurations"; + command = "swarsel-build \"$@\""; + } + { + name = "c"; + help = "Work with the flake git repository"; + command = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/ \"$@\""; + } + ]; - env = let - nix-plugins = pkgs.nix-plugins.override { - nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; + devshell.startup.pre-commit-install.text = "pre-commit install"; + + env = + let + nix-plugins = pkgs.nix-plugins.override { + nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; + }; + in + [ + { + name = "NIX_CONFIG"; + value = '' + plugin-files = ${nix-plugins}/lib/nix/plugins + extra-builtins-file = ${self + /nix/extra-builtins.nix} + ''; + } + ]; }; - in [ - { - # Additionally configure nix-plugins with our extra builtins file. - # We need this for our repo secrets. - name = "NIX_CONFIG"; - value = '' - plugin-files = ${nix-plugins}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} - ''; - } - ]; }; }; } @@ -4801,7 +4832,7 @@ This is also exposed to home-manager configurations, in case this ever breaks, I #+begin_src nix-ts :tangle modules/nixos/common/pii.nix # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix - { config, inputs, lib, minimal, ... }: + { config, inputs, lib, ... }: let # If the given expression is a bare set, it will be wrapped in a function, # so that the imported file can always be applied to the inputs, similar to 
@@ -4867,7 +4898,7 @@ This is also exposed to home-manager configurations, in case this ever breaks, I let local = config.node.secretsDir + "/pii.nix.enc"; in - (lib.optionalAttrs (lib.pathExists local && !minimal) { inherit local; }) // lib.optionalAttrs (!minimal) { + (lib.optionalAttrs (lib.pathExists local) { inherit local; }) // lib.optionalAttrs true { common = ../../../secrets/repo/pii.nix.enc; }; }; @@ -17904,6 +17935,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man fi cd "$FLAKE" + rm install/flake.lock || true git_root=$(git rev-parse --show-toplevel) # ------------------------ @@ -23872,12 +23904,9 @@ This file defines a few workflows that I often need to run when working on my co update: nix flake update - iso: + iso CONFIG="live-iso": rm -rf result - nix build .#nixosConfigurations.iso.config.system.build.isoImage && ln -sf result/iso/*.iso latest.iso - - iso-flake FLAKE SYSTEM="x86_64" FORMAT="iso": - nixos-generate --flake .#{{FLAKE}} -f {{FORMAT}} --system {{SYSTEM}} + nix build --print-out-paths .#live-iso iso-install DRIVE: iso sudo dd if=$(eza --sort changed result/iso/*.iso | tail -n1) of={{DRIVE}} bs=4M status=progress oflag=sync @@ -23888,6 +23917,9 @@ This file defines a few workflows that I often need to run when working on my co sync USER HOST: rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/ + bootstrap DEST CONFIG ARCH="x86_64-linux": + nix develop .#deploy --command zsh -c "swarsel-bootstrap -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}" + #+end_src ** aspell.conf :PROPERTIES: diff --git a/files/scripts/swarsel-bootstrap.sh b/files/scripts/swarsel-bootstrap.sh index c66b755..7f53755 100644 --- a/files/scripts/swarsel-bootstrap.sh +++ b/files/scripts/swarsel-bootstrap.sh @@ -185,6 +185,7 @@ if [ ! -d "$FLAKE" ]; then fi cd "$FLAKE" + rm install/flake.lock || true git_root=$(git rev-parse --show-toplevel) # ------------------------ 
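Review bot: `rm install/flake.lock || true` throws away the pinned inputs of the installer flake on every bootstrap, so whatever `nix` resolves them to afterwards is fetched unpinned at run time; from a supply-chain standpoint that lock is the only thing fixing those inputs by hash, and the resulting installer can differ from the one that was tested. If the lock is deleted because the pinned nix 2.28 cannot read its format (the commit subject hints at a nix-plugins/version problem, but that is inferred), committing a lock that 2.28 accepts keeps the pin; if the deletion has to stay, `rm -f install/flake.lock` ignores only a missing file rather than every failure the `|| true` now hides, such as a permission error that would leave a stale lock in place. A comment on that line naming the reason for the removal would also stop it from being "fixed" back later. The enclosing block of the bootstrap script continues outside this hunk.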
diff --git a/justfile b/justfile index f2f9f7f..b13d397 100644 --- a/justfile +++ b/justfile @@ -10,12 +10,9 @@ check-trace: update: nix flake update -iso: +iso CONFIG="live-iso": rm -rf result - nix build .#nixosConfigurations.iso.config.system.build.isoImage && ln -sf result/iso/*.iso latest.iso - -iso-flake FLAKE SYSTEM="x86_64" FORMAT="iso": - nixos-generate --flake .#{{FLAKE}} -f {{FORMAT}} --system {{SYSTEM}} + nix build --print-out-paths .#live-iso iso-install DRIVE: iso sudo dd if=$(eza --sort changed result/iso/*.iso | tail -n1) of={{DRIVE}} bs=4M status=progress oflag=sync @@ -25,3 +22,6 @@ dd DRIVE ISO: sync USER HOST: rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/ + +bootstrap DEST CONFIG ARCH="x86_64-linux": + nix develop .#deploy --command zsh -c "swarsel-bootstrap -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}" diff --git a/modules/nixos/common/pii.nix b/modules/nixos/common/pii.nix index 26b31d0..b39de85 100644 --- a/modules/nixos/common/pii.nix +++ b/modules/nixos/common/pii.nix @@ -1,5 +1,5 @@ # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix -{ config, inputs, lib, minimal, ... }: +{ config, inputs, lib, ... }: let # If the given expression is a bare set, it will be wrapped in a function, # so that the imported file can always be applied to the inputs, similar to @@ -65,7 +65,7 @@ in let local = config.node.secretsDir + "/pii.nix.enc"; in - (lib.optionalAttrs (lib.pathExists local && !minimal) { inherit local; }) // lib.optionalAttrs (!minimal) { + (lib.optionalAttrs (lib.pathExists local) { inherit local; }) // lib.optionalAttrs true { common = ../../../secrets/repo/pii.nix.enc; }; }; diff --git a/nix/devshell.nix b/nix/devshell.nix index 2969bcf..a1ce6f6 100644 --- a/nix/devshell.nix +++ b/nix/devshell.nix 
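Review bot: The `iso CONFIG="live-iso"` recipe declares a `CONFIG` parameter but its body still builds the fixed `.#live-iso`, so `just iso other` silently ignores the argument; the build line should read `nix build --print-out-paths .#{{CONFIG}}`. The new `bootstrap` recipe interpolates `DEST`, `CONFIG` and `ARCH` into a `zsh -c "..."` string unquoted, so an argument containing a space or shell metacharacter is re-parsed by that inner shell; `nix develop .#deploy --command swarsel-bootstrap -n '{{CONFIG}}' -d '{{DEST}}' -a '{{ARCH}}'` removes the extra shell layer and quotes what remains.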
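Review bot: `lib.optionalAttrs true { common = ...; }` is the residue of the removed `minimal` guard and now always yields its argument; `// { common = ../../../secrets/repo/pii.nix.enc; }` says the same without the dead conditional. The more important effect is behavioural: minimal builds previously skipped both the per-host and the repo-wide encrypted PII files, and after this change every evaluation, minimal ones included, goes through the secret-loading path for `pii.nix.enc`, so a minimal build now needs whatever decryption setup that path requires where it did not before. If widening that is intended, a one-line comment such as `# minimal builds load the encrypted PII too; the minimal flag no longer gates secrets` would keep the next reader from restoring the guard. The surrounding `let` block starts and ends outside this hunk.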
@@ -46,114 +46,142 @@ }; }; - devshells.default = - let - nix-version = "2_30"; - in - { - packages = [ - (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.nixVersions."nix_${nix-version}") - pkgs.git - pkgs.just - pkgs.age - pkgs.ssh-to-age - pkgs.sops - pkgs.nixpkgs-fmt - self.packages.${system}.swarsel-build - self.packages.${system}.swarsel-deploy - (pkgs.symlinkJoin { - name = "home-manager"; - buildInputs = [ pkgs.makeWrapper ]; - paths = [ pkgs.home-manager ]; - postBuild = '' - wrapProgram $out/bin/home-manager \ - --append-flags '--flake .#$(hostname)' - ''; - }) - ]; + devshells = { + deploy = + let + nix-version = "2_28"; + in + { + packages = [ + (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.stable25_05.nixVersions."nix_${nix-version}") + pkgs.git + pkgs.just + pkgs.age + pkgs.ssh-to-age + pkgs.sops + ]; - commands = [ - { - package = pkgs.statix; - help = "Lint flake"; - } - { - package = pkgs.deadnix; - help = "Check flake for dead code"; - } - { - package = pkgs.nix-tree; - help = "Interactively browse dependency graphs of Nix derivations"; - } - { - package = pkgs.nvd; - help = "Diff two nix toplevels and show which packages were upgraded"; - } - { - package = pkgs.nix-diff; - help = "Explain why two Nix derivations differ"; - } - { - package = pkgs.nix-output-monitor; - help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)"; - name = "nom \"$@\""; - } - { - name = "hm"; - help = "Manage home-manager config"; - command = "home-manager \"$@\""; - } - { - name = "fmt"; - help = "Format flake"; - command = "nixpkgs-fmt --check \"$FLAKE\""; - } - { - name = "sd"; - help = "Build and deploy this nix config to nodes"; - command = "swarsel-deploy \"$@\""; - } - { - name = "sl"; - help = "Build and deploy a config to nodes"; - command = "swarsel-deploy \${1} switch"; - } - { - name = "sw"; - help = "Build and switch to the host's config locally"; - command = "swarsel-deploy $(hostname) switch"; - } - { - name 
= "bld"; - help = "Build a number of configurations"; - command = "swarsel-build \"$@\""; - } - { - name = "c"; - help = "Work with the flake git repository"; - command = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/ \"$@\""; - } - ]; - - devshell.startup.pre-commit-install.text = "pre-commit install"; - - env = - let - nix-plugins = pkgs.nix-plugins.override { - nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; - }; - in - [ - { - # Additionally configure nix-plugins with our extra builtins file. - # We need this for our repo secrets. - name = "NIX_CONFIG"; - value = '' - plugin-files = ${nix-plugins}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} + env = + [ + { + name = "NIX_CONFIG"; + value = '' + plugin-files = ${pkgs.stable25_05.nix-plugins.overrideAttrs (o: { + buildInputs = [pkgs.stable25_05.nixVersions."nix_${nix-version}" pkgs.stable25_05.boost]; + patches = (o.patches or []) ++ [./nix-plugins.patch]; + })}/lib/nix/plugins + extra-builtins-file = ${self + /nix/extra-builtins.nix} + ''; + } + ]; + }; + default = + let + nix-version = "2_30"; + in + { + packages = [ + (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.nixVersions."nix_${nix-version}") + pkgs.git + pkgs.just + pkgs.age + pkgs.ssh-to-age + pkgs.sops + pkgs.nixpkgs-fmt + self.packages.${system}.swarsel-build + self.packages.${system}.swarsel-deploy + (pkgs.symlinkJoin { + name = "home-manager"; + buildInputs = [ pkgs.makeWrapper ]; + paths = [ pkgs.home-manager ]; + postBuild = '' + wrapProgram $out/bin/home-manager \ + --append-flags '--flake .#$(hostname)' ''; + }) + ]; + + commands = [ + { + package = pkgs.statix; + help = "Lint flake"; + } + { + package = pkgs.deadnix; + help = "Check flake for dead code"; + } + { + package = pkgs.nix-tree; + help = "Interactively browse dependency graphs of Nix derivations"; + } + { + package = pkgs.nvd; + help = "Diff two nix toplevels and show which packages were upgraded"; + } + { + package = 
pkgs.nix-diff; + help = "Explain why two Nix derivations differ"; + } + { + package = pkgs.nix-output-monitor; + help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)"; + name = "nom \"$@\""; + } + { + name = "hm"; + help = "Manage home-manager config"; + command = "home-manager \"$@\""; + } + { + name = "fmt"; + help = "Format flake"; + command = "nixpkgs-fmt --check \"$FLAKE\""; + } + { + name = "sd"; + help = "Build and deploy this nix config to nodes"; + command = "swarsel-deploy \"$@\""; + } + { + name = "sl"; + help = "Build and deploy a config to nodes"; + command = "swarsel-deploy \${1} switch"; + } + { + name = "sw"; + help = "Build and switch to the host's config locally"; + command = "swarsel-deploy $(hostname) switch"; + } + { + name = "bld"; + help = "Build a number of configurations"; + command = "swarsel-build \"$@\""; + } + { + name = "c"; + help = "Work with the flake git repository"; + command = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/ \"$@\""; } ]; - }; + + devshell.startup.pre-commit-install.text = "pre-commit install"; + + env = + let + nix-plugins = pkgs.nix-plugins.override { + nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; + }; + in + [ + { + name = "NIX_CONFIG"; + value = '' + plugin-files = ${nix-plugins}/lib/nix/plugins + extra-builtins-file = ${self + /nix/extra-builtins.nix} + ''; + } + ]; + }; + }; }; } From 30a97098af80acbf9adc2d6be3e7f456d5a2968b Mon Sep 17 00:00:00 2001 
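Review bot: The `deploy` shell references `./nix-plugins.patch` relative to nix/devshell.nix, but no such file is added by this commit (the diffstat lists five files, none of them a patch), so unless `nix/nix-plugins.patch` already exists in the tree, `nix develop .#deploy` fails at evaluation. The `overrideAttrs` also assigns `buildInputs` outright instead of extending it, `buildInputs = (o.buildInputs or [ ]) ++ [ pkgs.stable25_05.nixVersions."nix_${nix-version}" pkgs.stable25_05.boost ];`, which drops whatever the stock nix-plugins derivation lists beyond those two — worth confirming against the 25.05 package before relying on it. Because `NIX_CONFIG` here loads a locally patched plugin and an `extra-builtins-file` into every `nix` invocation in the shell, the new block deserves the explanatory comment the old default shell carried (`# Additionally configure nix-plugins with our extra builtins file. We need this for our repo secrets.`), extended with what the patch changes and why nix 2.28 is pinned, so anyone auditing what code runs inside the evaluator does not have to reverse it.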
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?= Date: Mon, 10 Nov 2025 01:28:25 +0100 Subject: [PATCH 4/5] feat[server]: preparations for router config --- SwarselSystems.org | 388 ++++++++++++++++++++++--- files/scripts/swarsel-bootstrap.sh | 4 + install/installer-config.nix | 36 +-- modules/nixos/common/globals.nix | 121 +++++++- modules/nixos/server/ankisync.nix | 2 +- modules/nixos/server/atuin.nix | 2 +- modules/nixos/server/disk-encrypt.nix | 34 +++ modules/nixos/server/firefly-iii.nix | 2 +- modules/nixos/server/forgejo.nix | 2 +- modules/nixos/server/freshrss.nix | 2 +- modules/nixos/server/garage.nix | 2 +- modules/nixos/server/homebox.nix | 2 +- modules/nixos/server/immich.nix | 2 +- modules/nixos/server/jellyfin.nix | 2 +- modules/nixos/server/jenkins.nix | 2 +- modules/nixos/server/kanidm.nix | 2 +- modules/nixos/server/kavita.nix | 2 +- modules/nixos/server/koillection.nix | 2 +- modules/nixos/server/matrix.nix | 2 +- modules/nixos/server/monitoring.nix | 2 +- modules/nixos/server/navidrome.nix | 2 +- modules/nixos/server/network.nix | 26 ++ modules/nixos/server/nextcloud.nix | 2 +- modules/nixos/server/paperless.nix | 2 +- modules/nixos/server/radicale.nix | 2 +- modules/nixos/server/snipe-it.nix | 2 +- modules/nixos/server/syncthing.nix | 2 +- nix/lib.nix | 16 + profiles/nixos/localserver/default.nix | 2 + profiles/nixos/minimal/default.nix | 1 + secrets/repo/globals.nix.enc | 8 +- 31 files changed, 586 insertions(+), 92 deletions(-) create mode 100644 modules/nixos/server/disk-encrypt.nix create mode 100644 modules/nixos/server/network.nix diff --git a/SwarselSystems.org b/SwarselSystems.org index 48bf906..870a41c 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
@@ -689,6 +689,22 @@ Concerning the =flake = _:= part: inherit (inputs.nixpkgs) lib; in rec { + cidrToSubnetMask = cidr: + let + prefixLength = lib.toInt (lib.last (lib.splitString "/" cidr)); + bits = lib.genList (i: if i < prefixLength then 1 else 0) 32; + octets = lib.genList + (i: + let + octetBits = lib.sublist (i * 8) 8 bits; + octetValue = lib.foldl (acc: bit: acc * 2 + bit) 0 octetBits; + in + octetValue + ) 4; + subnetMask = lib.concatStringsSep "." (map toString octets); + in + subnetMask; + mkIfElseList = p: yes: no: lib.mkMerge [ (lib.mkIf p yes) (lib.mkIf (!p) no) @@ -2533,7 +2549,11 @@ This is my main server that I run at home. It handles most tasks that require bi loader.efi.canTouchEfiVariables = true; }; - globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; + # globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; + # globals.networks.home.hosts.${config.node.name} = { + # ipv4 = config.repo.secrets.local.home-ipv4; + # mac = config.repo.secrets.local.home-mac; + # }; networking = { inherit (config.repo.secrets.local) hostId; @@ -2673,8 +2693,6 @@ This is my main server that I run at home. It handles most tasks that require bi loader.efi.canTouchEfiVariables = true; }; - # globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; - networking = { inherit (config.repo.secrets.local) hostId; hostName = configName; 
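Review bot: `cidrToSubnetMask` in the `@@ -689` hunk accepts any prefix length: a value above 32 silently produces `255.255.255.255`, and a string without a `/` is handed whole to `lib.toInt`, which aborts evaluation with a message that never names the offending network. Because the result is later interpolated verbatim into the initrd `ip=` kernel parameter (see the `disk-encrypt` module further down in this patch), an early check after the `prefixLength` binding, `assert lib.assertMsg (prefixLength >= 0 && prefixLength <= 32) "cidrToSubnetMask: invalid prefix length in ${cidr}";`, turns a confusing boot-time or eval-time failure into a direct one. The `bits`/`octets` construction itself is correct for prefixes 0..32.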
@@ -3837,36 +3855,32 @@ TODO: cleanup this mess { self, config, pkgs, lib, ... }: let pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh"; - in - { - - config = { - home-manager.users.root.home = { - stateVersion = "23.05"; - file = { + stateVersion = lib.mkDefault "23.05"; + homeFiles = { ".bash_history" = { text = '' swarsel-install -n hotel ''; }; }; + in + { + + config = { + home-manager.users.root.home = { + inherit stateVersion; + file = homeFiles; }; home-manager.users.swarsel = { home = { username = "swarsel"; homeDirectory = lib.mkDefault "/home/swarsel"; - stateVersion = lib.mkDefault "23.05"; + inherit stateVersion; keyboard.layout = "us"; sessionVariables = { FLAKE = "/home/swarsel/.dotfiles"; }; - file = { - ".bash_history" = { - text = '' - swarsel-install -n hotel - ''; - }; - }; + file = homeFiles; }; }; @@ -3884,10 +3898,6 @@ TODO: cleanup this mess nix = { channel.enable = false; package = pkgs.nixVersions.nix_2_28; - # extraOptions = '' - # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins - # extra-builtins-file = ${../nix/extra-builtins.nix} - # ''; extraOptions = '' plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { buildInputs = [config.nix.package pkgs.boost]; @@ -3939,6 +3949,7 @@ TODO: cleanup this mess environment.etc."issue".text = '' ~SwarselSystems~ IP of primary interface: \4 + These IPs were also found: \4{eth0} \4{eth1} \4{eth2} \4{eth3} \4{wlan0} The Password for all users & root is 'setup'. Install the system remotely by running 'bootstrap -n -d ' on a machine with deployed secrets. Alternatively, run 'swarsel-install -n ' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access). @@ -3949,6 +3960,7 @@ TODO: cleanup this mess wireless.enable = false; # dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload"; networkmanager.enable = true; + usePredictableInterfaceNames = false; }; services.getty.autologinUser = lib.mkForce "root"; 
@@ -3975,6 +3987,8 @@ TODO: cleanup this mess programs.bash.shellAliases = { "swarsel-install" = "nix run github:Swarsel/.dotfiles#swarsel-install --"; + "swarsel-net-manufacturer" = "lspci -nn | grep -i 'network\|ethernet'"; + "swarsel-kernel-module" = "lspci -k -d"; }; system.activationScripts.cache = { 
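Review bot: The `swarsel-net-manufacturer` alias in the `@@ -3975` hunk will never match anything: inside a Nix double-quoted string `\|` is an escape that yields a bare `|`, so the alias that reaches bash is `lspci -nn | grep -i 'network|ethernet'`, and in basic `grep` that `|` is a literal character. Either double the backslash, `"lspci -nn | grep -i 'network\\|ethernet'"`, or drop the escape and use `grep -iE 'network|ethernet'`. The identical alias text is added again in the `@@ -139,6 +133,8 @@` hunk further down (the tangled installer config), so both places need the fix. The `swarsel-kernel-module` alias ends in `-d` and is presumably meant to be completed with a vendor id by the user; a short comment saying so would save the next reader a trip to the org prose.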
@@ -4363,6 +4377,91 @@ in mkOption types ; + + networkOptions = netSubmod: { + cidrv4 = mkOption { + type = types.nullOr types.net.cidrv4; + description = "The CIDRv4 of this network"; + default = null; + }; + + subnetMask4 = mkOption { + type = types.nullOr types.net.cidrv4; + description = "The dotted decimal form of the subnet mask of this network"; + readOnly = true; + default = lib.swarselsystems.cidrToSubnetMask netSubmod.cidrv4; + }; + + cidrv6 = mkOption { + type = types.nullOr types.net.cidrv6; + description = "The CIDRv6 of this network"; + default = null; + }; + + hosts = mkOption { + default = { }; + type = types.attrsOf ( + types.submodule (hostSubmod: { + options = { + id = mkOption { + type = types.int; + description = "The id of this host in the network"; + }; + + mac = mkOption { + type = types.nullOr types.net.mac; + description = "The MAC of the interface on this host that belongs to this network."; + default = null; + }; + + ipv4 = mkOption { + type = types.nullOr types.net.ipv4; + description = "The IPv4 of this host in this network"; + readOnly = true; + default = + if netSubmod.config.cidrv4 == null then + null + else + lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv4; + }; + + ipv6 = mkOption { + type = types.nullOr types.net.ipv6; + description = "The IPv6 of this host in this network"; + readOnly = true; + default = + if netSubmod.config.cidrv6 == null then + null + else + lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv6; + }; + + cidrv4 = mkOption { + type = types.nullOr types.str; # FIXME: this is not types.net.cidr because it would zero out the host part + description = "The IPv4 of this host in this network, including CIDR mask"; + readOnly = true; + default = + if netSubmod.config.cidrv4 == null then + null + else + lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv4; + }; + + cidrv6 = mkOption { + type = types.nullOr types.str; # FIXME: this is not types.net.cidr because it would zero out 
the host part + description = "The IPv6 of this host in this network, including CIDR mask"; + readOnly = true; + default = + if netSubmod.config.cidrv6 == null then + null + else + lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6; + }; + }; + }) + ); + }; + }; in { options = { @@ -4398,12 +4497,44 @@ in ); }; + networks = mkOption { + default = { }; + type = types.attrsOf ( + types.submodule (netSubmod: { + options = networkOptions netSubmod // { + vlans = mkOption { + default = { }; + type = types.attrsOf ( + types.submodule (vlanNetSubmod: { + options = networkOptions vlanNetSubmod // { + id = mkOption { + type = types.ints.between 1 4094; + description = "The VLAN id"; + }; + + name = mkOption { + description = "The name of this VLAN"; + default = vlanNetSubmod.config._module.args.name; + type = types.str; + }; + }; + }) + ); + }; + }; + }) + ); + }; + hosts = mkOption { type = types.attrsOf ( types.submodule { options = { - ipv4 = mkOption { - type = types.str; + defaultGateway4 = mkOption { + type = types.nullOr types.net.ipv4; + }; + defaultGateway6 = mkOption { + type = types.nullOr types.net.ipv6; }; }; } 
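Review bot: The `subnetMask4` default in the `@@ -4363` hunk reads `netSubmod.cidrv4`, whereas every sibling default reads `netSubmod.config.cidrv4`; `netSubmod` is the submodule's argument set, so this access fails with a missing-attribute error the moment `subnetMask4` is read (the `disk-encrypt` module in this patch reads it). It is also not null-guarded like `ipv4`/`ipv6`, so an unset `cidrv4` would reach `cidrToSubnetMask` as `null`, and its declared type `types.nullOr types.net.cidrv4` does not describe a dotted-decimal mask such as `255.255.255.0`, so the type no longer documents the value and would presumably reject it if it were ever set explicitly. Suggested: `type = types.nullOr types.net.ipv4;` and `default = if netSubmod.config.cidrv4 == null then null else lib.swarselsystems.cidrToSubnetMask netSubmod.config.cidrv4;`. The identical definition is added to `modules/nixos/common/globals.nix` in the `@@ -4,6 +4,91 @@` hunk below and needs the same change.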
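Review bot: In the `@@ -4398` hunk the new `defaultGateway4`/`defaultGateway6` options are typed `nullOr` but declare no `default = null`, so a host entry that sets only one of them (the `network.nix` module in this patch sets only `defaultGateway4`) makes reading `globals.hosts.<name>.defaultGateway6` an evaluation error rather than `null`. Adding `default = null;` and a `description` to each brings them in line with the other `nullOr` options declared here. The old `ipv4 = mkOption { type = types.str; }` is removed outright, so every remaining `globals.hosts.<host>.ipv4` reference must be migrated; the service modules in this patch are, but the commented-out assignment in the `@@ -2533` hunk suggests at least one host config still carries the old form. The same definition is repeated in the `@@ -39,12 +124,44 @@` hunk of globals.nix.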
@@ -6941,6 +7072,166 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t } #+end_src +**** Network settings + + +#+begin_src nix-ts :tangle modules/nixos/server/network.nix + { lib, config, ... }: + { + options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + config = lib.mkIf config.swarselmodules.server.network { + + globals.networks.home.hosts.${config.node.name} = { + inherit (config.repo.secrets.local.networking.networks.home) id; + mac = config.repo.secrets.local.networking.networks.home.mac or null; + }; + + globals.hosts.${config.node.name} = { + inherit (config.repo.secrets.local.networking) defaultGateway4; + }; + + networking = { + inherit (config.repo.secrets.local.networking) hostId; + hostName = config.node.name; + nftables.enable = lib.mkDefault true; + enableIPv6 = lib.mkDefault true; + firewall = { + enable = lib.mkDefault true; + }; + }; + + }; + } +#+end_src + +**** Disk encryption + +The hostkey can be generated with =ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key=. +Use =lspci -v | grep -iA8 'network\|ethernet'= to supposedly find out which kernel module is needed for networking in initrd. However I prefer a different approach: + +Use =lspci -nn | grep -i network= to find out manufacturer info: + +#+begin_src shell :exports both +lspci -nn | grep -i 'network\|ethernet' +#+end_src + +#+RESULTS: +: 04:00.0 Network controller [0280]: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter [14c3:0616] + +From the last bracket, then take the first value to find out the correct kernel module: + +#+begin_src shell :exports both +lspci -k -d 14c3: +#+end_src + +#+RESULTS: +| 04:00.0 | Network | controller: | MEDIATEK | Corp. | MT7922 | 802.11ax | PCI | Express | Wireless | Network | Adapter | +| | Subsystem: | MEDIATEK | Corp. 
| Device | e616 | | | | | | | +| | Kernel | driver | in | use: | mt7921e | | | | | | | +| | Kernel | modules: | mt7921e | | | | | | | | | + +#+begin_src nix-ts :tangle modules/nixos/server/disk-encrypt.nix + { self, lib, config, globals, ... }: + let + localIp = globals.networks.home.hosts.${config.node.name}.ipv4; + subnetMask = globals.networks.home.subnetMask4; + gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; + in + { + options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config"; + config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) { + + boot.kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ]; + boot.initrd = { + availableKernelModules = [ "r8169" ]; + network = { + enable = true; + udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true; + flushBeforeStage2 = true; + ssh = { + enable = true; + port = 22; + authorizedKeyFiles = [ + (self + /secrets/keys/ssh/yubikey.pub) + (self + /secrets/keys/ssh/magicant.pub) + ]; + hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; + }; + postCommands = '' + echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile + ''; + }; + }; + + }; + } +#+end_src + +**** kavita +:PROPERTIES: +:CUSTOM_ID: h:d33f5982-dfe6-42d0-9cf2-2cd8c7b04295 +:END: + +#+begin_src nix-ts :tangle modules/nixos/server/router.nix + { self, lib, config, pkgs, globals, ... 
}: + let + serviceName = "router"; + serviceUser = "kavita"; + in + { + options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + systemd.network = { + wait-online.anyInterface = true; + networks = { + "30-lan0" = { + matchConfig.Name = "lan0"; + linkConfig.RequiredForOnline = "enslaved"; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + }; + "30-lan1" = { + matchConfig.Name = "lan1"; + linkConfig.RequiredForOnline = "enslaved"; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + }; + "30-lan2" = { + matchConfig.Name = "lan2"; + linkConfig.RequiredForOnline = "enslaved"; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + }; + "30-lan3" = { + matchConfig.Name = "lan3"; + linkConfig.RequiredForOnline = "enslaved"; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + }; + "10-wan" = { + matchConfig.Name = "wan"; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + DNSOverTLS = true; + DNSSEC = true; + IPv6PrivacyExtensions = false; + IPForward = true; + }; + # make routing on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; + }; + } +#+end_src + **** kavita :PROPERTIES: :CUSTOM_ID: h:d33f5982-dfe6-42d0-9cf2-2cd8c7b04295 @@ -6955,7 +7246,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t serviceName = "kavita"; serviceUser = "kavita"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; 
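Review bot: The new router block in the `@@ -6941` hunk is tangled to `modules/nixos/server/router.nix`, yet that file is absent from this patch's diffstat, and the block reuses the heading `**** kavita` with the same `:CUSTOM_ID: h:d33f5982-dfe6-42d0-9cf2-2cd8c7b04295` as the real kavita section directly below it, so the org file now has a duplicate id and the module may never have been tangled. `serviceUser = "kavita"` in its `let` is a copy-paste leftover that nothing uses. On `10-wan`, `IPForward = true` turns the host into a router between `wan` and the `lan*` interfaces, while nothing in this patch adds a forward-chain policy or NAT and the NixOS firewall's defaults do not obviously cover the forward path, so an explicit nftables forward ruleset should land before this module is enabled on a WAN-facing host. Note also that `IPForward=` in `[Network]` is deprecated upstream in favour of `IPv4Forwarding=`/`IPv6Forwarding=`, so recent systemd will warn; worth confirming against the systemd version in use.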
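Review bot: `serviceAddress` in the `@@ -6955` hunk now resolves to `globals.networks.home.hosts.${config.node.name}.ipv4`, which is `nullOr` and defaults to `null` whenever `globals.networks.home.cidrv4` is unset, whereas the old `globals.hosts.winters.ipv4` was a mandatory `types.str`. A host that enables the module without a home network definition will now fail wherever `serviceAddress` is interpolated (that use is outside the hunk) with a null-coercion error that does not mention the missing option; an assertion on `globals.networks.home.cidrv4 != null` in the module would give a direct message. The same substitution is made in the following hunks for jellyfin, navidrome, matrix, nextcloud, immich, paperless, syncthing, grafana, jenkins, freshrss, forgejo, ankisync, atuin, firefly-iii, garage, homebox, kanidm, koillection and monitoring. The meaning also changes from "the address of winters" to "the address of whichever node evaluates the module", which looks intended for co-located services but should be confirmed for any module evaluated on a different host than the one it proxies to.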
@@ -7027,7 +7318,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t serviceName = "jellyfin"; serviceUser = "jellyfin"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7099,7 +7390,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t serviceUser = "navidrome"; serviceGroup = serviceUser; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7453,7 +7744,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t serviceName = "matrix"; serviceDomain = config.repo.secrets.common.services.domains.matrix; serviceUser = "matrix-synapse"; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; federationPort = 8448; whatsappPort = 29318; @@ -7811,7 +8102,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t serviceGroup = serviceUser; serviceName = "nextcloud"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; 
@@ -7891,7 +8182,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t serviceUser = "immich"; serviceName = "immich"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7976,7 +8267,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= serviceGroup = serviceUser; serviceName = "paperless"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; tikaPort = 9998; gotenbergPort = 3002; @@ -8304,7 +8595,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= serviceUser = "syncthing"; serviceGroup = serviceUser; serviceName = "syncthing"; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; specificServiceName = "syncthing-${configName}"; cfg = config.services.${serviceName}; @@ -8530,7 +8821,7 @@ This section exposes several metrics that I use to check the health of my server serviceGroup = serviceUser; serviceName = "grafana"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; prometheusPort = 9090; prometheusUser = "prometheus"; 
@@ -8784,7 +9075,7 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w servicePort = 8088; serviceName = "jenkins"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -8879,7 +9170,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with serviceUser = "freshrss"; serviceGroup = serviceName; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; inherit (config.swarselsystems) sopsFile; in @@ -8995,7 +9286,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with serviceGroup = serviceUser; serviceName = "forgejo"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; kanidmDomain = globals.services.kanidm.domain; in @@ -9159,7 +9450,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with servicePort = 27701; serviceName = "ankisync"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; ankiUser = globals.user.name; in @@ -9244,7 +9535,7 @@ To get other URLs (token, etc.), use https:///oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid/ -d ' on a machine with deployed secrets. Alternatively, run 'swarsel-install -n ' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access). 
@@ -113,6 +106,7 @@ in wireless.enable = false; # dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload"; networkmanager.enable = true; + usePredictableInterfaceNames = false; }; services.getty.autologinUser = lib.mkForce "root"; @@ -139,6 +133,8 @@ in programs.bash.shellAliases = { "swarsel-install" = "nix run github:Swarsel/.dotfiles#swarsel-install --"; + "swarsel-net-manufacturer" = "lspci -nn | grep -i 'network\|ethernet'"; + "swarsel-kernel-module" = "lspci -k -d"; }; system.activationScripts.cache = { diff --git a/modules/nixos/common/globals.nix b/modules/nixos/common/globals.nix index c42e7ae..8d226d4 100644 --- a/modules/nixos/common/globals.nix +++ b/modules/nixos/common/globals.nix 
@@ -4,6 +4,91 @@ let mkOption types ; + + networkOptions = netSubmod: { + cidrv4 = mkOption { + type = types.nullOr types.net.cidrv4; + description = "The CIDRv4 of this network"; + default = null; + }; + + subnetMask4 = mkOption { + type = types.nullOr types.net.cidrv4; + description = "The dotted decimal form of the subnet mask of this network"; + readOnly = true; + default = lib.swarselsystems.cidrToSubnetMask netSubmod.cidrv4; + }; + + cidrv6 = mkOption { + type = types.nullOr types.net.cidrv6; + description = "The CIDRv6 of this network"; + default = null; + }; + + hosts = mkOption { + default = { }; + type = types.attrsOf ( + types.submodule (hostSubmod: { + options = { + id = mkOption { + type = types.int; + description = "The id of this host in the network"; + }; + + mac = mkOption { + type = types.nullOr types.net.mac; + description = "The MAC of the interface on this host that belongs to this network."; + default = null; + }; + + ipv4 = mkOption { + type = types.nullOr types.net.ipv4; + description = "The IPv4 of this host in this network"; + readOnly = true; + default = + if netSubmod.config.cidrv4 == null then + null + else + lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv4; + }; + + ipv6 = mkOption { + type = types.nullOr types.net.ipv6; + description = "The IPv6 of this host in this network"; + readOnly = true; + default = + if netSubmod.config.cidrv6 == null then + null + else + lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv6; + }; + + cidrv4 = mkOption { + type = types.nullOr types.str; # FIXME: this is not types.net.cidr because it would zero out the host part + description = "The IPv4 of this host in this network, including CIDR mask"; + readOnly = true; + default = + if netSubmod.config.cidrv4 == null then + null + else + lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv4; + }; + + cidrv6 = mkOption { + type = types.nullOr types.str; # FIXME: this is not types.net.cidr because it would zero out the 
host part + description = "The IPv6 of this host in this network, including CIDR mask"; + readOnly = true; + default = + if netSubmod.config.cidrv6 == null then + null + else + lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6; + }; + }; + }) + ); + }; + }; in { options = { @@ -39,12 +124,44 @@ in ); }; + networks = mkOption { + default = { }; + type = types.attrsOf ( + types.submodule (netSubmod: { + options = networkOptions netSubmod // { + vlans = mkOption { + default = { }; + type = types.attrsOf ( + types.submodule (vlanNetSubmod: { + options = networkOptions vlanNetSubmod // { + id = mkOption { + type = types.ints.between 1 4094; + description = "The VLAN id"; + }; + + name = mkOption { + description = "The name of this VLAN"; + default = vlanNetSubmod.config._module.args.name; + type = types.str; + }; + }; + }) + ); + }; + }; + }) + ); + }; + hosts = mkOption { type = types.attrsOf ( types.submodule { options = { - ipv4 = mkOption { - type = types.str; + defaultGateway4 = mkOption { + type = types.nullOr types.net.ipv4; + }; + defaultGateway6 = mkOption { + type = types.nullOr types.net.ipv6; }; }; } diff --git a/modules/nixos/server/ankisync.nix b/modules/nixos/server/ankisync.nix index 0447dea..b845ad7 100644 --- a/modules/nixos/server/ankisync.nix +++ b/modules/nixos/server/ankisync.nix @@ -5,7 +5,7 @@ let servicePort = 27701; serviceName = "ankisync"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; ankiUser = globals.user.name; in diff --git a/modules/nixos/server/atuin.nix b/modules/nixos/server/atuin.nix index 38fe352..d355e6f 100644 --- a/modules/nixos/server/atuin.nix +++ b/modules/nixos/server/atuin.nix 
@@ -3,7 +3,7 @@ let
 servicePort = 8888;
 serviceName = "atuin";
 serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
- serviceAddress = globals.hosts.winters.ipv4;
+ serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4;
 in
 {
 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
diff --git a/modules/nixos/server/disk-encrypt.nix b/modules/nixos/server/disk-encrypt.nix
new file mode 100644
index 0000000..dddc1a4
--- /dev/null
+++ b/modules/nixos/server/disk-encrypt.nix
@@ -0,0 +1,34 @@
+{ self, lib, config, globals, ... }:
+let
+ localIp = globals.networks.home.hosts.${config.node.name}.ipv4;
+ subnetMask = globals.networks.home.subnetMask4;
+ gatewayIp = globals.hosts.${config.node.name}.defaultGateway4;
+in
+{
+ options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config";
+ config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) {
+
+ boot.kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ];
+ boot.initrd = {
+ availableKernelModules = [ "r8169" ];
+ network = {
+ enable = true;
+ udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true;
+ flushBeforeStage2 = true;
+ ssh = {
+ enable = true;
+ port = 22;
+ authorizedKeyFiles = [
+ (self + /secrets/keys/ssh/yubikey.pub)
+ (self + /secrets/keys/ssh/magicant.pub)
+ ];
+ hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+ };
+ postCommands = ''
+ echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
+ '';
+ };
+ };
+
+ };
+}
diff --git a/modules/nixos/server/firefly-iii.nix b/modules/nixos/server/firefly-iii.nix
index 37aa48a..c0acad1 100644
--- a/modules/nixos/server/firefly-iii.nix
+++ b/modules/nixos/server/firefly-iii.nix
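Review bot: The `postCommands` line in the `@@ -0,0 +1,34 @@` hunk of `disk-encrypt.nix` does not do what its message says: shell `||` and `&&` have equal precedence and associate left, so `cryptsetup-askpass || echo "..." && exit 1` parses as `(cryptsetup-askpass || echo "...") && exit 1`, meaning "Unlock was successful" is printed only when askpass fails, and the session exits either way. `cryptsetup-askpass && echo "Unlock was successful; exiting SSH session"; exit 1` expresses the intent. Two further points on the initrd SSH setup: the host key at `/etc/secrets/initrd/ssh_host_ed25519_key` ends up inside the unencrypted initrd on `/boot`, so it must stay distinct from the stage-2 host key (the org prose says to generate it separately; a comment next to `hostKeys` would keep that with the code), and serving it on `port = 22`, the port the stage-2 sshd presumably also uses, makes every client see a host-key change between unlock and login, which conditions users to accept such warnings; a dedicated port, or a documented per-port `known_hosts` entry, avoids that. Finally, `localIp` and `gatewayIp` are `nullOr`-typed and are interpolated into `ip=` without a null check, so an unset `cidrv4` or gateway fails with an opaque coercion error; an assertion naming the missing option is cheaper to debug. The same module is embedded verbatim in the `@@ -6941` org hunk above.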
@@ -5,7 +5,7 @@ let serviceGroup = serviceUser; serviceName = "firefly-iii"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; nginxGroup = "nginx"; diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix index 886c6aa..a674078 100644 --- a/modules/nixos/server/forgejo.nix +++ b/modules/nixos/server/forgejo.nix @@ -7,7 +7,7 @@ let serviceGroup = serviceUser; serviceName = "forgejo"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; kanidmDomain = globals.services.kanidm.domain; in diff --git a/modules/nixos/server/freshrss.nix b/modules/nixos/server/freshrss.nix index 8e94add..0375e64 100644 --- a/modules/nixos/server/freshrss.nix +++ b/modules/nixos/server/freshrss.nix @@ -5,7 +5,7 @@ let serviceUser = "freshrss"; serviceGroup = serviceName; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; inherit (config.swarselsystems) sopsFile; in diff --git a/modules/nixos/server/garage.nix b/modules/nixos/server/garage.nix index 5ac3673..d537552 100644 --- a/modules/nixos/server/garage.nix +++ b/modules/nixos/server/garage.nix @@ -5,7 +5,7 @@ let serviceName = "garage"; servicePort = 3900; serviceDomain = config.repo.secrets.common.services.domains."${serviceName}-${configName}"; - serviceAddress = globals.hosts.${configName}.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; cfg = config.services.${serviceName}; metadata_dir = "/var/lib/garage/meta"; diff --git a/modules/nixos/server/homebox.nix b/modules/nixos/server/homebox.nix index 56adac9..c1b62ab 100644 
--- a/modules/nixos/server/homebox.nix +++ b/modules/nixos/server/homebox.nix @@ -3,7 +3,7 @@ let servicePort = 7745; serviceName = "homebox"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/immich.nix b/modules/nixos/server/immich.nix index e3bc4a0..cefa330 100644 --- a/modules/nixos/server/immich.nix +++ b/modules/nixos/server/immich.nix @@ -4,7 +4,7 @@ let serviceUser = "immich"; serviceName = "immich"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/jellyfin.nix b/modules/nixos/server/jellyfin.nix index 420bbb6..552f8bf 100644 --- a/modules/nixos/server/jellyfin.nix +++ b/modules/nixos/server/jellyfin.nix @@ -4,7 +4,7 @@ let serviceName = "jellyfin"; serviceUser = "jellyfin"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/jenkins.nix b/modules/nixos/server/jenkins.nix index 91d94f0..808bcef 100644 --- a/modules/nixos/server/jenkins.nix +++ b/modules/nixos/server/jenkins.nix 
@@ -3,7 +3,7 @@ let servicePort = 8088; serviceName = "jenkins"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index 79b1983..e7ab275 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix @@ -8,7 +8,7 @@ let serviceGroup = serviceUser; serviceName = "kanidm"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; oauth2ProxyDomain = globals.services.oauth2Proxy.domain; immichDomain = globals.services.immich.domain; diff --git a/modules/nixos/server/kavita.nix b/modules/nixos/server/kavita.nix index c93be62..dfa915e 100644 --- a/modules/nixos/server/kavita.nix +++ b/modules/nixos/server/kavita.nix @@ -6,7 +6,7 @@ let serviceName = "kavita"; serviceUser = "kavita"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/koillection.nix b/modules/nixos/server/koillection.nix index 08da2d1..eb45709 100644 --- a/modules/nixos/server/koillection.nix +++ b/modules/nixos/server/koillection.nix 
@@ -6,7 +6,7 @@ let servicePort = 2282; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; serviceDir = "/Vault/data/koillection"; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres postgresPort = config.services.postgresql.settings.port; # 5432 diff --git a/modules/nixos/server/matrix.nix b/modules/nixos/server/matrix.nix index 24f4530..ba18600 100644 --- a/modules/nixos/server/matrix.nix +++ b/modules/nixos/server/matrix.nix @@ -6,7 +6,7 @@ let serviceName = "matrix"; serviceDomain = config.repo.secrets.common.services.domains.matrix; serviceUser = "matrix-synapse"; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; federationPort = 8448; whatsappPort = 29318; diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix index 758e63d..d1ee714 100644 --- a/modules/nixos/server/monitoring.nix +++ b/modules/nixos/server/monitoring.nix @@ -5,7 +5,7 @@ let serviceGroup = serviceUser; serviceName = "grafana"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; prometheusPort = 9090; prometheusUser = "prometheus"; diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix index 30cb8da..34b245a 100644 --- a/modules/nixos/server/navidrome.nix +++ b/modules/nixos/server/navidrome.nix 
@@ -5,7 +5,7 @@ let serviceUser = "navidrome"; serviceGroup = serviceUser; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/network.nix b/modules/nixos/server/network.nix new file mode 100644 index 0000000..90b8c0e --- /dev/null +++ b/modules/nixos/server/network.nix @@ -0,0 +1,26 @@ +{ lib, config, ... }: +{ + options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + config = lib.mkIf config.swarselmodules.server.network { + + globals.networks.home.hosts.${config.node.name} = { + inherit (config.repo.secrets.local.networking.networks.home) id; + mac = config.repo.secrets.local.networking.networks.home.mac or null; + }; + + globals.hosts.${config.node.name} = { + inherit (config.repo.secrets.local.networking) defaultGateway4; + }; + + networking = { + inherit (config.repo.secrets.local.networking) hostId; + hostName = config.node.name; + nftables.enable = lib.mkDefault true; + enableIPv6 = lib.mkDefault true; + firewall = { + enable = lib.mkDefault true; + }; + }; + + }; +} diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix index 36765d2..50e8b9f 100644 --- a/modules/nixos/server/nextcloud.nix +++ b/modules/nixos/server/nextcloud.nix @@ -8,7 +8,7 @@ let serviceGroup = serviceUser; serviceName = "nextcloud"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix index ca813b1..005bdab 100644 
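Review bot: network.nix registers the host under `globals.networks.home.hosts.${config.node.name}` with only `id` and `mac`, while every service module touched in this series reads `.ipv4` from that same attribute set; unless the globals option computes `ipv4` from `id` (not visible here), those modules will not evaluate. `mac` gets an `or null` default but `id` is inherited unconditionally, so a host whose `networks.home` secret lacks it fails with the same unhelpful missing-attribute error rather than a message. `firewall.enable` and `nftables.enable` are `lib.mkDefault true`, which is fine for a profile, but it lets a host opt out of the packet filter silently; if that is intended a one-line comment saying so would help. I would add above the `globals.networks.home.hosts` block: `# ipv4 for this host is expected to be derived from \`id\` by the globals module; the server modules read .ipv4 from here`.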
--- a/modules/nixos/server/paperless.nix +++ b/modules/nixos/server/paperless.nix @@ -7,7 +7,7 @@ let serviceGroup = serviceUser; serviceName = "paperless"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; tikaPort = 9998; gotenbergPort = 3002; diff --git a/modules/nixos/server/radicale.nix b/modules/nixos/server/radicale.nix index 7ad9fe2..411a3e6 100644 --- a/modules/nixos/server/radicale.nix +++ b/modules/nixos/server/radicale.nix @@ -7,7 +7,7 @@ let serviceUser = "radicale"; serviceGroup = serviceUser; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; cfg = config.services.${serviceName}; in diff --git a/modules/nixos/server/snipe-it.nix b/modules/nixos/server/snipe-it.nix index b7a9edd..3ae183e 100644 --- a/modules/nixos/server/snipe-it.nix +++ b/modules/nixos/server/snipe-it.nix @@ -9,7 +9,7 @@ let serviceUser = "snipeit"; serviceGroup = serviceUser; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; mysqlPort = 3306; in diff --git a/modules/nixos/server/syncthing.nix b/modules/nixos/server/syncthing.nix index 6d1ac78..6eb61c6 100644 --- a/modules/nixos/server/syncthing.nix +++ b/modules/nixos/server/syncthing.nix @@ -7,7 +7,7 @@ let serviceUser = "syncthing"; serviceGroup = serviceUser; serviceName = "syncthing"; - serviceAddress = globals.hosts.winters.ipv4; + serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; specificServiceName = "syncthing-${configName}"; cfg = config.services.${serviceName}; diff --git a/nix/lib.nix b/nix/lib.nix index a7b6194..c41db61 100644 --- a/nix/lib.nix +++ b/nix/lib.nix 
@@ -6,6 +6,22 @@ let inherit (inputs.nixpkgs) lib; in rec { + cidrToSubnetMask = cidr: + let + prefixLength = lib.toInt (lib.last (lib.splitString "/" cidr)); + bits = lib.genList (i: if i < prefixLength then 1 else 0) 32; + octets = lib.genList + (i: + let + octetBits = lib.sublist (i * 8) 8 bits; + octetValue = lib.foldl (acc: bit: acc * 2 + bit) 0 octetBits; + in + octetValue + ) 4; + subnetMask = lib.concatStringsSep "." (map toString octets); + in + subnetMask; + mkIfElseList = p: yes: no: lib.mkMerge [ (lib.mkIf p yes) (lib.mkIf (!p) no) diff --git a/profiles/nixos/localserver/default.nix b/profiles/nixos/localserver/default.nix index c73b619..928e012 100644 --- a/profiles/nixos/localserver/default.nix +++ b/profiles/nixos/localserver/default.nix @@ -15,6 +15,8 @@ boot = lib.mkDefault true; server = { general = lib.mkDefault true; + network = lib.mkDefault true; + diskEncryption = lib.mkDefault true; packages = lib.mkDefault true; ssh = lib.mkDefault true; nginx = lib.mkDefault true; diff --git a/profiles/nixos/minimal/default.nix b/profiles/nixos/minimal/default.nix index a224336..c233faa 100644 --- a/profiles/nixos/minimal/default.nix +++ b/profiles/nixos/minimal/default.nix @@ -21,6 +21,7 @@ server = { ssh = lib.mkDefault true; + diskEncryption = lib.mkDefault true; }; }; diff --git a/secrets/repo/globals.nix.enc b/secrets/repo/globals.nix.enc index 64a35db..d6641b4 100644 --- a/secrets/repo/globals.nix.enc +++ b/secrets/repo/globals.nix.enc 
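Review bot: `cidrToSubnetMask` never range-checks the prefix: `lib.toInt` on the text after the last `/` accepts anything, so `"10.0.0.0/40"` silently yields `255.255.255.255`, a v6 prefix such as `/64` does the same, and an address with no `/` at all makes `toInt` abort on the whole address with an unrelated error. Since the result feeds network configuration I would fail loudly instead, changing the final `in subnetMask;` to `in assert prefixLength >= 0 && prefixLength <= 32; subnetMask;` and noting in a comment that the helper is IPv4-only. The lib.nix attribute set continues outside the hunk.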
@@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:8qexHpKJg6o1Fb9H50I3H25UOpNFs2sQl2hd3B2hdJRTjc96aVgTgI838Fnn7G6mFBpHqP0SFCU0/CP6SKqbhJ6SucrfpQN/RqZlSCxmuZi3sqv3voNd7/5JzY0D/5XUTfzHkeEA34HS0GcNLLY7m+QskfJdqGSMB5P++88xCNETqv+sRPVegm1ZGttj+tttesLkAcIU0556WiQhyIcpR4ZiO75NWRFerOmb4LxADR+bwBfesfGUfjflsqOSJll17N9SECSWE7o75Ojn+yde/EznK+zQlsCYvPp90d2xU6dpdRNtp9jrjvXvEVCmcwjIqIKXqurc2CU=,iv:xBYgbmjHwhbH+7WR5MLVysrChxr6rERo6WZuu07sUS0=,tag:vMoMu9mrrGRTA3oO2wsnWw==,type:str]", + "data": "ENC[AES256_GCM,data:1nK/JO8sa+N6EXpyIHBnRapOXYbtM38jnNCf/j0wIOG+0uJvQEFc1e9gIFvuvmPUpUjh6XMuEKNxvLTjFlaLiypOX3yJVTn2fiyOWSm244wcye0GRPe+RWIi+1kEPrFDBEG2JFB+9iGSx0Vf2NfBPgaVFnr4Z2TTGH/kvxiTV6KYucWQNHh+jvVKZ6vAsCP2pFWp2yhpov9l5Tj6MwyK7E46Gn7DmCAtlZcA64Nht+99Zrrfuq8byan6w8RMFR830GJvdMAAD/Vsz/6aGQfHhpJwl4L8/4WwvhQq/DuU1umI1Q7r7FosXbos6g8wTWuM3ccD7V//tFDeVkaMKJzkLkQt0JbyzansijadTYjo0I1w15iH2nySBSIrsOJauBcw3XaP6NfAC3fN1lh/fDaj5HWud5v2ginWRfJNYalfMvTkXm2E5m8SXjanGJL1bHBle4TwEDNPT8+LFIJm8gf57rQRcRlh,iv:W3xvnTblM4Aa0dzDKiWqHM6B5zmu5ddk3D4tYAVNBiY=,tag:KelbYP9xbTmDaWiPrkS+Mw==,type:str]", "sops": { "age": [ { 
@@ -27,8 +27,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibGlMSU4vUEF5UlNVZzlr\nMTMyOFY2Zi8rZFdZT1JrelZEUUZkZHFvOFdzCjVPbVovaU9nZklJQWNZeDJZNm0r\nMXBIK2hsZEY0NElxTVVMWmN6WU1Ld28KLS0tIENaallkK05SMllia3prV25hZDR2\nZDBNU0dYYnJESG1JZGpvSGp1WW9UMVEKJgfdLp7BRXvyAekecNJiaBXmxSj1qNxx\nZeHceqEkfWV/PzX+RP4LHjXTQCLEOJijbKxDmxSsYq49hC9xjZASuw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-07-22T17:19:04Z", - "mac": "ENC[AES256_GCM,data:r1h9ouXb8o8Vk3/l3SX6hxbPApMn4BcCIs52Jhv9s9RYURMGb9qqPipbX7yFIYDBMka2qJJ0BneJz2EI60nTxx+QqATImR2oot2U6iONrelgs+AL3We//xpHOVHSxQ9XMmeEOcVqXEU3u843jV1RElxarRCwB9yM6IWTPx2qNzA=,iv:bS571Ddgz6Fbhyxy2bL/087ZTD7egcvPoLXD9uF8aN0=,tag:HJBI6G6ivRHhJMXYrNhIKw==,type:str]", + "lastmodified": "2025-11-09T22:41:57Z", + "mac": "ENC[AES256_GCM,data:iHmgHvT3yn5ayimvO+miRA3dA/0o4juBvBzWIXwtZyt5gSI4oJizMbRaX5coVJgeDdPsYaiQFqSnEPrPmrMIR16jdmscQLvz7X1gtdanMP++5q13jWOkiUHPC2nZy47M+36bzC2P/BHqKE782ERTGnD70VZO4a1lOa7pB32NutY=,iv:oOn9x/xf5g82GXdZ9fDxgEiUScXXfzSdEZccqFQLF4w=,tag:iEhx2Hm0yP6G/1w6cIgHIg==,type:str]", "pgp": [ { "created_at": "2025-07-02T12:10:18Z", @@ -37,6 +37,6 @@ } ], "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" + "version": "3.11.0" } } From ca35e7894d4a8b2d2748dea06376a4037bc86182 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?= Date: Mon, 10 Nov 2025 01:30:18 +0100 Subject: [PATCH 5/5] feat[server]: add initial router config --- SwarselSystems.org | 210 +++++++++++++++++- .../nixos/x86_64-linux/hintbooth/default.nix | 29 +++ .../x86_64-linux/hintbooth/disk-config.nix | 118 ++++++++++ .../hintbooth/hardware-configuration.nix | 24 ++ .../hintbooth/secrets/pii.nix.enc | 16 ++ hosts/nixos/x86_64-linux/summers/default.nix | 2 - .../x86_64-linux/summers/secrets/pii.nix.enc | 6 +- hosts/nixos/x86_64-linux/winters/default.nix | 6 +- .../x86_64-linux/winters/secrets/pii.nix.enc | 6 +- modules/nixos/server/router.nix | 56 +++++ profiles/nixos/router/default.nix | 12 + 11 files changed, 470 insertions(+), 15 deletions(-) create mode 100644 hosts/nixos/x86_64-linux/hintbooth/default.nix create mode 100644 hosts/nixos/x86_64-linux/hintbooth/disk-config.nix create mode 100644 hosts/nixos/x86_64-linux/hintbooth/hardware-configuration.nix create mode 100644 hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc create mode 100644 modules/nixos/server/router.nix create mode 100644 profiles/nixos/router/default.nix diff --git a/SwarselSystems.org b/SwarselSystems.org index 870a41c..656b149 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
@@ -2973,6 +2973,191 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src +**** Hintbooth (Router: HUNSN RM02) + +***** Main Configuration +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/default.nix + { lib, minimal, ... }: + { + + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + ]; + + swarselsystems = { + info = "HUNSN RM02, 8GB RAM"; + flakePath = "/root/.dotfiles"; + isImpermanence = true; + isSecureBoot = true; + isCrypted = true; + isBtrfs = true; + isLinux = true; + isNixos = true; + rootDisk = "/dev/sda"; + swapSize = "8G"; + }; + + } // lib.optionalAttrs (!minimal) { + + swarselprofiles = { + server = true; + router = false; + }; + + } + +#+end_src + +***** hardware-configuration +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/hardware-configuration.nix + { config, lib, modulesPath, ... }: + + { + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + initrd.kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + } +#+end_src +***** disko + +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/disk-config.nix + { lib, config, ... 
}: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko.devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards = true; + # 
https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + } +#+end_src **** machpizza (MacBook Pro) :PROPERTIES: :CUSTOM_ID: h:28e1a7eb-356b-4015-83f7-9c552c8c0e9d @@ -7167,16 +7352,12 @@ lspci -k -d 14c3: } #+end_src -**** kavita -:PROPERTIES: -:CUSTOM_ID: h:d33f5982-dfe6-42d0-9cf2-2cd8c7b04295 -:END: +**** Router #+begin_src nix-ts :tangle modules/nixos/server/router.nix - { self, lib, config, pkgs, globals, ... }: + { lib, config, ... }: let serviceName = "router"; - serviceUser = "kavita"; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -19738,6 +19919,23 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a } +#+end_src +**** Router + +#+begin_src nix-ts :tangle profiles/nixos/router/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselprofiles.router = lib.mkEnableOption "enable the router profile"; + config = lib.mkIf config.swarselprofiles.router { + swarselmodules = { + server = { + router = lib.mkDefault true; + }; + }; + }; + + } + #+end_src *** home-manager :PROPERTIES: diff --git a/hosts/nixos/x86_64-linux/hintbooth/default.nix b/hosts/nixos/x86_64-linux/hintbooth/default.nix new file mode 100644 index 0000000..b7a9049 --- /dev/null 
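Review bot: The second hunk of this file (`@@ -7167`) replaces the `**** kavita` heading and its `:CUSTOM_ID:` with `**** Router`, while the `#+begin_src` under it already tangles to `modules/nixos/server/router.nix` and only a leftover `serviceUser = "kavita"` is removed; inferred from these context lines, the kavita section was repurposed earlier and this commit finishes that. `modules/nixos/server/kavita.nix` is still patched in this series, so if this document is the tangle source for it, a kavita section needs to exist elsewhere in the file (outside this hunk) or that module will drift from the document. Dropping the `:CUSTOM_ID:` also breaks any existing link to `h:d33f5982-…`; if nothing links to it, a short note in the commit message saying the kavita section moved would settle it.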
+++ b/hosts/nixos/x86_64-linux/hintbooth/default.nix @@ -0,0 +1,29 @@ +{ lib, minimal, ... }: +{ + + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + ]; + + swarselsystems = { + info = "HUNSN RM02, 8GB RAM"; + flakePath = "/root/.dotfiles"; + isImpermanence = true; + isSecureBoot = true; + isCrypted = true; + isBtrfs = true; + isLinux = true; + isNixos = true; + rootDisk = "/dev/sda"; + swapSize = "8G"; + }; + +} // lib.optionalAttrs (!minimal) { + + swarselprofiles = { + server = true; + router = false; + }; + +} diff --git a/hosts/nixos/x86_64-linux/hintbooth/disk-config.nix b/hosts/nixos/x86_64-linux/hintbooth/disk-config.nix new file mode 100644 index 0000000..a4b5089 --- /dev/null +++ b/hosts/nixos/x86_64-linux/hintbooth/disk-config.nix 
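Review bot: `rootDisk = "/dev/sda"` is the device disko will partition and force-format (`-f` in the companion disk-config), and `/dev/sdX` names are assigned by enumeration order, so with the installer USB stick attached the wrong disk can be wiped. A stable path such as `/dev/disk/by-id/...` for the RM02's drive is the usual fix, and a comment on the line should say why. The host also sets `router = false` under `swarselprofiles` even though this commit is the initial router config, so nothing in the series actually enables `swarselmodules.server.router` on hintbooth; if that is deliberate staging, `router = false; # off until the wan/lan* interface naming and forward rules are in place` would make it explicit.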
@@ -0,0 +1,118 @@ +{ lib, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko.devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards = true; + # 
https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosts/nixos/x86_64-linux/hintbooth/hardware-configuration.nix b/hosts/nixos/x86_64-linux/hintbooth/hardware-configuration.nix new file mode 100644 index 0000000..21725ec --- /dev/null +++ b/hosts/nixos/x86_64-linux/hintbooth/hardware-configuration.nix @@ -0,0 +1,24 @@ +{ config, lib, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + initrd.kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} 
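Review bot: `passwordFile = "/tmp/disko-password"` means the LUKS passphrase for `cryptroot` sits as a plaintext file in a world-readable directory for as long as the installer session lives; the comment says bootstrap.sh populates it, but nothing here shows it being created `0600` or removed afterwards (that script is outside this hunk). I would extend the comment to state the contract: `# populated by bootstrap.sh with mode 0600 and deleted after disko runs; never persist it`. Two further caveats deserve a line each: `allowDiscards = true` lets TRIM reveal which blocks of the encrypted volume are unused, an accepted SSD trade-off that should be named; and the unencrypted branch's `postCreateHook` mounts `/dev/disk/by-label/nixos`, which resolves to any attached disk carrying that label (the `-L nixos` here is not unique), so mounting the partition device or a by-partlabel path would be safer.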
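Review bot: `networking.useDHCP = lib.mkDefault true` is the generator's default and starts a DHCP client on every Ethernet interface, which on a router means the LAN ports also solicit leases, so any device plugged into `lan0`–`lan3` that answers DHCP can hand the router a default route and DNS servers. The router module in this series already configures DHCP on `wan` explicitly, so this should become `networking.useDHCP = false;` with per-interface declarations, as the generated comment itself recommends; whether the `30-lan*` networkd units would win over the catch-all depends on `networking.useNetworkd`, which is not visible here. A short comment such as `# router: no blanket DHCP, wan is configured in modules/nixos/server/router.nix` would stop the next `nixos-generate-config` run from quietly reverting it.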
diff --git a/hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc new file mode 100644 index 0000000..e9aa129 --- /dev/null +++ b/hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc 
@@ -0,0 +1,16 @@ +{ + "data": "ENC[AES256_GCM,data:dXhWlutdXYLxq7pAWK77lK1mz1y/lh0nl4mHa/jf4ABaQxkB9or1/ceEGwzUoFZAP+EmCuz35UpGYuT4jdti/BPDFsg3273NjVxfPBdV3Mr75FpEG56tMZKafUwARtwsBGQcIduPUgymOxKxUzy5YJokbdFThAa9Y25OFKDwOtN33NSG5QT8tEtBOFzeUx5K+9Kt1YDFCgl8dOOFtA==,iv:wZ1VY7IcK2dFjgrGZrUg+Oz3id8DZKzVgPMkjBrp1GE=,tag:F0SH8w32ec09P3NaMLcuTA==,type:str]", + "sops": { + "lastmodified": "2025-11-09T23:30:30Z", + "mac": "ENC[AES256_GCM,data:odBcMskVn/ag12j/sDxqD7/8q3GD+LPfoRQ4UcwiFAdRWIRyLKdG3HUJzt1yEVQnpvaHHOq3QmGC34FPA+GT6zw6TC9EacibmigX5uT+n6hYdVgXy97T/nD9ITtq6gVy8VjWugKpqMwTDta1HV037DKTf7LDmrTUaFhzFmtzNyA=,iv:CjkjUwCzACzuUI/TceDeopRsT9xiIZxciGq7UeBEVTw=,tag:ySF9Dxha7it2F2g81NZ+EQ==,type:str]", + "pgp": [ + { + "created_at": "2025-11-09T11:20:20Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAgiGGUn4Dhw6aB34J+332lw/CMPnZb3apThxgKjAVLKDz\neEeG+iD3iOJ3m+xg0KhgV5m2nykw0LXcXlErNIxnBmPm91DiQuW2Nzgz2J9FYF+J\nMHZ65JG+9nEt6dUplEKTBS492hiKrfD6a3BR/WFy9qrv0uY8DutAeUbkXVXqY+Sn\nxTTu2DK9Yy6lps2gmaZ1nJwLffaILyZuwYqMKtv1d1tEQFsBbkwh1chj0857nldD\n4t+bDYpMa1eFBQ/vi4YfMrw19Qq0xEWo7nKdT/pj8qAW9c4D7pHf7rm4t0T+H3tN\nfk1dJKuZuITXRrIth1zhq5bLepsIWtk/hG9fNKPbYj+xThhbCWEpH18FVVJsPCtv\nksZ3i70uz6FvyMYxyNANTMIxVa+SI+dhx6bCGQ/I9xFxK2Yju/yL6Gt4av3GhyjK\ncd8B5AlIKzxDvhWBMakjf+R/I63a7AlI9QliZhEFrpNOdcBu78ZvtKKplJ6fG8SZ\nExCFFf/qtqHtM0rvl8wyyVntD2r9WLKwDF7+tlygxbexqCaVs8CPtuiswOEGldc3\nZkG+zYsXSvBmyyfwrVYoIKRjJ1QiYys+EE5OdfI9kZ/I+kByiwr6PRHDnIkuc7jj\n8odeSq/KVMwS3d0u3c6qTPWbnSvAa6KM91dnMaXb0ws/B0eNE22USNk//KVfdKKF\nAgwDC9FRLmchgYQBD/99q4jpY7LnuV12/KxqZvbSHkBlO3HlBDYfmAYUn1gYS83T\ni+eGlWqHlXAwaqDnz5hGKe/yHRBVZjUO8Ic61ujHH28dPC++hMDkfq9sBH9mXeXA\nfovVEQJOiF65K40Lel9FAa9E5yjGSvcocqBrsh4usS6jTrFJmnat4poCnJDG+Ova\n7S2kD2FEwQxRRFlWX8I7nsmdxgATIIVhLgvCImJKAb2GEBmXx/Vpj6UTG5H+dvtP\niYtHxq0QOpeR47wNc5nUTaHTP0Lsj9hB4SS7rTdKHptXEtHCEznM7SEarNCt+MQY\nQd5O/x3cItJKADxV2JO2XPL96hqlX/e6+CWcsW89nAbuIID651b7ZWBw19F+62dt\nxlVrehcsYWLz+GuGBYysx+/0EVuZ422AEi/v9ft5YdigXrxq0ddJKRtFvcQFMh0G\n2w12fADrzX2ExzTWW
c7FIwBmCr5XcwLVtmwU2bOD8mX36B7UPybBDsZ5J7/fr3TP\nYIz5ApQI5ewNsBhVoyJxSJQ6IoEBC5udrGNBMKOgZEYW+1MTWPojDU9eIg0Mew1D\n7PkXYEDrHBUccbaePLViUPcEeGkE7gB/FAWsIIfjRFzR8GDJpf/RnEK7G4mvPrIw\nlH8ARzgA93gtGOyx0DVOg+zIeplbARgZoIhyX3QCpsOTPz/CmBZIwMikRZfag9Je\nAfBikUXA2MBcIDAocQAKFILnFLyY7qgNKhvqhiCc+j04GmP7mjtAiZXP7lyUauRM\nt2PUcec90jfk0wsT1DXfeJKuWVa1hkv4/2Ejz5/PXa6ZQbrmBtZG9ZIDk2VveQ==\n=k0BA\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosts/nixos/x86_64-linux/summers/default.nix b/hosts/nixos/x86_64-linux/summers/default.nix index 43c4b49..3b6051b 100644 --- a/hosts/nixos/x86_64-linux/summers/default.nix +++ b/hosts/nixos/x86_64-linux/summers/default.nix @@ -11,8 +11,6 @@ loader.efi.canTouchEfiVariables = true; }; - # globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; - networking = { inherit (config.repo.secrets.local) hostId; hostName = configName; diff --git a/hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc index dae95ff..6f72187 100644 --- a/hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:XTHUIhn7yVn2/EvZBSg1v+EU154Kj0hgvHbUdpnc2W4U+0UNBlqxRvVxw8XFm8uo1en2hXoS,iv:XeEzWY0UB/QqbxoIQJEOkWlaU5nyETl0Aki7iyRq/Y8=,tag:rcNiCc5a6+wLYAzX1pMxxQ==,type:str]", + "data": "ENC[AES256_GCM,data:PFtZdHoWzYmrHio52kBZ7LDthUI+qAPBfCqkY/ubTIwVJoaZixXbuzJdJuA84YH5YBZ/umTYG/9Ocs4hNbCYoPcG6VdreIcqwVxD6PgCEtqtTK0qxOfBqdIXQ1Gl2EzyMuxQm3pFFEx1zzueJ3KvdZEZRtzvytLlw/pKkETLECAxqAoZ5fSVApzIczGI053046v7ItdulGLOZGc=,iv:0EhqmcDH8yFC78H2tuhGbu49ZzVaMtdvf/7XuNU9hyo=,tag:/8rHZKR6CLH7HNAaK5EDOg==,type:str]", "sops": { "age": [ { 
@@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-06T11:16:16Z", - "mac": "ENC[AES256_GCM,data:rBE1qTiaLme63i23YL16qmDE6rcKaxwWwzzqgsv4SmKCBJonjiyUc4DyRU8JuCbTx6K9+4VtERJzTLlbXhvjXl27LRQtfbNSBXBIyTgdSz0Fo46lDdVUMFSdPDbU97XAx9P3eu425aspkJYxffOJ2lvqinAVuw9U6oBpot5jVaw=,iv:N3mp0DY80UVGa4Vf4ya+5B/9w8iTihAyg/XgStgtHAo=,tag:tKjnbFm0yFddj759OK5Mdw==,type:str]", + "lastmodified": "2025-11-09T23:30:06Z", + "mac": "ENC[AES256_GCM,data:/af6vMgOLZ6bqLdwhmCg9lX+S1afi3HoKeVhrEgxtjrob3IIHMoD2YqP+PhXazGTyArBPEHxojZ9ew8SqedosID61nE8H45gMV6jz8g4hF9sm7c5CRavEk7Lgy4kO4Xw6LyUEO379RUa3OOrhKrOI2+zWf+NkCQf8Hy79Cc56Ds=,iv:BDuCygDtMYdYfd8p3xZSNN4ZaFiN9WbNRD+3LSluwlY=,tag:+S01XGwLZcCa9c8IDDjjGg==,type:str]", "pgp": [ { "created_at": "2025-08-24T23:36:17Z", diff --git a/hosts/nixos/x86_64-linux/winters/default.nix b/hosts/nixos/x86_64-linux/winters/default.nix index cbe391e..c50b4a7 100644 --- a/hosts/nixos/x86_64-linux/winters/default.nix +++ b/hosts/nixos/x86_64-linux/winters/default.nix @@ -10,7 +10,11 @@ loader.efi.canTouchEfiVariables = true; }; - globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; + # globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; + # globals.networks.home.hosts.${config.node.name} = { + # ipv4 = config.repo.secrets.local.home-ipv4; + # mac = config.repo.secrets.local.home-mac; + # }; networking = { inherit (config.repo.secrets.local) hostId; diff --git a/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc index 053a465..cdcc63e 100644 
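Review bot: This hunk replaces winters' only visible `globals.hosts.${config.node.name}.ipv4` assignment with five commented-out lines, so after this commit the address every server module now reads as `globals.networks.home.hosts.winters.ipv4` must come from the new network.nix module, which registers `id` and `mac` only (presumably the globals option derives `ipv4` from `id`; not visible here). Commented-out configuration tends to be re-enabled without review, and the `home-ipv4`/`home-mac` secrets named in it are the same data network.nix now reads, so I would delete the block rather than keep it, or reduce it to `# address/mac registration moved to swarselmodules.server.network (modules/nixos/server/network.nix)`. The surrounding module continues outside the hunk.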
--- a/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:+cS1MmSlZWLdRt5Ey31y6WrDAudgjHxsUbfCBUK0/Sg=,tag:byOqNWWPQmlrDWQO1tRRJQ==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:C/7cgdkpNmOIeb8cdYI0rbyxebJLgpqIU8ezO+zRqCA=,tag:NywhkBzKpQrJ3H7ZKxvYgQ==,type:str]", "sops": { "age": [ { @@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-04T09:26:35Z", - "mac": "ENC[AES256_GCM,data:T8GqsMxfFB9s1EOeLHNzxoz23FCOnlNsBsbvMxiLq7a78xt5Xw3dVN/IWfkyiCDwfSjo+fVx2yEd5tP/B3fSN7S8WJNSe5ZywLpal/RlsCzv7ARvbVCaBx22S4az97JsR1qQUcGSvoiTH5e/0t2tBtimGJ1witbvbiGkTBp8taw=,iv:Qs26cjeMLtRhTDO91yfBo93wUKJ9zVfUbJ8o6myHGUo=,tag:FbT8emz6q1QnXdxoX6hsYQ==,type:str]", + "lastmodified": "2025-11-09T23:29:33Z", + "mac": "ENC[AES256_GCM,data:UU9a1Yg8Inmcht6gc2pTi3GpV945YAMdVN08Q2/yjg5850N3VhVcD0dsu/bn+4fOSvOiDtWzkoqq1PquRWJbfDjZJxl0aivU7UHN3st64nxIc/mKKZp7VwavMDTVDQScRlpaPZoC0zZ5CDQtBQisfY2AiDtfUVBKZLfuvI3Kjsc=,iv:RPcSwZHVlTo8laro1bCAaJT8KXXCtLHJk1iH4zaZbgk=,tag:qOhN4DNr+d1/34R6L78PLg==,type:str]", "pgp": [ { "created_at": "2025-08-24T23:36:17Z", diff --git a/modules/nixos/server/router.nix b/modules/nixos/server/router.nix new file mode 100644 index 0000000..fb8112a --- /dev/null +++ b/modules/nixos/server/router.nix 
@@ -0,0 +1,56 @@ +{ lib, config, ... }: +let + serviceName = "router"; +in +{ + options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + systemd.network = { + wait-online.anyInterface = true; + networks = { + "30-lan0" = { + matchConfig.Name = "lan0"; + linkConfig.RequiredForOnline = "enslaved"; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + }; + "30-lan1" = { + matchConfig.Name = "lan1"; + linkConfig.RequiredForOnline = "enslaved"; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + }; + "30-lan2" = { + matchConfig.Name = "lan2"; + linkConfig.RequiredForOnline = "enslaved"; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + }; + "30-lan3" = { + matchConfig.Name = "lan3"; + linkConfig.RequiredForOnline = "enslaved"; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + }; + "10-wan" = { + matchConfig.Name = "wan"; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + DNSOverTLS = true; + DNSSEC = true; + IPv6PrivacyExtensions = false; + IPForward = true; + }; + # make routing on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; + }; +} diff --git a/profiles/nixos/router/default.nix b/profiles/nixos/router/default.nix new file mode 100644 index 0000000..256cfa0 --- /dev/null +++ b/profiles/nixos/router/default.nix @@ -0,0 +1,12 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.router = lib.mkEnableOption "enable the router profile"; + config = lib.mkIf config.swarselprofiles.router { + swarselmodules = { + server = { + router = lib.mkDefault true; + }; + }; + }; + +}
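Review bot: The `10-wan` network turns on forwarding (`IPForward = true`) on the internet-facing interface, but nothing in this module filters or NATs forwarded traffic — no nftables forward policy, no masquerade — and no netdev is declared for the `lan*` ports even though they are marked `RequiredForOnline = "enslaved"`, so as written the host forwards between `wan` and whatever the LAN ports carry with only the input chain of the server profile's firewall (assumed still enabled) in front of it. `IPForward=` is also a deprecated, effectively system-wide knob in recent systemd (256+); `IPv4Forwarding = true;` (and `IPv6Forwarding` if v6 routing is intended) is the replacement. `DNSOverTLS = true` is strict mode while the resolvers still come from the ISP's DHCP lease (`UseDNS` defaults to yes), so resolution fails outright if those resolvers do not speak DoT — either `UseDNS = false` plus explicit `DNS =` servers, or `DNSOverTLS = "opportunistic"`. I would put `# TODO: forward chain (drop by default, lan→wan accept, established/related return) and masquerade on wan before enabling swarselprofiles.router` at the top of the `systemd.network` block so the gap is recorded until the rules land.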