talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: talexander:e2658412aba607a1d5cf220213f75764dcea2f6c
Branches Tags
talexander:main talexander:nix talexander:kubernetes talexander:mt7927 talexander:yubipi talexander:upstream_amd_debug_tools talexander:install_files_mixin talexander:starship talexander:pixelbook
...
compare: talexander:kubernetes
Branches Tags
talexander:nix talexander:kubernetes talexander:main talexander:mt7927 talexander:yubipi talexander:upstream_amd_debug_tools talexander:install_files_mixin talexander:starship talexander:pixelbook

106 Commits
e2658412ab ... kubernetes

Author SHA1 Message Date
Tom Alexander
794cce9a50 Configure kernel preemption. 2026-06-14 18:06:01 -04:00
Tom Alexander
01fff9b60a Update kubernetes packages and update to gateway API 1.5.1. 2026-06-14 10:21:53 -04:00
Tom Alexander
70773fd4f3 Add secret for homepage-staging. 2026-06-14 10:21:53 -04:00
Tom Alexander
407bc13bc2 Add a secret for the harbor webhooks to flux. 2026-06-14 10:21:53 -04:00
Tom Alexander
9db4b0ea5c Update flux and install the image automation controller. 2026-06-14 10:21:53 -04:00
Tom Alexander
6d44d6e6c9 Add IP addresses to worker certs for the metrics server. 2026-06-14 10:21:52 -04:00
Tom Alexander
87aca6ef61 Delete images after 24 hours of being unused. 2026-06-14 10:21:52 -04:00
Tom Alexander
b302a14893 Set up containerd use harbor.fizz.buzz. 2026-06-14 10:21:52 -04:00
Tom Alexander
9c8c17f028 Add secrets for archive-box, webhook-bridge, and tekton. 2026-06-14 10:21:52 -04:00
Tom Alexander
fe5465f2d8 Allow node-to-node communication. 2026-06-14 10:21:52 -04:00
Tom Alexander
914d6b071e Use numbers for folder order. 2026-06-14 10:21:52 -04:00
Tom Alexander
aadcf13442 Add harbor secrets. 2026-06-14 10:21:51 -04:00
Tom Alexander
b2f9889b0c Switch to the experimental gateway CRDs for TCPRoute support. 2026-06-14 10:21:51 -04:00
Tom Alexander
b444e37e3c Add oauth2 proxy secrets. 2026-06-14 10:21:51 -04:00
Tom Alexander
54b097ae69 Add dex secrets. 2026-06-14 10:21:51 -04:00
Tom Alexander
c7502af7e8 Enable the firewall. 2026-06-14 10:21:48 -04:00
Tom Alexander
f5da063952 Add gitea secrets. 2026-06-14 08:47:17 -04:00
Tom Alexander
3b1b78c0b5 Add generation for in-repo secrets. 2026-06-14 08:47:17 -04:00
Tom Alexander
8dfd4f27f6 Enforce cilium network policies. 2026-06-14 08:47:17 -04:00
Tom Alexander
6d4550c93a Downgrade to gateway 1.4.1. 
1.5 came out recently, so no gateway providers support it.
 2026-06-14 08:47:17 -04:00
Tom Alexander
cf72a26942 Update packages in kubernetes/keys. 2026-06-14 08:47:17 -04:00
Tom Alexander
0429f19364 Fix network for updated nix. 2026-06-14 08:47:16 -04:00
Tom Alexander
2a70d24603 Fix proxy auth tls 2026-06-14 08:47:16 -04:00
Tom Alexander
8054db8cfb Generate certificates for the aggregation layer. 2026-06-14 08:47:16 -04:00
Tom Alexander
4b4934b4c4 Add a note for the cilium connectivity test. 2026-06-14 08:47:16 -04:00
Tom Alexander
d611f0fe5a Temporarily disable the firewall for debugging. 2026-06-14 08:47:16 -04:00
Tom Alexander
a665cae379 Enable gateway support. 2026-06-14 08:47:16 -04:00
Tom Alexander
4c59dfd8b2 Enable hubble. 2026-06-14 08:47:15 -04:00
Tom Alexander
8a08714522 Temporarily drop flux interval to 1 minute during early development. 
This is to reduce waiting time.
 2026-06-14 08:47:15 -04:00
Tom Alexander
8c35971357 Install deferred manifests. 2026-06-14 08:47:15 -04:00
Tom Alexander
53fe030d97 Add a custom nftables firewall config. 2026-06-14 08:47:15 -04:00
Tom Alexander
724c05f03a Enable the firewall. 
Now that we have networking working, I can enable the firewall and confirm nothing breaks.
 2026-06-14 08:47:15 -04:00
Tom Alexander
8b2916189b Fix CoreDNS IPv4 connectivity. 2026-06-14 08:47:15 -04:00
Tom Alexander
a95f24af0d Increase timeout for coredns cache. 2026-06-14 08:47:14 -04:00
Tom Alexander
1528ae0764 More changes to try to fix coredns. 2026-06-14 08:47:14 -04:00
Tom Alexander
30f817dfe8 Move the kubelet yaml config into nix. 2026-06-14 08:47:14 -04:00
Tom Alexander
efd21f715f Implement a generic helm templater package. 2026-06-14 08:47:14 -04:00
Tom Alexander
23372d763f Switch to generating the coredns manifests via nix. 2026-06-14 08:47:14 -04:00
Tom Alexander
e55ece9dad Use CoreDNS for in-cluster DNS requests and caching. 2026-06-14 08:47:14 -04:00
Tom Alexander
05f1c518fd Enable native routing. 2026-06-14 08:47:13 -04:00
Tom Alexander
43633597fc Build the cilium manifest automatically in nix. 2026-06-14 08:47:13 -04:00
Tom Alexander
90c88adb73 Allow pods to directly speak to the public internet on their own public IPv6 addresses. 2026-06-14 08:47:13 -04:00
Tom Alexander
cd78dc4680 Enable ipv4 and tunnel routing. 2026-06-14 08:47:13 -04:00
Tom Alexander
c37723ca81 Switch to kubernetes ipam mode. 2026-06-14 08:47:13 -04:00
Tom Alexander
1da8e20d5b Fix service cluster ip range. 
Kubernetes only allows a /112 for service ip range.
 2026-06-14 08:47:13 -04:00
Tom Alexander
8584577327 Fix trailing line break in kubernetes encryption config. 2026-06-14 08:47:13 -04:00
Tom Alexander
a3afb104cd Move the yaml functions to their own file. 2026-06-14 08:47:12 -04:00
Tom Alexander
d4620e8ac9 Introduce functions to generate yaml. 
The toYAML function is just an alias to toJSON which is technically fine since YAML is a superset of JSON, but these new functions will generate actual YAML.
 2026-06-14 08:47:12 -04:00
Tom Alexander
ebe4505a6f Add missing cidr declarations. 2026-06-14 08:47:12 -04:00
Tom Alexander
f962c679ca Fix DNS resolution. 2026-06-14 08:47:12 -04:00
Tom Alexander
4fe58c4d6c Apply the git repo to the cluster. 2026-06-14 08:47:12 -04:00
Tom Alexander
570424f5b1 Trust flux's ssh key in the yaml git repo. 2026-06-14 08:47:12 -04:00
Tom Alexander
3a5ada6049 Generic secrets for ssh keys. 2026-06-14 08:47:11 -04:00
Tom Alexander
8d572a5cce Generic secrets for pgp keys. 2026-06-14 08:47:11 -04:00
Tom Alexander
c26fa59408 Generate kubernetes secrets for ssh keys. 2026-06-14 08:47:11 -04:00
Tom Alexander
2e0c97bbf9 Install CoreDNS. 2026-06-14 08:47:11 -04:00
Tom Alexander
3197868a7b Generate pgp keys for sops. 2026-06-14 08:47:11 -04:00
Tom Alexander
c9f483dd98 Generate ssh keys for flux bootstrap. 2026-06-14 08:47:11 -04:00
Tom Alexander
dbeb98112b Move the cluster bootstrap into the keys flake. 
Bootstrapping the cluster needs access to secrets, so I am moving it into the keys flake.
 2026-06-14 08:47:10 -04:00
Tom Alexander
958ae2b694 Set up flux. 2026-06-14 08:47:10 -04:00
Tom Alexander
925eb99406 Add a bootstrap role. 2026-06-14 08:47:10 -04:00
Tom Alexander
3cdaf980b5 Add a bootstrap role to load manifests into the cluster. 2026-06-14 08:47:10 -04:00
Tom Alexander
c4caf5d103 Fix launching of containers. 2026-06-14 08:47:10 -04:00
Tom Alexander
eab42023a9 Create a debugging role. 2026-06-14 08:47:10 -04:00
Tom Alexander
fe6056cee7 Some networking fixes. 2026-06-14 08:47:10 -04:00
Tom Alexander
64ad4430bb Add cilium bootstrap. 2026-06-14 08:47:09 -04:00
Tom Alexander
dd2d0b23e4 Installing the cni plugins. 2026-06-14 08:47:09 -04:00
Tom Alexander
eb82e8e5e3 Add kube-proxy. 2026-06-14 08:47:09 -04:00
Tom Alexander
f1382cfbb7 Add kubelet. 2026-06-14 08:47:09 -04:00
Tom Alexander
43df118e4f Add worker nodes. 2026-06-14 08:47:09 -04:00
Tom Alexander
f3797b5c42 Add kube-scheduler. 2026-06-14 08:47:09 -04:00
Tom Alexander
593929598a Add kube-controller-manager. 2026-06-14 08:47:08 -04:00
Tom Alexander
3a8569b0de Fix launching kube-apiserver. 2026-06-14 08:47:08 -04:00
Tom Alexander
84738f7266 Move the encryption config into a package. 2026-06-14 08:47:08 -04:00
Tom Alexander
45b7ce369e Switch to generating certs with openssl. 2026-06-14 08:47:08 -04:00
Tom Alexander
c863bfe136 Add controller proxy certs. 2026-06-14 08:47:08 -04:00
Tom Alexander
98a0d78e45 Add requestheader-client-ca. 2026-06-14 08:47:08 -04:00
Tom Alexander
87312b19fa Add service account. 2026-06-14 08:47:07 -04:00
Tom Alexander
cb312752ba Install kubernetes. 2026-06-14 08:47:07 -04:00
Tom Alexander
321d215a57 Add additional controllers. 2026-06-14 08:47:07 -04:00
Tom Alexander
21d5002e7f Add configs for a new kubernetes cluster on NixOS. 2026-06-14 08:47:05 -04:00
Tom Alexander
9e4c079258 Update packages. 2026-06-13 22:05:23 -04:00
Tom Alexander
3ab7a6e460 Update packages. 2026-06-13 22:05:23 -04:00
Tom Alexander
49f75408ae Move kernel config to its own role. 2026-06-13 22:05:23 -04:00
Tom Alexander
0fa170c57e Preserve .vscode-shared. 
The latest vscode is storing data in ~/.vscode-shared that contains the "Open Recent" entries and the settings on which folders are trusted.
 2026-05-27 13:24:16 -04:00
Tom Alexander
3050cece0c Do not force import the root zfs pool. 2026-05-25 22:20:08 -04:00
Tom Alexander
6d070ddbb4 Update packages. 2026-05-25 22:20:08 -04:00
Tom Alexander
f99fa54d60 Revert "Update only the kernel." 
This reverts commit d52b5db39b.
 2026-05-21 20:31:54 -04:00
Tom Alexander
d52b5db39b Update only the kernel. 2026-05-21 20:31:27 -04:00
Tom Alexander
003c3cc41a Fix rnnoise after latest update. 2026-05-07 17:00:03 -04:00
Tom Alexander
d83652bb9c Add rsync_clone script. 2026-05-06 10:02:20 -04:00
Tom Alexander
6fd09a712e Add git_fix_author script. 2026-05-06 10:00:02 -04:00
Tom Alexander
d9c4f824d2 Add git_find_merged_branches script. 2026-05-06 09:56:18 -04:00
Tom Alexander
856e4daee6 Add the decode_jwt script. 2026-05-06 09:49:47 -04:00
Tom Alexander
9a9268f8cc Disable shipwright. 
The hash is not matching, so the build is broken.
 2026-05-05 22:42:17 -04:00
Tom Alexander
8d3ebf7ba2 Update packages. 2026-05-01 20:16:45 -04:00
Tom Alexander
d35cfaacbd Add nix-pin-revision script. 2026-04-26 08:32:17 -04:00
Tom Alexander
8b1212e182 Support hardware accelerated RNG in qemurc. 2026-04-26 08:32:17 -04:00
Tom Alexander
7f0250cb9d Sync to the store before registering paths. 2026-04-26 08:32:17 -04:00
Tom Alexander
bc2636a54c New VPN address for home server. 2026-04-26 08:32:17 -04:00
Tom Alexander
c8147b5e9e Use direct paths for hydra's nix store. 
I was getting corrupted builds, so as a test I am using the direct path where the drive is mounted rather than going through bind mounts.
 2026-04-26 08:32:17 -04:00
Tom Alexander
4115e95bb6 Add a build of nixbsd to nix_builder. 2026-04-26 08:32:17 -04:00
Tom Alexander
4c1465c8d0 Update packages. 2026-04-26 08:32:17 -04:00
Tom Alexander
791f67eb82 Update nix_builder. 2026-04-02 22:03:45 -04:00
Tom Alexander
bf27504a5a Add repair flag to build scripts. 2026-04-02 14:14:11 -04:00
Tom Alexander
620c12eaa7 Add auto-formatting for d2. 2026-04-02 14:04:04 -04:00
215 changed files with 10248 additions and 137 deletions
Expand all files Collapse all files

12
nix/configuration/README.org Normal file
View File

@@ -0,0 +1,12 @@
* To-do
** Perhaps use overlay for /etc for speedup
#+begin_src nix
system.etc.overlay.enable = true;
#+end_src
** read https://nixos.org/manual/nixos/stable/
** Performance for mini pc
#+begin_src nix
security.pam.loginLimits = [
{ domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
];
#+end_src

47
nix/configuration/configuration.nix
View File

@@ -1,9 +1,16 @@
{
config,
lib,
pkgs,
...
}:
let
alias_nix_pin_revision = pkgs.writeShellScriptBin "nix-pin-revision" ''
# Usage: nix-pin-revision nixpkgs 'github:NixOS/nixpkgs/00c21e4c93d963c50d4c0c89bfa84ed6e0694df2'
exec nix flake lock --override-input "''${@}"
'';
in
{
imports = [
./roles/2ship2harkinian
@@ -47,6 +54,7 @@
./roles/iso_mount
./roles/jujutsu
./roles/kanshi
./roles/kernel
./roles/kodi
./roles/kubernetes
./roles/latex
@@ -119,6 +127,9 @@
nix.settings.max-free = 1000000000;
nix.settings.fallback = true;
nix.settings.warn-dirty = false;
nix.settings.fsync-metadata = true;
# Ensure store paths are durably written to disk before registering the paths so a crash mid-build does not leave us in a corrupted state.
nix.settings.fsync-store-paths = true;
hardware.enableRedistributableFirmware = true;
@@ -129,7 +140,8 @@
# Automatic garbage collection
nix.gc = lib.mkIf (!config.me.buildingPortable) {
# Runs nix-collect-garbage --delete-older-than 5d
automatic = true;
# automatic = true;
automatic = false;
persistent = true;
dates = "monthly";
# randomizedDelaySec = "14m";
@@ -137,6 +149,10 @@
};
nix.settings.auto-optimise-store = !config.me.buildingPortable;
environment.systemPackages = [
alias_nix_pin_revision
];
environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
hideMounts = true;
directories = [
@@ -220,13 +236,30 @@
);
in
[
(disableTests "coreutils")
(disableTests "coreutils-full")
(disableTests "libuv")
(final: prev: {
inherit (final.unoptimized) libtpms libjxl;
})
(disableTests "deno") # Tests use too much disk space
(disableOptimizations "libtpms")
(disableOptimizationsPython3 "scipy")
(disableOptimizations "assimp")
(disableOptimizations "gsl")
(final: prev: {
rpcs3 = prev.rpcs3.override {
glew = (final.glew.override { enableEGL = false; });
};
})
(final: prev: {
fwupd = prev.fwupd.overrideAttrs (
finalAttrs: prevAttrs: {
version = "2.1.5";
src = final.fetchFromGitHub {
owner = "fwupd";
repo = "fwupd";
tag = finalAttrs.version;
hash = "sha256-DzQ+N99ZmFRqZc2rN6PSqmoIMXUyrE8Kkn+KnT/AWPc=";
};
}
);
})
# Works but probably sets python2's scipy to be python3:
#
# (final: prev: {

31
nix/configuration/flake.lock generated
View File

@@ -22,11 +22,11 @@
]
},
"locked": {
"lastModified": 1769524058,
"narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
"lastModified": 1780894562,
"narHash": "sha256-c3430xwxwhHipl3jigUGMMBfpaMylDqytW/kdmB3ZGs=",
"owner": "nix-community",
"repo": "disko",
"rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
"rev": "24fed06cac83bcc44ac8efbb57cab1a82fa0bedc",
"type": "github"
},
"original": {
@@ -164,11 +164,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1770197578,
"narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
"lastModified": 1780749050,
"narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
"rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
"type": "github"
},
"original": {
@@ -178,6 +178,22 @@
"type": "github"
}
},
"nixpkgs-google": {
"locked": {
"lastModified": 1779893571,
"narHash": "sha256-wiwMyVCtmjRjlFCe2zaumCE6LRV9GzzN0ZH25NQkbAU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
@@ -226,7 +242,8 @@
"disko": "disko",
"impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"nixpkgs-google": "nixpkgs-google"
}
},
"rust-overlay": {

5
nix/configuration/flake.nix
View File

@@ -20,6 +20,7 @@
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-google.url = "github:NixOS/nixpkgs/45f6cfaa4605b706c870e75bd74bdb5e97eee11e";
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nixpkgs";
@@ -34,6 +35,7 @@
{
self,
nixpkgs,
nixpkgs-google,
disko,
impermanence,
lanzaboote,
@@ -92,6 +94,9 @@
hostPlatform.gcc.arch = "default";
hostPlatform.gcc.tune = "default";
};
google = import nixpkgs-google {
system = prev.stdenv.hostPlatform.system;
};
})
];
};

2
nix/configuration/hosts/family_disks/DEPLOY_BOOT
View File

@@ -10,4 +10,4 @@ TARGET=family_disks
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#family_disks" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#family_disks" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/family_disks/DEPLOY_SWITCH
View File

@@ -10,4 +10,4 @@ TARGET=family_disks
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#family_disks" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#family_disks" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/family_disks/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#family_disks.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#family_disks.iso" --repair --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/family_disks/SELF_BOOT
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/family_disks/SELF_BUILD
View File

@@ -9,4 +9,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/family_disks/SELF_SWITCH
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#family_disks" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/hydra/DEPLOY_BOOT
View File

@@ -10,4 +10,4 @@ TARGET=hydra
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/hydra/DEPLOY_SWITCH
View File

@@ -10,4 +10,4 @@ TARGET=hydra
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#hydra" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/hydra/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/hydra/SELF_BOOT
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/hydra/SELF_BUILD
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/hydra/SELF_SWITCH
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#hydra" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/hydra/VM_ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#hydra.vm_iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/DEPLOY_BOOT
View File

@@ -10,4 +10,4 @@ TARGET=i_only_boot_zfs
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/DEPLOY_SWITCH
View File

@@ -10,4 +10,4 @@ TARGET=i_only_boot_zfs
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#i_only_boot_zfs" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#i_only_boot_zfs.iso" --repair --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/SELF_BOOT
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/SELF_BUILD
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/i_only_boot_zfs/SELF_SWITCH
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#i_only_boot_zfs" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/neelix/DEPLOY_BOOT
View File

@@ -12,6 +12,6 @@ TARGET=neelix
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild boot --flake /persist/manual/configuration#neelix'

2
nix/configuration/hosts/neelix/DEPLOY_SWITCH
View File

@@ -12,6 +12,6 @@ TARGET=neelix
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#neelix" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json
# rsync -av --progress --delete --exclude=.git "$DIR/../../../configuration" "talexander@${TARGET}:/persist/manual/" && ssh talexander@${TARGET} 'cd /persist/manual/configuration && nix flake update zsh-histdb && nix flake update ansible-sshjail && doas nice -n 19 nixos-rebuild switch --flake /persist/manual/configuration#neelix'

2
nix/configuration/hosts/odo/DEPLOY_BOOT
View File

@@ -10,4 +10,4 @@ TARGET=odo
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odo/DEPLOY_SWITCH
View File

@@ -10,4 +10,4 @@ TARGET=odo
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#odo" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odo/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odo.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odo.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odo/SELF_BOOT
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --repair --log-format internal-json -v "${@}" |& nom --json

3
nix/configuration/hosts/odo/SELF_BUILD
View File

@@ -5,8 +5,7 @@ IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
: "${NOM:="true"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odo/SELF_SWITCH
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odo" --repair --log-format internal-json -v "${@}" |& nom --json

3
nix/configuration/hosts/odo/default.nix
View File

@@ -110,6 +110,7 @@
me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
me.jujutsu.enable = true;
me.kanshi.enable = false;
me.kernel.enable = true;
me.kubernetes.enable = true;
me.latex.enable = true;
me.launch_keyboard.enable = true;
@@ -164,7 +165,7 @@
me.zsh.enable = true;
me.sm64ex.enable = true;
me.shipwright.enable = true;
me.shipwright.enable = false;
me.ship2harkinian.enable = true;
};
}

2
nix/configuration/hosts/odowork/DEPLOY_BOOT
View File

@@ -8,4 +8,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
TARGET=odowork
nixos-rebuild boot --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odowork/DEPLOY_SWITCH
View File

@@ -8,4 +8,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
TARGET=odowork
nixos-rebuild switch --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#odowork" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odowork/INSTALLER
View File

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.installer" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.installer" --repair --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odowork/ISO
View File

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#odowork.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odowork/SELF_BOOT
View File

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odowork/SELF_BUILD
View File

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/odowork/SELF_SWITCH
View File

@@ -6,4 +6,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#odowork" --repair --log-format internal-json -v "${@}" |& nom --json

1
nix/configuration/hosts/odowork/default.nix
View File

@@ -111,6 +111,7 @@
me.iso_mount.enable = true;
me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
me.jujutsu.enable = true;
me.kernel.enable = true;
me.latex.enable = true;
me.launch_keyboard.enable = true;
me.lvfs.enable = true;

2
nix/configuration/hosts/quark/DEPLOY_BOOT
View File

@@ -10,4 +10,4 @@ TARGET=quark
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/quark/DEPLOY_SWITCH
View File

@@ -10,4 +10,4 @@ TARGET=quark
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#quark" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/quark/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#quark.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#quark.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/quark/SELF_BOOT
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/quark/SELF_BUILD
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/quark/SELF_SWITCH
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#quark" --repair --log-format internal-json -v "${@}" |& nom --json

3
nix/configuration/hosts/quark/default.nix
View File

@@ -104,6 +104,7 @@
me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
me.jujutsu.enable = true;
me.kanshi.enable = false;
me.kernel.enable = true;
me.kubernetes.enable = true;
me.latex.enable = true;
me.launch_keyboard.enable = true;
@@ -159,7 +160,7 @@
me.zsh.enable = true;
me.sm64ex.enable = true;
me.shipwright.enable = true;
me.shipwright.enable = false;
me.ship2harkinian.enable = true;
};
}

2
nix/configuration/hosts/recovery/DEPLOY_BOOT
View File

@@ -10,4 +10,4 @@ TARGET=recovery
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/recovery/DEPLOY_SWITCH
View File

@@ -10,4 +10,4 @@ TARGET=recovery
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/recovery/ISO
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#recovery.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#recovery.iso" --max-jobs "$JOBS" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/recovery/SELF_BOOT
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/recovery/SELF_BUILD
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --repair --log-format internal-json -v "${@}" |& nom --json

2
nix/configuration/hosts/recovery/SELF_SWITCH
View File

@@ -7,4 +7,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --repair --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/roles/base/default.nix
View File

@@ -14,6 +14,12 @@ let
cleanup_temporary_files = (
patchScriptBin "cleanup_temporary_files" (builtins.readFile ./files/cleanup_temporary_files.bash)
);
decode_jwt = (patchScriptBin "decode_jwt" (builtins.readFile ./files/decode_jwt.bash));
git_find_merged_branches = (
patchScriptBin "git_find_merged_branches" (builtins.readFile ./files/git_find_merged_branches.bash)
);
git_fix_author = (patchScriptBin "git_fix_author" (builtins.readFile ./files/git_fix_author.bash));
rsync_clone = (patchScriptBin "rsync_clone" (builtins.readFile ./files/rsync_clone.bash));
alias_rga = pkgs.writeShellScriptBin "rga" ''
exec ${pkgs.ripgrep}/bin/rg -uuu "''${@}"
'';
@@ -59,8 +65,12 @@ in
nix-output-monitor # For better view into nixos-rebuild
# nix-serve-ng # Serve nix store over http
cleanup_temporary_files
decode_jwt
jq
inetutils # For whois
git_find_merged_branches
git_fix_author
rsync_clone
];
};
}

5
nix/configuration/roles/base/files/cleanup_temporary_files.bash
View File

@@ -1,4 +1,7 @@
#!/usr/bin/env bash
#
# Delete temporary files on entire disk
find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null
set -euo pipefail
IFS=$'\n\t'
exec find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null

8
nix/configuration/roles/base/files/decode_jwt.bash Normal file
View File

@@ -0,0 +1,8 @@
#!/usr/bin/env bash
#
# Decode the contents of a JWT
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
exec jq -R 'split(".") | .[0],.[1] | gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=")| @base64d | fromjson'

10
nix/configuration/roles/base/files/git_find_merged_branches.bash Normal file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
# Find local branches that have been merged
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: ${MAIN_BRANCH:="main"}
git checkout -q ${MAIN_BRANCH} && git for-each-ref refs/heads/ "--format=%(refname:short)" | while read branch; do mergeBase=$(git merge-base ${MAIN_BRANCH} $branch) && [[ $(git cherry ${MAIN_BRANCH} $(git commit-tree $(git rev-parse "$branch^{tree}") -p $mergeBase -m _)) == "-"* ]] && echo "$branch"; done

22
nix/configuration/roles/base/files/git_fix_author.bash Normal file
View File

@@ -0,0 +1,22 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
git filter-branch --env-filter '
WRONG_EMAIL="old@email.foo"
NEW_NAME="New Name"
NEW_EMAIL="new@email.bar"
if [ "$GIT_COMMITTER_EMAIL" = "$WRONG_EMAIL" ]
then
export GIT_COMMITTER_NAME="$NEW_NAME"
export GIT_COMMITTER_EMAIL="$NEW_EMAIL"
fi
if [ "$GIT_AUTHOR_EMAIL" = "$WRONG_EMAIL" ]
then
export GIT_AUTHOR_NAME="$NEW_NAME"
export GIT_AUTHOR_EMAIL="$NEW_EMAIL"
fi
' --tag-name-filter cat --commit-filter 'git commit-tree -S "$@";' -- --branches --tags

8
nix/configuration/roles/base/files/rsync_clone.bash Normal file
View File

@@ -0,0 +1,8 @@
#!/usr/bin/env bash
#
# Wrapper to set rsync flags for cloning a folder preserving attributes
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
exec rsync -aHAXS "$@"

4
nix/configuration/roles/distributed_build/default.nix
View File

@@ -56,7 +56,7 @@ let
# "aarch64-linux"
];
hostName = lib.mkForce "hydra?remote-store=local?root=/home/nixworker/persist/root";
hostName = lib.mkForce "hydra?remote-store=local?root=/.disk/root";
};
};
joined_configs =
@@ -101,7 +101,7 @@ in
# Using an ssh-based substituter slows down the build because querying the remote store for paths takes ages.
#
# nix.settings.substituters = lib.mkForce [
# "ssh-ng://nixworker@ns1.fizz.buzz:65122?compress=true&ssh-key=/persist/manual/ssh/root/keys/id_ed25519&remote-store=/home/nixworker/persist/root"
# "ssh-ng://nixworker@ns1.fizz.buzz:65122?compress=true&ssh-key=/persist/manual/ssh/root/keys/id_ed25519&remote-store=/.disk/root"
# ];
# nix.settings.substitute = lib.mkForce true;

23
nix/configuration/roles/emacs/files/emacs/elisp/base-functions.el
View File

@@ -27,6 +27,29 @@
)
)
(defun run-command-on-buffer-require-output (cmd &rest args)
"Run a command using the current buffer as stdin and replacing its contents if the command succeeds with the stdout from the command. This is useful for code formatters. This version only replaces the buffer contents if the command output some text."
(let (
(stdout-buffer (generate-new-buffer "tmp-stdout" t))
(full-cmd (append '(call-process-region nil nil cmd nil stdout-buffer nil) args))
)
(unwind-protect
(let ((exit-status (eval full-cmd)))
(if (eq exit-status 0)
(if (> (buffer-size stdout-buffer) 0)
(save-excursion
(replace-buffer-contents stdout-buffer)
)
(message "No output from command on buffer %s" (append (list cmd) args))
)
(message "FAILED running command on buffer %s" (append (list cmd) args))
)
)
(kill-buffer stdout-buffer)
)
)
)
(defun run-command-in-directory (dir cmd &rest args)
"Run a command in the specified directory. If the directory is nil, the directory of the file is used. The stdout result is trimmed of whitespace and returned."
(let (

4
nix/configuration/roles/emacs/files/emacs/elisp/lang-d2.el
View File

@@ -1,14 +1,14 @@
(defun d2-format-buffer ()
"Run prettier."
(interactive)
(run-command-on-buffer "d2" "fmt" "-")
(run-command-on-buffer-require-output "d2" "fmt" "-")
)
(use-package d2-mode
:commands (d2-mode)
:hook (
(d2-mode . (lambda ()
;; (add-hook 'before-save-hook 'd2-format-buffer nil 'local)
(add-hook 'before-save-hook 'd2-format-buffer nil 'local)
))
)
)

11
nix/configuration/roles/firewall/default.nix
View File

@@ -24,7 +24,16 @@
networking.firewall.allowedUDPPorts = [
5353 # mDNS
];
# networking.firewall.enable = true;
# networking.nftables.enable = true;
# Or disable the firewall altogether.
# networking.firewall.enable = false;
networking.firewall.enable = false;
# Debugging
# networking.firewall.logRefusedConnections = true;
# networking.firewall.logRefusedPackets = true;
# networking.firewall.logReversePathDrops = true;
};
}

2
nix/configuration/roles/gcloud/default.nix
View File

@@ -18,7 +18,7 @@
};
config = lib.mkIf config.me.gcloud.enable {
environment.systemPackages = with pkgs; [
environment.systemPackages = with pkgs.google; [
(google-cloud-sdk.withExtraComponents [ google-cloud-sdk.components.gke-gcloud-auth-plugin ])
];

2
nix/configuration/roles/graphics/default.nix
View File

@@ -34,7 +34,7 @@
environment.systemPackages = with pkgs; [
mesa-demos # for glxgears
vulkan-tools # for vkcube
xorg.xeyes # to test which windows are using x11
xeyes # to test which windows are using x11
];
hardware.graphics.enable = true;
# hardware.graphics.enable32Bit = true;

12
nix/configuration/roles/hydra/default.nix
View File

@@ -23,8 +23,8 @@ let
src = pkgs.fetchgit {
url = "https://code.fizz.buzz/talexander/nix_builder.git";
# tag = version;
rev = "d0fc2331e7aadc8bdd98836b466172ac37628e7d";
hash = "sha256-V1DU9U4+k96KfGV9BTxKYjxLzV6tWvQPM+a+5NU94G8=";
rev = "606832f505a1ccc9702cd12c236c3188f9282e82";
hash = "sha256-WHvnkCIPDBw0BnrQMnBpmwmYuhlxR4FfkoNWw2DY6XE=";
leaveDotGit = false;
};
@@ -85,11 +85,11 @@ in
};
# Nix 2.30.0 (2025-07-07) changed the build directory from /tmp to /nix/var/nix/builds which broke a number of builds because my ZFS datasets were utf8only.
fileSystems."/home/nixworker/persist/root/nix/var/nix/builds" = {
fileSystems."/.disk/root/nix/var/nix/builds" = {
device = "tmpfs";
fsType = "tmpfs";
options = [
"size=40G" # adjust for your situation and needs
"size=50G" # adjust for your situation and needs
"mode=700"
"uid=11400"
"gid=11400"
@@ -110,7 +110,7 @@ in
IFS=$'\n\t'
DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
NIX_REMOTE='local?root=/home/nixworker/persist/root' RUST_BACKTRACE=1 RUST_LOG=nix_builder=DEBUG ${nix_builder}/bin/nix-builder build --config ${./files/nix_builder.toml} --target odo --target odo_update --target odowork --target odowork_update --target quark --target quark_update --target hydra --target hydra_update --target controller0 --target controller0_update --target controller1 --target controller1_update --target controller2 --target controller2_update --target worker0 --target worker0_update --target worker1 --target worker1_update --target worker2 --target worker2_update --target family_disks --target family_disks_update
NIX_REMOTE='local?root=/.disk/root' RUST_BACKTRACE=1 RUST_LOG=nix_builder=DEBUG ${nix_builder}/bin/nix-builder build --config ${./files/nix_builder.toml} --target odo --target odo_update --target odowork --target odowork_update --target quark --target quark_update --target hydra --target hydra_update --target controller0 --target controller0_update --target controller1 --target controller1_update --target controller2 --target controller2_update --target worker0 --target worker0_update --target worker1 --target worker1_update --target worker2 --target worker2_update --target family_disks --target family_disks_update --target nixbsd
'';
restartIfChanged = false;
serviceConfig = {
@@ -138,7 +138,7 @@ in
IFS=$'\n\t'
DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
NIX_REMOTE='local?root=/home/nixworker/persist/root' nix-collect-garbage -d
NIX_REMOTE='local?root=/.disk/root' nix-collect-garbage -d
'';
path = with pkgs; [
pkgs.nix

7
nix/configuration/roles/hydra/files/nix_builder.toml
View File

@@ -177,3 +177,10 @@ output_directory = "/home/nixworker/persist/nix_builder"
attr = "nixosConfigurations.family_disks.config.system.build.toplevel"
update = true
update_branch = "nix_update"
[[targets]]
name = "nixbsd"
repo = "https://github.com/nixos-bsd/nixbsd.git"
revision = "828ff7a3c4ee91f548de65a963fca40eaedb171c"
path = "."
attr = "base.vmClosureInfo"

194
nix/configuration/roles/kernel/default.nix Normal file
View File

@@ -0,0 +1,194 @@
# Check current config:
# nix build '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile'
# cat $(nix eval --raw '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile') | less
{
config,
lib,
pkgs,
...
}:
let
preemption_type = with lib.kernel; {
full = {
PREEMPT_DYNAMIC = yes;
PREEMPT = yes;
PREEMPT_VOLUNTARY = lib.mkForce no;
PREEMPT_LAZY = lib.mkForce no;
PREEMPT_NONE = no;
};
lazy = {
PREEMPT_DYNAMIC = yes;
PREEMPT = no;
PREEMPT_VOLUNTARY = lib.mkForce no;
PREEMPT_LAZY = yes;
PREEMPT_NONE = no;
};
voluntary = {
PREEMPT_DYNAMIC = no;
PREEMPT = no;
PREEMPT_VOLUNTARY = yes;
PREEMPT_LAZY = lib.mkForce no;
PREEMPT_NONE = no;
};
none = {
PREEMPT_DYNAMIC = no;
PREEMPT = no;
PREEMPT_VOLUNTARY = lib.mkForce no;
PREEMPT_LAZY = lib.mkForce no;
PREEMPT_NONE = yes;
};
};
tick_hz =
with lib.kernel;
{
"1000" = {
HZ_1000 = yes;
HZ = freeform "1000";
};
}
// lib.genAttrs [ "100" "250" "300" "500" "600" "750" ] (hz: {
HZ_1000 = no;
"HZ_${hz}" = yes;
HZ = freeform hz;
});
performance_governor = with lib.kernel; {
default = {
CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
};
performance = {
CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = no;
CPU_FREQ_DEFAULT_GOV_PERFORMANCE = yes;
};
};
tick_rate = with lib.kernel; {
# Always tick at the hz frequency.
periodic = {
NO_HZ_IDLE = no;
NO_HZ_FULL = no;
NO_HZ = no;
NO_HZ_COMMON = no;
HZ_PERIODIC = yes;
};
# Idle - Do not disturb the CPU when idle. This can save power but increase latency.
idle = {
HZ_PERIODIC = no;
NO_HZ_FULL = no;
NO_HZ_IDLE = yes;
NO_HZ = yes;
NO_HZ_COMMON = yes;
};
# Full dyntick system (tickless) - The kernel tries to shut down the tick whenever possible.
tickless = {
HZ_PERIODIC = no;
NO_HZ_IDLE = no;
NO_HZ_FULL = yes;
NO_HZ = yes;
NO_HZ_COMMON = yes;
CONTEXT_TRACKING = yes;
};
};
huge_page = with lib.kernel; {
always = {
TRANSPARENT_HUGEPAGE_MADVISE = no;
TRANSPARENT_HUGEPAGE_ALWAYS = yes;
};
madvise = {
TRANSPARENT_HUGEPAGE_ALWAYS = no;
TRANSPARENT_HUGEPAGE_MADVISE = yes;
};
};
common_config =
with lib.kernel;
{
# Google's BBRv3 TCP congestion Control
TCP_CONG_BBR = yes;
DEFAULT_BBR = yes;
};
flavors = {
server = lib.mkMerge [
preemption_type.none
tick_hz."300"
performance_governor.default
tick_rate.tickless
huge_page.madvise
];
interactive =
with lib.kernel;
lib.mkMerge [
{
# Enable RCU Lazy - Reduces power consumption when idle or lightly loaded. Useful for battery-powered devices like laptops.
RCU_LAZY = yes;
}
preemption_type.lazy
tick_hz."300"
performance_governor.default
tick_rate.tickless
huge_page.madvise
];
};
in
{
imports = [ ];
options.me = {
kernel.enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Whether we want to install kernel.";
};
kernel.version = lib.mkOption {
type = lib.types.str;
default = "linux"; # LTS
example = "linux_6_18";
description = "What version of the kernl should we use.";
};
kernel.flavor = lib.mkOption {
type = lib.types.str;
default = "interactive";
example = "server";
description = "What type of kernel should be built.";
};
};
config = lib.mkIf config.me.kernel.enable (
lib.mkMerge [
{
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
}
(lib.mkIf (!config.me.optimizations.enable) {
nixpkgs.overlays = [
(final: prev: {
linux_me = final."${config.me.kernel.version}";
})
];
})
(lib.mkIf (config.me.optimizations.enable) {
nixpkgs.overlays = [
(
final: prev:
let
addConfig =
additionalConfig: pkg:
pkg.override (oldconfig: {
structuredExtraConfig = lib.mkMerge ([ pkg.structuredExtraConfig ] ++ additionalConfig);
# stdenv = pkgs.llvmPackages_latest.stdenv;
# stdenv = pkgs.clangStdenv;
});
in
{
linux_me = addConfig ([
common_config
flavors."${config.me.kernel.flavor}"
]) final."${config.me.kernel.version}";
}
)
];
})
]
);
}

1
nix/configuration/roles/minimal_base/default.nix
View File

@@ -19,6 +19,7 @@
config = lib.mkIf config.me.minimal_base.enable {
me.doas.enable = true;
me.kernel.enable = true;
me.network.enable = true;
me.nvme.enable = true;
me.ssh.enable = true;

10
nix/configuration/roles/network/default.nix
View File

@@ -56,15 +56,19 @@ in
# TODO: The 127.0.0.1 address should probably be moved to a host-specific file.
networking.extraHosts = ''
127.0.0.1 ${config.networking.hostName}.home.arpa
10.216.1.1 homeserver
10.216.1.32 homeserver
fdfd:5e8a:ee2d::1:32 homeserver
10.216.1.6 media
10.216.1.12 odo
fdfd:5e8a:ee2d::1:2 odo
10.216.1.14 neelix
10.216.1.15 quark
fdfd:5e8a:ee2d::1:3 quark
10.217.1.1 drmario
10.217.2.1 mrmanager
172.16.16.245 turtle
172.16.16.251 stream
fdfd:5e8a:ee2d::2:2 mrmanager
172.16.16.245 turtle
172.16.16.251 stream
'';
networking.wireless.iwd = {

53
nix/configuration/roles/optimized_build/default.nix
View File

@@ -1,7 +1,6 @@
{
config,
lib,
pkgs,
...
}:
@@ -49,65 +48,13 @@
};
config = lib.mkMerge [
(lib.mkIf (!config.me.optimizations.enable) (
lib.mkMerge [
{
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_18;
# boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
}
]
))
(lib.mkIf config.me.optimizations.enable (
lib.mkMerge [
{
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
nixpkgs.hostPlatform = {
gcc.arch = config.me.optimizations.arch;
gcc.tune = config.me.optimizations.arch;
};
nixpkgs.overlays = [
(
final: prev:
let
addConfig =
additionalConfig: pkg:
pkg.override (oldconfig: {
structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
});
in
{
linux_me = addConfig {
# Full preemption
PREEMPT = lib.mkOverride 60 lib.kernel.yes;
PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
# Google's BBRv3 TCP congestion Control
TCP_CONG_BBR = lib.kernel.yes;
DEFAULT_BBR = lib.kernel.yes;
# Preemptive Full Tickless Kernel at 300Hz
HZ = lib.kernel.freeform "300";
HZ_300 = lib.kernel.yes;
HZ_1000 = lib.kernel.no;
} prev.linux_6_18; # or prev.linux
}
)
(final: prev: {
inherit (final.unoptimized)
assimp
binaryen
gsl
rapidjson
ffmpeg-headless
ffmpeg
pipewire
chromaprint
gtkmm
;
})
];
}
]
))

1
nix/configuration/roles/qemu/files/qemurc.bash
View File

@@ -355,6 +355,7 @@ function start_body {
-smp cores="$CPU_CORES"
-m "$MEMORY"
-rtc base=localtime
-device virtio-rng-pci
-drive "file=\"@OVMFfd@/FV/OVMF_CODE.fd\",if=pflash,format=raw,readonly=on"
-drive "if=pflash,format=raw,file=\"$(readlink -f "${mount_path}/OVMF_VARS.fd")\""
-drive "if=none,file=/dev/zvol/${zfs_path}/disk0,format=raw,id=hd0"

2
nix/configuration/roles/recovery/default.nix
View File

@@ -29,7 +29,7 @@
}
(lib.mkIf config.me.graphical {
environment.systemPackages = with pkgs; [
ddrescueview
#ddrescueview
];
})
]

2
nix/configuration/roles/rpcs3/default.nix
View File

@@ -53,6 +53,8 @@ in
rpcs3
];
allowedUnfree = [ "rpcs3" ];
security.pam.loginLimits = [
{
domain = "@wheel";

5
nix/configuration/roles/sm64ex/default.nix
View File

@@ -18,7 +18,10 @@
};
config = lib.mkIf (config.me.sm64ex.enable && config.me.graphical) {
allowedUnfree = [ "sm64ex" ];
allowedUnfree = [
"sm64ex"
"baserom.us.z64"
];
environment.systemPackages = with pkgs; [
sm64ex

4
nix/configuration/roles/sound/default.nix
View File

@@ -30,7 +30,7 @@
# If you want to use JACK applications, uncomment this
#jack.enable = true;
extraLv2Packages = [ pkgs.rnnoise-plugin ];
extraLadspaPackages = [ pkgs.rnnoise-plugin.ladspa ];
configPackages = [
(pkgs.writeTextDir "share/pipewire/pipewire.conf.d/99-input-denoising.conf" ''
context.modules = [
@@ -43,7 +43,7 @@
{
type = ladspa
name = rnnoise
plugin = "${pkgs.rnnoise-plugin}/lib/ladspa/librnnoise_ladspa.so"
plugin = "librnnoise_ladspa"
label = noise_suppressor_mono
control = {
"VAD Threshold (%)" = 50.0

3
nix/configuration/roles/sway/default.nix
View File

@@ -94,6 +94,9 @@ let
output 'Unknown 0x095F 0x00000000' scale 1.5
output 'BOE 0x095F Unknown' scale 1.5
output 'BOE 0x0BCA Unknown' scale 1.5
# Breaks screen sharing:
# output 'Dell Inc. DELL U3014 P1V6N35M329L' render_bit_depth 10
'';
};
window-management = pkgs.writeTextFile {

6
nix/configuration/roles/vscode/default.nix
View File

@@ -121,6 +121,12 @@ in
group = "talexander";
mode = "0755";
}
{
directory = ".vscode-shared";
user = "talexander";
group = "talexander";
mode = "0755";
}
];
};
};

3
nix/configuration/roles/zfs/default.nix
View File

@@ -44,6 +44,9 @@ in
boot.zfs.devNodes = "/dev/disk/by-partuuid";
# Do not force import your root pool during boot. Force importing would be useful if the pool had been imported by a different machine most recently.
boot.zfs.forceImportRoot = false;
services.zfs = {
autoScrub = {
enable = true;

1
nix/kubernetes/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
result

132
nix/kubernetes/README.org Normal file
View File

@@ -0,0 +1,132 @@
* To-do
** Perhaps use overlay for /etc for speedup
#+begin_src nix
system.etc.overlay.enable = true;
#+end_src
** read https://nixos.org/manual/nixos/stable/
** Performance for mini pc
#+begin_src nix
security.pam.loginLimits = [
{ domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
];
#+end_src
* IP Ranges
| | IPv4 | IPv6 |
|--------------------------------+-----------------------------+-----------------------------------------|
| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
| Load Balancer Private (unused) | 10.198.0.0/16 | fd9c:0bd5:22a4::/112 |
| PowerDNS from inside cluster | 10.215.1.211 | |
* Healthcheck
** Check cilium status
#+begin_src bash
kubectl -n kube-system exec ds/cilium -- cilium-dbg status --verbose
kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep KubeProxyReplacement
#+end_src
** Check connectivity
#+begin_src bash
cilium connectivity test
#+end_src
** Show dropped packets
#+begin_src bash
kubectl -n kube-system exec ds/cilium -- cilium-dbg monitor --type drop
#+end_src
** Show dropped packets for a specific pod
#+begin_src bash
kubectl -n kube-system exec ds/cilium -- hubble observe --since 30s --pod cnpg-system/cnpg-controller-manager-84d498b97-q5m4n --type drop
#+end_src
** Install flux
#+begin_src bash
nix shell 'nixpkgs#fluxcd'
flux bootstrap git \
--url=ssh://git@<host>/<org>/<repository> \
--branch=main \
--private-key-file=<path/to/private.key> \
--password=<key-passphrase> \
--path=clusters/my-cluster
#+end_src
#+begin_src bash
nix shell 'nixpkgs#kubernetes-helm'
helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \
--namespace flux-system \
--create-namespace
#+end_src
#+begin_src text
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
name: flux
namespace: flux-system
annotations:
fluxcd.controlplane.io/reconcileEvery: "1h"
fluxcd.controlplane.io/reconcileTimeout: "5m"
spec:
distribution:
version: "2.x"
registry: "ghcr.io/fluxcd"
artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
components:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
- image-reflector-controller
- image-automation-controller
cluster:
type: kubernetes
size: medium
multitenant: false
networkPolicy: true
domain: "cluster.local"
kustomize:
patches:
- target:
kind: Deployment
patch: |
- op: replace
path: /spec/template/spec/nodeSelector
value:
kubernetes.io/os: linux
- op: add
path: /spec/template/spec/tolerations
value:
- key: "CriticalAddonsOnly"
operator: "Exists"
sync:
kind: OCIRepository
url: "oci://ghcr.io/my-org/my-fleet-manifests"
ref: "latest"
path: "clusters/my-cluster"
pullSecret: "ghcr-auth"
#+end_src
#+begin_src text
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
name: flux
namespace: flux-system
spec:
distribution:
version: "2.7.x"
registry: "ghcr.io/fluxcd"
sync:
kind: GitRepository
url: "ssh://git@10.215.1.210:22/repos/mrmanager"
ref: "refs/heads/nix"
path: "clusters/my-cluster"
pullSecret: "flux-system"
#+end_src
#+begin_src bash
flux create secret git flux-system \
--url=https://gitlab.com/my-org/my-fleet.git \
--username=git \
--password=$GITLAB_TOKEN
#+end_src

149
nix/kubernetes/configuration.nix Normal file
View File

@@ -0,0 +1,149 @@
{
config,
lib,
...
}:
{
imports = [
./roles/boot
./roles/cilium
./roles/containerd
./roles/control_plane
./roles/debugging
./roles/doas
./roles/dont_use_substituters
./roles/etcd
./roles/firewall
./roles/image_based_appliance
./roles/iso
./roles/kernel
./roles/kube_apiserver
./roles/kube_controller_manager
./roles/kube_proxy
./roles/kube_scheduler
./roles/kubelet
./roles/kubernetes
./roles/minimal_base
./roles/network
./roles/nvme
./roles/optimized_build
./roles/ssh
./roles/sshd
./roles/user
./roles/worker_node
./roles/zsh
./util/install_files
./util/unfree_polyfill
];
config = {
nix.settings.experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
# "blake3-hashes"
# "git-hashing"
];
nix.settings.trusted-users = [ "@wheel" ];
hardware.enableRedistributableFirmware = true;
# Keep outputs so we can build offline.
nix.settings.keep-outputs = true;
nix.settings.keep-derivations = true;
# Automatic garbage collection
nix.gc = lib.mkIf (!config.me.buildingPortable) {
# Runs nix-collect-garbage --delete-older-than 5d
automatic = true;
persistent = true;
dates = "monthly";
# randomizedDelaySec = "14m";
options = "--delete-older-than 30d";
};
nix.settings.auto-optimise-store = !config.me.buildingPortable;
environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
hideMounts = true;
directories = [
"/var/lib/nixos" # Contains user information (uids/gids)
"/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
"/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
];
files = [
"/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
];
};
# Write a list of the currently installed packages to /etc/current-system-packages
# environment.etc."current-system-packages".text =
# let
# packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
# sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
# formatted = builtins.concatStringsSep "\n" sortedUnique;
# in
# formatted;
# nixpkgs.overlays = [
# (final: prev: {
# foot = throw "foo";
# })
# ];
nixpkgs.overlays =
let
disableTests = (
package_name:
(final: prev: {
"${package_name}" = prev."${package_name}".overrideAttrs (old: {
doCheck = false;
doInstallCheck = false;
});
})
);
in
[
# (final: prev: {
# imagemagick = prev.imagemagick.overrideAttrs (old: rec {
# # 7.1.2-6 seems to no longer exist, so use 7.1.2-7
# version = "7.1.2-7";
# src = final.fetchFromGitHub {
# owner = "ImageMagick";
# repo = "ImageMagick";
# tag = version;
# hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo=";
# };
# });
# })
# (final: prev: {
# grub2 = (final.callPackage ./package/grub { });
# })
(final: prev: {
inherit (final.unoptimized)
libtpms
;
})
];
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.11"; # Did you read the comment?
};
}

256
nix/kubernetes/flake.lock generated Normal file
View File

@@ -0,0 +1,256 @@
{
"nodes": {
"crane": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1780290312,
"narHash": "sha256-eTAlX0CwgB84Ts3GaBd944A3DRXVMzgA0EqroZBISUo=",
"owner": "nix-community",
"repo": "disko",
"rev": "115e5211780054d8a890b41f0b7734cafad54dfe",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"impermanence",
"nixpkgs"
]
},
"locked": {
"lastModified": 1768598210,
"narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"inputs": {
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1769548169,
"narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1737639419,
"narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.2",
"repo": "lanzaboote",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1780749050,
"narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

183
nix/kubernetes/flake.nix Normal file
View File

@@ -0,0 +1,183 @@
# Get a repl for this flake
# nix repl --expr "builtins.getFlake \"$PWD\""
# TODO maybe use `nix eval --raw .#odo.iso.outPath`
#
# Install on a new machine:
#
# Set
# me.disko.enable = true;
# me.disko.offline.enable = true;
#
# Run
# doas disko --mode destroy,format,mount hosts/recovery/disk-config.nix
# doas nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#recovery"
{
description = "My system configuration";
inputs = {
impermanence = {
url = "github:nix-community/impermanence";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nixpkgs";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{
self,
nixpkgs,
disko,
impermanence,
lanzaboote,
...
}:
let
forAllSystems =
func:
builtins.listToAttrs (
map (system: {
name = system;
value = func system;
}) nixpkgs.lib.systems.flakeExposed
);
nodes = {
controller0 = {
system = "x86_64-linux";
};
controller1 = {
system = "x86_64-linux";
};
controller2 = {
system = "x86_64-linux";
};
worker0 = {
system = "x86_64-linux";
};
worker1 = {
system = "x86_64-linux";
};
worker2 = {
system = "x86_64-linux";
};
};
nixosConfigs = builtins.mapAttrs (
hostname: nodeConfig: format:
nixpkgs.lib.nixosSystem {
specialArgs = {
inherit self;
this_nixos_config = self.nixosConfigurations."${hostname}";
all_nixos_configs = self.nixosConfigurations;
};
modules = [
impermanence.nixosModules.impermanence
lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
./configuration.nix
(./. + "/hosts/${hostname}")
(./. + "/formats/${format}.nix")
{
config = {
nixpkgs.hostPlatform.system = nodeConfig.system;
nixpkgs.overlays = [
(final: prev: {
# stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
unoptimized = import nixpkgs {
system = prev.stdenv.hostPlatform.system;
hostPlatform.gcc.arch = "default";
hostPlatform.gcc.tune = "default";
};
})
];
};
}
(
{
config,
lib,
pkgs,
...
}:
let
nix-self-repl = pkgs.writeShellScriptBin "nix-self-repl" ''
source /etc/set-environment
nix repl --expr 'builtins.getFlake "${self}"'
'';
# If we wanted the current version of a flake then we'd just launch
# nix repl
# and then run:
# :lf /path/to/flake
in
{
config = {
environment.systemPackages = lib.mkIf config.nix.enable [ nix-self-repl ];
};
}
)
];
}
) nodes;
installerConfig =
hostname: nodeConfig:
nixpkgs.lib.nixosSystem {
specialArgs = {
targetSystem = self.nixosConfigurations."${hostname}";
};
modules = [
./formats/installer.nix
(
{
config,
lib,
pkgs,
...
}:
let
nix-self-repl = pkgs.writeShellScriptBin "nix-self-repl" ''
source /etc/set-environment
nix repl --expr 'builtins.getFlake "${self}"'
'';
# If we wanted the current version of a flake then we'd just launch
# nix repl
# and then run:
# :lf /path/to/flake
in
{
config = {
environment.systemPackages = lib.mkIf config.nix.enable [ nix-self-repl ];
};
}
)
({ nixpkgs.hostPlatform.system = nodeConfig.system; })
];
};
in
{
nixosConfigurations = (builtins.mapAttrs (name: value: value "toplevel") nixosConfigs);
}
// {
packages = (
forAllSystems (
system:
(builtins.mapAttrs (hostname: nodeConfig: {
iso = (nixosConfigs."${hostname}" "iso").config.system.build.isoImage;
vm_iso = (nixosConfigs."${hostname}" "vm_iso").config.system.build.isoImage;
sd = (nixosConfigs."${hostname}" "sd").config.system.build.sdImage;
installer = (installerConfig hostname nodes."${hostname}").config.system.build.isoImage;
}) (nixpkgs.lib.attrsets.filterAttrs (hostname: nodeConfig: nodeConfig.system == system) nodes))
)
);
};
}

74
nix/kubernetes/formats/installer.nix Normal file
View File

@@ -0,0 +1,74 @@
{
config,
pkgs,
lib,
modulesPath,
targetSystem,
...
}:
let
installer = pkgs.writeShellApplication {
name = "installer";
runtimeInputs = with pkgs; [
# clevis
dosfstools
e2fsprogs
gawk
nixos-install-tools
util-linux
config.nix.package
];
text = ''
set -euo pipefail
${targetSystem.config.system.build.diskoScript}
nixos-install --no-channel-copy --no-root-password --option substituters "" --system ${targetSystem.config.system.build.toplevel}
'';
};
installerFailsafe = pkgs.writeShellScript "failsafe" ''
${lib.getExe installer} || echo "ERROR: Installation failure!"
sleep 3600
'';
in
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
(modulesPath + "/profiles/all-hardware.nix")
];
# boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_17;
# boot.zfs.package = pkgs.zfs_unstable;
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
boot.kernelParams = [
"quiet"
"systemd.unit=getty.target"
];
boot.supportedFilesystems.zfs = true;
boot.initrd.systemd.enable = true;
networking.hostId = "04581ecf";
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
isoImage.squashfsCompression = "zstd -Xcompression-level 15";
environment.systemPackages = [
installer
];
systemd.services."getty@tty1" = {
overrideStrategy = "asDropin";
serviceConfig = {
ExecStart = [
""
installerFailsafe
];
Restart = "no";
StandardInput = "null";
};
};
# system.stateVersion = lib.mkDefault lib.trivial.release;
system.stateVersion = "24.11";
}

36
nix/kubernetes/formats/iso.nix Normal file
View File

@@ -0,0 +1,36 @@
{
config,
lib,
modulesPath,
pkgs,
...
}:
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
];
config = {
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
networking.dhcpcd.enable = true;
networking.useDHCP = true;
me.buildingPortable = true;
me.disko.enable = true;
me.disko.offline.enable = true;
me.mountPersistence = lib.mkForce false;
# me.optimizations.enable = lib.mkForce false;
# Not doing image_based_appliance because this might be an install ISO, in which case we'd need nix to do the install.
# me.image_based_appliance.enable = true;
# TODO: Should I use this instead of doing a mkIf for the disk config?
# disko.enableConfig = false;
# Faster image generation for testing/development.
isoImage.squashfsCompression = "zstd -Xcompression-level 15";
};
}

32
nix/kubernetes/formats/sd.nix Normal file
View File

@@ -0,0 +1,32 @@
{
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/sd-card/sd-image.nix")
];
config = {
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# TODO: image based appliance?
# TODO: Maybe this?
# fileSystems = {
# "/" = {
# device = "/dev/disk/by-label/NIXOS_SD";
# fsType = "ext4";
# options = [
# "noatime"
# "norelatime"
# ];
# };
# };
};
}

1
nix/kubernetes/formats/toplevel.nix Normal file
View File

@@ -0,0 +1 @@
{ }

22
nix/kubernetes/formats/vm_iso.nix Normal file
View File

@@ -0,0 +1,22 @@
{
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
(modulesPath + "/profiles/qemu-guest.nix") # VirtIO kernel modules
];
config = {
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
networking.dhcpcd.enable = true;
networking.useDHCP = true;
me.image_based_appliance.enable = true;
};
}

24
nix/kubernetes/functions/to_yaml.nix Normal file
View File

@@ -0,0 +1,24 @@
{
pkgs,
...
}:
let
to_yaml_file =
file_name: contents:
let
settingsFormat = pkgs.formats.yaml { };
yaml_file = settingsFormat.generate file_name contents;
in
yaml_file;
to_yaml =
file_name: contents:
let
settingsFormat = pkgs.formats.yaml { };
yaml_file = settingsFormat.generate file_name contents;
yaml_content = builtins.readFile yaml_file;
in
yaml_content;
in
{
inherit to_yaml to_yaml_file;
}

13
nix/kubernetes/hosts/controller0/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=controller0
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#controller0" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

13
nix/kubernetes/hosts/controller0/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=controller0
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#controller0" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller0/ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller0.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller0/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller0" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller0/SELF_BUILD Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller0" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller0/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller0" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller0/VM_ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller0.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

130
nix/kubernetes/hosts/controller0/default.nix Normal file
View File

@@ -0,0 +1,130 @@
# MANUAL: On client machines generate signing keys:
# nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
#
# Trust other machines and add the substituters:
# nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
# nix.binaryCaches = [ "https://test.example/nix-cache" ];
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./vm_disk.nix
];
config = {
networking =
let
interface = "enp0s2";
in
{
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
hostId = "769e1349";
hostName = "controller0"; # Define your hostname.
interfaces = {
"${interface}" = {
ipv4.addresses = [
{
address = "10.215.1.221";
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = "2620:11f:7001:7:ffff:ffff:0ad7:01dd";
prefixLength = 64;
}
];
};
};
defaultGateway = "10.215.1.1";
defaultGateway6 = {
# address = "2620:11f:7001:7::1";
address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
inherit interface;
};
dhcpcd.enable = lib.mkForce false;
useDHCP = lib.mkForce false;
};
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
me.optimizations = {
enable = true;
arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# nix.optimise.automatic = true;
# nix.optimise.dates = [ "03:45" ];
# nix.optimise.persistent = true;
environment.systemPackages = with pkgs; [
htop
];
# nix.sshServe.enable = true;
# nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
me.etcd.cluster_name = "put-a-nix-on-it";
me.etcd.internal_ip = [
# "10.215.1.221"
"[2620:11f:7001:7:ffff:ffff:0ad7:01dd]"
];
me.etcd.initial_cluster = [
# "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
# "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
# "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
"controller0=https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2380" # 10.215.1.221
"controller1=https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2380" # 10.215.1.222
"controller2=https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2380" # 10.215.1.223
];
me.kube_apiserver.internal_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01dd";
# me.kube_apiserver.external_ip = "74.80.180.138";
me.kube_apiserver.external_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01dd";
me.kube_apiserver.etcd_services = [
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2379" # 10.215.1.221
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2379" # 10.215.1.222
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2379" # 10.215.1.223
];
me.control_plane.enable = true;
me.dont_use_substituters.enable = true;
me.etcd.enable = true;
me.minimal_base.enable = true;
};
}

31
nix/kubernetes/hosts/controller0/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,31 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
};
}

94
nix/kubernetes/hosts/controller0/vm_disk.nix Normal file
View File

@@ -0,0 +1,94 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
config = {
# Mount the local disk
fileSystems = lib.mkIf config.me.mountPersistence {
"/.disk" = lib.mkForce {
device = "/dev/nvme0n1p1";
fsType = "ext4";
options = [
"noatime"
"discard"
];
neededForBoot = true;
};
"/.persist" = lib.mkForce {
device = "bind9p";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/persist" = {
fsType = "none";
device = "/.persist/persist";
options = [
"bind"
"rw"
];
depends = [
"/.persist/persist"
];
neededForBoot = true;
};
"/state" = {
fsType = "none";
device = "/.persist/state";
options = [
"bind"
"rw"
];
depends = [
"/.persist/state"
];
neededForBoot = true;
};
"/k8spv" = lib.mkForce {
device = "k8spv";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/disk" = {
fsType = "none";
device = "/.disk/persist";
options = [
"bind"
"rw"
];
depends = [
"/.disk/persist"
];
neededForBoot = true;
};
};
};
}

Some files were not shown because too many files have changed in this diff Show More