Configure kernel preemption.

1.5 came out recently, so no gateway providers support it.

nix/configuration/README.org

@@ -0,0 +1,12 @@
+* To-do
+** Perhaps use overlay for /etc for speedup
+#+begin_src nix
+  system.etc.overlay.enable = true;
+#+end_src
+** read https://nixos.org/manual/nixos/stable/
+** Performance for mini pc
+#+begin_src nix
+  security.pam.loginLimits = [
+    { domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
+  ];
+#+end_src

nix/configuration/configuration.nix

@@ -1,9 +1,16 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }:
 
+let
+  alias_nix_pin_revision = pkgs.writeShellScriptBin "nix-pin-revision" ''
+    # Usage: nix-pin-revision nixpkgs 'github:NixOS/nixpkgs/00c21e4c93d963c50d4c0c89bfa84ed6e0694df2'
+    exec nix flake lock --override-input "''${@}"
+  '';
+in
 {
   imports = [
     ./roles/2ship2harkinian
@@ -47,6 +54,7 @@
     ./roles/iso_mount
     ./roles/jujutsu
     ./roles/kanshi
+    ./roles/kernel
     ./roles/kodi
     ./roles/kubernetes
     ./roles/latex
@@ -119,6 +127,9 @@
     nix.settings.max-free = 1000000000;
     nix.settings.fallback = true;
     nix.settings.warn-dirty = false;
+    nix.settings.fsync-metadata = true;
+    # Ensure store paths are durably written to disk before registering the paths so a crash mid-build does not leave us in a corrupted state.
+    nix.settings.fsync-store-paths = true;
 
     hardware.enableRedistributableFirmware = true;
 
@@ -129,7 +140,8 @@
     # Automatic garbage collection
     nix.gc = lib.mkIf (!config.me.buildingPortable) {
       # Runs nix-collect-garbage --delete-older-than 5d
-      automatic = true;
+      # automatic = true;
+      automatic = false;
       persistent = true;
       dates = "monthly";
       # randomizedDelaySec = "14m";
@@ -137,6 +149,10 @@
     };
     nix.settings.auto-optimise-store = !config.me.buildingPortable;
 
+    environment.systemPackages = [
+      alias_nix_pin_revision
+    ];
+
     environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
       hideMounts = true;
       directories = [
@@ -220,13 +236,30 @@
         );
       in
       [
-        (disableTests "coreutils")
-        (disableTests "coreutils-full")
-        (disableTests "libuv")
-        (final: prev: {
-          inherit (final.unoptimized) libtpms libjxl;
-        })
+        (disableTests "deno") # Tests use too much disk space
+        (disableOptimizations "libtpms")
         (disableOptimizationsPython3 "scipy")
+        (disableOptimizations "assimp")
+        (disableOptimizations "gsl")
+        (final: prev: {
+          rpcs3 = prev.rpcs3.override {
+            glew = (final.glew.override { enableEGL = false; });
+          };
+        })
+        (final: prev: {
+          fwupd = prev.fwupd.overrideAttrs (
+            finalAttrs: prevAttrs: {
+              version = "2.1.5";
+              src = final.fetchFromGitHub {
+                owner = "fwupd";
+                repo = "fwupd";
+                tag = finalAttrs.version;
+                hash = "sha256-DzQ+N99ZmFRqZc2rN6PSqmoIMXUyrE8Kkn+KnT/AWPc=";
+              };
+            }
+          );
+        })
+
         # Works but probably sets python2's scipy to be python3:
         #
         # (final: prev: {

nix/configuration/flake.lock

@@ -22,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769524058,
-        "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
+        "lastModified": 1780894562,
+        "narHash": "sha256-c3430xwxwhHipl3jigUGMMBfpaMylDqytW/kdmB3ZGs=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
+        "rev": "24fed06cac83bcc44ac8efbb57cab1a82fa0bedc",
         "type": "github"
       },
       "original": {
@@ -164,11 +164,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1770197578,
-        "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
+        "lastModified": 1780749050,
+        "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
+        "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
         "type": "github"
       },
       "original": {
@@ -178,6 +178,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-google": {
+      "locked": {
+        "lastModified": 1779893571,
+        "narHash": "sha256-wiwMyVCtmjRjlFCe2zaumCE6LRV9GzzN0ZH25NQkbAU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1730741070,
@@ -226,7 +242,8 @@
         "disko": "disko",
         "impermanence": "impermanence",
         "lanzaboote": "lanzaboote",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-google": "nixpkgs-google"
       }
     },
     "rust-overlay": {

nix/configuration/flake.nix

@@ -20,6 +20,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-google.url = "github:NixOS/nixpkgs/45f6cfaa4605b706c870e75bd74bdb5e97eee11e";
     lanzaboote = {
       url = "github:nix-community/lanzaboote/v0.4.2";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -34,6 +35,7 @@
     {
       self,
       nixpkgs,
+      nixpkgs-google,
       disko,
       impermanence,
       lanzaboote,
@@ -92,6 +94,9 @@
                       hostPlatform.gcc.arch = "default";
                       hostPlatform.gcc.tune = "default";
                     };
+                    google = import nixpkgs-google {
+                      system = prev.stdenv.hostPlatform.system;
+                    };
                   })
                 ];
               };

nix/configuration/hosts/odo/SELF_BUILD

@@ -5,7 +5,6 @@ IFS=$'\n\t'
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 : "${JOBS:="1"}"
-: "${NOM:="true"}"
 
 for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
 

nix/configuration/hosts/odo/default.nix

@@ -110,6 +110,7 @@
     me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
     me.jujutsu.enable = true;
     me.kanshi.enable = false;
+    me.kernel.enable = true;
     me.kubernetes.enable = true;
     me.latex.enable = true;
     me.launch_keyboard.enable = true;
@@ -164,7 +165,7 @@
     me.zsh.enable = true;
 
     me.sm64ex.enable = true;
-    me.shipwright.enable = true;
+    me.shipwright.enable = false;
     me.ship2harkinian.enable = true;
   };
 }

nix/configuration/hosts/odowork/default.nix

@@ -111,6 +111,7 @@
     me.iso_mount.enable = true;
     me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
     me.jujutsu.enable = true;
+    me.kernel.enable = true;
     me.latex.enable = true;
     me.launch_keyboard.enable = true;
     me.lvfs.enable = true;

nix/configuration/hosts/quark/default.nix

@@ -104,6 +104,7 @@
     me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
     me.jujutsu.enable = true;
     me.kanshi.enable = false;
+    me.kernel.enable = true;
     me.kubernetes.enable = true;
     me.latex.enable = true;
     me.launch_keyboard.enable = true;
@@ -159,7 +160,7 @@
     me.zsh.enable = true;
 
     me.sm64ex.enable = true;
-    me.shipwright.enable = true;
+    me.shipwright.enable = false;
     me.ship2harkinian.enable = true;
   };
 }

nix/configuration/roles/base/default.nix

@@ -14,6 +14,12 @@ let
   cleanup_temporary_files = (
     patchScriptBin "cleanup_temporary_files" (builtins.readFile ./files/cleanup_temporary_files.bash)
   );
+  decode_jwt = (patchScriptBin "decode_jwt" (builtins.readFile ./files/decode_jwt.bash));
+  git_find_merged_branches = (
+    patchScriptBin "git_find_merged_branches" (builtins.readFile ./files/git_find_merged_branches.bash)
+  );
+  git_fix_author = (patchScriptBin "git_fix_author" (builtins.readFile ./files/git_fix_author.bash));
+  rsync_clone = (patchScriptBin "rsync_clone" (builtins.readFile ./files/rsync_clone.bash));
   alias_rga = pkgs.writeShellScriptBin "rga" ''
     exec ${pkgs.ripgrep}/bin/rg -uuu "''${@}"
   '';
@@ -59,8 +65,12 @@ in
       nix-output-monitor # For better view into nixos-rebuild
       # nix-serve-ng # Serve nix store over http
       cleanup_temporary_files
+      decode_jwt
       jq
       inetutils # For whois
+      git_find_merged_branches
+      git_fix_author
+      rsync_clone
     ];
   };
 }

nix/configuration/roles/base/files/cleanup_temporary_files.bash

@@ -1,4 +1,7 @@
 #!/usr/bin/env bash
 #
 # Delete temporary files on entire disk
-find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null
+set -euo pipefail
+IFS=$'\n\t'
+
+exec find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null

nix/configuration/roles/base/files/decode_jwt.bash

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Decode the contents of a JWT
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec jq -R 'split(".") | .[0],.[1] | gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=")| @base64d | fromjson'

nix/configuration/roles/base/files/git_find_merged_branches.bash

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+# Find local branches that have been merged
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: ${MAIN_BRANCH:="main"}
+
+git checkout -q ${MAIN_BRANCH} && git for-each-ref refs/heads/ "--format=%(refname:short)" | while read branch; do mergeBase=$(git merge-base ${MAIN_BRANCH} $branch) && [[ $(git cherry ${MAIN_BRANCH} $(git commit-tree $(git rev-parse "$branch^{tree}") -p $mergeBase -m _)) == "-"* ]] && echo "$branch"; done

nix/configuration/roles/base/files/git_fix_author.bash

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+git filter-branch --env-filter '
+WRONG_EMAIL="old@email.foo"
+NEW_NAME="New Name"
+NEW_EMAIL="new@email.bar"
+
+if [ "$GIT_COMMITTER_EMAIL" = "$WRONG_EMAIL" ]
+then
+    export GIT_COMMITTER_NAME="$NEW_NAME"
+    export GIT_COMMITTER_EMAIL="$NEW_EMAIL"
+fi
+if [ "$GIT_AUTHOR_EMAIL" = "$WRONG_EMAIL" ]
+then
+    export GIT_AUTHOR_NAME="$NEW_NAME"
+    export GIT_AUTHOR_EMAIL="$NEW_EMAIL"
+fi
+' --tag-name-filter cat --commit-filter 'git commit-tree -S "$@";' -- --branches --tags

nix/configuration/roles/base/files/rsync_clone.bash

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Wrapper to set rsync flags for cloning a folder preserving attributes
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+exec rsync -aHAXS "$@"

nix/configuration/roles/distributed_build/default.nix

@@ -56,7 +56,7 @@ let
         # "aarch64-linux"
       ];
 
-      hostName = lib.mkForce "hydra?remote-store=local?root=/home/nixworker/persist/root";
+      hostName = lib.mkForce "hydra?remote-store=local?root=/.disk/root";
     };
   };
   joined_configs =
@@ -101,7 +101,7 @@ in
         # Using an ssh-based substituter slows down the build because querying the remote store for paths takes ages.
         #
         # nix.settings.substituters = lib.mkForce [
-        #   "ssh-ng://nixworker@ns1.fizz.buzz:65122?compress=true&ssh-key=/persist/manual/ssh/root/keys/id_ed25519&remote-store=/home/nixworker/persist/root"
+        #   "ssh-ng://nixworker@ns1.fizz.buzz:65122?compress=true&ssh-key=/persist/manual/ssh/root/keys/id_ed25519&remote-store=/.disk/root"
         # ];
         # nix.settings.substitute = lib.mkForce true;
 

nix/configuration/roles/firewall/default.nix

@@ -24,7 +24,16 @@
     networking.firewall.allowedUDPPorts = [
       5353 # mDNS
     ];
+
+    # networking.firewall.enable = true;
+    # networking.nftables.enable = true;
+
     # Or disable the firewall altogether.
-    # networking.firewall.enable = false;
+    networking.firewall.enable = false;
+
+    # Debugging
+    # networking.firewall.logRefusedConnections = true;
+    # networking.firewall.logRefusedPackets = true;
+    # networking.firewall.logReversePathDrops = true;
   };
 }

nix/configuration/roles/gcloud/default.nix

@@ -18,7 +18,7 @@
   };
 
   config = lib.mkIf config.me.gcloud.enable {
-    environment.systemPackages = with pkgs; [
+    environment.systemPackages = with pkgs.google; [
       (google-cloud-sdk.withExtraComponents [ google-cloud-sdk.components.gke-gcloud-auth-plugin ])
     ];
 

nix/configuration/roles/graphics/default.nix

@@ -34,7 +34,7 @@
         environment.systemPackages = with pkgs; [
           mesa-demos # for glxgears
           vulkan-tools # for vkcube
-          xorg.xeyes # to test which windows are using x11
+          xeyes # to test which windows are using x11
         ];
         hardware.graphics.enable = true;
         # hardware.graphics.enable32Bit = true;

nix/configuration/roles/hydra/default.nix

@@ -85,11 +85,11 @@ in
     };
 
     # Nix 2.30.0 (2025-07-07) changed the build directory from /tmp to /nix/var/nix/builds which broke a number of builds because my ZFS datasets were utf8only.
-    fileSystems."/home/nixworker/persist/root/nix/var/nix/builds" = {
+    fileSystems."/.disk/root/nix/var/nix/builds" = {
       device = "tmpfs";
       fsType = "tmpfs";
       options = [
-        "size=40G" # adjust for your situation and needs
+        "size=50G" # adjust for your situation and needs
         "mode=700"
         "uid=11400"
         "gid=11400"
@@ -110,7 +110,7 @@ in
         IFS=$'\n\t'
         DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
 
-        NIX_REMOTE='local?root=/home/nixworker/persist/root' RUST_BACKTRACE=1 RUST_LOG=nix_builder=DEBUG ${nix_builder}/bin/nix-builder build --config ${./files/nix_builder.toml} --target odo --target odo_update --target odowork --target odowork_update --target quark --target quark_update --target hydra --target hydra_update --target controller0 --target controller0_update --target controller1 --target controller1_update --target controller2 --target controller2_update --target worker0 --target worker0_update --target worker1 --target worker1_update --target worker2 --target worker2_update --target family_disks --target family_disks_update
+        NIX_REMOTE='local?root=/.disk/root' RUST_BACKTRACE=1 RUST_LOG=nix_builder=DEBUG ${nix_builder}/bin/nix-builder build --config ${./files/nix_builder.toml} --target odo --target odo_update --target odowork --target odowork_update --target quark --target quark_update --target hydra --target hydra_update --target controller0 --target controller0_update --target controller1 --target controller1_update --target controller2 --target controller2_update --target worker0 --target worker0_update --target worker1 --target worker1_update --target worker2 --target worker2_update --target family_disks --target family_disks_update --target nixbsd
       '';
       restartIfChanged = false;
       serviceConfig = {
@@ -138,7 +138,7 @@ in
         IFS=$'\n\t'
         DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
 
-        NIX_REMOTE='local?root=/home/nixworker/persist/root' nix-collect-garbage -d
+        NIX_REMOTE='local?root=/.disk/root' nix-collect-garbage -d
       '';
       path = with pkgs; [
         pkgs.nix

nix/configuration/roles/hydra/files/nix_builder.toml

@@ -177,3 +177,10 @@ output_directory = "/home/nixworker/persist/nix_builder"
   attr = "nixosConfigurations.family_disks.config.system.build.toplevel"
   update = true
   update_branch = "nix_update"
+
+[[targets]]
+  name = "nixbsd"
+  repo = "https://github.com/nixos-bsd/nixbsd.git"
+  revision = "828ff7a3c4ee91f548de65a963fca40eaedb171c"
+  path = "."
+  attr = "base.vmClosureInfo"

nix/configuration/roles/kernel/default.nix

@@ -0,0 +1,194 @@
+# Check current config:
+#   nix build '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile'
+#   cat $(nix eval --raw '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile') | less
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  preemption_type = with lib.kernel; {
+    full = {
+      PREEMPT_DYNAMIC = yes;
+      PREEMPT = yes;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = no;
+    };
+    lazy = {
+      PREEMPT_DYNAMIC = yes;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = yes;
+      PREEMPT_NONE = no;
+    };
+    voluntary = {
+      PREEMPT_DYNAMIC = no;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = yes;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = no;
+    };
+    none = {
+      PREEMPT_DYNAMIC = no;
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT_LAZY = lib.mkForce no;
+      PREEMPT_NONE = yes;
+    };
+  };
+  tick_hz =
+    with lib.kernel;
+    {
+      "1000" = {
+        HZ_1000 = yes;
+        HZ = freeform "1000";
+      };
+    }
+    // lib.genAttrs [ "100" "250" "300" "500" "600" "750" ] (hz: {
+      HZ_1000 = no;
+      "HZ_${hz}" = yes;
+      HZ = freeform hz;
+    });
+  performance_governor = with lib.kernel; {
+    default = {
+      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
+    };
+    performance = {
+      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = no;
+      CPU_FREQ_DEFAULT_GOV_PERFORMANCE = yes;
+    };
+  };
+  tick_rate = with lib.kernel; {
+    # Always tick at the hz frequency.
+    periodic = {
+      NO_HZ_IDLE = no;
+      NO_HZ_FULL = no;
+      NO_HZ = no;
+      NO_HZ_COMMON = no;
+      HZ_PERIODIC = yes;
+    };
+    # Idle - Do not disturb the CPU when idle. This can save power but increase latency.
+    idle = {
+      HZ_PERIODIC = no;
+      NO_HZ_FULL = no;
+      NO_HZ_IDLE = yes;
+      NO_HZ = yes;
+      NO_HZ_COMMON = yes;
+    };
+    # Full dyntick system (tickless) - The kernel tries to shut down the tick whenever possible.
+    tickless = {
+      HZ_PERIODIC = no;
+      NO_HZ_IDLE = no;
+      NO_HZ_FULL = yes;
+      NO_HZ = yes;
+      NO_HZ_COMMON = yes;
+      CONTEXT_TRACKING = yes;
+    };
+  };
+  huge_page = with lib.kernel; {
+    always = {
+      TRANSPARENT_HUGEPAGE_MADVISE = no;
+      TRANSPARENT_HUGEPAGE_ALWAYS = yes;
+    };
+    madvise = {
+      TRANSPARENT_HUGEPAGE_ALWAYS = no;
+      TRANSPARENT_HUGEPAGE_MADVISE = yes;
+    };
+  };
+  common_config =
+    with lib.kernel;
+    {
+      # Google's BBRv3 TCP congestion Control
+      TCP_CONG_BBR = yes;
+      DEFAULT_BBR = yes;
+    };
+  flavors = {
+    server = lib.mkMerge [
+      preemption_type.none
+      tick_hz."300"
+      performance_governor.default
+      tick_rate.tickless
+      huge_page.madvise
+    ];
+    interactive =
+      with lib.kernel;
+      lib.mkMerge [
+        {
+          # Enable RCU Lazy - Reduces power consumption when idle or lightly loaded. Useful for battery-powered devices like laptops.
+          RCU_LAZY = yes;
+        }
+        preemption_type.lazy
+        tick_hz."300"
+        performance_governor.default
+        tick_rate.tickless
+        huge_page.madvise
+      ];
+  };
+in
+{
+  imports = [ ];
+
+  options.me = {
+    kernel.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install kernel.";
+    };
+
+    kernel.version = lib.mkOption {
+      type = lib.types.str;
+      default = "linux"; # LTS
+      example = "linux_6_18";
+      description = "What version of the kernl should we use.";
+    };
+
+    kernel.flavor = lib.mkOption {
+      type = lib.types.str;
+      default = "interactive";
+      example = "server";
+      description = "What type of kernel should be built.";
+    };
+  };
+
+  config = lib.mkIf config.me.kernel.enable (
+    lib.mkMerge [
+      {
+        boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
+      }
+      (lib.mkIf (!config.me.optimizations.enable) {
+        nixpkgs.overlays = [
+          (final: prev: {
+            linux_me = final."${config.me.kernel.version}";
+          })
+        ];
+      })
+      (lib.mkIf (config.me.optimizations.enable) {
+        nixpkgs.overlays = [
+          (
+            final: prev:
+            let
+              addConfig =
+                additionalConfig: pkg:
+                pkg.override (oldconfig: {
+                  structuredExtraConfig = lib.mkMerge ([ pkg.structuredExtraConfig ] ++ additionalConfig);
+                  # stdenv = pkgs.llvmPackages_latest.stdenv;
+                  # stdenv = pkgs.clangStdenv;
+                });
+            in
+            {
+              linux_me = addConfig ([
+                common_config
+                flavors."${config.me.kernel.flavor}"
+              ]) final."${config.me.kernel.version}";
+            }
+          )
+        ];
+      })
+    ]
+  );
+}

nix/configuration/roles/minimal_base/default.nix

@@ -19,6 +19,7 @@
 
   config = lib.mkIf config.me.minimal_base.enable {
     me.doas.enable = true;
+    me.kernel.enable = true;
     me.network.enable = true;
     me.nvme.enable = true;
     me.ssh.enable = true;

nix/configuration/roles/network/default.nix

@@ -56,13 +56,17 @@ in
     # TODO: The 127.0.0.1 address should probably be moved to a host-specific file.
     networking.extraHosts = ''
       127.0.0.1 ${config.networking.hostName}.home.arpa
-      10.216.1.1		homeserver
+      10.216.1.32		homeserver
+      fdfd:5e8a:ee2d::1:32	homeserver
       10.216.1.6		media
       10.216.1.12		odo
+      fdfd:5e8a:ee2d::1:2	odo
       10.216.1.14		neelix
       10.216.1.15		quark
+      fdfd:5e8a:ee2d::1:3	quark
       10.217.1.1		drmario
       10.217.2.1		mrmanager
+      fdfd:5e8a:ee2d::2:2 mrmanager
       172.16.16.245		turtle
       172.16.16.251		stream
     '';

nix/configuration/roles/optimized_build/default.nix

@@ -1,7 +1,6 @@
 {
   config,
   lib,
-  pkgs,
   ...
 }:
 
@@ -49,65 +48,13 @@
   };
 
   config = lib.mkMerge [
-    (lib.mkIf (!config.me.optimizations.enable) (
-      lib.mkMerge [
-        {
-          boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_18;
-          # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
-        }
-      ]
-    ))
     (lib.mkIf config.me.optimizations.enable (
       lib.mkMerge [
         {
-          boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
-
           nixpkgs.hostPlatform = {
             gcc.arch = config.me.optimizations.arch;
             gcc.tune = config.me.optimizations.arch;
           };
-
-          nixpkgs.overlays = [
-            (
-              final: prev:
-              let
-                addConfig =
-                  additionalConfig: pkg:
-                  pkg.override (oldconfig: {
-                    structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
-                  });
-              in
-              {
-                linux_me = addConfig {
-                  # Full preemption
-                  PREEMPT = lib.mkOverride 60 lib.kernel.yes;
-                  PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
-
-                  # Google's BBRv3 TCP congestion Control
-                  TCP_CONG_BBR = lib.kernel.yes;
-                  DEFAULT_BBR = lib.kernel.yes;
-
-                  # Preemptive Full Tickless Kernel at 300Hz
-                  HZ = lib.kernel.freeform "300";
-                  HZ_300 = lib.kernel.yes;
-                  HZ_1000 = lib.kernel.no;
-                } prev.linux_6_18; # or prev.linux
-              }
-            )
-            (final: prev: {
-              inherit (final.unoptimized)
-                assimp
-                binaryen
-                gsl
-                rapidjson
-                ffmpeg-headless
-                ffmpeg
-                pipewire
-                chromaprint
-                gtkmm
-                ;
-            })
-          ];
         }
       ]
     ))

nix/configuration/roles/qemu/files/qemurc.bash

@@ -355,6 +355,7 @@ function start_body {
         -smp cores="$CPU_CORES"
         -m "$MEMORY"
         -rtc base=localtime
+        -device virtio-rng-pci
         -drive "file=\"@OVMFfd@/FV/OVMF_CODE.fd\",if=pflash,format=raw,readonly=on"
         -drive "if=pflash,format=raw,file=\"$(readlink -f "${mount_path}/OVMF_VARS.fd")\""
         -drive "if=none,file=/dev/zvol/${zfs_path}/disk0,format=raw,id=hd0"

nix/configuration/roles/recovery/default.nix

@@ -29,7 +29,7 @@
       }
       (lib.mkIf config.me.graphical {
         environment.systemPackages = with pkgs; [
-          ddrescueview
+          #ddrescueview
         ];
       })
     ]

nix/configuration/roles/rpcs3/default.nix

@@ -53,6 +53,8 @@ in
       rpcs3
     ];
 
+    allowedUnfree = [ "rpcs3" ];
+
     security.pam.loginLimits = [
       {
         domain = "@wheel";

nix/configuration/roles/sm64ex/default.nix

@@ -18,7 +18,10 @@
   };
 
   config = lib.mkIf (config.me.sm64ex.enable && config.me.graphical) {
-    allowedUnfree = [ "sm64ex" ];
+    allowedUnfree = [
+      "sm64ex"
+      "baserom.us.z64"
+    ];
 
     environment.systemPackages = with pkgs; [
       sm64ex

nix/configuration/roles/sound/default.nix

@@ -30,7 +30,7 @@
           # If you want to use JACK applications, uncomment this
           #jack.enable = true;
 
-          extraLv2Packages = [ pkgs.rnnoise-plugin ];
+          extraLadspaPackages = [ pkgs.rnnoise-plugin.ladspa ];
           configPackages = [
             (pkgs.writeTextDir "share/pipewire/pipewire.conf.d/99-input-denoising.conf" ''
               context.modules = [
@@ -43,7 +43,7 @@
                               {
                                   type = ladspa
                                   name = rnnoise
-                                  plugin = "${pkgs.rnnoise-plugin}/lib/ladspa/librnnoise_ladspa.so"
+                                  plugin = "librnnoise_ladspa"
                                   label = noise_suppressor_mono
                                   control = {
                                       "VAD Threshold (%)" = 50.0

nix/configuration/roles/vscode/default.nix

@@ -121,6 +121,12 @@ in
             group = "talexander";
             mode = "0755";
           }
+          {
+            directory = ".vscode-shared";
+            user = "talexander";
+            group = "talexander";
+            mode = "0755";
+          }
         ];
       };
     };

nix/configuration/roles/zfs/default.nix

@@ -44,6 +44,9 @@ in
 
     boot.zfs.devNodes = "/dev/disk/by-partuuid";
 
+    # Do not force import your root pool during boot. Force importing would be useful if the pool had been imported by a different machine most recently.
+    boot.zfs.forceImportRoot = false;
+
     services.zfs = {
       autoScrub = {
         enable = true;

nix/kubernetes/.gitignore

@@ -0,0 +1 @@
+result

nix/kubernetes/README.org

@@ -0,0 +1,132 @@
+* To-do
+** Perhaps use overlay for /etc for speedup
+#+begin_src nix
+  system.etc.overlay.enable = true;
+#+end_src
+** read https://nixos.org/manual/nixos/stable/
+** Performance for mini pc
+#+begin_src nix
+  security.pam.loginLimits = [
+    { domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
+  ];
+#+end_src
+* IP Ranges
+|                                | IPv4                        | IPv6                                    |
+|--------------------------------+-----------------------------+-----------------------------------------|
+| Pod                            | 10.200.0.0/16               | 2620:11f:7001:7:ffff:eeee::/96          |
+| Service                        | 10.197.0.0/16               | fd00:3e42:e349::/112                    |
+| Node                           | 10.215.1.0/24               | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
+| Load Balancer                  | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96          |
+| Load Balancer Private (unused) | 10.198.0.0/16               | fd9c:0bd5:22a4::/112                    |
+| PowerDNS from inside cluster   | 10.215.1.211                |                                         |
+* Healthcheck
+** Check cilium status
+#+begin_src bash
+  kubectl -n kube-system exec ds/cilium -- cilium-dbg status --verbose
+  kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep KubeProxyReplacement
+#+end_src
+** Check connectivity
+#+begin_src bash
+  cilium connectivity test
+#+end_src
+** Show dropped packets
+#+begin_src bash
+  kubectl -n kube-system exec ds/cilium -- cilium-dbg monitor --type drop
+#+end_src
+** Show dropped packets for a specific pod
+#+begin_src bash
+  kubectl -n kube-system exec ds/cilium -- hubble observe --since 30s --pod cnpg-system/cnpg-controller-manager-84d498b97-q5m4n --type drop
+#+end_src
+** Install flux
+#+begin_src bash
+  nix shell 'nixpkgs#fluxcd'
+
+  flux bootstrap git \
+    --url=ssh://git@<host>/<org>/<repository> \
+    --branch=main \
+    --private-key-file=<path/to/private.key> \
+    --password=<key-passphrase> \
+    --path=clusters/my-cluster
+#+end_src
+
+#+begin_src bash
+  nix shell 'nixpkgs#kubernetes-helm'
+
+  helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \
+    --namespace flux-system \
+    --create-namespace
+#+end_src
+
+#+begin_src text
+  apiVersion: fluxcd.controlplane.io/v1
+  kind: FluxInstance
+  metadata:
+    name: flux
+    namespace: flux-system
+    annotations:
+      fluxcd.controlplane.io/reconcileEvery: "1h"
+      fluxcd.controlplane.io/reconcileTimeout: "5m"
+  spec:
+    distribution:
+      version: "2.x"
+      registry: "ghcr.io/fluxcd"
+      artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
+    components:
+      - source-controller
+      - kustomize-controller
+      - helm-controller
+      - notification-controller
+      - image-reflector-controller
+      - image-automation-controller
+    cluster:
+      type: kubernetes
+      size: medium
+      multitenant: false
+      networkPolicy: true
+      domain: "cluster.local"
+    kustomize:
+      patches:
+        - target:
+            kind: Deployment
+          patch: |
+            - op: replace
+              path: /spec/template/spec/nodeSelector
+              value:
+                kubernetes.io/os: linux
+            - op: add
+              path: /spec/template/spec/tolerations
+              value:
+                - key: "CriticalAddonsOnly"
+                  operator: "Exists"
+    sync:
+      kind: OCIRepository
+      url: "oci://ghcr.io/my-org/my-fleet-manifests"
+      ref: "latest"
+      path: "clusters/my-cluster"
+      pullSecret: "ghcr-auth"
+#+end_src
+
+#+begin_src text
+  apiVersion: fluxcd.controlplane.io/v1
+  kind: FluxInstance
+  metadata:
+    name: flux
+    namespace: flux-system
+  spec:
+    distribution:
+      version: "2.7.x"
+      registry: "ghcr.io/fluxcd"
+    sync:
+      kind: GitRepository
+      url: "ssh://git@10.215.1.210:22/repos/mrmanager"
+      ref: "refs/heads/nix"
+      path: "clusters/my-cluster"
+      pullSecret: "flux-system"
+#+end_src
+
+#+begin_src bash
+  flux create secret git flux-system \
+    --url=https://gitlab.com/my-org/my-fleet.git \
+    --username=git \
+    --password=$GITLAB_TOKEN
+#+end_src

nix/kubernetes/configuration.nix

@@ -0,0 +1,149 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+{
+  imports = [
+    ./roles/boot
+    ./roles/cilium
+    ./roles/containerd
+    ./roles/control_plane
+    ./roles/debugging
+    ./roles/doas
+    ./roles/dont_use_substituters
+    ./roles/etcd
+    ./roles/firewall
+    ./roles/image_based_appliance
+    ./roles/iso
+    ./roles/kernel
+    ./roles/kube_apiserver
+    ./roles/kube_controller_manager
+    ./roles/kube_proxy
+    ./roles/kube_scheduler
+    ./roles/kubelet
+    ./roles/kubernetes
+    ./roles/minimal_base
+    ./roles/network
+    ./roles/nvme
+    ./roles/optimized_build
+    ./roles/ssh
+    ./roles/sshd
+    ./roles/user
+    ./roles/worker_node
+    ./roles/zsh
+    ./util/install_files
+    ./util/unfree_polyfill
+  ];
+
+  config = {
+    nix.settings.experimental-features = [
+      "nix-command"
+      "flakes"
+      "ca-derivations"
+      # "blake3-hashes"
+      # "git-hashing"
+    ];
+    nix.settings.trusted-users = [ "@wheel" ];
+
+    hardware.enableRedistributableFirmware = true;
+
+    # Keep outputs so we can build offline.
+    nix.settings.keep-outputs = true;
+    nix.settings.keep-derivations = true;
+
+    # Automatic garbage collection
+    nix.gc = lib.mkIf (!config.me.buildingPortable) {
+      # Runs nix-collect-garbage --delete-older-than 5d
+      automatic = true;
+      persistent = true;
+      dates = "monthly";
+      # randomizedDelaySec = "14m";
+      options = "--delete-older-than 30d";
+    };
+    nix.settings.auto-optimise-store = !config.me.buildingPortable;
+
+    environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+      hideMounts = true;
+      directories = [
+        "/var/lib/nixos" # Contains user information (uids/gids)
+        "/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
+        "/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
+      ];
+      files = [
+        "/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
+      ];
+    };
+
+    # Write a list of the currently installed packages to /etc/current-system-packages
+    # environment.etc."current-system-packages".text =
+    #   let
+    #     packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
+    #     sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
+    #     formatted = builtins.concatStringsSep "\n" sortedUnique;
+    #   in
+    #   formatted;
+
+    # nixpkgs.overlays = [
+    #   (final: prev: {
+    #     foot = throw "foo";
+    #   })
+    # ];
+
+    nixpkgs.overlays =
+      let
+        disableTests = (
+          package_name:
+          (final: prev: {
+            "${package_name}" = prev."${package_name}".overrideAttrs (old: {
+              doCheck = false;
+              doInstallCheck = false;
+            });
+          })
+        );
+      in
+      [
+        # (final: prev: {
+        #   imagemagick = prev.imagemagick.overrideAttrs (old: rec {
+        #     # 7.1.2-6 seems to no longer exist, so use 7.1.2-7
+        #     version = "7.1.2-7";
+
+        #     src = final.fetchFromGitHub {
+        #       owner = "ImageMagick";
+        #       repo = "ImageMagick";
+        #       tag = version;
+        #       hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo=";
+        #     };
+        #   });
+        # })
+        # (final: prev: {
+        #   grub2 = (final.callPackage ./package/grub { });
+        # })
+        (final: prev: {
+          inherit (final.unoptimized)
+            libtpms
+            ;
+        })
+      ];
+
+    # This option defines the first version of NixOS you have installed on this particular machine,
+    # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+    #
+    # Most users should NEVER change this value after the initial install, for any reason,
+    # even if you've upgraded your system to a new NixOS release.
+    #
+    # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+    # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+    # to actually do that.
+    #
+    # This value being lower than the current NixOS release does NOT mean your system is
+    # out of date, out of support, or vulnerable.
+    #
+    # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+    # and migrated your data accordingly.
+    #
+    # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+    system.stateVersion = "24.11"; # Did you read the comment?
+  };
+}

nix/kubernetes/flake.lock

@@ -0,0 +1,256 @@
+{
+  "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1731098351,
+        "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1780290312,
+        "narHash": "sha256-eTAlX0CwgB84Ts3GaBd944A3DRXVMzgA0EqroZBISUo=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "115e5211780054d8a890b41f0b7734cafad54dfe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "impermanence",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768598210,
+        "narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "impermanence": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769548169,
+        "narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1737639419,
+        "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.2",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1780749050,
+        "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731363552,
+        "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "impermanence": "impermanence",
+        "lanzaboote": "lanzaboote",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731897198,
+        "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nix/kubernetes/flake.nix

@@ -0,0 +1,183 @@
+# Get a repl for this flake
+#   nix repl --expr "builtins.getFlake \"$PWD\""
+
+# TODO maybe use `nix eval --raw .#odo.iso.outPath`
+
+#
+# Install on a new machine:
+#
+# Set
+#   me.disko.enable = true;
+#   me.disko.offline.enable = true;
+#
+# Run
+#   doas disko --mode destroy,format,mount hosts/recovery/disk-config.nix
+#   doas nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#recovery"
+
+{
+  description = "My system configuration";
+
+  inputs = {
+    impermanence = {
+      url = "github:nix-community/impermanence";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      disko,
+      impermanence,
+      lanzaboote,
+      ...
+    }:
+    let
+      forAllSystems =
+        func:
+        builtins.listToAttrs (
+          map (system: {
+            name = system;
+            value = func system;
+          }) nixpkgs.lib.systems.flakeExposed
+        );
+      nodes = {
+        controller0 = {
+          system = "x86_64-linux";
+        };
+        controller1 = {
+          system = "x86_64-linux";
+        };
+        controller2 = {
+          system = "x86_64-linux";
+        };
+        worker0 = {
+          system = "x86_64-linux";
+        };
+        worker1 = {
+          system = "x86_64-linux";
+        };
+        worker2 = {
+          system = "x86_64-linux";
+        };
+      };
+      nixosConfigs = builtins.mapAttrs (
+        hostname: nodeConfig: format:
+        nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            inherit self;
+
+            this_nixos_config = self.nixosConfigurations."${hostname}";
+
+            all_nixos_configs = self.nixosConfigurations;
+          };
+          modules = [
+            impermanence.nixosModules.impermanence
+            lanzaboote.nixosModules.lanzaboote
+            disko.nixosModules.disko
+            ./configuration.nix
+            (./. + "/hosts/${hostname}")
+            (./. + "/formats/${format}.nix")
+            {
+              config = {
+                nixpkgs.hostPlatform.system = nodeConfig.system;
+                nixpkgs.overlays = [
+                  (final: prev: {
+                    # stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
+                    unoptimized = import nixpkgs {
+                      system = prev.stdenv.hostPlatform.system;
+                      hostPlatform.gcc.arch = "default";
+                      hostPlatform.gcc.tune = "default";
+                    };
+                  })
+                ];
+              };
+            }
+            (
+              {
+                config,
+                lib,
+                pkgs,
+                ...
+              }:
+              let
+                nix-self-repl = pkgs.writeShellScriptBin "nix-self-repl" ''
+                  source /etc/set-environment
+                  nix repl --expr 'builtins.getFlake "${self}"'
+                '';
+                # If we wanted the current version of a flake then we'd just launch
+                #   nix repl
+                # and then run:
+                #   :lf /path/to/flake
+              in
+              {
+                config = {
+                  environment.systemPackages = lib.mkIf config.nix.enable [ nix-self-repl ];
+                };
+              }
+            )
+          ];
+        }
+      ) nodes;
+      installerConfig =
+        hostname: nodeConfig:
+        nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            targetSystem = self.nixosConfigurations."${hostname}";
+          };
+          modules = [
+            ./formats/installer.nix
+            (
+              {
+                config,
+                lib,
+                pkgs,
+                ...
+              }:
+              let
+                nix-self-repl = pkgs.writeShellScriptBin "nix-self-repl" ''
+                  source /etc/set-environment
+                  nix repl --expr 'builtins.getFlake "${self}"'
+                '';
+                # If we wanted the current version of a flake then we'd just launch
+                #   nix repl
+                # and then run:
+                #   :lf /path/to/flake
+              in
+              {
+                config = {
+                  environment.systemPackages = lib.mkIf config.nix.enable [ nix-self-repl ];
+                };
+              }
+            )
+            ({ nixpkgs.hostPlatform.system = nodeConfig.system; })
+          ];
+        };
+    in
+    {
+      nixosConfigurations = (builtins.mapAttrs (name: value: value "toplevel") nixosConfigs);
+    }
+    // {
+      packages = (
+        forAllSystems (
+          system:
+          (builtins.mapAttrs (hostname: nodeConfig: {
+            iso = (nixosConfigs."${hostname}" "iso").config.system.build.isoImage;
+            vm_iso = (nixosConfigs."${hostname}" "vm_iso").config.system.build.isoImage;
+            sd = (nixosConfigs."${hostname}" "sd").config.system.build.sdImage;
+            installer = (installerConfig hostname nodes."${hostname}").config.system.build.isoImage;
+          }) (nixpkgs.lib.attrsets.filterAttrs (hostname: nodeConfig: nodeConfig.system == system) nodes))
+        )
+      );
+    };
+}

nix/kubernetes/formats/installer.nix

@@ -0,0 +1,74 @@
+{
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  targetSystem,
+  ...
+}:
+let
+  installer = pkgs.writeShellApplication {
+    name = "installer";
+    runtimeInputs = with pkgs; [
+      # clevis
+      dosfstools
+      e2fsprogs
+      gawk
+      nixos-install-tools
+      util-linux
+      config.nix.package
+    ];
+    text = ''
+      set -euo pipefail
+
+      ${targetSystem.config.system.build.diskoScript}
+
+      nixos-install --no-channel-copy --no-root-password --option substituters "" --system ${targetSystem.config.system.build.toplevel}
+    '';
+  };
+  installerFailsafe = pkgs.writeShellScript "failsafe" ''
+    ${lib.getExe installer} || echo "ERROR: Installation failure!"
+    sleep 3600
+  '';
+in
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    (modulesPath + "/profiles/all-hardware.nix")
+  ];
+
+  # boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_17;
+  # boot.zfs.package = pkgs.zfs_unstable;
+  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
+  boot.kernelParams = [
+    "quiet"
+    "systemd.unit=getty.target"
+  ];
+  boot.supportedFilesystems.zfs = true;
+  boot.initrd.systemd.enable = true;
+
+  networking.hostId = "04581ecf";
+
+  isoImage.makeEfiBootable = true;
+  isoImage.makeUsbBootable = true;
+  isoImage.squashfsCompression = "zstd -Xcompression-level 15";
+
+  environment.systemPackages = [
+    installer
+  ];
+
+  systemd.services."getty@tty1" = {
+    overrideStrategy = "asDropin";
+    serviceConfig = {
+      ExecStart = [
+        ""
+        installerFailsafe
+      ];
+      Restart = "no";
+      StandardInput = "null";
+    };
+  };
+
+  # system.stateVersion = lib.mkDefault lib.trivial.release;
+  system.stateVersion = "24.11";
+}

nix/kubernetes/formats/iso.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  modulesPath,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.buildingPortable = true;
+    me.disko.enable = true;
+    me.disko.offline.enable = true;
+    me.mountPersistence = lib.mkForce false;
+    # me.optimizations.enable = lib.mkForce false;
+
+    # Not doing image_based_appliance because this might be an install ISO, in which case we'd need nix to do the install.
+    # me.image_based_appliance.enable = true;
+
+    # TODO: Should I use this instead of doing a mkIf for the disk config?
+    # disko.enableConfig = false;
+
+    # Faster image generation for testing/development.
+    isoImage.squashfsCompression = "zstd -Xcompression-level 15";
+  };
+}

nix/kubernetes/formats/sd.nix

@@ -0,0 +1,32 @@
+{
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image.nix")
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    boot.loader.grub.enable = false;
+    boot.loader.generic-extlinux-compatible.enable = true;
+
+    # TODO: image based appliance?
+
+    # TODO: Maybe this?
+    # fileSystems = {
+    #   "/" = {
+    #     device = "/dev/disk/by-label/NIXOS_SD";
+    #     fsType = "ext4";
+    #     options = [
+    #       "noatime"
+    #       "norelatime"
+    #     ];
+    #   };
+    # };
+  };
+}

nix/kubernetes/formats/toplevel.nix

@@ -0,0 +1 @@
+{ }

nix/kubernetes/formats/vm_iso.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    (modulesPath + "/profiles/qemu-guest.nix") # VirtIO kernel modules
+  ];
+
+  config = {
+    isoImage.makeEfiBootable = true;
+    isoImage.makeUsbBootable = true;
+
+    networking.dhcpcd.enable = true;
+    networking.useDHCP = true;
+
+    me.image_based_appliance.enable = true;
+  };
+}

nix/kubernetes/functions/to_yaml.nix

@@ -0,0 +1,24 @@
+{
+  pkgs,
+  ...
+}:
+let
+  to_yaml_file =
+    file_name: contents:
+    let
+      settingsFormat = pkgs.formats.yaml { };
+      yaml_file = settingsFormat.generate file_name contents;
+    in
+    yaml_file;
+  to_yaml =
+    file_name: contents:
+    let
+      settingsFormat = pkgs.formats.yaml { };
+      yaml_file = settingsFormat.generate file_name contents;
+      yaml_content = builtins.readFile yaml_file;
+    in
+    yaml_content;
+in
+{
+  inherit to_yaml to_yaml_file;
+}

nix/kubernetes/hosts/controller0/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=controller0
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#controller0" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller0/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=controller0
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#controller0" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller0/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller0.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller0/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller0" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller0/SELF_BUILD

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller0" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller0/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller0" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller0/VM_ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller0.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller0/default.nix

@@ -0,0 +1,130 @@
+# MANUAL: On client machines generate signing keys:
+#   nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
+#
+# Trust other machines and add the substituters:
+#   nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
+#   nix.binaryCaches = [ "https://test.example/nix-cache" ];
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./vm_disk.nix
+  ];
+
+  config = {
+    networking =
+      let
+        interface = "enp0s2";
+      in
+      {
+        # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+        hostId = "769e1349";
+
+        hostName = "controller0"; # Define your hostname.
+
+        interfaces = {
+          "${interface}" = {
+            ipv4.addresses = [
+              {
+                address = "10.215.1.221";
+                prefixLength = 24;
+              }
+            ];
+
+            ipv6.addresses = [
+              {
+                address = "2620:11f:7001:7:ffff:ffff:0ad7:01dd";
+                prefixLength = 64;
+              }
+            ];
+          };
+        };
+        defaultGateway = "10.215.1.1";
+        defaultGateway6 = {
+          # address = "2620:11f:7001:7::1";
+          address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
+          inherit interface;
+        };
+
+        dhcpcd.enable = lib.mkForce false;
+        useDHCP = lib.mkForce false;
+      };
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+    boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # nix.optimise.automatic = true;
+    # nix.optimise.dates = [ "03:45" ];
+    # nix.optimise.persistent = true;
+
+    environment.systemPackages = with pkgs; [
+      htop
+    ];
+
+    # nix.sshServe.enable = true;
+    # nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
+
+    me.etcd.cluster_name = "put-a-nix-on-it";
+    me.etcd.internal_ip = [
+      # "10.215.1.221"
+      "[2620:11f:7001:7:ffff:ffff:0ad7:01dd]"
+    ];
+    me.etcd.initial_cluster = [
+      # "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
+      # "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
+      # "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
+      "controller0=https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2380" # 10.215.1.221
+      "controller1=https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2380" # 10.215.1.222
+      "controller2=https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2380" # 10.215.1.223
+    ];
+
+    me.kube_apiserver.internal_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01dd";
+    # me.kube_apiserver.external_ip = "74.80.180.138";
+    me.kube_apiserver.external_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01dd";
+    me.kube_apiserver.etcd_services = [
+      "https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2379" # 10.215.1.221
+      "https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2379" # 10.215.1.222
+      "https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2379" # 10.215.1.223
+    ];
+
+    me.control_plane.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.etcd.enable = true;
+    me.minimal_base.enable = true;
+  };
+}

nix/kubernetes/hosts/controller0/hardware-configuration.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+  };
+}

nix/kubernetes/hosts/controller0/vm_disk.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    # Mount the local disk
+    fileSystems = lib.mkIf config.me.mountPersistence {
+      "/.disk" = lib.mkForce {
+        device = "/dev/nvme0n1p1";
+        fsType = "ext4";
+        options = [
+          "noatime"
+          "discard"
+        ];
+        neededForBoot = true;
+      };
+
+      "/.persist" = lib.mkForce {
+        device = "bind9p";
+        fsType = "9p";
+        options = [
+          "noatime"
+          "trans=virtio"
+          "version=9p2000.L"
+          "cache=mmap"
+          "msize=512000"
+          # "noauto"
+          # "x-systemd.automount"
+        ];
+        neededForBoot = true;
+      };
+
+      "/persist" = {
+        fsType = "none";
+        device = "/.persist/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.persist/persist"
+        ];
+        neededForBoot = true;
+      };
+
+      "/state" = {
+        fsType = "none";
+        device = "/.persist/state";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.persist/state"
+        ];
+        neededForBoot = true;
+      };
+
+      "/k8spv" = lib.mkForce {
+        device = "k8spv";
+        fsType = "9p";
+        options = [
+          "noatime"
+          "trans=virtio"
+          "version=9p2000.L"
+          "cache=mmap"
+          "msize=512000"
+          # "noauto"
+          # "x-systemd.automount"
+        ];
+        neededForBoot = true;
+      };
+
+      "/disk" = {
+        fsType = "none";
+        device = "/.disk/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.disk/persist"
+        ];
+        neededForBoot = true;
+      };
+    };
+  };
+}

nix/kubernetes/hosts/controller1/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=controller1
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#controller1" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller1/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=controller1
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#controller1" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller1/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller1.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller1/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller1" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller1/SELF_BUILD

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller1" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller1/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller1" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller1/VM_ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller1.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller1/default.nix

@@ -0,0 +1,130 @@
+# MANUAL: On client machines generate signing keys:
+#   nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
+#
+# Trust other machines and add the substituters:
+#   nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
+#   nix.binaryCaches = [ "https://test.example/nix-cache" ];
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./vm_disk.nix
+  ];
+
+  config = {
+    networking =
+      let
+        interface = "enp0s2";
+      in
+      {
+        # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+        hostId = "59a83979";
+
+        hostName = "controller1"; # Define your hostname.
+
+        interfaces = {
+          "${interface}" = {
+            ipv4.addresses = [
+              {
+                address = "10.215.1.222";
+                prefixLength = 24;
+              }
+            ];
+
+            ipv6.addresses = [
+              {
+                address = "2620:11f:7001:7:ffff:ffff:0ad7:01de";
+                prefixLength = 64;
+              }
+            ];
+          };
+        };
+        defaultGateway = "10.215.1.1";
+        defaultGateway6 = {
+          # address = "2620:11f:7001:7::1";
+          address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
+          inherit interface;
+        };
+
+        dhcpcd.enable = lib.mkForce false;
+        useDHCP = lib.mkForce false;
+      };
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+    boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # nix.optimise.automatic = true;
+    # nix.optimise.dates = [ "03:45" ];
+    # nix.optimise.persistent = true;
+
+    environment.systemPackages = with pkgs; [
+      htop
+    ];
+
+    # nix.sshServe.enable = true;
+    # nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
+
+    me.etcd.cluster_name = "put-a-nix-on-it";
+    me.etcd.internal_ip = [
+      # "10.215.1.221"
+      "[2620:11f:7001:7:ffff:ffff:0ad7:01de]"
+    ];
+    me.etcd.initial_cluster = [
+      # "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
+      # "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
+      # "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
+      "controller0=https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2380" # 10.215.1.221
+      "controller1=https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2380" # 10.215.1.222
+      "controller2=https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2380" # 10.215.1.223
+    ];
+
+    me.kube_apiserver.internal_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01de";
+    # me.kube_apiserver.external_ip = "74.80.180.138";
+    me.kube_apiserver.external_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01de";
+    me.kube_apiserver.etcd_services = [
+      "https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2379" # 10.215.1.221
+      "https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2379" # 10.215.1.222
+      "https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2379" # 10.215.1.223
+    ];
+
+    me.control_plane.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.etcd.enable = true;
+    me.minimal_base.enable = true;
+  };
+}

nix/kubernetes/hosts/controller1/hardware-configuration.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+  };
+}

nix/kubernetes/hosts/controller1/vm_disk.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    # Mount the local disk
+    fileSystems = lib.mkIf config.me.mountPersistence {
+      "/.disk" = lib.mkForce {
+        device = "/dev/nvme0n1p1";
+        fsType = "ext4";
+        options = [
+          "noatime"
+          "discard"
+        ];
+        neededForBoot = true;
+      };
+
+      "/.persist" = lib.mkForce {
+        device = "bind9p";
+        fsType = "9p";
+        options = [
+          "noatime"
+          "trans=virtio"
+          "version=9p2000.L"
+          "cache=mmap"
+          "msize=512000"
+          # "noauto"
+          # "x-systemd.automount"
+        ];
+        neededForBoot = true;
+      };
+
+      "/persist" = {
+        fsType = "none";
+        device = "/.persist/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.persist/persist"
+        ];
+        neededForBoot = true;
+      };
+
+      "/state" = {
+        fsType = "none";
+        device = "/.persist/state";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.persist/state"
+        ];
+        neededForBoot = true;
+      };
+
+      "/k8spv" = lib.mkForce {
+        device = "k8spv";
+        fsType = "9p";
+        options = [
+          "noatime"
+          "trans=virtio"
+          "version=9p2000.L"
+          "cache=mmap"
+          "msize=512000"
+          # "noauto"
+          # "x-systemd.automount"
+        ];
+        neededForBoot = true;
+      };
+
+      "/disk" = {
+        fsType = "none";
+        device = "/.disk/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.disk/persist"
+        ];
+        neededForBoot = true;
+      };
+    };
+  };
+}

nix/kubernetes/hosts/controller2/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=controller2
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#controller2" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller2/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=controller2
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#controller2" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller2/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller2.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller2/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller2" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller2/SELF_BUILD

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller2" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller2/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller2" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller2/VM_ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller2.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/controller2/default.nix

@@ -0,0 +1,130 @@
+# MANUAL: On client machines generate signing keys:
+#   nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
+#
+# Trust other machines and add the substituters:
+#   nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
+#   nix.binaryCaches = [ "https://test.example/nix-cache" ];
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./vm_disk.nix
+  ];
+
+  config = {
+    networking =
+      let
+        interface = "enp0s2";
+      in
+      {
+        # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+        hostId = "26a43660";
+
+        hostName = "controller2"; # Define your hostname.
+
+        interfaces = {
+          "${interface}" = {
+            ipv4.addresses = [
+              {
+                address = "10.215.1.223";
+                prefixLength = 24;
+              }
+            ];
+
+            ipv6.addresses = [
+              {
+                address = "2620:11f:7001:7:ffff:ffff:0ad7:01df";
+                prefixLength = 64;
+              }
+            ];
+          };
+        };
+        defaultGateway = "10.215.1.1";
+        defaultGateway6 = {
+          # address = "2620:11f:7001:7::1";
+          address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
+          inherit interface;
+        };
+
+        dhcpcd.enable = lib.mkForce false;
+        useDHCP = lib.mkForce false;
+      };
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+    boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # nix.optimise.automatic = true;
+    # nix.optimise.dates = [ "03:45" ];
+    # nix.optimise.persistent = true;
+
+    environment.systemPackages = with pkgs; [
+      htop
+    ];
+
+    # nix.sshServe.enable = true;
+    # nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
+
+    me.etcd.cluster_name = "put-a-nix-on-it";
+    me.etcd.internal_ip = [
+      # "10.215.1.221"
+      "[2620:11f:7001:7:ffff:ffff:0ad7:01df]"
+    ];
+    me.etcd.initial_cluster = [
+      # "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
+      # "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
+      # "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
+      "controller0=https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2380" # 10.215.1.221
+      "controller1=https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2380" # 10.215.1.222
+      "controller2=https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2380" # 10.215.1.223
+    ];
+
+    me.kube_apiserver.internal_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01df";
+    # me.kube_apiserver.external_ip = "74.80.180.138";
+    me.kube_apiserver.external_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01df";
+    me.kube_apiserver.etcd_services = [
+      "https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2379" # 10.215.1.221
+      "https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2379" # 10.215.1.222
+      "https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2379" # 10.215.1.223
+    ];
+
+    me.control_plane.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.etcd.enable = true;
+    me.minimal_base.enable = true;
+  };
+}

nix/kubernetes/hosts/controller2/hardware-configuration.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+  };
+}

nix/kubernetes/hosts/controller2/vm_disk.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    # Mount the local disk
+    fileSystems = lib.mkIf config.me.mountPersistence {
+      "/.disk" = lib.mkForce {
+        device = "/dev/nvme0n1p1";
+        fsType = "ext4";
+        options = [
+          "noatime"
+          "discard"
+        ];
+        neededForBoot = true;
+      };
+
+      "/.persist" = lib.mkForce {
+        device = "bind9p";
+        fsType = "9p";
+        options = [
+          "noatime"
+          "trans=virtio"
+          "version=9p2000.L"
+          "cache=mmap"
+          "msize=512000"
+          # "noauto"
+          # "x-systemd.automount"
+        ];
+        neededForBoot = true;
+      };
+
+      "/persist" = {
+        fsType = "none";
+        device = "/.persist/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.persist/persist"
+        ];
+        neededForBoot = true;
+      };
+
+      "/state" = {
+        fsType = "none";
+        device = "/.persist/state";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.persist/state"
+        ];
+        neededForBoot = true;
+      };
+
+      "/k8spv" = lib.mkForce {
+        device = "k8spv";
+        fsType = "9p";
+        options = [
+          "noatime"
+          "trans=virtio"
+          "version=9p2000.L"
+          "cache=mmap"
+          "msize=512000"
+          # "noauto"
+          # "x-systemd.automount"
+        ];
+        neededForBoot = true;
+      };
+
+      "/disk" = {
+        fsType = "none";
+        device = "/.disk/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.disk/persist"
+        ];
+        neededForBoot = true;
+      };
+    };
+  };
+}

nix/kubernetes/hosts/worker0/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=worker0
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#worker0" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker0/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=worker0
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#worker0" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker0/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker0.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker0/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker0" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker0/SELF_BUILD

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker0" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker0/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker0" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker0/VM_ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker0.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker0/default.nix

@@ -0,0 +1,106 @@
+# MANUAL: On client machines generate signing keys:
+#   nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
+#
+# Trust other machines and add the substituters:
+#   nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
+#   nix.binaryCaches = [ "https://test.example/nix-cache" ];
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./vm_disk.nix
+  ];
+
+  config = {
+    networking =
+      let
+        interface = "enp0s2";
+      in
+      {
+        # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+        hostId = "0aadbb10";
+
+        hostName = "worker0"; # Define your hostname.
+
+        interfaces = {
+          "${interface}" = {
+            ipv4.addresses = [
+              {
+                address = "10.215.1.224";
+                prefixLength = 24;
+              }
+            ];
+
+            ipv6.addresses = [
+              {
+                address = "2620:11f:7001:7:ffff:ffff:0ad7:01e0";
+                prefixLength = 64;
+              }
+            ];
+          };
+        };
+        defaultGateway = "10.215.1.1";
+        defaultGateway6 = {
+          # address = "2620:11f:7001:7::1";
+          address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
+          inherit interface;
+        };
+
+        dhcpcd.enable = lib.mkForce false;
+        useDHCP = lib.mkForce false;
+      };
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+    boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # nix.optimise.automatic = true;
+    # nix.optimise.dates = [ "03:45" ];
+    # nix.optimise.persistent = true;
+
+    environment.systemPackages = with pkgs; [
+      htop
+    ];
+
+    # nix.sshServe.enable = true;
+    # nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
+
+    me.dont_use_substituters.enable = true;
+    me.minimal_base.enable = true;
+    me.worker_node.enable = true;
+  };
+}

nix/kubernetes/hosts/worker0/hardware-configuration.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+  };
+}

nix/kubernetes/hosts/worker0/vm_disk.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    # Mount the local disk
+    fileSystems = lib.mkIf config.me.mountPersistence {
+      "/.disk" = lib.mkForce {
+        device = "/dev/nvme0n1p1";
+        fsType = "ext4";
+        options = [
+          "noatime"
+          "discard"
+        ];
+        neededForBoot = true;
+      };
+
+      "/.persist" = lib.mkForce {
+        device = "bind9p";
+        fsType = "9p";
+        options = [
+          "noatime"
+          "trans=virtio"
+          "version=9p2000.L"
+          "cache=mmap"
+          "msize=512000"
+          # "noauto"
+          # "x-systemd.automount"
+        ];
+        neededForBoot = true;
+      };
+
+      "/persist" = {
+        fsType = "none";
+        device = "/.persist/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.persist/persist"
+        ];
+        neededForBoot = true;
+      };
+
+      "/state" = {
+        fsType = "none";
+        device = "/.persist/state";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.persist/state"
+        ];
+        neededForBoot = true;
+      };
+
+      "/k8spv" = lib.mkForce {
+        device = "k8spv";
+        fsType = "9p";
+        options = [
+          "noatime"
+          "trans=virtio"
+          "version=9p2000.L"
+          "cache=mmap"
+          "msize=512000"
+          # "noauto"
+          # "x-systemd.automount"
+        ];
+        neededForBoot = true;
+      };
+
+      "/disk" = {
+        fsType = "none";
+        device = "/.disk/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.disk/persist"
+        ];
+        neededForBoot = true;
+      };
+    };
+  };
+}

nix/kubernetes/hosts/worker1/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=worker1
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#worker1" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker1/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=worker1
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#worker1" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker1/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker1.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker1/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker1" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker1/SELF_BUILD

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker1" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker1/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker1" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker1/VM_ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker1.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker1/default.nix

@@ -0,0 +1,106 @@
+# MANUAL: On client machines generate signing keys:
+#   nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
+#
+# Trust other machines and add the substituters:
+#   nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
+#   nix.binaryCaches = [ "https://test.example/nix-cache" ];
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./vm_disk.nix
+  ];
+
+  config = {
+    networking =
+      let
+        interface = "enp0s2";
+      in
+      {
+        # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+        hostId = "4324346d";
+
+        hostName = "worker1"; # Define your hostname.
+
+        interfaces = {
+          "${interface}" = {
+            ipv4.addresses = [
+              {
+                address = "10.215.1.225";
+                prefixLength = 24;
+              }
+            ];
+
+            ipv6.addresses = [
+              {
+                address = "2620:11f:7001:7:ffff:ffff:0ad7:01e1";
+                prefixLength = 64;
+              }
+            ];
+          };
+        };
+        defaultGateway = "10.215.1.1";
+        defaultGateway6 = {
+          # address = "2620:11f:7001:7::1";
+          address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
+          inherit interface;
+        };
+
+        dhcpcd.enable = lib.mkForce false;
+        useDHCP = lib.mkForce false;
+      };
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+    boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # nix.optimise.automatic = true;
+    # nix.optimise.dates = [ "03:45" ];
+    # nix.optimise.persistent = true;
+
+    environment.systemPackages = with pkgs; [
+      htop
+    ];
+
+    # nix.sshServe.enable = true;
+    # nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
+
+    me.worker_node.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.minimal_base.enable = true;
+  };
+}

nix/kubernetes/hosts/worker1/hardware-configuration.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  config = {
+    boot.initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "thunderbolt"
+    ];
+    boot.initrd.kernelModules = [ ];
+    boot.kernelModules = [ ];
+    boot.extraModulePackages = [ ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    # networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
+  };
+}

nix/kubernetes/hosts/worker1/vm_disk.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  config = {
+    # Mount the local disk
+    fileSystems = lib.mkIf config.me.mountPersistence {
+      "/.disk" = lib.mkForce {
+        device = "/dev/nvme0n1p1";
+        fsType = "ext4";
+        options = [
+          "noatime"
+          "discard"
+        ];
+        neededForBoot = true;
+      };
+
+      "/.persist" = lib.mkForce {
+        device = "bind9p";
+        fsType = "9p";
+        options = [
+          "noatime"
+          "trans=virtio"
+          "version=9p2000.L"
+          "cache=mmap"
+          "msize=512000"
+          # "noauto"
+          # "x-systemd.automount"
+        ];
+        neededForBoot = true;
+      };
+
+      "/persist" = {
+        fsType = "none";
+        device = "/.persist/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.persist/persist"
+        ];
+        neededForBoot = true;
+      };
+
+      "/state" = {
+        fsType = "none";
+        device = "/.persist/state";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.persist/state"
+        ];
+        neededForBoot = true;
+      };
+
+      "/k8spv" = lib.mkForce {
+        device = "k8spv";
+        fsType = "9p";
+        options = [
+          "noatime"
+          "trans=virtio"
+          "version=9p2000.L"
+          "cache=mmap"
+          "msize=512000"
+          # "noauto"
+          # "x-systemd.automount"
+        ];
+        neededForBoot = true;
+      };
+
+      "/disk" = {
+        fsType = "none";
+        device = "/.disk/persist";
+        options = [
+          "bind"
+          "rw"
+        ];
+        depends = [
+          "/.disk/persist"
+        ];
+        neededForBoot = true;
+      };
+    };
+  };
+}

nix/kubernetes/hosts/worker2/DEPLOY_BOOT

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=worker2
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild boot --flake "$DIR/../../#worker2" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker2/DEPLOY_SWITCH

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+TARGET=worker2
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+
+nixos-rebuild switch --flake "$DIR/../../#worker2" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker2/ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker2.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker2/SELF_BOOT

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker2" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker2/SELF_BUILD

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker2" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker2/SELF_SWITCH

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker2" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker2/VM_ISO

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: "${JOBS:="1"}"
+
+for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
+nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker2.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

nix/kubernetes/hosts/worker2/default.nix

@@ -0,0 +1,106 @@
+# MANUAL: On client machines generate signing keys:
+#   nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
+#
+# Trust other machines and add the substituters:
+#   nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
+#   nix.binaryCaches = [ "https://test.example/nix-cache" ];
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./vm_disk.nix
+  ];
+
+  config = {
+    networking =
+      let
+        interface = "enp0s2";
+      in
+      {
+        # Generate with `head -c4 /dev/urandom | od -A none -t x4`
+        hostId = "ce017961";
+
+        hostName = "worker2"; # Define your hostname.
+
+        interfaces = {
+          "${interface}" = {
+            ipv4.addresses = [
+              {
+                address = "10.215.1.226";
+                prefixLength = 24;
+              }
+            ];
+
+            ipv6.addresses = [
+              {
+                address = "2620:11f:7001:7:ffff:ffff:0ad7:01e2";
+                prefixLength = 64;
+              }
+            ];
+          };
+        };
+        defaultGateway = "10.215.1.1";
+        defaultGateway6 = {
+          # address = "2620:11f:7001:7::1";
+          address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
+          inherit interface;
+        };
+
+        dhcpcd.enable = lib.mkForce false;
+        useDHCP = lib.mkForce false;
+      };
+
+    time.timeZone = "America/New_York";
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    me.boot.enable = true;
+    me.boot.secure = false;
+    me.mountPersistence = true;
+    boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
+
+    me.optimizations = {
+      enable = true;
+      arch = "znver4";
+      # build_arch = "x86-64-v3";
+      system_features = [
+        "gccarch-znver4"
+        "gccarch-skylake"
+        "gccarch-kabylake"
+        # "gccarch-alderlake" missing WAITPKG
+        "gccarch-x86-64-v3"
+        "gccarch-x86-64-v4"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+        "nixos-test"
+      ];
+    };
+
+    # Mount tmpfs at /tmp
+    boot.tmp.useTmpfs = true;
+
+    # Enable TRIM
+    # services.fstrim.enable = lib.mkDefault true;
+
+    # nix.optimise.automatic = true;
+    # nix.optimise.dates = [ "03:45" ];
+    # nix.optimise.persistent = true;
+
+    environment.systemPackages = with pkgs; [
+      htop
+    ];
+
+    # nix.sshServe.enable = true;
+    # nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
+
+    me.worker_node.enable = true;
+    me.dont_use_substituters.enable = true;
+    me.minimal_base.enable = true;
+  };
+}