diff --git a/flake.nix b/flake.nix
index 1cd599a..bcdc1aa 100755
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,13 @@
};
};
+ channels-config = {
+ allowUnfree = true;
+ permittedInsecurePackages = [
+ "intel-ocl-5.0-63503"
+ ];
+ };
+
homes.modules = with inputs; [
sops-nix.homeManagerModules.sops
];
diff --git a/modules/nixos/hardware/opengl/default.nix b/modules/nixos/hardware/opengl/default.nix
index 7735192..068ffef 100644
--- a/modules/nixos/hardware/opengl/default.nix
+++ b/modules/nixos/hardware/opengl/default.nix
@@ -1,6 +1,6 @@
{ config, lib, pkgs, namespace, ... }:
let
- inherit (lib) mkIf;
+ inherit (lib) mkIf mkForce;
inherit (lib.${namespace}) mkBoolOpt;
cfg = config.${namespace}.hardware.opengl;
@@ -8,7 +8,7 @@ in
{
options.${namespace}.hardware.opengl = {
enable = lib.mkEnableOption "support for opengl";
- enable32Bit = mkBoolOpt false "enabel 32-bit";
+ enable32Bit = mkBoolOpt false "enable 32-bit";
enableIntel = mkBoolOpt false "support for intel";
enableNvidia = mkBoolOpt false "support for nvidia";
};
@@ -19,8 +19,12 @@ in
vdpauinfo
] ++ lib.optionals cfg.enableNvidia [
nvtopPackages.full
+ ] ++ lib.optionals cfg.enableIntel [
+ intel-gpu-tools
];
+ # Add Intel Arc / Nvidia Drivers
+ hardware.enableRedistributableFirmware = cfg.enableIntel;
hardware.graphics = {
enable = true;
enable32Bit = cfg.enable32Bit;
diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix
index 87af8bb..0ef9838 100644
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@@ -1,5 +1,6 @@
{ config, lib, pkgs, namespace, host, ... }:
let
+ inherit (lib) types mkIf;
inherit (lib.${namespace}) mkBoolOpt mkOpt;
cfg = config.${namespace}.nix;
@@ -7,10 +8,10 @@ in
{
options.${namespace}.nix = {
enable = mkBoolOpt true "Whether or not to manage nix configuration.";
- package = mkOpt lib.types.package pkgs.nixVersions.latest "Which nix package to use.";
+ package = mkOpt types.package pkgs.nixVersions.latest "Which nix package to use.";
};
- config = lib.mkIf cfg.enable {
+ config = mkIf cfg.enable {
nix =
let
users = [
@@ -23,11 +24,10 @@ in
{
inherit (cfg) package;
- buildMachines = lib.optional (host != "nixos-builder") {
+ buildMachines = lib.optional (config.${namespace}.security.sops.enable && host != "nixos-builder") {
hostName = "10.0.50.130";
systems = [ "x86_64-linux" ];
sshUser = "evanreichard";
- speedFactor = 1;
protocol = "ssh";
sshKey = config.sops.secrets.builder_ssh_key.path;
supportedFeatures = [
@@ -46,10 +46,6 @@ in
options = "--delete-older-than 7d";
};
- # This will additionally add your inputs to the system's legacy channels
- # # Making legacy nix commands consistent as well
- nixPath = lib.mapAttrsToList (key: _: "${key}=flake:${key}") config.nix.registry;
-
optimise.automatic = true;
settings = {
diff --git a/modules/nixos/security/sops/default.nix b/modules/nixos/security/sops/default.nix
index 7efad11..adfcfe5 100644
--- a/modules/nixos/security/sops/default.nix
+++ b/modules/nixos/security/sops/default.nix
@@ -9,7 +9,7 @@ in
enable = lib.mkEnableOption "sops";
defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
sshKeyPaths = mkOpt (with lib.types; listOf path) [
- "/etc/ssh/ssh_host_ed25519_key"
+ # "/etc/ssh/ssh_host_ed25519_key"
] "SSH Key paths to use.";
};
diff --git a/modules/nixos/services/cloud-init/default.nix b/modules/nixos/services/cloud-init/default.nix
new file mode 100644
index 0000000..48834b2
--- /dev/null
+++ b/modules/nixos/services/cloud-init/default.nix
@@ -0,0 +1,26 @@
+{ config, lib, namespace, ... }:
+let
+ inherit (lib) mkIf;
+
+ cfg = config.${namespace}.services.cloud-init;
+in
+{
+ options.${namespace}.services.cloud-init = {
+ enable = lib.mkEnableOption "Enable Cloud-Init";
+ };
+
+ config = mkIf cfg.enable {
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ settings = {
+ datasource_list = [ "NoCloud" ];
+ preserve_hostname = false;
+ system_info = {
+ distro = "nixos";
+ network.renderers = [ "networkd" ];
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/services/openiscsi/default.nix b/modules/nixos/services/openiscsi/default.nix
new file mode 100644
index 0000000..a85f63f
--- /dev/null
+++ b/modules/nixos/services/openiscsi/default.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, lib, namespace, host, ... }:
+let
+ inherit (lib) types mkIf;
+ inherit (lib.${namespace}) mkOpt;
+
+ cfg = config.${namespace}.services.openiscsi;
+in
+{
+ options.${namespace}.services.openiscsi = {
+ enable = lib.mkEnableOption "Open iSCSI support";
+ name = mkOpt types.str "iqn.2025.reichard.io:${host}" "iSCSI name";
+ symlink = mkOpt types.bool false "Create a symlink to the iSCSI binaries";
+ };
+
+ config = mkIf cfg.enable {
+ boot.kernelModules = [ "iscsi_tcp" "libiscsi" "scsi_transport_iscsi" ];
+
+ services.openiscsi = {
+ enable = true;
+ name = cfg.name;
+ };
+
+ environment.systemPackages = with pkgs; [
+ openiscsi
+ ];
+
+ # Predominately used for RKE2 & Democratic CSI
+ system.activationScripts.iscsi-symlink = mkIf cfg.symlink ''
+ mkdir -p /usr/bin
+ ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm
+ ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid
+ '';
+ };
+}
diff --git a/modules/nixos/services/openssh/default.nix b/modules/nixos/services/openssh/default.nix
index 3c22359..7b5f061 100644
--- a/modules/nixos/services/openssh/default.nix
+++ b/modules/nixos/services/openssh/default.nix
@@ -1,4 +1,4 @@
-{ config, format, lib, namespace, ... }:
+{ config, lib, namespace, ... }:
let
inherit (lib)
types
@@ -40,7 +40,7 @@ in
AuthenticationMethods = "publickey";
ChallengeResponseAuthentication = "no";
PasswordAuthentication = false;
- PermitRootLogin = if format == "install-iso" then "yes" else "no";
+ PermitRootLogin = "prohibit-password";
PubkeyAuthentication = "yes";
StreamLocalBindUnlink = "yes";
UseDns = false;
diff --git a/modules/nixos/services/rke2/default.nix b/modules/nixos/services/rke2/default.nix
new file mode 100644
index 0000000..d65e2ae
--- /dev/null
+++ b/modules/nixos/services/rke2/default.nix
@@ -0,0 +1,20 @@
+{ config, lib, namespace, ... }:
+let
+ inherit (lib) types mkIf;
+ inherit (lib.${namespace}) mkOpt;
+
+ cfg = config.${namespace}.services.rke2;
+in
+{
+ options.${namespace}.services.rke2 = with types; {
+ enable = lib.mkEnableOption "Enabel RKE2";
+ disable = mkOpt (listOf str) [ ] "Disable services";
+ };
+
+ config = mkIf cfg.enable {
+ services.rke2 = {
+ enable = true;
+ disable = cfg.disable;
+ };
+ };
+}
diff --git a/modules/nixos/system/boot/default.nix b/modules/nixos/system/boot/default.nix
index ebb0e13..cfe2b95 100644
--- a/modules/nixos/system/boot/default.nix
+++ b/modules/nixos/system/boot/default.nix
@@ -43,11 +43,9 @@ in
};
initrd = mkIf cfg.xenGuest {
- availableKernelModules = [ "xen_blkfront" "xen_netfront" ];
kernelModules = [ "xen_netfront" "xen_blkfront" ];
- supportedFilesystems = [ "ext4" "xenfs" ];
+ supportedFilesystems = [ "xenfs" ];
};
-
kernelModules = mkIf cfg.xenGuest [ "xen_netfront" "xen_blkfront" "xenfs" ];
};
};
diff --git a/systems/x86_64-vmware/rke2-node/default.nix b/systems/x86_64-vmware/rke2-node/default.nix
index 9c28331..c87b5a5 100755
--- a/systems/x86_64-vmware/rke2-node/default.nix
+++ b/systems/x86_64-vmware/rke2-node/default.nix
@@ -1,16 +1,46 @@
-{ pkgs, lib, modulesPath, ... }:
+{ pkgs, namespace, lib, modulesPath, ... }:
+let
+ inherit (lib.${namespace}) enabled;
+in
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
+
config = {
reichard = {
- nix.enable = false;
+ nix = enabled;
+
+ system = {
+ boot = {
+ enable = true;
+ xenGuest = true;
+ };
+ };
+
+ services = {
+ openssh = enabled;
+ cloud-init = enabled;
+ rke2 = {
+ enable = true;
+ disable = [ "rke2-ingress-nginx" ];
+ };
+ openiscsi = {
+ enable = true;
+ symlink = true;
+ };
+ };
+
+ hardware = {
+ opengl = {
+ enable = true;
+ enableIntel = true;
+ };
+ };
};
# Basic System
system.stateVersion = "24.11";
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
time.timeZone = "UTC";
fileSystems."/" = {
@@ -19,41 +49,6 @@
autoResize = true;
};
- boot = {
- initrd = {
- availableKernelModules = [
- # Xen
- "xen_blkfront"
- "xen_netfront"
- ];
- kernelModules = [ "xen_netfront" "xen_blkfront" ];
- supportedFilesystems = [ "ext4" "xenfs" ];
- };
- kernelModules = [
- # Xen VM Requirements
- "xen_netfront"
- "xen_blkfront"
- "xenfs"
-
- # iSCSI
- "iscsi_tcp"
- ];
- };
-
- # Add Intel Arc A310 GPU Drivers
- nixpkgs.config.allowUnfree = true;
- hardware.enableRedistributableFirmware = true;
- hardware.graphics = {
- enable = true;
- extraPackages = with pkgs; [
- libvdpau-va-gl
- intel-vaapi-driver
- intel-media-driver
- intel-compute-runtime
- intel-ocl
- ];
- };
-
# Network Configuration
networking = {
hostName = lib.mkForce "";
@@ -88,44 +83,6 @@
};
};
- services = {
- # Enable Xen Guest Utilities
- xe-guest-utilities.enable = true;
-
- # Enable iSCSI
- openiscsi = {
- enable = true;
- name = "iqn.2025.placeholder:initiator"; # Overridden @ Runtime
- };
-
- # Cloud Init
- cloud-init = {
- enable = true;
- network.enable = true;
- settings = {
- datasource_list = [ "NoCloud" ];
- preserve_hostname = false;
- system_info.distro = "nixos";
- system_info.network.renderers = [ "networkd" ];
- };
- };
-
- # Enable SSH
- openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin = "prohibit-password";
- };
- };
-
- # Enable RKE2
- rke2 = {
- enable = true;
- disable = [ "rke2-ingress-nginx" ];
- };
- };
-
systemd.services = {
# RKE2 - Wait Cloud Init
rke2-server = {
@@ -155,33 +112,11 @@
};
};
- # User Authorized Keys
- users.users.root = {
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr evan@reichard"
- ];
- hashedPassword = null;
- };
-
- # Add Symlinks Expected by Democratic
- system.activationScripts = {
- iscsi-initiator = ''
- mkdir -p /usr/bin
- ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm
- ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid
- '';
- };
-
# System Packages
environment = {
systemPackages = with pkgs; [
htop
- intel-gpu-tools
- k9s
- kubectl
- kubernetes-helm
nfs-utils
- openiscsi
tmux
vim
];