wip rke2

flake.nix

@@ -43,6 +43,13 @@
         };
       };
 
+      channels-config = {
+        allowUnfree = true;
+        permittedInsecurePackages = [
+          "intel-ocl-5.0-63503"
+        ];
+      };
+
       homes.modules = with inputs; [
         sops-nix.homeManagerModules.sops
       ];

modules/nixos/hardware/opengl/default.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, namespace, ... }:
 let
-  inherit (lib) mkIf;
+  inherit (lib) mkIf mkForce;
   inherit (lib.${namespace}) mkBoolOpt;
 
   cfg = config.${namespace}.hardware.opengl;
@@ -8,7 +8,7 @@ in
 {
   options.${namespace}.hardware.opengl = {
     enable = lib.mkEnableOption "support for opengl";
-    enable32Bit = mkBoolOpt false "enabel 32-bit";
+    enable32Bit = mkBoolOpt false "enable 32-bit";
     enableIntel = mkBoolOpt false "support for intel";
     enableNvidia = mkBoolOpt false "support for nvidia";
   };
@@ -19,8 +19,12 @@ in
       vdpauinfo
     ] ++ lib.optionals cfg.enableNvidia [
       nvtopPackages.full
+    ] ++ lib.optionals cfg.enableIntel [
+      intel-gpu-tools
     ];
 
+    # Add Intel Arc / Nvidia Drivers
+    hardware.enableRedistributableFirmware = cfg.enableIntel;
     hardware.graphics = {
       enable = true;
       enable32Bit = cfg.enable32Bit;

modules/nixos/nix/default.nix

@@ -1,5 +1,6 @@
 { config, lib, pkgs, namespace, host, ... }:
 let
+  inherit (lib) types mkIf;
   inherit (lib.${namespace}) mkBoolOpt mkOpt;
 
   cfg = config.${namespace}.nix;
@@ -7,10 +8,10 @@ in
 {
   options.${namespace}.nix = {
     enable = mkBoolOpt true "Whether or not to manage nix configuration.";
-    package = mkOpt lib.types.package pkgs.nixVersions.latest "Which nix package to use.";
+    package = mkOpt types.package pkgs.nixVersions.latest "Which nix package to use.";
   };
 
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
     nix =
       let
         users = [
@@ -23,11 +24,10 @@ in
       {
         inherit (cfg) package;
 
-        buildMachines = lib.optional (host != "nixos-builder") {
+        buildMachines = lib.optional (config.${namespace}.security.sops.enable && host != "nixos-builder") {
           hostName = "10.0.50.130";
           systems = [ "x86_64-linux" ];
           sshUser = "evanreichard";
-          speedFactor = 1;
           protocol = "ssh";
           sshKey = config.sops.secrets.builder_ssh_key.path;
           supportedFeatures = [
@@ -46,10 +46,6 @@ in
           options = "--delete-older-than 7d";
         };
 
-        # This will additionally add your inputs to the system's legacy channels
-        # # Making legacy nix commands consistent as well
-        nixPath = lib.mapAttrsToList (key: _: "${key}=flake:${key}") config.nix.registry;
-
         optimise.automatic = true;
 
         settings = {

modules/nixos/security/sops/default.nix

@@ -9,7 +9,7 @@ in
     enable = lib.mkEnableOption "sops";
     defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
     sshKeyPaths = mkOpt (with lib.types; listOf path) [
-      "/etc/ssh/ssh_host_ed25519_key"
+      # "/etc/ssh/ssh_host_ed25519_key"
     ] "SSH Key paths to use.";
   };
 

modules/nixos/services/cloud-init/default.nix

@@ -0,0 +1,26 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.services.cloud-init;
+in
+{
+  options.${namespace}.services.cloud-init = {
+    enable = lib.mkEnableOption "Enable Cloud-Init";
+  };
+
+  config = mkIf cfg.enable {
+    services.cloud-init = {
+      enable = true;
+      network.enable = true;
+      settings = {
+        datasource_list = [ "NoCloud" ];
+        preserve_hostname = false;
+        system_info = {
+          distro = "nixos";
+          network.renderers = [ "networkd" ];
+        };
+      };
+    };
+  };
+}

modules/nixos/services/openiscsi/default.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, lib, namespace, host, ... }:
+let
+  inherit (lib) types mkIf;
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.services.openiscsi;
+in
+{
+  options.${namespace}.services.openiscsi = {
+    enable = lib.mkEnableOption "Open iSCSI support";
+    name = mkOpt types.str "iqn.2025.reichard.io:${host}" "iSCSI name";
+    symlink = mkOpt types.bool false "Create a symlink to the iSCSI binaries";
+  };
+
+  config = mkIf cfg.enable {
+    boot.kernelModules = [ "iscsi_tcp" "libiscsi" "scsi_transport_iscsi" ];
+
+    services.openiscsi = {
+      enable = true;
+      name = cfg.name;
+    };
+
+    environment.systemPackages = with pkgs; [
+      openiscsi
+    ];
+
+    # Predominately used for RKE2 & Democratic CSI
+    system.activationScripts.iscsi-symlink = mkIf cfg.symlink ''
+      mkdir -p /usr/bin
+      ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm
+      ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid
+    '';
+  };
+}

modules/nixos/services/openssh/default.nix

@@ -1,4 +1,4 @@
-{ config, format, lib, namespace, ... }:
+{ config, lib, namespace, ... }:
 let
   inherit (lib)
     types
@@ -40,7 +40,7 @@ in
         AuthenticationMethods = "publickey";
         ChallengeResponseAuthentication = "no";
         PasswordAuthentication = false;
-        PermitRootLogin = if format == "install-iso" then "yes" else "no";
+        PermitRootLogin = "prohibit-password";
         PubkeyAuthentication = "yes";
         StreamLocalBindUnlink = "yes";
         UseDns = false;

modules/nixos/services/rke2/default.nix

@@ -0,0 +1,20 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) types mkIf;
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.services.rke2;
+in
+{
+  options.${namespace}.services.rke2 = with types; {
+    enable = lib.mkEnableOption "Enabel RKE2";
+    disable = mkOpt (listOf str) [ ] "Disable services";
+  };
+
+  config = mkIf cfg.enable {
+    services.rke2 = {
+      enable = true;
+      disable = cfg.disable;
+    };
+  };
+}

modules/nixos/system/boot/default.nix

@@ -43,11 +43,9 @@ in
       };
 
       initrd = mkIf cfg.xenGuest {
-        availableKernelModules = [ "xen_blkfront" "xen_netfront" ];
         kernelModules = [ "xen_netfront" "xen_blkfront" ];
-        supportedFilesystems = [ "ext4" "xenfs" ];
+        supportedFilesystems = [ "xenfs" ];
       };
-
       kernelModules = mkIf cfg.xenGuest [ "xen_netfront" "xen_blkfront" "xenfs" ];
     };
   };

systems/x86_64-vmware/rke2-node/default.nix

@@ -1,16 +1,46 @@
-{ pkgs, lib, modulesPath, ... }:
+{ pkgs, namespace, lib, modulesPath, ... }:
+let
+  inherit (lib.${namespace}) enabled;
+in
 {
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
+
   config = {
     reichard = {
-      nix.enable = false;
+      nix = enabled;
+
+      system = {
+        boot = {
+          enable = true;
+          xenGuest = true;
+        };
+      };
+
+      services = {
+        openssh = enabled;
+        cloud-init = enabled;
+        rke2 = {
+          enable = true;
+          disable = [ "rke2-ingress-nginx" ];
+        };
+        openiscsi = {
+          enable = true;
+          symlink = true;
+        };
+      };
+
+      hardware = {
+        opengl = {
+          enable = true;
+          enableIntel = true;
+        };
+      };
     };
 
     # Basic System
     system.stateVersion = "24.11";
-    nix.settings.experimental-features = [ "nix-command" "flakes" ];
     time.timeZone = "UTC";
 
     fileSystems."/" = {
@@ -19,41 +49,6 @@
       autoResize = true;
     };
 
-    boot = {
-      initrd = {
-        availableKernelModules = [
-          # Xen
-          "xen_blkfront"
-          "xen_netfront"
-        ];
-        kernelModules = [ "xen_netfront" "xen_blkfront" ];
-        supportedFilesystems = [ "ext4" "xenfs" ];
-      };
-      kernelModules = [
-        # Xen VM Requirements
-        "xen_netfront"
-        "xen_blkfront"
-        "xenfs"
-
-        # iSCSI
-        "iscsi_tcp"
-      ];
-    };
-
-    # Add Intel Arc A310 GPU Drivers
-    nixpkgs.config.allowUnfree = true;
-    hardware.enableRedistributableFirmware = true;
-    hardware.graphics = {
-      enable = true;
-      extraPackages = with pkgs; [
-        libvdpau-va-gl
-        intel-vaapi-driver
-        intel-media-driver
-        intel-compute-runtime
-        intel-ocl
-      ];
-    };
-
     # Network Configuration
     networking = {
       hostName = lib.mkForce "";
@@ -88,44 +83,6 @@
       };
     };
 
-    services = {
-      # Enable Xen Guest Utilities
-      xe-guest-utilities.enable = true;
-
-      # Enable iSCSI
-      openiscsi = {
-        enable = true;
-        name = "iqn.2025.placeholder:initiator"; # Overridden @ Runtime
-      };
-
-      # Cloud Init
-      cloud-init = {
-        enable = true;
-        network.enable = true;
-        settings = {
-          datasource_list = [ "NoCloud" ];
-          preserve_hostname = false;
-          system_info.distro = "nixos";
-          system_info.network.renderers = [ "networkd" ];
-        };
-      };
-
-      # Enable SSH
-      openssh = {
-        enable = true;
-        settings = {
-          PasswordAuthentication = false;
-          PermitRootLogin = "prohibit-password";
-        };
-      };
-
-      # Enable RKE2
-      rke2 = {
-        enable = true;
-        disable = [ "rke2-ingress-nginx" ];
-      };
-    };
-
     systemd.services = {
       # RKE2 - Wait Cloud Init
       rke2-server = {
@@ -155,33 +112,11 @@
       };
     };
 
-    # User Authorized Keys
-    users.users.root = {
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr evan@reichard"
-      ];
-      hashedPassword = null;
-    };
-
-    # Add Symlinks Expected by Democratic
-    system.activationScripts = {
-      iscsi-initiator = ''
-        mkdir -p /usr/bin
-        ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm
-        ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid
-      '';
-    };
-
     # System Packages
     environment = {
       systemPackages = with pkgs; [
         htop
-        intel-gpu-tools
-        k9s
-        kubectl
-        kubernetes-helm
         nfs-utils
-        openiscsi
         tmux
         vim
       ];