Migrate to Snowfall (#1)

Reviewed-on: #1
Co-authored-by: Evan Reichard <evan@reichard.io>
Co-committed-by: Evan Reichard <evan@reichard.io>

modules/nixos/services/avahi/default.nix

@@ -0,0 +1,33 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.services.avahi;
+in
+{
+  options.${namespace}.services.avahi = {
+    enable = lib.mkEnableOption "Avahi";
+  };
+
+  config = mkIf cfg.enable {
+    services.avahi = {
+      enable = true;
+      nssmdns4 = true;
+      openFirewall = true;
+      publish = {
+        enable = true;
+        addresses = true;
+        domain = true;
+        hinfo = true;
+        userServices = true;
+        workstation = true;
+      };
+    };
+
+    # Cloud Init
+    systemd.services.avahi-daemon = mkIf config.${namespace}.services.cloud-init.enable {
+      after = [ "cloud-final.service" ];
+      requires = [ "cloud-final.service" ];
+    };
+  };
+}

modules/nixos/services/cloud-init/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.services.cloud-init;
+in
+{
+  options.${namespace}.services.cloud-init = {
+    enable = lib.mkEnableOption "Enable Cloud-Init";
+  };
+
+  config = mkIf cfg.enable {
+    services.cloud-init = {
+      enable = true;
+      network.enable = true;
+      settings = {
+        datasource_list = [ "NoCloud" ];
+        preserve_hostname = false;
+        system_info = {
+          distro = "nixos";
+          network.renderers = [ "networkd" ];
+        };
+      };
+    };
+    networking.hostName = lib.mkForce "";
+  };
+}

modules/nixos/services/openiscsi/default.nix

@@ -0,0 +1,57 @@
+{ config, pkgs, lib, namespace, host, ... }:
+let
+  inherit (lib) types mkIf;
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
+
+  cfg = config.${namespace}.services.openiscsi;
+  cloudInitEnabled = config.${namespace}.services.cloud-init.enable;
+in
+{
+  options.${namespace}.services.openiscsi = {
+    enable = lib.mkEnableOption "Open iSCSI support";
+    name = mkOpt types.str "iqn.2025.reichard.io:${host}" "iSCSI name";
+    symlink = mkBoolOpt false "Create a symlink to the iSCSI binaries";
+  };
+
+  config = mkIf cfg.enable {
+    boot.kernelModules = [ "iscsi_tcp" "libiscsi" "scsi_transport_iscsi" ];
+
+    services.openiscsi = {
+      enable = true;
+      name = cfg.name;
+    };
+
+    environment.systemPackages = with pkgs; [
+      openiscsi
+    ];
+
+    # Predominately used for RKE2 & Democratic CSI
+    system.activationScripts.iscsi-symlink = mkIf cfg.symlink ''
+      mkdir -p /usr/bin
+      ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm
+      ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid
+    '';
+
+    # Cloud Init Compatibility
+    environment.etc."iscsi/initiatorname.iscsi".enable = mkIf cloudInitEnabled false;
+    systemd.services.iscsi-initiator-setup = mkIf cloudInitEnabled {
+      description = "Setup iSCSI Initiator Name";
+      requires = [ "cloud-final.service" ];
+      before = [ "iscsid.service" ];
+      after = [ "cloud-final.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+
+      path = [ pkgs.hostname pkgs.util-linux ];
+      script = ''
+        mkdir -p /run/iscsi
+        echo "InitiatorName=iqn.2025.org.nixos:$(hostname)" > /run/iscsi/initiatorname.iscsi
+        mount --bind /run/iscsi/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
+      '';
+    };
+  };
+}

modules/nixos/services/openssh/default.nix

@@ -0,0 +1,80 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib)
+    types
+    mkDefault
+    mkIf
+    ;
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.services.openssh;
+
+  authorizedKeys = [
+    # evanreichard@lin-va-mbp-personal
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
+    # evanreichard@lin-va-thinkpad
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz"
+  ];
+in
+{
+  options.${namespace}.services.openssh = with types; {
+    enable = lib.mkEnableOption "OpenSSH support";
+    authorizedKeys = mkOpt (listOf str) authorizedKeys "The public keys to apply.";
+    extraConfig = mkOpt str "" "Extra configuration to apply.";
+  };
+
+  config = mkIf cfg.enable {
+    services.openssh = {
+      enable = true;
+
+      hostKeys = mkDefault [
+        {
+          bits = 4096;
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
+
+      openFirewall = true;
+      ports = [ 22 ];
+
+      settings = {
+        AuthenticationMethods = "publickey";
+        ChallengeResponseAuthentication = "no";
+        PasswordAuthentication = false;
+        PermitRootLogin = "prohibit-password";
+        PubkeyAuthentication = "yes";
+        StreamLocalBindUnlink = "yes";
+        UseDns = false;
+        UsePAM = true;
+        X11Forwarding = false;
+
+        KexAlgorithms = [
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group16-sha512"
+          "diffie-hellman-group18-sha512"
+          "diffie-hellman-group-exchange-sha256"
+          "sntrup761x25519-sha512@openssh.com"
+        ];
+
+        Macs = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+        ];
+      };
+
+      startWhenNeeded = true;
+    };
+
+    programs.ssh = {
+      startAgent = lib.mkDefault true;
+      inherit (cfg) extraConfig;
+    };
+
+    reichard = {
+      user.extraOptions.openssh.authorizedKeys.keys = cfg.authorizedKeys;
+    };
+  };
+}

modules/nixos/services/rke2/default.nix

@@ -0,0 +1,53 @@
+{ config, pkgs, lib, namespace, ... }:
+let
+  inherit (lib) types mkIf;
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
+
+  cfg = config.${namespace}.services.rke2;
+in
+{
+  options.${namespace}.services.rke2 = with types; {
+    enable = lib.mkEnableOption "Enable RKE2";
+    disable = mkOpt (listOf str) [ ] "Disable services";
+    openFirewall = mkBoolOpt true "Open firewall";
+  };
+
+  config = mkIf cfg.enable {
+    services.rke2 = {
+      enable = true;
+      disable = cfg.disable;
+    };
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
+      # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+      6443 # Kubernetes API
+      9345 # RKE2 supervisor API
+      2379 # etcd Client Port
+      2380 # etcd Peer Port
+      2381 # etcd Metrics Port
+      10250 # kubelet metrics
+      9099 # Canal CNI health checks
+
+      # MetalLB
+      7946 # memberlist
+    ];
+
+    environment.systemPackages = with pkgs; [ nfs-utils ];
+
+    networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [
+      # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+      8472 # Canal CNI with VXLAN
+      # 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
+      # 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
+
+      # MetalLB
+      7946 # memberlist
+    ];
+
+    # Cloud Init
+    systemd.services.rke2-server = mkIf config.${namespace}.services.cloud-init.enable {
+      after = [ "cloud-final.service" ];
+      requires = [ "cloud-final.service" ];
+    };
+  };
+}

modules/nixos/services/ydotool/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.services.ydotool;
+in
+{
+  options.${namespace}.services.ydotool = {
+    enable = lib.mkEnableOption "ydotool";
+  };
+
+  config = mkIf cfg.enable {
+    reichard.user.extraGroups = [ "input" ];
+    programs.ydotool = {
+      enable = true;
+      group = "input";
+    };
+  };
+}