From ec7ec5112c15550d2f05cce49a87bad968c620a3 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sun, 12 Oct 2025 19:20:07 -0700
Subject: make the remote unlock bits a nix module

Move all the hardware configuration for rivendell into the default.nix.
---
 flake/hosts.nix | 12 ++++++
 machines/nixos/x86_64-linux/rivendell/default.nix | 45 ++++++++++++----------
 .../rivendell/hardware-configuration.nix | 38 ------------------
 modules/nixos/default.nix | 1 +
 modules/nixos/remote-unlock.nix | 31 +++++++++++++++
 5 files changed, 68 insertions(+), 59 deletions(-)
 delete mode 100644 machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix
 create mode 100644 modules/nixos/remote-unlock.nix

diff --git a/flake/hosts.nix b/flake/hosts.nix
index fe23cdd..2739051 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -227,6 +227,18 @@ in
 allowLocalDeployment = false;
 };
 };
+ rivendell =
+ { name, ... }:
+ {
+ imports = [ ../machines/nixos/x86_64-linux/${name} ];
+ deployment = {
+ tags = [ "bm" ];
+ targetHost = "rivendell";
+ targetUser = "fcuny";
+ buildOnTarget = true;
+ allowLocalDeployment = false;
+ };
+ };
 };
 };
}
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
index 8c71cbf..8e54b4c 100644
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -2,12 +2,15 @@
 lib,
 adminUser,
 config,
+ modulesPath,
+ inputs,
 ...
 }:
 {
 imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
 ./disks.nix
- ./hardware-configuration.nix
 {
 home-manager.users.${adminUser.name} = {
 imports = [
@@ -18,9 +21,27 @@ } ]; + services.fwupd.enable = true; + hardware.enableRedistributableFirmware = true; + + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "thunderbolt" + "usbhid" + "usb_storage" + "sd_mod" + "r8169" # ethernet driver + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; boot.loader.efi.canTouchEfiVariables = true; boot.loader.systemd-boot.enable = true; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + networking.hostName = "rivendell"; networking.useDHCP = lib.mkDefault true; systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP; @@ -36,27 +57,9 @@ group = "nogroup"; }; - boot.kernelParams = [ - "ip=dhcp" - ]; - - boot.initrd.network = { - enable = true; - postCommands = "echo 'cryptsetup-askpass' >> /root/.profile"; - flushBeforeStage2 = true; - ssh = { - enable = true; - port = 911; - hostKeys = [ - "/etc/initrd/ssh_host_ed25519_key" - ]; - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi" - ]; - }; - }; - nix.settings.trusted-users = [ "builder" ]; + my.modules.remote-unlock.enable = true; + system.stateVersion = "23.11"; # Did you read the comment? } diff --git a/machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix b/machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix deleted file mode 100644 index 02de536..0000000 --- a/machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix +++ /dev/null 
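Review bot: The `"r8169" # ethernet driver` entry in `boot.initrd.availableKernelModules` is, as far as this diff shows, the only thing that gets a NIC up inside the initrd, and the remote-unlock module enabled further down in this file (`ip=dhcp` plus the initrd SSH server) depends on it without pulling in any driver of its own; if this line were ever dropped along with a NIC change, the host would presumably sit at the LUKS prompt unreachable over the network. The comment should state that coupling rather than just naming the driver, e.g. `"r8169" # ethernet driver; must stay in the initrd, my.modules.remote-unlock needs the NIC before stage 2`. The enclosing attribute set starts and ends outside the hunk.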
@@ -1,38 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- inputs,
- lib,
- modulesPath,
- ...
-}:
-
-{
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
- ];
-
- services.fwupd.enable = true;
- hardware.enableRedistributableFirmware = true;
-
- boot.initrd.availableKernelModules = [
- "nvme"
- "xhci_pci"
- "thunderbolt"
- "usbhid"
- "usb_storage"
- "sd_mod"
- "r8169" # ethernet driver
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 94348f6..47cf81e 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -6,6 +6,7 @@
 ./home-manager.nix
 ./nix.nix
 ./podman.nix
+ ./remote-unlock.nix
 ./ssh.nix
 ./user.nix
 ];
diff --git a/modules/nixos/remote-unlock.nix b/modules/nixos/remote-unlock.nix
new file mode 100644
index 0000000..38b023d
--- /dev/null
+++ b/modules/nixos/remote-unlock.nix
@@ -0,0 +1,31 @@
+{ lib, config, ... }:
+let
+ cfg = config.my.modules.remote-unlock;
+in
+{
+ options.my.modules.remote-unlock = with lib; {
+ enable = mkEnableOption "remote unlock";
+ };
+
+ config = lib.mkIf cfg.enable {
+ boot.kernelParams = [
+ "ip=dhcp"
+ ];
+
+ boot.initrd.network = {
+ enable = true;
+ postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
+ flushBeforeStage2 = true;
+ ssh = {
+ enable = true;
+ port = 911;
+ hostKeys = [
+ "/etc/initrd/ssh_host_ed25519_key"
+ ];
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+ };
+ };
+ };
+}
-- cgit v1.2.3
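Review bot: The new module hard-codes a single personal public key and the listen port inside a shared `my.modules.*` module, so every host that sets `my.modules.remote-unlock.enable = true` accepts exactly that key in its pre-boot environment with no per-host way to narrow, add or rotate it. I would expose `port` and `authorizedKeys` as `mkOption`s with the current values as defaults (rivendell stays unchanged) and have the `ssh` block read `cfg.port` / `cfg.authorizedKeys`. The `hostKeys` path can stay fixed but deserves a comment: that key is presumably shipped inside the initrd on the unencrypted boot partition, so it should be distinct from the stage-2 host key and pinned separately by clients. The module also supplies `ip=dhcp` but no NIC driver for the initrd; the enabling host still has to list its ethernet module in `boot.initrd.availableKernelModules`, which is worth stating in the option description.
```nix
  options.my.modules.remote-unlock = with lib; {
    enable = mkEnableOption "remote unlock (initrd SSH + cryptsetup-askpass); the host must still put its NIC driver in boot.initrd.availableKernelModules";
    port = mkOption {
      type = types.port;
      default = 911;
      description = "Port the initrd SSH server listens on.";
    };
    authorizedKeys = mkOption {
      type = types.listOf types.str;
      default = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi" ];
      description = "SSH public keys allowed into the initrd to unlock the disks.";
    };
  };

  config = lib.mkIf cfg.enable {
    # … unchanged: boot.kernelParams, boot.initrd.network.{enable,postCommands,flushBeforeStage2} …
      ssh = {
        enable = true;
        port = cfg.port;
        # NOTE(review): presumably embedded in the initrd on /boot (unencrypted);
        # keep it separate from the stage-2 host key and pin it on the client side.
        hostKeys = [ "/etc/initrd/ssh_host_ed25519_key" ];
        authorizedKeys = cfg.authorizedKeys;
      };
```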