machines/flexy: Add New System

.gitmodules

@@ -7,3 +7,7 @@
 [submodule "vendor/ragenix"]
 	path = vendor/ragenix
 	url = [email protected]:NiXium-org/ragenix.git
+[submodule "vendor/gjs-osk"]
+	path = vendor/gjs-osk
+	url = [email protected]:Kreyren/gjs-osk.git
+	branch = central

config/machine-derivations.conf

@@ -1,5 +1,6 @@
 # Declare which system derivation should be used for which machine
 
+flexy nixos-flexy-stable
 ignucius nixos-ignucius-stable
 morph nixos-morph-stable
 mracek nixos-mracek-stable

src/nixos/default.nix

@@ -49,12 +49,6 @@ in {
 				nixosModules.system-time
 				nixosModules.system-wifi
 
-				nixosModules.machine-ignucius
-				nixosModules.machine-morph
-				nixosModules.machine-mracek
-				nixosModules.machine-sinnenfreude
-				nixosModules.machine-tupac
-
 				# {
 				# 	sops.defaultSopsFile = ./.sops.yaml;
 				# }

src/nixos/machines/default.nix

@@ -1,5 +1,6 @@
 {
 	imports = [
+		./flexy
 		./ignucius
 		./morph
 		./mracek

src/nixos/machines/flexy/README.md

@@ -0,0 +1,23 @@
+# Mráááček! :3
+
+Named after the diminutive of Czech word 'mrak' meaning 'cloud' and used for cloud computing.
+
+Role: Always-on control and fallback server
+
+## Services
+
+* [ ] VaultWarden
+* [X] Vikunja
+* [X] Tor
+* [X] Monero-node
+* [ ] Nextcloud
+
+To Be Considered
+* [ ] PrivateBin?
+* [ ] Lokinet
+* [ ] Conduit, Blocked by https://github.com/element-hq/synapse/issues/7088
+
+## ToDo
+
+* [ ] Figure out backups
+* [ ] Perform automated and scheduled maintanances to get a report on the hardware state of the device to ensure it's stable capability

src/nixos/machines/flexy/config/bootloader.nix

@@ -0,0 +1,10 @@
+{ ... }:
+
+# Bootloader management of FLEXY
+
+{
+	boot.lanzaboote.enable = false; # Whether to use NixOS's implementation of secure-boot
+	boot.loader.systemd-boot.enable = true;
+
+	boot.loader.efi.canTouchEfiVariables = true;
+}

src/nixos/machines/flexy/config/disks.nix

@@ -0,0 +1,237 @@
+{ config, lib, ... }:
+
+# Nix-based Disk Management of FLEXY with disko and impermenance on tmpfs
+
+# Formatting strategy:
+#    Table: GPT
+#    2048 - 1050623 (1048576) -- 512M EFI System
+#    1050624 - 479145983 (478095360) -- -10G nix store BTRFS
+#    479145984 - 500117503 (20971520) -- 100% Encrypted swap
+
+let
+	inherit (lib) mkMerge;
+
+	diskoDevice = "/dev/disk/by-id/nvme-UMIS_RPJTJ256MEE1OWX_SS0W76181Z1CD11J23ED";
+in mkMerge [
+	{
+		age.secrets.flexy-disks-password.file = ../secrets/flexy-disks-password.age; # Supply password for disk encryption
+	}
+
+	# FIXME(Krey): Causes infinite recursion, no idea why
+	# (if (config.boot.impermenance.enable == true) then {
+	(if (true) then {
+		age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; # Change the identity path to use our disko path
+
+		fileSystems."/nix/persist/system".neededForBoot = true;
+
+		# FIXME(Krey): Figure out how to do labels
+		disko.devices = {
+			nodev."/" = {
+				fsType = "tmpfs";
+				mountOptions = [
+					"size=1G"
+					"defaults"
+					"mode=755"
+				];
+			};
+
+			disk = {
+				system = {
+					device = diskoDevice;
+					type = "disk";
+					# imageSize = "50G"; # Size of the generated image
+					content = {
+						type = "gpt";
+						partitions = {
+
+							boot = {
+								priority = 1; # Needs to be first partition
+								type = "EF00"; # EFI System Partition/
+								size = "512M";
+								content = {
+									type = "filesystem";
+									format = "vfat"; # FAT32
+									# SECURITY(Krey): Required since systemd 254, to not make the random-seed file writtable by default
+									# * https://github.com/nix-community/disko/issues/527#issuecomment-1924076948
+									# * https://discourse.nixos.org/t/nixos-install-with-custom-flake-results-in-boot-being-world-accessible/34555/14
+									mountOptions = [ "umask=0077" ];
+									mountpoint = "/boot";
+								};
+							};
+
+							store = {
+								priority = 3;
+								size = "100%";
+								content = {
+									name = "store";
+									type = "luks";
+									settings.allowDiscards = true;
+
+									passwordFile = config.age.secrets.flexy-disks-password.path;
+
+									initrdUnlock = true; # Add a boot.initrd.luks.devices entry for the specified disk
+
+									extraFormatArgs = [
+										"--use-random" # use true random data from /dev/random, will block until enough entropy is available
+										"--label=CRYPT_NIX"
+									];
+
+									extraOpenArgs = [
+										"--timeout 10"
+									];
+
+									content = {
+										type = "btrfs";
+										extraArgs = [ "--label NIX_STORE" ];
+										subvolumes = {
+											"@nix" = {
+												mountpoint = "/nix";
+												mountOptions = [ "compress=lzo" "noatime" ];
+											};
+											"@persist" = {
+												mountpoint = "/nix/persist/system";
+												mountOptions = [ "compress=lzo" "noatime" ];
+											};
+										};
+									};
+								};
+							};
+
+							swap = {
+								priority = 2;
+								size = "10G";
+								content = {
+									name = "swap";
+									type = "luks";
+
+									settings.allowDiscards = true;
+
+									passwordFile = config.age.secrets.flexy-disks-password.path;
+
+									initrdUnlock = true; # Add a boot.initrd.luks.devices entry for the specified disk
+
+									extraFormatArgs = [
+										"--use-random" # use true random data from /dev/random, will block until enough entropy is available
+										"--label=CRYPT_SWAP"
+									];
+
+									extraOpenArgs = [
+										"--timeout 10"
+									];
+
+									content = {
+										# FIXME-QA(Krey): Add label 'SWAP'
+										type = "swap";
+										resumeDevice = true; # resume from hiberation from this device
+
+										extraArgs = [
+											"--label SWAP"
+										];
+									};
+								};
+							};
+						};
+					};
+				};
+			};
+		};
+	} else {
+		age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # Change the identity path to use our disko path
+
+		disk = {
+			system = {
+				device = diskoDevice;
+				type = "disk";
+				# imageSize = "50G"; # Size of the generated image
+				content = {
+					type = "gpt";
+					partitions = {
+
+						boot = {
+							priority = 1; # Needs to be first partition
+							type = "EF00"; # EFI System Partition/
+							size = "512M";
+							content = {
+								type = "filesystem";
+								format = "vfat"; # FAT32
+								mountpoint = "/boot";
+							};
+						};
+
+						store = {
+							priority = 3;
+							size = "100%";
+							content = {
+								name = "store";
+								type = "luks";
+								settings.allowDiscards = true;
+
+								passwordFile = config.age.secrets.flexy-disks-password.path;
+
+								initrdUnlock = true; # Add a boot.initrd.luks.devices entry for the specified disk
+
+								extraFormatArgs = [
+									"--use-random" # use true random data from /dev/random, will block until enough entropy is available
+									"--label=CRYPT_NIX"
+								];
+
+								extraOpenArgs = [
+									"--timeout 10"
+								];
+
+								content = {
+									type = "btrfs";
+									extraArgs = [ "--label NIX_STORE" ];
+									subvolumes = {
+										"@nix" = {
+											mountpoint = "/nix";
+											mountOptions = [ "compress=lzo" "noatime" ];
+										};
+										"@persist" = {
+											mountpoint = "/nix/persist/system";
+											mountOptions = [ "compress=lzo" "noatime" ];
+										};
+									};
+								};
+							};
+						};
+
+						swap = {
+							priority = 2;
+							size = "10G";
+							content = {
+								name = "swap";
+								type = "luks";
+
+								settings.allowDiscards = true;
+
+								passwordFile = config.age.secrets.flexy-disks-password.path;
+
+								initrdUnlock = true; # Add a boot.initrd.luks.devices entry for the specified disk
+
+								extraFormatArgs = [
+									"--use-random" # use true random data from /dev/random, will block until enough entropy is available
+									"--label=CRYPT_SWAP"
+								];
+
+								extraOpenArgs = [
+									"--timeout 10"
+								];
+
+								content = {
+									# FIXME-QA(Krey): Add label 'SWAP'
+									type = "swap";
+									resumeDevice = true; # resume from hiberation from this device
+
+									extraArgs = [
+										"--label SWAP"
+									];
+								};
+							};
+						};
+					};
+				};
+			};
+		};
+	})
+]

src/nixos/machines/flexy/config/firmware.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+# Firmware management of FLEXY
+
+{
+	services.fwupd.enable = true; # Use FWUP daemon to keep firmware files up-to-date
+}

src/nixos/machines/flexy/config/hardware-acceleration.nix

@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+
+# Hardware-acceleration management of FLEXY
+
+# dGPU: AMD ATI Radeon RX Vega 6
+
+{
+	"24.05" = {
+		# The option was renamed on `hardware.graphics` in NixOS 24.11+
+		hardware.opengl = {
+			enable = true;
+			driSupport = true;
+			driSupport32Bit = true;
+		};
+	};
+
+	"24.11" = {
+		hardware.graphics.enable = true;
+		hardware.graphics.enable32Bit = true;
+	};
+}."${lib.trivial.release}" or (throw "Release is not implemented: ${lib.trivial.release}")

src/nixos/machines/flexy/config/initrd.nix

@@ -0,0 +1,18 @@
+{ ... }:
+
+# InitRD Management of FLEXY
+
+{
+	# InitRD Kernel Modules
+	boot.initrd.availableKernelModules = [
+		# Auto-Generated
+		"nvme"
+		"xhci_pci"
+		"rtsx_pci_sdmmc"
+	];
+	boot.initrd.kernelModules = [ ];
+
+	boot.initrd.includeDefaultModules = true; # Has to be set to true to be able to input decrypting password
+
+	boot.initrd.systemd.enable = true;
+}

src/nixos/machines/flexy/config/kernel.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+# Kernel Management of FLEXY
+
+{
+	boot.kernelModules = [
+		"kvm-amd" # Use KVM
+	];
+}

src/nixos/machines/flexy/config/networking.nix

@@ -0,0 +1,13 @@
+{ lib, ... }:
+
+# Networking Management of FLEXY
+
+let
+	inherit (lib) mkForce;
+in {
+	networking.interfaces.wlp2s0.useDHCP = true; # Use DHCP on the main WiFi adapter
+
+	# Always use network manager for convinience
+	# FIXME-QA(Krey): Set to false by `/nixos/modules/services/networking/networkmanager.nix`, better management needed
+	networking.networkmanager.enable = mkForce true;
+}