From e4d3620bf726c41a3d8fae861fd249cc411f441e Mon Sep 17 00:00:00 2001
From: Fern Garden
Date: Fri, 11 Jul 2025 12:35:02 +0800
Subject: [PATCH 1/3] Enable cross-compiling Raspberry Pi system.
---
 hosts/laptop/muskduck.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hosts/laptop/muskduck.nix b/hosts/laptop/muskduck.nix
index 511a951..b34de12 100644
--- a/hosts/laptop/muskduck.nix
+++ b/hosts/laptop/muskduck.nix
@@ -25,4 +25,6 @@ }; hardware.cpu.intel.updateMicrocode = true; + + boot.binfmt.emulatedSystems = ["aarch64-linux"]; }
From 92cef09d87baa04c71c2e8e425f75f81b4928afc Mon Sep 17 00:00:00 2001
From: Fern Garden
Date: Fri, 11 Jul 2025 12:35:33 +0800
Subject: [PATCH 2/3] Enable SSH server on all hosts. Add wheel group to nix trusted users.
---
 suites/common.nix | 20 ++++++++++++++++++++
 suites/server.nix | 14 +-------------
 2 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/suites/common.nix b/suites/common.nix
index c5ee193..ccc900d 100644
--- a/suites/common.nix
+++ b/suites/common.nix
@@ -16,6 +16,9 @@ with lib; { "flakes" ]; + # Add @wheel to trusted-users for remote deployments. + nix.settings.trusted-users = ["root" "@wheel"]; + # Set $NIX_PATH to flake input. nix.nixPath = ["nixpkgs=${nixpkgs}"];
@@ -60,6 +63,12 @@ with lib; { "wheel" "networkmanager" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzW4epTmK01kGVXcuAXUNJQPltnogf4uab9FA5m8S3n fern@pardalote" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEJYq1fMxVOzCMfE/td6DtWS8nUk76U9seYD3Z9RYAz u0_a399@fairywren" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC" + ]; }; # Use fish shell
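Review bot: The new `boot.binfmt.emulatedSystems = ["aarch64-linux"];` line carries no comment, so the only record of why it exists is the commit title, and it has a side effect worth writing down: a binfmt_misc registration means any aarch64 ELF on this laptop now executes transparently under qemu-user, not only Nix builds. Suggest `# Register a qemu-user binfmt for aarch64 so the Raspberry Pi configuration can be built on this host; note this makes any aarch64 ELF runnable here.` above it.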
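Review bot: `nix.settings.trusted-users = ["root" "@wheel"];` makes every wheel member effectively root through nix-daemon (trusted users can add substituters, import unsigned store paths and change sandbox settings), and because it sits in `suites/common.nix` it applies to every host, not only the ones being deployed to. The added comment states the motivation but not the trade-off; `# @wheel is root-equivalent via nix-daemon; needed so the deploy user can push closures to this host.` would make the choice visible to the next reader. If only some hosts are deploy targets, scoping the setting to those hosts, or to a dedicated deploy user instead of the whole group, narrows it.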
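Review bot: The four `openssh.authorizedKeys.keys` entries now land on every host that imports `suites/common.nix`, laptops included, whereas this same list previously lived only in `suites/server.nix`; a compromise of any one of those devices (the `u0_a399@fairywren` entry looks like an Android/Termux key) therefore opens an SSH login on all of them. The list also says nothing about what the keys are for or when to prune them. Suggest `# SSH keys accepted on every host (deployment and interactive); drop an entry here as soon as that device is lost or replaced.` above the list, and per-host lists instead if some hosts never need inbound SSH from all of these.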
@@ -123,6 +132,9 @@ with lib; { ''; }; + # https://discourse.nixos.org/t/slow-build-at-building-man-cache/52365/2 + documentation.man.generateCaches = false; + # Install some packages. programs = { git.enable = true;
@@ -285,9 +297,17 @@ with lib; { yazi ]; + # Enable SSH server. + services.openssh.enable = true; + # Enable avahi hostname resolution. services.avahi = { enable = true; nssmdns4 = true; + publish = { + enable = true; + addresses = true; + domain = true; + }; }; }
diff --git a/suites/server.nix b/suites/server.nix
index 1f6af57..762cc11 100644
--- a/suites/server.nix
+++ b/suites/server.nix
@@ -10,19 +10,7 @@ with lib; { # Enable all terminfo (for ghostty). environment.enableAllTerminfo = true; - # Enable SSH server. - services.openssh.enable = true; - - users.users.${user} = { - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzW4epTmK01kGVXcuAXUNJQPltnogf4uab9FA5m8S3n fern@pardalote" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEJYq1fMxVOzCMfE/td6DtWS8nUk76U9seYD3Z9RYAz u0_a399@fairywren" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC" - ]; - extraGroups = mkIf (user == "docker") ["docker"]; - }; - # Enable docker. virtualisation.docker.enable = mkIf (user == "docker") true; + users.users.${user}.extraGroups = mkIf (user == "docker") ["docker"]; }
From 7e18add7eabfb182eaab8c448a54a964fdca9a61 Mon Sep 17 00:00:00 2001
From: Fern Garden
Date: Fri, 11 Jul 2025 12:36:07 +0800
Subject: [PATCH 3/3] deploy-rs configuration
---
 flake.lock | 106 +++++++++++++++++++++++++++++++++++++++++++++++-----
 flake.nix | 9 +++--
 helpers.nix | 12 +++++-
 3 files changed, 112 insertions(+), 15 deletions(-)
diff --git a/flake.lock b/flake.lock
index 3f8112b..b38e475 100755
--- a/flake.lock
+++ b/flake.lock
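Review bot: `services.openssh.enable = true;` is now on for every host, but nothing in the hunk turns off NixOS's default password authentication, so each host (laptops included) will accept password logins on port 22, which `services.openssh.enable` also opens in the firewall by default; with keys provisioned for the user on every host this is needless exposure. Suggest adding `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` beside it. The new avahi `publish` block advertises each host's hostname and addresses on every network it joins, which is presumably what `.local` deployment relies on; a comment such as `# Publish hostname/addresses over mDNS so <host>.local resolves for deployment.` would tie the two together for the reader.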
@@ -15,6 +15,26 @@ "type": "github" } }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1749105467, + "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "6bc76b872374845ba9d645a2f012b764fecd765f", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, "feishin-0_17_0": { "locked": { "lastModified": 1751534869, @@ -32,6 +52,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1747046372, @@ -91,7 +127,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -176,9 +212,9 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" }, @@ -212,6 +248,22 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1743014863, + "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1751203939, "narHash": "sha256-omYD+H5LlSihz2DRfv90I8Oeo7JNEwvcHPHX+6nMIM4=", 
@@ -227,7 +279,7 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1751741127, "narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=", @@ -243,7 +295,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1751786137, "narHash": "sha256-lIlUKVGCGsh0Q2EA7/6xRtKUZjaQ/ur8uUyY+MynHXQ=", @@ -259,7 +311,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1744868846, "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", @@ -278,9 +330,9 @@ "nixvim": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nuschtosSearch": "nuschtosSearch", - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1752099138, @@ -347,11 +399,12 @@ }, "root": { "inputs": { + "deploy-rs": "deploy-rs", "feishin-0_17_0": "feishin-0_17_0", "fluffychat-2_0_0": "fluffychat-2_0_0", "lanzaboote": "lanzaboote", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixvim": "nixvim", "secrets": "secrets", "sops-nix": "sops-nix" @@ -397,7 +450,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1751606940, 
@@ -442,6 +495,39 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index a9adae3..107aea0 100755
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; # Stable nixpkgs. + deploy-rs.url = "github:serokell/deploy-rs"; lanzaboote.url = "github:nix-community/lanzaboote"; # Secure boot. nixos-hardware.url = "github:NixOS/nixos-hardware"; # Hardware specific config. sops-nix.url = "github:Mic92/sops-nix"; # Secrets management.
@@ -46,10 +47,10 @@ ]; }) - (mkHost "docker" { - suite = "vm"; - user = "docker"; - }) + # (mkHost "docker" { + # suite = "vm"; + # user = "docker"; + # }) (mkHost "minecraft" { suite = "vm";
diff --git a/helpers.nix b/helpers.nix
index 991c633..6808817 100644
--- a/helpers.nix
+++ b/helpers.nix
@@ -1,6 +1,7 @@ inputs: with inputs; -with inputs.nixpkgs.lib; { +with inputs.nixpkgs.lib; let +in { mergeHosts = lists.foldl' ( a: b: attrsets.recursiveUpdate a b ) {};
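Review bot: `deploy-rs.url` is added without `deploy-rs.inputs.nixpkgs.follows = "nixpkgs";`, and the lock in this same patch shows the result: a separate `nixpkgs-unstable` entry (lastModified 1743014863, older than the `nixos-25.05` tree the hosts use) is pulled in only for deploy-rs, together with its own `flake-compat` and `utils`. Pinning it to the flake's nixpkgs keeps one nixpkgs to audit and update, and avoids building the deploy tooling against a second, older tree. The lock shows lanzaboote, nixvim and sops-nix each carrying their own nixpkgs as well, so this continues an existing pattern rather than starting it, but deploy-rs is the input whose output runs as root on every target, so it is the one most worth pinning.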
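Review bot: Commenting out the `docker` host leaves dead code in the host list rather than a decision; if the VM is retired, delete the block (history keeps it), and if it is only temporarily excluded, a one-line comment saying why would spare the next reader a guess. The `mkIf (user == "docker")` branches that patch 2 keeps in `suites/server.nix` have no live host while this stays commented out.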
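Review bot: `with inputs.nixpkgs.lib; let` followed directly by `in {` binds nothing, so the `let` is scaffolding rather than code; either restore the plain `with inputs.nixpkgs.lib; {` or give it the bindings the new `deploy.nodes` block needs (the target system, say) so it earns its place. Nix accepts an empty `let … in`, so this is about readability, not evaluation.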
@@ -53,5 +54,14 @@ with inputs.nixpkgs.lib; { ++ (filesystem.listFilesRecursive ./modules) ++ extraModules; }; + + deploy.nodes.${hostname} = { + hostname = "${hostname}.local"; + profiles.system = { + user = "root"; + sshUser = user; + path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${hostname}; + }; + }; }; }
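Review bot: `path = deploy-rs.lib.x86_64-linux.activate.nixos …` hard-codes the target architecture for every node built through this helper, yet patch 1 of this series sets up aarch64 emulation specifically to build a Raspberry Pi system; deploy-rs's `lib.<system>` has to match the system the activation script runs on, so an aarch64 node cannot be activated through this entry as written. If mkHost already knows the host's system, use it here (`deploy-rs.lib.${system}.activate.nixos`); otherwise it needs a parameter. Separately, `hostname = "${hostname}.local"` resolves through unauthenticated mDNS and the profile is then activated as `root` (via sudo, since `sshUser` is `user`) on whichever machine answers, so SSH host-key verification is the only thing binding a deploy to the intended host; a comment such as `# .local resolves via mDNS; the SSH host-key check is what prevents deploying to a spoofed responder.` would record that dependency. The enclosing mkHost function starts outside the hunk.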