feat: modularize hetzner-cloud and odroid-n2plus hardware

2025-10-10 23:00:39 +02:00 · 2023-05-31 16:34:13 +02:00 · 2023-05-31 16:34:13 +02:00 · 6672846d59
commit 6672846d59
parent 61d582f033
11 changed files with 79 additions and 35 deletions
--- a/hosts/common/bios-boot.nix
+++ b/hosts/common/bios-boot.nix
@ -0,0 +1,10 @@
+{lib, ...}: {
+  boot.loader = {
+    grub = {
+      enable = true;
+      efiSupport = false;
+    };
+    timeout = lib.mkDefault 2;
+  };
+  console.earlySetup = true;
+}
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@ -1,10 +1,10 @@
 {
+  config,
  extraLib,
  inputs,
  lib,
-  nodeName,
  nodePath,
-  options,
+  pkgs,
  ...
 }: {
  # IP address math library
@ -290,7 +290,14 @@
  };

  boot = {
-    initrd.systemd.enable = true;
+    initrd.systemd = {
+      enable = true;
+      emergencyAccess = config.repo.secrets.global.root.hashedPassword;
+      # TODO good idea? targets.emergency.wants = ["network.target" "sshd.service"];
+      extraBin = with pkgs; {
+        ip = "${iproute2}/bin/ip";
+      };
+    };

    # Add "rd.systemd.unit=rescue.target" to debug initrd
    kernelParams = ["log_buf_len=10M"];
--- a/hosts/common/hardware/hetzner-cloud.nix
+++ b/hosts/common/hardware/hetzner-cloud.nix
@ -0,0 +1,3 @@
+{
+  boot.initrd.availableKernelModules = ["virtio_pci" "virtio_net" "virtio_scsi" "virtio_blk"];
+}
--- a/hosts/common/hardware/odroid-n2plus.nix
+++ b/hosts/common/hardware/odroid-n2plus.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  config,
+  nixos-hardware,
+  pkgs,
+  ...
+}: {
+  imports = [
+    nixos-hardware.common-pc-ssd
+    ./physical.nix
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "usbhid"
+    "usb_storage"
+    # Ethernet
+    "dwmac_generic"
+    "dwmac_meson8b"
+    "cfg80211"
+    # HDMI
+    "snd_soc_meson_g12a_tohdmitx"
+    "snd_soc_meson_g12a_toacodec"
+    "mdio_mux_meson_g12a"
+    "dw_hdmi"
+    "meson_vdec"
+    "meson_dw_hdmi"
+    "meson_drm"
+    "meson_rng"
+    "drm"
+    "display_connector"
+  ];
+  boot.kernelParams = ["console=ttyAML0,115200n8" "console=tty0"];
+}
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -5,6 +5,8 @@
 }: {
  imports = [
    ../common/core
+    ../common/hardware/hetzner-cloud.nix
+    ../common/bios-boot.nix
    ../common/initrd-ssh.nix
    ../common/zfs.nix

@ -13,11 +15,5 @@
    ./nginx.nix
  ];

-  boot.loader.timeout = lib.mkDefault 2;
-  boot.loader.grub = {
-    enable = true;
-    efiSupport = false;
-    devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
-  };
-  console.earlySetup = true;
+  boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
 }
--- a/hosts/sentinel/fs.nix
+++ b/hosts/sentinel/fs.nix
@ -1,6 +1,5 @@
 {
  config,
-  lib,
  extraLib,
  pkgs,
  ...
@ -40,6 +39,7 @@
    };
  };

+  boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
  fileSystems."/persist".neededForBoot = true;

  # After importing the rpool, rollback the root system to be empty.
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -20,6 +20,15 @@
        icfg.hostCidrv6
      ];
      gateway = ["fe80::1"];
+      routes = [
+        {routeConfig = {Destination = "172.31.1.1";};}
+        {
+          routeConfig = {
+            Gateway = "172.31.1.1";
+            GatewayOnLink = true;
+          };
+        }
+      ];
      matchConfig.MACAddress = icfg.mac;
      networkConfig.IPv6PrivacyExtensions = "yes";
      linkConfig.RequiredForOnline = "routable";
--- a/hosts/sentinel/secrets/host.pub
+++ b/hosts/sentinel/secrets/host.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgdSxSAnqaIqpr7OhyaKXGfQLUWf2bkpyF2mSG01LVv
--- a/hosts/sentinel/secrets/local.nix.age
+++ b/hosts/sentinel/secrets/local.nix.age
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@ -6,10 +6,8 @@
  ...
 }: {
  imports = [
-    nixos-hardware.common-pc-ssd
-
    ../common/core
-    ../common/hardware/physical.nix
+    ../common/hardware/odroid-n2plus.nix
    #../common/initrd-ssh.nix
    ../common/zfs.nix

@ -25,28 +23,10 @@
    ./zigbee2mqtt.nix
  ];

+  # TODO replace by bios-boot.nix
+  # and grub.devices = ... once disko is in use.
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
-  boot.initrd.availableKernelModules = [
-    "usbhid"
-    "usb_storage"
-    # Ethernet
-    "dwmac_generic"
-    "dwmac_meson8b"
-    "cfg80211"
-    # HDMI
-    "snd_soc_meson_g12a_tohdmitx"
-    "snd_soc_meson_g12a_toacodec"
-    "mdio_mux_meson_g12a"
-    "dw_hdmi"
-    "meson_vdec"
-    "meson_dw_hdmi"
-    "meson_drm"
-    "meson_rng"
-    "drm"
-    "display_connector"
-  ];
-  boot.kernelParams = ["console=ttyAML0,115200n8" "console=tty0"];
  console.earlySetup = true;

  # Fails if there are no SMART devices
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -26,6 +26,7 @@
    mkOption
    optionalAttrs
    optionals
+    stringLength
    types
    ;

@ -132,6 +133,10 @@
        assertion = isClient -> ((wgCfgOf wgCfg.client.via).server.host != null);
        message = "${assertionPrefix}: The specified via node '${wgCfg.client.via}' must be a wireguard server.";
      }
+      {
+        assertion = stringLength wgCfg.linkName < 16;
+        message = "${assertionPrefix}: The specified linkName '${wgCfg.linkName}' is too long (must be max 15 characters).";
+      }
      # TODO at least 3 network participants and (externalPeers != {} or someone has via set to us) -> ip forwarding
    ];

@ -331,7 +336,7 @@ in {
        };

        linkName = mkOption {
-          default = "wg-${name}";
+          default = name;
          type = types.str;
          description = mdDoc "The name for the created network interface.";
        };
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgdSxSAnqaIqpr7OhyaKXGfQLUWf2bkpyF2mSG01LVv`