{ description = "A very basic flake"; inputs = { deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; }; image-builder = { url = "git+https://git.asonix.dog/asonix/nixos-aarch64-images"; inputs.nixpkgs.follows = "nixpkgs"; }; nixpkgs.url = "github:asonix/nixpkgs/asonix/nixos-unstable-pinned"; sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; }; outputs = { self, deploy-rs, image-builder, nixpkgs, sops-nix }: let sharedModule = import ./modules/shared; btrbkModule = import ./modules/btrbk; dockerModule = import ./modules/docker; subvolumesModule = import ./modules/subvolumes; k3sModule = import ./modules/k3s; makeConfig = { hostname, extraModules ? [ ] }: with image-builder.packages.aarch64-linux.modules; nixpkgs.lib.nixosSystem { system = "aarch64-linux"; modules = [ sops-nix.nixosModules.sops sharedModule userModule { networking.hostName = hostname; } ] ++ extraModules; }; makeGenericK3sConfig = { hostname, macAddress ? null, enableK3s ? true, selfIp, serverIp ? null, extraModules ? [ ] }: with image-builder.packages.aarch64-linux.modules; makeConfig { inherit hostname; extraModules = [ (if serverIp == null then k3sModule.server { enable = enableK3s; } else k3sModule.agent { inherit serverIp; enable = enableK3s; }) ({ config, pkgs, ... }: { services.lvm.enable = true; networking = { interfaces.end0 = { inherit macAddress; ipv4.addresses = [ { address = selfIp; prefixLength = 24; } ]; }; defaultGateway = "192.168.20.1"; nameservers = [ "192.168.20.21" "192.168.20.1" ]; }; environment.systemPackages = with pkgs; [ nfs-utils ]; }) ] ++ extraModules; }; makeBoardK3sConfig = module: { hostname, macAddress ? null, enableK3s ? true, selfIp, serverIp }: makeGenericK3sConfig { inherit hostname macAddress enableK3s selfIp serverIp; extraModules = [ module ]; }; makeRock64K3sConfig = makeBoardK3sConfig image-builder.packages.aarch64-linux.modules.rock64; makeRockPro64K3sConfig = makeBoardK3sConfig image-builder.packages.aarch64-linux.modules.rockPro64v2; makeQuartz64AK3sConfig = makeBoardK3sConfig image-builder.packages.aarch64-linux.modules.quartz64a; makeSoQuartzK3sConfig = { hostname, enableK3s ? true, unlockMounts ? true, mountVolumes ? true, selfIp, serverIp ? null }: with image-builder.packages.aarch64-linux.modules; let device = "/dev/mapper/cryptdrive1"; subvolumes = [ "@k3s-config" ]; in makeGenericK3sConfig { inherit hostname selfIp serverIp; enableK3s = unlockMounts && mountVolumes && enableK3s; extraModules = [ soquartz-blade (btrbkModule { inherit subvolumes; mountDir = "/btrfs/nvme"; primaryIp = serverIp; }) (if unlockMounts && mountVolumes then (subvolumesModule { inherit device subvolumes; }) else { }) ({ config, pkgs, ... }: let keyFilePath = config.sops.secrets.k3sKeyFile.path; prepareNvme = '' #!/usr/bin/env bash set -e echo "Creating two partitions" fdisk -w always /dev/nvme0n1 << EOL g n 1 +50G n 2 w EOL echo "YES" | cryptsetup luksFormat /dev/nvme0n1p1 -d ${keyFilePath} cryptsetup luksOpen /dev/nvme0n1p1 cryptdrive1 -d ${keyFilePath} mkfs.btrfs /dev/mapper/cryptdrive1 mkdir -p /btrfs/nvme mount /dev/mapper/cryptdrive1 /btrfs/nvme btrfs subvolume create /btrfs/nvme/@k3s-config btrfs subvolume create /btrfs/nvme/@snapshots btrfs subvolume create /btrfs/nvme/@swap btrfs subvolume create /btrfs/nvme/@var-lib-rancher btrfs subvolume create /btrfs/nvme/@var-lib-rook btrfs subvolume create /btrfs/nvme/@var-log-pods btrfs filesystem mkswapfile -s 4g /btrfs/nvme/@swap/file umount /btrfs/nvme cryptsetup luksClose cryptdrive1 ''; in { sops.secrets.k3sKeyFile = { format = "binary"; sopsFile = ./secrets/k3sKeyFile.bin; }; environment.systemPackages = with pkgs; [ (writeShellScriptBin "prepare-nvme" prepareNvme) ]; environment.etc.crypttab = { enable = unlockMounts; text = '' cryptdrive1 /dev/nvme0n1p1 ${keyFilePath} luks ''; }; fileSystems = let defaultOptions = [ "defaults" "rw" "compress=zstd" ]; fileSystemConfig = { "/btrfs/nvme" = { inherit device; fsType = "btrfs"; options = defaultOptions; }; "/swap" = { inherit device; fsType = "btrfs"; options = defaultOptions ++ [ "subvol=@swap" ]; }; "/var/lib/rancher" = { inherit device; fsType = "btrfs"; options = defaultOptions ++ [ "subvol=@var-lib-rancher" ]; }; "/var/lib/rook" = { inherit device; fsType = "btrfs"; options = defaultOptions ++ [ "subvol=@var-lib-rook" ]; }; "/var/log/pods" = { inherit device; fsType = "btrfs"; options = defaultOptions ++ [ "subvol=@var-log-pods" ]; }; }; in if unlockMounts && mountVolumes then fileSystemConfig else { }; swapDevices = let swapFile = { device = "/swap/file"; size = (1024 * 4); }; in if unlockMounts && mountVolumes then [ swapFile ] else [ ]; }) ]; }; makeNextcloudConfig = { hostname, primaryIp ? null }: with image-builder.packages.aarch64-linux.modules; let device = "/dev/mapper/cryptdrive1"; mountDir = "/btrfs/hdd"; subvolumes = [ "@nc-config" "@nc-data" "@postgres" "@redis" "@gitea" "@gitea-conf" "@pihole" "@papermc" "@docker-cfg" "@garage" "@garage-config" ]; in makeConfig { inherit hostname; extraModules = [ rockPro64v2 dockerModule (btrbkModule { inherit mountDir primaryIp subvolumes; }) (if primaryIp == null then (subvolumesModule { inherit device subvolumes; }) else { }) ({ config, ... }: { sops.secrets.nextcloudKeyFile = { format = "binary"; sopsFile = ./secrets/nextcloudKeyFile.bin; }; environment.etc.crypttab = { enable = true; text = '' cryptdrive1 /dev/sda1 ${config.sops.secrets.nextcloudKeyFile.path} luks cryptdrive2 /dev/sdb1 ${config.sops.secrets.nextcloudKeyFile.path} luks cryptdrive3 /dev/sdc1 ${config.sops.secrets.nextcloudKeyFile.path} luks ''; }; fileSystems."${mountDir}" = { inherit device; fsType = "btrfs"; options = [ "defaults" "compress=zstd" "rw" ]; }; }) ]; }; makePostgresConfig = { hostname, keyFile, primaryIp ? null }: with image-builder.packages.aarch64-linux.modules; let device = "/dev/mapper/cryptdrive1"; mountDir = "/btrfs/ssd"; subvolumes = [ "@postgres" "@postgres-cfg" ]; in makeConfig { inherit hostname; extraModules = [ rock64 dockerModule (btrbkModule { inherit mountDir primaryIp subvolumes; }) (if primaryIp == null then (subvolumesModule { inherit device subvolumes; }) else { }) ({ config, ... }: let keyFilePath = config.sops.secrets."${keyFile}".path; in { sops.secrets.${keyFile} = { format = "binary"; sopsFile = ./secrets/${keyFile}.bin; }; environment.etc.crypttab = { enable = true; text = '' cryptdrive1 /dev/sda1 ${keyFilePath} luks ''; }; fileSystems."${mountDir}" = { inherit device; fsType = "btrfs"; options = [ "defaults" "compress=zstd" "rw" ]; }; }) ]; }; deployer = { hostname, configuration }: { hostname = hostname; profiles.system = { sshUser = "asonix"; user = "root"; magicRollback = false; sshOpts = [ "-i" "/home/asonix/.ssh/kube-rsa" "-t" ]; path = deploy-rs.lib.aarch64-linux.activate.nixos configuration; }; }; in { nixosConfigurations = { nextcloud1 = makeNextcloudConfig { hostname = "nextcloud1"; # primaryIp = "192.168.20.28"; }; nextcloud2 = makeNextcloudConfig { hostname = "nextcloud2"; primaryIp = "192.168.20.21"; }; redtail1 = makePostgresConfig { hostname = "redtail1"; keyFile = "redtailKeyFile"; primaryIp = "192.168.20.24"; }; redtail2 = makePostgresConfig { hostname = "redtail2"; keyFile = "redtailKeyFile"; # primaryIp = "192.168.20.23"; }; whitestorm1 = makePostgresConfig { hostname = "whitestorm1"; keyFile = "whitestormKeyFile"; # primaryIp = "192.168.20.11"; }; whitestorm2 = makePostgresConfig { hostname = "whitestorm2"; keyFile = "whitestormKeyFile"; primaryIp = "192.168.20.26"; }; k3s1 = makeSoQuartzK3sConfig { hostname = "k3s1"; selfIp = "192.168.20.120"; }; k3s2 = makeSoQuartzK3sConfig { hostname = "k3s2"; selfIp = "192.168.20.121"; serverIp = "192.168.20.120"; }; k3s3 = makeSoQuartzK3sConfig { hostname = "k3s3"; selfIp = "192.168.20.122"; serverIp = "192.168.20.120"; }; k3s4 = makeSoQuartzK3sConfig { hostname = "k3s4"; selfIp = "192.168.20.123"; serverIp = "192.168.20.120"; }; k3s5 = makeSoQuartzK3sConfig { hostname = "k3s5"; selfIp = "192.168.20.124"; serverIp = "192.168.20.120"; }; k3s6 = makeSoQuartzK3sConfig { hostname = "k3s6"; selfIp = "192.168.20.125"; serverIp = "192.168.20.120"; }; k3s-rock1 = makeRock64K3sConfig { hostname = "k3s-rock1"; selfIp = "192.168.20.20"; serverIp = "192.168.20.120"; macAddress = "02:36:51:19:8c:5d"; }; k3s-rock2 = makeRock64K3sConfig { hostname = "k3s-rock2"; selfIp = "192.168.20.111"; serverIp = "192.168.20.120"; macAddress = "02:af:fa:0e:c5:41"; }; k3s-rock3 = makeRock64K3sConfig { hostname = "k3s-rock3"; selfIp = "192.168.20.112"; serverIp = "192.168.20.120"; macAddress = "02:86:c1:62:77:51"; }; k3s-rock4 = makeRock64K3sConfig { hostname = "k3s-rock4"; selfIp = "192.168.20.113"; serverIp = "192.168.20.120"; macAddress = "02:7a:2e:2c:bb:99"; }; k3s-rock5 = makeRock64K3sConfig { hostname = "k3s-rock5"; selfIp = "192.168.20.114"; serverIp = "192.168.20.120"; macAddress = "02:76:67:0f:a0:b7"; }; k3s-quartza1 = makeQuartz64AK3sConfig { hostname = "k3s-quartza1"; selfIp = "192.168.20.160"; serverIp = "192.168.20.120"; }; k3s-rockpro1 = makeRockPro64K3sConfig { hostname = "k3s-rockpro1"; selfIp = "192.168.20.180"; serverIp = "192.168.20.120"; }; }; deploy.nodes.nextcloud2 = deployer { hostname = "192.168.20.28"; configuration = self.nixosConfigurations.nextcloud2; }; deploy.nodes.k3s1 = deployer { hostname = "192.168.20.120"; configuration = self.nixosConfigurations.k3s1; }; deploy.nodes.k3s2 = deployer { hostname = "192.168.20.121"; configuration = self.nixosConfigurations.k3s2; }; deploy.nodes.k3s3 = deployer { hostname = "192.168.20.122"; configuration = self.nixosConfigurations.k3s3; }; deploy.nodes.k3s4 = deployer { hostname = "192.168.20.123"; configuration = self.nixosConfigurations.k3s4; }; deploy.nodes.k3s5 = deployer { hostname = "192.168.20.124"; configuration = self.nixosConfigurations.k3s5; }; deploy.nodes.k3s6 = deployer { hostname = "192.168.20.125"; configuration = self.nixosConfigurations.k3s6; }; deploy.nodes.k3s-rock1 = deployer { hostname = "192.168.20.20"; configuration = self.nixosConfigurations.k3s-rock1; }; deploy.nodes.k3s-rock2 = deployer { hostname = "192.168.20.111"; configuration = self.nixosConfigurations.k3s-rock2; }; deploy.nodes.k3s-rock3 = deployer { hostname = "192.168.20.112"; configuration = self.nixosConfigurations.k3s-rock3; }; deploy.nodes.k3s-rock4 = deployer { hostname = "192.168.20.113"; configuration = self.nixosConfigurations.k3s-rock4; }; deploy.nodes.k3s-rock5 = deployer { hostname = "192.168.20.114"; configuration = self.nixosConfigurations.k3s-rock5; }; deploy.nodes.k3s-quartza1 = deployer { hostname = "192.168.20.160"; configuration = self.nixosConfigurations.k3s-quartza1; }; deploy.nodes.k3s-rockpro1 = deployer { hostname = "192.168.20.180"; configuration = self.nixosConfigurations.k3s-rockpro1; }; }; }