Disko for the laptops

Actually it might make more sense to keep it, especially for setting up new hosts.

.forgejo/workflows/update.yaml

@@ -1,12 +1,32 @@
 on: [push]
+
 jobs:
-  format:
+  # Source: https://github.com/isabelroses/dotfiles/tree/main/.github/workflows
-    runs-on: nix
+  update-lockfile:
+    runs-on: ubuntu-latest
+
     steps:
-      - run: nix --experimental-features 'nix-command flakes' fmt
+      - name: Checkout
-  build:
+        uses: actions/checkout@v4
-    runs-on: nix
+
-    steps:
+      - name: Install Nix
-      - run: nix --experimental-features 'nix-command flakes' flake update
+        uses: DeterminateSystems/nix-installer-action@main
-      - run: nixos-rebuild --experimental-features 'nix-command flakes' build --flake .#Haven
+        with:
-      - run: nixos-rebuild --experimental-features 'nix-command flakes' build --flake .#Khanda
+          logger: pretty
+
+#      - name: Update Lockfile
+#        uses: DeterminateSystems/update-flake-lock@main
+#        id: update
+#        with:
+#          pr-title: "chore(deps): flake inputs"
+#          commit-msg: "chore(deps): flake inputs"
+#          token: ${{ secrets.GITHUB_TOKEN }}
+
+#  build:
+#    runs-on: nix
+#    steps:
+#      - run: nix-env -iA nixpkgs.nodejs_20
+#      - uses: actions/checkout@v4
+#      - run: nix --experimental-features 'nix-command flakes' flake update
+#      - run: nixos-rebuild --experimental-features 'nix-command flakes' build --flake .#Haven
+#      - run: nixos-rebuild --experimental-features 'nix-command flakes' build --flake .#Khanda

flake.lock

@@ -33,6 +33,27 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1715070411,
+        "narHash": "sha256-5CNvkH0Nf7yMwgKhjUNg/lUK40C7DXB4zKOuA2jVO90=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "4677f6c53482a8b01ee93957e3bdd569d51261d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v1.6.1",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -218,11 +239,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716506851,
+        "lastModified": 1717036776,
-        "narHash": "sha256-fzY708SyfHwLOFrg5ZU0fXW9mNdvRvqz64jg97vvpJM=",
+        "narHash": "sha256-joKTxvywYlKspGGKOIXho6oRbggOPyayEqAyuZCavO0=",
         "ref": "refs/heads/main",
-        "rev": "18fa4a89e208cb8e881f5f71c75bbd4c1c2fd37d",
+        "rev": "b4b38e6b5fe18da9464f291ae5fbf2ea9acb9ccb",
-        "revCount": 83,
+        "revCount": 86,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/nixos-module"
       },
@@ -250,26 +271,26 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1716827240,
+        "lastModified": 1717092160,
-        "narHash": "sha256-0LHXNvx7KEsn3j9w/4VtQiEWKrqJmmWn1k/169x/N04=",
+        "narHash": "sha256-dype0zRMyP94Uo8YC1vWQ6lkvXLYMep6+Xo7AW4K9cs=",
-        "ref": "refs/heads/main",
+        "ref": "42ddf14d36d9fab1eb070f51fdf1991d1a21dde9",
-        "rev": "f8a243d7e9db4689bcfc7726df75d5725daf4b60",
+        "rev": "42ddf14d36d9fab1eb070f51fdf1991d1a21dde9",
-        "revCount": 40,
+        "revCount": 42,
         "type": "git",
-        "url": "file:///home/aires/Development/nix-configuration/nix-secrets"
+        "url": "file:./nix-secrets"
       },
       "original": {
         "type": "git",
-        "url": "file:///home/aires/Development/nix-configuration/nix-secrets"
+        "url": "file:./nix-secrets"
       }
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1716588418,
+        "lastModified": 1717000136,
-        "narHash": "sha256-3EpFUFlZjE+UkBlSXp2lC65ysgUmpAHl13kjh45+et0=",
+        "narHash": "sha256-MyFE1416Wsb9UxTNiHTGoOvtUl5JuCftj4EBfz9oPHU=",
         "ref": "master",
-        "rev": "80736f76ded618a54dce2db319247aeb902ce795",
+        "rev": "2575b7552f52b34dadb08f140326fbbd19056355",
-        "revCount": 1683,
+        "revCount": 1685,
         "type": "git",
         "url": "https://code.8bitbuddhism.com/aires/nixos-hardware"
       },
@@ -313,11 +334,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1716542732,
+        "lastModified": 1717144377,
-        "narHash": "sha256-0Y9fRr0CUqWT4KgBITmaGwlnNIGMYuydu2L8iLTfHU4=",
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d12251ef6e8e6a46e05689eeccd595bdbd3c9e60",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
         "type": "github"
       },
       "original": {
@@ -360,6 +381,7 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "home-manager": "home-manager",
         "lanzaboote": "lanzaboote",
         "lix": "lix",

flake.nix

@@ -26,6 +26,7 @@
 
     # Hardware configurations
     nixos-hardware.url = "git+https://code.8bitbuddhism.com/aires/nixos-hardware?ref=master";
+    #nixos-hardware.url = "git+https://github.com/NixOS/nixos-hardware?ref=master";
 
     # Home-manager
     home-manager = {
@@ -35,7 +36,7 @@
 
     # "Secrets management"
     nix-secrets = {
-      url = "git+file:///home/aires/Development/nix-configuration/nix-secrets";
+      url = "git+file:./nix-secrets";
       flake = false;
     };
 
@@ -104,6 +105,7 @@
           system = "x86_64-linux";
           modules = defaultModules ++ [
             nixos-hardware.nixosModules.common-cpu-intel
+            nixos-hardware.nixosModules.common-gpu-intel
             ./hosts/Dimaga
           ];
         };
@@ -112,6 +114,7 @@
           system = "x86_64-linux";
           modules = defaultModules ++ [
             nixos-hardware.nixosModules.common-cpu-amd-pstate
+            nixos-hardware.nixosModules.common-gpu-amd
             ./hosts/Haven
           ];
         };

hosts/Haven/default.nix

@@ -19,7 +19,6 @@ in
   imports = [ ./hardware-configuration.nix ];
 
   system.stateVersion = "24.05";
-  system.autoUpgrade.enable = lib.mkForce false;
 
   host = {
     role = "server";
@@ -51,6 +50,7 @@ in
         enable = true;
         home = "/storage/services/airsonic-advanced";
       };
+      autoUpgrade.pushUpdates = true;
       boinc.enable = true;
       cache = {
         enable = false; # Disable for now
@@ -114,4 +114,41 @@ in
 
   # Allow Haven to be a build target for other architectures (mainly ARM64)
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  # Automatically update Flake configuration for other hosts to use
+  systemd.services."nixos-update-flake" = {
+    serviceConfig = {
+      Type = "oneshot";
+      User = config.users.users.aires.name;
+    };
+    path = with pkgs; [
+      # Courtesy of https://discourse.nixos.org/t/how-to-use-other-packages-binary-in-systemd-service-configuration/14363
+      coreutils
+      gnutar
+      xz.bin
+      gzip
+      git
+      config.nix.package.out
+      openssh
+    ];
+    script = ''
+      set -eu
+      cd ${config.secrets.nixConfigFolder}
+      git pull --recurse-submodules
+      nix flake update
+      git add flake.lock
+      git diff --quiet && git diff --staged --quiet || git commit -am "Update flake.lock" && git push	# Courtesy of https://stackoverflow.com/a/40255467
+    '';
+  };
+
+  systemd.timers."nixos-update-flake-timer" = {
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = "true";
+      Unit = "nixos-update-flake.service";
+    };
+  };
 }

hosts/Khanda/hardware-configuration.nix

@@ -43,11 +43,6 @@
         "surface_kbd"
         "pinctrl_tigerlake"
       ];
-
-      luks.devices."luks-bd1fe396-6740-4e7d-af2c-26ca9a3031f1" = {
-        device = "/dev/disk/by-uuid/bd1fe396-6740-4e7d-af2c-26ca9a3031f1";
-        crypttabExtraOpts = [ "tpm2-device=auto" ];
-      };
     };
 
     kernelModules = [
@@ -68,22 +63,6 @@
     extraModulePackages = [ ];
   };
 
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/b34afd29-94ff-421b-bb96-8497951abf58";
-      fsType = "btrfs";
-      options = [ "subvol=@,compress=zstd" ];
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-uuid/DD2A-9C83";
-      fsType = "vfat";
-    };
-  };
-
-  # TODO: Disable once DIsko is up and running
-  swapDevices = [ { device = "/dev/disk/by-uuid/8c2519d9-3e47-4aa1-908d-98b1aa8b909d"; } ];
-
   networking = {
     useDHCP = lib.mkDefault true;
     hostName = "Khanda";
@@ -103,7 +82,7 @@
   # boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
 
   # Disk management
-  disko.enableConfig = false; # Disable while testing
+  disko.enableConfig = true; # Disable while testing
   disko.devices = {
     disk = {
       nvme0n1 = {
@@ -154,7 +133,7 @@
                       mountpoint = "/nix";
                     };
                     "/swap" = {
-                      mountpoint = "/.swapvol";
+                      mountpoint = "/.swap";
                       swap.swapfile.size = "8G";
                     };
                     "/log" = {

hosts/Shura/bluetooth/vitrix-pdp-pro-params

@@ -0,0 +1,42 @@
+[General]
+Name=Victrix Pro BFG
+Appearance=0x03c4
+AddressType=public
+SupportedTechnologies=LE;
+Trusted=true
+Blocked=false
+WakeAllowed=true
+Services=00001800-0000-1000-8000-00805f9b34fb;00001801-0000-1000-8000-00805f9b34fb;0000180a-0000-1000-8000-00805f9b34fb;0000180f-0000-1000-8000-00805f9b34fb;00001812-0000-1000-8000-00805f9b34fb;00001813-0000-1000-8000-00805f9b34fb;f95a48e6-a721-11e9-a2a3-022ae2dbcce4;
+
+[LongTermKey]
+Key=F12268049C72EA0561E2E77DEA02AC12
+Authenticated=0
+EncSize=16
+EDiv=29996
+Rand=5139827239406697411
+
+[PeripheralLongTermKey]
+Key=CC60B7A9080383302B61EC2127E0D5CD
+Authenticated=0
+EncSize=16
+EDiv=59630
+Rand=6653202288716901387
+
+[SlaveLongTermKey]
+Key=CC60B7A9080383302B61EC2127E0D5CD
+Authenticated=0
+EncSize=16
+EDiv=59630
+Rand=6653202288716901387
+
+[DeviceID]
+Source=2
+Vendor=3695
+Product=587
+Version=768
+
+[ConnectionParameters]
+MinInterval=6
+MaxInterval=6
+Latency=0
+Timeout=300

hosts/Shura/default.nix

@@ -15,6 +15,9 @@ let
   mano-touchpad-bluetooth = pkgs.writeText "info" (
     builtins.readFile ./bluetooth/mano-touchpad-bluetooth-params
   );
+  vitrix-pdp-pro-bluetooth = pkgs.writeText "info" (
+    builtins.readFile ./bluetooth/vitrix-pdp-pro-params
+  );
 
   # Use gremlin user's monitor configuration for GDM (desktop monitor primary). See https://discourse.nixos.org/t/gdm-monitor-configuration/6356/4
   monitorsXmlContent = builtins.readFile ./monitors.xml;
@@ -75,6 +78,7 @@ in
     "L+ /var/lib/bluetooth/AC:50:DE:9F:AB:88/00:0E:DD:72:2F:0C/info - - - - ${shure-aonic-bluetooth}"
     "L+ /var/lib/bluetooth/AC:50:DE:9F:AB:88/F4:6A:D7:3A:16:75/info - - - - ${xbox-elite-bluetooth}"
     "L+ /var/lib/bluetooth/AC:50:DE:9F:AB:88/F8:5D:3C:7D:9A:00/info - - - - ${mano-touchpad-bluetooth}"
+    "L+ /var/lib/bluetooth/AC:50:DE:9F:AB:88/00:34:30:47:37:AB/info - - - - ${vitrix-pdp-pro-bluetooth}"
   ];
 
   # Configure the virtual machine created by nixos-rebuild build-vm

hosts/Shura/hardware-configuration.nix

@@ -66,13 +66,6 @@
     };
   };
 
-  swapDevices = [
-    {
-      device = "/swap/swapfile";
-      size = 16384;
-    }
-  ];
-
   networking = {
     # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
     # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -86,4 +79,73 @@
   };
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  # Disk management
+  disko.enableConfig = false; # Disable while testing
+  disko.devices = {
+    disk = {
+      nvme0n1 = {
+        type = "disk";
+        device = "";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              label = "boot";
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            luks = {
+              size = "100%";
+              label = "nixos";
+              content = {
+                type = "luks";
+                name = "cryptroot";
+                settings = {
+                  allowDiscards = true;
+                  crypttabExtraOpts = ["tpm2-device=auto"];
+                };
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ]; # Override existing partition
+                  # Subvolumes must set a mountpoint in order to be mounted,
+                  # unless their parent is mounted
+                  subvolumes = {
+                    # Subvolume name is different from mountpoint
+                    "/root" = {
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                      mountpoint = "/";
+                    };
+                    "/home" = {
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                      mountpoint = "/home";
+                    };
+                    "/nix" = {
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                      mountpoint = "/nix";
+                    };
+                    "/swap" = {
+                      mountpoint = "/.swap";
+                      swap.swapfile.size = "16G";
+                    };
+                    "/log" = {
+                      mountpoint = "/var/log";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
 }

modules/base/programs.nix

@@ -17,7 +17,7 @@
 
     nh = {
       enable = true;
-      flake = "${config.users.users.aires.home}/Development/nix-configuration";
+      flake = "${config.secrets.nixConfigFolder}";
 
       # Alternative garbage collection system to nix.gc.automatic
       clean = {

modules/base/system.nix

@@ -26,15 +26,6 @@
     };
   };
 
-  # Configure automatic updates
-  system.autoUpgrade = {
-    enable = true;
-    flake = "${config.users.users.aires.home}/Development/nix-configuration";
-    dates = "daily";
-    allowReboot = false;
-    operation = "switch";
-  };
-
   services = {
     # Enable fwupd (firmware updater)
     fwupd.enable = true;

modules/services/autoupgrade.nix

@@ -0,0 +1,108 @@
+# Run automatic updates. Replaces system.autoUpgrade.
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.host.services.autoUpgrade;
+
+  # List of packages to include in each service's $PATH
+  pathPkgs = with pkgs; [
+    # Courtesy of https://discourse.nixos.org/t/how-to-use-other-packages-binary-in-systemd-service-configuration/14363
+    coreutils
+    git
+    gnutar
+    gzip
+    config.nix.package.out
+    nh
+    config.programs.ssh.package
+    sudo
+    xz.bin
+  ];
+in
+{
+  options = {
+    host.services.autoUpgrade = {
+      enable = lib.mkOption {
+        default = true;
+        type = lib.types.bool;
+        description = "Enables automatic system updates.";
+      };
+      pushUpdates = lib.mkEnableOption (
+        lib.mdDoc "Updates the flake.lock file and pushes it back to the repo."
+      );
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      # Pull and apply updates.
+      systemd.services."nixos-upgrade" = {
+        serviceConfig = {
+          Type = "oneshot";
+          User = "root";
+        };
+        path = pathPkgs;
+        script = ''
+          cd ${config.secrets.nixConfigFolder}
+          # Check if there are changes from Git.
+          echo "Pulling latest version..."
+          sudo -u aires git fetch
+          sudo -u aires git diff --quiet --exit-code main origin/main || true
+          # If we have changes (git diff returns 1), pull changes and run the update
+          if [ $? -eq 1 ]; then
+            echo "Updates found, running nixos-rebuild..."
+            sudo -u aires git pull --recurse-submodules
+            nh os switch
+          else
+            echo "No updates found. Exiting."
+          fi
+        '';
+      };
+      systemd.timers."nixos-upgrade-timer" = {
+        wants = [ "network-online.target" ];
+        after = [ "network-online.target" ];
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = "daily";
+          Persistent = "true";
+          Unit = "nixos-upgrade.service";
+        };
+      };
+    })
+    (lib.mkIf cfg.pushUpdates {
+      # Automatically update Flake configuration for other hosts to use
+      systemd.services."nixos-upgrade-flake" = {
+        serviceConfig = {
+          Type = "oneshot";
+          User = config.users.users.aires.name;
+        };
+        path = pathPkgs;
+        # Git diffing strategy courtesy of https://stackoverflow.com/a/40255467
+        script = ''
+          set -eu
+          cd ${config.secrets.nixConfigFolder}
+          # Make sure we're up-to-date
+          echo "Pulling the latest version..."
+          git pull --recurse-submodules
+          nix flake update --commit-lock-file
+          git push
+        '';
+      };
+
+      systemd.timers."nixos-upgrade-flake-timer" = {
+        wants = [ "network-online.target" ];
+        after = [ "network-online.target" ];
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = "daily";
+          Persistent = "true";
+          Unit = "nixos-upgrade-flake.service";
+        };
+      };
+    })
+  ];
+}

modules/services/forgejo.nix

@@ -72,11 +72,13 @@ in
           labels = [
             "nix:docker://nixos/nix" # Shoutout to Icewind 1991 for this syntax: https://icewind.nl/entry/gitea-actions-nix/
             "debian:docker://node:20-bullseye"
+            "ubuntu-latest:docker://ubuntu:latest"
           ];
           settings = {
             # For an example of configuring in Nix: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
             # For an example of the different options available: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
-            container.validVolumes = "**";
+            container.options = "-v /nix:/nix";
+            container.validVolumes = [ "/nix" ];
           };
         };
       };
@@ -96,6 +98,12 @@ in
       };
     };
 
+    # Allow containers to make DNS queries (https://www.reddit.com/r/NixOS/comments/199f16j/why_dont_my_podman_containers_have_internet_access/)
+    networking.firewall.interfaces.podman4 = {
+      allowedTCPPorts = [ 53 ];
+      allowedUDPPorts = [ 53 ];
+    };
+
     systemd.services = {
       nginx.wants = [ config.systemd.services.forgejo.name ];
     } // lib.optionalAttrs (!cfg.autostart) { forgejo.wantedBy = lib.mkForce [ ]; };

nix-secrets

@@ -1 +1 @@
-Subproject commit f8a243d7e9db4689bcfc7726df75d5725daf4b60
+Subproject commit 42ddf14d36d9fab1eb070f51fdf1991d1a21dde9