flemming: initial commit

README.rst

@@ -8,3 +8,14 @@ https://reciproka.dev/reciproka/reciproka-ops
 
 .. _Colmena: https://colmena.cli.rs/
 .. _Reciproka Kolektivo: https://reciproka.co/
+
+.. toctree::
+
+Building for aarch64 Targets
+----------------------------
+
+If you don't have your own ``aarch64`` build server, you can apply to use the
+`aarch64 build box`_ provided by the `Nix Community`_.
+
+.. _aarch64 build box: https://github.com/NixOS/aarch64-build-box
+.. _Nix Community: https://github.com/nix-community

hardware/pi3B.nix

@@ -0,0 +1,80 @@
+# Configuration common to all Raspberry Pi 3 Model B devices
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "bcm2835_dma" # Allows early (earlier) mode setting
+        "i2c_bcm2835" # Allows early (earlier) mode setting
+        "usbhid"
+        "usb_storage"
+        "vc4" # Allows early (earlier) mode setting
+      ];
+    };
+    kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
+    kernelParams = [
+      "cma=32M" # Needed for the virtual console to work on the RPi 3
+      "console=ttyS0,115200n8" # Enable the serial console
+      "console=tty0"
+    ];
+    loader = {
+      generic-extlinux-compatible = {
+        enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
+      };
+      grub = {
+        enable = false; # NixOS wants to enable GRUB by default.
+      };
+      raspberryPi = {
+        enable = false;
+        version = 3;
+        uboot.enable = true;
+        firmwareConfig = ''
+          arm_64bit=1            # Force kernel loading system to assume a 64-bit kernel
+          hdmi_force_hotplug=1   # Enable headless booting
+        '';
+      };
+    };
+  };
+
+  # File systems configuration for using the installer's partition layout
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
+    "/boot/firmware" = {
+      device = "/dev/disk/by-label/FIRMWARE";
+      fsType = "vfat";
+      # Alternatively, this could be removed from the configuration.
+      # The filesystem is not needed at runtime, it could be treated
+      # as an opaque blob instead of a discrete FAT32 filesystem.
+      options = ["nofail" "noauto"];
+    };
+  };
+
+  # !!! Adding a swap file is optional, but strongly recommended!
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 1024;
+    }
+  ];
+
+  hardware = {
+    enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
+  };
+
+  networking = {
+    enableB43Firmware = true; # If true, enable Pi wireless firmware
+  };
+
+  nixpkgs.config.allowUnfree = true; # required by B34Firmare above
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi # Userland tools for the Raspberry Pi board
+  ];
+}

hardware/raspberry_pi_3_model_B.nix

@@ -0,0 +1,86 @@
+# Configuration common to all Raspberry Pi 3 Model B devices
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "bcm2835_dma" # Allows early (earlier) mode setting
+        "i2c_bcm2835" # Allows early (earlier) mode setting
+        "usbhid"
+        "usb_storage"
+        "vc4" # Allows early (earlier) mode setting
+      ];
+    };
+    kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
+    kernelParams = [
+      "cma=320M" # Needed for the virtual console to work on the RPi 3
+      "console=ttyS0,115200n8" # Enable the serial console
+      "console=tty0"
+    ];
+    loader = {
+      generic-extlinux-compatible = {
+        enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
+      };
+      grub = {
+        enable = false; # NixOS wants to enable GRUB by default.
+      };
+      raspberryPi = {
+        enable = false;
+        version = 3;
+        uboot.enable = true;
+        firmwareConfig = ''
+          arm_64bit=1            # Force kernel loading system to assume a 64-bit kernel
+          display_auto_detect=1  # Enable auto detection of screen resolution
+          gpu_mem=128
+          hdmi_force_hotplug=1   # Enable headless booting
+        '';
+      };
+    };
+  };
+
+  # File systems configuration for using the installer's partition layout
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
+    "/boot/firmware" = {
+      device = "/dev/disk/by-label/FIRMWARE";
+      fsType = "vfat";
+      # Alternatively, this could be removed from the configuration.
+      # The filesystem is not needed at runtime, it could be treated
+      # as an opaque blob instead of a discrete FAT32 filesystem.
+      options = ["nofail" "noauto"];
+    };
+    #"/var" = {
+    #  device = "/dev/disk/by-label/var";
+    #  fsType = "ext4";
+    #};
+  };
+
+  # !!! Adding a swap file is optional, but strongly recommended!
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 1024;
+    }
+  ];
+
+  hardware = {
+    enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
+  };
+
+  networking = {
+    enableB43Firmware = true; # If true, enable Pi wireless firmware
+  };
+
+  nixpkgs.config.allowUnfree = true; # required by B34Firmare above
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi # Userland tools for the Raspberry Pi board
+  ];
+}

modules/piCommon/default.nix

@@ -0,0 +1,14 @@
+# Configuration common to all my servers
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  environment = {
+    # Set the system-wide environment
+    systemPackages = with pkgs; [
+      usbutils # Tools for working with USB devices, such as lsusb
+    ];
+  };
+}

networks/pi3B_rack.nix

@@ -0,0 +1,26 @@
+# NixOps configuration for the Raspberry Pi 3B Rack
+{
+  imports = [
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ../hardware/raspberry_pi_3_model_B.nix
+    ../profiles/host_common.nix
+    ../profiles/server_common.nix
+  ];
+
+  # Ensure the right package architecture is used
+  nixpkgs.localSystem = {
+    system = "aarch64-linux";
+    config = "aarch64-unknown-linux-gnu";
+    allowUnfree = true;
+  };
+
+  systemd.network.networks.eth0.ipv6SendRAConfig = {
+    EmitDNS = true;
+    Managed = true;
+    OtherInformation = true;
+  };
+
+  documentation = {
+    nixos.enable = false; # Save some space by disabling the manual
+  };
+}

nixos/hosts/flemming/default.nix

@@ -0,0 +1,25 @@
+# NixOS configuration for flemming
+#
+# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
+# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
+# grave diggers in Australia
+#
+# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
+# https://slackbastard.anarchobase.com/
+# https://www.3cr.org.au/yeahnahpasaran
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../../networks/pi3B_rack.nix
+  ];
+
+  # Comment out deployment when building the SD Image.
+  deployment.targetHost = "10.42.0.202";
+  networking.hostName = "flemming"; # Define your hostname.
+
+  system.stateVersion = "23.11"; # The version of NixOS originally installed
+}

outputs.nix

@@ -32,6 +32,12 @@ in {
         overlays = [];
       };
     };
+    flemming = {
+      imports = [
+        ./nixos/hosts/flemming
+        ragenix.nixosModules.default
+      ];
+    };
     toscano = {
       imports = [
         ./nixos/hosts/toscano/configuration.nix

secrets/fiscalvelvetpoet.age

@@ -1,14 +1,16 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBabmpl
-K3V2ZWV4c2pXcmtHYlhPaWVTd0Z2UnUrRTU0UHJxSlNGVGxrMEFZCjdsNW1IQTZY
-VWR5MG9YbjlHVGk1OEFEbGthNXVsbkpHbnlyN0lOU3dxOWsKLT4gc3NoLWVkMjU1
-MTkgZjVUaEFnIDIwdjFwUmc5dEhGdTd3WFdLMlJzN2NqQ1R1YWV2RXBwbTE5OU0x
-Y3hHMDAKcFhOYjdDcncwTnplamd3UTlaWVFiMXBHTlpuNFVSa01iaER4amlhdHdR
-MAotPiBRLWdyZWFzZSBjCkRMREtPUVdTeER4WWhjcjJOWSsvUkxtK2JTUnRhblB4
-KzFxMW5BVGp5U2hmdGtOZ1FDbFkrdUpNR1JuKzRLTWUKVTZCZk5nRTRUcnUzWURp
-MVplUGhTQjBrQU1UNwotLS0gSm52ejc3TXRBdlYrS0pRamQzeHo4N0pvcktHMDEv
-RzdXakJMVlZrYzNtMAp8HicX1xAaiwdoitp+OGbp3imWarnmMynCZxHsdPGmDIYG
-CEYqJ9JJVXAtzUL7kIE7uQOSZvgp4MvWahk5a0ITQkJDLbXef1mxhavGI6SYkhKP
-4fYc4GN7xAcxTRvb/oBP67lhc8Pt1W+h6BLphYMYbMM7XT/zHAVCUBrCCKTW2Swc
-NgJYUgwf7rI+hg/AKeXDXWYyidcYMrvb+L7jiIwZ6Q==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBXZGxN
+eVRsL3QyT1BPc1dOWmt4Z213czlHV1gwV0JldkRQREZ1YkZtRjNnCm9yMlpSV1dK
+R2szbEtnQ2tUOXJzWGMyUk9BQldkbjVCa1RwejJ6U01JdGsKLT4gc3NoLWVkMjU1
+MTkgUWQwZXBRIFJ0TmhHZHVqam1wWkFRbUFHSWFEYk9CbzVmWnYwUWtjZ3hsQ3Z5
+Y1JYRDgKajR1a3Nnay9SeFlId2ZDTDd6VVNlZXRpY0h3cTh0R3ExUWRRcGovbVl3
+cwotPiBzc2gtZWQyNTUxOSBmNVRoQWcgN3BhVlk2Q0Z4RksvL1dLUmhCZFd1VUNs
+ZmtqREtpMDAzWkRyMGZML016cwpKKzloVUxLWWcxcjZOQ2czaSt1b1hqTkFrSUc2
+bUJUV2crYUl3TVhQUzBzCi0+IDxSI243aidNLWdyZWFzZSBPIVk1J2QKa3RGampV
+dlBKMitIV0ltUGhDNFcwK0c5dGFOSHJaRjlRZUppNXJPbmFFZnkwZkZKOHBmMk9P
+ZmV2L1NZbzF5Kwo3Vlk5Ci0tLSA3MkZtc2V5QXRBLzg3eTNGZkRTZVo4K1hQbkR5
+cDUwakRsMjBXWms1U0YwCuls+HqLpYE1XR6thkvMuUi/HALGGLyrzLhgDQp/2fDd
+qf27fBHxGH+LUVE/AtkcEuYvqRGOV92MFHP42wARbzTHPoT+JEtbJH9pghCRHE8l
+Zi52BJ+9Erk+AGvDyS02ziP5bstBs2uWt9y143tjuZAPLEcKAeWaPmUzxpj+zd4w
+3/5keHREdbw9xhJiXYYz55K26V/vyqHm9fz5tP32GhN0
 -----END AGE ENCRYPTED FILE-----

secrets/forgejo.age

@@ -1,11 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBzblFC
-eUZrZEw3R24weVJ2TUw3QWZ6WDNYS1NDZVpGTktnakk4M2FnVEhFCjUxK1BucVBu
-Vm52cXhyK1RyRFdTd2w1WU9NWDUranZTRkhzOHIwbXVHTlkKLT4gc3NoLWVkMjU1
-MTkgZjVUaEFnIERNWExUWk95Wk1udHYxWm1vKzAwR29kUC9JeUJoMVI3MUx3UmFG
-aDFCakkKSitsbEtsVzQ5eDAzZ0VUOXIrUkNsSkFFRXJGbEUyVTZNKzcwcTBhWnYy
-RQotPiBsbS1ncmVhc2UgLTwpJyAxTmtRMgp5OVpBSDh2azhrYjI1cmNjVmdKdlh0
-d2ZJZwotLS0gSGRZZ2k2ZDhqc3E1clBkOVZ4K3FjZUtGUG1XZ1ozVDRpZkd3ZkhG
-d3ZuYwocfVjJedKaGHSUGZE2tTu5W47y68PW51+NdYxQOT65fyZD9/Vxi+7HiFqM
-0xrmCMh3IsOvPa60vuY=
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyB1VGRL
+OHRURUVFSjhzMmRmQWI1MnNrMUJDNlVEeHYrTTNQN0syV0xNSHlFCnBLSFNIMUpw
+akZZenB4WWNwRWZ1WHh3ZmZURkZDUmR3WVFHMC9QZXZSZTQKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIDIvUmk5NTZ2N29zRTE4MG9NRjk2VEtZbHdMZ3U4bHpVMnFCbHgr
+NXlXMUkKcmtkVE4rRnRyWGRDd1RVK2djVlkxRnArQWJSOTJRTEIySjRKZUtvYWtB
+dwotPiBhdi1ncmVhc2UgeFlgICp7MXZ4ClBBVUUzQTVKMDFZMVFUdlRvUE9GaXFv
+clBVUlcvTDhmMVpCWHdjenJpTlIrNlJ6MDJZZTFEWE5QN3Y1dUFFZDMKYWdRaWor
+Nk1lSzZoZFlGSG1WVTVxTVRJdjlmNFdGK3k2RnMKLS0tIE5Dcmh2THcvWmNCbXVS
+V3lIbHB6UVlnUm10TjhRMURvbEFVdVhURVM0UGcKQ9Mo+lNHm5eeutxfecchV7Yb
+593Y2GZGoxQTzIWXoWZkzPkeDxLOpUk+OTkgnNclDJ9xPXyanTSS
 -----END AGE ENCRYPTED FILE-----

secrets/root.age

@@ -1,15 +1,15 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBoaDBJ
-M2E4THRwVmtpWTMwMGpKZ2owdC9aci9zMVZGSzdRYk1Xb2VoUmxzCjVveDgzUUc5
-SG1OUEVPb0pFTm5VdG93a2lBbVF3OXh1eGNsL1dZWGY1T3MKLT4gc3NoLWVkMjU1
-MTkgZjVUaEFnIDhFWHNoaFFkeVJ3NXBKc3oxVXdzeWtEc1NqSjAvRDZMWG9XSFVR
-UnVzMlEKMEJVOU45OUhVd0FEWTIrLzV2WnN6VmVJWjRHM0xRUk5YdFdNS0J1YVBD
-NAotPiB4WyMtZ3JlYXNlIFBBaTM8IDsgSDIgTChDaFRtcUcKSUlkVHFnRDA5cWIy
-Mjk4THJPREpRTW5FZ2RVR3lhTWFTOXhPaHdldVRBYWd2WE1Pc0IzbFZFQ0Q2RTAz
-Q2MySgpYUUNDNE9GM2JrUVpWbE1kenFLVGtDaFFGZjFvTFhYbWY0ZlI0MTlLVXFW
-d2d5dUdtL2hoSXcKLS0tIHZZMWk2amdIZHpCVzNtSUFvTyt0V3IyVm9NWWVyc3lG
-WDZpYmNtUkkzTDAKUHVWJeK+gcL0T5tHLBFQQP0EKHtO3Y2MFfNti/dtUhMoOnl0
-cKi+siTFVAR6hasO8eM+NYgDg0mCt5ThQfAQyr0c2VoPyNu1ITJKwZZndk52y6nv
-g95L4myoHPlJOKEb2pzSyDYKQZw4kUB4JKC5i7zy7a0TsMzVXUjZRDuOvWxcvXw8
-QbjtYbRJUZ+pFN445/awGVcZyMIE6KhrazU+WSU=
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBaeFBB
+cWc4V2pHNU40Q0xMRXgxRVdFZWRRZTh5NDhPNlhDZEd3Tk4zc0c4CmJrSTFoanBw
+dG9pYmJIVCs2TzkxazJjV1ptRzlSZkRmU2NGT0dtWkZHR0kKLT4gc3NoLWVkMjU1
+MTkgUWQwZXBRIFdBWmljU0F0U3UrWXEyZnl2MGY5VThxVmE1QkwyMmswRVRFRGFl
+YnpYMDQKekZQOTFQeStBUTNTSW1ibUdHM05YSDBxUFY4dGVhTkpHejUwTklCTUpM
+YwotPiBzc2gtZWQyNTUxOSBmNVRoQWcgSzAzMGFvVERReU1nRVhvdHdVK0FzajJj
+VFZ3aXY1aWl1UW5ReDl4VHBrMApJYm9iRlVQUGNPWlpxcy9MTExhcnZrT0J6UDE0
+WUtTTUduOFlPNVFZTUs0Ci0+IHhxKC1ncmVhc2UgWl9vNyA7NilCVVshWSBEcEgv
+RGBpIGgmWAoxVjVrRHVndzI4MmJhN3EwQVEKLS0tIFJabHFPdmtseWhyaTBjV1o0
+Zm1LVEJZY0F0NFJuZUk0anhGdTRkVlFOMmcKRtPfpCjUf05Jnow5FU3OvZc3FLGm
+R462mLJoaBg4qhPr7+kxYRrGy2T0yoZLdglOJV4rHwvYWpNglY1o2Jo+I/mG1yAd
+F+afAb9mQVYreWyQuj7t71Vm1VUdQrsG85lFxdbLbS7ZzITCOrjejgoj6wMPwAgl
+iPHgOccOAPoiDQTSOdGEm3H4k8we/HSfpW7cPowwExtQCK7PSs30XeJsg4o=
 -----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -1,12 +1,18 @@
 # Used by ragenix nix only.
 # Ensure that $RULES has been set via direnv
+# Edit a key: `agenix -i ~/.ssh/id_ed25519 -e secrets/someKey.age`
+# run `ragenix -r -i /path/to/your/key` after modifying any keys below
+#
+# Re-keying is required after adding new hosts or keys:
+# run `ragenix -r -i /path/to/your/key`
 let
   fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
   ops = [fiscalvelvetpoet];
   users = [fiscalvelvetpoet];
 
+  flemming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK16f3Fjj0BY9vjtXahezMAP3I329hHEQXCceRTkr+Yu";
   toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
-  systems = [toscano];
+  systems = [flemming toscano];
 in {
   "root.age".publicKeys = ops ++ systems;
   "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;