feat: add initialdeploy hashed password to root

base/default.nix

@@ -84,6 +84,8 @@
 
   # users.mutableUsers = lib.mkDefault false;
 
+  users.users.root.initialHashedPassword = "$y$j9T$ahP6GAdttD17OMBo7Yqeh.$Ad7qBcFvTL7HrJ9uTtrQzksN3220Nj9t/CrP6DwgK34"; # generated using mkpasswd, see huttiheita root on vaultwarden
+
   users.groups."drift".name = "drift";
 
   # Trusted users on the nix builder machines

base/services/acme.nix

@@ -8,6 +8,5 @@
   # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
   virtualisation.vmVariant = {
     security.acme.defaults.server = "https://127.0.0.1";
-    users.users.root.initialPassword = "root";
   };
 }

flake.nix

@@ -49,8 +49,14 @@
     qotd.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
-  let
+  outputs = {
+    self,
+    nixpkgs,
+    nixpkgs-unstable,
+    sops-nix,
+    disko,
+    ...
+  } @ inputs: let
     inherit (nixpkgs) lib;
     systems = [
       "x86_64-linux"
@@ -71,9 +77,11 @@
   in {
     inputs = lib.mapAttrs (_: src: src.outPath) inputs;
 
-    pkgs = forAllSystems (system: import nixpkgs {
+    pkgs = forAllSystems (system:
+      import nixpkgs {
         inherit system;
-      config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+        config.allowUnfreePredicate = pkg:
+          builtins.elem (lib.getName pkg)
           [
             "nvidia-x11"
             "nvidia-settings"
@@ -81,11 +89,7 @@
       });
 
     nixosConfigurations = let
-      nixosConfig =
-        nixpkgs:
-        name:
-        configurationPath:
-        extraArgs@{
+      nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
         localSystem ? "x86_64-linux", # buildPlatform
         crossSystem ? "x86_64-linux", # hostPlatform
         specialArgs ? {},
@@ -93,48 +97,62 @@
         overlays ? [],
         enableDefaults ? true,
         ...
-        }:
-        let
-          commonPkgsConfig = {
-            config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
+      }: let
+        commonPkgsConfig =
+          {
+            config.allowUnfreePredicate = pkg:
+              builtins.elem (lib.getName pkg)
               [
                 "nvidia-x11"
                 "nvidia-settings"
               ];
-            overlays = (lib.optionals enableDefaults [
+            overlays =
+              (lib.optionals enableDefaults [
                 # Global overlays go here
                 inputs.roowho2.overlays.default
-            ]) ++ overlays;
-          } // (if localSystem != crossSystem then {
+              ])
+              ++ overlays;
+          }
+          // (
+            if localSystem != crossSystem
+            then {
               inherit localSystem crossSystem;
-          } else {
+            }
+            else {
               system = crossSystem;
-          });
+            }
+          );
         pkgs = import nixpkgs commonPkgsConfig;
         unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
       in
-        lib.nixosSystem (lib.recursiveUpdate
+        lib.nixosSystem (
+          lib.recursiveUpdate
           {
             system = crossSystem;
 
             inherit pkgs;
 
-          specialArgs = {
+            specialArgs =
+              {
                 inherit inputs unstablePkgs;
                 values = import ./values.nix;
                 fp = path: ./${path};
-          } // specialArgs;
+              }
+              // specialArgs;
 
-          modules = [
+            modules =
+              [
                 {
                   networking.hostName = lib.mkDefault name;
                 }
                 configurationPath
-          ] ++ (lib.optionals enableDefaults [
+              ]
+              ++ (lib.optionals enableDefaults [
                 sops-nix.nixosModules.sops
                 inputs.roowho2.nixosModules.default
                 self.nixosModules.rsync-pull-targets
-          ]) ++ modules;
+              ])
+              ++ modules;
           }
           (builtins.removeAttrs extraArgs [
             "localSystem"
@@ -148,7 +166,8 @@
 
       stableNixosConfig = name: extraArgs:
         nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
-    in {
+    in
+      {
         bicep = stableNixosConfig "bicep" {
           modules = [
             inputs.matrix-next.nixosModules.default
@@ -181,7 +200,11 @@
             inputs.qotd.nixosModules.default
           ];
         };
-      ildkule = stableNixosConfig "ildkule" { };
+        ildkule = stableNixosConfig "ildkule" {
+          modules = [
+            inputs.disko.nixosModules.disko
+          ];
+        };
         #ildkule-unstable = unstableNixosConfig "ildkule" { };
         skrot = stableNixosConfig "skrot" {
           modules = [
@@ -234,12 +257,13 @@
           ];
         };
       }
-    //
-    (let
+      // (let
         machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
         stableLupineNixosConfig = name: extraArgs:
           nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
-    in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
+      in
+        lib.genAttrs machineNames (name:
+          stableLupineNixosConfig name {
             modules = [{networking.hostName = name;}];
             specialArgs.lupineName = name;
           }));
@@ -264,7 +288,8 @@
             })
           ];
         };
-      in pkgs.callPackage ./shell.nix { };
+      in
+        pkgs.callPackage ./shell.nix {};
       cuda = let
         cuda-pkgs = import nixpkgs-unstable {
           inherit system;
@@ -273,18 +298,22 @@
             cudaSupport = true;
           };
         };
-      in cuda-pkgs.callPackage ./shells/cuda.nix { };
+      in
+        cuda-pkgs.callPackage ./shells/cuda.nix {};
     });
 
     packages = {
       "x86_64-linux" = let
         system = "x86_64-linux";
         pkgs = nixpkgs.legacyPackages.${system};
-      in rec {
+      in
+        rec {
           default = important-machines;
-        important-machines = pkgs.linkFarm "important-machines"
+          important-machines =
+            pkgs.linkFarm "important-machines"
             (lib.getAttrs importantMachines self.packages.${system});
-        all-machines = pkgs.linkFarm "all-machines"
+          all-machines =
+            pkgs.linkFarm "all-machines"
             (lib.getAttrs allMachines self.packages.${system});
 
           simplesamlphp = pkgs.callPackage ./packages/simplesamlphp {};
@@ -325,7 +354,8 @@
             modules = [
               ./topology
               {
-              nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
+                nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
+                  nixosCfg.extendModules {
                     modules = [
                       inputs.nix-topology.nixosModules.default
                       ./topology/service-extractors/greg-ng.nix
@@ -333,13 +363,15 @@
                       ./topology/service-extractors/mysql.nix
                       ./topology/service-extractors/gitea-runners.nix
                     ];
-              }) self.nixosConfigurations;
+                  })
+                self.nixosConfigurations;
               }
             ];
           };
         in {
           topology = topology'.config.output;
-        topology-png = pkgs.runCommand "pvv-config-topology-png" {
+          topology-png =
+            pkgs.runCommand "pvv-config-topology-png" {
               nativeBuildInputs = [pkgs.writableTmpDirAsHomeHook];
             } ''
               mkdir -p "$out"

hosts/ildkule/configuration.nix

@@ -1,8 +1,14 @@
-{ config, fp, pkgs, lib, values, ... }:
 {
+  config,
+  fp,
+  pkgs,
+  lib,
+  values,
+  ...
+}: {
   imports = [
-      # Include the results of the hardware scan.
     ./hardware-configuration.nix
+    ./disks.nix
     (fp /base)
 
     ./services/monitoring
@@ -10,8 +16,8 @@
     ./services/journald-remote.nix
   ];
 
-  boot.loader.systemd-boot.enable = false;
-  boot.loader.grub.device = "/dev/vda";
+  boot.loader.grub.enable = true;
+  boot.loader.systemd-boot.enable = lib.mkForce false;
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
 
@@ -27,13 +33,22 @@
     nameservers = values.defaultNetworkConfig.dns;
     defaultGateway.address = hostConf.ipv4_internal_gw;
 
-    interfaces."ens4" = {
+    interfaces."ens3" = {
       ipv4.addresses = [
-        { address = hostConf.ipv4;          prefixLength = 32; }
-        { address = hostConf.ipv4_internal; prefixLength = 24; }
+        {
+          address = hostConf.ipv4;
+          prefixLength = 32;
+        }
+        {
+          address = hostConf.ipv4_internal;
+          prefixLength = 24;
+        }
       ];
       ipv6.addresses = [
-        { address = hostConf.ipv6;          prefixLength = 64; }
+        {
+          address = hostConf.ipv6;
+          prefixLength = 64;
+        }
       ];
     };
   };

hosts/ildkule/disks.nix

@@ -0,0 +1,27 @@
+{
+  disko.devices = {
+    disk = {
+      sda = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            bios = {
+              size = "1M";
+              type = "EF02";
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/ildkule/hardware-configuration.nix

@@ -1,16 +1,24 @@
-{ modulesPath, lib, ... }:
-{
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
-    fsType = "ext4";
-  };
-  fileSystems."/data" = {
-    device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
-    fsType = "ext4";
-  };
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
 
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }

values.nix

@@ -37,10 +37,10 @@ in rec {
       ipv6 = pvv-ipv6 168;
     };
     ildkule = {
-      ipv4 = "129.241.153.213";
-      ipv4_internal = "192.168.12.209";
-      ipv4_internal_gw = "192.168.12.1";
-      ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
+      ipv4 = "129.241.100.145";
+      ipv4_internal = "192.168.1.17";
+      ipv4_internal_gw = "192.168.1.1";
+      ipv6 = "2001:700:305:8a0f:f816:3eff:fef5:e400";
     };
     bicep = {
       ipv4 = pvv-ipv4 209;