From 7f8bf5c5258b559aafdf8cc67f3c736e8b584076 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sun, 4 Aug 2024 09:31:50 +0200
Subject: [PATCH 1/2] feat(toplevel): add x13s (proprietary) bluetooth and wifi firmware

this allows them to be reused more easily
---
 flake.lock | 30 ++++++++++++++
 flake.nix | 37 ++++++++++++++++++
 misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw | Bin 0 -> 6378 bytes
 nix/os/devices/steveej-x13s/configuration.nix | 4 +-
 nix/os/devices/steveej-x13s/flake.lock | 34 ----------------
 nix/os/devices/steveej-x13s/flake.nix | 10 -----
 6 files changed, 70 insertions(+), 45 deletions(-)
 create mode 100755 misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw

diff --git a/flake.lock b/flake.lock
index c5cd20b..03b4e3b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -33,6 +33,22 @@
 "type": "github"
 }
 },
+ "ath11k-firmware": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1720482684,
+ "narHash": "sha256-p6ifwtRNUOyQ2FN2VhSXS6dcrvrtiFZawu/iVXQ4uR0=",
+ "ref": "refs/heads/main",
+ "rev": "bb527dcebac835c47ed4f5428a7687769fa9b1b2",
+ "revCount": 152,
+ "type": "git",
+ "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"
+ }
+ },
 "brainwart_x13s-nixos": {
 "flake": false,
 "locked": {
@@ -823,6 +839,7 @@
 "inputs": {
 "adamcstephens_stop-export": "adamcstephens_stop-export",
 "aphorme_launcher": "aphorme_launcher",
+ "ath11k-firmware": "ath11k-firmware",
 "brainwart_x13s-nixos": "brainwart_x13s-nixos",
 "colmena": "colmena",
 "crane": "crane",
@@ -860,6 +877,7 @@
 "salut": "salut",
 "sops-nix": "sops-nix",
 "srvos": "srvos",
+ "x13s-bt-firmware": "x13s-bt-firmware",
 "yofi": "yofi"
 }
 },
@@ -1057,6 +1075,18 @@
 "type": "github"
 }
 },
+ "x13s-bt-firmware": {
+ "flake": false,
+ "locked": {
+ "narHash": "sha256-FCWkZp+MtEGS5lS5+pxmpCl4wU9GGRegolebcmCN7RU=",
+ "type": "file",
+ "url": "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/qca/hpbtfw21.tlv?id=2ba1beaae0c649ce8a50baecc8df9e81cd524e65"
+ },
+ "original": {
+ "type": "file",
+ "url": "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/qca/hpbtfw21.tlv?id=2ba1beaae0c649ce8a50baecc8df9e81cd524e65"
+ }
+ },
 "yofi": {
 "inputs": {
 "flake-utils": "flake-utils_4",
diff --git a/flake.nix b/flake.nix
index 768c194..a63a5c2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -119,6 +119,31 @@
 flake = false;
 url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b";
 };
+
+ x13s-bt-firmware = {
+ flake = false;
+
+ # revisions for this file: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/qca/hpbtfw21.tlv
+
+ # 2024-07-29
+ # not working well
+ # url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/qca/hpbtfw21.tlv?id=d118dc8ad5562ac0ae0c07be748cbe35a9361b47";
+
+ # 2024-05-30
+ # url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/qca/hpbtfw21.tlv?id=436b0a920352d13290043d9ec9e50c420ab10f92";
+
+ # 2023-12-18
+ # not working well
+ # url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/qca/hpbtfw21.tlv?id=598f5bd22361d7e92eebe8452d1f8013a1d35b9a";
+
+ # 2013-01-17
+ url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/qca/hpbtfw21.tlv?id=2ba1beaae0c649ce8a50baecc8df9e81cd524e65";
+ };
+
+ ath11k-firmware = {
+ url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git";
+ flake = false;
+ };
 };
 outputs = inputs @ {
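Review bot: The new `ath11k-firmware` input carries no revision in its URL, so flake.lock alone holds the pin (rev bb527dcebac835c47ed4f5428a7687769fa9b1b2 in the flake.lock hunk of this patch) and a routine `nix flake update` silently moves the proprietary WCN6855 blobs to whatever `main` points at that day; pin it the way the neighbouring `x13s-bt-firmware` input is pinned, `url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git?rev=bb527dcebac835c47ed4f5428a7687769fa9b1b2";`. The `# 2013-01-17` comment above the active `url` looks like a typo for the commit date, since every other entry in the list is 2023–2024; correct it to the date of the pinned linux-firmware commit so the history of tried revisions stays usable. The `inputs` set continues outside the hunk.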
@@ -337,6 +362,18 @@
 buildInputs = [
 ];
 };
+
+ x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" {} ''
+ mkdir -p $out/lib/firmware/qca
+ cp -v ${self}/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw $out/lib/firmware/qca/hpnv21.bin
+ cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca//hpbtfw21.tlv
+ '';
+
+ x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" {} ''
+ mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/
+ cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/
+ cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/
+ '';
 };
 formatter = pkgs.alejandra;
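Review bot: `x13s-bt-firmware` copies `hpnv21g.b8c.crypt.fw` out of the repository itself, and nothing in this hunk or elsewhere in the patch records where that blob came from or how it was verified, unlike `hpbtfw21.tlv`, which is pinned to a linux-firmware commit and hashed in flake.lock; add a comment beside the first `cp` such as `# hpnv21g.b8c.crypt.fw origin: <TODO upstream URL and commit>, sha256: <TODO>`, or better turn the blob into a pinned `file` input like the tlv so its hash is checked at fetch time rather than trusted from the tree. Two smaller points in the same hunk: the destination `$out/lib/firmware/qca//hpbtfw21.tlv` has a doubled slash, and the derivation name `"x13s-ath11k-firmware-before"` no longer matches its attribute name; `cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca/hpbtfw21.tlv` and `pkgs.runCommand "x13s-ath11k-firmware" {} ''` fix both. The enclosing `outputs` attribute set starts and ends outside the hunk.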
diff --git a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw new file mode 100755 index 0000000000000000000000000000000000000000..ea5b5b88fbfe2fd9b4df0142dd11527fbf002756 GIT binary patch literal 6378 zcmZQ@_Y83kiVO&0D4$-+{OVh|XP`58y^PP|6)cM`m0k*Q*jeYOw&=}Og>zfJN@V1G z4i`RtW>MP9z&H)_D85jc?d_t6?@J!taaGemILcu1m14aK<;rrKm->q`szX`q*Oq7pVGgnRgnc%9s z^U7+K5AYj3<#oyPyONod{`>~_3cK&z+y5Dyl<^3YI;GUjoUvx*-Gl0Ty`TMvZ1p&` zeDz{U^`+S*b@|-VH6GI*E`9Rr#kJIVGk)C(7ZdoAlaVncK5(?>npzIhkQNQa!Ty>CgI6hY^yK*REREJYVv!3>iyFii1Q+Zh&z2@i4T`7e|q!Y0wXWMv`dWfOE@e7&K;IXGjQ0S zr_9Fl?+HtpX2*?Uqo|L&tp4$b_|9Sbym)4R?iA*ouKf+yFC2DY&6l)z=(qd(n&>~; zX~joq+0bFjfh(FH|Jw&d8y;pa;W+du*mYjwy`oNe1@cAHAL-VNMC1=hnslMJ>L2N&l<{xs~74Bf- zy4dLS`bQcD#`_}YI(TbT&RjcV-@Y}v;t5Z$rkRy5Se1Kt*=qB5GmOe!g*Vxi2hY_D ztDYiopJ9o}1-4^M?N=-q=ki~XIouU~b>H?aUwZs~I;*$dm=K+FsM7G0!*Lc9?e!In zhgcN!*MvE982rD!#IkjrQ!(>lmU8WGizSY7roAOzwFTB%%&Wrh>BW7Py>zHFWAno$ zLPw8qB$&v_@c9ZIn)v%U7t?L|+w3QTtH0A5-tIHiXXE$&Ip-G%i17A=xBj{I;F(pUJM-48O3rCkw+|{xTh8;_ zsd)4jSCyv9l#U*g`Z)!oy@uqD_y&J^XfOWG$Vo|ediHw$xQEQ_ z3x03+yeg42zj8Xa>&p81|8;-m*{gRyF0h_3*=c%>XvNp=rzK5aS9D+6)v{qdLs5zR zw``WM_u^Cj_D9t3F5j7WFyf%xZ>NO+4vE|sx>7YC>=IX+es->|vDu}J3bqGnno3N2 zLW(c$eRTD-uho^f1E#l5uzk#(qV-CxFF0n;vBZGKPi1Fbf8i*fQTD`P6?<#b+h6Hg z5-~d3Ik9VJWKNxZ>C?s)_rrwG^gi!MNPM5NNyuVzm$hQc#=039<*GxH`0EN-kM`M zXKi|4HWW{ne73+dtw3}wN3U9Rb5{GuWebcqUv?wM-TU;`>i^vE zFm1K?>Ejbu|5o&u>^RG^Ys*#lc7uhx4(zXc{jI&vV8>yTitcai=iE0&^zEu-(p`1% zWu?R})>y}1a~_?z+$%YC&f0U+eDtsJ9uQ%Sc^R>D-PGN>+qkyQ(z;Wor!(O;FQ=&R z)tqCzN5213aTD9T=E`rS`loIeHZ$q1kY!!|C%LLp*2O;V#cP9(zaOGIW^ee-`8t37 zveS1@N-H-Waa!T29Q-9;J7rJRUYn`O%L>$&?0?1)$o=O$m*(vZ z4aACj=CF*7u6emuX&NkeeuTUBe9Fy zRjw)A`^jKs`!uDG*YMT-iE?`u=scIY{5dMTAbtJ|X+75fje}OV3y$sxIJz_?cgrDe zIkm%EvV_BT&JbN=n|EX4jCmJ|3-{PgFn3E{*74u^{olHRcPgS{DbLOnom2Y7SRdf_ z#P`Snaa}ddn-v$fzx>_3>*2Y7#mpVr5ejJrpUac$|8ur)d$?HI@VAy<^YqKAuiN?zqxn01 zbT0ljtbL)UY`AveYag3%XMz5{oo(swQ}k2rv}bRZc<4F9`h&ik@V}J#0&W6|%h)gN 
z*HYK^2)njpeznEiQ!M{^k0&0CERrJrRNoWxSDozeD&4U0`D5X%h3Bswi(od~ z(({Lh$@}dpl^IKW#Q#=)=zHb1>SUdN((D4`xk2x(?F2Jk+!2_dX~VBqKDG1~dsv__lMW@;~{5uS!Q{^lv?9v zrn`GX$)25d6XuC432vNh5S738RK=f|juU#9&x*7iuu3V`nsG@ZEVubUW(wa8(M5kA zonKUXH9}XbeSx~br8W5xGLt^Omp`p&es^uGR;cA!l}EeLz5X4b)bEt%zx@ml4aImX@Dr<>M(Zmd2keDBMQ4#TOAc5lmF zF0P%rM@1pdHd^fYPiu?+jWy1TcUDc>{E+vqde+y@e?GHX+hW|W_rE??Gi_7-r9%@} z^Jy91`zE3FP1Bm8ck+CRC%8J}FVm zFeQ*0~u;99?h?Sf-xGXMSM=q&eBm={x0{~$v@`{s??ab-HmQ^F_4wf}zkW!udr z)zEhR^qS*J(Wbfk_Pp6$%h7$X)a_l4gwj0KHk}I!3(|DV+5Fe<`EI)Hguqk9#|29a zyN~UtF8nitL3{?2CdbKzQ}6!t^Y$*X*ft?Gd->1UlU@EriyWUVSJDfO{F>hx>)|8w zC+mJzpnt})jFQXmWmhNPpAvoF&_&QB;IPN<-hbyi+E3XmzA*LcJsyoKufN|vdwuba z6MlDiH}_6vJf@&r{5Sa5mk_7vb1e&OBNhEVxCW`dn_*dz7uivmV(^nevf|shJJs6D z&-h>ZF>zs7W|_w|jvE2a4JV7l*7X15PMWQAeA|!QCG(9}&Fe|{xY0)@d`I{xk#wGj zK3;2vZRy#oiY^AfmwO^-ihBZC70P5R$P^MGahe{3rW3`()R zro}cjEylUlPjptT^tH{ecji`FJ)QEHTdYy>%(p{3?c@IZliz=O_4-?DJ$c2SH*q+7 z8XvZpn)-I?Hp#2=jBj@Qv)#G2h*>;!^3EUo+d{IR6u(*}zc_tfzpK8N#G9L2=hh3% zVqA1s<$fnW^DZsHH-C=axMonfmDw=iX2+4X4&UcxwLHStCiQMT&Ne%$PxppbFk4IB zO8$_*p9VW0N&WPn)RXfr@9?`eHP3cyksWOeW%JH2FHGk%pL5eeCAoEvLXvWJ5+ zK=!@t8(n@=Pfcr0`}Xq%Oz*4B1;4(U8vjb*pqcU%#oC3ojCxO4rt)fQX;^ZYPuaic zYURSbG%42X02PsBcP{ys())H1-?$1h<^(YvSJ@gr;r8zryfwR=w|z5sb@BU#;Cse( z|9lL4?q72WV^LVT!^kx8%~G|cq3;!MAKJC{?1J0vR3KLs^$}3 zqVpo_uaur;lYLsk-uC(SM8`(?7c6(y@?~QSh@pl-bGU#Bk|e<@$@?_N))u zS=s#VnD03*5%Nu51cj0??Cs@P&?1k#;nyTl14Xcjc*!VQTi_Ly@%(FR>6+YAS zUo2MGI&Epwnt2J^PA;8nJ&$AV+*Mt@ap6}ZZZez>KQm2V{!XOWeKW<Kl_!q;aDCX$sCn1fy=ahzW(-aR$W|q=Di8&)~^Dk9^Z2h zuTjeVGa<%eN#SPT#oJ+g>6vG$(lJXD<7Q(nliOgWvWFoeHqo zda69e&C8p`QbOV8?(0s=f4JnIHk)v6LjPo!)wNMkfv1z)gp%eh+Hhs{8_B+FX%9?v z-=;23HVzBo{panyT%_iY;h~xfQVVn+^n7l(Fta#>@9i7ivJ|%^tISJexuWHtuDMyA zYkIJ7|9#`v#VxsQokGb8p~)=wj|M~+Og`=SGo!+%&w1bO{*0Y>mqchve_vG@z38{~ z$N7AV*9k9{Ha^79sTb&HTK8{DrRw&T+}W&8t(xo2rsTg3*u{~4UA|CIH%p&wZ`eLH zsSPTZe*a|_dvrfkH+23lky{DBzA>;_yb62wN<}&#ux*!hNWkoAdkb&fxcbn+HSW^g zoVgP7|IM5B?qlEm_TSt*2@6zsc0IIqnUim$=R7BR!8ODFRL{AQU)~Bm$p7*vy3J=# 
zS=!QuFwH{4yMJTXmjrsb)ISm)P**cMLpxH>uC`&IH$w% z;_ypD;g&i(*}zpRICEytJMmOWKUq=X#!s13j7Fly>s~ndIS7=!obz7q`@*}gYS!)z zj5+Kfc4U@opyIO6We--Hf4}YY`S#SK>x1}wD!(0Q3|!#&v}L|mmPCZk&M=$GjcueYu<%*NW`OFmg|OB<-BIuVrhacHvEVcl*DJEjdM51xqK&9ag>( z6*6;{CsW&$n1k!D3CvxzX-=J@PR<9z<#K+8#?2ONJATBvPOfX-cesIjPr{p{Qr?=S z{ehQ0v|m&Hck#-_v*-M`ahWvUzj%D>>0erkx}268>ZexTt0~e6`ZamC-naCMg4ZE` z9<%WaoSW-eE}%G3y>vy~3trdg|5eeE^8*iiHy@G{h%;~xkjgQ<(tPqe=UYp`_uQX7 zmO2ODV}0OJus^f;qVMO3*PoV4z18#S-lF!%-(*e#kK-jt?>V-~=M$6mbaHOio*=k% z|0k7`vNjuz-)Q1cz86|5D;=WPkga!bfAq>Dx7z2uU;OY0U*7pBl}(a9k6ernn!juN zbo9%@glFfp&slud7XO@|N54e0+}!^8@57Hqu0@?LiO=iIqQaj# zik{7#d&l5?=z59pg3=x5pTB>#+#-cN{DkKG`%B)6ue4*d+%5I>9NQ|tM4Jnq79kAo zeb=woJ=-6+t2Ru!^InawUx(6EwRFGVf|r?c-+$F+isV)p3PIGQ+255^a~ouecv--}}bQtBSkI z$LWLrPT8iFCPrI!`U}4bWvRMgV0HT4x)T$7_mtmxsrM{FdY(4FpT*hxWfqT}9-WEQ zT)Zc5_8P0S+4sJ?Jn%H@T3R~4MD5IV6T82wzMHd!p5^p=!4=c^!}DiK%43enUWQ*K zz7)>!{LOCsyOC-8_D3QiwTDe4n)|vfBOJck9$fOK@_f{+si8CTsvi83^ZexUWzS-V zB?}_FSP!UrMz6_!KC|OLe-HDOXpM`)YFQ^F9y`?)1fSsh$dWN(a?7513@(?m_B`Ku zO1*CHlP8T%Yv$yI-90wVhWX-4hTqHY-Y|5%S^wSVPU)TRrg!~XZmbWuHY?Wcrk>Bg zo%$d5DEFoJ<}bTh^nUq5w~nLyYhOQ$zuD3GZsMG~UpDnUPdt{Gzqq-s@MFHmG3^4! zQxZx(1+J~4^Jk^4Uw6DO6*07DcnfpZ2*Iy4Cfu@`DBL)2F{JiR0=HQuW?^ zkF$+ytLMr0=@WbpO>_8QS6$dyuwcS(|4g^lj1?Mc!g`u(C+bu$$XGh*t_pXdlfV|q zY)-+cQ!n4=5m8VqNq^txGA(4;sRf@eyenEEro(?+=v-aUvLn{a?fDkXOyU!s>0OCj zTeLOCG&k5eF`ZAO`JFMp8T-q`VY&6ugUHa=Vx8=&X*$x^@<(5q9;Yh!9YHsli&gv;W%|11J0@4)^c=Bh4#U}sa zoay!VMMLV>c0a_j_hGELZ2PvE7(ptFUUtgoJPT#m7SXex7Q- zb4KUwq=|P8TREjxFWM_sTWs_o_3^5&hx@;tyY*M@{LGw6&B+(t)}H$E?D|ulDTkle zG1+BR#oIf@=e=taOqnI@{7Y`C?ScD;_c{cwUMh7WVgcJeUfU%qg6D(J_OYiI6eV-7 X-7@w1YtMjvMM1JjlFJfj_c8$hH1=NC literal 0 HcmV?d00001 diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index 63f932e..41a9b8c 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix 
@@ -7,6 +7,7 @@
 nodeName,
 localDomainName,
 system,
+ packages',
 ...
 }: {
 nixos-x13s = {
@@ -193,7 +194,8 @@
 };
 hardware.firmware = lib.mkBefore [
- nodeFlake.packages.${system}.x13s-ath11k-firmware
+ packages'.x13s-bt-firmware
+ packages'.x13s-ath11k-firmware
 ];
 # see https://linrunner.de/tlp/
diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock
index 4d3d60a..724c6e9 100644
--- a/nix/os/devices/steveej-x13s/flake.lock
+++ b/nix/os/devices/steveej-x13s/flake.lock
@@ -1,21 +1,5 @@
 {
 "nodes": {
- "ath11k-firmware": {
- "flake": false,
- "locked": {
- "lastModified": 1720482684,
- "narHash": "sha256-p6ifwtRNUOyQ2FN2VhSXS6dcrvrtiFZawu/iVXQ4uR0=",
- "ref": "refs/heads/main",
- "rev": "bb527dcebac835c47ed4f5428a7687769fa9b1b2",
- "revCount": 152,
- "type": "git",
- "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"
- },
- "original": {
- "type": "git",
- "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"
- }
- },
 "crane": {
 "inputs": {
 "nixpkgs": [
@@ -141,22 +125,6 @@
 "type": "github"
 }
 },
- "mobile-nixos": {
- "flake": false,
- "locked": {
- "lastModified": 1722056346,
- "narHash": "sha256-50fcuCppaLMfSOTFO4IkCBs4folToCwlhTgc6IdZFHg=",
- "owner": "NixOS",
- "repo": "mobile-nixos",
- "rev": "717ce90cfadffa449480bae2e155185c651e9993",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "repo": "mobile-nixos",
- "type": "github"
- }
- },
 "mycelium": {
 "inputs": {
 "crane": "crane",
@@ -291,11 +259,9 @@
 },
 "root": {
 "inputs": {
- "ath11k-firmware": "ath11k-firmware",
 "disko": "disko",
 "get-flake": "get-flake",
 "home-manager": "home-manager",
- "mobile-nixos": "mobile-nixos",
 "mycelium": "mycelium",
 "nixos-x13s": "nixos-x13s",
 "nixpkgs": "nixpkgs_3",
diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix
index 8a30dbe..110c2ae 100644
--- a/nix/os/devices/steveej-x13s/flake.nix
+++ b/nix/os/devices/steveej-x13s/flake.nix
@@ -20,17 +20,12 @@
 # nixos-x13s.inputs.nixpkgs.follows = "nixpkgs";
 mycelium.url = "github:threefoldtech/mycelium";
- ath11k-firmware = {
- url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git";
- flake = false;
- };
 };
 outputs = {
 self,
 get-flake,
 nixpkgs,
- ath11k-firmware,
 ...
 }: let
 targetPlatform = "aarch64-linux";
@@ -93,11 +88,6 @@
 };
 };
 packages.${targetPlatform} = {
- x13s-ath11k-firmware = nixpkgs.legacyPackages.${targetPlatform}.runCommand "x13s-ath11k-firmware-before" {} ''
- mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/
- cp -v ${ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/
- cp -v ${ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/
- '';
 };
 };
 }

From 53481414df4a24aff7f26161a7b6ad42e82a847e Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Thu, 13 Jun 2024 16:42:55 +0200
Subject: [PATCH 2/2] feat: experimental k3s + nix-snapshotter snippet

---
 nix/os/containers/mycelium/configuration.nix | 0
 nix/os/containers/mycelium/flake.lock | 141 ++++++++
 nix/os/containers/mycelium/flake.nix | 340 ++++++++++++++++++
 nix/os/devices/steveej-x13s/configuration.nix | 16 +-
 nix/os/devices/steveej-x13s/flake.lock | 62 +++-
 nix/os/devices/steveej-x13s/flake.nix | 6 +
 nix/os/snippets/k3s-w-nix-snapshotter.nix | 41 +++
 7 files changed, 602 insertions(+), 4 deletions(-)
 create mode 100644 nix/os/containers/mycelium/configuration.nix
 create mode 100644 nix/os/containers/mycelium/flake.lock
 create mode 100644 nix/os/containers/mycelium/flake.nix
 create mode 100644 nix/os/snippets/k3s-w-nix-snapshotter.nix

diff --git a/nix/os/containers/mycelium/configuration.nix b/nix/os/containers/mycelium/configuration.nix
new file mode 100644
index 0000000..e69de29
diff --git a/nix/os/containers/mycelium/flake.lock b/nix/os/containers/mycelium/flake.lock
new file mode 100644
index 0000000..899ee98
--- /dev/null
+++ b/nix/os/containers/mycelium/flake.lock 
@@ -0,0 +1,141 @@
+{
+ "nodes": {
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "nix-snapshotter",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1704152458,
+ "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "nix-snapshotter": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "flake-parts": "flake-parts",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1715438114,
+ "narHash": "sha256-btb702TXuhDg0D6tW0dCOy4+II9Wl6BJ0LvpT+O9wrs=",
+ "owner": "pdtpartners",
+ "repo": "nix-snapshotter",
+ "rev": "7b251c9356bc7bb383ebeedcd0045b3ae431bff7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "pdtpartners",
+ "repo": "nix-snapshotter",
+ "type": "github"
+ }
+ },
+ "nixlib": {
+ "locked": {
+ "lastModified": 1712450863,
+ "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "nixos-generators": {
+ "inputs": {
+ "nixlib": "nixlib",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1718025593,
+ "narHash": "sha256-WZ1gdKq/9u1Ns/oXuNsDm+W0salonVA0VY1amw8urJ4=",
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "rev": "35c20ba421dfa5059e20e0ef2343c875372bdcf3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1718086528,
+ "narHash": "sha256-hoB7B7oPgypePz16cKWawPfhVvMSXj4G/qLsfFuhFjw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "47b604b07d1e8146d5398b42d3306fdebd343986",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-systemd256": {
+ "locked": {
+ "lastModified": 1718397913,
+ "narHash": "sha256-omV+dq3GdXQQTaewxhkBgxM4Bbwqa4D9FVS4dTITxOQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "962cf03fb8c782c5e00f465397e03dc84284acc9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "962cf03fb8c782c5e00f465397e03dc84284acc9",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nix-snapshotter": "nix-snapshotter",
+ "nixos-generators": "nixos-generators",
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-systemd256": "nixpkgs-systemd256"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix
new file mode 100644
index 0000000..6f247a1
--- /dev/null
+++ b/nix/os/containers/mycelium/flake.nix
@@ -0,0 +1,340 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+ nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9";
+ nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ nix-snapshotter = {
+ url = "github:pdtpartners/nix-snapshotter";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+ outputs = {
+ self,
+ nixpkgs,
+ nixos-generators,
+ ...
+ }: let
+ systems = [
+ "aarch64-linux"
+ "x86_64-linux"
+ ];
+ forAllSystems = nixpkgs.lib.genAttrs systems;
+ in {
+ nixosConfigurations.default =
+ nixpkgs.lib.nixosSystem
+ {
+ system = "aarch64-linux";
+
+ specialArgs = {};
+
+ modules = [
+ ({
+ config,
+ modulesPath,
+ pkgs,
+ lib,
+ ...
+ }: {
+ nixpkgs.overlays = [
+ (final: previous: {
+ # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal;
+ # systemd =
+ # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: {
+ # src = /home/steveej/src/others/systemd;
+
+ # withAppArmor = false;
+ # withRepart = false;
+ # withHomed = false;
+ # withAcl = false;
+ # withEfi = false;
+ # withBootloader = false;
+ # withCryptsetup = false;
+ # withLibBPF = false;
+ # withOomd = false;
+ # withFido2 = false;
+ # withApparmor = false;
+ # withDocumentation = false;
+ # withUtmp = false;
+ # withQrencode = false;
+ # withVmspawn = false;
+ # withMachined = false;
+ # withLogTrace = true;
+ # withArchive = false;
+ # # don't need these but cause errors for exampel files not found
+ # # withLogind = false;
+ # })
+ # pkgs.systemdMinimal.override {
+ # # getting errors with these disabled
+ # withCoredump = true;
+ # withCompression = true;
+ # withLogind = true;
+ # withSysusers = true;
+ # withUserDb = true;
+ # }
+ # pkgs.systemdMinimal
+ # pkgs.systemd.override {
+ # withRepart = false;
+ # withHomed = false;
+ # withAcl = false;
+ # withEfi = false;
+ # withBootloader = false;
+ # withCryptsetup = false;
+ # withLibBPF = false;
+ # withOomd = false;
+ # withFido2 = false;
+ # withApparmor = false;
+ # withDocumentation = false;
+ # withUtmp = false;
+ # withQrencode = false;
+ # withVmspawn = false;
+ # withMachined = false;
+ # withLogTrace = true;
+ # # don't need these but cause errors for exampel files not found
+ # # withLogind = false;
+ # }
+ # ;
+ })
+ ];
+
+ imports = [
+ (modulesPath + "/profiles/minimal.nix")
+ ];
+ system.stateVersion = "24.05";
+
+ # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
+ boot.isContainer = true;
+ # boot.tmp.useTmpfs = true;
+ boot.loader.grub.enable = lib.mkForce false;
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ services.journald.console = "/dev/console";
+ services.journald.storage = "none";
+ # boot.specialFileSystems = lib.mkForce {};
+
+ services.nscd.enable = false;
+ system.nssModules = lib.mkForce [];
+ systemd.services.systemd-logind.enable = false;
+ systemd.services.console-getty.enable = true;
+
+ systemd.sockets.nix-daemon.enable = false;
+ systemd.services.nix-daemon.enable = false;
+ systemd.oomd.enable = false;
+ networking.useDHCP = false;
+ networking.firewall.enable = false;
+ boot.postBootCommands = ''
+ ls -lha /run
+ mkdir -p /run/wrappers
+ '';
+ # services.udev.enable = false;
+
+ # TODO: this is only needed because `/run/current-system` is missing
+ # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH";
+
+ services.mycelium.enable = false;
+ services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
+ systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
+ systemd.services.mycelium.serviceConfig.User = lib.mkForce "root";
+ systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" ''
+ while true; do
+ ls -lha $CREDENTIALS_DIRECTORY
+ sleep 5
+ done
+ '');
+
+ systemd.services.testing-credentials = {
+ description = "testing credentials";
+ wantedBy = ["multi-user.target"];
+ path = [pkgs.coreutils];
+
+ serviceConfig = {
+ SyslogIdentifier = "testing-credential";
+ StateDirectory = "testing-credentials";
+ # DynamicUser = true;
+ # User = "tc";
+ # ProtectHome = true;
+ # ProtectSystem = true;
+ LoadCredential = [
+ "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
+ "hosts:/etc/hosts"
+ ];
+ SetCredential = "nosecret:not secret string";
+ ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" ''
+ cd $STATE_DIRECTORY
+ env
+ while true; do
+ ls -lha $CREDENTIALS_DIRECTORY
+ sleep 5
+ done
+ '');
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+ globalConfig = ''
+ auto_https off
+ '';
+ virtualHosts.":80" = {
+ extraConfig = ''
+ respond "hello from ${config.networking.hostName}"
+ '';
+ };
+ };
+ })
+ ];
+ };
+ packages = forAllSystems (system: let
+ name = "mycelium";
+ inherit (self.inputs) nix-snapshotter;
+
+ config = {
+ entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
+ # port = 2379;
+ args = [
+ ];
+ # nodePort = 30001;
+ };
+
+ myceliumPorts = {
+ tcp = [9651];
+ udp = [9650 9651];
+ };
+
+ inherit
+ (config)
+ entrypoint
+ # port
+
+ args
+ # nodePort
+
+ ;
+
+ pkgs = import nixpkgs {
+ overlays = [nix-snapshotter.overlays.default];
+ };
+
+ image = pkgs.nix-snapshotter.buildImage {
+ inherit name;
+ resolvedByNix = true;
+ config = {
+ entrypoint = [entrypoint];
+ env = [
+ # this is read by the `/init` script and prevents various incompatible commands like mount, etc.
+ # the value of this doesn't seem to matter as long as it's not an empty string.
+ "container=nerd"
+ ];
+ volumes = {
+ # "/var/lib/private/mycelium/key.bin" = {};
+ };
+ copyToRoot = [
+ # self.nixosConfigurations.default.config.system.build.toplevel
+ ];
+ };
+ };
+ in {
+ k8s = let
+ pod = pkgs.writeText "${name}-pod.json" (builtins.toJSON {
+ apiVersion = "v1";
+ kind = "Pod";
+ metadata = {
+ inherit name;
+ labels = {inherit name;};
+ };
+ spec.containers = [
+ {
+ inherit name args;
+ image = "nix:0${image}";
+ ports = [
+ {
+ name = "mycelium-tcp-0";
+ containerPort = builtins.elemAt myceliumPorts.tcp 0;
+ }
+ {
+ name = "mycelium-udp-0";
+ protocol = "UDP";
+ containerPort = builtins.elemAt myceliumPorts.udp 0;
+ }
+ {
+ name = "mycelium-udp-1";
+ protocol = "UDP";
+ containerPort = builtins.elemAt myceliumPorts.udp 1;
+ }
+ ];
+ }
+ ];
+ });
+
+ service = pkgs.writeText "${name}-service.json" (builtins.toJSON {
+ apiVersion = "v1";
+ kind = "Service";
+ metadata.name = "${name}-service";
+ spec = {
+ type = "NodePort";
+ selector = {inherit name;};
+ ports = [
+ {
+ name = "mycelium-tcp-0";
+ port = builtins.elemAt myceliumPorts.tcp 0 + 50000;
+ targetPort = "mycelium-tcp-0";
+ }
+ {
+ name = "mycelium-udp-0";
+ protocol = "UDP";
+ port = builtins.elemAt myceliumPorts.udp 0 + 50000;
+ targetPort = "mycelium-udp-0";
+ }
+ {
+ name = "mycelium-udp-1";
+ protocol = "UDP";
+ port = builtins.elemAt myceliumPorts.udp 1 + 50000;
+ targetPort = "mycelium-udp-1";
+ }
+ ];
+ };
+ });
+ in
+ pkgs.runCommand "declarative-k8s" {} ''
+ mkdir -p $out/share/k8s
+ cp ${pod} $out/share/k8s/
+ cp ${service} $out/share/k8s/
+ '';
+
+ inherit image;
+
+ start = pkgs.writeShellApplication {
+ name = "start";
+ text = ''
+ set -x
+ rm -rf ./result
+ nix build --impure .#image
+ sudo nix2container load ./result
+ sudo -E nerdctl run --name ${name} --privileged -dt \
+ --volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro"
+ "nix:0$(readlink result):latest"
+ '';
+ };
+
+ stop = pkgs.writeShellApplication {
+ name = "stop";
+ text = ''
+ set +e
+ sudo -E nerdctl stop -t 60 ${name}
+ sudo -E nerdctl rm --force ${name}
+ sudo -E nerdctl system prune --all --force
+ sudo systemctl stop nix-snapshotter
+ sudo systemctl stop containerd
+ mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l
+ sudo systemctl start containerd
+ sudo systemctl start nix-snapshotter
+ '';
+
+ # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap)
+
+ # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap
+ };
+ });
+ };
+}
diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix
index 41a9b8c..8fd0122 100644
--- a/nix/os/devices/steveej-x13s/configuration.nix
+++ b/nix/os/devices/steveej-x13s/configuration.nix
@@ -10,6 +10,12 @@
 packages',
 ...
 }: {
+ nixpkgs.overlays = [
+ (final: previous: {
+ # inherit (nodeFlake.inputs.nixpkgs-systemd256.legacyPackages.${system}) systemd systemdMinimal;
+ })
+ ];
+
 nixos-x13s = {
 enable = true;
 # TODO: use hardware address
@@ -87,6 +93,8 @@
 sops.secrets.builder-private-key = {};
 nix.distributedBuilds = true;
 nix.buildMachines = [
+ # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@sj-bm-hostkey0.dev.infra.holochain.org?ssh-key=/run/secrets/builder-private-key'
+
 {
 hostName = "sj-bm-hostkey0.dev.infra.holochain.org";
 sshUser = "nix-remote-builder";
@@ -148,6 +156,8 @@
 ../../snippets/radicale.nix
 ../../snippets/holo-zerotier.nix
+
+ ../../snippets/k3s-w-nix-snapshotter.nix
 ];
 networking.hostName = nodeName;
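Review bot: In the `start` script, as rendered here the `--volume` line has no trailing `\`, so `"nix:0$(readlink result):latest"` becomes a separate shell command and `nerdctl run` is invoked without an image; if that is not an artifact of how the patch was extracted, end the `--volume` line with ` \`. Separately, the container is started with `--privileged`, the image's `mycelium` unit is forced to `User = "root"` with `DynamicUser = false`, and the module sets `networking.firewall.enable = false`, while `services.mycelium.enable = false` and both ExecStart overrides only loop over `ls`; for an experiment that is workable, but a comment stating why `--privileged` is required and what the file mounted read-only at `services.mycelium.keyFile` is expected to hold would keep these settings from being carried unexamined into a non-experimental version. The `stop` script's `mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l` lazily detaches every mount under those two prefixes, not only this container's; scoping the pattern to `${name}` would avoid unmounting unrelated containers on the same host.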
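Review bot: The `nixpkgs.overlays` entry added at the top of the module is an overlay whose only content is a commented-out `inherit`, so it contributes nothing and reads as a leftover; either drop it or replace the comment with one line saying what it is reserved for, e.g. `# placeholder: pin systemd from nixpkgs-systemd256 here once needed`. The much larger commented-out overlay body in the new nix/os/containers/mycelium/flake.nix has the same problem and would benefit from the same one-line explanation in place of the dead code. The `@@ -87` hunk in this file only adds a comment and the `@@ -148` hunk only adds an import, so nothing further there.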
@@ -210,11 +220,11 @@ # android on linux virtualisation.waydroid.enable = false; - virtualisation.podman.enable = true; - virtualisation.podman.dockerCompat = true; - hardware.ledger.enable = true; + virtualisation.containers.enable = true; + virtualisation.podman.enable = true; + nix.settings.substituters = [ "https://nixos-x13s.cachix.org" ];
diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock
index 724c6e9..9633bbc 100644
--- a/nix/os/devices/steveej-x13s/flake.lock
+++ b/nix/os/devices/steveej-x13s/flake.lock
@@ -54,7 +54,44 @@
 "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
 }
 },
+ "flake-compat_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "nix-snapshotter",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1704152458,
+ "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-parts_2": {
 "inputs": {
 "nixpkgs-lib": "nixpkgs-lib"
 },
@@ -162,9 +199,31 @@
 "type": "github"
 }
 },
+ "nix-snapshotter": {
+ "inputs": {
+ "flake-compat": "flake-compat_2",
+ "flake-parts": "flake-parts",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1717948701,
+ "narHash": "sha256-G7SXaZ7J4yO4OQEKSZPVWcccfV87uyLech0jEOU350g=",
+ "owner": "yu-re-ka",
+ "repo": "nix-snapshotter",
+ "rev": "c10b066a4b1bb3451507c141636014e3335e579e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "yu-re-ka",
+ "repo": "nix-snapshotter",
+ "type": "github"
+ }
+ },
 "nixos-x13s": {
 "inputs": {
- "flake-parts": "flake-parts",
+ "flake-parts": "flake-parts_2",
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
@@ -263,6 +322,7 @@
 "get-flake": "get-flake",
 "home-manager": "home-manager",
 "mycelium": "mycelium",
+ "nix-snapshotter": "nix-snapshotter",
 "nixos-x13s": "nixos-x13s",
 "nixpkgs": "nixpkgs_3",
 "nixpkgs-unstable": "nixpkgs-unstable"
diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix
index 110c2ae..6b8ed7e 100644
--- a/nix/os/devices/steveej-x13s/flake.nix
+++ b/nix/os/devices/steveej-x13s/flake.nix
@@ -20,6 +20,12 @@
 # nixos-x13s.inputs.nixpkgs.follows = "nixpkgs";
 mycelium.url = "github:threefoldtech/mycelium";
+
+ nix-snapshotter = {
+ url = "github:yu-re-ka/nix-snapshotter";
+ # url = "github:pdtpartners/nix-snapshotter";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
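Review bot: The `nix-snapshotter` input points at the `yu-re-ka` fork rather than the `pdtpartners` upstream that nix/os/containers/mycelium/flake.nix uses, with no revision in the URL, so the lock entry (rev c10b066a4b1bb3451507c141636014e3335e579e in the flake.lock hunk above) is the only thing keeping a `nix flake update` from pulling whatever the fork's default branch carries into a containerd snapshotter that runs as a system service and into the `nixosModules.default` this host imports; pin it, `url = "github:yu-re-ka/nix-snapshotter/c10b066a4b1bb3451507c141636014e3335e579e";`, and replace the commented-out upstream URL with a one-line comment stating what the fork provides that upstream does not. The `inputs` set continues outside the hunk.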
@@ -0,0 +1,41 @@
+# experiment with k3s, nix-snapshotter, and nixos images
+{
+ nodeFlake,
+ nodeFlakeInputs',
+ pkgs,
+ lib,
+ system,
+ ...
+}: {
+ # (1) Import nixos module.
+ imports = [
+ nodeFlake.inputs.nix-snapshotter.nixosModules.default
+ ];
+
+ # (2) Add overlay.
+ nixpkgs.overlays = [nodeFlake.inputs.nix-snapshotter.overlays.default];
+
+ # (3) Enable service.
+ virtualisation.containerd = {
+ enable = true;
+ k3sIntegration = false;
+ nixSnapshotterIntegration = true;
+
+ # TODO: understand if this has an influence on the systemd LoadCredential issue
+ settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = lib.mkForce true;
+ };
+ services.nix-snapshotter = {
+ enable = true;
+ };
+
+ # (4) Add a containerd CLI like nerdctl.
+ environment.systemPackages = [
+ pkgs.nerdctl
+ nodeFlake.inputs.nix-snapshotter.packages.${system}.default
+ ];
+
+ services.k3s = {
+ enable = false;
+ setKubeConfig = true;
+ };
+}
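Review bot: The file is named `k3s-w-nix-snapshotter.nix` and its header calls it a k3s experiment, yet `services.k3s.enable = false` and `k3sIntegration = false`, so what the snippet actually enables on the host is containerd with the nix-snapshotter plugin plus `nerdctl`; extend the header to say so, e.g. `# containerd + nix-snapshotter with nerdctl; the k3s wiring is present but disabled for now`, so a reader of the x13s configuration knows what importing it turns on. The `# TODO` above `SystemdCgroup = lib.mkForce true` refers to a "systemd LoadCredential issue" that is described nowhere in the patch; a sentence or a link there would tell the next maintainer what has to be true before the `mkForce` can go. `nodeFlakeInputs'` is declared as a module argument but never used in the file and can be dropped from the pattern.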