interim import

.gitignore

@@ -4,3 +4,4 @@ result
 .*
 !.git*
 *poop*
+*.iso

Makefile

@@ -0,0 +1,5 @@
+installer.iso: flake.nix modules hosts/installer.nix
+	nix build .#nixosConfigurations.installer.config.system.build.isoImage
+	rm -f installer.iso
+	cp result/iso/nixos-*.iso installer.iso
+

flake.lock

@@ -7,11 +7,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1718194053,
-        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
+        "lastModified": 1727447169,
+        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
+        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
         "type": "github"
       },
       "original": {
@@ -54,24 +54,6 @@
         "type": "github"
       }
     },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_3"
-      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
     "interlude": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -91,28 +73,13 @@
         "url": "https://git.strudelline.net/nix/interlude"
       }
     },
-    "ipcalc": {
-      "locked": {
-        "lastModified": 1720829192,
-        "narHash": "sha256-uo1vVwyhdbEqzUa27/wxvnIZFIRyiTidIDRXeP59FWg=",
-        "ref": "refs/heads/main",
-        "rev": "e7e8242a9918161d8e0b3fb4b725612aef8a03bb",
-        "revCount": 3,
-        "type": "git",
-        "url": "https://git.strudelline.net/nix/ipcalc"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.strudelline.net/nix/ipcalc"
-      }
-    },
     "nixlib": {
       "locked": {
-        "lastModified": 1723942470,
-        "narHash": "sha256-QdSArN0xKESEOTcv+3kE6yu4B4WX9lupZ4+Htx3RXGg=",
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
         "type": "github"
       },
       "original": {
@@ -129,11 +96,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1724028932,
-        "narHash": "sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y=",
+        "lastModified": 1742568034,
+        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "5fd22603892e4ec5ac6085058ed658243143aacd",
+        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
         "type": "github"
       },
       "original": {
@@ -175,11 +142,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1723938990,
-        "narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=",
+        "lastModified": 1735563628,
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
         "type": "github"
       },
       "original": {
@@ -188,83 +155,12 @@
         "type": "indirect"
       }
     },
-    "nixpkgs_4": {
-      "locked": {
-        "lastModified": 1720691131,
-        "narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-24.05",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs_5": {
-      "locked": {
-        "lastModified": 1721838734,
-        "narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "numbers": {
-      "inputs": {
-        "ipcalc": "ipcalc",
-        "nixpkgs": "nixpkgs_4"
-      },
-      "locked": {
-        "lastModified": 1724036520,
-        "narHash": "sha256-KJU6W5qghjMTjlTFnK0F2zJVw0qmTfC6nkMBhUNgjow=",
-        "ref": "refs/heads/main",
-        "rev": "4550d62254e030c9075343a4897a985fcfda1fd6",
-        "revCount": 29,
-        "type": "git",
-        "url": "https://git.strudelline.net/cascade/numbers"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.strudelline.net/cascade/numbers"
-      }
-    },
-    "putex": {
-      "inputs": {
-        "flake-utils": "flake-utils_2",
-        "nixpkgs": "nixpkgs_5"
-      },
-      "locked": {
-        "lastModified": 1721923974,
-        "narHash": "sha256-yz3VioYJXUTdl4TU1RZnGbRMj3ng3OTtVDEbGPFXGLE=",
-        "ref": "refs/heads/main",
-        "rev": "eed14b5adada7325e916dfc3a89cbd4beef806a8",
-        "revCount": 7,
-        "type": "git",
-        "url": "https://git.strudelline.net/james/putex"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.strudelline.net/james/putex"
-      }
-    },
     "root": {
       "inputs": {
         "deploy-rs": "deploy-rs",
         "interlude": "interlude",
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs_3",
-        "numbers": "numbers",
-        "putex": "putex",
         "unstable": "unstable"
       }
     },
@@ -298,28 +194,13 @@
         "type": "github"
       }
     },
-    "systems_3": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
     "unstable": {
       "locked": {
-        "lastModified": 1723985069,
-        "narHash": "sha256-MGtXhZHLZGKhtZT/MYXBJEuMkZB5DLYjY679EYNL7Es=",
+        "lastModified": 1744536153,
+        "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ff1c2669bbb4d0dd9e62cc94f0968cfa652ceec1",
+        "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,79 +2,46 @@
   inputs = {
     nixpkgs.url = "nixpkgs/nixos-24.05";
     unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
-    numbers.url = "git+https://git.strudelline.net/cascade/numbers";
     interlude.url = "git+https://git.strudelline.net/nix/interlude";
-    putex.url = "git+https://git.strudelline.net/james/putex";
     nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; };
     deploy-rs.url = "github:serokell/deploy-rs";
   };
-  outputs = { self, nixpkgs, unstable, numbers, interlude, putex, nixos-generators, deploy-rs }@inputs:
+  outputs = { self, nixpkgs, unstable, interlude, nixos-generators, deploy-rs }@inputs:
   with builtins;
   with nixpkgs.lib;
   with interlude.lib;
   let
-    includableModules =
-      let localModules = "${./.}" + "/modules";
-          dirContents = readDir (localModules);
-          filenames = attrNames (dirContents);
-          dirs = (filter (n: dirContents."${n}" == "directory" &&
-                             readFileType "${localModules}/${n}/default.nix" == "regular" ) filenames);
-          files = concatMap (filterAndStripSuffix ".nix") (filter (n: dirContents."${n}" == "regular") filenames);
-      in
-        foldl recursiveUpdate {} (
-             (map (x: { nixosModules."${x}" = import (trace "importing ${localModules}/${x}" "${localModules}/${x}"); }) (trace "dirs: ${toJSON dirs}" dirs))
-          ++ (map (x: { nixosModules."${x}" = import (trace "importing ${localModules}/${x}.nix" "${localModules}/${x}.nix"); }) (trace "files: ${toJSON files}" files))
-        );
-    buildMachine' = name: mods: cfg: {
+    buildMachine = name: arch:
+      {
       # the evaluated machine
-      nixosConfigurations."${name}" =
+         nixosConfigurations."${name}" =
+          let
+            pkgs = import nixpkgs { config = { allowUnfree = true; }; system = arch; };
+            specialArgs = { basePath = "${toString ./.}"; inherit inputs; };
+          in nixosSystem (
+            {
+              inherit pkgs specialArgs;
+              modules = [
+	        (import "${./.}/hosts/${name}.nix")
+                {
+                  system.stateVersion = mkForce "24.05";
+                  nix.settings.require-sigs = mkForce false;
+                  networking.hostName = name; # Define your hostname.
+                }
+                self.nixosModules.vmFormats
+                self.nixosModules.fixFlakeRegistry
+              ];
+            });
+      };
+    hosts =
       let
-        pkgs = import nixpkgs { config = { allowUnfree = true; };};
-        specialArgs = { basePath = "${toString ./.}"; inherit inputs numbers; };
-      in nixosSystem (cfg // {
-        inherit pkgs specialArgs;
-        modules = [
-          self.nixosModules.vmFormats
-          numbers.nixosModules.users
-          self.nixosModules.session
-          putex.nixosModules.default
-          {
-            # global fixed values.
-            networking.hostName = mkForce name;
-            system.stateVersion = mkForce "24.05";
-            nix.settings.require-sigs = mkForce false;
-          }
-        ] ++ mods;
-      });
-    };
-    buildMachine = name:
-      # the evaluated machine
-      with numbers.api;
-      let
-        modules = [
-          self.nixosModules.fixFlakeRegistry
-          numbers.nixosModules.networking
-          self.nixosModules.packages
-          self.nixosModules.luks
-          self.nixosModules.systemd-efi
-          numbers.nixosModules.users
-        ] ++ (map (x: self.nixosModules."${x}") (hostModules name));
-        arch = hostSystem name;
+        hostsPath = "${./.}" + "/hosts";
+        dirContents = readDir hostsPath;
+        filenames = attrNames dirContents;
+        #dirs = (filter (n: dirContents."${n}" == "directory" &&
+        #                   readFileType "${hostsPath}/${n}/default.nix" == "regular") filenames);
       in
-        (buildMachine' name modules { system = arch; })
-          //
-        {
-          deploy.nodes."${name}" = {
-            hostname = "172.16.19.1";
-            profiles.system = {
-              user = "root";
-              path = deploy-rs.lib."${arch}".activate.nixos self.nixosConfigurations."${name}";
-            };
-          };
-          
-          # This is highly advised, and will prevent many possible mistakes
-          checks = deploy-rs.lib."${arch}".deployChecks self.deploy;
-        };
+        concatMap (filterAndStripSuffix ".nix") (filter (n: dirContents."${n}" == "regular") filenames);
   in
   foldl recursiveUpdate {
     nixosModules = {
@@ -91,9 +58,6 @@
 
         # the sample format from nixos-generators
         # formatConfigs.my-custom-format = { config, modulesPath, ... }: {
-        #   imports = [ "${toString modulesPath}/installer/cd-dvd/installation-cd-base.nix" ];
-        #   formatAttr = "isoImage";
-        #   fileExtension = ".iso";
         #   networking.wireless.networks = {
         #     # ...
         #   };
@@ -104,9 +68,7 @@
         unstable.flake = inputs.unstable;
       };};
     };
-  } ( # lists to recursively merge into the config.
-         [ includableModules ]
-      ++ (with numbers.api; map (h: buildMachine h) deployableHosts)
-      ++ [(buildMachine' "cascade-installer" [self.nixosModules.installer] {} )]
+  } ( [] # lists to recursively merge into the config.
+      ++ (map (h: buildMachine h "x86_64-linux") hosts)
   );
 }

hosts/installer.nix

@@ -0,0 +1,92 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+let installer = pkgs.writeShellApplication {
+  name = "cascade-installer";
+  runtimeInputs = with pkgs; [
+    btrfs-progs
+    coreutils
+    cryptsetup
+    dig
+    dosfstools
+    e2fsprogs
+    git
+    lvm2
+    nix
+    parted
+    util-linux
+  ];
+
+  text =
+  let
+    shq = lib.escapeShellArg;
+    partedMin = cmd: ''
+      parted -f -a minimal "$DEVICE" --script ${cmd}
+    '';
+    partedOpt = cmd: ''
+      parted -f -a optimal "$DEVICE" --script ${cmd}
+    '';
+  in
+  ''
+    if [ "$#" -ne 2 ];then
+      1>&2 echo "usage: $0 hostname full-disk-device"
+      exit 1
+    fi
+    HOSTNAME="$1"
+    DEVICE="$2"
+    LABEL="$HOSTNAME"-luks0
+    LV="$HOSTNAME"-luks
+
+    echo ABOUT TO DESTROY THIS MACHINE
+    sleep 10 || exit 1
+
+    wipefs -a "$DEVICE"
+
+    ${partedMin "mklabel gpt"}
+    ${partedMin "mkpart ESP fat32 0% 1GB"}
+    ${partedMin "set 1 esp on"}
+    ${partedOpt "mkpart \"$HOSTNAME\"-luks0 ext4 1GB 100%"}
+
+    sleep 1
+
+    cryptsetup -q luksFormat --type luks2 /dev/disk/by-partlabel/"$LABEL" -d /dev/zero -l 32
+    cryptsetup -q luksOpen /dev/disk/by-partlabel/"$LABEL" "$LABEL" -d /dev/zero -l 32
+
+    pvcreate /dev/mapper/"$LABEL"
+    vgcreate "$LV" /dev/mapper/"$LABEL"
+    lvcreate -L 20G -n "$HOSTNAME"-root "$LV"
+    
+    mkfs.fat -F 32 -n BOOT /dev/disk/by-partlabel/ESP
+    mkfs.ext4 -L "$HOSTNAME"-root /dev/"$LV"/"$HOSTNAME"-root
+
+    sleep 1
+
+    # note to future self who "fixes" this:
+    # the -p is to prevent error if the path exists, not to create / which obviously exists.
+    # this is a scenario that happens when rerunning these commands during debugging.  just
+    # leave the -p, future me.  please just leave it.
+    mkdir -p /mnt
+    mount /dev/disk/by-label/"$HOSTNAME"-root /mnt
+    mkdir -p /mnt/boot
+    mount /dev/disk/by-label/BOOT /mnt/boot
+    mkdir -p /mnt/root
+
+    TOKEN="$(dig +short lan-auth-token.strudelline.net TXT | tr -d '"')"
+    umask 0077
+    mkdir -p /root
+    printf 'machine git.strudelline.net\nlogin lan-auth\npassword %s\n' "$TOKEN" > /root/.netrc
+    printf 'machine git.strudelline.net\nlogin lan-auth\npassword %s\n' "$TOKEN" > /mnt/root/.netrc
+
+    nixos-install --flake git+https://git.strudelline.net/cascade/nixos#"$HOSTNAME" --impure --no-root-password
+  '';
+};
+in
+{
+  imports = [
+    ../types/minimal.nix
+    (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")
+  ];
+
+  environment.systemPackages = [
+    installer
+  ];
+}

hosts/xerneas.nix

@@ -0,0 +1,20 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, inputs, ... }:
+
+let iface = import ../iface-templates.nix;
+in {
+  imports =
+    [ # Include the results of the hardware scan.
+      ../types/server.nix
+    ];
+  config = lib.mkMerge [
+    (iface.bridge "lan0" "172.16.1.252/12" "172.16.1.1" "phy0" "d8:9e:f3:1b:7f:8a")
+    (iface.dhcp "phy1" "98:b7:85:01:39:1a")
+    (iface.dhcp "phy2" "98:b7:85:01:39:1b")
+    (iface.dhcp "phy3" "98:b7:85:01:39:1c")
+    (iface.dhcp "phy4" "98:b7:85:01:39:1d")
+  ];
+}

hosts/yveltal.nix

@@ -0,0 +1,21 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, inputs, ... }:
+
+let iface = import ../iface-templates.nix;
+in {
+  imports =
+    [ # Include the results of the hardware scan.
+      ../types/server.nix
+    ];
+  config = lib.mkMerge [
+    (iface.bridge "lan0" "172.16.1.251/12" "172.16.1.1" "phy0" "50:9a:4c:49:cc:1b")
+    (iface.dhcp "phy1" "98:b7:85:01:36:ec")
+    (iface.dhcp "phy2" "98:b7:85:01:36:ed")
+    (iface.dhcp "phy3" "98:b7:85:01:36:ee")
+    (iface.dhcp "phy4" "98:b7:85:01:36:ef")
+  ];
+
+}

iface-templates.nix

@@ -0,0 +1,28 @@
+let build = iface: mac: rest: {
+    systemd.network.enable = true;
+    systemd.network.links."${iface}" = {
+      linkConfig.Name = iface;
+      matchConfig.PermanentMACAddress = mac;
+    };
+    systemd.network.networks."${iface}".enable = true;
+} // rest; in
+{
+  bridge = bridge: ip: gateway: build {
+      systemd.network.networks."${iface}".bridge = [ bridge ];
+      systemd.network.networks."${bridge}" = {
+        address = [ ip ];
+        gateway = [ gateway ];
+      };
+      systemd.network.netdevs."${bridge}" = {
+        netdevConfig = {
+          Name = bridge;
+          Kind = "bridge";
+        };
+      };
+    };
+  dhcp = build {
+    systemd.network.networks."${iface}" = {
+      DHCP = "yes";
+    };
+  };
+}

modules/corenet.nix

@@ -8,43 +8,26 @@ strIfHasIface = iface: s: if hasIface iface then s else "";
 attrsetIfHasIface = iface: as: if hasIface iface then as else {};
 eltIfHasIface = iface: elt: if hasIface iface then [ elt ] else [];
 
-nameservers = filter (x: x != "") [
-    "127.0.0.1"
-    (if config.networking.hostName != "snorlax" then (numbers.api.hostIface "snorlax" "sec0").ip else "")
-    (if config.networking.hostName != "sobble" then (numbers.api.hostIface "sobble" "sec0").ip else "")
-    (if config.networking.hostName != "rowlet" then (numbers.api.hostIface "rowlet" "sec0").ip else "")
-  ];
-
 in
 
 {
   imports = [
-    #./pgpool.nix
     ./udp514.nix
   ];
 
   services.udp514-journal.enable = true;
-  services.coredns = {
-    enable = true;
-    config = ''
-      . {
-        ${strIfHasIface "sxxxxec0" "bind sec0"}
-        ${strIfHasIface "xxxxlan0" "bind lan0"}
-        nsid ${config.networking.hostName}
-        forward . 172.16.1.8
-        template IN A server.dns {
-          answer "{{ .Name }} 0 IN A ${(numbers.api.hostIface config.networking.hostName "sec0").ip}"
-        }
-      }
-    '';
-  };
   services.resolved.enable = false;
-  #networking.resolvconf.enable = false;
 
-  environment.etc."resolv.conf".text = foldl'
-    (a: s: if s == "" then a else "${a}nameserver ${s}\n")
-    "" nameservers;
-  networking.nameservers = nameservers;
+  environment.etc."resolv.conf".text = ''
+    nameserver 172.16.1.8
+    nameserver 172.16.1.1
+    search cascade.strudelline.net
+  '';
+
+  networking.nameservers = [
+    172.16.1.8
+    172.16.1.1
+  ];
 
 
   system.activationScripts."corenet-flux" = mkIf true ''
@@ -55,19 +38,17 @@ in
     enable = true;
     tokenFile = mkIf (config.networking.hostName != "snorlax") "/etc/k3s.token";
     serverAddr =
-      mkIf (config.networking.hostName != "snorlax")
-        "https://${(numbers.api.hostIface "snorlax" "sec0").ip}:6443";
+        "https://${(numbers.apt.hostIface "snorlax" "sec0").ip}:6443";
     clusterInit = config.networking.hostName == "snorlax";
     extraFlags = (
-    #" --datastore-endpoint=nats://localhost:4222?noEmbed=true&bucket=k0-kine&replicas=2"+
     " --disable=traefik"+
     " --disable=local-storage"+
     " --cluster-cidr=10.128.0.0/16"+
     " --service-cidr=10.129.0.0/16"+
     " --flannel-backend=vxlan"+
     " --embedded-registry"+
-    (strIfHasIface "sec0" " --node-ip=${(numbers.api.hostIface config.networking.hostName "sec0").ip}")+
-    #(strIfHasIface "lan0" " --tls-san=${(numbers.api.hostIface config.networking.hostName "lan0").ip}")+
+    " --node-ip=172.16.1.254"+
+    " --tls-san=k8s.cascade.strudelline.net")+
     "");
   };
 

modules/k3s.nix

@@ -0,0 +1,65 @@
+{config, numbers, pkgs, lib, ...}:
+
+with lib;
+
+let
+hasIface = iface: elem iface (numbers.api.hostIfaces config.networking.hostName);
+strIfHasIface = iface: s: if hasIface iface then s else "";
+attrsetIfHasIface = iface: as: if hasIface iface then as else {};
+eltIfHasIface = iface: elt: if hasIface iface then [ elt ] else [];
+
+in
+
+{
+  networking.nameservers = [
+    "172.16.1.53"
+    "172.16.1.8"
+  ];
+
+  system.activationScripts."corenet-flux" = mkIf true ''
+    ln -sf ${./corenet-flux.yaml} /var/lib/rancher/k3s/server/manifests/corenet-flux.yaml
+  '';
+
+  services.k3s = {
+    enable = true;
+    tokenFile = "/etc/k3s.token";
+    serverAddr =
+        "https://172.16.17.1:6443";
+    extraFlags = (
+    " --flannel-backend=wireguard-native"+
+    " --disable=traefik"+
+    " --disable=servicelb"+
+    " --disable=local-storage"+
+    " --tls-san=k8s.cascade.strudelline.net"+
+    " --kubelet-arg=config=/etc/rancher/k3s/kubelet.config}"+
+    " --kubelet-arg=allowed-unsafe-sysctls=net.*"+
+    " --embedded-registry"+
+    " --nonroot-devices"+
+    "");
+  };
+  
+  environment.etc = {
+    "rancher/k3s/kubelet.config".text = ''
+      apiVersion: kubelet.config.k8s.io/v1beta1
+      kind: KubeletConfiguration
+      maxPods: 250
+    '';
+    "rancher/k3s/registries.yaml".text = ''
+      mirrors:
+        "*":
+    '';
+  };
+
+  networking.firewall.allowedUDPPorts = [
+    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 8472 10250
+  ];
+  networking.firewall.allowedUDPPortRanges = [
+    { from = 5000; to = 32767; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 10250
+  ];
+  networking.firewall.allowedTCPPortRanges = [
+    { from = 5000; to = 32767; }
+  ];
+}

modules/luks.nix

@@ -18,5 +18,4 @@
       device = "/dev/disk/by-label/BOOT";
       fsType = "vfat";
   };
-
 }

modules/nvidia.nix

@@ -0,0 +1,3 @@
+{
+  hardware.nvidia-container-toolkit.enable = true;
+}

modules/serial-console.nix

@@ -0,0 +1,8 @@
+{
+  boot.kernelParams = [ "console=ttyS0,115200n8" ];
+  boot.loader.grub.extraConfig = "
+    serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+    terminal_input serial
+    terminal_output serial
+  ";
+}

modules/server.nix

@@ -22,8 +22,6 @@
     };
   };
 
-  #hardware.nvidia-container-toolkit.enable = true;
-
   services.openssh.enable = true;
   networking.firewall.enable = true;
 

modules/users.nix

@@ -0,0 +1,23 @@
+{config, lib, ...}:
+with builtins;
+with lib;
+let adminGroups =
+  filter (x: hasAttr x config.users.groups) [ "users" "networkmanager" "wheel" "keyd" "tss" "plugdev" "uinput" "tss" "disk" "dialout" "kvm" "docker" "libvirtd" ]
+  ;
+adminUser = name: { hashedPassword, sshKeys ? [], ...}@options: {
+  users.users."${name}" = {
+    isNormalUser = true;
+    description = name;
+    linger = true;
+    extraGroups = adminGroups;
+    hashedPassword = hashedPassword;
+    openssh.authorizedKeys.keys = if (isList sshKeys) then sshKeys else [ sshKeys ];
+  };
+};
+in
+{ config = mkMerge [
+    (adminUser "james" {
+      hashedPassword = "$6$rounds=3329299$pm3dw//wbFgSL3vc$9oXIvCyHqvQHpcn0cvn686mlbt5T4Qd4c5vgSdI8oNhVGXb7pteLyzN.b2pJ3w22NsPovWoL9M.ScyJXRTPP10";
+      sshKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA2FMpfO9p2xfATWwaqpT3cGwYOtraiTMfmRXDBI7jrR james";
+    })
+];}

rowlet.nix

@@ -1,21 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, lib, flake-inputs, ... }:
-
-{
-  imports =
-    [ # Include the results of the hardware scan.
-      #./hardware-configuration.nix
-      ./lib/packages.nix
-      ./lib/server.nix
-      ./lib/session.nix
-    ];
-
-  networking.hostName = "rowlet"; # Define your hostname.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-
-  system.stateVersion = "24.05";
-}

snorlax.nix

@@ -1,20 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, lib, flake-inputs, ... }:
-
-{
-  imports =
-    [ # Include the results of the hardware scan.
-      ./lib/packages.nix
-      ./lib/server.nix
-      ./lib/session.nix
-    ];
-
-  networking.hostName = "snorlax"; # Define your hostname.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-
-  system.stateVersion = "24.05";
-}

sobble.nix

@@ -1,21 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, lib, inputs, ... }:
-
-{
-  imports =
-    [ # Include the results of the hardware scan.
-      #./hardware-configuration.nix
-      ./lib/packages.nix
-      ./lib/server.nix
-      ./lib/session.nix
-    ];
-
-  networking.hostName = "sobble"; # Define your hostname.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-
-  system.stateVersion = "24.05";
-}

types/k3s-server.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./server.nix
+    ../modules/k3s.nix
+  ];
+  
+  system.stateVersion = "24.05";
+}

types/minimal.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, lib, flake-inputs, ... }:
+
+{
+  imports = [
+    ../modules/session.nix
+    ../modules/users.nix
+    ../modules/serial-console.nix
+  ];
+
+  system.stateVersion = "24.05";
+}

types/server.nix

@@ -0,0 +1,14 @@
+{ config, pkgs, lib, flake-inputs, ... }:
+
+{
+  imports = [
+    ../modules/session.nix
+    ../modules/server.nix
+    ../modules/systemd-efi.nix
+    ../modules/luks.nix
+    ../modules/users.nix
+    ../modules/serial-console.nix
+  ];
+
+  system.stateVersion = "24.05";
+}