updates. (from the past :/)

deploy.sh

@@ -0,0 +1,43 @@
+set -e
+
+#for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl stop pgpool ; done
+#for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl stop postgresql ; done
+
+deploy() {
+    TARGET="$1"
+    shift
+    nixos-rebuild --flake ".#$TARGET" --target-host "$TARGET" switch --impure --use-remote-sudo "$@"
+}
+spread_token() {
+  #PW=$(
+  #  ssh snorlax sudo cat /var/lib/rancher/k3s/server/node-token /etc/k3s.token | grep . | head -1 | grep . \
+  #    || dd if=/dev/random bs=16 count=1 status=none | xxd -ps
+  #)
+  PW=$(
+    ssh snorlax sudo cat /etc/k3s.token | grep . | head -1 | grep . \
+      || dd if=/dev/random bs=16 count=1 status=none | xxd -ps
+  )
+  for f in snorlax sobble rowlet;do
+      ssh $f "sudo bash -c 'touch /etc/k3s.token; chmod 600 /etc/k3s.token; dd of=/etc/k3s.token oflag=sync'" <<<"$PW"
+  done
+}
+k3s_reset() {
+    ssh $1 sudo /nix/store/*k3s*/bin/k3s-killall.sh || true
+    ssh $1 sudo rm -rf /var/lib/rancher/k3s /etc/rancher/k3s
+}
+#k3s_reset snorlax
+#k3s_reset sobble
+#k3s_reset rowlet
+#nix run nixpkgs#natscli -- -s 172.16.1.2 kv del kine -f || true
+#nix run nixpkgs#natscli -- -s 172.16.1.2 kv del k0-kine -f || true
+
+#spread_token
+#deploy snorlax
+#spread_token
+deploy snorlax "$@"
+deploy sobble "$@"
+deploy rowlet "$@"
+
+#(PW=$(dd if=/dev/random bs=16 count=1 status=none | xxd -ps);for f in 172.16.1.{2,3};do ssh $f "sudo bash -c 'cat > /etc/pool_passwd'" <<<"$PW";done)
+#for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl start postgresql ; done
+#for f in 172.16.1.{2,3};do ssh -l james $f sudo systemctl start pgpool ; done

flake.lock

@@ -54,6 +54,24 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "interlude": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -90,11 +108,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1719708727,
-        "narHash": "sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY=",
+        "lastModified": 1723942470,
+        "narHash": "sha256-QdSArN0xKESEOTcv+3kE6yu4B4WX9lupZ4+Htx3RXGg=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6",
+        "rev": "531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251",
         "type": "github"
       },
       "original": {
@@ -111,11 +129,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720859326,
-        "narHash": "sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ=",
+        "lastModified": 1724028932,
+        "narHash": "sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7",
+        "rev": "5fd22603892e4ec5ac6085058ed658243143aacd",
         "type": "github"
       },
       "original": {
@@ -157,11 +175,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1720954236,
-        "narHash": "sha256-1mEKHp4m9brvfQ0rjCca8P1WHpymK3TOr3v34ydv9bs=",
+        "lastModified": 1723938990,
+        "narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "53e81e790209e41f0c1efa9ff26ff2fd7ab35e27",
+        "rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890",
         "type": "github"
       },
       "original": {
@@ -185,17 +203,33 @@
         "type": "indirect"
       }
     },
+    "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1721838734,
+        "narHash": "sha256-o87oh2nLDzZ1E9+j1I6GaEvd9865OWGYvxaPSiH9DEU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1855c9961e0bfa2e776fa4b58b7d43149eeed431",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "numbers": {
       "inputs": {
         "ipcalc": "ipcalc",
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1721191005,
-        "narHash": "sha256-iZn/aTs/b38+GD9sak1JgOnBTXKxxvZeqCAZocf0jr0=",
+        "lastModified": 1724036520,
+        "narHash": "sha256-KJU6W5qghjMTjlTFnK0F2zJVw0qmTfC6nkMBhUNgjow=",
         "ref": "refs/heads/main",
-        "rev": "7dfc2d363050b5108f8a671f9d31b8387e5a6c77",
-        "revCount": 15,
+        "rev": "4550d62254e030c9075343a4897a985fcfda1fd6",
+        "revCount": 29,
         "type": "git",
         "url": "https://git.strudelline.net/cascade/numbers"
       },
@@ -204,6 +238,25 @@
         "url": "https://git.strudelline.net/cascade/numbers"
       }
     },
+    "putex": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": "nixpkgs_5"
+      },
+      "locked": {
+        "lastModified": 1721923974,
+        "narHash": "sha256-yz3VioYJXUTdl4TU1RZnGbRMj3ng3OTtVDEbGPFXGLE=",
+        "ref": "refs/heads/main",
+        "rev": "eed14b5adada7325e916dfc3a89cbd4beef806a8",
+        "revCount": 7,
+        "type": "git",
+        "url": "https://git.strudelline.net/james/putex"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.strudelline.net/james/putex"
+      }
+    },
     "root": {
       "inputs": {
         "deploy-rs": "deploy-rs",
@@ -211,6 +264,7 @@
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs_3",
         "numbers": "numbers",
+        "putex": "putex",
         "unstable": "unstable"
       }
     },
@@ -244,13 +298,28 @@
         "type": "github"
       }
     },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "unstable": {
       "locked": {
-        "lastModified": 1721116560,
-        "narHash": "sha256-++TYlGMAJM1Q+0nMVaWBSEvEUjRs7ZGiNQOpqbQApCU=",
+        "lastModified": 1723985069,
+        "narHash": "sha256-MGtXhZHLZGKhtZT/MYXBJEuMkZB5DLYjY679EYNL7Es=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9355fa86e6f27422963132c2c9aeedb0fb963d93",
+        "rev": "ff1c2669bbb4d0dd9e62cc94f0968cfa652ceec1",
         "type": "github"
       },
       "original": {

flake.nix

@@ -4,18 +4,19 @@
     unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     numbers.url = "git+https://git.strudelline.net/cascade/numbers";
     interlude.url = "git+https://git.strudelline.net/nix/interlude";
+    putex.url = "git+https://git.strudelline.net/james/putex";
     nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; };
     deploy-rs.url = "github:serokell/deploy-rs";
   };
-  outputs = { self, nixpkgs, unstable, numbers, interlude, nixos-generators, deploy-rs }@inputs:
+  outputs = { self, nixpkgs, unstable, numbers, interlude, putex, nixos-generators, deploy-rs }@inputs:
   with builtins;
   with nixpkgs.lib;
   with interlude.lib;
   let
     includableModules =
       let localModules = "${./.}" + "/modules";
-          dirContents = readDir (traceVal localModules);
-          filenames = attrNames (trace "dirContents: ${toJSON dirContents}" dirContents);
+          dirContents = readDir (localModules);
+          filenames = attrNames (dirContents);
           dirs = (filter (n: dirContents."${n}" == "directory" &&
                              readFileType "${localModules}/${n}/default.nix" == "regular" ) filenames);
           files = concatMap (filterAndStripSuffix ".nix") (filter (n: dirContents."${n}" == "regular") filenames);
@@ -36,12 +37,13 @@
           self.nixosModules.vmFormats
           numbers.nixosModules.users
           self.nixosModules.session
-          ({...}: {
-            # fixed values.
-            networking.hostName = traceVal name;
-            system.stateVersion = "24.05";
-            nix.settings.require-sigs = false;
-          })
+          putex.nixosModules.default
+          {
+            # global fixed values.
+            networking.hostName = mkForce name;
+            system.stateVersion = mkForce "24.05";
+            nix.settings.require-sigs = mkForce false;
+          }
         ] ++ mods;
       });
     };
@@ -106,6 +108,5 @@
          [ includableModules ]
       ++ (with numbers.api; map (h: buildMachine h) deployableHosts)
       ++ [(buildMachine' "cascade-installer" [self.nixosModules.installer] {} )]
-      #++ [(buildMachine' "cascade-installer" [] {} )]
   );
 }

k3s_reset.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+for f in snorlax sobble rowlet;do
+    ssh $f sudo systemctl stop k3s || true
+    ssh $f sudo k3s-killall.sh || true
+    ssh $f sudo rm -rf /var/lib/rancher/k3s /etc/rancher/k3s
+done
+
+deploy() {
+    TARGET="$1"
+    nixos-rebuild --flake ".#$TARGET" --target-host "$TARGET" switch --impure --use-remote-sudo
+}
+
+deploy snorlax
+TOKEN="$(ssh snorlax sudo cat /var/lib/rancher/k3s/server/node-token)"
+echo "$TOKEN" | ssh sobble "sudo bash -c 'umask 077; cat > /etc/k3s.token'"
+echo "$TOKEN" | ssh rowlet "sudo bash -c 'umask 077; cat > /etc/k3s.token'"
+deploy sobble
+deploy rowlet
+
+import-k3s-creds.sh sobble k0 172.16.1.2
+
+flux bootstrap gitea --hostname=git.strudelline.net --owner=cascade --repository=k0 --token-auth

mklocks.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+nats() {
+    command nix run nixpkgs#natscli -- -s 172.16.1.2 "$@"
+}
+
+nats stream add locks --defaults --discard-per-subject --subjects='lock.router' --storage=memory --discard=new --max-msgs-per-subject=1

modules/_tmpl.nix

@@ -0,0 +1,6 @@
+{ config, pkgs, lib, ... }:
+
+{
+  config = {
+  };
+}

modules/cascade-router-host.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, lib, ... }:
+
+{
+  config = {
+    systemd.services."cascade-router".unitConfig = {
+      Wants = [ "sys-subsystem-net-devices-wan0.device" ];
+      After = [ "sys-subsystem-net-devices-wan0.device" ];
+    };
+
+    services.putex.putexes = {
+      sec-router = {
+        start = "/run/current-system/sw/bin/systemctl --no-block start cascade-router.service";
+        stop = ''
+          /run/current-system/sw/bin/systemctl stop -f -s 9 cascade-router.service
+        '';
+        healthcheck = ''
+          set -e
+          cd /sys/class/net
+          
+          # cat all carrier values we care about,
+          # filter out the ones that are 1
+          # if there's anything left, exit 1.
+          if (for f in wan0 sec0 lan0;do echo "$f $(cat "$f"/carrier)"; done|grep -v 1|grep -q .) ;then
+            exit 1
+          fi
+          exit 0
+        '';
+      };
+    };
+
+    virtualisation.libvirtd.allowedBridges = [ "sec0" "lan0" "wan0" ];
+  };
+}

modules/cascade-router.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, lib, ... }:
+
+{
+  config = {
+    #system.activationScripts."arpFilter" = ''
+    #PATH=${pkgs.procps}/bin:${pkgs.iptables}/bin:$PATH
+    #  sysctl net.ipv4.conf.all.arp_filter=1
+    #  sysctl net.ipv4.conf.default.arp_filter=1
+    #'';
+
+    environment.systemPackages = with pkgs; [
+      tcpdump
+    ];
+
+    networking = {
+      nat = {
+        enable = true;
+        externalInterface = "wan0";
+        internalInterfaces = [ "lan0" "sec0" ];
+      };
+      useHostResolvConf = false;
+      useNetworkd = true;
+      useDHCP = false;
+      interfaces."wan0" = {
+        useDHCP = true;
+        #macAddress = "a0:ce:c8:c6:d2:5f";
+      };
+    };
+
+    system.stateVersion = "24.05";
+  };
+}

modules/corenet-flux.yaml

@@ -0,0 +1,5 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: test-wow

modules/corenet.nix

@@ -1,12 +1,91 @@
-{config, ...}:
+{config, numbers, pkgs, lib, ...}:
+
+with lib;
+
+let
+hasIface = iface: elem iface (numbers.api.hostIfaces config.networking.hostName);
+strIfHasIface = iface: s: if hasIface iface then s else "";
+attrsetIfHasIface = iface: as: if hasIface iface then as else {};
+eltIfHasIface = iface: elt: if hasIface iface then [ elt ] else [];
+
+nameservers = filter (x: x != "") [
+    "127.0.0.1"
+    (if config.networking.hostName != "snorlax" then (numbers.api.hostIface "snorlax" "sec0").ip else "")
+    (if config.networking.hostName != "sobble" then (numbers.api.hostIface "sobble" "sec0").ip else "")
+    (if config.networking.hostName != "rowlet" then (numbers.api.hostIface "rowlet" "sec0").ip else "")
+  ];
+
+in
 
 {
+  imports = [
+    #./pgpool.nix
+    ./udp514.nix
+  ];
+
+  services.udp514-journal.enable = true;
   services.coredns = {
     enable = true;
     config = ''
       . {
-        whoami
+        ${strIfHasIface "sxxxxec0" "bind sec0"}
+        ${strIfHasIface "xxxxlan0" "bind lan0"}
+        nsid ${config.networking.hostName}
+        forward . 172.16.1.8
+        template IN A server.dns {
+          answer "{{ .Name }} 0 IN A ${(numbers.api.hostIface config.networking.hostName "sec0").ip}"
+        }
       }
     '';
   };
+  services.resolved.enable = false;
+  #networking.resolvconf.enable = false;
+
+  environment.etc."resolv.conf".text = foldl'
+    (a: s: if s == "" then a else "${a}nameserver ${s}\n")
+    "" nameservers;
+  networking.nameservers = nameservers;
+
+
+  system.activationScripts."corenet-flux" = mkIf true ''
+    ln -sf ${./corenet-flux.yaml} /var/lib/rancher/k3s/server/manifests/corenet-flux.yaml
+  '';
+
+  services.k3s = {
+    enable = true;
+    tokenFile = mkIf (config.networking.hostName != "snorlax") "/etc/k3s.token";
+    serverAddr =
+      mkIf (config.networking.hostName != "snorlax")
+        "https://${(numbers.api.hostIface "snorlax" "sec0").ip}:6443";
+    clusterInit = config.networking.hostName == "snorlax";
+    extraFlags = (
+    #" --datastore-endpoint=nats://localhost:4222?noEmbed=true&bucket=k0-kine&replicas=2"+
+    " --disable=traefik"+
+    " --disable=local-storage"+
+    " --cluster-cidr=10.128.0.0/16"+
+    " --service-cidr=10.129.0.0/16"+
+    " --flannel-backend=vxlan"+
+    " --embedded-registry"+
+    (strIfHasIface "sec0" " --node-ip=${(numbers.api.hostIface config.networking.hostName "sec0").ip}")+
+    #(strIfHasIface "lan0" " --tls-san=${(numbers.api.hostIface config.networking.hostName "lan0").ip}")+
+    "");
+  };
+
+  environment.etc."rancher/k3s/registries.yaml".text = ''
+    mirrors:
+      "*":
+  '';
+
+  networking.firewall.allowedUDPPorts = [
+    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 8472 10250
+  ];
+  networking.firewall.allowedUDPPortRanges = [
+    { from = 5000; to = 32767; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 10250
+  ];
+  networking.firewall.allowedTCPPortRanges = [
+    { from = 5000; to = 32767; }
+  ];
 }

modules/packages.nix

@@ -7,20 +7,20 @@
 {
   environment.systemPackages = with pkgs; [
     seatd
-    emacs-nox
+    #emacs-nox
     inetutils
     unzip
     buildah
     curl
     vim
-    neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    neovim
     wget
     sshfs
     dig
     gost
     elinks
-    dislocker
-    ntfs3g
+    #dislocker
+    #ntfs3g
     kubectl
     sops
     git
@@ -32,6 +32,7 @@
     brightnessctl
     kubernetes-helm
     ripgrep
+    bridge-utils
     nettools
     psmisc
 

modules/pgpool.nix

@@ -0,0 +1,101 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.pgpool;
+  shq = lib.escapeShellArg;
+  configFile = pkgs.writeText "pgpool.conf" cfg.config;
+in
+{
+
+  options = {
+    services.pgpool = {
+      enable = mkEnableOption "pgpool-II";
+      config = mkOption {
+        default = ''
+          backend_clustering_mode = 'snapshot_isolation'
+          backend_hostname0 = '127.0.0.1'
+          backend_port0 = 5432
+          backend_weight0 = 1
+          logging_collector = true
+          log_destination = 'syslog,stderr'
+          log_min_messages = 'INFO'
+        '';
+        example = ''
+          backend_clustering_mode = 'snapshot_isolation'
+          backend_hostname0 = '127.0.0.1'
+          backend_port0 = 5432
+          backend_weight0 = 1
+          logging_collector = true
+          log_destination = 'syslog,stderr'
+          log_min_messages = 'INFO'
+        '';
+        description = ''
+          Verbatim pgpool.conf to use
+        '';
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "pgpool";
+        description = ''
+          User account under which pgpool runs.
+        '';
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "pgpool";
+        description = ''
+          User group under which pgpool runs.
+        '';
+      };
+
+      package = mkPackageOption pkgs "pgpool" { };
+      extraArgs = mkOption {
+        default = [];
+        example = [ "-dns.port=53" ];
+        type = types.listOf types.str;
+        description = "Extra arguments to pass to coredns.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+      extraGroups = mkIf config.services.postgresql.enable [ "postgres" ];
+    };
+    users.groups.${cfg.group} = {};
+
+    environment.etc."pgpool.conf" = {
+      source = configFile;
+    };
+
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.services.pgpool = {
+      description = "pgpool-II postgresql load balancer and replication manager";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        PermissionsStartOnly = true;
+        LimitNPROC = 512;
+        LimitNOFILE = 1048576;
+        #CapabilityBoundingSet = "cap_net_bind_service";
+        #AmbientCapabilities = "cap_net_bind_service";
+        NoNewPrivileges = true;
+        User = cfg.user;
+        Group = cfg.group;
+        PIDFile = "/run/pgpool/pgpool.pid";
+        RuntimeDirectory = "pgpool";
+        ExecStart = "${getBin cfg.package}/bin/pgpool ${lib.escapeShellArgs cfg.extraArgs}";
+        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+        Restart = "no";
+        Type = "forking";
+      };
+    };
+  };
+}

modules/server.nix

@@ -9,23 +9,6 @@
 
   virtualisation = {
     kvmgt.enable = true;
-    libvirtd = {
-      enable = true;
-      qemu = {
-        runAsRoot = true;
-        verbatimConfig = ''
-          cgroup_device_acl = ["/dev/kvmfr0", "/dev/kvm"]
-        '';
-	swtpm = {
-	  enable = true;
-	};
-      };
-    };
-    docker = {
-      enable = true;
-      enableNvidia = false;
-    };
-    
     containers = {
       enable = true;
       policy = {
@@ -39,6 +22,8 @@
     };
   };
 
+  #hardware.nvidia-container-toolkit.enable = true;
+
   services.openssh.enable = true;
   networking.firewall.enable = true;
 
@@ -50,4 +35,14 @@
 
   systemd.network.wait-online.enable = lib.mkDefault false;
   networking.useDHCP = false;
+  #services.tcsd.enable = true;
+
+  security.sudo = {
+    enable = true;
+    extraRules = [
+      { users = [ "%wheel" ];
+        commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
+      }
+    ];
+  };
 }

modules/stateless-vm.nix

@@ -0,0 +1,4 @@
+{
+  imports = [ ./vm.nix ];
+  config.virtualisation.diskImage = null;
+}

modules/tank-nvme-luks.nix

@@ -0,0 +1,33 @@
+{config,...}:
+
+# to use this, you must have created the lvm devices for the host
+# in this example, my hostname is sobble and the disk is /dev/sda:
+# 
+#     fdisk /dev/sda
+#     n  # new partition, assuming this is a blank disk.
+#        #     (enter for all defauls until you're back at the prompt)
+#     t  # set type
+#     1  # first partition, again assuming this was a blank disk
+#     8e # lvm
+#     w  # write and quit
+#     
+#     either make the lv inside an existing vg like the root luks one
+#     ----------
+#     lvcreate -L50G -n sobble-tank-nvme sobble-luks
+#     --- or ---
+#     pvcreate /dev/nvme0n2p15
+#     vgcreate sobble-tank-nvme /dev/nvme0n2p15
+#     lvcreate -l 100%FREE -n sobble-tank-nvme sobble-tank-nvme
+#     -- then --
+#     mkfs.ext4 /dev/sobble-tank-nvme/sobble-tank-nvme
+
+let
+m = "${config.networking.hostName}-luks";
+n = "${config.networking.hostName}-tank-nvme";
+in
+{
+  fileSystems."/tank/nvme" = {
+    device = "/dev/${m}/${n}";
+    fsType = "ext4";
+  };
+}

modules/tank-nvme.nix

@@ -0,0 +1,26 @@
+{config,...}:
+
+# to use this, you must have created the lvm devices for the host
+# in this example, my hostname is sobble and the disk is /dev/sda:
+# 
+#     fdisk /dev/sda
+#     n  # new partition, assuming this is a blank disk.
+#        #     (enter for all defauls until you're back at the prompt)
+#     t  # set type
+#     1  # first partition, again assuming this was a blank disk
+#     8e # lvm
+#     w  # write and quit
+#     
+#     pvcreate /dev/nvme5n7p9
+#     vgcreate sobble-tank-nvme /dev/nvme5n7p9
+#     lvcreate -l 100%FREE -n sobble-tank-nvme sobble-tank-nvme 
+#     mkfs.ext4 /dev/sobble-tank-nvme/sobble-tank-nvme
+
+let n = "${config.networking.hostName}-tank-nvme";
+in
+{
+  fileSystems."/tank/nvme" = {
+    device = "/dev/${n}/${n}";
+    fsType = "ext4";
+  };
+}

modules/tank-ssd-luks.nix

@@ -0,0 +1,28 @@
+{config,...}:
+
+# to use this, you must have created the lvm devices for the host
+# in this example, my hostname is sobble and the disk is /dev/sda:
+# 
+#     fdisk /dev/sda
+#     n  # new partition, assuming this is a blank disk.
+#        #     (enter for all defauls until you're back at the prompt)
+#     t  # set type
+#     1  # first partition, again assuming this was a blank disk
+#     8e # lvm
+#     w  # write and quit
+#     
+#     pvcreate /dev/sda1
+#     vgcreate sobble-tank-ssd /dev/sda1
+#     lvcreate -l 100%FREE -n sobble-tank-ssd sobble-tank-ssd 
+#     mkfs.ext4 /dev/sobble-tank-ssd/sobble-tank-ssd
+
+let
+m = "${config.networking.hostName}-luks";
+n = "${config.networking.hostName}-tank-ssd";
+in
+{
+  fileSystems."/tank/ssd" = {
+    device = "/dev/${m}/${n}";
+    fsType = "ext4";
+  };
+}

modules/tank-ssd.nix

@@ -0,0 +1,26 @@
+{config,...}:
+
+# to use this, you must have created the lvm devices for the host
+# in this example, my hostname is sobble and the disk is /dev/sda:
+# 
+#     fdisk /dev/sda
+#     n  # new partition, assuming this is a blank disk.
+#        #     (enter for all defauls until you're back at the prompt)
+#     t  # set type
+#     1  # first partition, again assuming this was a blank disk
+#     8e # lvm
+#     w  # write and quit
+#     
+#     pvcreate /dev/sda1
+#     vgcreate sobble-tank-ssd /dev/sda1
+#     lvcreate -l 100%FREE -n sobble-tank-ssd sobble-tank-ssd 
+#     mkfs.ext4 /dev/sobble-tank-ssd/sobble-tank-ssd
+
+let n = "${config.networking.hostName}-tank-ssd";
+in
+{
+  fileSystems."/tank/ssd" = {
+    device = "/dev/${n}/${n}";
+    fsType = "ext4";
+  };
+}

modules/udp514-pkg.nix

@@ -0,0 +1,19 @@
+{ pkgs ? import <nixpkgs> {}, ... }:
+with pkgs;
+
+stdenv.mkDerivation {
+  name = "udp514-journal";
+  src = fetchFromGitHub {
+    owner = "eworm-de"; repo = "udp514-journal"; rev = "main";
+    hash = "sha256-lk2Uz3OemhXd4MMR2zFi54XCQiGjibgvT1iz0a7R1j4=";
+  };
+  buildInputs = [ systemd ];
+  nativeBuildInputs = [ pkg-config multimarkdown ];
+  buildPhase = ''
+    make udp514-journal
+  '';
+  installPhase = ''
+    mkdir -p $out/bin
+    cp udp514-journal $out/bin/udp514-journal
+  '';
+}

modules/udp514.nix

@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let udp514-journal = import ./udp514-pkg.nix { inherit pkgs; };
+    cfg = config.services.udp514-journal;
+    port = 514;
+    # not configurable yet.
+    # cfg.port;
+in
+
+{
+  options = {
+    services.udp514-journal = {
+      enable = mkEnableOption "udp514-journal";
+      openFirewall = mkOption {
+        default = true;
+        type = types.bool;
+        description = "Whether to open the firewall for the specified port.";
+      };
+      # this is apparently not configurable yet.
+      #port = mkOption {
+      #  default = 514;
+      #  type = types.port;
+      #  description = "udp514-journal syslog ingest port";
+      #};
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services."udp514-journal" = {
+      description = "udp514-journal syslog to journald adapter";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        DynamicUser = true;
+        ProtectSystem = "full";
+        CapabilityBoundingSet = "cap_net_bind_service";
+        AmbientCapabilities = "cap_net_bind_service";
+        Type = "notify";
+        Restart = "always";
+        ExecStart = "${udp514-journal}/bin/udp514-journal";
+        ProtectHome = true;
+        PrivateDevices = true;
+      };
+    };
+    networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ port ];
+  };
+}

modules/vm.nix

@@ -0,0 +1,27 @@
+{ config, lib, modulesPath, numbers, ... }:
+with lib;
+
+let
+  makeNic = { matchMac, iface, media, ... }:
+    # because of the bridge logic, br=iface _and_ internal-iface=iface
+    if media != "eth" then [] else [ "-nic bridge,id=${iface},br=${iface},model=virtio,mac=${matchMac}" ];
+  makeNicFromHostIface = host: iface: makeNic (numbers.api.hostIface host iface);
+  makeNics = host: concatMap (makeNicFromHostIface host) (numbers.api.hostIfaces host);
+  makeQemuNetworkingOptions = host:
+    (makeNics host) ++ [
+    #  "-net nic,netdev=user.0,model=virtio"
+    #  "-netdev user,id=user.0,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
+    ];
+in
+
+{
+  imports = [
+    "${modulesPath}/virtualisation/qemu-vm.nix"
+    ./server.nix
+  ];
+
+  config = {
+    virtualisation.graphics = false;
+    virtualisation.qemu.networkingOptions = makeQemuNetworkingOptions config.networking.hostName;
+  };
+}

snorlax.nix

@@ -7,7 +7,6 @@
 {
   imports =
     [ # Include the results of the hardware scan.
-      #./hardware-configuration.nix
       ./lib/packages.nix
       ./lib/server.nix
       ./lib/session.nix