feat: Bootstrap new config for Oracle cloud server

- Fix ACME issues causing DNS challenges to fail
- Move agenix import to homelab module
- Add initial password to main user

flake.nix

@@ -66,6 +66,10 @@
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.nixpkgs-stable.follows = "nixpkgs-stable";
     };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = { self, nixpkgs, home-manager, darwin, flake-utils, pre-commit-hooks

hostModules/homelab/acme.nix

@@ -29,8 +29,6 @@ in {
 
       certs.${config.homelab.domain} = {
         extraDomainNames = [ "*.${config.homelab.domain}" ];
-        # This is intended to be used on a local network
-        dnsPropagationCheck = false;
       };
     };
 

hostModules/homelab/default.nix

@@ -9,6 +9,7 @@ in {
     ./homepage.nix
     ./samba.nix
     inputs.nix-topology.nixosModules.default
+    inputs.agenix.nixosModules.default
   ];
 
   options.homelab = {

hostModules/homelab/media/default.nix

@@ -60,7 +60,7 @@ in {
       };
     }];
 
-    services.samba.shares = lib.mkIf cfg.enableSambaShare {
+    services.samba.settings = lib.mkIf cfg.enableSambaShare {
       media = {
         path = cfg.storageRoot;
         writable = true;

hostModules/homelab/samba.nix

@@ -11,11 +11,11 @@ in {
       enable = true;
       package = pkgs.samba4Full;
       openFirewall = true;
-      extraConfig = ''
-        server smb encrypt = required
+      settings.global = {
+        "server smb encrypt" = "required";
         # ^^ Note: Breaks `smbclient -L <ip/host> -U%` by default, might require the client to set `client min protocol`?
-        server min protocol = SMB3_00
-      '';
+        "server min protocol" = "SMB3_00";
+      };
     };
 
     services.avahi = {

hostModules/personal/user.nix

@@ -20,6 +20,8 @@ in {
       shell = lib.mkForce pkgs.zsh;
       description = lib.mkDefault "Nikita";
       isNormalUser = lib.mkDefault true;
+      initialHashedPassword =
+        "$y$j9T$3DxK1nrBp3Xl2DHN8X97y0$19IRZEIoDdq.owYAW9MFataPDunzsyfWXS25aT3Am77";
     };
 
     home-manager = {

hosts/default.nix

@@ -24,4 +24,9 @@
     inherit specialArgs;
     modules = [ ./iris ];
   };
+  hermes = nixpkgs.lib.nixosSystem {
+    system = "aarch64-linux";
+    inherit specialArgs;
+    modules = [ ./hermes ];
+  };
 }

hosts/hades/default.nix

@@ -1,9 +1,6 @@
-{ self, inputs, config, secrets, ... }: {
+{ self, config, secrets, ... }: {
   imports = [
     ./hardware-configuration.nix
-    inputs.agenix.nixosModules.default
-    inputs.nix-topology.nixosModules.default
-
     self.nixosModules.personal
     self.nixosModules.homelab
   ];

hosts/hermes/default.nix

@@ -0,0 +1,16 @@
+# Bootstrapped via the following command:
+# $ nix run github:nix-community/nixos-anywhere -- --flake .#hermes <user@host> --build-on-remote
+{ self, inputs, ... }: {
+  imports = [
+    self.nixosModules.personal
+    inputs.disko.nixosModules.disko
+    ./hardware-configuration.nix
+    ./disk-config.nix
+  ];
+  networking.hostName = "hermes";
+
+  services.tailscale.useRoutingFeatures = "server";
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+}

hosts/hermes/disk-config.nix

@@ -0,0 +1,50 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              end = "4G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              name = "root";
+              end = "-12G";
+              content = {
+                type = "filesystem";
+                format = "bcachefs";
+                mountpoint = "/";
+              };
+            };
+            encryptedSwap = {
+              size = "6G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                priority =
+                  100; # prefer to encrypt as long as we have space for it
+              };
+            };
+            plainSwap = {
+              size = "100%";
+              content = {
+                type = "swap";
+                discardPolicy = "both";
+                resumeDevice = true; # resume from hiberation from this device
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/hermes/hardware-configuration.nix

@@ -0,0 +1,21 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }: {
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.tmp.useTmpfs = false;
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}

hosts/iris/default.nix

@@ -1,7 +1,5 @@
-{ self, inputs, config, lib, secrets, ... }: {
+{ self, config, lib, secrets, ... }: {
   imports = [
-    inputs.agenix.nixosModules.default
-
     self.nixosModules.raspi4sd
     self.nixosModules.personal
     self.nixosModules.homelab