vtluug · mehbark · Oct 23, 2025 · Nov 6, 2025 · Nov 6, 2025 · Nov 11, 2025
diff --git a/flake.lock b/flake.lock
diff --git a/hosts/bastille/blade-names.nix b/hosts/bastille/blade-names.nix
@@ -1,16 +1,18 @@
-# keep-sorted start
-[
-  "backbiter"
-  "damocles"
-  "durendal"
-  "eyelander"
-  "excalibur"
-  "gram"
-  "gryffindor"
-  "kusanagi"
-  "narsil"
-  "oathbringer"
-  "riptide"
-  "sting"
-]
-# keep-sorted end
+{
+  # TODO: prospit's a special case and won't remain here forever
+  "d8:9e:f3:3e:f9:41" = "prospit";
+
+  "40:f2:e9:c6:65:5f" = "backbiter";
+  "40:f2:e9:c6:69:43" = "damocles";
+  "40:f2:e9:c6:69:67" = "durendal";
+  "40:f2:e9:c6:74:59" = "eyelander";
+  "40:f2:e9:c6:75:f1" = "excalibur";
+  "40:f2:e9:c6:76:21" = "gram";
+
+  "unassigned-0" = "gryffindor";
+  "unassigned-1" = "kusanagi";
+  "unassigned-2" = "narsil";
+  "unassigned-3" = "oathbringer";
+  "unassigned-4" = "riptide";
+  "unassigned-5" = "sting";
+}
diff --git a/hosts/bastille/blade.nix b/hosts/bastille/blade.nix
@@ -0,0 +1,23 @@
+{ modulesPath, pkgs, lib, ... }: {
+  imports = [
+    ./eno1-imm-disable.nix
+    (import ../common/k3s.nix {})
+    ../common/nix.nix
+    ../common/sshd.nix
+    ../common/users-local.nix
+    (modulesPath + "/installer/netboot/netboot-minimal.nix")
+  ];
+
+  # Get hostname from DHCP request
+  networking.hostName = "";
+
+  # when making the ISO, the initialHashedPassword is set to "" for some reason
+  # we already set a hashed password, so null this
+  users.users.root.initialHashedPassword = lib.mkForce null;
+
+  environment.systemPackages = [
+    pkgs.fastfetch
+  ];
+
+  system.stateVersion = "25.11";
+}
diff --git a/hosts/bastille/eno1-imm-disable.nix b/hosts/bastille/eno1-imm-disable.nix
@@ -0,0 +1,30 @@
+{ pkgs, lib, ... }:
+let
+  eno1-imm-disable = pkgs.writeShellApplication {
+    name = "eno1-imm-disable";
+
+    runtimeInputs = [
+      pkgs.iproute2
+    ];
+
+    text = ''
+      if grep "Lenovo NeXtScale nx360 M5" /sys/devices/virtual/dmi/id/product_name; then
+        ip link set down eno1
+      fi
+    '';
+  };
+in {
+  systemd.services."eno1-imm-disable" = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+
+    unitConfig = {
+      Description = "Disable eno1 on Lenovo NeXtScale nodes to avoid issues with using the imm interface";
+    };
+
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${lib.getExe eno1-imm-disable}";
+    };
+  };
+}
diff --git a/hosts/common/k3s.nix b/hosts/common/k3s.nix
@@ -0,0 +1,17 @@
+{ role ? "agent", clusterInit ? false }: {
+  networking.firewall.allowedTCPPorts = [
+    6443
+  ];
+
+  networking.firewall.allowedUDPPorts = [
+    8472
+  ];
+
+  services.k3s = {
+    inherit role clusterInit;
+
+    enable = true;
+    token = "garbage secret";
+    serverAddr = "https://10.98.3.2:6443";
+  };
+}
diff --git a/hosts/common/nfs.nix b/hosts/common/nfs.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+let
+  mkNfs = {path, options ? [ "vers=4.0" "soft" "nodev" "nosuid" ]}: {
+    device = "${path}";
+    fsType = "nfs";
+    inherit options;
+  };
+in
+{
+  environment.systemPackages = [ pkgs.nfs-utils ];
+
+  fileSystems."/nfs/cistern/share" = mkNfs {path = "10.98.0.7:/cistern/nfs/share";};
+  fileSystems."/nfs/cistern/files" = mkNfs {path = "10.98.0.7:/cistern/nfs/files";};
+  fileSystems."/nfs/cistern/home" = mkNfs {
+    path = "10.98.0.7:/cistern/nfs/home";
+    options = [ "vers=4.0" "soft" "nodev" "nosuid" ];
+  };
+  fileSystems."/nfs/cistern/libvirt" = mkNfs {path = "10.98.0.7:/cistern/nfs/libvirt";};
+  fileSystems."/nfs/cistern/docker/data" = mkNfs {path = "10.98.0.7:/cistern/nfs/docker/data";};
+}
diff --git a/hosts/vesuvius/README.md b/hosts/vesuvius/README.md
@@ -10,3 +10,13 @@ Giant storage server + future LHCPISCSIPXEIDK thing maybe?
 ## Storage
 We currently have one (manually created) RAID-Z2 pool mounted at `/forge` with `8` drives of `12 Tb` each.
 We have capacity for `48`(!) drives, but still only paper (and tape) caddies.
+
+```
+# for the nix store
+zfs create -o mountpoint=legacy \
+           -o compression=zstd \
+           -o xattr=sa \
+           -o acltype=posixacl \
+           -o atime=off \
+           forge/nix
+```
diff --git a/hosts/vesuvius/configuration.nix b/hosts/vesuvius/configuration.nix
@@ -2,9 +2,16 @@
 {
   imports = [
     ./hardware-configuration.nix
+    (import ../common/k3s.nix { role = "server"; clusterInit = true; })
     ./nix.nix
     ./zfs.nix
+    ./ipa.nix
     ./netboot.nix
+
+    ../common/nfs.nix
+    ../common/tz-locale.nix
+    ../common/users-local.nix
+    ../common/sshd.nix
   ];
 
   boot.loader.systemd-boot.enable = true;
@@ -15,44 +22,11 @@
   networking.networkmanager.enable = true;
   networking.networkmanager.unmanaged = [ "interface-name:enp1s0f1" ];
 
-  time.timeZone = "America/New_York";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_US.UTF-8";
-    LC_IDENTIFICATION = "en_US.UTF-8";
-    LC_MEASUREMENT = "en_US.UTF-8";
-    LC_MONETARY = "en_US.UTF-8";
-    LC_NAME = "en_US.UTF-8";
-    LC_NUMERIC = "en_US.UTF-8";
-    LC_PAPER = "en_US.UTF-8";
-    LC_TELEPHONE = "en_US.UTF-8";
-    LC_TIME = "en_US.UTF-8";
-  };
-
-  users.users.papatux = {
-    isNormalUser = true;
-    description = "papatux";
-    extraGroups = [ "networkmanager" "wheel" ];
-    openssh.authorizedKeys.keys = import ../../papatux-keys.nix;
-  };
-
-  security.sudo.wheelNeedsPassword = false;
-
   nixpkgs.config.allowUnfree = true;
 
   environment.systemPackages = with pkgs; [
     neovim
   ];
 
-  services.openssh.enable = true;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "25.05"; # Did you read the comment?
 }
diff --git a/hosts/vesuvius/ipa.nix b/hosts/vesuvius/ipa.nix
@@ -1,10 +1,17 @@
 # TODO: /etc/krb5.keytab missing, maybe agenix
 { config, pkgs, ... }:
 {
-  age.secrets."krb5.keytab".file = ../../secrets/krb5.keytab.age;
-
+  age.secrets."krb5.keytab" = {
+    file = ../../secrets/keytabs/vesuvius.keytab.age;
+    path = "/etc/krb5.keytab";
+    owner = "root";
+    group = "root";
+    mode = "0600";
+  };
   environment.variables.KRB5_KTNAME = config.age.secrets."krb5.keytab".path;
 
+  networking.domain = "vtluug.org";
+
   security.ipa = {
     enable = true;
 
@@ -19,4 +26,15 @@
       sha256 = "16wv6kfvnm0hcyzr0wjrgmymw3asm84m8r1wbfq09qvqrjycfc6s";
     };
   };
+  security.sudo.extraRules = [
+    {
+      groups = [ "sudoers" ];
+      commands = [
+        {
+          command = "ALL";
+          options = [ "SETENV" ];
+        }
+      ];
+    }
+  ];
 }