devices.pi3b: fix build

2026-01-12 07:09:22 +08:00 · 2024-03-25 17:03:13 +08:00
parent 9b1ec2d09c
commit b8c4e79183
5 changed files with 93 additions and 50 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,7 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
  - &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
  - &xmupc1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
  - &xmupc2 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+  - &pi3b age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
 creation_rules:
  - path_regex: devices/pc/secrets/.*$
    key_groups:
@@ -43,3 +44,8 @@ creation_rules:
    - age:
      - *chn
      - *xmupc2
+  - path_regex: devices/pi3b/secrets/.*$
+    key_groups:
+    - age:
+      - *chn
+      - *pi3b
--- a/devices/pi3b/default.nix
+++ b/devices/pi3b/default.nix
@@ -23,6 +23,7 @@ inputs:
        grub.installDevice = "efi";
        networking = { hostname = "pi3b"; networkd = {}; };
        binfmt.enable = false;
+        nixpkgs.arch = "aarch64";
      };
      packages.packageSet = "server";
    };
--- a/devices/pi3b/secrets/default.yaml
+++ b/devices/pi3b/secrets/default.yaml
@@ -0,0 +1,38 @@
+hello: ENC[AES256_GCM,data:gYWUY12BwOdE0/xVvxPzfJRlpkghKUIPjSr8f6EImTGT2xzpPf+zsKCSAhCpFA==,iv:7Z/yCADBqjerLBq1bJapZ2K6hajSpakvb/lbkmUvpHw=,tag:rvI/70cZyy33XB+XQ6ERlg==,type:str]
+example_key: ENC[AES256_GCM,data:dRe2yzZieLjgWjviSA==,iv:pTNmxYo6pewcavnFXt4i4a6ybxdc5kF4LAPbOY9RbD0=,tag:h7Dtrjvt954lIVryCnDfoQ==,type:str]
+example_array:
+    - ENC[AES256_GCM,data:0xfhD2tQuQsIrJMAD40=,iv:8E214l7PoJwjP9wkGMkN91s2vRefYzqqNuANappwGTo=,tag:TglXrM74sE6ukc1mQsPRIA==,type:str]
+    - ENC[AES256_GCM,data:mj9YI0JTBd/MNE/czkk=,iv:BCUQEOnlyflyXJwuIz2hwUDISS4JjXFKAPknxdfrW5M=,tag:r+2zvCKxAjWt2TuMTaVtaw==,type:str]
+example_number: ENC[AES256_GCM,data:0rxe8tlinN1pPg==,iv:sReZgb8dadC/LUcLTScRA5X8DblllMdRGdYGNtPDlkk=,tag:BKNzaRlXTaMlrwTE1gh/sw==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:li2/7Q==,iv:QrNSpMbnGbp94wmTUjI3HISMmtGwy+sLYSfdALUf5kA=,tag:mcUYXhcjqUhyN4zjuBqiXg==,type:bool]
+    - ENC[AES256_GCM,data:7WLBDdM=,iv:NdAvGVpfPrd2IuRgW6yLGP6Hum5Oo4vVyaVykTfMB6U=,tag:N5bxC/2+347C4/gHsqRKWA==,type:bool]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoV25wc1hPNE9wdnIxc25p
+            WjBxUHhVOCt0RFlhRlc1SVZnMlgyK1diS2lFCnUvdnVvaS9nTU9mNGMyQXQ2bHJ1
+            c0NDWW5HZUpacDBnbnJhZkdVWkNWc0kKLS0tIHR2WHlKYXVybVZmMk9pWERkOGZB
+            YTlUZGdNT0d5MGEzOWczSTVGeW9DVVUKeQnRRGJYFTnbF6gzxpIKpbvMWt61jliH
+            phg2S8SRvSty+78mn/n/qs0rol/87E38ToJf7c+1E2PkDDAQ9d76YQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcTZIczFWSHhPMGZ2Kzdu
+            SnBxV1B4TFV1ckRRM1kvWkJHUG9QbzEwV2drCnRydkRnK1VjUHRHRkh2eFo1UEt1
+            cUV1Ymt1SkRnS0JOMkdsWHA2ZXBQNEUKLS0tIFFYeVJoMGd5UmVsN0dKL01peFRM
+            NE5vNm96MHpTNk5sYTdFTDRyZVFzdE0K7vEfh1wZ5m48joS5lamVcuXWRn6cZh4v
+            peYqTk5FxepZLycNVdmo9Gl+ZfoTCZd528ABdRxG2jjLw428lU0tzg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-25T09:00:52Z"
+    mac: ENC[AES256_GCM,data:+7I5AT1UCgTSpYhxjBGn4FT2UhgBRhof6oi3yjpsOEZZW5iNFLCmUhNgD9nHBIlTZ6jbFBPtepWmMJWMKWdMbw36U0cv1iGbG5NhaZcUI4+n9Ilkr4lUfbcWoezNLdbM0Ud1h3NYRbGzMRhQetrE1XNwAkUVUhsPGopHu82LAig=,iv:11+GojRpaunD3wb6tJ3nefXuBNTp4Eg2J2hDCfRep58=,tag:6AyUF6wqguX2nVbJOgZPpw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -26,7 +26,7 @@ inputs:
      inherit (inputs.lib) mkIf mkMerge;
      inherit (inputs.config.nixos.services) wireguard;
      inherit (builtins) map toString listToAttrs filter;
-    in mkMerge
+    in mkIf wireguard.enable (mkMerge
    [
      {
        assertions =
@@ -35,56 +35,53 @@ inputs:
          message = "wireguard.listenIp should be not null when behindNat is false.";
        }];
      }
-      (
-        mkIf wireguard.enable
+      {
+        networking =
        {
-          networking =
+          firewall = { allowedUDPPorts = [ wireguard.listenPort ]; trustedInterfaces = [ "wireguard" ]; };
+          wireguard.interfaces.wireguard =
          {
-            firewall = { allowedUDPPorts = [ wireguard.listenPort ]; trustedInterfaces = [ "wireguard" ]; };
-            wireguard.interfaces.wireguard =
-            {
-              ips = [ "${wireguard.wireguardIp}/24" ];
-              inherit (wireguard) listenPort;
-              privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
-              peers = map
-                (peer:
-                {
-                  publicKey = peer.publicKey;
-                  allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
-                  endpoint = mkIf (!peer.behindNat) "${peer.listenIp}:${builtins.toString peer.listenPort}";
-                  persistentKeepalive = mkIf peer.lighthouse 5;
-                })
-                (map
-                  (peer: inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard)
-                  wireguard.peers);
-            };
-          };
-          sops.secrets."wireguard/privateKey" = {};
-          # somehow fix wireguard connection
-          systemd.services = mkIf wireguard.behindNat (listToAttrs (map
-            (peer:
-            {
-              name = "wireguard-ping-${peer.name}";
-              value =
-              {
-                description = "ping ${peer.name}";
-                after = [ "network.target" ];
-                wantedBy = [ "multi-user.target" ];
-                serviceConfig =
-                {
-                  ExecStart = "${inputs.pkgs.iputils}/bin/ping -i 5 ${peer.value.wireguardIp}";
-                  Restart = "always";
-                };
-              };
-            })
-            (filter (peer: !peer.value.behindNat) (map
+            ips = [ "${wireguard.wireguardIp}/24" ];
+            inherit (wireguard) listenPort;
+            privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
+            peers = map
              (peer:
              {
-                name = peer;
-                value = inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard;
+                publicKey = peer.publicKey;
+                allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
+                endpoint = mkIf (!peer.behindNat) "${peer.listenIp}:${builtins.toString peer.listenPort}";
+                persistentKeepalive = mkIf peer.lighthouse 5;
              })
-              wireguard.peers))));
-        }
-      )
-    ];
+              (map
+                (peer: inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard)
+                wireguard.peers);
+          };
+        };
+        sops.secrets."wireguard/privateKey" = {};
+        # somehow fix wireguard connection
+        systemd.services = mkIf wireguard.behindNat (listToAttrs (map
+          (peer:
+          {
+            name = "wireguard-ping-${peer.name}";
+            value =
+            {
+              description = "ping ${peer.name}";
+              after = [ "network.target" ];
+              wantedBy = [ "multi-user.target" ];
+              serviceConfig =
+              {
+                ExecStart = "${inputs.pkgs.iputils}/bin/ping -i 5 ${peer.value.wireguardIp}";
+                Restart = "always";
+              };
+            };
+          })
+          (filter (peer: !peer.value.behindNat) (map
+            (peer:
+            {
+              name = peer;
+              value = inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard;
+            })
+            wireguard.peers))));
+      }
+    ]);
 }
--- a/modules/system/nixpkgs.nix
+++ b/modules/system/nixpkgs.nix
@@ -2,6 +2,7 @@ inputs:
 {
  options.nixos.system.nixpkgs = let inherit (inputs.lib) mkOption types; in
  {
+    arch = mkOption { type = types.enum [ "x86_64" "aarch64" ]; default = "x86_64"; };
    march = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
    cuda =
    {
@@ -24,8 +25,8 @@ inputs:
          permittedInsecurePackages =
            [ "openssl_1_1" "electron_19" "python2" "electron_12" "electron_24" "zotero" "electron_25" ];
          hostPlatform = if nixpkgs.march != null
-            then { inherit (inputs.pkgs) system; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; }
-            else inputs.pkgs.system;
+            then { system = "${nixpkgs.arch}-linux"; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; }
+            else "${nixpkgs.arch}-linux";
          cudaConfig = inputs.lib.optionalAttrs nixpkgs.cuda.enable
          (
            { cudaSupport = true; }