add vf2

.sops.yaml

@@ -8,3 +8,8 @@ creation_rules:
       - age:
           - *vf2
           - *lotte
+  - path_regex: services/tailscale\.yaml$
+    key_groups:
+      - age:
+          - *vf2
+          - *lotte

config/default.nix

@@ -0,0 +1,7 @@
+{nixos-config, ...}: {
+  imports = [
+    "${nixos-config}/modules"
+    "${nixos-config}/services/tailscale.nix"
+    ./systemd-boot.nix
+  ];
+}

config/systemd-boot.nix

@@ -0,0 +1,5 @@
+_: {
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.generic-extlinux-compatible.enable = false;
+  boot.loader.efi.canTouchEfiVariables = true;
+}

flake.lock

@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730190761,
+        "narHash": "sha256-o5m5WzvY6cGIDupuOvjgNSS8AN6yP2iI9MtUC6q/uos=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "3979285062d6781525cded0f6c4ff92e71376b55",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -168,6 +188,21 @@
         "type": "github"
       }
     },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1730161780,
+        "narHash": "sha256-z5ILcmwMtiCoHTXS1KsQWqigO7HJO8sbyK7f7wn9F/E=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "07d15e8990d5d86a631641b4c429bc0a7400cfb8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1730101162,
@@ -250,6 +285,7 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "flake-compat": "flake-compat",
         "flake-utils": "flake-utils",
         "flakey-profile": "flakey-profile",
@@ -258,6 +294,7 @@
         "lix": "lix",
         "lix-module": "lix-module",
         "nix2container": "nix2container",
+        "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "pre-commit-hooks": "pre-commit-hooks",
         "riscv-overlay": "riscv-overlay",

flake.nix

@@ -2,6 +2,10 @@
   description = "Lotte’s nix configuration";
 
   inputs = {
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     flake-compat = {
       url = "github:edolstra/flake-compat";
       flake = false;
@@ -39,6 +43,7 @@
       inputs.flake-utils.follows = "flake-utils";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    nixos-hardware.url = "github:NixOS/nixos-hardware";
     nixpkgs.url = "github:nixos/nixpkgs";
     pre-commit-hooks = {
       url = "github:cachix/git-hooks.nix";
@@ -133,6 +138,12 @@
               or {}
               // inputs';
           });
+      systems' = {
+        vf2 = {
+          config = ./machine/vf2;
+          system = "riscv64-linux";
+        };
+      };
       containers = mapAttrs (_: container:
         mkSystem {
           inherit (container) system;
@@ -141,8 +152,16 @@
           ];
         })
       self.nixosContainers;
+      systems = mapAttrs (_: system:
+        mkSystem {
+          inherit (system) system;
+          modules = [
+            system.config
+          ];
+        })
+      systems';
     in
-      containers;
+      containers // systems;
     hydraJobs = {
       inherit (self) checks devShells;
       nixosConfigurations = nixpkgs.lib.mapAttrs (_: v: v.config.system.build.toplevel) self.nixosConfigurations;

machine/vf2/default.nix

@@ -0,0 +1,12 @@
+{
+  nixos-config,
+  nixos-hardware,
+  ...
+}: {
+  imports = [
+    "${nixos-config}/config"
+    ./disko.nix
+    ./hardware.nix
+  ];
+  system.stateVersion = "24.11";
+}

machine/vf2/disko.nix

@@ -0,0 +1,63 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-eui.002538b371b824db";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              start = "1M";
+              end = "1024M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = ["umask=0077"];
+              };
+            };
+            root = {
+              size = "-8G";
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"]; # Override existing partition
+                # Subvolumes must set a mountpoint in order to be mounted,
+                # unless their parent is mounted
+                subvolumes = {
+                  # Subvolume name is different from mountpoint
+                  "/root" = {
+                    mountOptions = ["compress=zstd"];
+                    mountpoint = "/";
+                  };
+                  # Subvolume name is the same as the mountpoint
+                  "/persistent" = {
+                    mountOptions = ["compress=zstd"];
+                    mountpoint = "/persistent";
+                  };
+                  # Parent is not mounted so the mountpoint must be set
+                  "/nix" = {
+                    mountOptions = ["compress=zstd" "noatime"];
+                    mountpoint = "/nix";
+                  };
+                };
+                mountpoint = "/partition-root";
+              };
+            };
+            swap = {
+              size = "100%";
+              content = {
+                type = "swap";
+                discardPolicy = "both";
+                resumeDevice = true; # resume from hiberation from this device
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

machine/vf2/hardware.nix

@@ -0,0 +1,31 @@
+{nixos-hardware, ...}: {
+  imports = [
+    "${nixos-hardware}/starfive/visionfive/v2/default.nix"
+  ];
+  boot.loader.systemd-boot.extraInstallCommands = ''
+    set -euo pipefail
+    ${pkgs.coreutils}/bin/cp --no-preserve=mode -r ${config.hardware.deviceTree.package} ${config.boot.loader.efi.efiSysMountPoint}/
+    for filename in ${config.boot.loader.efi.efiSysMountPoint}/loader/entries/nixos*-generation-[1-9]*.conf; do
+      if ! ${pkgs.gnugrep}/bin/grep -q 'devicetree' $filename; then
+        ${pkgs.coreutils}/bin/echo "devicetree /dtbs/${config.hardware.deviceTree.name}" >> $filename
+      fi
+    done
+  '';
+  hardware.deviceTree.name = "starfive/jh7110-starfive-visionfive-2-v1.3b.dtb";
+  boot.initrd.kernelModules = [
+    "dw_mmc-starfive"
+    "motorcomm"
+    "dwmac-starfive"
+    "cdns3-starfive"
+    "jh7110-trng"
+    "phy-jh7110-usb"
+    "clk-starfive-jh7110-aon"
+    "clk-starfive-jh7110-stg"
+    "clk-starfive-jh7110-vout"
+    "clk-starfive-jh7110-isp"
+    "clk-starfive-jh7100-audio"
+    "phy-jh7110-pcie"
+    "pcie-starfive"
+    "nvme"
+  ];
+}

modules/default.nix

@@ -1,9 +1,10 @@
-{...}: {
+{disko, ...}: {
   imports = [
     ./riscv.nix
     ./containers/autoconfig.nix
     ./nix/lix.nix
     ./environment/impermanence.nix
     ./secrets/sops.nix
+    disko.nixosModules.default
   ];
 }

modules/environment/impermanence.nix

@@ -56,7 +56,7 @@ with lib; {
         {
           assertion =
             if hasAttr "/" config.fileSystems
-            then any (t: t == "subvol=root") config.fileSystems."/".options
+            then any (t: t == "subvol=root" || t == "subvol=/root") config.fileSystems."/".options
             else false;
           message = "rootfs must mount subvolume root";
         }

services/tailscale.nix

@@ -0,0 +1,7 @@
+{config, ...}: {
+  services.tailscale = {
+    enable = true;
+    authKeyFile = config.sops.secrets."services/tailscale/authKey".path;
+  };
+  sops.secrets."services/tailscale/authKey".sopsFile = ./tailscale.yaml;
+}

services/tailscale.yaml

@@ -0,0 +1,32 @@
+services:
+    tailscale:
+        authKey: ENC[AES256_GCM,data:VCiJpCOcDzX2JZBgljugvALjF5L/diF454RvYbRQCg7iFXj/Zc/qHTUG6j+VYhnyHG9cACFasXE/cHrExxY=,iv:e8bb3BywefCXoArCTBZknkCbxiBTq5UtMuEW00yuXG0=,tag:G3dIyGW+Q7Je0uscRQ7Img==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOcGF4UmpiMm1QeWNMQ3Rr
+            YTZLWlVlSlBMWEJndlZWb2FMbjh3aS9VRWswCmV3RGRLY2VHVmJqbTlWNGdpNWNM
+            SFh4NUZSQ3ZmNGRyR1VYcVZUbExpMVkKLS0tIGJvQVFNTXlINnQwbFc3N2l3UUJy
+            Z1d0QURwUTRFS0hicmwxRUhHOXVzYWMKn/VylEyrs86CQp4FOx093rxH+32Oa6Xx
+            dGTgV4PAUuwwoJiWN7yGMqNbCUuAxdwQCJwq/XShGUSMVhIAo1FnuA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RUVTOXc3ZlNseldZSmZN
+            bmtZTjlJTHZLbUd2bVRzWFk0MDJiZUo2RFM4CkdETzcwUUJRZUZlTm5iTFk4WUJN
+            TFA0c1Rha1JjV2s1amZqT0VKeGMvNW8KLS0tIHJWSjMxQmYzUFE5SnAwZmRQZTRv
+            c2VpVjdEL1pLSUlwRlhVOWUyUlhHeTQKalEeAV7BVFSphEnvL8ZZ8nOLpmOLR/vU
+            lR1z2ujjAXsgybpYANc4rBItKJ8ceo8hLLJs8qNJLyJqPdrdavO4tA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-29T09:11:58Z"
+    mac: ENC[AES256_GCM,data:0DTvlOMKIRR11bPB5VElyIKb1Xz5gJZuSOpwahnjlnKF/ba+0RENiKdkb60YTuS6+tv/gVxT+Xs4KWDTJw/3JcTIPhaah3x8q90UfmqE91zLy4oUWzRqFXBDEL5dNtN79/EKI4b19102jSOETvmTTGjjrXV1VSdL0ZMse1g07BA=,iv:WeoU6xUka6zMo5wZviU78OofS5+vTHTWD4m/29hHHp0=,tag:6QessEZIGVRr8NkaLydjtw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1