feat: introduce cutting edge Lix

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

.gitignore

@@ -1 +1,3 @@
 .direnv
+result
+.gcroots

configurations.nix

@@ -9,7 +9,6 @@ let
     colmena
     flake-registry
     nixos-hardware
-    nixpkgs-unstable
     srvos
     disko
     ;
@@ -29,7 +28,6 @@ let
     ./modules/users/admins.nix
     ./modules/packages.nix
     ./modules/nix-daemon.nix
-    ./modules/auto-upgrade.nix
     ./modules/tor-ssh.nix
     ./modules/hosts.nix
     ./modules/network.nix

flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1716561646,
-        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
+        "lastModified": 1718371084,
+        "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
+        "rev": "3a56735779db467538fb2e577eda28a9daacaca6",
         "type": "github"
       },
       "original": {
@@ -32,11 +32,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1711742460,
-        "narHash": "sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T+SVvsBt+45Mcc=",
+        "lastModified": 1717279440,
+        "narHash": "sha256-kH04ReTjxOpQumgWnqy40vvQLSnLGxWP6RF3nq5Esrk=",
         "owner": "zhaofengli",
         "repo": "attic",
-        "rev": "4dbdbee45728d8ce5788db6461aaaa89d98081f0",
+        "rev": "717cc95983cdc357bc347d70be20ced21f935843",
         "type": "github"
       },
       "original": {
@@ -76,11 +76,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1702918879,
-        "narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=",
+        "lastModified": 1717025063,
+        "narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb",
+        "rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
         "type": "github"
       },
       "original": {
@@ -118,11 +118,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716431128,
-        "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
+        "lastModified": 1718846788,
+        "narHash": "sha256-9dtXYtEkmXoUJV+PGLqscqF7qTn4AIhAKpFWRFU2NYs=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
+        "rev": "e1174d991944a01eaaa04bc59c6281edca4c0e6e",
         "type": "github"
       },
       "original": {
@@ -163,6 +163,22 @@
         "type": "github"
       }
     },
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -170,11 +186,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715865404,
-        "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
+        "lastModified": 1717285511,
+        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
+        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
         "type": "github"
       },
       "original": {
@@ -186,11 +202,11 @@
     "flake-registry": {
       "flake": false,
       "locked": {
-        "lastModified": 1705308826,
-        "narHash": "sha256-Z3xTYZ9EcRIqZAufZbci912MUKB0sD+qxi/KTGMFVwY=",
+        "lastModified": 1717415742,
+        "narHash": "sha256-HKvoLGZUsBpjkxWkdtctGYj6RH0bl6vcw0OjTOqyzJk=",
         "owner": "NixOS",
         "repo": "flake-registry",
-        "rev": "9c69f7bd2363e71fe5cd7f608113290c7614dcdd",
+        "rev": "895a65f8d5acf848136ee8fe8e8f736f0d27df96",
         "type": "github"
       },
       "original": {
@@ -257,11 +273,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1717527182,
-        "narHash": "sha256-vWSkg6AMok1UUQiSYVdGMOXKD2cDFnajITiSi0Zjd1A=",
+        "lastModified": 1718530513,
+        "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=",
         "owner": "rycee",
         "repo": "home-manager",
-        "rev": "845a5c4c073f74105022533907703441e0464bc3",
+        "rev": "a1fddf0967c33754271761d91a3d921772b30d0e",
         "type": "github"
       },
       "original": {
@@ -271,13 +287,54 @@
         "type": "github"
       }
     },
+    "lix": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
+        "nix2container": "nix2container",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-regression": "nixpkgs-regression",
+        "pre-commit-hooks": "pre-commit-hooks"
+      },
+      "locked": {
+        "lastModified": 1727301466,
+        "narHash": "sha256-357IEOtI+QZy9NzmKhU0vAS7aY528Uvh2n/gXQFgRpY=",
+        "ref": "refs/changes/46/1946/1",
+        "rev": "2c74949780830b5cfcd913ef24514dc8e7db5f14",
+        "revCount": 16269,
+        "type": "git",
+        "url": "https://gerrit.lix.systems/lix"
+      },
+      "original": {
+        "ref": "refs/changes/46/1946/1",
+        "type": "git",
+        "url": "https://gerrit.lix.systems/lix"
+      }
+    },
+    "nix2container": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1720642556,
+        "narHash": "sha256-qsnqk13UmREKmRT7c8hEnz26X3GFFyIQrqx4EaRc1Is=",
+        "owner": "nlewo",
+        "repo": "nix2container",
+        "rev": "3853e5caf9ad24103b13aa6e0e8bcebb47649fe4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nlewo",
+        "repo": "nix2container",
+        "type": "github"
+      }
+    },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1716715385,
-        "narHash": "sha256-fe6Z33pbfqu4TI5ijmcaNc5vRBs633tyxJ12HTghy3w=",
+        "lastModified": 1719069430,
+        "narHash": "sha256-d9KzCJv3UG6nX9Aur5OSEf4Uj+ywuxojhiCiRKYVzXA=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "2e7d6c568063c83355fe066b8a8917ee758de1b8",
+        "rev": "e8232c132a95ddc62df9d404120ad4ff53862910",
         "type": "github"
       },
       "original": {
@@ -302,6 +359,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1711460390,
@@ -318,13 +391,13 @@
         "type": "github"
       }
     },
-    "nixpkgs-unstable": {
+    "nixpkgs_2": {
       "locked": {
-        "lastModified": 1716715802,
-        "narHash": "sha256-usk0vE7VlxPX8jOavrtpOqphdfqEQpf9lgedlY/r66c=",
+        "lastModified": 1724932487,
+        "narHash": "sha256-zzbqHmY1mt21omyk1+14QbAkII1B7OHlwKLcczVq22w=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e2dd4e18cc1c7314e24154331bae07df76eb582f",
+        "rev": "b4f7fb71438d00539b21f1b1e6968c0eac060127",
         "type": "github"
       },
       "original": {
@@ -334,34 +407,34 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
+    "nur": {
       "locked": {
-        "lastModified": 1709742294,
-        "narHash": "sha256-8iPomMqw7grXVsugMJhsnHdbre8LnXOQUtHtMXRaWqc=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "56051fbe049bf39adc1f08eb51740c226a4c3b90",
+        "lastModified": 1719099906,
+        "narHash": "sha256-xo1cNkVBW7NxTU5zMu0B7ZkismtkHfTRWfhBXbNnp9g=",
+        "owner": "nix-community",
+        "repo": "NUR",
+        "rev": "315cf1f8c5f5e92150d81ccafba7525c54327094",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "56051fbe049bf39adc1f08eb51740c226a4c3b90",
+        "owner": "nix-community",
+        "repo": "NUR",
         "type": "github"
       }
     },
-    "nur": {
+    "pre-commit-hooks": {
+      "flake": false,
       "locked": {
-        "lastModified": 1716741358,
-        "narHash": "sha256-4bxptwbmplGKq3W4tl6Zem/bOHsdLP4DSPcm/FfCaFE=",
-        "owner": "nix-community",
-        "repo": "NUR",
-        "rev": "c65a3bde6793b437a705edfe5ff8435cbb8307a2",
+        "lastModified": 1721042469,
+        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
-        "repo": "NUR",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
         "type": "github"
       }
     },
@@ -374,9 +447,9 @@
         "flake-parts": "flake-parts",
         "flake-registry": "flake-registry",
         "home-manager": "home-manager_2",
+        "lix": "lix",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
-        "nixpkgs-unstable": "nixpkgs-unstable",
         "nur": "nur",
         "srvos": "srvos"
       }
@@ -388,15 +461,15 @@
         ]
       },
       "locked": {
-        "lastModified": 1716425501,
-        "narHash": "sha256-BSLhmGYY1khyyBAjraR+N0Pa9Nha/et5yQQlEZxcfkU=",
-        "owner": "numtide",
+        "lastModified": 1724920817,
+        "narHash": "sha256-qWXS+4M9kHXxG1HgZuv+3gm3KQc1aPdBZUPnLLev8w0=",
+        "owner": "nix-community",
         "repo": "srvos",
-        "rev": "1122cd50a23647e09c3e7a679d37ec02113bc412",
+        "rev": "977841b31ddbd3c919f56767a6f85d0615440759",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
+        "owner": "nix-community",
         "repo": "srvos",
         "type": "github"
       }

flake.nix

@@ -4,15 +4,16 @@
   # To update all inputs:
   # $ nix flake update --recreate-lock-file
   inputs = {
+    lix.url = "git+https://gerrit.lix.systems/lix?ref=refs/changes/46/1946/1";
+    lix.inputs.nixpkgs.follows = "nixpkgs";
+
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "nixpkgs";
 
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
 
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
-    # contains kernel 6.7.7, do not update
-    nixpkgs.url = "github:NixOS/nixpkgs/56051fbe049bf39adc1f08eb51740c226a4c3b90";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 
     nixos-hardware.url = "github:NixOS/nixos-hardware";
     nur.url = "github:nix-community/NUR";
@@ -28,7 +29,7 @@
 
     attic.url = "github:zhaofengli/attic";
 
-    srvos.url = "github:numtide/srvos";
+    srvos.url = "github:nix-community/srvos";
     # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
     srvos.inputs.nixpkgs.follows = "nixpkgs";
 

hosts/epyc.nix

@@ -1,7 +1,7 @@
-{ lib, pkgs, ... }:
+{ inputs, lib, pkgs, ... }:
 let
   gcc-system-features = arch: lib.optionals (arch != null) ([ "gccarch-${arch}" ]
-    ++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch});
+  ++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch});
 in
 {
   imports = [
@@ -9,25 +9,22 @@ in
     ../modules/hardware/supermicro-H12SSL-i.nix
     ../modules/iperf-server.nix
     ../modules/hypervisor.nix
-    ../modules/hydra/coordinator.nix
     ../modules/android-cache.nix
     ../modules/garage.nix
     ../modules/users/friends.nix
+    ../modules/bagel-container.nix
+    ../modules/lix-bug-details-pls
   ];
 
   networking.hostName = "epyc";
 
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "epyc@lahfa.xyz";
+
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  virtualisation.docker = {
-    enable = true;
-    rootless.enable = true;
-  };
-
-  # TODO: there's a critical bug on 6.8+ where btrfs won't mount the rootfs at all.
-  # Do not upgrade until it is fixed. Ping Raito when needed.
-  boot.kernelPackages = pkgs.linuxPackages_6_7;
+  boot.kernelPackages = pkgs.linuxPackages_latest;
 
   # Open public access to our PostgreSQL.
   services.postgresql.enable = true;

modules/bagel-container.nix

@@ -0,0 +1,46 @@
+# Stateful/mutable container used for Bagel (tm) related infra (mostly
+# rebuilding nixpkgs a lot).
+#
+# System image is stored at /var/lib/machines/bagel.
+{
+  systemd.nspawn.bagel = {
+    execConfig = {
+      Boot = true;
+      Ephemeral = false;
+      PrivateUsers = true;
+      NotifyReady = true;
+      LinkJournal = "try-guest";
+    };
+
+    networkConfig = {
+      Bridge = "wan-br";
+      VirtualEthernetExtra = "vb-bagel-v4:host1";
+    };
+  };
+
+  systemd.services."systemd-nspawn@bagel" = {
+    wantedBy = [ "machines.target" ];
+    wants = [ "network.target" ];
+    after = [ "network.target" ];
+    overrideStrategy = "asDropin";
+  };
+
+  systemd.network.networks."20-vb-bagel-v4" = {
+    matchConfig.Name = "vb-bagel-v4";
+    networkConfig.Address = [ "172.16.100.1/24" ];
+    networkConfig.IPMasquerade = true;
+  };
+
+  # Configure a local Nix builder account, since getting sandboxing and KVM
+  # working inside the container will be tricky.
+  users.users.bagel-builder = {
+    isSystemUser = true;
+    group = "nogroup";
+    home = "/var/empty";
+    shell = "/bin/sh";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
+    ];
+  };
+  nix.settings.trusted-users = [ "bagel-builder" ];
+}

modules/buildbot/default.nix

@@ -34,7 +34,6 @@ in
       pkgs.gh
       pkgs.nix
       pkgs.nix-output-monitor
-      inputs.attic.packages.x86_64-linux.attic
     ];
     environment.PYTHONPATH = "${python.withPackages (_: [package])}/${python.sitePackages}";
     environment.MASTER_URL = ''TCP:2a01\\:e34\\:ec2a\\:8e60\\:8ec7\\:b5d2\\:f663\\:a67a:9989'';

modules/hardware/supermicro-H12SSL-i.nix

@@ -14,33 +14,43 @@
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  boot.initrd.extraUtilsCommands = ''
-    copy_bin_and_libs ${pkgs.nvme-cli}/bin/nvme
-    copy_bin_and_libs ${pkgs.util-linux}/bin/blkzone
-    copy_bin_and_libs ${pkgs.util-linux}/bin/lsblk
-  '';
+  boot.initrd.services.lvm.enable = true;
+  boot.initrd.systemd.enable = true;
 
-  boot.initrd.systemd.enable = lib.mkForce false;
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/3a81ba8f-f5bb-446c-89a3-ad77e354dae0";
-      fsType = "btrfs";
+  fileSystems."/experiments" =
+    { device = "/dev/disk/by-uuid/40ef7d25-91c5-41e4-a40f-b0fb93658ffe";
+      fsType = "ext4";
     };
 
-  boot.initrd.luks.devices."nixroot" = {
-   device = "/dev/disk/by-uuid/c10d2822-cb83-4666-98f8-0aa04be259bc";
-   keyFile = "/dev/zero";
-   keyFileSize = 1;
-  };
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/53cc33a3-1488-44c4-8f5d-a2bc67914274";
+      fsType = "xfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/cee7b903-53f6-4967-b95d-654d34ccd460";
+      fsType = "xfs";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/5625935d-579b-41e4-be35-03df8437bc2c";
+      fsType = "xfs";
+    };
+
+  fileSystems."/var" =
+    { device = "/dev/disk/by-uuid/33bf7f4e-37f5-4121-84ac-70d06964ea21";
+      fsType = "xfs";
+    };
 
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/AFF2-3149";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/93e251e1-1bfc-4bd4-8585-ea2eae7795bf"; }
-  ];
+    ];
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

modules/lix-bug-details-pls/0001-wip-complain-about-failing-goals-at-warn-level.patch

@@ -0,0 +1,40 @@
+From 96937c58232ad6eaa11d1370220101c3ce2d00c3 Mon Sep 17 00:00:00 2001
+From: Jade Lovelace <lix@jade.fyi>
+Date: Thu, 29 Aug 2024 23:04:39 -0700
+Subject: [PATCH] wip: complain about failing goals at warn level
+
+I want to fix the bug that appears here:
+
+error: build of '/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-nixos-test-driver-nix-copy-closure.drv' on 'ssh-ng://nix@epyc.infra.newtype.fr' failed: error: some dependencies of '/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-nixos-test-driver-nix-copy-closure.drv' are missing
+error: builder for '/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-nixos-test-driver-nix-copy-closure.drv' failed with exit code 1
+error: 1 dependencies of derivation '/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-vm-test-run-nix-copy-closure.drv' failed to build
+
+However, this is conditional on nrFailed, and I cannot for the life of
+me figure out *who* is failing and *why*.
+
+Hopefully with these data I can narrow down why this bug is happening
+
+Change-Id: I7dca71b1c8ac92e7cc40c47ab37c952a7673cf42
+---
+ src/libstore/build/worker.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/libstore/build/worker.cc b/src/libstore/build/worker.cc
+index 1b4633e64..a93be28a6 100644
+--- a/src/libstore/build/worker.cc
++++ b/src/libstore/build/worker.cc
+@@ -160,7 +160,10 @@ void Worker::goalFinished(GoalPtr goal, Goal::Finished & f)
+ 
+             waiting->trace(fmt("waitee '%s' done; %d left", goal->name, waiting->waitees.size()));
+ 
+-            if (f.result != Goal::ecSuccess) ++waiting->nrFailed;
++            if (f.result != Goal::ecSuccess) {
++                ++waiting->nrFailed;
++                warn("Waiter %s experienced non-success of waitee %s with result %d", waiting->getName(), goal->getName(), f.result);
++            }
+             if (f.result == Goal::ecNoSubstituters) ++waiting->nrNoSubstituters;
+             if (f.result == Goal::ecIncompleteClosure) ++waiting->nrIncompleteClosure;
+ 
+-- 
+2.44.1
+

modules/lix-bug-details-pls/default.nix

@@ -0,0 +1,21 @@
+{ ... }:
+{
+  # jade: this exists because of a Lix bug that has me losing my damn mind and we really cannot debug it without either:
+  # * debug logs (infeasible. they are way too spammy)
+  # * patching lix (well look where we are)
+  #
+  # I don't really think it's necessarily appropriate to log at info level when
+  # a derivation fails on `main`, so here we have a yolopatch to get the damn
+  # thing in the log.
+  #
+  # I suspect it is a race condition with the garbage collector.
+  nixpkgs.overlays = [
+    (final: prev: {
+      lix = prev.lix.overrideAttrs (old: {
+        patches = old.patches ++ [
+          ./0001-wip-complain-about-failing-goals-at-warn-level.patch
+        ];
+      });
+    })
+  ];
+}

modules/network.nix

@@ -14,8 +14,8 @@
     '')
     config.networking.newtype.hosts);
 
-  # leave container interfaces alone
-  systemd.network.networks."05-veth".extraConfig = ''
+  # leave container interfaces alone unless otherwise specified
+  systemd.network.networks."95-veth".extraConfig = ''
     [Match]
     Driver = veth
 
@@ -34,12 +34,29 @@
     linkConfig.Name = "nat-lan";
   };
 
-  systemd.network.networks."10-wan" = {
-    matchConfig.Name = "wan";
+  systemd.network.netdevs."10-wan-br" = {
+    netdevConfig.Name = "wan-br";
+    netdevConfig.Kind = "bridge";
+    netdevConfig.MACAddress = "none";
+    bridgeConfig.MulticastSnooping = false;
+  };
+
+  systemd.network.links."10-wan-br" = {
+    matchConfig.Name = "wan-br";
+    linkConfig.MACAddressPolicy = "none";
+  };
+
+  systemd.network.networks."10-wan-br" = {
+    matchConfig.Name = "wan-br";
     linkConfig.RequiredForOnline = true;
     networkConfig.Address = [ config.networking.newtype.currentHost.ipv6 ];
   };
 
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "wan";
+    networkConfig.Bridge = "wan-br";
+  };
+
   systemd.network.links."10-wan" = {
     matchConfig.MACAddress = "3c:ec:ef:7e:bd:c9";
     linkConfig.Name = "wan";

modules/nix-daemon.nix

@@ -57,9 +57,9 @@ in
       # Randomize GC to avoid thundering herd effects.
       gc.randomizedDelaySec = "1800";
 
-      # Inchallah, it works.
-      package = pkgs.nixVersions.nix_2_18;
-      # package = lib.mkForce inputs.nixpkgs-unstable.legacyPackages.x86_64-linux.nixVersions.nix_2_17;
+      # A much better choice.
+      # Raito: We use this machine as a testing bed for cutting edge Lix features.
+      package = inputs.lix.packages.x86_64-linux.default;
 
       # should be enough?
       nrBuildUsers = 128;

modules/packages.nix

@@ -1,4 +1,4 @@
-{ pkgs, inputs, ... }: {
+{ pkgs, config, inputs, ... }: {
   # this extends the list from:
   # https://github.com/numtide/srvos/blob/master/server.nix#L10
   environment.systemPackages = with pkgs; [
@@ -6,7 +6,6 @@
     whois
 
     nix-output-monitor
-    inputs.attic.packages.x86_64-linux.attic
     jq
     psmisc
     libarchive
@@ -35,9 +34,10 @@
     ethtool
     usbutils
 
-    ipmitool
+    config.boot.kernelPackages.perf
+    pwru
 
-    nix-top
+    ipmitool
     # tries to default to soft-float due to out-dated cc-rs
   ] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich;
 }

modules/users/friends.nix

@@ -80,5 +80,15 @@ in
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV"
       ];
     };
+    # Raito: Temporary account for the next week, for VM testing in the context of the systemd-hardening project.
+    jmarquet = {
+      isNormalUser = true;
+      home = "/home/jmarquet";
+      uid = 2008;
+      expires = "2024-08-30";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d thejohncrafter@system76-pc"
+      ];
+    };
   };
 }

modules/users/keys/akechi.keys

@@ -1,2 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDmC/lBooMyJZnyuU0/f6Qufi48DCEQ1RNT1l25cbvZWCXRrAJuQUTgb7u2nl8SEiQTRbZy/FTesaoPNBRWtWXK/8M0K58DeTMdNeTV8joW+vwEzRF3LPb9gU3FqCuuFFRqhJNC16cFBxXMCyjmktl8EG9o5yVcT/6HdwvXRKlas+EqXHlZblXxYQfCjWkpd3vzIoEfPwkUpQFlvLltTBT+EUWTiysvF8cCCuBx7EXHX++fNNySDoB9bQJ+sYoAvuhtfZ5eYNePpYQCV71KMEPYBqJ7AQpvdbMa34Rx7mghGCLk580qWTuXf/vqKRD4EAsvPYtK/xJNyjrCTX99TL60NIsBgNzQvvFFIaAsD91nD13gaEvybOjIo1lbzSZhbreX1qdWeUCR32HDUH4fEVv81VSaPbH2zxWqIf8bLDMJ7pCLKncyCZD1yVFCXsDV/J8BQq0c3GtFh3eEt59bkk6iU+LXv9dvwJtCvsp087Yh4qhj0L9z2zgczeljKJtFFTZhWbY3WEKiureoI7iPEJvLB8B6pGF0qQmIjbIIx6gtBoJc891w+XUmaXfHhWsVV7eq2y/AU7BvXAZp3LigWvosmPpoYsgjS0RNp2RJo2ufN6wKBtq+qv0xM+S6JvXo5pf2Oe11qp8hxF32MNv+djFK3Qf/JMkZAQd1Y/vW/Gg8Xw==
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5vbxUd8I+uF/OY/PpPhSzrLN14Waq82uyQXNPYpHjA
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICRDM7fyeGRgYzuW+falRZayYSf5xMwj2d2PI9vSyjOD