change the default user shell to zsh

common/base-server.nix

@@ -4,6 +4,7 @@
   nix.package = lib.mkDefault pkgs.lix;
   services.openssh.enable = lib.mkForce true;
 
+  networking.nftables.enable = true;
   networking.firewall.enable = true;
   networking.firewall.logRefusedConnections = false;
   networking.firewall.logReversePathDrops = true;
@@ -33,4 +34,21 @@
   boot.kernelParams = [
     "panic=30" "boot.panic_on_fail"
   ];
+
+  boot.kernel.sysctl = {
+    # Set default TCP congestion control algorithm
+    "net.ipv4.tcp_congestion_control" = "bbr";
+
+    # Enable ECN
+    "net.ipv4.tcp_ecn" = 1;
+
+    # Enable TCP fast open
+    "net.ipv4.tcp_fastopen" = 3;
+  };
+
+  # reduce closure size, feel free to add your locale here
+  i18n.supportedLocales = [
+    "en_US.UTF-8/UTF-8"
+    "fr_FR.UTF-8/UTF-8"
+  ];
 }

common/default.nix

@@ -1,10 +1,12 @@
 {
   imports = [
     ./admins.nix
-    ./raito-vm.nix
-    ./raito-proxy-aware-nginx.nix
     ./base-server.nix
-    ./sysadmin
     ./hardening.nix
+    ./nix.nix
+    ./raito-proxy-aware-nginx.nix
+    ./raito-vm.nix
+    ./sysadmin
+    ./zsh.nix
   ];
 }

common/nix.nix

@@ -0,0 +1,21 @@
+{ lib, pkgs, ... }:
+{
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
+
+  # Provision a useful nixpkgs in NIX_PATH and flake registry on infra
+  # machines.
+  nixpkgs.flake = {
+    source = lib.cleanSource pkgs.path;
+    setNixPath = true;
+    setFlakeRegistry = true;
+  };
+
+  # Use our cache and trust its signing key. Still use cache.nixos.org as
+  # fallback.
+  nix.settings.substituters = [ "https://bagel-cache.s3-web.delroth.net/" ];
+  nix.settings.trusted-public-keys = [
+    "cache.forkos.org:xfXIUJO1yiEITJmYsVmNDa9BFSlgTh/YqZ+4ei1EhQg="
+  ];
+}

common/zsh.nix

@@ -0,0 +1,16 @@
+{ lib, pkgs, config, ... }: {
+  users.defaultUserShell = pkgs.zsh;
+  programs.zsh = {
+    enable = true;
+    enableCompletion = true;
+    autosuggestions.enable = true;
+    interactiveShellInit = ''
+      ${lib.getExe pkgs.nix-your-shell} zsh | source /dev/stdin
+    '';
+    promptInit = ''
+      # https://grml.org/zsh/grml-zsh-refcard.pdf
+      source ${pkgs.grml-zsh-config}/etc/zsh/zshrc
+      PS1='%n@${config.networking.fqdn} %/ \$ '
+    '';
+  };
+}

flake.nix

@@ -101,5 +101,7 @@
       fodwatch.imports = commonModules ++ [ ./hosts/fodwatch ];
       wob-vpn-gw.imports = commonModules ++ [ ./hosts/wob-vpn-gw ];
     } // builders;
+
+    hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.toplevel) self.nixosConfigurations;
   };
 }

hosts/bagel-box/default.nix

@@ -39,8 +39,8 @@
 
     hydra.enable = true;
     hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
-    # Takes 10 builders (0 → 9).
+    # Takes 4 builders (0 → 3).
-    hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 9;
+    hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 4;
 
     ofborg.enable = true;
   };

hosts/wob-vpn-gw/default.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ pkgs, lib, ... }:
 
 {
   ###### Hardware ######
@@ -86,6 +86,11 @@
     }) (lib.genList lib.id 12));
   };
 
+  networking.nftables.enable = true;
+  networking.firewall.extraInputRules = ''
+    iifname { "bmc*" } meta nfproto ipv4 udp dport 67 accept comment "DHCP server"
+  '';
+
   networking.vlans = lib.listToAttrs (map (x: lib.nameValuePair "bmc${toString x}" {
     interface = "oob";
     id = 101 + x;
@@ -111,5 +116,7 @@
 
   bagel.sysadmin.enable = true;
 
+  environment.systemPackages = [ pkgs.ipmitool ];
+
   system.stateVersion = "24.05";
 }

secrets.nix

@@ -5,6 +5,7 @@ let
 
   secrets = with keys; {
     hydra-s3-credentials = [ machines.bagel-box ];
+    hydra-signing-priv = [ machines.bagel-box ];
     hydra-ssh-key-priv = [ machines.bagel-box ];
     netbox-environment = [ machines.meta01 ];
     mimir-environment = [ machines.meta01 ];

services/baremetal-builder/default.nix

@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ pkgs, lib, config, ... }:
 let
   cfg = config.bagel.baremetal.builders;
 in
@@ -91,10 +91,25 @@ in
     deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
     deployment.tags = [ "builders" ];
 
-    networking.nameservers = lib.mkForce ["2001:4860:4860::6464"]; # todo: other dns64
+    # Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568
+    services.coredns = {
+      enable = true;
+      config = ''
+        . {
+          bind lo
+          forward . 2001:4860:4860::6464
+          template ANY A { rcode NOERROR }
+        }
+      '';
+    };
+    services.resolved.enable = false;
+    networking.resolvconf.useLocalResolver = true;
+
 
     bagel.sysadmin.enable = true;
 
+    environment.systemPackages = [ pkgs.ipmitool ];
+
     system.stateVersion = "24.05";
   };
 }

services/hydra/default.nix

@@ -48,6 +48,9 @@ in {
 
     age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
 
+    age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
+    age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
+
     age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
     age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
 
@@ -59,7 +62,16 @@ in {
     # XXX: Otherwise services.hydra-dev overwrites it to only hydra-queue-runner...
     #
     # Can be removed once this is added to some common config template.
-    nix.settings.trusted-users = [ "root" "hydra" "@wheel" ];
+    nix.settings.trusted-users = [ "root" "hydra" "hydra-www" "@wheel" ];
+
+    # Because Hydra can't fetch flake inputs otherwise... also yes, this
+    # prefix-based matching is absurdly bad.
+    nix.settings.allowed-uris = [
+      "github:"
+      "https://github.com/"
+      "https://git.lix.systems/"
+      "https://git@git.lix.systems/"
+    ];
 
     services.hydra-dev = {
       enable = true;
@@ -90,7 +102,7 @@ in {
           endpoint = "s3.delroth.net";
           region = "garage";
 
-          #secret-key = "TODO";
+          secret-key = config.age.secrets.hydra-signing-priv.path;
 
           compression = "zstd";
           log-compression = "br";

terraform/hydra.nix

@@ -111,5 +111,32 @@ in
         }
       ];
     };
+
+    resource.hydra_project.infra = {
+      name = "infra";
+      display_name = "ForkOS Infra";
+      description = "ForkOS infra repository";
+      homepage = "https://git.lix.system/the-distro/infra";
+      owner = "terraform";
+      enabled = true;
+      visible = true;
+    };
+
+    resource.hydra_jobset.infra_main = {
+      project = config.resource.hydra_project.infra.name;
+      state = "enabled";
+      visible = true;
+      name = "main";
+      type = "flake";
+      description = "main branch for the infra repo";
+
+      flake_uri = "git+https://git.lix.systems/the-distro/infra";
+
+      check_interval = 600;
+      scheduling_shares = 3000;
+      keep_evaluations = 5;
+
+      email_notifications = false;
+    };
   };
 }