include static config in template

flake.lock

@@ -18,18 +18,86 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flakey-profile": {
+      "locked": {
+        "lastModified": 1712898590,
+        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lf-",
+        "repo": "flakey-profile",
+        "type": "github"
+      }
+    },
+    "lix": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1746827285,
+        "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=",
+        "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz"
+      }
+    },
+    "lix-module": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "flakey-profile": "flakey-profile",
+        "lix": "lix",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746838955,
+        "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=",
+        "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1733550349,
-        "narHash": "sha256-NcGumB4Lr6KSDq+nIqXtNA8QwAQKDSZT7N9OTGWbTrs=",
+        "lastModified": 1750133334,
+        "narHash": "sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e2605d0744c2417b09f8bf850dfca42fcf537d34",
+        "rev": "36ab78dab7da2e4e27911007033713bab534187b",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -37,6 +105,7 @@
     "root": {
       "inputs": {
         "flake-utils": "flake-utils",
+        "lix-module": "lix-module",
         "nixpkgs": "nixpkgs"
       }
     },
@@ -54,6 +123,21 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,26 +1,36 @@
 {
   description = "NixOS ISO of netali";
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
     flake-utils.url = "github:numtide/flake-utils";
+    lix-module.url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz";
+    lix-module.inputs.nixpkgs.follows = "nixpkgs";
   };
-  outputs = { self, nixpkgs, flake-utils, ... }@inputs: {
+  outputs = { self, nixpkgs, flake-utils, lix-module, ... }@inputs: {
 
     iso = (nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       specialArgs = inputs;
-      modules = [ ./iso.nix ];
+      modules = [
+        ./iso.nix
+        lix-module.nixosModules.default
+      ];
     }).config.system.build.isoImage;
 
     hydraJobs.iso = self.iso;
 
     overlays.default = (import ./packages);
   } // flake-utils.lib.eachDefaultSystem (system: let
-    pkgs = nixpkgs.legacyPackages.${system};
+    lixpkgs = import nixpkgs {
+      inherit system;
+      overlays = [
+        lix-module.overlays.default
+      ];
+    };
   in {
     packages = {
-      netali-configure-net-ruby = pkgs.callPackage ./packages/netali-configure-net-ruby {};
-      netali-default-config-ruby = pkgs.callPackage ./packages/netali-default-config-ruby {};
+      netali-configure-net-ruby = lixpkgs.callPackage ./packages/netali-configure-net-ruby {};
+      netali-default-config-ruby = lixpkgs.callPackage ./packages/netali-default-config-ruby {};
     };
   });
 }

iso.nix

@@ -12,7 +12,7 @@
   nixpkgs.overlays = [ (import ./packages) ];
 
   networking.hostName = "netalis-nixos-iso";
-  isoImage.isoBaseName = "netalis-nixos-iso";
+  isoImage.isoBaseName = lib.mkForce "netalis-nixos-iso";
 
   boot.supportedFilesystems =
     [ "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs" ] ++
@@ -21,6 +21,32 @@
   # Configure host id for ZFS to work
   networking.hostId = lib.mkDefault "8425e349";
 
+  nix = {
+    settings = {
+      trusted-users = [ "@wheel" ];
+      experimental-features = [ "nix-command" "flakes" ];
+      auto-optimise-store = true;
+    };
+    extraOptions = ''
+      min-free = ${toString (100 * 1024 * 1024)}
+      max-free = ${toString (1024 * 1024 * 1024)}
+    '';
+    nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
+    registry = lib.mkForce {
+      "nixpkgs" = {
+        from = {
+          type = "indirect";
+          id = "nixpkgs";
+        };
+        to = {
+          type = "path";
+          path = lib.cleanSource pkgs.path;
+        };
+        exact = true;
+      };
+    };
+  };
+
   environment.systemPackages = with pkgs; [
     w3m-nographics # needed for the manual anyway
     testdisk # useful for repairing boot problems

packages/netali-configure-net-ruby/default.nix

@@ -1,20 +1,31 @@
 { writeShellScriptBin, iproute2 }:
 
 writeShellScriptBin "netali-configure-net-ruby" ''
-  if [[ $# -ne 2 ]]; then
-    echo "Usage: netali-configure-net-ruby [interface] [last-ip-block]"
+  if [[ $# -ne 3 ]]; then
+    echo "Usage: netali-configure-net-ruby [interface] [last-ip-block] [mode]"
     echo ""
     echo "interface:       name of the network interface to configure"
     echo "last-ip-block:   last block of the IPv6 address of this host"
+    echo "mode:            'public' or 'internal' (affects IP subnet)"
     exit 1
   fi
 
   INTERFACE=$1
   LAST_IP_BLOCK=$2
+  MODE=$3
+
+  if [[ $MODE == "public" ]]; then
+    PREFIX="2a00:fe0:1:21f::"
+    GATEWAY="2a00:fe0:1:21f::1"
+  else
+    PREFIX="2a00:fe0:3f5:1000::"
+    GATEWAY="2a00:fe0:3f5:1000::1"
+  fi
 
   ${iproute2}/bin/ip link set up $INTERFACE
-  ${iproute2}/bin/ip a a 2001:67c:a6c:a::$LAST_IP_BLOCK/64 dev $INTERFACE
-  ${iproute2}/bin/ip r a default via fe80::1 dev $INTERFACE
+  ${iproute2}/bin/ip a a $PREFIX$LAST_IP_BLOCK/64 dev $INTERFACE
+  ${iproute2}/bin/ip r a default via $GATEWAY dev $INTERFACE
 
-  echo "nameserver 2606:4700:4700::1111" > /etc/resolv.conf
+  echo "nameserver 2a00:fe0:0:2::300" > /etc/resolv.conf
+  echo "nameserver 2a00:fe0:0:3::300" >> /etc/resolv.conf
 ''

packages/netali-default-config-ruby/config-template.txt

@@ -4,12 +4,12 @@
   imports =
     [
       ./hardware-configuration.nix
+      ./static.nix
     ];
 
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
-
-  boot.tmp.useTmpfs = true;
+  boot.tmp.cleanOnBoot = true;
 
   networking.nftables.enable = true;
 
@@ -18,7 +18,7 @@
   users.users.netali = {
     isNormalUser = true;
     extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOV4f3/OcNQIHqomvH0nGLDmXDlrO/u7JKE9Fgq2Vuqs me@netali.de" ];
+    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPqnMKa8BZmbRM2Oc4E8N9h9N26ABPLgPTketLNSK7l7 me@netali.de" ];
   };
 
   time.timeZone = "Europe/Berlin";
@@ -31,7 +31,7 @@
 
   services.qemuGuest.enable = true;
 
-  system.stateVersion = "24.11";
+  system.stateVersion = "$STATE_VERSION";
 
   networking.hostName = "$TARGET_HOSTNAME";
 
@@ -42,7 +42,7 @@
   networking.useDHCP = false;
   networking.dhcpcd.enable = false;
 
-  networking.nameservers = [ "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+  networking.nameservers = [ "2a00:fe0:0:2::300" "2a00:fe0:0:3::300" ];
 
   nix = {
     settings = {
@@ -64,16 +64,16 @@
   systemd.network = {
     enable = true;
     networks = {
-      "40-ens18" = {
-        name = "ens18";
+      "40-$INTERFACE" = {
+        name = "$INTERFACE";
         networkConfig = {
           IPv6AcceptRA = false;
         };
         address = [
-          "2001:67c:a6c:a::$LAST_IP_BLOCK/64"
+          "$PREFIX$LAST_IP_BLOCK/64"
         ];
         gateway = [
-          "2001:67c:a6c:a::1"
+          "$GATEWAY"
         ];
       };
     };

packages/netali-default-config-ruby/default.nix

@@ -1,18 +1,34 @@
 { writeShellScriptBin, envsubst }:
 
 writeShellScriptBin "netali-default-config-ruby" ''
-  if [[ $# -ne 3 ]]; then
-    echo "Usage: netali-default-config-ruby [out-path] [hostname] [last-ip-block]"
+  if [[ $# -ne 6 ]]; then
+    echo "Usage: netali-default-config-ruby [out-path] [hostname] [interface] [last-ip-block] [mode] [state-version]"
     echo ""
     echo "out-path:        path to which the configuration will be written"
-    echo "hostname:        path to which the configuration will be written"
+    echo "hostname:        hostname of the new host"
+    echo "interface:       name of the network interface to configure"
     echo "last-ip-block:   last block of the IPv6 address of this host"
+    echo "mode:            'public' or 'internal' (affects IP subnet)"
+    echo "state-version:   NixOS State Version"
     exit 1
   fi
   
   OUT_PATH=$1
   export TARGET_HOSTNAME="$2"
-  export LAST_IP_BLOCK="$3"
+  export INTERFACE=$3
+  export LAST_IP_BLOCK=$4
+  MODE=$5
+  export STATE_VERSION=$6
 
-  ${envsubst}/bin/envsubst -i ${./config-template.txt} -o $OUT_PATH
+  if [[ $MODE == "public" ]]; then
+    export PREFIX="2a00:fe0:1:21f::"
+    export GATEWAY="2a00:fe0:1:21f::1"
+  else
+    export PREFIX="2a00:fe0:3f5:1000::"
+    export GATEWAY="2a00:fe0:3f5:1000::1"
+  fi
+
+  cp ${./static.nix} $OUT_PATH/static.nix
+  chmod 644 $OUT_PATH/static.nix
+  ${envsubst}/bin/envsubst -i ${./config-template.txt} -o $OUT_PATH/configuration.nix
 ''

packages/netali-default-config-ruby/static.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Pin current nixpkgs channel and flake registry to the nixpkgs version
+  # the host got build with
+  nix.nixPath = lib.mkForce [ "nixpkgs=\\${lib.cleanSource pkgs.path}" ];
+  nix.registry = lib.mkForce {
+    "nixpkgs" = {
+      from = {
+        type = "indirect";
+        id = "nixpkgs";
+      };
+      to = {
+        type = "path";
+        path = lib.cleanSource pkgs.path;
+      };
+      exact = true;
+    };
+  };
+}