incus preseed reload not working

flake.lock

@@ -278,11 +278,11 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1719601133,
+        "lastModified": 1719686367,
-        "narHash": "sha256-2+e92LyX1fFj3mIZft+K8OzR9NT/1xtheO8hO/3DyRc=",
+        "narHash": "sha256-zQ/Mgrg3GjE4QkweXPLAtbO8SnfzTXZrqmm8oZwXBV4=",
         "ref": "refs/heads/master",
-        "rev": "278ccbbd646e86cab5fd38d43d9134270d8123d0",
+        "rev": "eb8d568c7e30a8c45148fa5c235ebd49bc8effee",
-        "revCount": 141,
+        "revCount": 148,
         "type": "git",
         "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
       },
@@ -340,11 +340,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1719254875,
+        "lastModified": 1719506693,
-        "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=",
+        "narHash": "sha256-C8e9S7RzshSdHB7L+v9I51af1gDM5unhJ2xO1ywxNH8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60",
+        "rev": "b2852eb9365c6de48ffb0dc2c9562591f652242a",
         "type": "github"
       },
       "original": {
@@ -368,11 +368,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1719469291,
+        "lastModified": 1719657372,
-        "narHash": "sha256-Efir01r7ThPabDBFOygX1UDyerJFHelbRGdMo/VNw14=",
+        "narHash": "sha256-3uCk0WXaUZPErNGUNCCbOg+DgZIjA6OgyqFYJwfZ4+0=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "8f52e4d1e34039937efb0ee05825b9963ef29739",
+        "rev": "5b94f0caddc9f406554701a214f879c75fb0ee60",
         "type": "github"
       },
       "original": {
@@ -384,11 +384,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1719596768,
+        "lastModified": 1719679086,
-        "narHash": "sha256-quSWztqqMxvSJIKddYp1D0GdR7Kg8JjEVCIzMbtBTQ4=",
+        "narHash": "sha256-4s1Tn2T9EY9WE94bu9dGZXvl2L1BaerQSzoUfkpSINY=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "35e48702118124ec52a071e300f55c78a4b7b338",
+        "rev": "0dee89a38d574f3fd8a1ebe1dc43bfe8fb3448ec",
         "type": "github"
       },
       "original": {

hosts/common/containers/postgres.yaml

@@ -0,0 +1,38 @@
+architecture: x86_64
+config:
+  boot.autostart: "true"
+  image.architecture: amd64
+  image.description: Nixos unstable amd64 (20240630_01:00)
+  image.os: Nixos
+  image.release: unstable
+  image.requirements.secureboot: "false"
+  image.serial: "20240630_01:00"
+  image.type: squashfs
+  image.variant: default
+  security.nesting: "true"
+  volatile.base_image: bbd293f2d08dfe82b4d81f28aeb3f1f7fef829f717e3073423c59fd6a7794749
+  volatile.cloud-init.instance-id: 90575adf-c804-483b-bb95-a188cdc47101
+  volatile.eth0.host_name: veth79bf6370
+  volatile.eth0.hwaddr: 00:16:3e:17:c1:da
+  volatile.idmap.base: "0"
+  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
+  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
+  volatile.last_state.idmap: '[]'
+  volatile.last_state.power: RUNNING
+  volatile.uuid: 62db570b-8c46-4199-8657-1c387f6fddba
+  volatile.uuid.generation: 62db570b-8c46-4199-8657-1c387f6fddba
+devices:
+  eth0:
+    name: eth0
+    nictype: bridged
+    parent: lxdBrDefault
+    type: nic
+  root:
+    path: /
+    pool: test
+    type: disk
+ephemeral: false
+profiles:
+- default
+stateful: false
+description: ""

hosts/common/disks/zfs/post-install-setup.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./zspeed.nix

hosts/common/disks/zfs/zspeed.nix

@@ -0,0 +1,73 @@
+{
+  disko.devices = {
+    disk = {
+      x = {
+        type = "disk";
+        device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0";
+        content = {
+          type = "gpt";
+          partitions = {
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zspeed";
+              };
+            };
+          };
+        };
+      };
+      y = {
+        type = "disk";
+        device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3";
+        content = {
+          type = "gpt";
+          partitions = {
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zspeed";
+              };
+            };
+          };
+        };
+      };
+    };
+    zpool = {
+      zspeed = {
+        type = "zpool";
+        mode = "mirror";
+        rootFsOptions = {
+          "compression" = "zstd-4";
+          "com.sun:auto-snapshot" = "false";
+          "xattr" = "sa";
+          "atime" = "off";
+        };
+        options = {
+          "ashift" = "13";
+        };
+        postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zspeed@blank$' || zfs snapshot zspeed@blank";
+
+        datasets = {
+          postgres = {
+            type = "zfs_volume";
+            size = "10G -s";
+            options = {
+              "com.sun:auto-snapshot:daily" = "true";
+              "volblocksize" = "8k";
+            };
+          };
+          lxc = {
+            type = "zfs_volume";
+            size = "10G -s";
+            options = {
+              "com.sun:auto-snapshot:daily" = "true";
+              "volblocksize" = "8k";
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/common/optional/lxd/default.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./lxd-preseed.nix
+  ];
+  networking.nftables.enable = true;
+  networking.firewall.enable = false;
+  virtualisation = {
+    incus = {
+      package = pkgs.incus;
+      enable = true;
+    };
+  };
+}

hosts/common/optional/lxd/lxd-preseed.nix

@@ -0,0 +1,35 @@
+{ ... }:
+
+let
+  lxd_profiles = {
+    "postgres" = (import ./profiles/postgres.nix);
+    "default" = (import ./profiles/default.nix);
+  };
+in
+{
+  virtualisation = {
+    incus = {
+      preseed = {
+
+        config = {
+          "core.https_address" = ":8443";
+          "images.auto_update_interval" = 9;
+        };
+
+        networks = [
+          lxd_profiles.default.network
+          lxd_profiles.postgres.network
+        ];
+
+        profiles = [
+          lxd_profiles.default.profile
+          lxd_profiles.postgres.profile
+        ];
+
+        storage_pools =
+          lxd_profiles.default.storage_pools ++
+          lxd_profiles.postgres.storage_pools;
+      };
+    };
+  };
+}

hosts/common/optional/lxd/profiles/default.nix

@@ -0,0 +1,43 @@
+{
+  network = {
+    name = "lxdBrDefault";
+    type = "bridge";
+
+    config = {
+      "ipv4.address" = "10.100.2.1/8";
+      "ipv4.nat" = "true";
+      "ipv4.firewall" = "false";
+    };
+  };
+
+  storage_pools = [
+    {
+      name = "postgres";
+      driver = "btrfs";
+      config.source = "/dev/zvol/zspeed/postgres";
+    }
+    {
+      name = "lxc";
+      driver = "btrfs";
+      config.source = "/dev/zvol/zspeed/lxc";
+    }
+  ];
+
+  profile = {
+    name = "default";
+    devices = {
+      "eth0" = {
+        name = "eth0";
+        nictype = "bridged";
+        parent = "lxdBrDefault";
+        type = "nic";
+      };
+      "root" = {
+        path = "/";
+        pool = "default";
+        size = "8GiB";
+        type = "disk";
+      };
+    };
+  };
+}

hosts/common/optional/lxd/profiles/postgres.nix

@@ -0,0 +1,49 @@
+{
+  network = {
+    name = "lxdBrPsql";
+    type = "bridge";
+
+    config = {
+      "ipv4.address" = "10.100.1.1/8";
+      "ipv4.nat" = "true";
+      "ipv4.firewall" = "false";
+    };
+  };
+
+  storage_pools = [
+    {
+      name = "postgres";
+      driver = "btrfs";
+      config.source = "/dev/zvol/zspeed/postgres";
+    }
+    {
+      name = "lxc";
+      driver = "btrfs";
+      config.source = "/dev/zvol/zspeed/lxc";
+    }
+  ];
+
+  profile = {
+    name = "postgres";
+    devices = {
+      "eth0" = {
+        name = "eth0";
+        nictype = "bridged";
+        parent = "lxdBrPsql";
+        type = "nic";
+      };
+      "root" = {
+        path = "/";
+        pool = "default";
+        size = "8GiB";
+        type = "disk";
+      };
+      "db" = {
+        path = "/var/lib/postgresql/16/";
+        pool = "postgres";
+        source = "db";
+        type = "disk";
+      };
+    };
+  };
+}

hosts/common/users/admin/default.nix

@@ -1,5 +1,6 @@
 { pkgs, inputs, config, lib, ... }:
 let
+  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
   username = "admin";
   pubKeys = lib.filesystem.listFilesRecursive (../keys);
   hostname = config.networking.hostName;
@@ -7,7 +8,7 @@ let
   secretsDirectory = builtins.toString inputs.nix-secrets;
   secretsFile = "${secretsDirectory}/secrets.yaml";
 
-in 
+in
 {
   users.users.${username} = {
     isNormalUser = true;
@@ -15,7 +16,13 @@ in
     hashedPasswordFile = sopsHashedPasswordFile;
     openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
 
-    extraGroups = ["wheel"]; 
+    extraGroups = [
+      "wheel"
+    ] ++ ifTheyExist [
+      "docker"
+      "lxc"
+      "git"
+    ];
 
     packages = with pkgs; [
     ];
@@ -30,7 +37,7 @@ in
       path = "/home/${username}/.ssh/id_ed25519";
       mode = "0600";
       owner = "${username}";
-      };
+    };
     "ssh_keys/${username}/id_ed25519.pub" = {
       path = "/home/${username}/.ssh/id_ed25519.pub";
       mode = "0644";

hosts/nebula/default.nix

@@ -1,11 +1,10 @@
-{ inputs, config, lib, pkgs, outputs, ... }:
+{ inputs, ... }:
 let
   # Disko setup
   fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
-  dev = "/dev/sda"; # depends on target hardware
+  dev = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00005"; # depends on target hardware
   encrypted = false; # currrently only applies to btrfs
   impermanence = false; # currrently only applies to btrfs
-  btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
   user = "admin";
 in
 {
@@ -14,7 +13,7 @@ in
       # Create users for this host
       ../common/users/${user}
 
-      # Disk configuration
+      # Root disk configuration
       inputs.disko.nixosModules.disko
       (import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
 
@@ -24,7 +23,7 @@ in
 
       # Import optional options
       ../common/optional/openssh.nix
-
+      ../common/optional/lxd
 
     ];
 

psql.nix

@@ -0,0 +1,49 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, modulesPath, ... }:
+
+{
+  imports =
+    [
+      # Include the default lxd configuration.
+      "${modulesPath}/virtualisation/lxc-container.nix"
+      # Include the container-specific autogenerated configuration.
+      ./lxd.nix
+    ];
+
+  networking = {
+    dhcpcd.enable = false;
+    useDHCP = false;
+    useHostResolvConf = false;
+  };
+
+  systemd.network = {
+    enable = true;
+    networks."50-eth0" = {
+      matchConfig.Name = "eth0";
+      networkConfig = {
+        DHCP = "ipv4";
+        IPv6AcceptRA = true;
+      };
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  environment.systemPackages = [
+    pkgs.vim
+  ];
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_16;
+    ensureDatabases = [ "default" ];
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser  auth-method
+      local all       all     trust
+    '';
+  };
+
+  system.stateVersion = "24.11"; # Did you read the comment?
+}