infra/flake.nix

{
  description = "Gortium infra flake";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.darwin.follows = "";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lix = {
      url = "git+https://git.lix.systems/lix-project/lix?ref=main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixpkgs-uconsole.url = "github:NixOS/nixpkgs/nixos-25.11";
    nixos-uconsole = {
      url = "github:gortium/nixos-uconsole/cm5_fix";
      inputs.nixpkgs.follows = "nixpkgs-uconsole";
      inputs.nixos-raspberrypi.follows = "nixos-raspberrypi";
    };
    nixos-raspberrypi = {
      url = "github:gortium/nixos-raspberrypi/cm5-cross-v1";
      inputs.nixpkgs.follows = "nixpkgs-uconsole";
    };
  };

  outputs = { self, nixpkgs, agenix, lix
            , nixpkgs-uconsole, nixos-uconsole, nixos-raspberrypi
            , ... }@inputs:
    let
      system = "x86_64-linux";
      keys = import ./lib/keys.nix;
      paths = {
        flake = "/home/gortium/infra";
        identities = [
          "/home/gortium/.ssh/gortium_ssh_key"
          "/etc/ssh/ssh_host_ed25519_key"
          "/root/.age/bootstrap.key" ];
      };
      overlays = [ agenix.overlays.default ];
      pkgs = import nixpkgs {
        inherit system overlays;
        config.allowUnfree = true;
        config.permittedInsecurePackages = [ "openclaw-2026.3.12" ];
      };
      devShell = import ./shells/nix_dev.nix {
        inherit pkgs system agenix;
      };
    in {
      nixosConfigurations = {
        lazyworkhorse = nixpkgs.lib.nixosSystem {
          specialArgs = { inherit system self keys paths inputs; };
          modules = [
            {
              nixpkgs.overlays = overlays;
              nixpkgs.config.allowUnfree = true;
              nixpkgs.config.rocmSupport = true;
              nixpkgs.config.permittedInsecurePackages = [ "openclaw-2026.3.12" ];
              nix.package = lix.packages.${system}.default;
            }
            agenix.nixosModules.default
            ./hosts/lazyworkhorse/configuration.nix
            ./hosts/lazyworkhorse/hardware-configuration.nix
            ./modules/nixos/filesystem/hoardingcow-mount.nix
            ./modules/nixos/services/docker_manager.nix
            ./modules/nixos/services/open_code_server.nix
            ./modules/nixos/services/ollama_init_custom_models.nix
            ./modules/nixos/services/openclaw_node.nix
            ./modules/nixos/security/ai-worker-restricted.nix
            ./users/gortium.nix
            ./users/ai-worker.nix
          ];
        };

        cyt-pi = nixpkgs.lib.nixosSystem {
          specialArgs = { inherit self keys paths inputs; };
          modules = [
            {
              nixpkgs.overlays = overlays;
              nixpkgs.config.allowUnfree = true;
              nixpkgs.hostPlatform = "aarch64-linux";
              nix.package = lix.packages."aarch64-linux".default;
            }
            ./hosts/cyt-pi/configuration.nix
            ./hosts/cyt-pi/hardware-configuration.nix
          ];
        };

        uconsole-cm5 = nixpkgs-uconsole.lib.nixosSystem {
          system = "aarch64-linux";
          specialArgs = {
            inherit self keys paths inputs;
            nixos-raspberrypi = nixos-raspberrypi;
            isCM4 = false;
          };
          modules = [
            {
              nixpkgs.buildPlatform = "x86_64-linux";
              nixpkgs.hostPlatform = "aarch64-linux";
              nixpkgs.config.allowUnfree = true;
              boot.loader.raspberry-pi.bootloader = "kernel";
              # Kill camera packages — not needed on uConsole, break cross-compile
              nixpkgs.overlays = [
                # Make camera packages "unavailable" so no pkgs depend on them
                (final: prev: {
                  libcamera = prev.libcamera.overrideAttrs (_: { meta.platforms = []; });
                  libcamera-rpi = prev.libcamera-rpi.overrideAttrs (_: { meta.platforms = []; });
                  libpisp = prev.libpisp.overrideAttrs (_: { meta.platforms = []; });
                  # Pipewire in nixos-25.11 has libcamera unconditionally in buildInputs;
                  # meta.platforms trick doesn't help — must actually remove it
                  pipewire = prev.pipewire.overrideAttrs (old: {
                    buildInputs = builtins.filter
                      (x: !(x?pname && x.pname == "libcamera"))
                      (old.buildInputs or []);
                    mesonFlags = builtins.filter
                      (flag: !(builtins.isString flag && builtins.match ".*libcamera.*" flag != null))
                      (old.mesonFlags or []) ++ [ "-Dlibcamera=disabled" ];
                  });
                })
              ];
            }
            nixos-raspberrypi.nixosModules.nixpkgs-rpi
            # Disable libcamera in rpi pipewire too (separate nixpkgs instance)
            ({ config, lib, pkgs, ... }: {
              nixpkgs.overlays = [
                (final: prev: {
                  pipewire = prev.pipewire.overrideAttrs (old: {
                    buildInputs = builtins.filter
                      (x: !(x?pname && x.pname == "libcamera"))
                      (old.buildInputs or []);
                    mesonFlags = builtins.filter
                      (flag: !(builtins.isString flag && builtins.match ".*libcamera.*" flag != null))
                      (old.mesonFlags or []) ++ [ "-Dlibcamera=disabled" ];
                  });
                })
              ];
            })

# Patches are now in gortium/nixos-uconsole fork (cm5_fix branch)
            nixos-raspberrypi.nixosModules.raspberry-pi-5.base
            nixos-raspberrypi.lib.inject-overlays
            nixos-raspberrypi.lib.inject-overlays-global
            nixos-uconsole.nixosModules.uconsole-cm5
            ({ config, lib, pkgs, inputs, ... }: let
              lix-cross = import inputs.nixpkgs-uconsole {
                localSystem = { system = "x86_64-linux"; };
                crossSystem = { system = "aarch64-linux"; };
                overlays = [ inputs.lix.overlays.default ];
              };
            in { nix.package = lix-cross.lix; })
            agenix.nixosModules.default
            ./hosts/uconsole-cm5/configuration.nix
            ./hosts/uconsole-cm5/hardware-configuration.nix
          ];
        };
      };

      devShells.${system}.default = devShell;

      packages.${system} = {
        uconsole-cm5-image = (nixos-raspberrypi.lib.nixosSystem {
          system = "aarch64-linux";
          specialArgs = {
            inherit self keys inputs;
            nixos-raspberrypi = nixos-raspberrypi;
            isCM4 = false;
          };
          modules = [
            {
              nixpkgs.buildPlatform = system;
              nixpkgs.hostPlatform = "aarch64-linux";
            }
            nixos-raspberrypi.nixosModules.nixpkgs-rpi
            nixos-raspberrypi.nixosModules.raspberry-pi-5.base
            nixos-raspberrypi.lib.inject-overlays-global
            nixos-raspberrypi.nixosModules.sd-image
            nixos-uconsole.nixosModules.uconsole-cm5
            agenix.nixosModules.default
            ./hosts/uconsole-cm5/configuration.nix
          ];
        }).config.system.build.sdImage;
      };
    };
}
Preparing to switch to flakes 2025-08-03 15:42:02 -04:00			`{`
Used agenix to manage secrets, 4 services up, ssh 2025-08-08 17:00:47 -04:00			`description = "Gortium infra flake";`
Preparing to switch to flakes 2025-08-03 15:42:02 -04:00
			`inputs = {`
			`nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";`
Used agenix to manage secrets, 4 services up, ssh 2025-08-08 17:00:47 -04:00			`agenix = {`
			`url = "github:ryantm/agenix";`
			`inputs.darwin.follows = "";`
			`inputs.nixpkgs.follows = "nixpkgs";`
			`};`
feat: add openclaw node service and migrate to lix - Add headless openclaw node systemd service for host execution - Migrate from nix to lix package manager - Permit openclaw-2026.3.12 (insecure package warning) - Use ai-worker user for node service 2026-04-04 16:26:33 -04:00			`lix = {`
			`url = "git+https://git.lix.systems/lix-project/lix?ref=main";`
			`inputs.nixpkgs.follows = "nixpkgs";`
			`};`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`nixpkgs-uconsole.url = "github:NixOS/nixpkgs/nixos-25.11";`
			`nixos-uconsole = {`
switch to gortium/nixos-uconsole fork 2026-06-13 23:15:53 -04:00			`url = "github:gortium/nixos-uconsole/cm5_fix";`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`inputs.nixpkgs.follows = "nixpkgs-uconsole";`
fix(uconsole): resolve conflicting SSH options + properly override nixos-uconsole's nixos-raspberrypi input - mkForce on PermitRootLogin and PasswordAuthentication - nixos-uconsole.inputs.nixos-raspberrypi follows our fork 2026-06-12 16:43:33 -04:00			`inputs.nixos-raspberrypi.follows = "nixos-raspberrypi";`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`};`
			`nixos-raspberrypi = {`
			`url = "github:gortium/nixos-raspberrypi/cm5-cross-v1";`
			`inputs.nixpkgs.follows = "nixpkgs-uconsole";`
switch to gortium/nixos-uconsole fork 2026-06-13 23:15:53 -04:00			`};`
Preparing to switch to flakes 2025-08-03 15:42:02 -04:00			`};`

feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`outputs = { self, nixpkgs, agenix, lix`
			`, nixpkgs-uconsole, nixos-uconsole, nixos-raspberrypi`
			`, ... }@inputs:`
Preparing to switch to flakes 2025-08-03 15:42:02 -04:00			`let`
			`system = "x86_64-linux";`
Used agenix to manage secrets, 4 services up, ssh 2025-08-08 17:00:47 -04:00			`keys = import ./lib/keys.nix;`
			`paths = {`
			`flake = "/home/gortium/infra";`
Working bootstrap key 2025-08-24 19:02:42 -04:00			`identities = [`
			`"/home/gortium/.ssh/gortium_ssh_key"`
			`"/etc/ssh/ssh_host_ed25519_key"`
			`"/root/.age/bootstrap.key" ];`
Used agenix to manage secrets, 4 services up, ssh 2025-08-08 17:00:47 -04:00			`};`
			`overlays = [ agenix.overlays.default ];`
Some more work toward a modular config 2025-08-04 22:15:59 -04:00			`pkgs = import nixpkgs {`
Used agenix to manage secrets, 4 services up, ssh 2025-08-08 17:00:47 -04:00			`inherit system overlays;`
			`config.allowUnfree = true;`
switch to gortium/nixos-uconsole fork 2026-06-13 23:15:53 -04:00			`config.permittedInsecurePackages = [ "openclaw-2026.3.12" ];`
Used agenix to manage secrets, 4 services up, ssh 2025-08-08 17:00:47 -04:00			`};`
			`devShell = import ./shells/nix_dev.nix {`
			`inherit pkgs system agenix;`
Some more work toward a modular config 2025-08-04 22:15:59 -04:00			`};`
switch to gortium/nixos-uconsole fork 2026-06-13 23:15:53 -04:00			`in {`
			`nixosConfigurations = {`
			`lazyworkhorse = nixpkgs.lib.nixosSystem {`
			`specialArgs = { inherit system self keys paths inputs; };`
			`modules = [`
			`{`
			`nixpkgs.overlays = overlays;`
			`nixpkgs.config.allowUnfree = true;`
			`nixpkgs.config.rocmSupport = true;`
			`nixpkgs.config.permittedInsecurePackages = [ "openclaw-2026.3.12" ];`
			`nix.package = lix.packages.${system}.default;`
			`}`
			`agenix.nixosModules.default`
			`./hosts/lazyworkhorse/configuration.nix`
			`./hosts/lazyworkhorse/hardware-configuration.nix`
			`./modules/nixos/filesystem/hoardingcow-mount.nix`
			`./modules/nixos/services/docker_manager.nix`
			`./modules/nixos/services/open_code_server.nix`
			`./modules/nixos/services/ollama_init_custom_models.nix`
			`./modules/nixos/services/openclaw_node.nix`
			`./modules/nixos/security/ai-worker-restricted.nix`
			`./users/gortium.nix`
			`./users/ai-worker.nix`
			`];`
			`};`
feat: isolate docker networks and add cyt-pi remote node config - Refactor all 12 compose stacks to use isolated networks with Traefik as the hub - Add openclaw-ssh sidecar to ai stack for reverse tunneling (port 2425) - Add sshnode entrypoint to Traefik configuration - Add cyt-pi host configuration for Pi Zero 2 W (headless) - Include kismet and target_detector_cli services for remote Wi-Fi monitoring - Add reverse SSH tunnel service via autossh 2026-04-06 19:14:57 -04:00
switch to gortium/nixos-uconsole fork 2026-06-13 23:15:53 -04:00			`cyt-pi = nixpkgs.lib.nixosSystem {`
			`specialArgs = { inherit self keys paths inputs; };`
			`modules = [`
			`{`
			`nixpkgs.overlays = overlays;`
			`nixpkgs.config.allowUnfree = true;`
			`nixpkgs.hostPlatform = "aarch64-linux";`
			`nix.package = lix.packages."aarch64-linux".default;`
			`}`
			`./hosts/cyt-pi/configuration.nix`
			`./hosts/cyt-pi/hardware-configuration.nix`
			`];`
			`};`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00
switch to gortium/nixos-uconsole fork 2026-06-13 23:15:53 -04:00			`uconsole-cm5 = nixpkgs-uconsole.lib.nixosSystem {`
			`system = "aarch64-linux";`
			`specialArgs = {`
			`inherit self keys paths inputs;`
			`nixos-raspberrypi = nixos-raspberrypi;`
			`isCM4 = false;`
feat(uconsole): add cm5 cross-compiled nixosConfiguration - New host: uconsole-cm5 (aarch64-linux, cross-built from x86_64) - SSH authorizedKeys: gortium.main + ai-worker.main - NetworkManager enabled (WiFi password via agenix later) - Display: vc4/panel_cwu50/rp1_dsi with empty initrd - Config.txt [pi5] section (not [cm5]) - Backlight fix service - nixos-raspberrypi → gortium/cm5-cross-v1 fork (PR #197) - nixpkgs-uconsole pinned to nixos-25.11 (kernel patch compat) V3 branch saved as archive/uconsole-cm5-v3 (Reticulum/SDR/HAM config). 2026-06-12 16:02:13 -04:00			`};`
switch to gortium/nixos-uconsole fork 2026-06-13 23:15:53 -04:00			`modules = [`
			`{`
			`nixpkgs.buildPlatform = "x86_64-linux";`
			`nixpkgs.hostPlatform = "aarch64-linux";`
			`nixpkgs.config.allowUnfree = true;`
			`boot.loader.raspberry-pi.bootloader = "kernel";`
fix: disable libcamera in pipewire via mesonFlags for both pkgs and rpi 2026-06-14 00:56:31 -04:00			`# Kill camera packages — not needed on uConsole, break cross-compile`
			`nixpkgs.overlays = [`
fix: remove libcamera from pipewire buildInputs (both overlays) meta.platforms = [] on libcamera doesn't help because nixos-25.11 pipewire has libcamera unconditionally in buildInputs. Must overrideAttrs to: - filter libcamera out of buildInputs - clear existing libcamera meson flags and set -Dlibcamera=disabled 2026-06-14 09:03:44 -04:00			`# Make camera packages "unavailable" so no pkgs depend on them`
fix: disable libcamera in pipewire via mesonFlags for both pkgs and rpi 2026-06-14 00:56:31 -04:00			`(final: prev: {`
fix: remove libcamera from pipewire buildInputs (both overlays) meta.platforms = [] on libcamera doesn't help because nixos-25.11 pipewire has libcamera unconditionally in buildInputs. Must overrideAttrs to: - filter libcamera out of buildInputs - clear existing libcamera meson flags and set -Dlibcamera=disabled 2026-06-14 09:03:44 -04:00			`libcamera = prev.libcamera.overrideAttrs (_: { meta.platforms = []; });`
			`libcamera-rpi = prev.libcamera-rpi.overrideAttrs (_: { meta.platforms = []; });`
			`libpisp = prev.libpisp.overrideAttrs (_: { meta.platforms = []; });`
			`# Pipewire in nixos-25.11 has libcamera unconditionally in buildInputs;`
			`# meta.platforms trick doesn't help — must actually remove it`
fix: disable libcamera in pipewire via mesonFlags for both pkgs and rpi 2026-06-14 00:56:31 -04:00			`pipewire = prev.pipewire.overrideAttrs (old: {`
fix: remove libcamera from pipewire buildInputs (both overlays) meta.platforms = [] on libcamera doesn't help because nixos-25.11 pipewire has libcamera unconditionally in buildInputs. Must overrideAttrs to: - filter libcamera out of buildInputs - clear existing libcamera meson flags and set -Dlibcamera=disabled 2026-06-14 09:03:44 -04:00			`buildInputs = builtins.filter`
			`(x: !(x?pname && x.pname == "libcamera"))`
			`(old.buildInputs or []);`
			`mesonFlags = builtins.filter`
			`(flag: !(builtins.isString flag && builtins.match ".libcamera." flag != null))`
			`(old.mesonFlags or []) ++ [ "-Dlibcamera=disabled" ];`
fix: disable libcamera in pipewire via mesonFlags for both pkgs and rpi 2026-06-14 00:56:31 -04:00			`});`
			`})`
			`];`
switch to gortium/nixos-uconsole fork 2026-06-13 23:15:53 -04:00			`}`
			`nixos-raspberrypi.nixosModules.nixpkgs-rpi`
fix: disable libcamera in pipewire via mesonFlags for both pkgs and rpi 2026-06-14 00:56:31 -04:00			`# Disable libcamera in rpi pipewire too (separate nixpkgs instance)`
			`({ config, lib, pkgs, ... }: {`
			`nixpkgs.overlays = [`
			`(final: prev: {`
			`pipewire = prev.pipewire.overrideAttrs (old: {`
fix: remove libcamera from pipewire buildInputs (both overlays) meta.platforms = [] on libcamera doesn't help because nixos-25.11 pipewire has libcamera unconditionally in buildInputs. Must overrideAttrs to: - filter libcamera out of buildInputs - clear existing libcamera meson flags and set -Dlibcamera=disabled 2026-06-14 09:03:44 -04:00			`buildInputs = builtins.filter`
			`(x: !(x?pname && x.pname == "libcamera"))`
			`(old.buildInputs or []);`
			`mesonFlags = builtins.filter`
			`(flag: !(builtins.isString flag && builtins.match ".libcamera." flag != null))`
			`(old.mesonFlags or []) ++ [ "-Dlibcamera=disabled" ];`
fix: disable libcamera in pipewire via mesonFlags for both pkgs and rpi 2026-06-14 00:56:31 -04:00			`});`
			`})`
			`];`
			`})`

switch to gortium/nixos-uconsole fork 2026-06-13 23:15:53 -04:00			`# Patches are now in gortium/nixos-uconsole fork (cm5_fix branch)`
			`nixos-raspberrypi.nixosModules.raspberry-pi-5.base`
			`nixos-raspberrypi.lib.inject-overlays`
			`nixos-raspberrypi.lib.inject-overlays-global`
			`nixos-uconsole.nixosModules.uconsole-cm5`
			`({ config, lib, pkgs, inputs, ... }: let`
			`lix-cross = import inputs.nixpkgs-uconsole {`
			`localSystem = { system = "x86_64-linux"; };`
			`crossSystem = { system = "aarch64-linux"; };`
			`overlays = [ inputs.lix.overlays.default ];`
			`};`
			`in { nix.package = lix-cross.lix; })`
			`agenix.nixosModules.default`
			`./hosts/uconsole-cm5/configuration.nix`
			`./hosts/uconsole-cm5/hardware-configuration.nix`
			`];`
Preparing to switch to flakes 2025-08-03 15:42:02 -04:00			`};`
			`};`
switch to gortium/nixos-uconsole fork 2026-06-13 23:15:53 -04:00
			`devShells.${system}.default = devShell;`

			`packages.${system} = {`
			`uconsole-cm5-image = (nixos-raspberrypi.lib.nixosSystem {`
			`system = "aarch64-linux";`
			`specialArgs = {`
			`inherit self keys inputs;`
			`nixos-raspberrypi = nixos-raspberrypi;`
			`isCM4 = false;`
			`};`
			`modules = [`
			`{`
			`nixpkgs.buildPlatform = system;`
			`nixpkgs.hostPlatform = "aarch64-linux";`
			`}`
			`nixos-raspberrypi.nixosModules.nixpkgs-rpi`
			`nixos-raspberrypi.nixosModules.raspberry-pi-5.base`
			`nixos-raspberrypi.lib.inject-overlays-global`
			`nixos-raspberrypi.nixosModules.sd-image`
			`nixos-uconsole.nixosModules.uconsole-cm5`
			`agenix.nixosModules.default`
			`./hosts/uconsole-cm5/configuration.nix`
			`];`
			`}).config.system.build.sdImage;`
			`};`
			`};`
Preparing to switch to flakes 2025-08-03 15:42:02 -04:00			`}`