| 2026-03-14 |
monitoring: add ZFS pool health exec input
...
Custom script reports zpool health as numeric metric (0=ONLINE,
1=DEGRADED, 2=FAULTED, etc.) via Telegraf inputs.exec, enabling
Grafana alerting on pool degradation.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: use all_squash for media/torrent NFS exports
...
Map all NFS client UIDs to qbittorrent:storage (900:997) on
media and torrent exports. Eliminates need for UID/GID
coordination between NFS clients and server.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: fix qbittorrent UID collision with ylw
...
UID 1002 was already assigned to ylw on skydick. Change qbittorrent
system user to UID 900 to avoid the collision. NFS sec=sys maps by
UID number, so this must not conflict with any normal user.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
monitoring: fix InfluxDB URL and add nvme-cli to Telegraf PATH
...
Use door1's LAN IP (10.0.91.30) instead of WireGuard IP (172.16.1.1)
for InfluxDB endpoint. Add nvme-cli to Telegraf's PATH for NVMe SMART
attribute collection.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: add qbittorrent user and make media NFS export writable
...
Add qbittorrent system user (UID 1002, group storage) for NFS
root_squash write access. Change /srv/media export from ro,async
to rw,sync to support *arr torrent downloads under /srv/media/torrents/.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
monitoring: add lm_sensors and smartmontools to Telegraf PATH
...
Telegraf inputs.sensors needs the `sensors` binary in PATH.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: add Telegraf monitoring with SMART, ZFS, and system metrics
...
Sends metrics to door1 InfluxDB (bucket: skydick) via Telegraf.
Monitors all 5 Mach2 SAS drives, NVMe P4500, and boot SSD via SMART.
InfluxDB token encrypted with agenix.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: add NVMe SLOG+L2ARC documentation for datapool
...
Intel DC P4600 750GB: 8GB SLOG partition for sync write acceleration,
remaining ~690GB as L2ARC read cache for VM working sets.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-13 |
skydick: fill in actual Mach2 WWNs for datapool creation
...
5x ST14000NM0001 14TB SAS Mach2 drives, 4 active + 1 spare.
Mirror vdevs pair LUN0/LUN1 from different physical drives.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: extract datapool.nix for Mach2 ZFS storage config
...
Move all storage-serving config (NFS, Samba, iSCSI, tmpfiles, firewall
ports, storage group) from default.nix into datapool.nix. Add Mach2
dual-actuator mirror layout documentation, new datasets (torrent, vm),
and clean permission model (setgid storage group for user data).
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-11 |
users: equalize ldx and ylw permissions
...
- Add ylw to NOPASSWD sudo rule (matching ldx for deploy-rs)
- Add ldx hashedPassword on xlab-gateway (matching ylw)
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
users: unify ylw as common admin, keep host-specific passwords and groups
...
Move ylw base identity (isNormalUser, wheel, SSH key) to modules/users.nix
alongside ldx. Host configs retain only extra groups and hashedPassword.
Also renames ye-lw21 to ylw on skydick.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
nix: add ldx as trusted-user for deploy-rs unsigned store paths
...
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
xlab-gateway: fix ylw user missing isNormalUser and add wheel group
...
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
add ylw user to xlab-gateway
|
| 2026-03-09 |
xlab-gateway: add ULA route for internal IPv6 reachability
...
Route fd99:23eb:1682::/48 via wg-to-wgnet in main table so
xlab-gateway and LAN clients can reach 10.0.0.1's IPv6
(fd99:23eb:1682::1). Without this, ULA traffic went through
the WAN default route and got dropped.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
users: grant ldx full NOPASSWD sudo for deploy-rs
...
deploy-rs runs activate-rs, nix-env, switch-to-configuration, and
confirmation commands through separate non-interactive SSH sessions.
Per-command NOPASSWD rules cannot cover all paths it uses. Full
NOPASSWD is the intended deploy-rs setup.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: disable IPv6 to avoid wg-outbound ULA masquerade timeout
...
IPv6 traffic from skydick goes through freedom routing on 10.0.0.1,
which masquerades with ULA fd99:23eb:1682:fe::2 (not globally routable).
This causes nix/cargo downloads to time out on AAAA records. Skydick has
no IPv6 use cases as a LAN storage server.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
refactor xlab-gateway IPv6: /64 SLAAC, scoped policy routing, no NAT66
...
- Change LAN prefix from fd99:23eb:1682:fd:df::/80 to fd99:23eb:1682:1::/64
- Switch from DHCPv6 stateful to SLAAC (AdvAutonomous on, AdvManagedFlag off)
- Add RDNSS in radvd pointing to fd99:23eb:1682::1
- Scope policy routing rules to LAN sources only (fixes gateway IPv6 breakage)
- Remove NAT66 masquerade on wg-to-wgnet (10.0.0.1 routes fd99:23eb:1682:1::/64 natively)
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
add systemctl and reboot to NOPASSWD sudo rules
...
Needed for restarting services (systemd-networkd, nftables) after
deploy when switch-to-configuration doesn't detect unit changes.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-08 |
fix nftables syntax: use meta nfproto ipv6 in inet table
...
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
xlab-gateway: route client IPv6 through wg-to-wgnet
...
- Re-add IPv6 default route (::/0) via wg-to-wgnet in table 1002
- Add NAT66 masquerade on wg-to-wgnet for client ULA→tunnel translation
- Campus WAN has no IPv6 transit; wgnet provides it
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-07 |
Add switch-to-configuration to NOPASSWD sudo rules
...
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
Add skydick SSH key, set xlab-gateway deploy to LAN IP
...
- Authorize ldx@skydick ed25519 key for cross-machine deploy-rs
- Change xlab-gateway deploy hostname to 10.253.254.1 (LAN, reachable
from skydick)
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
deploy-rs: update xlab-gateway hostname, add NOPASSWD sudo
...
- Change xlab-gateway deploy hostname to WAN IP (166.111.98.29)
- Add NOPASSWD sudo rules for deploy-rs activation commands
(nix-env, activate scripts)
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
xlab-gateway: fix IPv6 routing, clean up table names
...
- Remove IPv6 default route from freedom table (1002) — wgnet peer
doesn't forward IPv6, causing TLS resets on outbound connections
- Remove Tsinghua IPv6 throw route (unnecessary without IPv6 default)
- IPv6 now uses native WAN path instead of WireGuard tunnel
- Rename table 1002 from typo 'wg-to-skywme' to 'freedom-wgnet'
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
xlab-gateway: add hardware-configuration.nix, disable wait-online
...
- Import generated hardware-configuration.nix (Intel CPU microcode,
boot modules for ehci_pci, ahci, nvme, kvm-intel)
- Disable systemd-networkd-wait-online (gateway doesn't need to block
boot waiting for WireGuard interfaces)
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
Re-encrypt secrets with SSH recipients (not age recipients)
...
age encrypts differently for age vs SSH recipients. agenix passes
raw SSH host keys as identities, which can only decrypt SSH-recipient
stanzas. Previously used ssh-to-age conversion which created
age-recipient stanzas, causing "no identity matched" errors.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
Re-encrypt secrets with correct full host public key
...
The xlab-gateway SSH public key was previously truncated
(missing AAAAC3NzaC1lZDI1NTE5 type prefix), causing agenix
decryption failures. Re-encrypted all .age files with the
correct full key. Verified decryption succeeds on target host.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
Add agenix-encrypted secrets and flake.lock
...
- Encrypted WireGuard keys for xlab-gateway (wgnet, skyworks, warp)
- Encrypted WireGuard PSK for wg-to-wgnet
- Placeholder skydick WireGuard secret
- Updated disko.nix with correct NVMe disk ID (MEMPEK1J016GAD)
- Generated flake.lock pinning nixpkgs 24.11, disko, agenix, deploy-rs
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|