Cleanup remote LUKS unlock

common/boot/default.nix

@@ -5,6 +5,6 @@
     ./firmware.nix
     ./efi.nix
     ./bios.nix
-    ./luks.nix
+    ./remote-luks-unlock.nix
   ];
 }

common/boot/remote-luks-unlock.nix

@@ -1,22 +1,14 @@
 { config, pkgs, lib, ... }:
 
 let
-  cfg = config.luks;
+  cfg = config.remoteLuksUnlock;
 in {
-  options.luks = {
+  options.remoteLuksUnlock = {
     enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
-    device = {
+    enableTorUnlock = lib.mkOption {
-      name = lib.mkOption {
+      type = lib.types.bool;
-        type = lib.types.str;
+      default = cfg.enable;
-        default = "enc-pv";
+      description = "Make machine accessable over tor for ssh boot unlock";
-      };
-      path = lib.mkOption {
-        type = lib.types.either lib.types.str lib.types.path;
-      };
-      allowDiscards = lib.mkOption {
-        type = lib.types.bool;
-        default = false;
-      };
     };
     sshHostKeys = lib.mkOption {
       type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
@@ -40,10 +32,10 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    boot.initrd.luks.devices.${cfg.device.name} = {
+    # boot.initrd.luks.devices.${cfg.device.name} = {
-      device = cfg.device.path;
+    #   device = cfg.device.path;
-      allowDiscards = cfg.device.allowDiscards;
+    #   allowDiscards = cfg.device.allowDiscards;
-    };
+    # };
 
     # Unlock LUKS disk over ssh
     boot.initrd.network.enable = true;
@@ -61,41 +53,41 @@ in {
       echo /crypt-ramfs/passphrase >> /dev/null
     '';
 
-    # Make machine accessable over tor for boot unlock
+    boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
-    boot.initrd.secrets = {
       "/etc/tor/onion/bootup" = cfg.onionConfig;
     };
-    boot.initrd.extraUtilsCommands = ''
+    boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
       copy_bin_and_libs ${pkgs.tor}/bin/tor
       copy_bin_and_libs ${pkgs.haveged}/bin/haveged
     '';
-    # start tor during boot process
+    boot.initrd.network.postCommands = lib.mkMerge [
-    boot.initrd.network.postCommands = let
+      (''
-      torRc = (pkgs.writeText "tor.rc" ''
+        # Add nice prompt for giving LUKS passphrase over ssh
+        echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
+      '')
+      
+      (let torRc = (pkgs.writeText "tor.rc" ''
         DataDirectory /etc/tor
         SOCKSPort 127.0.0.1:9050 IsolateDestAddr
         SOCKSPort 127.0.0.1:9063
         HiddenServiceDir /etc/tor/onion/bootup
         HiddenServicePort 22 127.0.0.1:22
-      '');
+      ''); in lib.mkIf cfg.enableTorUnlock ''
-    in ''
+        echo "tor: preparing onion folder"
-      # Add nice prompt for giving LUKS passphrase over ssh
+        # have to do this otherwise tor does not want to start
-      echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
+        chmod -R 700 /etc/tor
 
-      echo "tor: preparing onion folder"
+        echo "make sure localhost is up"
-      # have to do this otherwise tor does not want to start
+        ip a a 127.0.0.1/8 dev lo
-      chmod -R 700 /etc/tor
+        ip link set lo up
 
-      echo "make sure localhost is up"
+        echo "haveged: starting haveged"
-      ip a a 127.0.0.1/8 dev lo
+        haveged -F &
-      ip link set lo up
 
-      echo "haveged: starting haveged"
+        echo "tor: starting tor"
-      haveged -F &
+        tor -f ${torRc} --verify-config
-
+        tor -f ${torRc} &
-      echo "tor: starting tor"
+      '')
-      tor -f ${torRc} --verify-config
+    ];
-      tor -f ${torRc} &
-    '';
   };
 }

common/network/hosts.nix

@@ -8,6 +8,7 @@ let
   # hostnames that resolve on clearnet for LUKS unlocking
   unlock-clearnet-hosts = {
     ponyo = "unlock.ponyo.neet.dev";
+    s0 = "s0";
   };
 
   # hostnames that resolve on tor for LUKS unlocking
@@ -15,6 +16,7 @@ let
     liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion";
     router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
     ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
+    s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
   };
 in {
   networking.hosts = {
@@ -57,6 +59,10 @@ in {
       hostNames = [ "s0" "s0.zt.neet.dev" ];
       publicKey = system.s0;
     };
+    s0-unlock = {
+      hostNames = [ unlock-onion-hosts.s0 ];
+      publicKey = system.s0-unlock;
+    };
     n1 = {
       hostNames = [ "n1" ];
       publicKey = system.n1;

common/network/vpn.nix

@@ -74,9 +74,11 @@ in
         pia.enable = true;
         pia.server = "swiss.privacy.network"; # swiss vpn
 
+        # TODO fix so it does run it's own resolver again
         # run it's own DNS resolver
         networking.useHostResolvConf = false;
-        services.resolved.enable = true;
+        # services.resolved.enable = true;
+        networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
       };
     };
 

common/ssh.nix

@@ -14,6 +14,7 @@ rec {
     router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
     router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
     s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
+    s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
     n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
     n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
     n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";

flake.nix

@@ -73,7 +73,7 @@
       "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
       "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
       "router" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/router/configuration.nix;
-      "s0" = mkSystem "aarch64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix;
+      "s0" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix;
       "n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix;
       "n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix;
       "n3" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n3/configuration.nix;

machines/liza/hardware-configuration.nix

@@ -20,10 +20,8 @@
     device = "/dev/sda";
   };
 
-  luks = {
+  remoteLuksUnlock.enable = true;
-    enable = true;
+  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
-    device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
-  };
 
   fileSystems."/" =
     { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";

machines/ponyo/hardware-configuration.nix

@@ -17,10 +17,8 @@
     device = "/dev/sda";
   };
 
-  luks = {
+  remoteLuksUnlock.enable = true;
-    enable = true;
+  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
-    device.path = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
-  };
 
   fileSystems."/" =
     { device = "/dev/mapper/enc-pv";

machines/ray/hardware-configuration.nix

@@ -34,6 +34,7 @@
   };
 
   # disks
+  remoteLuksUnlock.enable = true;
   boot.initrd.luks.devices."enc-pv" = {
     device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
     allowDiscards = true;

machines/router/hardware-configuration.nix

@@ -27,10 +27,8 @@
   };
 
   # disks
-  luks = {
+  remoteLuksUnlock.enable = true;
-    enable = true;
+  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
-    device.path = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
-  };
   fileSystems."/" =
     { device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
       fsType = "btrfs";

machines/storage/s0/configuration.nix

@@ -2,48 +2,43 @@
 
 {
   imports =[
-    ./helios64
     ./hardware-configuration.nix
   ];
 
   networking.hostName = "s0";
 
-  boot.loader.grub.enable = false;
-  boot.loader.generic-extlinux-compatible.enable = true;
-
   system.autoUpgrade.enable = true;
 
-  boot.supportedFilesystems = [ "bcachefs" ];
+  # mesh networking
-
+  services.tailscale.exitNode = true;
   services.zerotierone.enable = true;
 
   # for education purposes only
   services.pykms.enable = true;
   services.pykms.openFirewallPort = true;
 
-  users.users.googlebot.packages = with pkgs; [
+  # samba
-    bcachefs-tools
-  ];
-
   services.samba.enable = true;
 
+  # navidrome
   services.navidrome = {
     enable = true;
     settings = {
       Address = "0.0.0.0";
       Port = 4533;
-      MusicFolder = "/data/samba/Public/Plex/Music";
+      MusicFolder = "/data/samba/Public/Media/Music";
     };
   };
   networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ];
 
+  # allow access to transmisson data
   users.users.googlebot.extraGroups = [ "transmission" ];
   users.groups.transmission.gid = config.ids.gids.transmission;
 
   vpn-container.enable = true;
   vpn-container.mounts = [
     "/var/lib"
-    "/data/samba/Public/Plex"
+    "/data/samba/Public"
   ];
   vpn-container.config = {
     # servarr services
@@ -61,9 +56,6 @@
     services.lidarr.user = "public_data";
     services.lidarr.group = "public_data";
 
-    services.jellyfin.enable = true;
-    users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
-
     services.transmission = {
       enable = true;
       performanceNetParameters = true;
@@ -73,7 +65,7 @@
         /* directory settings */
         # "watch-dir" = "/srv/storage/Transmission/To-Download";
         # "watch-dir-enabled" = true;
-        "download-dir" = "/data/samba/Public/Plex/Transmission";
+        "download-dir" = "/data/samba/Public/Media/Transmission";
         "incomplete-dir" = "/var/lib/transmission/.incomplete";
         "incomplete-dir-enabled" = true;
 
@@ -120,9 +112,26 @@
     };
   };
 
-  # unpackerr
+  # jellyfin
-  # flaresolverr
+  # jellyfin cannot run in the vpn container and use hardware encoding
+  # I could not figure out how to allow the container to access the encoder
+  services.jellyfin.enable = true;
+  users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+  hardware.opengl = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      vaapiIntel
+      vaapiVdpau
+      libvdpau-va-gl
+      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+    ];
+  };
 
+  # nginx
   services.nginx.enable = true;
   services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://vpn.containers:6767";
   services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://vpn.containers:7878";
@@ -131,57 +140,15 @@
   services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696";
   services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533";
   services.nginx.virtualHosts."jellyfin.s0".locations."/" = {
-    proxyPass = "http://vpn.containers:8096";
+    proxyPass = "http://localhost:8096";
     proxyWebsockets = true;
   };
   services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
-    proxyPass = "http://vpn.containers:8096";
+    proxyPass = "http://localhost:8096";
     proxyWebsockets = true;
   };
   services.nginx.virtualHosts."transmission.s0".locations."/" = {
     proxyPass = "http://vpn.containers:9091";
     proxyWebsockets = true;
   };
-
-  # tailscale
-  services.tailscale.exitNode = true;
-
-  nixpkgs.overlays = [
-    (final: prev: {
-      radarr = prev.radarr.overrideAttrs (old: rec {
-        installPhase = ''
-          runHook preInstall
-          mkdir -p $out/{bin,share/${old.pname}-${old.version}}
-          cp -r * $out/share/${old.pname}-${old.version}/.
-          makeWrapper "${final.dotnet-runtime}/bin/dotnet" $out/bin/Radarr \
-            --add-flags "$out/share/${old.pname}-${old.version}/Radarr.dll" \
-            --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
-              final.curl final.sqlite final.libmediainfo final.mono final.openssl final.icu final.zlib ]}
-          runHook postInstall
-        '';
-      });
-
-      prowlarr = prev.prowlarr.overrideAttrs (old: {
-        installPhase = ''
-          runHook preInstall
-          mkdir -p $out/{bin,share/${old.pname}-${old.version}}
-          cp -r * $out/share/${old.pname}-${old.version}/.
-          makeWrapper "${final.dotnet-runtime}/bin/dotnet" $out/bin/Prowlarr \
-            --add-flags "$out/share/${old.pname}-${old.version}/Prowlarr.dll" \
-            --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
-              final.curl final.sqlite final.libmediainfo final.mono final.openssl final.icu final.zlib ]}
-          runHook postInstall
-        '';
-      });
-
-      pykms = prev.pykms.overrideAttrs (old: {
-        src = pkgs.fetchFromGitHub {
-          owner = "Py-KMS-Organization";
-          repo = "py-kms";
-          rev = "7bea3a2cb03c4c3666ff41185ace9f7ea2a07b99";
-          sha256 = "90DqMqPjfqfyRq86UzG9B/TjY+yclJBlggw+eIDgRe0=";
-        };
-      });
-    })
-  ];
 }

machines/storage/s0/hardware-configuration.nix

@@ -1,6 +1,3 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 
 {
@@ -8,51 +5,59 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [
+  # boot
-    "ahci"
+  efi.enable = true;
-    "usb_storage"
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
-    "bcache"
-  ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  boot.initrd.luks.devices."enc-pv1" = {
+  # firmware
-    device = "/dev/disk/by-uuid/e3b588b6-d07f-4221-a194-e1e900299752";
+  firmware.x86_64.enable = true;
-    allowDiscards = true; # SSD
-  };
-  boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/514231c1-5934-401f-80e1-e3b6b62dc9d5";
-  boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/f45abe73-d0c6-446f-b28c-7a96a3f87851";
-  boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
-  boot.initrd.luks.devices."enc-pv5".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
-  boot.initrd.luks.devices."enc-pvUSB" = {
-    device = "/dev/disk/by-uuid/c8e18f86-a950-4e4e-8f3c-366cc78db29b";
-    allowDiscards = true; # SSD
-  };
 
+  ### disks ###
+
+  # zfs
+  networking.hostId = "5e6791f0";
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+
+  # luks
+  remoteLuksUnlock.enable = true;
+  boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86";
+  boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3";
+  boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
+  boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
+
+  # mounts
   fileSystems."/" =
-    { device = "/dev/mapper/enc-pv1:/dev/mapper/enc-pv2:/dev/mapper/enc-pv3:/dev/mapper/enc-pv4:/dev/mapper/enc-pv5:/dev/mapper/enc-pvUSB";
+    { device = "rpool/nixos/root";
-      fsType = "bcachefs";
+      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
+    };
+  fileSystems."/home" =
+    { device = "rpool/nixos/home";
+      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
+    };
+  fileSystems."/var/lib" =
+    { device = "rpool/nixos/var/lib";
+      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
+    };
+  fileSystems."/var/log" =
+    { device = "rpool/nixos/var/log";
+      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
     };
 
+  fileSystems."/data" =
+    { device = "rpool/nixos/data";
+      fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
+    };
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/8F7E-53C4";
+    { device = "/dev/disk/by-uuid/4FB4-738E";
       fsType = "vfat";
     };
+  swapDevices = [ ];
 
-  swapDevices = [
+  networking.interfaces.eth0.useDHCP = true;
-    {
-      device = "/dev/mmcblk1p2";
-      randomEncryption.enable = true;
-    }
-  ];
 
-  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  powerManagement.cpuFreqGovernor = "powersave";
-  # Per-interface useDHCP will be mandatory in the future, so this generated config
-  # replicates the default behaviour.
-  networking.useDHCP = lib.mkDefault false;
-  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
-  networking.interfaces.eth1.useDHCP = lib.mkDefault true;
-
-  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }

machines/storage/s0/helios64/README.md

@@ -1,62 +0,0 @@
-Kobol Helios64
-==============
-
-The `default.nix` module provides the required setup for the system to work.
-
-The `recommended.nix` module adds recommended settings for the system.
-
-Status
-------
-
-### Works
-
- - SATA hard drives
- - Ethernet (1gbps)
- - Serial through USB type-c (`ttyS2`)
-
-### Untested
-
- - Ethernet (2.5gbps)
- - DP video out
- - UPS behaviour
- - `rootfs` on SATA drives
-
-### Disabled
-
-Due to misbehaviour, `ttyS0` (`&uart0`, `serial@ff180000`) has been disabled
-via a kernel patch.
-
-Without this change, using, or attempting to use `ttyS0` will break serial
-output from `ttyS2`.
-
-
-Kernel
-------
-
-Only Linux 5.10 (LTS) is supported, using the patch set derived from Armbian.
-
-
-Requirements
-------------
-
-A *platform firmware* needs to be provided out of band for the system.
-
-The author recommends Tow-Boot, for which a [draft pull request](https://github.com/Tow-Boot/Tow-Boot/pull/54)
-adds support for the Helios64.
-
-Any other supported *platform firmware* should work too.
-
-> **NOTE**: at the time of writing (2021-10-10) the *platform firmware*
-> **must** make use of the proprietary ram training. The open source equivalent
-> will make the system unstable, and worse, will cause silent memory
-> corruption, in addition to loud memory corruption.
-
-
-Notes
------
-
-### Baud rate
-
-The serial baud rate is configured for `115200`, which is a more common default
-than the usual for Rockchip at `1500000`. See [the rationale for the decision](https://github.com/Tow-Boot/Tow-Boot/pull/33).
-

machines/storage/s0/helios64/default.nix

@@ -1,27 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  imports = [
-    ./modules/fancontrol.nix
-    ./modules/heartbeat.nix
-    ./modules/ups.nix
-  ];
-
-  boot.kernelParams = lib.mkAfter [
-    "console=ttyS2,115200n8"
-    "earlycon=uart8250,mmio32,0xff1a0000"
-  ];
-
-  # Required for rootfs on sata
-  boot.initrd.availableKernelModules = [
-    "pcie-rockchip-host" # required for rootfs on pcie sata disks
-    "phy-rockchip-pcie" # required for rootfs on pcie sata disks
-    "phy-rockchip-usb" # maybe not needed
-    "uas" # required for rootfs on USB 3.0 sata disks
-  ];
-
-  # bcachefs kernel is 5.15. but need patches that are only in 5.16+
-  # Patch the device tree to add support for getting the cpu thermal temp
-  hardware.deviceTree.enable = true;
-  hardware.deviceTree.kernelPackage = pkgs.linux_latest;
-}

machines/storage/s0/helios64/modules/bsp/90-helios64-hwmon.rules

@@ -1,23 +0,0 @@
-# Helios64 persistent hwmon
-
-ACTION=="remove", GOTO="helios64_hwmon_end"
-
-#
-KERNELS=="fan1", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p6", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1"
-KERNELS=="fan2", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p7", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1"
-KERNELS=="2-004c", SUBSYSTEMS=="i2c", DRIVERS=="lm75", ENV{IS_HELIOS64_HWMON}="1"
-
-SUBSYSTEM!="hwmon", GOTO="helios64_hwmon_end"
-
-ENV{HWMON_PATH}="/sys%p"
-#
-ATTR{name}=="cpu_thermal", ENV{IS_HELIOS64_HWMON}="1", ENV{HELIOS64_SYMLINK}="/dev/thermal-cpu"
-#
-ENV{IS_HELIOS64_HWMON}=="1", ATTR{name}=="lm75", ENV{HELIOS64_SYMLINK}="/dev/thermal-board"
-ENV{_IS_HELIOS64_FAN_}=="1", ENV{HELIOS64_SYMLINK}="/dev/fan-$env{_HELIOS64_FAN_}"
-
-#
-ENV{IS_HELIOS64_HWMON}=="1", RUN+="/bin/ln -sf $env{HWMON_PATH} $env{HELIOS64_SYMLINK}"
-
-LABEL="helios64_hwmon_end"
-

machines/storage/s0/helios64/modules/bsp/90-helios64-ups.rules

@@ -1,11 +0,0 @@
-ACTION=="add", GOTO="helios64_ups_end"
-ACTION=="remove", GOTO="helios64_ups_end"
-
-# Power loss event
-ACTION=="change", SUBSYSTEM=="power_supply", ATTR{type}=="Mains", ATTRS{online}=="0", RUN+="/usr/bin/systemctl start helios64-ups.timer"
-
-# Power restore event
-ACTION=="change", SUBSYSTEM=="power_supply", ATTR{type}=="Mains", ATTRS{online}=="1", RUN+="/usr/bin/systemctl stop helios64-ups.timer"
-
-LABEL="helios64_ups_end"
-

machines/storage/s0/helios64/modules/fancontrol.nix

@@ -1,41 +0,0 @@
-{ pkgs, ... }:
-{
-  hardware.fancontrol.enable = true;
-  hardware.fancontrol.config = ''
-    # Helios64 PWM Fan Control Configuration
-    # Temp source : /dev/thermal-cpu
-    INTERVAL=10
-    FCTEMPS=/dev/fan-p6/pwm1=/dev/thermal-cpu/temp1_input /dev/fan-p7/pwm1=/dev/thermal-cpu/temp1_input
-    MINTEMP=/dev/fan-p6/pwm1=40 /dev/fan-p7/pwm1=40
-    MAXTEMP=/dev/fan-p6/pwm1=80 /dev/fan-p7/pwm1=80
-    MINSTART=/dev/fan-p6/pwm1=60 /dev/fan-p7/pwm1=60
-    MINSTOP=/dev/fan-p6/pwm1=29 /dev/fan-p7/pwm1=29
-    MINPWM=20
-  '';
-
-  services.udev.packages = [
-    # Fan control
-    (pkgs.callPackage (
-      { stdenv, lib, coreutils }:
-      stdenv.mkDerivation {
-        name = "helios64-udev-fancontrol";
-
-        dontUnpack = true;
-        dontBuild = true;
-
-        installPhase = ''
-          mkdir -p "$out/etc/udev/rules.d/";
-          install -Dm644 "${./bsp/90-helios64-hwmon.rules}" \
-            "$out/etc/udev/rules.d/90-helios64-hwmon.rules"
-          substituteInPlace "$out/etc/udev/rules.d/90-helios64-hwmon.rules" \
-            --replace '/bin/ln'  '${lib.getBin coreutils}/bin/ln'
-        '';
-
-        meta = with lib; {
-          description = "Udev rules for fancontrol for the Helios64";
-          platforms = platforms.linux;
-        };
-      }
-    ) {})
-  ];
-}

machines/storage/s0/helios64/modules/heartbeat.nix

@@ -1,22 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  systemd.services.heartbeat = {
-    enable = true;
-    description = "Enable heartbeat & network activity led on Helios64";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = ''
-        ${lib.getBin pkgs.bash}/bin/bash -c 'echo heartbeat | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:green\\:status/trigger'
-
-        # this led is not supported yet in the kernel i'm using
-        # ${lib.getBin pkgs.bash}/bin/bash -c 'echo netdev | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/trigger'
-        # ${lib.getBin pkgs.bash}/bin/bash -c 'echo eth0 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/device_name'
-        # ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/link'
-        # ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/rx'
-        # ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/tx'
-      '';
-    };
-    after = [ "getty.target" ];
-    wantedBy = [ "multi-user.target" ];
-  };
-}

machines/storage/s0/helios64/modules/ups.nix

@@ -1,51 +0,0 @@
-{ pkgs, ... }:
-{
-  systemd.services.helios64-ups = {
-    enable = true;
-    description = "Helios64 UPS Action";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = "${pkgs.systemd}/bin/poweroff";
-    };
-  };
-
-  systemd.timers.helios64-ups = {
-    enable = true;
-    description = "Helios64 UPS Shutdown timer on power loss";
-    # disabling the timer by default. Even though armbian enaled
-    # the timer by default through this, we don't, as we can't
-    # rely on the udev rules to disable it after a system switch.
-    # wantedBy = [ "multi-user.target" ];
-    timerConfig = {
-      OnActiveSec = "10m";
-      AccuracySec = "1s";
-      Unit = "helios64-ups.service";
-    };
-  };
-  # The udev rule that will trigger the above service.
-  services.udev.packages = [
-    (pkgs.callPackage (
-      { stdenv, lib, coreutils, systemd }:
-      stdenv.mkDerivation {
-          name = "helios64-udev-ups";
-
-          dontUnpack = true;
-          dontBuild = true;
-
-          installPhase = ''
-              mkdir -p "$out/etc/udev/rules.d/";
-              install -Dm644 "${./bsp/90-helios64-ups.rules}" \
-                "$out/etc/udev/rules.d/90-helios64-ups.rules"
-              substituteInPlace "$out/etc/udev/rules.d/90-helios64-ups.rules" \
-                  --replace '/bin/ln'  '${lib.getBin coreutils}/bin/ln' \
-                  --replace '/usr/bin/systemctl' '${lib.getBin systemd}/bin/systemctl'
-          '';
-
-          meta = with lib; {
-              description = "Udev rules for UPS for the Helios64";
-              platforms = platforms.linux;
-          };
-      }
-    ) {})
-  ];
-}

machines/storage/s0/helios64/recommended.nix

@@ -1,8 +0,0 @@
-{ lib, ... }:
-{
-  # Since 20.03, you must explicitly specify to use dhcp on an interface
-  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
-
-  # Helps with 4GiB of RAM
-  zramSwap.enable = lib.mkDefault true;
-}