add oci target

.gitignore

@@ -1,4 +1,4 @@
-result
+result*
 .stfolder
 flake.lock
 

flake.nix

@@ -31,7 +31,6 @@
     ...
   }:
     let
-      system = "x86_64-linux";
       repoLocalPath =
         let
           fromEnv = builtins.getEnv "NIXOS_CONFIG_ROOT";
@@ -42,26 +41,21 @@
         inputs.nur.overlays.default
       ];
 
-      pkgs = import nixpkgs {
+      mkPkgs = system: import nixpkgs {
         inherit system;
         config.allowUnfree = true;
         flake.setFlakeRegistry = true;
         inherit overlays;
       };
 
-      pkgs-unstable = import nixpkgs-unstable {
+      mkPkgsUnstable = system: import nixpkgs-unstable {
         inherit system;
         config.allowUnfree = true;
         flake.setFlakeRegistry = true;
         inherit overlays;
       };
 
-      sharedSpecialArgs = {
+      mkSharedModules = pkgs: pkgs-unstable: [
-        inherit repoLocalPath pkgs-unstable;
-        repoRoot = self;
-      };
-
-      sharedModules = [
         ./nixos/modules/base.nix
         inputs.home-manager.nixosModules.home-manager
         ({ ... }: {
@@ -77,15 +71,23 @@
 
       mkHost = {
         hostName,
+        system,
         nixosModules ? [ ],
         hmModules ? [ ],
         extraModules ? [ ],
       }:
+        let
+          pkgs = mkPkgs system;
+          pkgs-unstable = mkPkgsUnstable system;
+        in
         nixpkgs.lib.nixosSystem {
           inherit system pkgs;
-          specialArgs = sharedSpecialArgs;
+          specialArgs = {
+            inherit repoLocalPath pkgs-unstable;
+            repoRoot = self;
+          };
           modules =
-            sharedModules
+            (mkSharedModules pkgs pkgs-unstable)
             ++ [ (./nixos/hosts + "/${hostName}/configuration.nix") ]
             ++ nixosModules
             ++ extraModules
@@ -125,6 +127,7 @@
       nixosConfigurations = {
         electra = mkHost {
           hostName = "electra";
+          system = "x86_64-linux";
           nixosModules = workstationModules;
           hmModules = workstationHomeModules ++ [
             ./home/hosts/alisceon/electra.nix
@@ -133,6 +136,7 @@
 
         tower = mkHost {
           hostName = "tower";
+          system = "x86_64-linux";
           nixosModules = workstationModules;
           hmModules = workstationHomeModules ++ [
             ./home/hosts/alisceon/tower.nix
@@ -141,6 +145,7 @@
 
         tesla-nixos = mkHost {
           hostName = "tesla-nixos";
+          system = "x86_64-linux";
           nixosModules = serverModules;
           hmModules = serverHomeModules;
           extraModules = [
@@ -151,6 +156,14 @@
 
         nuc = mkHost {
           hostName = "nuc";
+          system = "x86_64-linux";
+          nixosModules = serverModules;
+          hmModules = serverHomeModules;
+        };
+
+        oci-a1 = mkHost {
+          hostName = "oci-a1";
+          system = "aarch64-linux";
           nixosModules = serverModules;
           hmModules = serverHomeModules;
         };

home/modules/programs/ssh.nix

@@ -34,6 +34,10 @@
         hostname = "oci.malice.zone";
         user = "opc";
       };
+      "oci-a1" = {
+        hostname = "oci-a1";
+        user = "alisceon";
+      };
       "dnspi" = {
         hostname = "10.40.0.2";
         user = "pi";

nixos/hosts/oci-a1/configuration.nix

@@ -0,0 +1,99 @@
+{ lib, pkgs, modulesPath, ... }:
+let
+  fetchOciAuthorizedKeys = pkgs.writeShellApplication {
+    name = "fetch-oci-authorized-keys";
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.curl
+    ];
+    text = ''
+      install -d -m 0700 -o alisceon -g users /home/alisceon/.ssh
+
+      if [ -s /home/alisceon/.ssh/authorized_keys ]; then
+        echo "OCI authorized_keys already present for alisceon"
+        exit 0
+      fi
+
+      curl --fail --silent --show-error --location \
+        --header "Authorization: Bearer Oracle" \
+        --output /home/alisceon/.ssh/authorized_keys \
+        http://169.254.169.254/opc/v2/instance/metadata/ssh_authorized_keys
+
+      chown alisceon:users /home/alisceon/.ssh/authorized_keys
+      chmod 0600 /home/alisceon/.ssh/authorized_keys
+    '';
+  };
+in
+{
+  imports = [
+    "${modulesPath}/virtualisation/oci-image.nix"
+  ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+
+  networking = {
+    hostName = "nixos-oci-a1";
+    networkmanager.enable = lib.mkForce false;
+  };
+
+  boot.initrd.availableKernelModules = [
+    "virtio_pci"
+    "virtio_blk"
+    "virtio_scsi"
+    "virtio_net"
+    "xhci_pci"
+  ];
+
+  users.users.alisceon.extraGroups = [ "systemd-journal" ];
+
+  security.sudo-rs.wheelNeedsPassword = false;
+
+  services.openssh.settings = {
+    PasswordAuthentication = false;
+    PermitRootLogin = lib.mkForce "prohibit-password";
+  };
+
+  services.cloud-init = {
+    enable = true;
+    network.enable = true;
+    settings = {
+      datasource_list = [ "Oracle" "ConfigDrive" "NoCloud" ];
+      users = [ "default" ];
+      system_info.default_user = {
+        name = "alisceon";
+        gecos = "Alisceon";
+        groups = [ "wheel" "systemd-journal" ];
+        shell = "/run/current-system/sw/bin/xonsh";
+        lock_passwd = true;
+      };
+    };
+  };
+
+  systemd.services.fetch-oci-authorized-keys = {
+    description = "Fetch OCI metadata authorized_keys for alisceon";
+    wantedBy = [ "sshd.service" ];
+    before = [ "sshd.service" ];
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      StandardError = "journal+console";
+      StandardOutput = "journal+console";
+    };
+    script = lib.getExe fetchOciAuthorizedKeys;
+  };
+
+  systemd.services.fetch-ssh-keys.enable = false;
+
+  environment.systemPackages = with pkgs; [
+    curl
+    git
+    htop
+    jq
+    vim
+    wget
+  ];
+
+  system.stateVersion = lib.mkForce "25.11";
+}

nixos/modules/profiles/workstation.nix

@@ -19,6 +19,7 @@ in
       "udev.log_level=3"
       "systemd.show_status=auto"
     ];
+    binfmt.emulatedSystems = [ "aarch64-linux" ];
   };
 
   security.sudo.wheelNeedsPassword = false;