feat(dev): add hosts/dev self-managed QEMU VM fleet host (ADR-0018) #165

Merged

dominik.polakovics merged 1 commit from feat/dev-fleet-host into main

2026-06-14 18:09:27 +02:00

dominik.polakovics commented

2026-06-14 18:01:00 +02:00

Owner

Authors hosts/dev/ — the self-managed NixOS fleet host that runs on the QEMU VM (ADR-0018, PR2). Builds on the onboarding already on main (e573a5b: &dev-new age key, hosts/dev/ sops rule, fleet.nix dev key).

What's here

configuration.nix — the dev guest config (dev tooling, dominik user, lab, forgejo-mcp, sops, zram, ddev, NOPASSWD sudo) ported to a standalone fleet host: imports bento + set-nix-channel + autoupgrade + hardware-configuration.nix, root SSH keys, the git.cloonar.com known-host, static .97.16 networking matched on the temp MAC, aggressive GC (daily / 3d, min-free 20 G / max-free 40 G, optimise), and no borgbackup (cattle).
hardware-configuration.nix — from the infect (grub on /dev/vda, ext4 root).
channel → nixos-26.05; stateVersion 25.05 (the infect version); home-manager pinned to release-26.05.
lab gets KillMode=process so a config switch never drops a Claude session (the #161 follow-up).
secrets.yaml copied from hosts/fw/vms/dev/ (decryptable by dev-new); the microvm keeps its own copy until PR3.
allowUnfree (intelephense / claude-code) + the 26.05 pypy2.7 insecure-predicate — both needed standalone (the microvm inherited them from fw's pkgs).

No central registration needed — test-configuration / sync-host --all work generically off hosts/<host>/, and the dev pre-commit skip was already removed (ADR-0003).

Gate

Pre-commit dry-build of dev is green against 26.05.

Eval can't cover — your PR2 validation, post-deploy

nix-shell -p in dominik's shell — I override bento's NIX_PATH to re-add the channel's nixpkgs, but that's only verifiable at runtime.
nvim/treesitter + any 26.05 build-time gates (udevadm verify, …) — build/runtime only.
First-boot networking / bento pull / secrets decrypt.

Still open on #161 (post-merge)

restartIfChanged = false on the qemu-vm.nix <name>-vm service (separate module change).
Deploy → confirm bento converges → validate (test session; a switch keeps it alive; a reboot boots a guest-built kernel).

Part of #161.

Authors `hosts/dev/` — the self-managed NixOS fleet host that runs on the QEMU VM (ADR-0018, PR2). Builds on the onboarding already on `main` (`e573a5b`: `&dev-new` age key, `hosts/dev/` sops rule, `fleet.nix` dev key). ## What's here - **configuration.nix** — the dev guest config (dev tooling, `dominik` user, `lab`, `forgejo-mcp`, sops, zram, ddev, NOPASSWD sudo) ported to a standalone fleet host: imports `bento` + `set-nix-channel` + `autoupgrade` + `hardware-configuration.nix`, root SSH keys, the `git.cloonar.com` known-host, static `.97.16` networking matched on the temp MAC, **aggressive GC** (daily / `3d`, min-free 20 G / max-free 40 G, `optimise`), and **no borgbackup** (cattle). - **hardware-configuration.nix** — from the infect (grub on `/dev/vda`, ext4 root). - **channel** → `nixos-26.05`; **stateVersion `25.05`** (the infect version); home-manager pinned to `release-26.05`. - **lab** gets `KillMode=process` so a config `switch` never drops a Claude session (the #161 follow-up). - **secrets.yaml** copied from `hosts/fw/vms/dev/` (decryptable by `dev-new`); the microvm keeps its own copy until PR3. - `allowUnfree` (intelephense / claude-code) + the 26.05 `pypy2.7` insecure-predicate — both needed standalone (the microvm inherited them from fw's `pkgs`). No central registration needed — `test-configuration` / `sync-host --all` work generically off `hosts/<host>/`, and the `dev` pre-commit skip was already removed (ADR-0003). ## Gate Pre-commit dry-build of `dev` is **green against 26.05**. ## Eval can't cover — your PR2 validation, post-deploy - `nix-shell -p` in dominik's shell — I override bento's `NIX_PATH` to re-add the channel's nixpkgs, but that's only verifiable at runtime. - nvim/treesitter + any 26.05 build-time gates (udevadm verify, …) — build/runtime only. - First-boot networking / bento pull / secrets decrypt. ## Still open on #161 (post-merge) - `restartIfChanged = false` on the `qemu-vm.nix` `<name>-vm` service (separate module change). - Deploy → confirm bento converges → validate (test session; a `switch` keeps it alive; a reboot boots a guest-built kernel). Part of #161.

dominik.polakovics added 1 commit

2026-06-14 18:01:00 +02:00

feat(dev): add hosts/dev self-managed QEMU VM fleet host (ADR-0018) fe06fd20c6

dominik.polakovics merged commit a6b0367f8e into main

2026-06-14 18:09:27 +02:00

dominik.polakovics referenced this pull request from a commit

2026-06-14 18:09:29 +02:00

Merge pull request 'feat(dev): add hosts/dev self-managed QEMU VM fleet host (ADR-0018)' (#165) from feat/dev-fleet-host into main