feat: scaffold nix-pxe-bootstrap (skeleton, implementation TBD) #2
JacobPEvans-personal wants to merge 4 commits into
Conversation
Pull request overview
Scaffolds the initial nix-pxe-bootstrap repository structure for a NixOS-based PXE host (Pi/MiniPC) intended to serve netboot.xyz and Proxmox auto-installer artifacts, including CI/release automation and architecture documentation.
Changes:
- Added a Nix flake with a placeholder NixOS configuration (`pxe-host`), placeholder host modules, and stub service modules under `services.dryvist.pxe.*`.
- Added CI + automation plumbing (flake checks, CodeQL for Actions, dependency update workflows, release-please, Renovate).
- Added architecture diagrams (Mermaid sources + rendered SVGs), ADRs, and placeholder Proxmox answer files + SOPS scaffolding.
Reviewed changes
Copilot reviewed 34 out of 39 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .envrc | direnv entrypoint for a dev environment (external flake reference). |
| .gitignore | Ignores direnv artifacts and common Nix build outputs/images. |
| .release-please-manifest.json | Initializes release-please manifest/version. |
| .sops.yaml | SOPS creation rules and placeholder age recipients. |
| .github/workflows/ci.yml | CI workflow running nix flake check. |
| .github/workflows/codeql.yml | CodeQL workflow (Actions-only scan for now). |
| .github/workflows/deps-update-flake.yml | Scheduled nix flake update automation via PR. |
| .github/workflows/mermaid-render-check.yml | Mermaid render-diff gate for diagram sources/SVGs. |
| .github/workflows/release-please.yml | Release-please automation on main. |
| AGENTS.md | Repo-specific AI agent/contributor guidance and bring-up workflow. |
| CHANGELOG.md | release-please-managed changelog stub. |
| CLAUDE.md | Agent config pointer to AGENTS.md. |
| LICENSE | MIT license with added copyright holder. |
| README.md | Project overview, intended install flow, and repo layout. |
| answer-files/proxmox-b.toml | Placeholder Proxmox auto-installer answer file for node B. |
| answer-files/proxmox-c.toml | Placeholder Proxmox auto-installer answer file for node C. |
| answer-files/proxmox-d.toml | Placeholder Proxmox auto-installer answer file for node D. |
| docs/adr/0001-netbootxyz-not-maas.md | ADR documenting netboot.xyz choice over MAAS/Foreman. |
| docs/adr/0002-nixos-on-pi-rationale.md | ADR documenting hardware/host rationale. |
| docs/adr/0003-answer-file-format.md | ADR documenting TOML for Proxmox answer files. |
| docs/architecture/ecosystem-context.mmd | Mermaid source for ecosystem context diagram. |
| docs/architecture/ecosystem-context.svg | Rendered ecosystem context diagram. |
| docs/architecture/network-topology.mmd | Mermaid source for network topology diagram. |
| docs/architecture/network-topology.svg | Rendered network topology diagram. |
| docs/architecture/pxe-boot-flow.mmd | Mermaid source for PXE boot flow sequence. |
| docs/architecture/pxe-boot-flow.svg | Rendered PXE boot flow diagram. |
| flake.lock | Pins flake inputs. |
| flake.nix | Defines inputs/outputs (NixOS config, devShell, checks, formatter). |
| hosts/pxe-host/default.nix | Host composition module importing placeholders and service stubs. |
| hosts/pxe-host/disko.nix | Placeholder disko layout (empty devices). |
| hosts/pxe-host/hardware-configuration.nix.example | Documentation-only hardware config template. |
| hosts/pxe-host/networking.nix | Placeholder static networking shape for pxe-host. |
| lib/checks.nix | Centralized nixfmt-rfc-style/statix/deadnix check definitions. |
| modules/netbootxyz.nix | Stub module defining services.dryvist.pxe.netbootxyz.enable. |
| modules/nginx-static.nix | Stub module defining services.dryvist.pxe.nginxStatic.enable. |
| modules/proxmox-auto-installer.nix | Stub module defining services.dryvist.pxe.proxmoxAutoInstaller.enable. |
| release-please-config.json | release-please configuration. |
| renovate.json5 | Renovate configuration and GitHub Actions grouping rule. |
| secrets/system.enc.yaml | Placeholder secrets file (intentionally unencrypted stub). |
GitHub Actions Linux runners cannot grant the SUID sandbox helper that nix-built chromium-148 requires (mode 4755 / root ownership), so every mmdc invocation aborted with `Failed to launch the browser process`. Add `.github/scripts/puppeteer-config.json` carrying the standard `--no-sandbox` + `--disable-setuid-sandbox` args and feed it to mmdc via `--puppeteerConfigFile`. Workflow path filter now also reruns on changes to the puppeteer config so future tweaks regate properly. Refs: dryvist Server Infrastructure project — Mirror + scaffold epic
Previous fix used nix-built mermaid-cli with a --no-sandbox puppeteer config, but nix-built mermaid-cli on Linux still produced different SVG output than my Mac local render (different chromium build, different font metrics). The diff gate kept tripping. Switch both local and CI to the minlag/mermaid-cli docker image. Same container, same chromium, same fonts -> byte-identical SVG output. Refresh the three committed .svg files using the new docker pipeline.
- README.md, .github/workflows/ci.yml header, AGENTS.md: replace `alejandra` references with `nixfmt-rfc-style` to match the actual formatter used in `lib/checks.nix`. The implementation always was nixfmt-rfc-style; only the docs were stale.
- answer-files/proxmox-b.toml: comment said "bcrypt" but the placeholder uses $6$ (sha512-crypt). Proxmox accepts crypt(3) formats; clarified the comment to match the placeholder format.

Pushes back implicitly on the mermaid-cli thread — the workflow already runs `bash .github/scripts/render-mermaid.sh` which uses the minlag/mermaid-cli docker image, not `nix run nixpkgs#mermaid-cli`. The thread was stale; will reply on the thread.
Closing — skeleton scaffold open for 11+ days without implementation follow-through; reopen with implementation when ready.
Summary
Brand-new repo. This PR scaffolds `dryvist/nix-pxe-bootstrap` per the v2 buildout plan. Skeleton only — every module body is an `mkEnableOption` stub. Functional implementation lands in a follow-up session, tracked as the "netboot.xyz on Pi: implementation" epic in the dryvist Server Infrastructure Project.

What's in here
- `flake.nix` — inputs: nixpkgs/nixos-25.11, nixos-hardware (raspberry-pi-4), sops-nix, disko. Outputs: `nixosConfigurations.pxe-host`, formatter, checks, devShell.
- `hosts/pxe-host/` — `default.nix` composes all modules; `disko.nix`, `networking.nix`, `hardware-configuration.nix.example` are placeholders.
- `modules/{netbootxyz,proxmox-auto-installer,nginx-static}.nix` — empty `mkEnableOption` stubs under `services.dryvist.pxe.*`.
- `answer-files/proxmox-{b,c,d}.toml` — Proxmox auto-installer placeholders (placeholder root pw hashes, MACs, IPs).
- `secrets/system.enc.yaml` — SOPS placeholder (real recipients TBD).
- `lib/checks.nix` — alejandra/statix/deadnix mirroring the nix-darwin pattern.
- `.github/workflows/{ci,codeql,deps-update-flake,release-please,mermaid-render-check}.yml`
- `docs/architecture/{network-topology,pxe-boot-flow,ecosystem-context}.{mmd,svg}`
- `docs/adr/0001..0003.md`
- `LICENSE` (MIT, dryvist + Jacob P. Evans), `README.md`, `AGENTS.md`, `CLAUDE.md`, `CHANGELOG.md`, `release-please-config.json`, `.release-please-manifest.json`, `renovate.json5`, `.envrc`, `.sops.yaml`, `.gitignore`.

Why this PR exists now
The dryvist Proxmox cluster (B+C+D) is installed unattended via PXE +
Proxmox auto-installer. PXE blocks B install per plan decision Q15, so the
repo must exist before B physically arrives — even if the implementation is
deferred to a follow-up session.
Validation
- `nix flake check --no-build` — succeeds (Linux NixOS configs omitted on darwin host, expected).
- `nix run nixpkgs#statix -- check` — clean.
- `nix run nixpkgs#deadnix -- -L --fail` — clean.
- `nix run nixpkgs#nixfmt-rfc-style -- --check` — clean.
- `.mmd` sources rendered to `.svg` via `nix run nixpkgs#mermaid-cli`.

Test plan
- `disko.nix`, `networking.nix`, and `hardware-configuration.nix` once target hardware is bound.
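The PR body lists placeholder root-password hashes in the answer files and an intentionally unencrypted `secrets/system.enc.yaml`, and the later commit notes the placeholder is a `$6$` sha512-crypt string rather than bcrypt. A small CI-side gate that would flag either placeholder before it reaches `main`, written here as an added example that is not part of the PR or the dryvist project: it assumes the answer files keep the hash under `[global]` as `root-password-hashed` (the `root_password_hashed` spelling is also accepted), that an encrypted SOPS file wraps every secret value in an `ENC[...]` marker beneath a top-level `sops:` block, and it uses constructed sample files rather than the repo's own.

```python
"""Pre-merge checks for the placeholder secrets this scaffold ships with.

Added example, not code from the PR or the dryvist project. Assumptions:
the Proxmox answer files keep the root hash under ``[global]`` as
``root-password-hashed`` (``root_password_hashed`` is also accepted), and an
encrypted SOPS YAML file wraps secret values in ``ENC[...]`` and carries a
top-level ``sops:`` metadata block. Sample inputs below are constructed.
"""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# crypt(3) prefixes: $1$ md5crypt, $5$ sha256-crypt, $6$ sha512-crypt,
# $2a$/$2b$/$2y$ bcrypt, $y$/$gy$ yescrypt. The body uses the crypt alphabet
# plus '=' for an optional "rounds=N$" parameter.
CRYPT_HASH_RE = re.compile(r"^\$(?:1|5|6|2[aby]|y|gy)\$[./A-Za-z0-9$=]+$")
PLACEHOLDER_RE = re.compile(r"placeholder|changeme|replace|todo|xxx", re.IGNORECASE)


def check_answer_file(toml_text: str) -> list[str]:
    """Return findings for one Proxmox auto-installer answer file (empty = ok)."""
    findings: list[str] = []
    glob = tomllib.loads(toml_text).get("global", {})
    if "root-password" in glob or "root_password" in glob:
        findings.append("plaintext root password set; ship only a crypt(3) hash")
    hashed = glob.get("root-password-hashed", glob.get("root_password_hashed"))
    if hashed is None:
        if not findings:
            findings.append("no root password configured")
        return findings
    if not CRYPT_HASH_RE.match(hashed):
        findings.append("root-password-hashed is not a crypt(3)-style hash")
    if PLACEHOLDER_RE.search(hashed):
        findings.append("root-password-hashed is a placeholder; generate a real hash before install")
    return findings


def check_sops_file(yaml_text: str) -> list[str]:
    """Return findings for a YAML file that is supposed to be SOPS-encrypted."""
    findings: list[str] = []
    lines = yaml_text.splitlines()
    if not any(line.startswith("sops:") for line in lines):
        findings.append("missing top-level 'sops:' metadata block; file is not encrypted")
    in_meta = False
    for line in lines:
        if line.startswith("sops:"):
            in_meta = True
            continue
        if in_meta and line and not line[0].isspace():
            in_meta = False  # left the indented sops: block; this is a data key again
        stripped = line.strip()
        if in_meta or not stripped or stripped.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        value = value.strip().strip("\"'")
        if sep and value and not value.startswith("ENC["):
            findings.append(f"plaintext value under {key.strip()!r}")
    return findings


# Constructed samples standing in for answer-files/proxmox-b.toml and
# secrets/system.enc.yaml; none of these values are real.
PLACEHOLDER_ANSWER = '[global]\nkeyboard = "en-us"\nroot-password-hashed = "$6$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx"\n'
READY_HASH = "$6$rounds=656000$Q9zX1bR4tL0mN7kP$" + "a" * 86  # shape of a real sha512-crypt string
READY_ANSWER = '[global]\nkeyboard = "en-us"\nroot-password-hashed = "%s"\n' % READY_HASH

SOPS_STUB = "# placeholder, intentionally unencrypted\nwifi_psk: hunter2\n"
SOPS_ENCRYPTED = """wifi_psk: ENC[AES256_GCM,data:constructed,iv:constructed,tag:constructed,type:str]
sops:
    age:
        - recipient: age1constructedrecipient
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            constructed
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:constructed,type:str]
    version: 3.9.0
"""

if __name__ == "__main__":
    for name, findings in [
        ("proxmox-b.toml (placeholder)", check_answer_file(PLACEHOLDER_ANSWER)),
        ("proxmox-b.toml (ready)", check_answer_file(READY_ANSWER)),
        ("system.enc.yaml (stub)", check_sops_file(SOPS_STUB)),
        ("system.enc.yaml (encrypted)", check_sops_file(SOPS_ENCRYPTED)),
    ]:
        print(name, "->", findings or "ok")
```

Wiring this into the existing `ci.yml` alongside `nix flake check` would make the scaffold's own stated caveats (placeholder hashes, unencrypted SOPS stub) fail the build until they are replaced, instead of relying on a code comment to remember them. The SOPS check is a line-level heuristic on purpose: it needs no YAML library and only has to distinguish ciphertext from plaintext values, not validate the file.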