.github/workflows/build-iso.yml

@@ -17,16 +17,22 @@ jobs:
     strategy:
       matrix:
         include:
+          # x86 ISOs on x86 runners
           - iso-type: server
             arch: x86
-          - iso-type: server
+            runner: ubuntu-latest
-            arch: arm
           - iso-type: desktop
             arch: x86
+            runner: ubuntu-latest
+          # ARM ISOs on ARM runners
+          - iso-type: server
+            arch: arm
+            runner: ubuntu-latest-arm64
           - iso-type: desktop
             arch: arm
+            runner: ubuntu-latest-arm64
 
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
 
     steps:
       - name: Checkout repository
@@ -35,22 +41,9 @@ jobs:
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@v9
 
-      - name: Setup QEMU for ARM emulation
-        if: ${{ matrix.arch == 'arm' }}
-        uses: docker/setup-qemu-action@v3
-        with:
-          platforms: arm64
-
       - name: Setup Nix cache
         uses: DeterminateSystems/magic-nix-cache-action@v2
 
-      - name: Enable ARM emulation
-        if: ${{ matrix.arch == 'arm' }}
-        run: |
-          echo "extra-platforms = aarch64-linux" >> $HOME/.config/nix/nix.conf
-          echo "extra-sandbox-paths = /run/binfmt" >> $HOME/.config/nix/nix.conf
-          sudo systemctl restart nix-daemon.service
-
       - name: Build ISO (with retry)
         uses: nick-fields/retry@v3
         with:
@@ -59,27 +52,15 @@ jobs:
           retry_wait_seconds: 30
           command: |
             cd iso
-            if [ "${{ matrix.arch }}" = "arm" ]; then
+            nix build .#${{ matrix.iso-type }}-iso-${{ matrix.arch }} \
-              nix build .#${{ matrix.iso-type }}-iso-arm \
+              --print-build-logs \
-                --system x86_64-linux \
+              --accept-flake-config
-                --extra-platforms aarch64-linux \
-                --print-build-logs \
-                --accept-flake-config
-            else
-              nix build .#${{ matrix.iso-type }}-iso-x86 \
-                --print-build-logs \
-                --accept-flake-config
-            fi
 
       - name: Get ISO filename
         id: iso-info
         run: |
           cd iso
-          if [ "${{ matrix.arch }}" = "arm" ]; then
+          ISO_PATH=$(nix build .#${{ matrix.iso-type }}-iso-${{ matrix.arch }} --print-out-paths --no-link)
-            ISO_PATH=$(nix build .#${{ matrix.iso-type }}-iso-arm --print-out-paths --no-link)
-          else
-            ISO_PATH=$(nix build .#${{ matrix.iso-type }}-iso-x86 --print-out-paths --no-link)
-          fi
           ISO_FILE=$(find $ISO_PATH -name "*.iso" -o -name "*.iso.zst" | head -1)
           ISO_NAME=$(basename "$ISO_FILE")
           echo "iso-path=$ISO_FILE" >> $GITHUB_OUTPUT
@@ -118,7 +99,7 @@ jobs:
             - **Server ISOs**: Minimal server environment with SSH access
             - **Desktop ISOs**: GNOME desktop environment for installation
             - **x86**: Intel/AMD 64-bit systems
-            - **ARM**: ARM64 systems (cross-compiled)
+            - **ARM**: ARM64 systems
 
             ### Usage:
             1. Download the appropriate ISO for your system
@@ -128,4 +109,4 @@ jobs:
 
             Built automatically from commit: ${{ github.sha }}
           draft: false
-          prerelease: false
+          prerelease: false

hosts/arm/caenus/hardware.nix

@@ -19,13 +19,18 @@ in
   ## Boot ##
   boot = {
     loader = {
-      systemd-boot.enable = true;
+      grub = {
+        enable = true;
+        device = "/dev/vda";
+        useOSProber = true;
+      };
       efi.canTouchEfiVariables = true;
       timeout = 3;
     };
 
     # use latest kernel
     kernelPackages = pkgs.linuxPackages_latest;
+
     initrd = {
       availableKernelModules = [
         "ahci"
@@ -37,7 +42,6 @@ in
       systemd.enable = true;
       verbose = false;
     };
-    kernelParams = [ "net.ifnames=0" ];
     kernelModules = [ ];
     extraModulePackages = [ ];
   };

hosts/x86/rune/hardware.nix

@@ -48,9 +48,6 @@
       "amdgpu"
     ];
     extraModulePackages = [ ];
-
-    # Allow running ARM binaries on x86_64; for Cross Compilation
-    binfmt.emulatedSystems = [ "aarch64-linux" ];
   };
 
   # For less permission issues with SSHFS

iso/default.nix

@@ -7,20 +7,16 @@
   system,
   ...
 }:
-let
-  isCross = pkgs.stdenv.buildPlatform.system != pkgs.stdenv.hostPlatform.system;
-in
 {
+  # ISO settings
   isoImage = {
     isoName = lib.mkForce "nixos-${config.hostSpec.hostName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.iso";
     makeEfiBootable = true;
     makeUsbBootable = true;
     compressImage = false;
-    squashfsCompression = lib.mkIf isARM "gzip";
-    includeSystemBuildDependencies = lib.mkIf (isARM || isCross) false;
   };
 
-  ## SSH  & NETWORK ##
+  # Enable root SSH access
   services.openssh = {
     enable = true;
     settings = {
@@ -35,7 +31,7 @@ in
     enableIPv6 = false;
   };
 
-  ## PKGS ##
+  # Extra pkgs; iso tools
   environment.systemPackages = with pkgs; [
     parted
     gptfdisk
@@ -43,10 +39,11 @@ in
     gparted
   ];
 
-  ## VM additions ##
+  # VM guest additions to improve host-guest interaction
   services.spice-vdagentd.enable = true;
   services.qemuGuest.enable = true;
   virtualisation.vmware.guest.enable = pkgs.stdenv.hostPlatform.isx86;
+  # https://github.com/torvalds/linux/blob/00b827f0cffa50abb6773ad4c34f4cd909dae1c8/drivers/hv/Kconfig#L7-L8
   virtualisation.hypervGuest.enable =
     pkgs.stdenv.hostPlatform.isx86 || pkgs.stdenv.hostPlatform.isAarch64;
   services.xe-guest-utilities.enable = pkgs.stdenv.hostPlatform.isx86;
@@ -54,19 +51,9 @@ in
   # which lags behind kernel releases, potentially causing broken builds.
   virtualisation.virtualbox.guest.enable = false;
 
-  ## System ##
+  # Basic system settings
   system.stateVersion = "25.05";
   nixpkgs.hostPlatform = system;
+  nixpkgs.config.allowUnsupportedSystem = true; # Cross-compilation
   users.mutableUsers = lib.mkForce true; # Allow password changes
-
-  nixpkgs.config = {
-    allowUnsupportedSystem = true;
-    allowUnfree = true;
-    allowBroken = false;
-  };
-
-  systemd.services = lib.mkIf isARM {
-    systemd-firstboot.enable = lib.mkForce false;
-    systemd-machine-id-commit.enable = lib.mkForce false;
-  };
 }

iso/flake.nix

@@ -87,7 +87,7 @@
           }) configs
         );
 
-      # Generate packages per system - all available on x86_64 via cross-compilation
+      # Generate packages per system - each system only exposes its own packages
       mkPackages =
         system:
         let
@@ -103,11 +103,13 @@
     {
       nixosConfigurations = mkConfigurations;
 
+      # Each system only exposes packages it can build
       packages = {
-        "${X86}" = (mkPackages X86) // (mkPackages ARM);
+        "${X86}" = mkPackages X86;
         "${ARM}" = mkPackages ARM;
       };
 
+      # For convenience - all systems get all configs
       inherit (dot-nix.outputs) overlays;
     };
 }

iso/not-secrets.nix

@@ -48,8 +48,4 @@ in
       };
     };
   };
-
-  # Override the installation-cd defaults to prevent password conflicts
-  users.users.nixos.initialHashedPassword = lib.mkForce null;
-  users.users.root.initialHashedPassword = lib.mkForce null;
 }