Enable ISO ARM cross-compilation & update CI config

- Allow rune to cross compile ARM binaries

.github/workflows/build-iso.yml

@@ -17,22 +17,16 @@ jobs:
     strategy:
       matrix:
         include:
-          # x86 ISOs on x86 runners
           - iso-type: server
             arch: x86
-            runner: ubuntu-latest
-          - iso-type: desktop
-            arch: x86
-            runner: ubuntu-latest
-          # ARM ISOs on ARM runners
           - iso-type: server
             arch: arm
-            runner: ubuntu-latest-arm64
+          - iso-type: desktop
+            arch: x86
           - iso-type: desktop
             arch: arm
-            runner: ubuntu-latest-arm64
 
-    runs-on: ${{ matrix.runner }}
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout repository
@@ -41,9 +35,22 @@ jobs:
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@v9
 
+      - name: Setup QEMU for ARM emulation
+        if: ${{ matrix.arch == 'arm' }}
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: arm64
+
       - name: Setup Nix cache
         uses: DeterminateSystems/magic-nix-cache-action@v2
 
+      - name: Enable ARM emulation
+        if: ${{ matrix.arch == 'arm' }}
+        run: |
+          echo "extra-platforms = aarch64-linux" >> $HOME/.config/nix/nix.conf
+          echo "extra-sandbox-paths = /run/binfmt" >> $HOME/.config/nix/nix.conf
+          sudo systemctl restart nix-daemon.service
+
       - name: Build ISO (with retry)
         uses: nick-fields/retry@v3
         with:
@@ -52,15 +59,27 @@ jobs:
           retry_wait_seconds: 30
           command: |
             cd iso
-            nix build .#${{ matrix.iso-type }}-iso-${{ matrix.arch }} \
-              --print-build-logs \
-              --accept-flake-config
+            if [ "${{ matrix.arch }}" = "arm" ]; then
+              nix build .#${{ matrix.iso-type }}-iso-arm \
+                --system x86_64-linux \
+                --extra-platforms aarch64-linux \
+                --print-build-logs \
+                --accept-flake-config
+            else
+              nix build .#${{ matrix.iso-type }}-iso-x86 \
+                --print-build-logs \
+                --accept-flake-config
+            fi
 
       - name: Get ISO filename
         id: iso-info
         run: |
           cd iso
-          ISO_PATH=$(nix build .#${{ matrix.iso-type }}-iso-${{ matrix.arch }} --print-out-paths --no-link)
+          if [ "${{ matrix.arch }}" = "arm" ]; then
+            ISO_PATH=$(nix build .#${{ matrix.iso-type }}-iso-arm --print-out-paths --no-link)
+          else
+            ISO_PATH=$(nix build .#${{ matrix.iso-type }}-iso-x86 --print-out-paths --no-link)
+          fi
           ISO_FILE=$(find $ISO_PATH -name "*.iso" -o -name "*.iso.zst" | head -1)
           ISO_NAME=$(basename "$ISO_FILE")
           echo "iso-path=$ISO_FILE" >> $GITHUB_OUTPUT
@@ -99,7 +118,7 @@ jobs:
             - **Server ISOs**: Minimal server environment with SSH access
             - **Desktop ISOs**: GNOME desktop environment for installation
             - **x86**: Intel/AMD 64-bit systems
-            - **ARM**: ARM64 systems
+            - **ARM**: ARM64 systems (cross-compiled)
 
             ### Usage:
             1. Download the appropriate ISO for your system
@@ -109,4 +128,4 @@ jobs:
 
             Built automatically from commit: ${{ github.sha }}
           draft: false
-          prerelease: false
+          prerelease: false

hosts/arm/caenus/hardware.nix

@@ -19,18 +19,13 @@ in
   ## Boot ##
   boot = {
     loader = {
-      grub = {
-        enable = true;
-        device = "/dev/vda";
-        useOSProber = true;
-      };
+      systemd-boot.enable = true;
       efi.canTouchEfiVariables = true;
       timeout = 3;
     };
 
     # use latest kernel
     kernelPackages = pkgs.linuxPackages_latest;
-
     initrd = {
       availableKernelModules = [
         "ahci"
@@ -42,6 +37,7 @@ in
       systemd.enable = true;
       verbose = false;
     };
+    kernelParams = [ "net.ifnames=0" ];
     kernelModules = [ ];
     extraModulePackages = [ ];
   };

hosts/x86/rune/hardware.nix

@@ -48,6 +48,9 @@
       "amdgpu"
     ];
     extraModulePackages = [ ];
+
+    # Allow running ARM binaries on x86_64; for Cross Compilation
+    binfmt.emulatedSystems = [ "aarch64-linux" ];
   };
 
   # For less permission issues with SSHFS

iso/default.nix

@@ -7,16 +7,20 @@
   system,
   ...
 }:
+let
+  isCross = pkgs.stdenv.buildPlatform.system != pkgs.stdenv.hostPlatform.system;
+in
 {
-  # ISO settings
   isoImage = {
     isoName = lib.mkForce "nixos-${config.hostSpec.hostName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.iso";
     makeEfiBootable = true;
     makeUsbBootable = true;
     compressImage = false;
+    squashfsCompression = lib.mkIf isARM "gzip";
+    includeSystemBuildDependencies = lib.mkIf (isARM || isCross) false;
   };
 
-  # Enable root SSH access
+  ## SSH  & NETWORK ##
   services.openssh = {
     enable = true;
     settings = {
@@ -31,7 +35,7 @@
     enableIPv6 = false;
   };
 
-  # Extra pkgs; iso tools
+  ## PKGS ##
   environment.systemPackages = with pkgs; [
     parted
     gptfdisk
@@ -39,11 +43,10 @@
     gparted
   ];
 
-  # VM guest additions to improve host-guest interaction
+  ## VM additions ##
   services.spice-vdagentd.enable = true;
   services.qemuGuest.enable = true;
   virtualisation.vmware.guest.enable = pkgs.stdenv.hostPlatform.isx86;
-  # https://github.com/torvalds/linux/blob/00b827f0cffa50abb6773ad4c34f4cd909dae1c8/drivers/hv/Kconfig#L7-L8
   virtualisation.hypervGuest.enable =
     pkgs.stdenv.hostPlatform.isx86 || pkgs.stdenv.hostPlatform.isAarch64;
   services.xe-guest-utilities.enable = pkgs.stdenv.hostPlatform.isx86;
@@ -51,9 +54,19 @@
   # which lags behind kernel releases, potentially causing broken builds.
   virtualisation.virtualbox.guest.enable = false;
 
-  # Basic system settings
+  ## System ##
   system.stateVersion = "25.05";
   nixpkgs.hostPlatform = system;
-  nixpkgs.config.allowUnsupportedSystem = true; # Cross-compilation
   users.mutableUsers = lib.mkForce true; # Allow password changes
+
+  nixpkgs.config = {
+    allowUnsupportedSystem = true;
+    allowUnfree = true;
+    allowBroken = false;
+  };
+
+  systemd.services = lib.mkIf isARM {
+    systemd-firstboot.enable = lib.mkForce false;
+    systemd-machine-id-commit.enable = lib.mkForce false;
+  };
 }

iso/flake.nix

@@ -87,7 +87,7 @@
           }) configs
         );
 
-      # Generate packages per system - each system only exposes its own packages
+      # Generate packages per system - all available on x86_64 via cross-compilation
       mkPackages =
         system:
         let
@@ -103,13 +103,11 @@
     {
       nixosConfigurations = mkConfigurations;
 
-      # Each system only exposes packages it can build
       packages = {
-        "${X86}" = mkPackages X86;
+        "${X86}" = (mkPackages X86) // (mkPackages ARM);
         "${ARM}" = mkPackages ARM;
       };
 
-      # For convenience - all systems get all configs
       inherit (dot-nix.outputs) overlays;
     };
 }

iso/not-secrets.nix

@@ -48,4 +48,8 @@ in
       };
     };
   };
+
+  # Override the installation-cd defaults to prevent password conflicts
+  users.users.nixos.initialHashedPassword = lib.mkForce null;
+  users.users.root.initialHashedPassword = lib.mkForce null;
 }