commit cda9428fd6dc4f472f27923cc2b8231f687147c2 parent cb9d2da87d0f6cbdf9a2ca1ffa69baa43fea3c56 Author: Vincent Demeester <vincent@sbr.pm> Date: Fri, 11 Dec 2020 17:18:57 +0100 flake: copy naruhodo.nix to flake Signed-off-by: Vincent Demeester <vincent@sbr.pm> Diffstat:
M | flake.nix | | | 2 | +- |
A | systems/hosts/naruhodo.flake.nix | | | 102 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
2 files changed, 103 insertions(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
@@ -130,7 +130,7 @@
 })
 # FIXME remove flake suffix once migrated
 (import ./systems/modules/default.flake.nix)
- (import ./systems/profiles)
+ # (import ./systems/profiles)
 (import config)
 ];
 specialArgs = { inherit name inputs; };
diff --git a/systems/hosts/naruhodo.flake.nix b/systems/hosts/naruhodo.flake.nix
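Review bot: The `(import ./systems/profiles)` entry is commented out rather than removed, with no note on why or when it comes back, unlike the `# FIXME remove flake suffix once migrated` line just above it; a marker such as `# FIXME re-enable once systems/profiles is migrated to the flake module set` would keep this from becoming permanent. The new `systems/hosts/naruhodo.flake.nix` added in the same commit sets `profiles.*` options (`profiles.desktop.i3.enable`, `profiles.laptop.enable`, and others); if those options are declared by `./systems/profiles` rather than by `../modules`, evaluating that host will fail until the import is restored, which cannot be confirmed from this hunk alone. The enclosing module list starts outside the hunk.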
@@ -0,0 +1,102 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+ hostname = "naruhodo";
+ secretPath = ../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+in
+{
+ imports = [
+ ../hardware/thinkpad-t480s.nix
+ ../modules
+ (import ../../users).vincent
+ (import ../../users).root
+ ];
+
+ fileSystems."/" =
+ {
+ device = "/dev/mapper/root";
+ fsType = "ext4";
+ options = [ "noatime" "discard" ];
+ };
+
+ boot.initrd.luks.devices = {
+ root = {
+ device = "/dev/disk/by-uuid/50d7faba-8923-4b30-88f7-40df26e02def";
+ preLVM = true;
+ allowDiscards = true;
+ };
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/0101-68DE";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/aff86817-55ae-47ed-876a-e5a027b560ba"; }];
+
+ networking = {
+ hostName = hostname;
+ };
+
+ boot = {
+ tmpOnTmpfs = true;
+ plymouth.enable = true;
+ extraModulePackages = with pkgs.linuxPackages; [
+ v4l2loopback
+ ];
+ kernelModules = [ "v4l2loopback" ];
+ extraModprobeConfig = ''
+ options v4l2loopback exclusive_caps=1
+ '';
+ };
+
+ services.hardware.bolt.enable = true;
+ profiles = {
+ desktop.i3.enable = true;
+ laptop.enable = true;
+ home = true;
+ dev.enable = true;
+ yubikey.enable = true;
+ virtualization = { enable = true; nested = true; };
+ docker.enable = true;
+ redhat.enable = true;
+ scanning.enable = true;
+ };
+ environment.systemPackages = with pkgs; [ virtmanager ];
+
+ services = {
+ wireguard = {
+ enable = true;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
+ };
+ };
+
+ virtualisation.podman.enable = true;
+ virtualisation.containers = {
+ enable = true;
+ registries = {
+ search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
+ };
+ policy = {
+ default = [{ type = "insecureAcceptAnything"; }];
+ transports = {
+ docker-daemon = {
+ "" = [{ type = "insecureAcceptAnything"; }];
+ };
+ };
+ };
+ };
+}
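Review bot: `virtualisation.containers.policy` in this new file accepts every image without any signature or trust check (`default = [{ type = "insecureAcceptAnything"; }]`, and the same for the `docker-daemon` transport), while `registries.search` lets an unqualified image name be resolved against five registries in turn, so nothing in this configuration verifies the provenance of what a short-name pull ends up fetching. If that is deliberate for a personal laptop, a comment next to `policy` saying so would help, e.g. `# No signature policy: images are trusted as pulled; prefer fully-qualified image names.`; otherwise a `reject` default with explicit per-registry entries under `transports.docker` is the usual tightening. Per the commit title this file is a copy of the existing naruhodo.nix, so the policy is not new behaviour, but the flake copy is where it will live from now on. Separately, `import secretPath` is written five times in the `let` block; binding it once (`secrets = import secretPath;`, which Nix evaluates lazily, so it is only forced when `secretCondition` holds) would make the fallback values used when the secrets file is absent (`endpointPort = 0`, empty `endpoint` and `endpointPublicKey` with `services.wireguard.enable = true`) easier to see, and the wireguard module under `../modules`, which is not visible here, should presumably reject that combination.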