
My NixOS systems configurations.



      1 { sources ? import ../../nix
      2 , lib ? sources.lib
      3 , pkgs ? sources.pkgs { }
      4 , ...
      5 }:
      6 
      7 with lib;
      8 let
      9   hostname = "aomi";
     10   secretPath = ../../secrets/machines.nix;
     11   secretCondition = (builtins.pathExists secretPath);
     12 
     13   ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
     14   ips = lists.optionals secretCondition ([ "${ip}/24" ]);
     15   endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
     16   endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
     17   endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
     18   metadata = importTOML ../../ops/hosts.toml;
     19 in
     20 {
     21   imports = [
     22     ../hardware/lenovo-p1.nix
     23     (import ../../users/vincent)
     24     (import ../../users/root)
     25   ];
     26 
     27   boot.initrd.luks.devices = {
     28     root = {
     29       device = "/dev/disk/by-uuid/91b05f64-b97d-4405-8405-8785699ada8f";
     30       preLVM = true;
     31       allowDiscards = true;
     32       keyFile = "/dev/disk/by-id/mmc-SD08G_0x704a5a38";
     33       keyFileSize = 4096;
     34       fallbackToPassword = true;
     35     };
     36   };
     37 
     38   fileSystems."/" = {
     39     # device = "/dev/disk/by-uuid/6bedd234-3179-46f7-9a3f-feeffd880791";
     40     device = "/dev/mapper/root";
     41     fsType = "ext4";
     42     options = [ "noatime" "discard" ];
     43   };
     44 
     45   fileSystems."/boot" = {
     46     device = "/dev/disk/by-uuid/32B9-94CC";
     47     fsType = "vfat";
     48   };
     49 
     50   swapDevices = [{ device = "/dev/disk/by-uuid/24da6a46-cd28-4bff-9220-6f449e3bd8b5"; }];
     51 
     52   networking = {
     53     hostName = hostname;
     54     firewall.enable = false; # we are in safe territory :D
     55   };
     56 
     57   # extract this from desktop
     58   networking.networkmanager = {
     59     enable = true;
     60     unmanaged = [
     61       "interface-name:br-*"
     62       "interface-name:ve-*"
     63       "interface-name:veth*"
     64       "interface-name:wg0"
     65       "interface-name:docker0"
     66       "interface-name:virbr*"
     67     ];
     68     packages = with pkgs; [ networkmanager-openvpn ];
     69   };
     70 
     71   sops.defaultSopsFile = ../../secrets/secrets.yaml;
     72 
     73   boot = {
     74     loader.systemd-boot.netbootxyz.enable = true;
     75     kernelPackages = pkgs.linuxPackages_latest;
     76     tmpOnTmpfs = true;
     77   };
     78 
     79   services.hardware.bolt.enable = true;
     80 
     81   modules = {
     82     core.binfmt.enable = true;
     83     hardware = {
     84       laptop.enable = true;
     85     };
     86     dev = {
     87       enable = true;
     88       containers = {
     89         enable = true;
     90         docker = {
     91           enable = true;
     92           package = pkgs.docker_27;
     93         };
     94         podman.enable = true;
     95         buildkit = {
     96           enable = true;
     97           grpcAddress = [
     98             "unix:///run/buildkit/buildkitd.sock"
     99             "tcp://aomi.home:1234"
    100             "tcp://${metadata.hosts.aomi.addrs.v4}:1234"
    101             "tcp://${metadata.hosts.aomi.wireguard.addrs.v4}:1234"
    102           ];
    103         };
    104         image-mirroring = {
    105           enable = true;
    106           targets = [ "quay.io/vdemeest" "ghcr.io/vdemeester" ];
    107           settings = {
    108             "docker.io" = {
    109               "images" = {
    110                 # sync latest and edge tags
    111                 "alpine" = [ "latest" "edge" ];
    112               };
    113               "images-by-tag-regex" = {
    114                 # sync all "3.x" images"
    115                 "alpine" = "^3\.[0-9]+$";
    116               };
    117             };
    118           };
    119         };
    120       };
    121     };
    122     services = {
    123       avahi.enable = true;
    124       ssh.enable = true;
    125       syncthing = {
    126         enable = true;
    127         guiAddress = "${metadata.hosts.aomi.wireguard.addrs.v4}:8384";
    128       };
    129     };
    130     virtualisation.libvirt = { enable = true; nested = true; };
    131   };
    132 
    133   modules.profiles = {
    134     # externalbuilder.enable = true;
    135     home = true;
    136   };
    137 
    138 
    139   services.udev.extraRules = ''
    140     # STM32 rules for the Moonlander and Planck EZ
    141     SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", \
    142         MODE:="0666", \
    143         SYMLINK+="stm32_dfu"
    144 
    145     # Suspend the system when battery level drops to 5% or lower
    146     SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"
    147   '';
    148 
    149   services = {
    150     envfs.enable = false;
    151     netdata.enable = true;
    152     logind.extraConfig = ''
    153       HandleLidSwitch=ignore
    154       HandleLidSwitchExternalPower=ignore
    155       HandleLidSwitchDocked=ignore
    156     '';
    157     smartd = {
    158       enable = true;
    159       devices = [{ device = "/dev/nvme0n1"; }];
    160     };
    161     wireguard = {
    162       enable = true;
    163       ips = [ "${metadata.hosts.aomi.wireguard.addrs.v4}/24" ];
    164       endpoint = endpointIP;
    165       endpointPort = endpointPort;
    166       endpointPublicKey = endpointPublicKey;
    167     };
    168   };
    169 
    170   # Move this to a "builder" role
    171   users.extraUsers.builder = {
    172     isNormalUser = true;
    173     uid = 1018;
    174     extraGroups = [ ];
    175     openssh.authorizedKeys.keys = [ (builtins.readFile ../../secrets/builder.pub) ];
    176   };
    177   nix.trustedUsers = [ "root" "vincent" "builder" ];
    178 
    179   # RedHat specific
    180   systemd.services.osp-vdemeest-nightly = {
    181     description = "Build nightly builds";
    182     requires = [ "network-online.target" ];
    183     after = [ "network-online.target" ];
    184 
    185     restartIfChanged = false;
    186     unitConfig.X-StopOnRemoval = false;
    187 
    188     serviceConfig = {
    189       Type = "oneshot";
    190       User = "vincent";
    191       OnFailure = "status-email-root@%.service";
    192     };
    193 
    194     path = with pkgs; [ git openssh bash coreutils-full nix which gnumake ];
    195     script = ''
    196       set -e
    197       cd /home/vincent/src/osp/p12n/p12n
    198       git fetch -p --all
    199       git clean -fd
    200       git reset --hard HEAD
    201       git checkout main
    202       git rebase upstream/main
    203       # Make versions
    204       make versions
    205       for v in 1.7 1.8 1.9 1.10; do
    206         echo "Build $v"
    207         (
    208         cd versions/$v
    209         git clean -fd
    210         git reset --hard HEAD
    211         git co upstream/pipelines-$v-rhel-8
    212         nix-shell /home/vincent/src/osp/shell.nix --command "make REMOTE=quay.io/vdemeest TAG=$v sources/upgrade sources/operator/fetch-payload  bundle/push"
    213         )
    214       done
    215     '';
    216 
    217     startAt = "daily";
    218   };
    219   security.pam.enableSSHAgentAuth = true;
    220 }