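{ sources ? import ../../nix
, lib ? sources.lib
, pkgs ? sources.pkgs { }
, ...
}:

with lib;
let
  hostname = "aomi";

  # The secrets checkout is optional so this file still evaluates without it
  # (e.g. on CI). Every value read from it degrades to "" / 0 in that case;
  # the lookups below are only forced when secretCondition is true.
  secretPath = ../../secrets/machines.nix;
  secretCondition = builtins.pathExists secretPath;
  secrets = if secretCondition then import secretPath else { };

  endpointIP = strings.optionalString secretCondition secrets.wg.endpointIP;
  endpointPort = if secretCondition then secrets.wg.listenPort else 0;
  endpointPublicKey = strings.optionalString secretCondition secrets.wireguard.kerkouane.publicKey;

  # Non-secret host inventory: LAN and wireguard addresses used by buildkit,
  # syncthing and wireguard below.
  metadata = importTOML ../../ops/hosts.toml;
in
{
  imports = [
    ../hardware/lenovo-p1.nix
    (import ../../users/vincent)
    (import ../../users/root)
  ];

  # Full-disk encryption. The LUKS key is the first 4096 bytes of a raw SD
  # card, so possession of the card unlocks the disk without a passphrase;
  # the passphrase prompt is only the fallback when the card is absent.
  # allowDiscards passes TRIM through the crypto layer, which exposes which
  # blocks are unused to anyone reading the raw device.
  boot.initrd.luks.devices.root = {
    device = "/dev/disk/by-uuid/91b05f64-b97d-4405-8405-8785699ada8f";
    preLVM = true;
    allowDiscards = true;
    keyFile = "/dev/disk/by-id/mmc-SD08G_0x704a5a38";
    keyFileSize = 4096;
    fallbackToPassword = true;
  };

  fileSystems."/" = {
    device = "/dev/mapper/root";
    fsType = "ext4";
    options = [ "noatime" "discard" ];
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/32B9-94CC";
    fsType = "vfat";
  };

  swapDevices = [{ device = "/dev/disk/by-uuid/24da6a46-cd28-4bff-9220-6f449e3bd8b5"; }];

  networking = {
    hostName = hostname;
    # NOTE(review): the firewall is disabled on a laptop that roams via
    # NetworkManager, while buildkitd below listens on plain tcp:// on the
    # LAN address (port 1234) with no TLS configured here. A plain-TCP
    # buildkit listener has no authentication of its own, so anyone on the
    # same network who can reach it can submit arbitrary builds. Either
    # enable the firewall (and trust only wg0), or drop the non-wireguard
    # tcp:// buildkit addresses.
    firewall.enable = false;
  };

  # extract this from desktop
  networking.networkmanager = {
    enable = true;
    # Interfaces owned by wireguard, docker, libvirt and containers are left
    # to their own services.
    unmanaged = [
      "interface-name:br-*"
      "interface-name:ve-*"
      "interface-name:veth*"
      "interface-name:wg0"
      "interface-name:docker0"
      "interface-name:virbr*"
    ];
    # `packages` was renamed to `plugins` in NixOS 23.05.
    plugins = with pkgs; [ networkmanager-openvpn ];
  };

  sops.defaultSopsFile = ../../secrets/secrets.yaml;

  boot = {
    # NOTE(review): this adds a netboot.xyz entry to the systemd-boot menu,
    # so anyone at the keyboard can boot arbitrary network images from the
    # unencrypted /boot. The LUKS volume itself stays protected.
    loader.systemd-boot.netbootxyz.enable = true;
    kernelPackages = pkgs.linuxPackages_latest;
    # Renamed from boot.tmpOnTmpfs in NixOS 23.05.
    tmp.useTmpfs = true;
  };

  services.hardware.bolt.enable = true;

  modules = {
    core.binfmt.enable = true;
    hardware.laptop.enable = true;
    dev = {
      enable = true;
      containers = {
        enable = true;
        docker = {
          enable = true;
          package = pkgs.docker_27;
        };
        podman.enable = true;
        buildkit = {
          enable = true;
          # Local socket, plus remote access over the LAN and over wireguard.
          # NOTE(review): the tcp:// listeners are unauthenticated plain TCP;
          # see the firewall note above.
          grpcAddress = [
            "unix:///run/buildkit/buildkitd.sock"
            "tcp://aomi.home:1234"
            "tcp://${metadata.hosts.aomi.addrs.v4}:1234"
            "tcp://${metadata.hosts.aomi.wireguard.addrs.v4}:1234"
          ];
        };
        image-mirroring = {
          enable = true;
          targets = [ "quay.io/vdemeest" "ghcr.io/vdemeester" ];
          settings = {
            "docker.io" = {
              "images" = {
                # sync latest and edge tags
                "alpine" = [ "latest" "edge" ];
              };
              "images-by-tag-regex" = {
                # sync all "3.x" tags. Inside a Nix double-quoted string `\.`
                # is just `.`, so the backslash must be doubled for the regex
                # engine to see a literal dot (otherwise "3x10" would match).
                "alpine" = "^3\\.[0-9]+$";
              };
            };
          };
        };
      };
    };
    services = {
      avahi.enable = true;
      ssh.enable = true;
      syncthing = {
        enable = true;
        # The GUI is bound to the wireguard address only.
        guiAddress = "${metadata.hosts.aomi.wireguard.addrs.v4}:8384";
      };
    };
    virtualisation.libvirt = { enable = true; nested = true; };
  };

  modules.profiles = {
    # externalbuilder.enable = true;
    home = true;
  };


  services.udev.extraRules = ''
    # STM32 DFU rules for the Moonlander and Planck EZ keyboards.
    # MODE 0666 makes the DFU node world-writable while a keyboard sits in
    # bootloader mode. TAG+="uaccess" would restrict it to the active seat,
    # but extraRules is written to 99-local.rules, after 73-seat-late.rules,
    # so the tag would not take effect from here.
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", \
      MODE:="0666", \
      SYMLINK+="stm32_dfu"

    # Hibernate when the battery reaches 5% or lower while discharging.
    # "[0-5]" matches a single character, i.e. exactly capacities 0..5.
    SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"
  '';

  services = {
    envfs.enable = false;
    netdata.enable = true;
    # Ignore the lid in every power state so the machine keeps running when
    # closed (it also serves as a builder, see the builder user below).
    logind.extraConfig = ''
      HandleLidSwitch=ignore
      HandleLidSwitchExternalPower=ignore
      HandleLidSwitchDocked=ignore
    '';
    smartd = {
      enable = true;
      devices = [{ device = "/dev/nvme0n1"; }];
    };
    wireguard = {
      enable = true;
      ips = [ "${metadata.hosts.aomi.wireguard.addrs.v4}/24" ];
      endpoint = endpointIP;
      endpointPort = endpointPort;
      endpointPublicKey = endpointPublicKey;
    };
  };

  # Move this to a "builder" role
  # `users.extraUsers` is the legacy alias of `users.users`.
  users.users.builder = {
    isNormalUser = true;
    uid = 1018;
    extraGroups = [ ];
    openssh.authorizedKeys.keys = [ (builtins.readFile ../../secrets/builder.pub) ];
  };
  # NOTE(review): trusted users may override any nix.conf setting (disable
  # the sandbox, add substituters, import unsigned store paths), which is
  # root-equivalent on this host. Whoever holds builder.pub's private key
  # therefore has that power; check whether remote builds really need
  # `builder` trusted rather than merely allowed.
  # Renamed from nix.trustedUsers in NixOS 22.05.
  nix.settings.trusted-users = [ "root" "vincent" "builder" ];

  # RedHat specific
  # Nightly job run as vincent from his own checkout: fetch and rebase on
  # `upstream/main`, then build and push bundles for each version. Whatever
  # `make` executes comes from the freshly fetched upstream branch and pushes
  # with vincent's registry credentials, so this trusts upstream's Makefile.
  # `git clean -fd` / `reset --hard` discard any local work in that checkout.
  systemd.services.osp-vdemeest-nightly = {
    description = "Build nightly builds";
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];

    restartIfChanged = false;
    unitConfig = {
      X-StopOnRemoval = false;
      # OnFailure= is a [Unit] directive; systemd ignores unknown keys in
      # [Service], so it must live here rather than in serviceConfig. %n is
      # the full unit name ("%." is not a systemd specifier).
      OnFailure = "status-email-root@%n.service";
    };

    serviceConfig = {
      Type = "oneshot";
      User = "vincent";
    };

    path = with pkgs; [ git openssh bash coreutils-full nix which gnumake ];
    script = ''
      set -e
      cd /home/vincent/src/osp/p12n/p12n
      git fetch -p --all
      git clean -fd
      git reset --hard HEAD
      git checkout main
      git rebase upstream/main
      # Make versions
      make versions
      for v in 1.7 1.8 1.9 1.10; do
        echo "Build $v"
        (
          cd versions/$v
          git clean -fd
          git reset --hard HEAD
          # Spelled out instead of the `co` alias, which only resolves if
          # vincent's ~/.gitconfig defines it.
          git checkout upstream/pipelines-$v-rhel-8
          nix-shell /home/vincent/src/osp/shell.nix --command "make REMOTE=quay.io/vdemeest TAG=$v sources/upgrade sources/operator/fetch-payload bundle/push"
        )
      done
    '';

    startAt = "daily";
  };
  # Let sudo authenticate against a key offered by a forwarded SSH agent
  # (pam_ssh_agent_auth). Renamed from security.pam.enableSSHAgentAuth in
  # NixOS 24.05.
  security.pam.sshAgentAuth.enable = true;
}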