
hokkaido.nix (3608B)


      1 { pkgs, lib, ... }:
      2 
      3 with lib;
      4 let
      5   hostname = "hokkaido";
      6   secretPath = ../../secrets/machines.nix;
      7   secretCondition = (builtins.pathExists secretPath);
      8 
      9   ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
     10   ips = lists.optionals secretCondition ([ "${ip}/24" ]);
     11   endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
     12   endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
     13   endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
     14 in
     15 {
     16   imports = [
     17     ../hardware/dell-latitude-e6540.nix
     18     (import ../../nix).home-manager-stable
     19     ../modules
     20     (import ../../users).vincent
     21     (import ../../users).root
     22   ];
     23   fileSystems."/" =
     24     {
     25       device = "/dev/disk/by-uuid/3e86d004-5554-4a90-b436-fcca63775f9d";
     26       fsType = "ext4";
     27     };
     28 
     29   fileSystems."/boot" =
     30     {
     31       device = "/dev/disk/by-uuid/D91F-14E8";
     32       fsType = "vfat";
     33     };
     34 
     35   swapDevices =
     36     [{ device = "/dev/disk/by-uuid/f065180d-8889-45ba-81d1-a67ac746dfeb"; }];
     37 
     38   networking = {
     39     hostName = hostname;
     40     bridges.br1.interfaces = [ "eno1" ];
     41     firewall.enable = false; # we are in safe territory :D
     42     useDHCP = false;
     43     interfaces.br1 = {
     44       useDHCP = true;
     45     };
     46   };
     47 
     48   boot = {
     49     tmpOnTmpfs = true;
     50     plymouth.enable = true;
     51   };
     52 
     53   boot.binfmt.registrations = {
     54     s390x-linux = {
     55       # interpreter = getEmulator "s390x-linux";
     56       interpreter = "${pkgs.qemu}/bin/qemu-s390x";
     57       magicOrExtension = ''\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16'';
     58       mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
     59     };
     60   };
     61   boot.binfmt.emulatedSystems = [
     62     "armv6l-linux"
     63     "armv7l-linux"
     64     "aarch64-linux"
     65     # "s390x-linux"
     66     "powerpc64le-linux"
     67   ];
     68 
     69   users.extraUsers.builder = {
     70     isNormalUser = true;
     71     uid = 1018;
     72     extraGroups = [ ];
     73     openssh.authorizedKeys.keys = [ (builtins.readFile "/etc/nixos/secrets/builder.pub") ];
     74   };
     75   nix.trustedUsers = [ "root" "vincent" "builder" ];
     76 
     77   profiles = {
     78     home = true;
     79     dev.enable = true;
     80     desktop.enable = lib.mkForce false;
     81     laptop.enable = true;
     82     docker.enable = true;
     83     avahi.enable = true;
     84     syncthing.enable = true;
     85     ssh = { enable = true; forwardX11 = true; };
     86     virtualization = { enable = true; nested = true; listenTCP = true; };
     87     kubernetes.enable = true;
     88     openshift.enable = true;
     89     tekton.enable = false;
     90     yubikey.enable = true;
     91   };
     92   virtualisation.podman.enable = true;
     93   virtualisation.containers = {
     94     enable = true;
     95     registries = {
     96       search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
     97     };
     98     policy = {
     99       default = [{ type = "insecureAcceptAnything"; }];
    100       transports = {
    101         docker-daemon = {
    102           "" = [{ type = "insecureAcceptAnything"; }];
    103         };
    104       };
    105     };
    106   };
    107 
    108   services = {
    109     logind.extraConfig = ''
    110       HandleLidSwitch=ignore
    111       HandleLidSwitchExternalPower=ignore
    112       HandleLidSwitchDocked=ignore
    113     '';
    114     wireguard = {
    115       enable = true;
    116       ips = ips;
    117       endpoint = endpointIP;
    118       endpointPort = endpointPort;
    119       endpointPublicKey = endpointPublicKey;
    120     };
    121   };
    122   systemd.services.buildkitd.wantedBy = lib.mkForce [ ];
    123   systemd.services.containerd.wantedBy = lib.mkForce [ ];
    124   systemd.services.docker.wantedBy = lib.mkForce [ ];
    125   systemd.services.docker.requires = [ "containerd.socket" ];
    126 
    127 }