{ pkgs, lib, ... }:

let
  hostname = "hokkaido";

  # Machine secrets live outside this file tree.  Everything derived from
  # them is optional so the module still evaluates on a checkout that does
  # not carry the secrets file.
  secretPath = ../../secrets/machines.nix;
  hasSecrets = builtins.pathExists secretPath;
  # `import` is lazy: this binding is only forced behind a hasSecrets check.
  secrets = import secretPath;

  wgIP = lib.optionalString hasSecrets secrets.wireguard.ips."${hostname}";
  wgIPs = lib.optionals hasSecrets [ "${wgIP}/24" ];
  wgEndpointIP = lib.optionalString hasSecrets secrets.wg.endpointIP;
  wgEndpointPort = if hasSecrets then secrets.wg.listenPort else 0;
  wgPeerPublicKey = lib.optionalString hasSecrets secrets.wireguard.kerkouane.publicKey;
in
{
  imports = [
    ../hardware/dell-latitude-e6540.nix
    (import ../../nix).home-manager-stable
    ../modules
    (import ../../users).vincent
    (import ../../users).root
  ];

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/3e86d004-5554-4a90-b436-fcca63775f9d";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/D91F-14E8";
      fsType = "vfat";
    };
  };

  swapDevices = [
    { device = "/dev/disk/by-uuid/f065180d-8889-45ba-81d1-a67ac746dfeb"; }
  ];

  networking = {
    hostName = hostname;
    useDHCP = false;
    # eno1 is enslaved to the br1 bridge, which gets its address via DHCP.
    bridges.br1.interfaces = [ "eno1" ];
    interfaces.br1.useDHCP = true;
    # No host firewall at all: every listening service configured below
    # (ssh, syncthing, the virtualization profile's TCP listener, the
    # wireguard endpoint, ...) is reachable from whatever network br1 sits on.
    firewall.enable = false;
  };

  boot = {
    tmpOnTmpfs = true;
    plymouth.enable = true;
    binfmt = {
      # s390x is registered by hand with the qemu user-mode binary rather
      # than through emulatedSystems.
      registrations.s390x-linux = {
        interpreter = "${pkgs.qemu}/bin/qemu-s390x";
        magicOrExtension = ''\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16'';
        mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
      };
      emulatedSystems = [
        "armv6l-linux"
        "armv7l-linux"
        "aarch64-linux"
        "powerpc64le-linux"
      ];
    };
  };

  users.extraUsers.builder = {
    isNormalUser = true;
    uid = 1018;
    extraGroups = [ ];
    # The key is read at evaluation time from an absolute path on the
    # evaluating host, not from the repo; evaluation fails if it is absent.
    openssh.authorizedKeys.keys = [ (builtins.readFile "/etc/nixos/secrets/builder.pub") ];
  };
  # Trusted users may reconfigure the Nix daemon (substituters, sandbox
  # settings, ...), which the Nix manual treats as equivalent to root.
  # That includes the key-only "builder" account above.
  nix.trustedUsers = [ "root" "vincent" "builder" ];

  profiles = {
    home = true;
    dev.enable = true;
    desktop.enable = lib.mkForce false;
    laptop.enable = true;
    docker.enable = true;
    avahi.enable = true;
    syncthing.enable = true;
    ssh = { enable = true; forwardX11 = true; };
    virtualization = { enable = true; nested = true; listenTCP = true; };
    kubernetes.enable = true;
    openshift.enable = true;
    tekton.enable = false;
    yubikey.enable = true;
  };

  virtualisation = {
    podman.enable = true;
    containers = {
      enable = true;
      registries.search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
      # containers-policy.json: "insecureAcceptAnything" accepts any image
      # from every registry in the search list (and from docker-daemon)
      # without signature verification.
      policy = {
        default = [{ type = "insecureAcceptAnything"; }];
        transports.docker-daemon."" = [{ type = "insecureAcceptAnything"; }];
      };
    };
  };

  services = {
    # Lid events are ignored in every state — presumably so closing the lid
    # never suspends the machine; confirm against how the host is used.
    logind.extraConfig = ''
      HandleLidSwitch=ignore
      HandleLidSwitchExternalPower=ignore
      HandleLidSwitchDocked=ignore
    '';
    # Project-local wireguard module; all values are empty/0 when the
    # secrets file is missing.
    wireguard = {
      enable = true;
      ips = wgIPs;
      endpoint = wgEndpointIP;
      endpointPort = wgEndpointPort;
      endpointPublicKey = wgPeerPublicKey;
    };
  };

  # Container daemons are installed but not pulled in at boot; docker still
  # depends on the containerd socket when it is started.
  systemd.services = {
    buildkitd.wantedBy = lib.mkForce [ ];
    containerd.wantedBy = lib.mkForce [ ];
    docker = {
      wantedBy = lib.mkForce [ ];
      requires = [ "containerd.socket" ];
    };
  };
}