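{ sources ? import ../../nix
, lib ? sources.lib
, pkgs ? sources.pkgs { }
, ...
}:

with lib;
let
  hostname = "naruhodo";

  # Per-machine secrets live outside this tree. Every value derived from them
  # degrades to an empty/neutral value when the file is absent, so the module
  # still evaluates on a checkout that has no secrets.
  secretPath = ../../secrets/machines.nix;
  secretCondition = (builtins.pathExists secretPath);

  ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
  ips = lists.optionals secretCondition ([ "${ip}/24" ]);
  endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
  endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
  endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;

  # Syncthing's web UI is meant to be reachable only on the WireGuard address.
  # Without the secrets `ip` is "" and "${ip}:8384" would collapse to ":8384",
  # which is a wildcard bind on every interface; fall back to loopback instead.
  syncthingGuiAddress = if secretCondition then "${ip}:8384" else "127.0.0.1:8384";

  # Resolve the qemu user-mode emulator for a foreign system (currently unused,
  # see the commented-out s390x interpreter below).
  getEmulator = system: (lib.systems.elaborate { inherit system; }).emulator pkgs;
in
{
  imports = [
    ../hardware/thinkpad-t480s.nix
    (import ../../nix).home-manager
    ../modules
    (import ../../users).vincent
    (import ../../users).root
  ];

  fileSystems."/" = {
    device = "/dev/mapper/root";
    fsType = "ext4";
    options = [ "noatime" "discard" ];
  };

  boot.initrd.luks.devices = {
    root = {
      device = "/dev/disk/by-uuid/50d7faba-8923-4b30-88f7-40df26e02def";
      preLVM = true;
      # Forwards TRIM through the LUKS layer for SSD health; the known
      # trade-off is that free-space layout becomes observable on the raw disk.
      allowDiscards = true;
    };
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/0101-68DE";
    fsType = "vfat";
  };

  swapDevices = [{ device = "/dev/disk/by-uuid/aff86817-55ae-47ed-876a-e5a027b560ba"; }];

  networking = {
    hostName = hostname;
  };

  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    tmpOnTmpfs = true;
    plymouth = {
      enable = true;
      themePackages = [ pkgs.my.adi1090x-plymouth ];
      theme = "cuts";
      # hexagon, green_loader, deus_ex, cuts, sphere, spinner_alt
    };
    extraModulePackages = with pkgs.linuxPackages_latest; [
      v4l2loopback
    ];
    kernelModules = [ "v4l2loopback" ];
    extraModprobeConfig = ''
      options v4l2loopback exclusive_caps=1
    '';
    # s390x is registered by hand with an explicit ELF magic/mask instead of
    # going through emulatedSystems (where it is left commented out below).
    binfmt.registrations = {
      s390x-linux = {
        # interpreter = getEmulator "s390x-linux";
        interpreter = "${pkgs.qemu}/bin/qemu-s390x";
        magicOrExtension = ''\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16'';
        mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'';
      };
    };
    binfmt.emulatedSystems = [
      "armv6l-linux"
      "armv7l-linux"
      "aarch64-linux"
      # "s390x-linux"
      "powerpc64le-linux"
    ];
  };

  # FIXME Fix tmpOnTmpfs
  systemd.additionalUpstreamSystemUnits = [ "tmp.mount" ];

  # Remote builder; automatic distribution stays off while the line below is
  # commented out, so the entry is presumably only used on demand.
  # nix.distributedBuilds = true;
  nix.buildMachines = [
    {
      hostName = "192.168.1.77";
      maxJobs = 8;
      sshUser = "builder";
      sshKey = "/etc/nixos/secrets/builder";
      systems = [ "x86_64-linux" "aarch64-linux" "armv7l-linux" "armv6l-linux" "powerpc64le-linux" "s390x-linux" ];
      supportedFeatures = [
        "big-parallel"
        "kvm"
        "nixos-test"
      ];
    }
    # {
    #   hostName = "192.168.1.115";
    #   maxJobs = 8;
    #   sshUser = "builder";
    #   sshKey = "/etc/nixos/secrets/builder";
    #   systems = [ "x86_64-linux" "aarch64-linux" "armv7l-linux" "armv6l-linux" "powerpc64le-linux" "s390x-linux" ];
    #   supportedFeatures = [
    #     "big-parallel"
    #     "kvm"
    #     "nixos-test"
    #   ];
    # }
  ];

  # Pinned host keys for the build machines: the SSH connection to a builder
  # fails on a key change instead of trusting whatever the host presents.
  programs.ssh.knownHosts = {
    "wakasu" = {
      hostNames = [ "wakasu.home" "192.168.1.77" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2GB030S1+iZMqwgYhkl5CuBOKBjZoujc0aVHII39/x";
    };
    "hokkaido" = {
      hostNames = [ "hokkaido.home" "192.168.1.115" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5hoyiE7fj+/vUzvvFD2r2Mm4p86p6uPDOp0ChzR5ZC";
    };
  };

  # Keyboard flashing rules. MODE:="0666" makes the device nodes world
  # read/write so flashing works without root; any local user can then talk
  # to the keyboard over USB.
  services.udev.extraRules = ''
    # Teensy rules for the Ergodox EZ
    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
    KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"

    # STM32 rules for the Moonlander and Planck EZ
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", \
        MODE:="0666", \
        SYMLINK+="stm32_dfu"

    # Suspend the system when battery level drops to 5% or lower
    SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"
  '';
  services.hardware.bolt.enable = true;
  core.nix = {
    # temporary
    localCaches = [ ];
  };

  profiles = {
    desktop.i3.enable = true;
    laptop.enable = true;
    home = true;
    dev.enable = true;
    yubikey.enable = true;
    virtualization = { enable = true; nested = true; };
    redhat.enable = true;
    scanning.enable = true;
  };
  environment.systemPackages = with pkgs; [
    virtmanager
    # force xbacklight to work
    acpilight
  ];

  services = {
    wireguard = {
      enable = true;
      ips = ips;
      endpoint = endpointIP;
      endpointPort = endpointPort;
      endpointPublicKey = endpointPublicKey;
    };
    syncthing.guiAddress = syncthingGuiAddress;
  };
  # Container daemons are installed but not pulled in at boot (empty wantedBy);
  # they have to be started explicitly.
  systemd.services.buildkitd.wantedBy = lib.mkForce [ ];
  systemd.services.containerd.wantedBy = lib.mkForce [ ];
  systemd.services.docker.wantedBy = lib.mkForce [ ];
  systemd.services.docker.requires = [ "containerd.socket" ];

  virtualisation.podman.enable = true;
  virtualisation.containers = {
    enable = true;
    registries = {
      search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
    };
    # No signature verification on pulled images: anything from the search
    # registries above is accepted as-is.
    policy = {
      default = [{ type = "insecureAcceptAnything"; }];
      transports = {
        docker-daemon = {
          "" = [{ type = "insecureAcceptAnything"; }];
        };
      };
    };
  };
}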