2023-06-27 16:00:45 +00:00
|
|
|
|
# Edit this configuration file to define what should be installed on
|
|
|
|
|
|
# your system. Help is available in the configuration.nix(5) man page
|
|
|
|
|
|
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
|
|
|
|
|
{
|
|
|
|
|
|
config,
|
|
|
|
|
|
pkgs,
|
|
|
|
|
|
lib,
|
|
|
|
|
|
...
|
|
|
|
|
|
}: let
|
|
|
|
|
|
psCfg = config.pub-solar;
|
|
|
|
|
|
in {
|
|
|
|
|
|
imports = [
|
|
|
|
|
|
# Include the results of the hardware scan.
|
|
|
|
|
|
./hardware-configuration.nix
|
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
|
|
boot.loader.systemd-boot.enable = true;
|
|
|
|
|
|
boot.loader.efi.canTouchEfiVariables = true;
|
|
|
|
|
|
boot.kernelParams = [
|
|
|
|
|
|
"boot.shell_on_fail=1"
|
|
|
|
|
|
"ip=135.181.179.123::135.181.179.65:255.255.255.192:nougat-2.b12f.io::off"
|
|
|
|
|
|
];
|
|
|
|
|
|
networking.hostName = "nougat-2";
|
|
|
|
|
|
|
|
|
|
|
|
# The mdadm RAID1s were created with 'mdadm --create ... --homehost=hetzner',
|
|
|
|
|
|
# but the hostname for each machine may be different, and mdadm's HOMEHOST
|
|
|
|
|
|
# setting defaults to '<system>' (using the system hostname).
|
|
|
|
|
|
# This results mdadm considering such disks as "foreign" as opposed to
|
|
|
|
|
|
# "local", and showing them as e.g. '/dev/md/hetzner:root0'
|
|
|
|
|
|
# instead of '/dev/md/root0'.
|
|
|
|
|
|
# This is mdadm's protection against accidentally putting a RAID disk
|
|
|
|
|
|
# into the wrong machine and corrupting data by accidental sync, see
|
|
|
|
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=606481#c14 and onward.
|
|
|
|
|
|
# We do not worry about plugging disks into the wrong machine because
|
|
|
|
|
|
# we will never exchange disks between machines, so we tell mdadm to
|
|
|
|
|
|
# ignore the homehost entirely.
|
|
|
|
|
|
environment.etc."mdadm.conf".text = ''
|
|
|
|
|
|
HOMEHOST <ignore>
|
|
|
|
|
|
ARRAY /dev/md/SSD metadata=1.2 name=nixos:SSD UUID=f8189c09:cb247cc7:22b79b5f:df888705
|
|
|
|
|
|
ARRAY /dev/md/HDD metadata=1.2 name=nixos:HDD UUID=85ed8a8e:9ddc5f09:c6ef6110:c00728fa
|
|
|
|
|
|
'';
|
|
|
|
|
|
# The RAIDs are assembled in stage1, so we need to make the config
|
|
|
|
|
|
# available there.
|
|
|
|
|
|
boot.initrd.services.swraid.enable = true;
|
|
|
|
|
|
boot.initrd.services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text;
|
|
|
|
|
|
|
|
|
|
|
|
boot.initrd.network.enable = true;
|
|
|
|
|
|
boot.initrd.network.ssh = {
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
port = 22;
|
|
|
|
|
|
authorizedKeys =
|
|
|
|
|
|
if psCfg.user.publicKeys != null
|
|
|
|
|
|
then psCfg.user.publicKeys
|
|
|
|
|
|
else [];
|
|
|
|
|
|
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
# Network (Hetzner uses static IP assignments, and we don't use DHCP here)
|
|
|
|
|
|
networking.useDHCP = false;
|
|
|
|
|
|
networking.interfaces."enp0s31f6".ipv4.addresses = [
|
|
|
|
|
|
{
|
|
|
|
|
|
address = "135.181.179.123";
|
|
|
|
|
|
prefixLength = 26;
|
|
|
|
|
|
}
|
|
|
|
|
|
];
|
|
|
|
|
|
networking.defaultGateway = "135.181.179.65";
|
|
|
|
|
|
|
|
|
|
|
|
networking.interfaces."enp0s31f6".ipv6.addresses = [
|
|
|
|
|
|
#{
|
|
|
|
|
|
# address = "2a01:4f9:3a:2170::1";
|
|
|
|
|
|
# prefixLength = 64;
|
|
|
|
|
|
#}
|
|
|
|
|
|
];
|
|
|
|
|
|
networking.defaultGateway6 = {
|
|
|
|
|
|
address = "fe80::1";
|
|
|
|
|
|
interface = "enp0s31f6";
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2023-07-02 18:36:30 +00:00
|
|
|
|
networking.nameservers = ["1.1.1.1"];
|
2023-06-27 16:00:45 +00:00
|
|
|
|
|
|
|
|
|
|
# Initial empty root password for easy login:
|
|
|
|
|
|
users.users.root.initialHashedPassword = "";
|
|
|
|
|
|
users.users.root.openssh.authorizedKeys.keys =
|
|
|
|
|
|
if psCfg.user.publicKeys != null
|
|
|
|
|
|
then psCfg.user.publicKeys
|
|
|
|
|
|
else [];
|
|
|
|
|
|
|
2023-07-02 18:36:30 +00:00
|
|
|
|
users.users.hakkonaut = {
|
|
|
|
|
|
home = "/home/hakkonaut";
|
|
|
|
|
|
description = "CI and automation user";
|
|
|
|
|
|
useDefaultShell = true;
|
|
|
|
|
|
group = "hakkonaut";
|
|
|
|
|
|
isSystemUser = true;
|
|
|
|
|
|
openssh.authorizedKeys.keys = [
|
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
|
|
|
|
|
|
];
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
users.groups.hakkonaut = {};
|
|
|
|
|
|
ids.uids.hakkonaut = 998;
|
|
|
|
|
|
ids.gids.hakkonaut = 998;
|
|
|
|
|
|
|
2023-06-27 16:00:45 +00:00
|
|
|
|
services.openssh.enable = true;
|
|
|
|
|
|
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
|
|
|
|
|
|
2023-07-02 10:48:34 +00:00
|
|
|
|
pub-solar.core.disk-encryption-active = false;
|
|
|
|
|
|
pub-solar.core.lite = true;
|
|
|
|
|
|
|
|
|
|
|
|
virtualisation = {
|
|
|
|
|
|
docker = {
|
|
|
|
|
|
enable = true;
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
oci-containers = {
|
|
|
|
|
|
backend = "docker";
|
|
|
|
|
|
};
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
security.sudo.extraRules = [
|
|
|
|
|
|
{
|
|
|
|
|
|
users = ["${psCfg.user.name}"];
|
|
|
|
|
|
commands = [
|
|
|
|
|
|
{
|
|
|
|
|
|
command = "ALL";
|
|
|
|
|
|
options = ["NOPASSWD"];
|
|
|
|
|
|
}
|
|
|
|
|
|
];
|
|
|
|
|
|
}
|
|
|
|
|
|
];
|
|
|
|
|
|
|
2023-06-27 16:00:45 +00:00
|
|
|
|
# This value determines the NixOS release with which your system is to be
|
|
|
|
|
|
# compatible, in order to avoid breaking some software such as database
|
|
|
|
|
|
# servers. You should change this only after NixOS release notes say you
|
|
|
|
|
|
# should.
|
|
|
|
|
|
system.stateVersion = "23.05"; # Did you read the comment?
|
|
|
|
|
|
}
|
