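# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host "nougat-2": a Hetzner bare-metal machine with two mdadm RAID1
# arrays, static IPv4 addressing, and an SSH server inside the initrd so
# the box can be recovered remotely if stage 1 fails.

{ config, pkgs, lib, ... }:

let
  psCfg = config.pub-solar;

  # SSH public keys of the primary pub-solar user, or no keys at all when the
  # option is unset. Shared by root's stage-2 authorized_keys and by the
  # initrd SSH server so the two can never drift apart.
  userPublicKeys =
    if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  boot.kernelParams = [
    # Drop into a root shell in the initrd when stage 1 fails, so the machine
    # can be recovered over the initrd SSH server configured below rather
    # than through the provider's rescue system.
    "boot.shell_on_fail=1"
    # Static network setup for stage 1 (the initrd must bring the interface
    # up itself; NixOS networking is not active yet). Format:
    # client-ip::gateway:netmask:hostname:device:autoconf
    "ip=135.181.179.123::135.181.179.65:255.255.255.192:nougat-2.b12f.io::off"
  ];

  networking.hostName = "nougat-2";

  # The mdadm RAID1s were created with 'mdadm --create ... --homehost=hetzner',
  # but the hostname for each machine may be different, and mdadm's HOMEHOST
  # setting defaults to '' (using the system hostname).
  # This results in mdadm considering such disks as "foreign" as opposed to
  # "local", and showing them as e.g. '/dev/md/hetzner:root0'
  # instead of '/dev/md/root0'.
  # This is mdadm's protection against accidentally putting a RAID disk
  # into the wrong machine and corrupting data by accidental sync, see
  # https://bugzilla.redhat.com/show_bug.cgi?id=606481#c14 and onward.
  # We do not worry about plugging disks into the wrong machine because
  # we will never exchange disks between machines, so we tell mdadm to
  # ignore the homehost entirely ("HOMEHOST <ignore>").
  environment.etc."mdadm.conf".text = ''
    HOMEHOST <ignore>
    ARRAY /dev/md/SSD metadata=1.2 name=nixos:SSD UUID=f8189c09:cb247cc7:22b79b5f:df888705
    ARRAY /dev/md/HDD metadata=1.2 name=nixos:HDD UUID=85ed8a8e:9ddc5f09:c6ef6110:c00728fa
  '';

  # The RAIDs are assembled in stage1, so we need to make the config
  # available there.
  boot.initrd.services.swraid.enable = true;
  boot.initrd.services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text;

  # Remote access to the initrd (stage 1) for recovery.
  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    # NOTE(review): this is the same port as the stage-2 sshd, but the host
    # key below is a different key from the one the stage-2 sshd uses unless
    # services.openssh.hostKeys points at the same file. Clients will then see
    # a "host key changed" warning when the same host:port alternates between
    # the two keys, which trains people to ignore the very warning that
    # detects a MITM. Consider a dedicated port (e.g. 2222) for the initrd or
    # sharing the host key.
    port = 22;
    authorizedKeys = userPublicKeys;
    # The key is read from the (unencrypted, see disk-encryption-active
    # below) root filesystem and baked into the initrd on /boot, so anyone
    # with access to the disks can impersonate the initrd SSH server.
    hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
  };

  # Network (Hetzner uses static IP assignments, and we don't use DHCP here)
  networking.useDHCP = false;
  networking.interfaces."enp0s31f6".ipv4.addresses = [
    {
      address = "135.181.179.123";
      prefixLength = 26;
    }
  ];
  networking.defaultGateway = "135.181.179.65";
  # No global IPv6 address is configured yet; the commented block is the
  # assignment to enable once IPv6 is wanted.
  networking.interfaces."enp0s31f6".ipv6.addresses = [
    #{
    #  address = "2a01:4f9:3a:2170::1";
    #  prefixLength = 64;
    #}
  ];
  networking.defaultGateway6 = {
    address = "fe80::1";
    interface = "enp0s31f6";
  };
  networking.nameservers = [ "1.1.1.1" ];

  # Root: key-based SSH access only. The password is locked ("!") so that the
  # local/KVM console does not accept an empty root password; the previous
  # install-time `initialHashedPassword = ""` left root password-less.
  # `hashedPassword` (unlike `initialHashedPassword`) is applied on every
  # activation, so this also replaces an empty password already present on
  # an installed host. If interactive console login as root is genuinely
  # needed, set a real hash via `hashedPasswordFile` instead.
  users.users.root.hashedPassword = "!";
  users.users.root.openssh.authorizedKeys.keys = userPublicKeys;

  # Unprivileged user for CI jobs and automation. It is a system user
  # (no password, fixed uid/gid below) that is reachable only with the
  # pinned key, which was generated on host flora-6.
  users.users.hakkonaut = {
    home = "/home/hakkonaut";
    description = "CI and automation user";
    useDefaultShell = true;
    group = "hakkonaut";
    isSystemUser = true;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
    ];
  };
  users.groups.hakkonaut = { };
  # Stable numeric ids so files owned by the CI user keep their ownership
  # across rebuilds (users.users.<name>.uid falls back to ids.uids.<name>).
  ids.uids.hakkonaut = 998;
  ids.gids.hakkonaut = 998;

  services.openssh.enable = true;
  # Root may only authenticate with a key, never with a password.
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  # NOTE(review): every account in this file is key-based; if the pub-solar
  # user does not rely on password login either, also set
  # `services.openssh.settings.PasswordAuthentication = false;`.

  # No full-disk encryption on this host (see the initrd host key caveat).
  pub-solar.core.disk-encryption-active = false;
  pub-solar.core.lite = true;

  virtualisation = {
    docker = {
      enable = true;
    };
    oci-containers = {
      backend = "docker";
    };
  };

  # Passwordless sudo for the primary user: this makes that account
  # equivalent to root, so its SSH key must be protected accordingly.
  security.sudo.extraRules = [
    {
      users = [ psCfg.user.name ];
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "23.05"; # Did you read the comment?
}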