os/hosts/nougat-2/configuration.nix

137 lines
4.1 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
config,
pkgs,
lib,
...
}: let
psCfg = config.pub-solar;
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [
"boot.shell_on_fail=1"
"ip=135.181.179.123::135.181.179.65:255.255.255.192:nougat-2.b12f.io::off"
];
networking.hostName = "nougat-2";
# The mdadm RAID1s were created with 'mdadm --create ... --homehost=hetzner',
# but the hostname for each machine may be different, and mdadm's HOMEHOST
# setting defaults to '<system>' (using the system hostname).
# This results mdadm considering such disks as "foreign" as opposed to
# "local", and showing them as e.g. '/dev/md/hetzner:root0'
# instead of '/dev/md/root0'.
# This is mdadm's protection against accidentally putting a RAID disk
# into the wrong machine and corrupting data by accidental sync, see
# https://bugzilla.redhat.com/show_bug.cgi?id=606481#c14 and onward.
# We do not worry about plugging disks into the wrong machine because
# we will never exchange disks between machines, so we tell mdadm to
# ignore the homehost entirely.
environment.etc."mdadm.conf".text = ''
HOMEHOST <ignore>
ARRAY /dev/md/SSD metadata=1.2 name=nixos:SSD UUID=f8189c09:cb247cc7:22b79b5f:df888705
ARRAY /dev/md/HDD metadata=1.2 name=nixos:HDD UUID=85ed8a8e:9ddc5f09:c6ef6110:c00728fa
'';
# The RAIDs are assembled in stage1, so we need to make the config
# available there.
boot.initrd.services.swraid.enable = true;
boot.initrd.services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text;
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 22;
authorizedKeys =
if psCfg.user.publicKeys != null
then psCfg.user.publicKeys
else [];
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
};
# Network (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false;
networking.interfaces."enp0s31f6".ipv4.addresses = [
{
address = "135.181.179.123";
prefixLength = 26;
}
];
networking.defaultGateway = "135.181.179.65";
networking.interfaces."enp0s31f6".ipv6.addresses = [
{
address = "2a01:4f9:3a:2170::1";
prefixLength = 64;
}
];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp0s31f6";
};
networking.nameservers = ["1.1.1.1"];
# Initial empty root password for easy login:
users.users.root.initialHashedPassword = "";
users.users.root.openssh.authorizedKeys.keys =
if psCfg.user.publicKeys != null
then psCfg.user.publicKeys
else [];
users.users.hakkonaut = {
home = "/home/hakkonaut";
description = "CI and automation user";
useDefaultShell = true;
group = "hakkonaut";
isSystemUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
];
};
users.groups.hakkonaut = {};
ids.uids.hakkonaut = 998;
ids.gids.hakkonaut = 998;
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
pub-solar.core.disk-encryption-active = false;
pub-solar.core.lite = true;
virtualisation = {
docker = {
enable = true;
};
oci-containers = {
backend = "docker";
};
};
security.sudo.extraRules = [
{
users = ["${psCfg.user.name}"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "23.05"; # Did you read the comment?
}