
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
}: let
# Shorthand for this repo's own `pub-solar` option namespace; `psCfg.user.*`
# supplies the admin user's name and SSH public keys further down.
psCfg = config.pub-solar;
in {
imports = [
# Include the results of the hardware scan.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [
networking.hostName = "nougat-2";
# The mdadm RAID1s were created with 'mdadm --create ... --homehost=hetzner',
# but the hostname for each machine may be different, and mdadm's HOMEHOST
# setting defaults to '<system>' (using the system hostname).
# This results in mdadm considering such disks as "foreign" as opposed to
# "local", and showing them as e.g. '/dev/md/hetzner:root0'
# instead of '/dev/md/root0'.
# This is mdadm's protection against accidentally putting a RAID disk
# into the wrong machine and corrupting data by accidental sync, see
# https://bugzilla.redhat.com/show_bug.cgi?id=606481#c14 and onward.
# We do not worry about plugging disks into the wrong machine because
# we will never exchange disks between machines, so we tell mdadm to
# ignore the homehost entirely.
environment.etc."mdadm.conf".text = ''
HOMEHOST <ignore>
ARRAY /dev/md/SSD metadata=1.2 name=nixos:SSD UUID=f8189c09:cb247cc7:22b79b5f:df888705
ARRAY /dev/md/HDD metadata=1.2 name=nixos:HDD UUID=85ed8a8e:9ddc5f09:c6ef6110:c00728fa
# The RAIDs are assembled in stage1, so we need to make the config
# available there.
boot.initrd.services.swraid.enable = true;
boot.initrd.services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text;
# Stage-1 networking and SSH: this brings up an SSH listener before the
# main system is running. NOTE(review): disk encryption is switched off
# elsewhere in this file (pub-solar.core.disk-encryption-active = false),
# so there is no remote-unlock prompt to reach here — confirm the initrd
# listener is still wanted, since it is extra reachable surface at boot.
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
# Same port as the running system's sshd. The initrd answers with its own
# host key (see hostKeys), so a client sees two different keys at the same
# address:port depending on boot phase — presumably clients must pin both
# in known_hosts rather than get used to mismatch warnings; verify.
port = 22;
# Keys mirror the admin user's keys; the `[]` fallback leaves the initrd
# listener enabled but unreachable by anyone (fail-closed, but easy to
# miss when a boot appears to hang).
authorizedKeys =
if psCfg.user.publicKeys != null
then psCfg.user.publicKeys
else [];
# Initrd host key. It is copied into the initrd image, which is not
# encrypted, so treat it as separate from — and less protected than — the
# main system's host key. The file must exist on the build host.
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
# Network (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false;
networking.interfaces."enp0s31f6".ipv4.addresses = [
# The empty IPv4 address and gateway below look like values blanked out
# for publication; as written they would not give a usable IPv4 config.
address = "";
prefixLength = 26;
networking.defaultGateway = "";
networking.interfaces."enp0s31f6".ipv6.addresses = [
# Public IPv6 address of this host (a /64 from the provider; the IPv4
# counterpart above is left blank in this copy).
address = "2a01:4f9:3a:2170::1";
prefixLength = 64;
# Link-local next hop on the uplink interface (the Hetzner convention
# referenced above); the interface must be given explicitly for a
# link-local gateway address.
networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp0s31f6";
# Blank resolver entry — presumably another value redacted for publication;
# an empty string here is not a usable nameserver. Confirm against the
# deployed copy.
networking.nameservers = [""];
# Initial empty root password for easy login:
# NOTE(review): an empty hash means passwordless root login on every local
# path (provider KVM/serial console, rescue chroot). SSH is covered by the
# PermitRootLogin = "prohibit-password" setting further down, the console
# is not. Replace with a real hash once bootstrapping is done; as
# `initialHashedPassword` it presumably only takes effect when the account
# is first created, so changing it later may not help — verify.
users.users.root.initialHashedPassword = "";
# Root accepts the same keys as the admin user; with no keys configured
# root has no remote login at all (the `[]` fallback).
users.users.root.openssh.authorizedKeys.keys =
if psCfg.user.publicKeys != null
then psCfg.user.publicKeys
else [];
# CI/automation account. It is a system user but `useDefaultShell` gives
# it a real login shell (system users otherwise presumably get nologin),
# which it needs to accept SSH sessions. Authentication is by the single
# pinned key below; rotate it if the issuing host (flora-6, per the key
# comment) is rebuilt or compromised.
users.users.hakkonaut = {
home = "/home/hakkonaut";
description = "CI and automation user";
useDefaultShell = true;
group = "hakkonaut";
isSystemUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
users.groups.hakkonaut = {};
# Fixed uid/gid so file ownership stays stable across rebuilds and hosts.
ids.uids.hakkonaut = 998;
ids.gids.hakkonaut = 998;
services.openssh.enable = true;
# Root over SSH by key only, never by password. NOTE(review):
# PasswordAuthentication is not set in this block, so other accounts fall
# back to the NixOS module default for this release; since every account
# here is key-based, setting it to false explicitly would close that gap.
services.openssh.settings.PermitRootLogin = "prohibit-password";
# Repo-specific profile switches: no disk encryption on this host (so the
# initrd SSH listener above has nothing to unlock), and the "lite" profile.
pub-solar.core.disk-encryption-active = false;
pub-solar.core.lite = true;
# Docker daemon as the OCI container backend. Membership of the `docker`
# group (not declared here) is root-equivalent; keep it to accounts that
# already hold root via the sudo rule below.
virtualisation = {
docker = {
enable = true;
oci-containers = {
backend = "docker";
# Passwordless, unrestricted sudo for the configured admin user: holding
# that user's SSH private key is equivalent to root on this host. Since
# root's own SSH access is key-only, this rule is the effective privilege
# boundary — narrow `commands` if the key is used from less-trusted
# machines.
security.sudo.extraRules = [
users = ["${psCfg.user.name}"];
commands = [
command = "ALL";
options = ["NOPASSWD"];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
# It pins stateful defaults (on-disk formats, some option defaults) to the
# 23.05 release; it does not select the package set, so leaving it alone
# does not hold back updates.
system.stateVersion = "23.05"; # Did you read the comment?