nix-config/hosts/server7/default.nix


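# NixOS host configuration for server7.
#
# The host bridges its uplink onto br0, routes IPv6 for the yggaddr prefix,
# mounts a Ceph filesystem, runs Docker, Hydra (./hydra.nix), nix-serve
# (./nix-serve.nix) and borg backups (./borgbackup.nix), and signs every
# built store path so nix-serve can hand out verified paths.
{ config, pkgs, lib, ... }:
let
  # ./yggaddr.nix is expected to provide `prefix64`, used for the br0 IPv6
  # address below (see networking.interfaces.br0.ipv6.addresses).
  yggaddr = import ./yggaddr.nix;
in {
  imports = [
    # <nixpkgs/nixos/modules/profiles/minimal.nix>
    ../../lib
    ../../lib/default-gateway.nix
    ./borgbackup.nix
    ./containers
    ./hardware-configuration.nix
    ./hydra.nix
    ./nix-serve.nix
  ];

  security.acme = {
    # Fixed: the address previously carried a leading space (" mail@..."),
    # which is sent verbatim to the ACME CA as the account contact.
    email = "mail@c3d2.de";
    acceptTerms = true;
  };

  # Site-local options provided by ../../lib.
  c3d2 = {
    users = {
      emery = true;
      windsleep = true;
    };
    isInHq = true;
    mapHqHosts = true;
    hq = {
      interface = "br0";
      statistics.enable = true;
    };
  };

  # Ceph filesystem, mounted on demand via a systemd automount unit.
  fileSystems."/srv/ceph" = {
    device = "172.22.99.13:6789:/";
    fsType = "ceph";
    options = [
      "name=storage2"
      # NOTE(review): this literal ends up in /nix/store, which is
      # world-readable on the host and on every machine that receives the
      # closure (e.g. via nix-serve). mount.ceph supports
      # `secretfile=<path>`; pointing it at a root-only file deployed
      # outside the store keeps the key out of the closure. The key should
      # be rotated on the Ceph side once it is moved.
      "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
      "noatime,_netdev"
      "noauto"
      "x-systemd.automount"
      "x-systemd.device-timeout=175"
      "users"
    ];
  };

  boot.kernel.sysctl = {
    # Route IPv6.
    "net.ipv6.conf.all.forwarding" = 1;
    # Obtain a global IPv6 address despite being a router myself
    # (accept_ra=2 accepts RAs even with forwarding enabled).
    "net.ipv6.conf.eth0.accept_ra" = 2;
    # Do not pass bridged frames through the arptables/iptables/ip6tables
    # hooks: traffic switched across br0 (Docker/containers <-> uplink) is
    # therefore never inspected by host netfilter rules.
    "net.bridge.bridge-nf-call-arptables" = 0;
    "net.bridge.bridge-nf-call-iptables" = 0;
    "net.bridge.bridge-nf-call-ip6tables" = 0;
  };

  # Yggdrasil mesh node; keys live outside the store in /var/lib/yggdrasil.
  services.yggdrasil = {
    enable = true;
    configFile = "/var/lib/yggdrasil/keys";
    config.Peers = [
      "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
      "tcp://ygg.thingylabs.io:443" # Nürnberg
      "tcp://176.223.130.120:22632" # Wrocław
      "tcp://[2a05:9403::8b]:7743" # Praha
    ];
  };

  # Members of `wheel` get root via sudo without re-authenticating, so an
  # SSH key of any wheel user is effectively a root credential on this host.
  security.sudo.wheelNeedsPassword = false;

  # Key-only SSH; mosh rides on top of it.
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    # DO NOT CHANGE, KINDERGARTEN IS OVER
  };
  programs.mosh.enable = true;

  nix = {
    package = pkgs.nixFlakes;
    gc.automatic = true;
    optimise.automatic = true;
    extraOptions = ''
      experimental-features = nix-command flakes ca-references
      post-build-hook = ${
        # Sign every freshly built path with the nix-serve signing key so
        # clients that trust this cache can verify what they download.
        # /var/lib/nix-serve.key must stay readable by the nix daemon only;
        # it is intentionally not placed in the store.
        pkgs.writeScript "post-build-sign-paths" ''
          #!${pkgs.runtimeShell}
          nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
        ''
      }
    '';
  };

  virtualisation.docker.enable = true;

  networking = {
    # The host firewall is off entirely; `trustedInterfaces` below only has
    # an effect while `firewall.enable = true`, so it is currently inert.
    firewall.enable = false;
    firewall.trustedInterfaces = [ "br0" ];
    hostName = "server7";
    hostId = "454fe12c";
    useDHCP = false;
    # enp2s0f0 is the uplink; it is enslaved to br0 and br0 carries the
    # addresses. enp2s0f1 is left unconfigured.
    bridges.br0.interfaces = [ "enp2s0f0" ];
    interfaces = {
      br0 = {
        useDHCP = true;
        tempAddress = "disabled";
        ipv4.addresses = [{
          address = "172.22.99.245";
          prefixLength = 24;
        }];
        ipv6.addresses = [{
          address = yggaddr.prefix64 + "::1";
          prefixLength = 64;
        }];
      };
      enp2s0f1.useDHCP = false;
    };
  };

  environment.systemPackages = with pkgs; [
    tmux
    htop
    vim
    gitMinimal
    nixfmt
    zfsStable
  ];

  # Host metrics for the c3d2 statistics collector.
  services.collectd.extraConfig = ''
    LoadPlugin sensors
    LoadPlugin memory
    LoadPlugin irq
    LoadPlugin thermal
    LoadPlugin processes
    LoadPlugin disk
    LoadPlugin hddtemp
    LoadPlugin df
    LoadPlugin cpu
    LoadPlugin cpufreq
    LoadPlugin entropy
    LoadPlugin load
    LoadPlugin swap
    LoadPlugin cgroups
    LoadPlugin vmem
    LoadPlugin interface
  '';

  boot.tmpOnTmpfs = true;

  # Use the systemd-boot EFI boot loader.
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  time.timeZone = "Europe/Berlin";
  system.stateVersion = "19.09"; # Did you read the comment?

  # The hydra account accepts this key so the old Hydra can dispatch builds
  # to this host; remove it once that instance is decommissioned.
  users.extraUsers.hydra.openssh.authorizedKeys.keys = [
    # allow the old hydra to build here
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
  ];
}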