nix-config/hosts/glotzbert/default.nix

{ zentralwerk, secretsFile, config, pkgs, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  c3d2 = {
    isInHq = true;
    hq.interface = "eno1";
    hq.enableBinaryCache = false;
    users.k-ot = true;
    users.emery = true;
  };
  users.users.emery.cryptHomeLuks = "/home/emery.luks.img";

  nixpkgs.config.allowUnfree = true;
  nix = {
    useSandbox = true;
    buildCores = 4;
    maxJobs = 4;
  };

  sops.defaultSopsFile = secretsFile;
  sops.secrets = {
    "ceph/secret" = {};
  };
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;

  networking.hostName = "glotzbert"; # Define your hostname.
  networking.interfaces.eno1.useDHCP = true;

  # Select internationalisation properties.
  console = {
    font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
    keyMap = "de";
  };
  i18n.defaultLocale = "en_US.UTF-8";

  environment.systemPackages = with pkgs; [
    screen
    chromium
    firefox
    mpv
    kodi
    ceph
  ];

  systemd.user.services.x11vnc = {
    description = "X11 VNC server";
    wantedBy = [ "graphical-session.target" ];
    partOf = [ "graphical-session.target" ];
    serviceConfig = {
      ExecStart = ''
        ${pkgs.x11vnc}/bin/x11vnc -shared -forever -passwd k-ot
      '';
      RestartSec = 3;
      Restart = "always";
    };
  };

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

  # Or disable the firewall altogether.
  networking.firewall.enable = false;

  # Enable sound.
  sound.enable = true;
  hardware.pulseaudio = {
    enable = true;
    # Users must be in "audio" group
    systemWide = true;
    support32Bit = true;
    zeroconf.discovery.enable = true;
    zeroconf.publish.enable = true;
    tcp = {
      enable = true;
      anonymousClients.allowAll = true;
    };
    extraConfig = ''
      load-module module-tunnel-sink server=pulsebert.hq.c3d2.de
    '';
    extraClientConf = ''
      default-server = pulsebert.hq.c3d2.de
    '';
  };

  # Enable the X11 windowing system.
  services.xserver.enable = true;
  services.xserver.layout = "de";
  services.xserver.xkbOptions = "eurosign:e";

  services.xserver.displayManager = {
    lightdm = { enable = true; };
    autoLogin = {
      enable = true;
      user = "k-ot";
    };
    defaultSession = "gnome-xorg";
  };
  services.xserver.desktopManager = {
    gnome.enable = true;
    kodi.enable = true;
  };

  security.sudo = {
    enable = true;
    wheelNeedsPassword = false;
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.groups."k-ot" = { gid = 1000; };
  users.users."k-ot" = {
    isNormalUser = true;
    uid = 1000;
    group = "k-ot";
    extraGroups = [ "wheel" "networkmanager" "audio" "video" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJJTSJdpDh82486uPiMhhyhnci4tScp5uUe7156MBC8 astro"
    ];
  };

  services.ceph = {
    enable = true;
    global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630";
    client.enable = true;
  };
  fileSystems."/mnt/storage" =
    let
      monHosts = pkgs.lib.concatMapStringsSep "," (host:
        zentralwerk.lib.config.site.net.cluster.hosts4.${host}
      ) [ "server5" "server6" "server8" ];
    in {
      fsType = "ceph";
      device = "${monHosts}:/";
      options = [
        "_netdev"
        "name=c3d2"
        "secretfile=${config.sops.secrets."ceph/secret".path}"
        "noatime"
        "x-systemd.automount"
        "x-systemd.device-timeout=5"
      ];
    };

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "18.09"; # Did you read the comment?

}