{ config, pkgs, lib, ... }:
let yggaddr = import ../../lib/server7-yggaddr.nix;
in {
# Shared modules first (../../lib and its default-gateway helper), then this
# host's own pieces. ./containers is a directory, so its default.nix is loaded.
imports = [
../../lib
../../lib/default-gateway.nix
./borgbackup.nix
./containers
./hardware-configuration.nix
./hydra.nix
./nix-serve.nix
];
# Register binfmt handlers so aarch64-linux binaries (and builds for that
# system) can be run on this host through user-mode emulation.
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

# ACME account used for certificates issued to this host (presumably by the
# hydra / nix-serve vhosts imported above; the consumers are not visible here).
security.acme.acceptTerms = true;
security.acme.email = "mail@c3d2.de";
# Site-wide options defined by a module outside this file (the c3d2 module,
# presumably from ../../lib): which admin accounts exist on this box and how
# it is attached to the HQ network.
c3d2.users.emery = true;
c3d2.users.windsleep = true;
c3d2.isInHq = true;
c3d2.mapHqHosts = true;
c3d2.hq.interface = "br0";
c3d2.hq.statistics.enable = true;
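# CephFS mount as client "storage2", auto-mounted on first access.
#
# The cephx key used to be pasted in here as "secret=...". Everything in this
# file is copied into the world-readable /nix/store (and sits in git history),
# so the key is now read from a root-only file instead. The key that was
# committed here must be treated as compromised and rotated for
# client.storage2 on the cluster side.
fileSystems."/srv/ceph" = {
  #device = "172.22.99.13:6789:/";
  device = "172.20.72.53:6789:/";
  fsType = "ceph";
  options = [
    "name=storage2"
    # Provision this file out of band (owner root, mode 0400); it holds only
    # the base64 key. "secretfile=" is resolved by the mount.ceph helper.
    "secretfile=/etc/ceph/storage2.secret"
    "noatime"
    "_netdev"
    # Mount lazily via a systemd automount unit; give the network/monitors
    # up to 175 s to show up before giving up on the device.
    "noauto"
    "x-systemd.automount"
    "x-systemd.device-timeout=175"
    # NOTE(review): "users" lets any local account mount/unmount this share
    # (per mount(8) it also implies nosuid,nodev,noexec). If only the
    # automount is meant to trigger it, this option can go.
    "users"
  ];
};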
# Data directory of OSD 7 lives in RAM. Presumably bluestore-on-LVM: the
# directory then only holds the few files/symlinks that
# "ceph-volume lvm activate" (run in the ExecStartPre below) writes, while the
# actual data sits on the LVM volume -- TODO confirm against the OSD layout.
fileSystems."/var/lib/ceph/osd/ceph-7" = { fsType = "tmpfs"; };
# Route IPv6
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
# Obtain global IPv6 despite being a router myself
# (with forwarding enabled the kernel ignores router advertisements unless
# accept_ra is set to 2 on the interface)
boot.kernel.sysctl."net.ipv6.conf.br0.accept_ra" = 2;
# Yggdrasil overlay network node.
#
# The node's key material is kept outside the store in /var/lib/yggdrasil/keys
# (it is the node's identity -- keep that file root-only). The declarative
# settings below are, as far as the NixOS module goes, merged on top of that
# file -- TODO confirm. Everything under NodeInfo is published to the network.
services.yggdrasil = {
  enable = true;
  configFile = "/var/lib/yggdrasil/keys";

  config.NodeInfo = {
    name = "server7.y.c3d2.de";
    location = "Dresden";
    admin =
      "toxid:DF0AC9107E0A30E7201C6832B017AC836FBD1EDAC390EE99B68625D73C3FD929FB47F1872CA4";
  };

  # Public peers this node connects out to, grouped by country. These are
  # third-party hosts; order is kept as configured.
  config.Peers = [
    # Germany
    "tcp://45.11.19.26:5001"
    "tcp://82.165.69.111:61216"
    "tcp://[2001:8d8:1800:8224::1]:61216"
    # Czechia
    "tcp://195.123.245.146:7743"
    "tcp://37.205.14.171:46370"
    "tcp://[2a03:3b40:fe:ab::1]:46370"
    "tcp://[2a05:9403::8b]:7743"
    # Poland
    "tcp://176.223.130.120:22632"
    "tcp://51.75.44.73:50001"
    "tcp://54.37.137.221:37145"
    "tcp://[2001:41d0:601:1100::cf2]:37145"
    "tcp://n2o.ddns.net:22632"
    "tls://54.37.137.221:14987"
    "tls://[2001:41d0:601:1100::cf2]:14987"
  ];
};
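# Members of "wheel" become root without a password. Since password logins
# over SSH are disabled below, possession of any wheel member's SSH private
# key is therefore equivalent to root on this host -- hand keys out
# accordingly.
security.sudo.wheelNeedsPassword = false;

services.openssh = {
  enable = true;
  passwordAuthentication = false;
  # DO NOT CHANGE, KINDERGARTEN IS OVER
  # passwordAuthentication only switches off sshd's "password" method; with
  # PAM in use the keyboard-interactive method may still prompt for and
  # accept a password, so switch that off too. Key-based logins are not
  # affected.
  challengeResponseAuthentication = false;
};

# mosh (presumably opens UDP 60000-61000 in the NixOS firewall; moot here,
# as the firewall is disabled further down).
programs.mosh.enable = true;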
# Nix daemon setup: flakes-capable nix, automatic GC and store optimisation,
# and a post-build hook that signs every locally built output with the key
# in /var/lib/nix-serve.key, presumably so the paths verify when served by
# ./nix-serve.nix.
#
# That key is the trust anchor for everyone consuming this cache: keep it
# owned by root with mode 0400. NOTE(review): the hook signs *all* local
# builds, not only hydra's -- confirm that every build on this host is meant
# to be vouched for.
nix = {
package = pkgs.nixFlakes;
gc.automatic = true;
optimise.automatic = true;
extraOptions = ''
experimental-features = nix-command flakes ca-references
post-build-hook = ${
pkgs.writeScript "post-build-sign-paths" ''
#!${pkgs.runtimeShell}
nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
''
}
'';
};
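# Overlay: widen the nix package's meta.platforms to every Linux system
# (presumably so nix counts as available for the emulated aarch64-linux
# system enabled above; the reason is not recorded here).
#
# Writing `prev.nix // { meta.platforms = …; }` would replace the *whole*
# meta attribute set (license, description, …) with just { platforms },
# because `//` is a shallow right-biased union. Update meta itself instead.
nixpkgs.overlays = [
  (final: prev: {
    nix = prev.nix // {
      meta = prev.nix.meta // { platforms = lib.platforms.linux; };
    };
  })
];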
virtualisation.docker.enable = true;

# Ceph OSD 7 from the upstream image (nautilus, pinned to tag v14.2.9 but not
# to a digest -- the registry is trusted to keep that tag stable).
#
# The container runs fully privileged with the host's network and IPC
# namespaces and all of /dev bind-mounted: it is root on this host, not an
# isolated workload. Docker is a packaging convenience here, not a security
# boundary; treat image updates accordingly.
# "-d" presumably keeps ceph-osd in the foreground so its log reaches
# journald via the log driver.
docker-containers.ceph-osd-7 = {
cmd = [ "ceph-osd" "-i" "7" "--setuser" "ceph" "--setgroup" "ceph" "-d" ];
environment = { OSD_DEVICE = "/dev/sdb"; };
image = "ceph/ceph:v14.2.9";
log-driver = "journald";
extraDockerOptions =
[ "--rm" "--net=host" "--ipc=host" "--privileged=true" ];
volumes =
[ "/dev:/dev" "/etc/ceph:/etc/ceph" "/var/lib/ceph/:/var/lib/ceph" ];
};
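# Activate the LVM-backed OSD (this populates the tmpfs mounted at
# /var/lib/ceph/osd/ceph-7) before the OSD container starts. It runs with
# the same host-level privileges as the OSD itself.
systemd.services.docker-ceph-osd-7.serviceConfig = {
  ExecStartPre = [
    # No "-it" here: under systemd stdin is not a terminal, and
    # "docker run -it" without one refuses to start ("the input device is
    # not a TTY") -- and the leading "-" (ignore failure) would then hide
    # that the activation never ran.
    "-${pkgs.docker}/bin/docker run --rm --net=host --ipc=host --privileged=true -v /dev:/dev -v /etc/ceph:/etc/ceph -v /var/lib/ceph/:/var/lib/ceph -e OSD_DEVICE=/dev/sdb ceph/ceph:v14.2.9 ceph-volume lvm activate --all"
  ];
};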
networking = {
  hostName = "server7";
  hostId = "454fe12c";

  # No host firewall at all. trustedInterfaces has no effect while
  # firewall.enable is false; it is kept so the intent survives if the
  # firewall is ever switched back on. Until then every listening service on
  # this box (e.g. hydra, nix-serve, the ceph OSD, yggdrasil, mosh) is
  # reachable on every interface.
  firewall = {
    enable = false;
    trustedInterfaces = [ "br0" ];
  };

  # Global DHCP off; br0 (bridging the first NIC) is the only interface that
  # gets DHCP, the second NIC stays unconfigured.
  useDHCP = false;
  bridges.br0.interfaces = [ "enp2s0f0" ];
  interfaces.enp2s0f1.useDHCP = false;
  interfaces.br0 = {
    useDHCP = true;
    # no IPv6 privacy extensions: a server wants a stable address
    tempAddress = "disabled";
    ipv4.addresses = [{
      address = "172.22.99.245";
      prefixLength = 24;
    }];
    # ::1 inside this host's yggdrasil-derived /64 (see ../../lib/server7-yggaddr.nix)
    ipv6.addresses = [{
      address = yggaddr.prefix64 + "::1";
      prefixLength = 64;
    }];
  };
};
# Do not pass bridged frames through arptables/iptables/ip6tables: traffic
# switched between br0's ports (presumably including the containers attached
# to it) is never filtered on this host. Consistent with the firewall being
# disabled above -- revisit both together if the firewall is ever enabled.
boot.kernel.sysctl."net.bridge.bridge-nf-call-arptables" = 0;
boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;
# Interactive tooling for whoever logs in.
environment.systemPackages = [
  pkgs.tmux
  pkgs.htop
  pkgs.vim
  pkgs.gitMinimal
  pkgs.nixfmt
  pkgs.zfsStable
];
# Plugins for collectd. The service itself is enabled elsewhere (presumably
# via c3d2.hq.statistics.enable above); this only extends its configuration.
services.collectd.extraConfig = ''
LoadPlugin memory
LoadPlugin processes
LoadPlugin disk
LoadPlugin df
LoadPlugin cpu
LoadPlugin entropy
LoadPlugin load
LoadPlugin swap
LoadPlugin cgroups
LoadPlugin vmem
LoadPlugin interface
'';
# /tmp in RAM (NOTE(review): with hydra building here, anything a build
# writes under /tmp competes with memory -- confirm this is wanted).
boot.tmpOnTmpfs = true;

# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;

time.timeZone = "Europe/Berlin";

# Did you read the comment? -- stateVersion pins stateful defaults to the
# release this host was installed with; it is not an "upgrade me" knob.
system.stateVersion = "19.09";
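# allow the old hydra to build here
#
# This lets root@hydra log in as the local "hydra" user over SSH. The key is
# unrestricted: whoever holds that private key gets an interactive shell as
# "hydra" on this host (plus whatever ./hydra.nix grants that account).
# Consider prefixing it with `restrict,command="..."` once the old hydra's
# remaining use is known, and drop it when that machine is retired.
#
# users.extraUsers is only a deprecated alias for users.users.
users.users.hydra.openssh.authorizedKeys.keys = [
  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
];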
# Kept but switched off: a non-authoritative DHCP server for br0, ready to be
# re-enabled. Non-authoritative means it will not NAK leases it does not know.
services.dhcpd4.enable = false;
services.dhcpd4.interfaces = [ "br0" ];
services.dhcpd4.extraConfig = "not authoritative;";
}