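# NixOS host configuration for "server7" (in-HQ storage/build host).
# Fix in this revision: the ACME contact e-mail carried a leading space
# (" mail@c3d2.de"), which would have been handed to the ACME client verbatim.
# Review notes (NOTE(review)) mark settings a security reviewer should be aware of;
# they do not change behaviour.
{ config, pkgs, lib, ... }:

let
  # Shared IPv6 prefix definitions (prefix64 is used for the br0 address below).
  yggaddr = import ./yggaddr.nix;
in {
  imports = [
    # ../../lib
    ../../lib/default-gateway.nix
    ./borgbackup.nix
    ./containers
    ./hardware-configuration.nix
    ./hydra.nix
    ./nix-serve.nix
  ];

  security.acme = {
    # Was " mail@c3d2.de" (leading space); the ACME account contact must be the
    # bare address.
    email = "mail@c3d2.de";
    acceptTerms = true;
  };

  c3d2 = {
    users = {
      emery = true;
      windsleep = true;
    };
    isInHq = true;
    mapHqHosts = true;
    hq = {
      interface = "br0";
      statistics.enable = true;
    };
  };

  fileSystems."/srv/ceph" = {
    device = "172.22.99.13:6789:/";
    fsType = "ceph";
    # NOTE(review): the CephX key is embedded in this configuration, so it is
    # copied into the world-readable Nix store and into the generated fstab.
    # mount.ceph also accepts `secretfile=<path>` pointing at a root-only file
    # outside the store; moving the key there (and rotating it) would avoid the
    # exposure. Left unchanged here because it requires provisioning that file
    # on the host first.
    options = [
      "name=storage2"
      "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
      "noatime,_netdev"
      "noauto"
      "x-systemd.automount"
      "x-systemd.device-timeout=175"
      "users"
    ];
  };

  # Route IPv6
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  # Obtain global IPv6 despite being a router myself
  boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2;

  services.yggdrasil = {
    enable = true;
    # Node keys live outside the Nix store.
    configFile = "/var/lib/yggdrasil/keys";
    config.Peers = [
      "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
      "tcp://ygg.thingylabs.io:443" # Nürnberg
      "tcp://176.223.130.120:22632" # Wrocław
      "tcp://[2a05:9403::8b]:7743" # Praha
    ];
  };

  # NOTE(review): members of wheel get passwordless sudo; the security of this
  # host therefore rests entirely on SSH key authentication (below) and on who
  # is placed in wheel.
  security.sudo.wheelNeedsPassword = false;

  services.openssh = {
    enable = true;
    passwordAuthentication = false; # DO NOT CHANGE, KINDERGARTEN IS OVER
  };
  programs.mosh.enable = true;

  nix = {
    package = pkgs.nixFlakes;
    gc.automatic = true;
    optimise.automatic = true;
    # Every locally built path is signed so nix-serve clients can verify it.
    # The signing key is read from /var/lib/nix-serve.key at build time and is
    # not part of the store.
    extraOptions = ''
      experimental-features = nix-command flakes ca-references
      post-build-hook = ${
        pkgs.writeScript "post-build-sign-paths" ''
          #!${pkgs.runtimeShell}
          nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
        ''
      }
    '';
  };

  nixpkgs.overlays = [
    (self: super: {
      nix = super.nix // { meta.platforms = lib.platforms.linux; };
    })
  ];

  virtualisation.docker.enable = true;

  networking = {
    # NOTE(review): the host firewall is disabled entirely. trustedInterfaces
    # has no effect while firewall.enable is false; every listening service on
    # this host is reachable from any attached network.
    firewall.enable = false;
    firewall.trustedInterfaces = [ "br0" ];
    hostName = "server7";
    hostId = "454fe12c";
    useDHCP = false;
    bridges.br0.interfaces = [ "enp2s0f0" ];
    interfaces = {
      br0 = {
        useDHCP = true;
        tempAddress = "disabled";
        ipv4.addresses = [{
          address = "172.22.99.245";
          prefixLength = 24;
        }];
        ipv6.addresses = [{
          address = yggaddr.prefix64 + "::1";
          prefixLength = 64;
        }];
      };
      enp2s0f1.useDHCP = false;
    };
  };

  # Do not pass bridged traffic through the host's netfilter tables.
  boot.kernel.sysctl."net.bridge.bridge-nf-call-arptables" = 0;
  boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
  boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;

  environment.systemPackages = with pkgs; [
    tmux
    htop
    vim
    gitMinimal
    nixfmt
    zfsStable
  ];

  services.collectd.extraConfig = ''
    LoadPlugin memory
    LoadPlugin processes
    LoadPlugin disk
    LoadPlugin df
    LoadPlugin cpu
    LoadPlugin entropy
    LoadPlugin load
    LoadPlugin swap
    LoadPlugin cgroups
    LoadPlugin vmem
    LoadPlugin interface
  '';

  boot.tmpOnTmpfs = true;

  # Use the systemd-boot EFI boot loader.
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  time.timeZone = "Europe/Berlin";

  system.stateVersion = "19.09"; # Did you read the comment?

  users.extraUsers.hydra.openssh.authorizedKeys.keys = [
    # allow the old hydra to build here
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
  ];
}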