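{ config, pkgs, lib, ... }:

# NixOS host configuration for "server7": Hydra build slave, nix-serve
# binary cache, Ceph client, Yggdrasil router and Docker host inside the HQ
# network. Everything in this file is copied into the world-readable Nix
# store (and committed to git), so it must never carry secret material.
let
  yggaddr = import ./yggaddr.nix;
in
{
  imports = [
    # ../../lib
    ../../lib/default-gateway.nix
    ./borgbackup.nix
    ./containers
    ./hardware-configuration.nix
    ./hydra.nix
    ./nix-serve.nix
  ];

  security.acme = {
    # Was " mail@c3d2.de" with a leading space, which is not a valid contact
    # address and may be rejected by the CA at account registration.
    email = "mail@c3d2.de";
    acceptTerms = true;
  };

  c3d2 = {
    users = {
      emery = true;
      windsleep = true;
    };
    isInHq = true;
    mapHqHosts = true;
    hq = {
      interface = "br0";
      statistics.enable = true;
    };
  };

  fileSystems."/srv/ceph" = {
    device = "172.22.99.13:6789:/";
    fsType = "ceph";
    options = [
      "name=storage2"
      # The cephx key must NOT be given as an inline "secret=..." option:
      # fileSystems options are rendered into /etc/fstab and the Nix store
      # (both world-readable) and the value ends up in git history.
      # Provision the key out of band at this path (root:root, mode 0600);
      # mount.ceph reads it through "secretfile=". The key that used to be
      # inlined here has already been exposed and should be rotated in Ceph.
      "secretfile=/etc/ceph/storage2.secret"
      "noatime,_netdev"
      "noauto"
      "x-systemd.automount"
      "x-systemd.device-timeout=175"
      "users"
    ];
  };

  # Route IPv6.
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  # Obtain a global IPv6 address despite being a router myself (accept_ra=2
  # honours RAs even with forwarding enabled).
  # NOTE(review): this targets "eth0", but the only interfaces configured in
  # this file are br0 / enp2s0f0 / enp2s0f1 — confirm it should not be br0.
  boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2;

  services.yggdrasil = {
    enable = true;
    # Node keys live outside the Nix store.
    configFile = "/var/lib/yggdrasil/keys";
    config.Peers = [
      "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
      "tcp://ygg.thingylabs.io:443" # Nürnberg
      "tcp://176.223.130.120:22632" # Wrocław
      "tcp://[2a05:9403::8b]:7743" # Praha
    ];
  };

  # Members of wheel become root without a password. This only holds up
  # because SSH is key-only (below): any wheel login is effectively root.
  security.sudo.wheelNeedsPassword = false;

  services.openssh = {
    enable = true;
    # Key-based authentication only. DO NOT CHANGE, KINDERGARTEN IS OVER.
    passwordAuthentication = false;
  };
  # mosh listens on an additional UDP port range; it is reachable only
  # because the host firewall is disabled (see networking below).
  programs.mosh.enable = true;

  nix = {
    package = pkgs.nixFlakes;
    gc.automatic = true;
    optimise.automatic = true;
    extraOptions = ''
      experimental-features = nix-command flakes ca-references
      post-build-hook = ${pkgs.writeScript "post-build-sign-paths" ''
        #!${pkgs.runtimeShell}
        nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
      ''}
    '';
    # The post-build hook signs every locally built path with the nix-serve
    # signing key (kept outside the store) so the cache served by
    # nix-serve.nix only ever hands out signed paths. $OUT_PATHS is a
    # space-separated list and is deliberately left unquoted.
    # NOTE(review): "ca-references" and `nix sign-paths` belong to the old
    # experimental CLI; revisit both before upgrading the Nix package.
  };

  nixpkgs.overlays = [
    (self: super: {
      # Restrict the nix package to Linux. Merge into the existing meta set:
      # the previous `// { meta.platforms = ...; }` replaced `meta` wholesale
      # and silently dropped description, license, maintainers, etc.
      nix = super.nix // {
        meta = super.nix.meta // { platforms = lib.platforms.linux; };
      };
    })
  ];

  # Docker: members of the "docker" group are root-equivalent through the
  # daemon socket, and published container ports are reachable from the
  # network because the host firewall is off.
  virtualisation.docker.enable = true;

  networking = {
    # The host firewall is disabled entirely; every listening service
    # (Hydra, nix-serve, Docker, mosh, Yggdrasil, ...) is exposed on all
    # interfaces. `trustedInterfaces` has no effect while `enable` is false
    # and is kept only for the day the firewall is switched back on.
    firewall.enable = false;
    firewall.trustedInterfaces = [ "br0" ];
    hostName = "server7";
    hostId = "454fe12c";
    useDHCP = false;
    bridges.br0.interfaces = [ "enp2s0f0" ];
    interfaces = {
      br0 = {
        useDHCP = true;
        tempAddress = "disabled";
        ipv4.addresses = [{ address = "172.22.99.245"; prefixLength = 24; }];
        ipv6.addresses = [{ address = yggaddr.prefix64 + "::1"; prefixLength = 64; }];
      };
      enp2s0f1.useDHCP = false;
    };
  };

  # Do not pass bridged frames through netfilter: traffic switched across
  # br0 is never seen by arptables/iptables/ip6tables on this host.
  boot.kernel.sysctl."net.bridge.bridge-nf-call-arptables" = 0;
  boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
  boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;

  environment.systemPackages = with pkgs; [
    tmux
    htop
    vim
    gitMinimal
    nixfmt
    zfsStable
  ];

  services.collectd.extraConfig = ''
    LoadPlugin sensors
    LoadPlugin memory
    LoadPlugin irq
    LoadPlugin thermal
    LoadPlugin processes
    LoadPlugin disk
    LoadPlugin hddtemp
    LoadPlugin df
    LoadPlugin cpu
    LoadPlugin cpufreq
    LoadPlugin entropy
    LoadPlugin load
    LoadPlugin swap
    LoadPlugin cgroups
    LoadPlugin vmem
    LoadPlugin interface
  '';

  boot.tmpOnTmpfs = true;

  # Use the systemd-boot EFI boot loader.
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  time.timeZone = "Europe/Berlin";

  # Pin the release this host was installed with; do not bump it without
  # reading the stateVersion documentation first.
  system.stateVersion = "19.09";

  users.extraUsers.hydra.openssh.authorizedKeys.keys = [
    # Allow the old hydra (root@hydra) to build here. Whoever holds that
    # private key can run arbitrary builds as the `hydra` user on this box;
    # remove the entry once the old instance is retired.
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
  ];
}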