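{ config, pkgs, lib, ... }:

# NixOS host configuration for server7: HQ member, Ceph client, IPv6 and
# Yggdrasil router, Hydra / nix-serve build host, Docker host.

let yggaddr = import ../../lib/server7-yggaddr.nix;

in {
  imports = [
    # <nixpkgs/nixos/modules/profiles/minimal.nix>
    ../../lib
    ../../lib/default-gateway.nix
    ./borgbackup.nix
    ./containers
    ./hardware-configuration.nix
    ./hydra.nix
    ./nix-serve.nix
  ];

  security.acme = {
    # Contact address for the ACME account. The previous value carried a
    # leading space (" mail@c3d2.de"), which is not a valid mailbox and
    # would break account registration.
    email = "mail@c3d2.de";
    acceptTerms = true;
  };

  c3d2 = {
    users = {
      emery = true;
      windsleep = true;
    };
    isInHq = true;
    mapHqHosts = true;
    hq = {
      interface = "br0";
      statistics.enable = true;
    };
  };

  fileSystems."/srv/ceph" = {
    device = "172.22.99.13:6789:/";
    fsType = "ceph";
    options = [
      "name=storage2"
      # SECURITY(review): the CephX key is embedded in the configuration and
      # therefore lands in the world-readable Nix store (and in this repo).
      # mount.ceph accepts "secretfile=<path outside the store>"; move the
      # key there and rotate it once it is out of version control.
      "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
      "noatime,_netdev"
      # Not mounted at boot; the systemd automount unit mounts on first
      # access, giving the network 175 s to come up.
      "noauto"
      "x-systemd.automount"
      "x-systemd.device-timeout=175"
      # "users" lets any local user mount/unmount this entry.
      "users"
    ];
  };

  # Route IPv6
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  # Obtain global IPv6 despite being a router myself
  # NOTE(review): no "eth0" is declared under networking.interfaces below
  # (only br0, enp2s0f0, enp2s0f1) -- confirm this sysctl targets the
  # intended NIC, otherwise it is a no-op.
  boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2;

  services.yggdrasil = {
    enable = true;
    # Node keys are read from /var/lib at runtime rather than from the
    # store; only the peer list and NodeInfo below are public data.
    configFile = "/var/lib/yggdrasil/keys";
    config = {
      Peers = [
        "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
        "tcp://ygg.thingylabs.io:443" # Nürnberg
        "tcp://176.223.130.120:22632" # Wrocław
        "tcp://[2a05:9403::8b]:7743" # Praha
      ];
      NodeInfo = {
        location = "Dresden";
        name = "server7.y.c3d2.de";
        admin =
          "toxid:DF0AC9107E0A30E7201C6832B017AC836FBD1EDAC390EE99B68625D73C3FD929FB47F1872CA4";
      };
    };
  };

  # Members of wheel escalate without a password; the only gate to the box
  # is SSH public-key authentication (password logins are off below).
  security.sudo.wheelNeedsPassword = false;
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    # DO NOT CHANGE, KINDERGARTEN IS OVER
  };

  programs.mosh.enable = true;

  nix = {
    package = pkgs.nixFlakes;
    gc.automatic = true;
    optimise.automatic = true;
    # post-build-hook signs every locally built path with the nix-serve key
    # (kept outside the store) so substituters trusting that key can pull
    # from this host.
    extraOptions = ''
      experimental-features = nix-command flakes ca-references
      post-build-hook = ${
        pkgs.writeScript "post-build-sign-paths" ''
          #!${pkgs.runtimeShell}
          nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
        ''
      }
    '';
  };
  nixpkgs.overlays = [
    (self: super: {
      # Restrict the nix package's declared platforms to Linux.
      nix = super.nix // { meta.platforms = lib.platforms.linux; };
    })
  ];

  # Note: membership in the docker group is equivalent to root on the host.
  virtualisation.docker.enable = true;

  networking = {
    # The host firewall is disabled entirely. trustedInterfaces only takes
    # effect while firewall.enable is true, so br0 is listed here for the
    # day the firewall is turned back on.
    firewall.enable = false;
    firewall.trustedInterfaces = [ "br0" ];
    hostName = "server7";
    hostId = "454fe12c";
    useDHCP = false;
    bridges.br0.interfaces = [ "enp2s0f0" ];
    interfaces = {
      br0 = {
        useDHCP = true;
        tempAddress = "disabled";
        ipv4.addresses = [{
          address = "172.22.99.245";
          prefixLength = 24;
        }];
        ipv6.addresses = [{
          # Router address (::1) inside the /64 taken from lib/.
          address = yggaddr.prefix64 + "::1";
          prefixLength = 64;
        }];
      };
      enp2s0f1.useDHCP = false;
    };
  };

  # Bridged frames are not passed through the arptables/iptables/ip6tables
  # hooks, so forwarding over br0 is not filtered by netfilter.
  boot.kernel.sysctl."net.bridge.bridge-nf-call-arptables" = 0;
  boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
  boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;

  environment.systemPackages = with pkgs; [
    tmux
    htop
    vim
    gitMinimal
    nixfmt
    zfsStable
  ];

  services.collectd.extraConfig = ''
    LoadPlugin memory
    LoadPlugin processes
    LoadPlugin disk
    LoadPlugin df
    LoadPlugin cpu
    LoadPlugin entropy
    LoadPlugin load
    LoadPlugin swap
    LoadPlugin cgroups
    LoadPlugin vmem
    LoadPlugin interface
  '';

  boot.tmpOnTmpfs = true;

  # Use the systemd-boot EFI boot loader.
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  time.timeZone = "Europe/Berlin";

  system.stateVersion = "19.09"; # Did you read the comment?

  users.extraUsers.hydra.openssh.authorizedKeys.keys = [
    # allow the old hydra to build here
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
  ];
}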