infra/nix/os/devices/steveej-t14/system.nix

{
  pkgs,
  lib,
  config,
  nodeName,
  repoFlake,
  ...
}: let
  passwords = import ../../../variables/passwords.crypt.nix;

  localTcpPorts = [
    22

    # syncthing
    22000

    # iperf3
    5201
  ];

  localUdpPorts = [
    # syncthing
    22000
    21027
  ];

in {
  imports = [
    ../../snippets/nix-settings-holo-chain.nix
  ];

  nix.settings = {
    substituters = [
    ];
    trusted-public-keys = [
    ];
  };

  nix.distributedBuilds = true;
  nix.buildMachines = [
    {
      hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost;
      # TODO: make this a reference
      sshUser = "nix-remote-builder";
      protocol = "ssh-ng";
      system = "x86_64-linux";
      maxJobs = 24;
      speedFactor = 100;
      supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [];
    }
  ];

  networking.extraHosts = ''
  '';

  networking.bridges."virbr1".interfaces = [];
  networking.interfaces."virbr1".ipv4.addresses = [
    {
      address = "10.254.254.254";
      prefixLength = 24;
    }
  ];

  # needed to make wireguard managed by networkmanager route all traffic through it
  networking.firewall.checkReversePath = false;

  networking.firewall.enable = true;
  services.openssh.openFirewall = false;

  # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
  networking.firewall.interfaces."eth+".allowedTCPPorts = localTcpPorts;
  networking.firewall.interfaces."eth+".allowedUDPPorts = localUdpPorts;
  networking.firewall.interfaces."wlan+".allowedTCPPorts = localTcpPorts;
  networking.firewall.interfaces."wlan+".allowedUDPPorts = localUdpPorts;

  networking.firewall.logRefusedConnections = false;
  networking.usePredictableInterfaceNames = false;

  services.fwupd.enable = true;

  services.fprintd.enable = true;
  security.pam.services = {
    login.fprintAuth = true;
    sudo.fprintAuth = true;
  };

  # virtualization
  virtualisation = {
    libvirtd = {enable = true;};

    virtualbox.host = {
      enable = false;
      addNetworkInterface = false;
    };

    podman = {
      enable = true;
      dockerCompat = true;
      # defaultNetwork.dnsname.enable = true;
    };
  };

  services.samba.extraConfig = ''
    # client min protocol = NT1
  '';
  services.gvfs = {
    enable = true;
    package = lib.mkForce pkgs.gnome3.gvfs;
  };
  environment.systemPackages = with pkgs; [lxqt.lxqt-policykit]; # provides a default authentification client for policykit

  security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];

  services.xserver.videoDrivers = lib.mkForce ["amdgpu"];
  services.xserver.serverFlagsSection = ''
    Option "BlankTime" "0"
    Option "StandbyTime" "0"
    Option "SuspendTime" "0"
    Option "OffTime" "0"
  '';

  time.timeZone = lib.mkForce passwords.timeZone.stefan;

  hardware.ledger.enable = true;

  services.zerotierone = {
    enable = true;
    joinNetworks = [
      # moved to the service below as it's now secret
    ];
  };

  systemd.services.zerotieroneSecretNetworks = {
    enable = false;
    requiredBy = ["zerotierone.service"];
    partOf = ["zerotierone.service"];

    serviceConfig.Type = "oneshot";
    serviceConfig.RemainAfterExit = true;

    script = let
      secret = config.sops.secrets.zerotieroneNetworks;
    in ''
      # include the secret's hash to trigger a restart on change
      # ${builtins.hashString "sha256" (builtins.toJSON secret)}

      ${config.systemd.services.zerotierone.preStart}

      rm -rf /var/lib/zerotier-one/networks.d/*.conf
      for network in `grep -v '#' ${secret.path}`; do
        touch /var/lib/zerotier-one/networks.d/''${network}.conf
      done
    '';
  };

  sops.secrets.zerotieroneNetworks = {
    sopsFile = ../../../../secrets/zerotierone.txt;
    format = "binary";
  };

  boot.binfmt.emulatedSystems = [
    "aarch64-linux"
  ];
}
format and change 2023-02-07 18:23:51 +01:00			`{`
			`pkgs,`
			`lib,`
			`config,`
feat: flakify, gnome3 chore: nix fmt refactor: split out more home-manager programs feat: migrate shell as flake devShell feat: initial flake structure with colmena feat: migrate elias-e525 to colmena feat: migrate steveej-t14 with colmena feat: configure chromium extensions chore: remove all overlays and package overrides chore: delete some of _archive feat: migrate vmd102066 feat: migrate sj-vps-htz0 2023-04-15 12:21:22 +02:00			`nodeName,`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`repoFlake,`
format and change 2023-02-07 18:23:51 +01:00			`...`
			`}: let`
fix(nix): move location related values to encrypted file 2022-11-19 16:33:35 -06:00			`passwords = import ../../../variables/passwords.crypt.nix;`
workaround elctron issues, fix firewall for syncthing, set uphostkey0 as builder to steveej-t14 2023-12-17 23:25:24 +01:00
			`localTcpPorts = [`
			`22`

			`# syncthing`
			`22000`

			`# iperf3`
			`5201`
			`];`

			`localUdpPorts = [`
			`# syncthing`
			`22000`
			`21027`
			`];`

steveej-t14: init 2020-12-21 14:35:50 +01:00			`in {`
refactor nix settings 2023-12-01 21:00:17 +01:00			`imports = [`
			`../../snippets/nix-settings-holo-chain.nix`
			`];`

feat(nix): extend wayland with sway setup 2023-05-23 18:11:30 +02:00			`nix.settings = {`
			`substituters = [`
feat: flakify, gnome3 chore: nix fmt refactor: split out more home-manager programs feat: migrate shell as flake devShell feat: initial flake structure with colmena feat: migrate elias-e525 to colmena feat: migrate steveej-t14 with colmena feat: configure chromium extensions chore: remove all overlays and package overrides chore: delete some of _archive feat: migrate vmd102066 feat: migrate sj-vps-htz0 2023-04-15 12:21:22 +02:00			`];`
feat(nix): extend wayland with sway setup 2023-05-23 18:11:30 +02:00			`trusted-public-keys = [`
steveej-t14: use holochain-ci binary cache 2021-08-20 23:28:23 +02:00			`];`
			`};`
steveej-t14: init 2020-12-21 14:35:50 +01:00
workaround elctron issues, fix firewall for syncthing, set uphostkey0 as builder to steveej-t14 2023-12-17 23:25:24 +01:00			`nix.distributedBuilds = true;`
			`nix.buildMachines = [`
			`{`
			`hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost;`
			`# TODO: make this a reference`
			`sshUser = "nix-remote-builder";`
			`protocol = "ssh-ng";`
			`system = "x86_64-linux";`
			`maxJobs = 24;`
			`speedFactor = 100;`
			`supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [];`
			`}`
			`];`

feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`networking.extraHosts = ''`
			`'';`

format and change 2023-02-07 18:23:51 +01:00			`networking.bridges."virbr1".interfaces = [];`
			`networking.interfaces."virbr1".ipv4.addresses = [`
			`{`
			`address = "10.254.254.254";`
			`prefixLength = 24;`
			`}`
			`];`
steveej-t14: init 2020-12-21 14:35:50 +01:00
WIP: set up bpir3 2023-08-22 10:20:16 +02:00			`# needed to make wireguard managed by networkmanager route all traffic through it`
			`networking.firewall.checkReversePath = false;`

steveej-t14: init 2020-12-21 14:35:50 +01:00			`networking.firewall.enable = true;`
flakfiy some Justfile recipes and experiment with wayland based custom desktop 2023-05-21 11:58:57 +02:00			`services.openssh.openFirewall = false;`

			# TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
workaround elctron issues, fix firewall for syncthing, set uphostkey0 as builder to steveej-t14 2023-12-17 23:25:24 +01:00			`networking.firewall.interfaces."eth+".allowedTCPPorts = localTcpPorts;`
			`networking.firewall.interfaces."eth+".allowedUDPPorts = localUdpPorts;`
			`networking.firewall.interfaces."wlan+".allowedTCPPorts = localTcpPorts;`
			`networking.firewall.interfaces."wlan+".allowedUDPPorts = localUdpPorts;`
feat(steveej-t14): use holochain-ci-internal and expose port 80 on wifi 2023-10-01 11:10:55 +02:00
steveej-t14: init 2020-12-21 14:35:50 +01:00			`networking.firewall.logRefusedConnections = false;`
			`networking.usePredictableInterfaceNames = false;`

feat: flakify, gnome3 chore: nix fmt refactor: split out more home-manager programs feat: migrate shell as flake devShell feat: initial flake structure with colmena feat: migrate elias-e525 to colmena feat: migrate steveej-t14 with colmena feat: configure chromium extensions chore: remove all overlays and package overrides chore: delete some of _archive feat: migrate vmd102066 feat: migrate sj-vps-htz0 2023-04-15 12:21:22 +02:00			`services.fwupd.enable = true;`
steveej-t14: init 2020-12-21 14:35:50 +01:00
			`services.fprintd.enable = true;`
			`security.pam.services = {`
			`login.fprintAuth = true;`
			`sudo.fprintAuth = true;`
			`};`

			`# virtualization`
			`virtualisation = {`
format and change 2023-02-07 18:23:51 +01:00			`libvirtd = {enable = true;};`
steveej-t14: init 2020-12-21 14:35:50 +01:00
			`virtualbox.host = {`
chore: nixfmt * 2022-10-31 11:04:38 +01:00			`enable = false;`
steveej-t14: init 2020-12-21 14:35:50 +01:00			`addNetworkInterface = false;`
			`};`

feat: flakify, gnome3 chore: nix fmt refactor: split out more home-manager programs feat: migrate shell as flake devShell feat: initial flake structure with colmena feat: migrate elias-e525 to colmena feat: migrate steveej-t14 with colmena feat: configure chromium extensions chore: remove all overlays and package overrides chore: delete some of _archive feat: migrate vmd102066 feat: migrate sj-vps-htz0 2023-04-15 12:21:22 +02:00			`podman = {`
steveej-t14: init 2020-12-21 14:35:50 +01:00			`enable = true;`
feat: flakify, gnome3 chore: nix fmt refactor: split out more home-manager programs feat: migrate shell as flake devShell feat: initial flake structure with colmena feat: migrate elias-e525 to colmena feat: migrate steveej-t14 with colmena feat: configure chromium extensions chore: remove all overlays and package overrides chore: delete some of _archive feat: migrate vmd102066 feat: migrate sj-vps-htz0 2023-04-15 12:21:22 +02:00			`dockerCompat = true;`
flakfiy some Justfile recipes and experiment with wayland based custom desktop 2023-05-21 11:58:57 +02:00			`# defaultNetwork.dnsname.enable = true;`
steveej-t14: init 2020-12-21 14:35:50 +01:00			`};`
			`};`

steveej-t14: enable smb v1 and add holo.host nix cache 2022-01-10 17:49:31 +01:00			`services.samba.extraConfig = ''`
			`# client min protocol = NT1`
			`'';`
WIP: set up bpir3 2023-08-22 10:20:16 +02:00			`services.gvfs = {`
			`enable = true;`
			`package = lib.mkForce pkgs.gnome3.gvfs;`
			`};`
nix fmt 2023-11-23 17:52:21 +01:00			`environment.systemPackages = with pkgs; [lxqt.lxqt-policykit]; # provides a default authentification client for policykit`
steveej-t14: enable smb v1 and add holo.host nix cache 2022-01-10 17:49:31 +01:00
format and change 2023-02-07 18:23:51 +01:00			`security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];`
steveej-t14: init 2020-12-21 14:35:50 +01:00
format and change 2023-02-07 18:23:51 +01:00			`services.xserver.videoDrivers = lib.mkForce ["amdgpu"];`
steveej-t14: init 2020-12-21 14:35:50 +01:00			`services.xserver.serverFlagsSection = ''`
			`Option "BlankTime" "0"`
			`Option "StandbyTime" "0"`
			`Option "SuspendTime" "0"`
			`Option "OffTime" "0"`
			`'';`

fix(nix): move location related values to encrypted file 2022-11-19 16:33:35 -06:00			`time.timeZone = lib.mkForce passwords.timeZone.stefan;`

steveej-t14: init 2020-12-21 14:35:50 +01:00			`hardware.ledger.enable = true;`
flakfiy some Justfile recipes and experiment with wayland based custom desktop 2023-05-21 11:58:57 +02:00
			`services.zerotierone = {`
			`enable = true;`
			`joinNetworks = [`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`# moved to the service below as it's now secret`
flakfiy some Justfile recipes and experiment with wayland based custom desktop 2023-05-21 11:58:57 +02:00			`];`
			`};`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00
			`systemd.services.zerotieroneSecretNetworks = {`
steveej-t14: disable zerotierone for now 2023-12-28 14:01:44 +01:00			`enable = false;`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`requiredBy = ["zerotierone.service"];`
			`partOf = ["zerotierone.service"];`

			`serviceConfig.Type = "oneshot";`
			`serviceConfig.RemainAfterExit = true;`

			`script = let`
			`secret = config.sops.secrets.zerotieroneNetworks;`
			`in ''`
			`# include the secret's hash to trigger a restart on change`
			`# ${builtins.hashString "sha256" (builtins.toJSON secret)}`

			`${config.systemd.services.zerotierone.preStart}`

			`rm -rf /var/lib/zerotier-one/networks.d/*.conf`
			for network in `grep -v '#' ${secret.path}`; do
			`touch /var/lib/zerotier-one/networks.d/''${network}.conf`
			`done`
			`'';`
			`};`

			`sops.secrets.zerotieroneNetworks = {`
			`sopsFile = ../../../../secrets/zerotierone.txt;`
			`format = "binary";`
			`};`
feat(router0-dmz0): init bpir3 based router 2023-08-10 21:45:49 +02:00
			`boot.binfmt.emulatedSystems = [`
			`"aarch64-linux"`
			`];`
steveej-t14: init 2020-12-21 14:35:50 +01:00			`}`