infra/nix/os/devices/sj-bm-hostkey0/configuration.nix

{
  modulesPath,
  repoFlake,
  packages',
  pkgs,
  lib,
  config,
  nodeFlake,
  nodeName,
  system,
  ...
}: let
  pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;};
  pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};
in {
  disabledModules = [
  ];

  imports = [
    nodeFlake.inputs.disko.nixosModules.disko
    repoFlake.inputs.sops-nix.nixosModules.sops

    nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder
    {
      roles.nix-remote-builder.schedulerPublicKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s"

        # TODO: make this a reference to the private key's secret
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14"
      ];
    }

    ../../profiles/common/user.nix
    ../../snippets/nix-settings.nix
    ../../snippets/nix-settings-holo-chain.nix
    {
      nix.settings.sandbox = lib.mkForce "relaxed";
    }

    ../../snippets/holo-zerotier.nix

    # TODO
    # ./network.nix
    # ./monitoring.nix

    # user config
    ../../snippets/home-manager-with-zsh.nix
    {
      users.commonUsers = {
        enable = true;
        enableNonRoot = true;
      };

      home-manager.users.steveej = {pkgs, ...}: {
        imports = [
          ../../../home-manager/programs/pass.nix
        ];

        home.packages = [
          pkgs.nil
          pkgs.rnix-lsp
          pkgs.nixd
          pkgs.nixpkgs-fmt
          pkgs.alejandra
          pkgs.nixfmt

          repoFlake.packages.${system}.rperf

          # TODO: automate linking this
          # 1. get the commit with: `codium --version`
          # 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/`
          # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/

          /*
          e.g.:
          ```
          (
            set -e
            export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
            ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
          )
          ```
          */
          (pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
            src = repoFlake.inputs.openvscode-server;
            version = "1.88.1";
            yarnCache = attrs.yarnCache.overrideAttrs (_: {outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Ts=";});
          }))
        ];
      };

      programs.zsh.enable = true;
      users.defaultUserShell = pkgs.zsh;
      environment.pathsToLink = ["/share/zsh"];
    }

    ../../snippets/mycelium.nix
  ];

  services.openssh.enable = true;
  services.openssh.settings.PermitRootLogin = "yes";
  services.openssh.extraConfig = ''
    StreamLocalBindUnlink yes
  '';

  boot = {
    kernel = {
      sysctl = {
        "net.ipv4.conf.all.forwarding" = true;
        "net.ipv6.conf.all.forwarding" = true;
      };
    };
  };

  networking = {
    hostName = nodeName;
    useNetworkd = true;
    useDHCP = true;

    # No local firewall.
    nat.enable = true;
    firewall.enable = false;

    firewall.allowedTCPPorts = [
      5201
    ];
    firewall.allowedUDPPorts = [
      5201
    ];
  };

  disko.devices = let
    disk = id: {
      type = "disk";
      device = "/dev/${id}";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            size = "1M";
            type = "EF02"; # for grub MBR
          };
          mdadm = {
            size = "100%";
            content = {
              type = "mdraid";
              name = "raid0";
            };
          };
        };
      };
    };
  in {
    disk = {
      sda = disk "sda";
      sdb = disk "sdb";
    };
    mdadm = {
      raid0 = {
        type = "mdadm";
        level = 0;
        content = {
          type = "gpt";
          partitions = {
            primary = {
              size = "100%";
              content = {
                type = "filesystem";
                format = "btrfs";
                mountpoint = "/";
              };
            };
          };
        };
      };
    };
  };

  system.stateVersion = "23.11";

  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.initrd.includeDefaultModules = true;
  boot.initrd.kernelModules = [
    "dm-raid"
    "dm-integrity"
    "xhci_pci_renesas"
  ];

  hardware.enableRedistributableFirmware = true;

  environment.systemPackages = [
    pkgs.hdparm
    pkgs.fuse
  ];

  programs.fuse.userAllowOther = true;

  services.caddy.enable = true;
  services.caddy.email = "mail@stefanjunker.de";
  services.caddy.globalConfig = ''
    auto_https disable_redirects
  '';
  services.caddy.virtualHosts = let
    holochainDomain = "dev.infra.holochain.org";
  in {
    "${nodeName}.${holochainDomain}" = {
      extraConfig = ''
        handle_path /s3/* {
          reverse_proxy http://127.0.0.1:9000
        }
      '';
    };
  };

  # home-manager.users.steveej = _: {
  #   imports = [
  #     ../../../home-manager/configuration/text-minimal.nix
  #   ];

  #   home.sessionVariables = {
  #   };

  #   home.packages = with pkgs; [
  #   ];
  # };

  virtualisation.libvirtd.enable = true;
  virtualisation.docker.enable = true;

  virtualisation.podman.enable = true;
  virtualisation.podman.autoPrune.enable = true;
  # virtualisation.podman.dockerSocket.enable = true;

  boot.binfmt.emulatedSystems = [
    "aarch64-linux"
  ];

  steveej.holo-zerotier = {
    enable = true;
    autostart = false;
  };
}
nix fmt 2024-02-08 20:53:22 +01:00			`{`
			`modulesPath,`
			`repoFlake,`
			`packages',`
			`pkgs,`
			`lib,`
			`config,`
			`nodeFlake,`
			`nodeName,`
			`system,`
			`...`
feat(vscodium remote): attempt to match versions on client and server environments 2024-03-07 21:58:24 +01:00			`}: let`
feat: update flakes, attempt to repair espanso 2024-05-02 09:48:15 +02:00			`pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;};`
feat(vscodium remote): attempt to match versions on client and server environments 2024-03-07 21:58:24 +01:00			`pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};`
			`in {`
update README 2023-11-23 16:03:07 +01:00			`disabledModules = [`
			`];`

			`imports = [`
			`nodeFlake.inputs.disko.nixosModules.disko`
			`repoFlake.inputs.sops-nix.nixosModules.sops`

feat(steveej-x13s,sj-bm-hostkey0): configure buildmachine 2024-05-02 09:45:30 +02:00			`nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder`
			`{`
			`roles.nix-remote-builder.schedulerPublicKeys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s"`

			`# TODO: make this a reference to the private key's secret`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14"`
			`];`
			`}`

update README 2023-11-23 16:03:07 +01:00			`../../profiles/common/user.nix`
feat,fix: cach up hostkey0 with structure changes, update x13s and config firewall 2024-03-07 22:01:03 +01:00			`../../snippets/nix-settings.nix`
refactor nix settings 2023-12-01 21:00:17 +01:00			`../../snippets/nix-settings-holo-chain.nix`
feat(nix,bm-hostkey0): relaxed sandbox, SSH RemoteForward support, add pass, holo cache 2024-05-16 15:42:15 +02:00			`{`
			`nix.settings.sandbox = lib.mkForce "relaxed";`
			`}`
update README 2023-11-23 16:03:07 +01:00
feat(bm-hostkey0): add zerotier config 2024-04-04 21:04:39 +02:00			`../../snippets/holo-zerotier.nix`

update README 2023-11-23 16:03:07 +01:00			`# TODO`
			`# ./network.nix`
			`# ./monitoring.nix`

work on remote dev set up on sj-bm-hostkey0 2023-11-24 11:34:17 +01:00			`# user config`
feat,fix: cach up hostkey0 with structure changes, update x13s and config firewall 2024-03-07 22:01:03 +01:00			`../../snippets/home-manager-with-zsh.nix`
work on remote dev set up on sj-bm-hostkey0 2023-11-24 11:34:17 +01:00			`{`
update README 2023-11-23 16:03:07 +01:00			`users.commonUsers = {`
			`enable = true;`
			`enableNonRoot = true;`
			`};`
work on remote dev set up on sj-bm-hostkey0 2023-11-24 11:34:17 +01:00
nix fmt 2024-02-08 20:53:22 +01:00			`home-manager.users.steveej = {pkgs, ...}: {`
feat(nix,bm-hostkey0): relaxed sandbox, SSH RemoteForward support, add pass, holo cache 2024-05-16 15:42:15 +02:00			`imports = [`
			`../../../home-manager/programs/pass.nix`
			`];`

workaround elctron issues, fix firewall for syncthing, set uphostkey0 as builder to steveej-t14 2023-12-17 23:25:24 +01:00			`home.packages = [`
			`pkgs.nil`
			`pkgs.rnix-lsp`
			`pkgs.nixd`
			`pkgs.nixpkgs-fmt`
			`pkgs.alejandra`
			`pkgs.nixfmt`
feat(vscodium remote): attempt to match versions on client and server environments 2024-03-07 21:58:24 +01:00
feat: update flakes, attempt to repair espanso 2024-05-02 09:48:15 +02:00			`repoFlake.packages.${system}.rperf`

feat(vscodium remote): attempt to match versions on client and server environments 2024-03-07 21:58:24 +01:00			`# TODO: automate linking this`
			# 1. get the commit with: `codium --version`
			# 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/`
			# 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
feat: update flakes, attempt to repair espanso 2024-05-02 09:48:15 +02:00
			`/*`
			`e.g.:`
			```
			`(`
			`set -e`
			`export COMMIT=$(codium --version \| rg '^[0-9a-f]{40}$')`
feat: update openvscode 2024-05-25 11:36:21 +02:00			`ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"`
feat: update flakes, attempt to repair espanso 2024-05-02 09:48:15 +02:00			`)`
			```
			`*/`
			`(pkgsVscodium.openvscode-server.overrideAttrs (attrs: {`
feat(vscodium remote): attempt to match versions on client and server environments 2024-03-07 21:58:24 +01:00			`src = repoFlake.inputs.openvscode-server;`
feat: update openvscode 2024-05-25 11:36:21 +02:00			`version = "1.88.1";`
			`yarnCache = attrs.yarnCache.overrideAttrs (_: {outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Ts=";});`
feat(vscodium remote): attempt to match versions on client and server environments 2024-03-07 21:58:24 +01:00			`}))`
workaround elctron issues, fix firewall for syncthing, set uphostkey0 as builder to steveej-t14 2023-12-17 23:25:24 +01:00			`];`
work on remote dev set up on sj-bm-hostkey0 2023-11-24 11:34:17 +01:00			`};`

			`programs.zsh.enable = true;`
			`users.defaultUserShell = pkgs.zsh;`
nix fmt 2024-02-08 20:53:22 +01:00			`environment.pathsToLink = ["/share/zsh"];`
update README 2023-11-23 16:03:07 +01:00			`}`
feat(bm-hostkey0): set up mycelium 2024-05-25 11:35:26 +02:00
			`../../snippets/mycelium.nix`
update README 2023-11-23 16:03:07 +01:00			`];`
nix fmt 2023-11-23 17:52:21 +01:00
work on remote dev set up on sj-bm-hostkey0 2023-11-24 11:34:17 +01:00			`services.openssh.enable = true;`
			`services.openssh.settings.PermitRootLogin = "yes";`
feat(nix,bm-hostkey0): relaxed sandbox, SSH RemoteForward support, add pass, holo cache 2024-05-16 15:42:15 +02:00			`services.openssh.extraConfig = ''`
			`StreamLocalBindUnlink yes`
			`'';`
work on remote dev set up on sj-bm-hostkey0 2023-11-24 11:34:17 +01:00
update README 2023-11-23 16:03:07 +01:00			`boot = {`
			`kernel = {`
			`sysctl = {`
			`"net.ipv4.conf.all.forwarding" = true;`
			`"net.ipv6.conf.all.forwarding" = true;`
			`};`
			`};`
			`};`

			`networking = {`
			`hostName = nodeName;`
			`useNetworkd = true;`
			`useDHCP = true;`

			`# No local firewall.`
			`nat.enable = true;`
			`firewall.enable = false;`
fixup! WIP: use two wg interfaces on both routers and route traffic via distinct ISPs 2024-06-01 10:55:40 +02:00
			`firewall.allowedTCPPorts = [`
			`5201`
			`];`
			`firewall.allowedUDPPorts = [`
			`5201`
			`];`
update README 2023-11-23 16:03:07 +01:00			`};`

nix fmt 2024-02-08 20:53:22 +01:00			`disko.devices = let`
			`disk = id: {`
			`type = "disk";`
			`device = "/dev/${id}";`
			`content = {`
			`type = "gpt";`
			`partitions = {`
			`boot = {`
			`size = "1M";`
			`type = "EF02"; # for grub MBR`
			`};`
			`mdadm = {`
			`size = "100%";`
			`content = {`
			`type = "mdraid";`
			`name = "raid0";`
			`};`
			`};`
			`};`
			`};`
			`};`
			`in {`
			`disk = {`
			`sda = disk "sda";`
			`sdb = disk "sdb";`
			`};`
			`mdadm = {`
			`raid0 = {`
			`type = "mdadm";`
			`level = 0;`
update README 2023-11-23 16:03:07 +01:00			`content = {`
			`type = "gpt";`
			`partitions = {`
nix fmt 2024-02-08 20:53:22 +01:00			`primary = {`
update README 2023-11-23 16:03:07 +01:00			`size = "100%";`
			`content = {`
nix fmt 2024-02-08 20:53:22 +01:00			`type = "filesystem";`
			`format = "btrfs";`
			`mountpoint = "/";`
update README 2023-11-23 16:03:07 +01:00			`};`
			`};`
			`};`
			`};`
			`};`
			`};`
nix fmt 2024-02-08 20:53:22 +01:00			`};`
update README 2023-11-23 16:03:07 +01:00
add sj-bm-hostkey0, bump steveej-t14, rework NIX_PATH and zsh 2023-11-23 17:14:15 +01:00			`system.stateVersion = "23.11";`
update README 2023-11-23 16:03:07 +01:00
			`boot.kernelPackages = pkgs.linuxPackages_latest;`
			`boot.initrd.includeDefaultModules = true;`
			`boot.initrd.kernelModules = [`
			`"dm-raid"`
			`"dm-integrity"`
			`"xhci_pci_renesas"`
			`];`

			`hardware.enableRedistributableFirmware = true;`

			`environment.systemPackages = [`
			`pkgs.hdparm`
feat(sj-bm-hostkey0): enable fuse, docker, podman, caddy as s3 reverse-proxy 2024-04-18 17:38:24 +02:00			`pkgs.fuse`
update README 2023-11-23 16:03:07 +01:00			`];`
nix fmt 2023-11-23 17:52:21 +01:00
feat(sj-bm-hostkey0): enable fuse, docker, podman, caddy as s3 reverse-proxy 2024-04-18 17:38:24 +02:00			`programs.fuse.userAllowOther = true;`

			`services.caddy.enable = true;`
			`services.caddy.email = "mail@stefanjunker.de";`
			`services.caddy.globalConfig = ''`
			`auto_https disable_redirects`
			`'';`
			`services.caddy.virtualHosts = let`
			`holochainDomain = "dev.infra.holochain.org";`
			`in {`
			`"${nodeName}.${holochainDomain}" = {`
			`extraConfig = ''`
			`handle_path /s3/* {`
			`reverse_proxy http://127.0.0.1:9000`
			`}`
			`'';`
			`};`
			`};`

add sj-bm-hostkey0, bump steveej-t14, rework NIX_PATH and zsh 2023-11-23 17:14:15 +01:00			`# home-manager.users.steveej = _: {`
			`# imports = [`
			`# ../../../home-manager/configuration/text-minimal.nix`
			`# ];`

			`# home.sessionVariables = {`
			`# };`

			`# home.packages = with pkgs; [`
			`# ];`
			`# };`
workaround elctron issues, fix firewall for syncthing, set uphostkey0 as builder to steveej-t14 2023-12-17 23:25:24 +01:00
			`virtualisation.libvirtd.enable = true;`
feat(sj-bm-hostkey0): enable fuse, docker, podman, caddy as s3 reverse-proxy 2024-04-18 17:38:24 +02:00			`virtualisation.docker.enable = true;`

			`virtualisation.podman.enable = true;`
			`virtualisation.podman.autoPrune.enable = true;`
			`# virtualisation.podman.dockerSocket.enable = true;`
workaround elctron issues, fix firewall for syncthing, set uphostkey0 as builder to steveej-t14 2023-12-17 23:25:24 +01:00
			`boot.binfmt.emulatedSystems = [`
			`"aarch64-linux"`
			`];`
feat(sj-bm-hostkey0): add zerotier 2024-04-18 17:28:17 +02:00
			`steveej.holo-zerotier = {`
			`enable = true;`
			`autostart = false;`
			`};`
update README 2023-11-23 16:03:07 +01:00			`}`