infra/nix/os/devices/srv0-dmz0/configuration.nix

{
  modulesPath,
  repoFlake,
  packages',
  pkgs,
  config,
  ...
}: let
  disk = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002051";
in {
  disabledModules = [];
  imports = [
    repoFlake.inputs.disko.nixosModules.disko
    repoFlake.inputs.srvos.nixosModules.server
    (modulesPath + "/profiles/all-hardware.nix")

    repoFlake.inputs.srvos.nixosModules.mixins-terminfo
    repoFlake.inputs.srvos.nixosModules.mixins-systemd-boot

    repoFlake.inputs.sops-nix.nixosModules.sops

    ../../profiles/common/user.nix
  ];

  ## bare-metal machines
  srvos.boot.consoles = ["tty0"];
  boot.loader.grub.enable = false;
  boot.loader.efi.canTouchEfiVariables = false;

  disko.devices.disk.main = {
    device = disk;
    type = "disk";
    content = {
      type = "table";
      format = "gpt";
      partitions = [
        {
          name = "boot";
          start = "0";
          end = "1M";
          part-type = "primary";
          flags = ["bios_grub"];
        }
        {
          name = "ESP";
          start = "1M";
          end = "512M";
          bootable = true;
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot";
          };
        }
        {
          name = "root";
          start = "512M";
          end = "100%";
          part-type = "primary";
          bootable = true;
          content = {
            type = "btrfs";
            extraArgs = ["-f"]; # Override existing partition
            subvolumes = {
              # Subvolume name is different from mountpoint
              "/rootfs" = {
                mountpoint = "/";
              };
              "/nix" = {
                mountOptions = ["noatime"];
              };
            };
          };
        }
      ];
    };
  };

  hardware.enableAllFirmware = true;
  nixpkgs.config.allowUnfree = true;

  hardware.enableRedistributableFirmware = true;
  hardware.cpu.intel.updateMicrocode = true;

  services.openssh.enable = true;

  systemd.network.enable = true;
  systemd.network.networks."10-lan" = {
    matchConfig.Name = "eth*";
    networkConfig = {
      # enable DHCP for IPv4 *and* IPv6
      DHCP = "yes";

      # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
      IPv6AcceptRA = true;
    };
  };
  networking.dhcpcd.enable = false;

  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [
    22

    # iperf3
    5201
  ];
  networking.firewall.logRefusedConnections = false;
  networking.usePredictableInterfaceNames = false;

  networking.nat = {
    enable = true;
    internalInterfaces = ["ve-+"];
    externalInterface = "eth0";
  };

  # Kubernetes
  # services.kubernetes.roles = ["master" "node"];

  # virtualization
  # virtualisation = {docker.enable = true;};

  nix.gc = {automatic = true;};

  containers = {
  };

  sops.secrets.holochain-nomad-agent-ca = {
    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.nomad.name;
    group = config.users.groups.nomad.name;
  };
  sops.secrets.holochain-global-nomad-client-cert = {
    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.nomad.name;
    group = config.users.groups.nomad.name;
  };
  sops.secrets.holochain-global-client-nomad-key = {
    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.nomad.name;
    group = config.users.groups.nomad.name;
  };

  services.nomad = {
    enable = true;
    package = packages'.nomad;
    enableDocker = false;
    dropPrivileges = false;

    extraPackages = [
      pkgs.coreutils
      pkgs.nix
      pkgs.bash
      pkgs.gitFull
      pkgs.cacert
    ];

    settings = {
      server.enabled = false;

      client = {
        enabled = true;
        server_join = {
          retry_join = [
            "infra.holochain.org"
          ];
          retry_interval = "60s";
        };

        node_class = "testing";

        meta = {
          inherit (pkgs.targetPlatform) system;

          features = builtins.concatStringsSep "," [
            "poc-1"
            "poc-2"
            "ipv4-nat"
            "nix"
            "nixos"
            "holoport"
          ];

          machine_type = "baremetal";
        };
      };

      tls = {
        http = true;
        rpc = true;
        ca_file = config.sops.secrets.holochain-nomad-agent-ca.path;
        cert_file = config.sops.secrets.holochain-global-nomad-client-cert.path;
        key_file = config.sops.secrets.holochain-global-client-nomad-key.path;

        verify_server_hostname = true;
        verify_https_client = true;
      };

      plugin.raw_exec.config.enabled = true;
    };
  };

  users.extraUsers.nomad.isNormalUser = true;
  users.extraUsers.nomad.isSystemUser = false;
  users.extraUsers.nomad.group = "nomad";
  users.extraUsers.nomad.home = config.services.nomad.settings.data_dir;
  users.extraUsers.nomad.createHome = true;
  users.groups.nomad.members = ["nomad"];

  systemd.services.nomad.serviceConfig.User = "nomad";
  systemd.services.nomad.serviceConfig.Group = "nomad";

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
}