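{ pkgs, lib, config, nodeName, repoFlake, ... }:
let
  # Encrypted per-user variables; only `timeZone.stefan` is read in this module.
  passwords = import ../../../variables/passwords.crypt.nix;
in {
  nix.settings = {
    substituters = [
      "https://holochain-ci.cachix.org"
      "https://cache.holo.host/"
    ];
    # Signing keys for the substituters above.
    trusted-public-keys = [
      "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
      "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
      "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
    ];
    extra-experimental-features = [ "impure-derivations" ];
    system-features = [ "recursive-nix" "big-parallel" ];
  };

  networking.extraHosts = ''
  '';

  # Bridge with a fixed host address and no enslaved interfaces.
  networking.bridges."virbr1".interfaces = [ ];
  networking.interfaces."virbr1".ipv4.addresses = [
    {
      address = "10.254.254.254";
      prefixLength = 24;
    }
  ];

  networking.firewall.enable = true;
  # SSH is not opened on all interfaces; this module only allows it on eth+ below.
  services.openssh.openFirewall = false;
  # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
  networking.firewall.interfaces."eth+".allowedTCPPorts = [
    22
    # syncthing
    22000
    # iperf3
    5201
  ];
  networking.firewall.interfaces."eth+".allowedUDPPorts = [
    # syncthing
    22000
    21027
  ];
  networking.firewall.logRefusedConnections = false;
  networking.usePredictableInterfaceNames = false;

  services.fwupd.enable = true;

  # Fingerprint authentication for console login and sudo.
  services.fprintd.enable = true;
  security.pam.services = {
    login.fprintAuth = true;
    sudo.fprintAuth = true;
  };

  # virtualization
  virtualisation = {
    libvirtd = { enable = true; };
    virtualbox.host = {
      enable = false;
      addNetworkInterface = false;
    };
    podman = {
      enable = true;
      dockerCompat = true;
      # defaultNetwork.dnsname.enable = true;
    };
  };

  services.samba.extraConfig = ''
    # client min protocol = NT1
  '';

  security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];

  services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ];
  # Disable all X screen-saver / DPMS timeouts.
  services.xserver.serverFlagsSection = ''
    Option "BlankTime" "0"
    Option "StandbyTime" "0"
    Option "SuspendTime" "0"
    Option "OffTime" "0"
  '';

  time.timeZone = lib.mkForce passwords.timeZone.stefan;

  hardware.ledger.enable = true;

  services.zerotierone = {
    enable = true;
    joinNetworks = [
      # moved to the service below as it's now secret
    ];
  };

  # Materialises the network ids from the sops secret as
  # /var/lib/zerotier-one/networks.d/<id>.conf before zerotierone starts.
  systemd.services.zerotieroneSecretNetworks = {
    enable = true;
    requiredBy = [ "zerotierone.service" ];
    partOf = [ "zerotierone.service" ];
    serviceConfig.Type = "oneshot";
    serviceConfig.RemainAfterExit = true;
    script = let
      secret = config.sops.secrets.zerotieroneNetworks;
    in ''
      # include the secret's hash to trigger a restart on change
      # ${builtins.hashString "sha256" (builtins.toJSON secret)}
      ${config.systemd.services.zerotierone.preStart}
      rm -rf /var/lib/zerotier-one/networks.d/*.conf
      # one line per network id; any line containing '#' is skipped.
      # The path is quoted so an unexpected value in the secret cannot glob-expand.
      for network in $(grep -v '#' "${secret.path}"); do
        touch "/var/lib/zerotier-one/networks.d/''${network}.conf"
      done
    '';
  };

  # Plain-text list of zerotier network ids, decrypted by sops at activation.
  sops.secrets.zerotieroneNetworks = {
    sopsFile = ../../../../secrets/zerotierone.txt;
    format = "binary";
  };

  # Nomad client credentials, readable by the steveej user only.
  sops.secrets.nomad-holochain-agent-ca = {
    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.steveej.name;
  };
  sops.secrets.nomad-holochain-cli-cert = {
    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.steveej.name;
  };
  sops.secrets.nomad-holochain-cli-key = {
    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.steveej.name;
  };
}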