{ pkgs, lib, config, nodeName, repoFlake, ... }:
let
  # Ports opened on the local uplinks (eth+/wlan+) only; see the per-interface
  # firewall rules below. Nothing here is opened on zt+ or virbr1.
  localTcpPorts = [
    22    # ssh (services.openssh.openFirewall is off, so this is the only opening)
    22000 # syncthing
    5201  # iperf3
  ];
  localUdpPorts = [
    22000 # syncthing
    21027 # syncthing
  ];

  # Rule set shared by every local uplink interface.
  localSegmentRules = {
    allowedTCPPorts = localTcpPorts;
    allowedUDPPorts = localUdpPorts;
  };

  # Both remote-builder entries target the same machine; they differ only in
  # the system they build for and in which host's system-features they
  # advertise as supported.
  remoteBuilder = { system, featuresOf }: {
    hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; # TODO: make this a reference
    sshUser = "nix-remote-builder";
    protocol = "ssh-ng";
    inherit system;
    maxJobs = 32;
    speedFactor = 100;
    supportedFeatures = repoFlake.nixosConfigurations.${featuresOf}.config.nix.settings.system-features;
  };
in
{
  imports = [
    ../../snippets/nix-settings-holo-chain.nix
    ../../snippets/radicale.nix
    ../../snippets/sway-desktop.nix
    ../../snippets/timezone.nix
  ];

  nix = {
    # List-typed settings are merged by the module system, so the empty lists
    # here add nothing on top of what the imported snippets configure.
    settings = {
      substituters = [ ];
      trusted-public-keys = [ ];
    };
    distributedBuilds = true;
    buildMachines = [
      (remoteBuilder { system = "x86_64-linux"; featuresOf = "steveej-t14"; })
      (remoteBuilder { system = "aarch64-linux"; featuresOf = "router0-dmz0"; })
    ];
  };

  networking = {
    networkmanager.enable = true;
    extraHosts = '' '';
    usePredictableInterfaceNames = false;

    bridges."virbr1".interfaces = [ ];
    interfaces."virbr1".ipv4.addresses = [
      { address = "10.254.254.254"; prefixLength = 24; }
    ];

    firewall = {
      enable = true;
      # rp_filter is switched off on every interface so that a
      # NetworkManager-managed WireGuard tunnel can carry the default route.
      # This also gives up the source-address spoofing check rp_filter
      # provides; the option additionally accepts "loose", which is the
      # narrower setting to try first.
      checkReversePath = false;
      # Refused packets are not written to the journal; keep that in mind when
      # debugging connectivity or looking for scanning activity on this host.
      logRefusedConnections = false;
      # The intent is "every interface except zt+"; since that cannot be
      # expressed yet, the rules are attached to the uplinks explicitly.
      # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
      interfaces = lib.genAttrs [ "eth+" "wlan+" ] (_: localSegmentRules);
    };
  };

  # sshd is reachable only through the per-interface openings above.
  services.openssh.openFirewall = false;

  services.fwupd.enable = true;
  services.fprintd.enable = true;
  # A fingerprint is accepted for console login and for sudo; for sudo this
  # means an enrolled finger stands in for the password.
  security.pam.services = {
    login.fprintAuth = true;
    sudo.fprintAuth = true;
  };

  # virtualization
  virtualisation = {
    libvirtd.enable = true;
    virtualbox.host = {
      enable = false;
      addNetworkInterface = false;
    };
    podman = {
      enable = true;
      dockerCompat = true;
      # defaultNetwork.dnsname.enable = true;
    };
  };

  services.samba.extraConfig = ''
    # client min protocol = NT1
  '';

  # Explicitly trusts the stock cacert bundle; this appears to be the same
  # bundle the CA module ships by default, so it adds no extra trust anchors.
  security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];

  services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ];

  hardware.ledger.enable = true;

  # Kept for reference: the zerotier service and the unit that fed it the
  # secret network list. Both are currently disabled.
  # services.zerotierone = {
  #   enable = false;
  #   joinNetworks = [
  #     # moved to the service below as it's now secret
  #   ];
  # };
  # systemd.services.zerotieroneSecretNetworks = {
  #   enable = false;
  #   requiredBy = [ "zerotierone.service" ];
  #   partOf = [ "zerotierone.service" ];
  #   serviceConfig.Type = "oneshot";
  #   serviceConfig.RemainAfterExit = true;
  #   script =
  #     let
  #       secret = config.sops.secrets.zerotieroneNetworks;
  #     in
  #     ''
  #       # include the secret's hash to trigger a restart on change
  #       # ${builtins.hashString "sha256" (builtins.toJSON secret)}
  #       ${config.systemd.services.zerotierone.preStart}
  #       rm -rf /var/lib/zerotier-one/networks.d/*.conf
  #       for network in `grep -v '#' ${secret.path}`; do
  #         touch /var/lib/zerotier-one/networks.d/''${network}.conf
  #       done
  #     '';
  # };

  # The secret is still declared, and therefore still decrypted onto the host,
  # even though its only consumer above is commented out.
  sops.secrets.zerotieroneNetworks = {
    sopsFile = ../../../../secrets/zerotierone.txt;
    format = "binary";
  };

  # Lets this machine run aarch64 binaries through emulation (used e.g. when
  # testing what the aarch64 remote builder produces).
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}