infra/nix/os/devices/steveej-t480s-work/system.nix

{
  pkgs,
  lib,
  config,
  ...
}: let
  keys = import ../../../variables/keys.nix;
in {
  # TASK: new device
  networking.hostName = "steveej-t480s-work"; # Define your hostname.

  # Used for testing local Openshift clusters
  environment.etc."NetworkManager/dnsmasq.d/openshift.conf".text = let
    openshiftClusterName = "openshift-steveej";
    openshiftDomain = "openshift.testing";
    openshiftSubnetBase = "192.168.126";
  in ''
    server=/${openshiftDomain}/${openshiftSubnetBase}.1
    address=/.apps.${openshiftClusterName}.${openshiftDomain}/${openshiftSubnetBase}.51
  '';
  networking.firewall.enable = lib.mkForce false;
  networking.firewall.checkReversePath = false;

  networking.bridges."virbr1".interfaces = [];
  networking.interfaces."virbr1".ipv4.addresses = [
    {
      address = "10.254.254.254";
      prefixLength = 24;
    }
  ];

  services.printing = {
    enable = true;
    drivers = with pkgs; [hplip mfcl3770cdw.driver mfcl3770cdw.cupswrapper];
  };

  services.fprintd.enable = true;
  security.pam.services = {
    login.fprintAuth = true;
    sudo.fprintAuth = true;
  };

  # Kubernetes
  # services.kubernetes.roles = ["master" "node"];

  # virtualization
  virtualisation = {
    libvirtd = {enable = true;};

    virtualbox.host = {
      enable = false;
      addNetworkInterface = false;
    };

    docker = {
      enable = true;
      extraOptions = "--experimental";
    };
  };

  boot.initrd.network = {
    enable = true;
    useDHCP = true;
    udhcpc.extraArgs = ["-x hostname:${config.networking.hostName}"];

    ssh = {
      enable = true;
      authorizedKeys = keys.users.steveej.openssh;
      hostKeys = [
        "/etc/secrets/initrd/ssh_host_rsa_key"
        "/etc/secrets/initrd/ssh_host_ed25519_key"
      ];
    };
  };

  security.pki.certificateFiles = [
    "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
    ../../../../certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt
  ];

  services.xserver.videoDrivers = ["modesetting"];
  services.xserver.serverFlagsSection = ''
    Option "BlankTime" "0"
    Option "StandbyTime" "0"
    Option "SuspendTime" "0"
    Option "OffTime" "0"
  '';

  # the default profile uses linuxPackages_latest
  # boot.kernelPackages = lib.mkForce pkgs.linuxPackages;

  krb5 = {
    enable = true;
    config = let
      pkinit_crt = pkgs.fetchurl {
        url = "https://password.corp.redhat.com/ipa.crt";
        sha256 = "0cflhkb7szzlakjmz2rmw8l8j5jqsyy2rl7ciclmi5fdfjrrx1cd";
      };
    in ''
      [libdefaults]
      default_realm = IPA.REDHAT.COM
      dns_lookup_realm = true
      dns_lookup_kdc = true
      rdns = false
      dns_canonicalize_hostname = true
      ticket_lifetime = 24h
      forwardable = true
      udp_preference_limit = 0
      default_ccache_name = KEYRING:persistent:%{uid}

      [realms]
        REDHAT.COM = {
            default_domain = redhat.com
            dns_lookup_kdc = true
            master_kdc = kerberos.corp.redhat.com
            admin_server = kerberos.corp.redhat.com
        }

        #make sure to save the IPA CA cert
        #mkdir /etc/ipa && curl -o /etc/ipa/ca.crt https://password.corp.redhat.com/ipa.crt
        IPA.REDHAT.COM = {
           pkinit_anchors = FILE:${pkinit_crt}
           pkinit_pool = FILE:${pkinit_crt}
           default_domain = ipa.redhat.com
           dns_lookup_kdc = true
           # Trust tickets issued by legacy realm on this host
           auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//
           auth_to_local = DEFAULT
        }
    '';
  };

  hardware.ledger.enable = true;
}