infra/nix/os/devices/steveej-t480s-work/system.nix

{ pkgs
, lib
, config
, ... }:

let
  keys = import ../../../variables/keys.nix;
in {

  # TASK: new device
  networking.hostName = "steveej-t480s-work"; # Define your hostname.

  # Used for testing local Openshift clusters
  environment.etc."NetworkManager/dnsmasq.d/openshift.conf".text =
    let
      openshiftClusterName = "openshift-steveej";
      openshiftDomain = "openshift.testing";
      openshiftSubnetBase = "192.168.126";
    in ''
      server=/${openshiftDomain}/${openshiftSubnetBase}.1
      address=/.apps.${openshiftClusterName}.${openshiftDomain}/${openshiftSubnetBase}.51
  '';
  networking.firewall.enable = lib.mkForce false;
  networking.firewall.checkReversePath = false;

  networking.bridges."virbr1".interfaces = [];
  networking.interfaces."virbr1".ipv4.addresses = [
      { address = "10.254.254.254"; prefixLength = 24; }
  ];

  services.printing = {
    enable = true;
    drivers = with pkgs; [
      hplip
      mfcl3770cdw.driver
      mfcl3770cdw.cupswrapper
    ];
  };

  services.fprintd.enable = true;
  security.pam.services = {
    login.fprintAuth = true;
    sudo.fprintAuth = true;
  };

  # Kubernetes
  # services.kubernetes.roles = ["master" "node"];

  # virtualization
  virtualisation = {
    libvirtd = {
      enable = true;
    };

    virtualbox.host = {
      enable = false ;
      addNetworkInterface = false;
    };

    docker = {
      enable = true;
      extraOptions = "--experimental";
    };
  };


  boot.initrd.network = {
    enable = true;
    useDHCP = true;
    udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ];

    ssh = {
      enable = true;
      authorizedKeys = keys.users.steveej.openssh;
      hostKeys = [
        "/etc/secrets/initrd/ssh_host_rsa_key"
        "/etc/secrets/initrd/ssh_host_ed25519_key"
      ];
    };
  };

  security.pki.certificateFiles = [
    "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
    ../../../../certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt
  ];

  services.xserver.videoDrivers = [ "modesetting" ];
  services.xserver.serverFlagsSection = ''
    Option "BlankTime" "0"
    Option "StandbyTime" "0"
    Option "SuspendTime" "0"
    Option "OffTime" "0"
  '';

  # the default profile uses linuxPackages_latest
  # boot.kernelPackages = lib.mkForce pkgs.linuxPackages;

  krb5 = {
    enable = true;
    config = let
      pkinit_crt = pkgs.fetchurl {
        url = "https://password.corp.redhat.com/ipa.crt";
        sha256 = "0cflhkb7szzlakjmz2rmw8l8j5jqsyy2rl7ciclmi5fdfjrrx1cd";
      };
    in ''
      [libdefaults]
      default_realm = IPA.REDHAT.COM
      dns_lookup_realm = true
      dns_lookup_kdc = true
      rdns = false
      dns_canonicalize_hostname = true
      ticket_lifetime = 24h
      forwardable = true
      udp_preference_limit = 0
      default_ccache_name = KEYRING:persistent:%{uid}

      [realms]
        REDHAT.COM = {
            default_domain = redhat.com
            dns_lookup_kdc = true
            master_kdc = kerberos.corp.redhat.com
            admin_server = kerberos.corp.redhat.com
        }

        #make sure to save the IPA CA cert
        #mkdir /etc/ipa && curl -o /etc/ipa/ca.crt https://password.corp.redhat.com/ipa.crt
        IPA.REDHAT.COM = {
           pkinit_anchors = FILE:${pkinit_crt}
           pkinit_pool = FILE:${pkinit_crt}
           default_domain = ipa.redhat.com
           dns_lookup_kdc = true
           # Trust tickets issued by legacy realm on this host
           auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//
           auth_to_local = DEFAULT
        }
      '';
  };

  hardware.ledger.enable = true;
}