infra/nix/os/devices/steveej-x13s/configuration.nix


# NixOS configuration for the steveej-x13s node.
#
# Module arguments beyond the usual `pkgs`/`lib`/`config`: `repoFlake` and
# `nodeFlake` supply flake inputs (sops-nix, disko, nixos-x13s, nix-snapshotter)
# referenced from `imports`; `nodeName` is the hostname and selects the sops
# secrets directory; `system` is the target system string used for per-system
# flake outputs; `packages'` is the repo's own package set (x13s firmware
# below).  `localDomainName` is accepted but not referenced in this file.
{
repoFlake,
nodeFlake,
pkgs,
lib,
config,
nodeName,
localDomainName,
system,
packages',
...
}: {
# Node-level overlay hook.  Currently a no-op: the systemd 256 override is kept
# only as a commented reference.
nixpkgs.overlays = [
  (
    _final: _previous: {
      # inherit (nodeFlake.inputs.nixpkgs-systemd256.legacyPackages.${system}) systemd systemdMinimal;
    }
  )
];
# Hardware enablement options provided by the nixos-x13s module (imported below).
nixos-x13s.enable = true;
# TODO: use hardware address
# NOTE(review): a fixed, hand-picked address rather than the adapter's own one
# (see the TODO); the bluetooth-x13s-mac service below writes it to the
# controller before bluetoothd starts.
nixos-x13s.bluetoothMac = "65:9e:7a:8b:86:28";
nixos-x13s.kernel = "jhovold";
# Backlight daemon that reacts to the brightness keys.
services.illum.enable = true;
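# Programs the Bluetooth controller's public address before bluetoothd starts.
# `lib.mkForce` replaces the service definition shipped by the nixos-x13s
# module wholesale, so every field has to be restated here.
systemd.services.bluetooth-x13s-mac = lib.mkForce {
  enable = true;
  # journalctl/rfkill/btmgmt come from these; grep and sleep come from the
  # default NixOS service PATH.
  path = [
    pkgs.systemd
    pkgs.util-linux
    pkgs.bluez5-experimental
    pkgs.expect
  ];
  script = ''
    # TODO: this may not be required
    # Wait until the kernel reports the QCA firmware load as finished; the
    # address can only be set once the controller is up.  The loop has no
    # upper bound and Type=oneshot has no default start timeout, so a
    # missing journal line keeps bluetooth.service waiting indefinitely
    # (serviceConfig.TimeoutStartSec would bound that if it ever matters).
    while ! journalctl -b0 | grep -q 'Bluetooth: hci0: QCA setup on UART is completed'; do
      echo Waiting for bluetooth firmware to complete
      # Pause between journal reads; a bare `echo sleep 1` here would only
      # print the text and turn this into a busy loop.
      sleep 1
    done
    (
      # best effort: a failed address change must not fail the unit
      set +e
      rfkill block bluetooth
      echo $?
      btmgmt public-addr ${config.nixos-x13s.bluetoothMac}
      echo $?
      rfkill unblock bluetooth
      echo $?
    )
  '';
  # Ordered in front of bluetoothd so the address is in place when it starts.
  requiredBy = ["bluetooth.service"];
  before = ["bluetooth.service"];
  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = true;
    # we need a tty, otherwise btmgmt will hang
    StandardInput = "tty";
    TTYPath = "/dev/tty2";
    TTYReset = "yes";
    TTYVHangup = "yes";
  };
};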
# Modules composed into this host: flake-provided modules first, then the
# repo's own snippets; inline modules follow further down the list.
imports = [
# x13s hardware enablement; backs the nixos-x13s.* options set above
nodeFlake.inputs.nixos-x13s.nixosModules.default
# secrets decrypted at activation; the builder key below comes from here
repoFlake.inputs.sops-nix.nixosModules.sops
# declarative disk layout, defined in ./disko.nix
nodeFlake.inputs.disko.nixosModules.disko
./disko.nix
../../snippets/nix-settings.nix
../../snippets/nix-settings-holo-chain.nix
../../snippets/mycelium.nix
../../profiles/common/user.nix
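# Remote access, secrets and distributed builds for this node.
{
  services.openssh.enable = true;
  # sshd is reachable on every firewall-enabled interface (openFirewall below),
  # so root may only authenticate with a key; "yes" would additionally accept
  # a root password should one ever be set for the account.
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  services.openssh.openFirewall = true;
  # Per-node secrets file; `nodeName` selects the directory.
  sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
  sops.defaultSopsFormat = "yaml";
  users.commonUsers = {
    enable = true;
    enableNonRoot = true;
  };
  # Decrypted at activation; its path is handed to nix for the builders below.
  sops.secrets.builder-private-key = {};
  nix.distributedBuilds = true;
  nix.buildMachines = [
    # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@sj-bm-hostkey0.dev.infra.holochain.org?ssh-key=/run/secrets/builder-private-key'
    # NOTE(review): neither entry sets `publicHostKey`, so the authenticity of
    # the builders rests on root's known_hosts at first connection; pinning the
    # host keys here would make the remote-build trust explicit.
    {
      hostName = "sj-bm-hostkey0.dev.infra.holochain.org";
      sshUser = "nix-remote-builder";
      sshKey = config.sops.secrets.builder-private-key.path;
      protocol = "ssh-ng";
      systems = [
        "x86_64-linux"
        # "aarch64-linux"
      ];
      supportedFeatures = [
        "big-parallel"
        "kvm"
      ];
      # maxJobs = 0 leaves this builder defined but without job capacity;
      # presumably parked on purpose — confirm.
      maxJobs = 0;
    }
    {
      hostName = "x64-linux-dev-01.dev.infra.holochain.org";
      sshUser = "nix-remote-builder";
      sshKey = config.sops.secrets.builder-private-key.path;
      protocol = "ssh-ng";
      systems = [
        "x86_64-linux"
        # "aarch64-linux"
      ];
      supportedFeatures = [
        "big-parallel"
        "kvm"
      ];
      maxJobs = 32;
    }
  ];
}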
# TODO: create syncthing os snippet
# Syncthing's sync port (22000/tcp+udp) and local-discovery port (21027/udp),
# opened only on wired (en+) and wireless (wl+) interfaces.
(let
  tcp = [22000];
  udp = [
    22000
    21027
  ];
  syncthingPorts = {
    allowedTCPPorts = tcp;
    allowedUDPPorts = udp;
  };
in {
  # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
  networking.firewall.interfaces = lib.genAttrs ["en+" "wl+"] (_: syncthingPorts);
  # Unlike the per-interface rules above, this one applies to every interface,
  # zerotier included.
  networking.firewall.allowedTCPPorts = [
    # iperf3
    5201
  ];
})
# Desktop, bluetooth, timezone, radicale (CalDAV/CardDAV) and zerotier snippets
# from the repo; the steveej.holo-zerotier.* options set below come from the
# last one.
../../snippets/home-manager-with-zsh.nix
../../snippets/sway-desktop.nix
../../snippets/bluetooth.nix
../../snippets/timezone.nix
../../snippets/radicale.nix
../../snippets/holo-zerotier.nix
# experiment with k3s, nix-snapshotter, and nixos images
{
  # (1) Import nixos module.
  imports = [nodeFlake.inputs.nix-snapshotter.nixosModules.default];
  # (2) Add overlay.
  nixpkgs.overlays = [nodeFlake.inputs.nix-snapshotter.overlays.default];
  # (3) Enable service.
  virtualisation.containerd.enable = true;
  virtualisation.containerd.k3sIntegration = false;
  virtualisation.containerd.nixSnapshotterIntegration = true;
  # TODO: understand if this has an influence on the systemd LoadCredential issue
  virtualisation.containerd.settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = lib.mkForce true;
  services.nix-snapshotter.enable = true;
  # (4) Add a containerd CLI like nerdctl.
  environment.systemPackages = [
    pkgs.nerdctl
    nodeFlake.inputs.nix-snapshotter.packages.${system}.nix-snapshotter
  ];
  # k3s itself stays switched off; setKubeConfig is kept for when it is enabled.
  services.k3s = {
    enable = false;
    setKubeConfig = true;
  };
}
];
networking = {
  hostName = nodeName;
  firewall.enable = true;
  networkmanager.enable = true;
};
nixpkgs.config.allowUnfree = true;
# Base CLI tooling in the system profile (order kept as given).
environment.systemPackages = with pkgs; [
  sshfs
  util-linux
  coreutils
  vim
  git
  git-crypt
];
system.stateVersion = "23.11";
# Per-user home-manager configurations; root gets a bare profile, steveej the
# full graphical one from the repo.
home-manager.users = {
  root = _: {
    home.stateVersion = "23.11";
  };
  steveej = _: {
    home.stateVersion = "23.11";
    imports = [../../../home-manager/configuration/graphical-fullblown.nix];
    home.sessionVariables = {};
    home.packages = [];
    # TODO: currently unsupported
    services.gammastep.enable = lib.mkForce false;
  };
};
# UEFI boot via systemd-boot with the ESP at /boot; writing EFI variables is
# forced off, overriding any snippet that enables it.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
boot.loader.efi.efiSysMountPoint = "/boot";
# Keep the WWAN core module from loading.
boot.blacklistedKernelModules = ["wwan"];
# x13s Bluetooth and ath11k Wi-Fi firmware from the repo's package set,
# ordered in front of the other firmware packages by mkBefore.
hardware.firmware = lib.mkBefore [
  packages'.x13s-bt-firmware
  packages'.x13s-ath11k-firmware
];
# see https://linrunner.de/tlp/
# TODO: find an equivalent to tlp that supports this machine
services.tlp.enable = false;
# Charge thresholds are kept so they can be reused once a working power daemon
# is found; with enable = false they have no effect.
services.tlp.settings = {
  START_CHARGE_THRESH_BAT0 = "80";
  STOP_CHARGE_THRESH_BAT0 = "85";
};
virtualisation = {
  # android on linux
  waydroid.enable = false;
  containers.enable = true;
  podman.enable = true;
};
hardware.ledger.enable = true;
# Binary cache, presumably for the nixos-x13s kernel/firmware builds.  Any store
# path signed by the key below is accepted by nix on this host; both list
# options merge with the defaults rather than replacing them.
nix.settings = {
  substituters = ["https://nixos-x13s.cachix.org"];
  trusted-public-keys = ["nixos-x13s.cachix.org-1:SzroHbidolBD3Sf6UusXp12YZ+a5ynWv0RtYF0btFos="];
};
# Zerotier is configured but not brought up at boot (autostart off).
steveej.holo-zerotier.enable = true;
steveej.holo-zerotier.autostart = false;
# Android device access: udev rules plus the adb tooling.
services.udev.packages = [pkgs.android-udev-rules];
programs.adb.enable = true;
# NOTE(review): "relaxed" lets derivations that set __noChroot opt out of the
# build sandbox; mkForce applies this over whatever the nix-settings snippet
# chooses, so such derivations build with full host access on this machine.
nix.settings.sandbox = lib.mkForce "relaxed";
}