dotfiles/nixos/systems/blowhole/default.nix

94 lines
2.4 KiB
Nix
Raw Normal View History

# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ inputs, lib', config, ... }:
let
inherit (lib')
flip
mapAttrs
singleton;
config' = config;
in
{
flake.nixosConfigurations.blowhole = inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
config' = config';
inputs' = inputs;
secret = lib'.loadSecrets inputs.secret;
};
modules = singleton
({ pkgs, config, ... }:
{
imports = [
./bind.nix
./consul.nix
./filesystems.nix
./firewall.nix
./grub.nix
./hardware.nix
./hostapd.nix
./ical2org.nix
./klipper.nix
./monitoring.nix
./nas.nix
./networking.nix
./nfs.nix
./nomad.nix
./uterranix.nix
./vault-agent.nix
./vault.nix
./watchdog.nix
./nixpkgs.nix
./users.nix
../../common/remote_access.nix
inputs.serokell-nix.nixosModules.acme-sh
config'.flake.nixosModules.hashicorp
config'.flake.nixosModules.hashicorp-envoy
config'.flake.nixosModules.telegraf
config'.flake.nixosModules.grafana
];
_module.args.nixinate = {
host = "blowhole.hosts.in.redalder.org";
sshUser = "main";
buildOn = "local";
substituteOnTarget = true;
hermetic = false;
nixOptions = [
"--override-input secret path://$HOME/dotfiles/secret"
];
};
systemd.services.vault-unsealed = {
description = "Check whether the local Vault instance is unsealed and fail if not.";
path = with pkgs; [ getent vault ];
unitConfig = {
StartLimitInterval = 0;
};
serviceConfig = {
Restart = "always";
RestartSec = 30;
};
script = ''
export VAULT_ADDR="https://vault.in.redalder.org:8200/"
while [ $( vault operator key-status |& grep -q "Vault is sealed" ; printf $? ) = 1 ]
do
sleep 30
done
exit 2
'';
};
system.stateVersion = "21.05";
});
};
}