# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
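{
  inputs,
  lib',
  config,
  ...
}: let
  # Only the helpers this file actually uses are pulled from lib'.
  inherit (lib') singleton loadSecrets;
  config' = config;
in {
  # NixOS system "omen" (x86_64), built straight from the flake with
  # nixosSystem.  Per-concern settings live in the sibling files listed
  # under `imports`; this file holds the host-wide glue.
  flake.nixosConfigurations.omen = inputs.nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    lib = lib';
    # Extra module arguments beyond the standard ones: the flake-level
    # config, the flake inputs and the secrets loaded from the `secret` input.
    specialArgs = {
      config' = config';
      inputs' = inputs;
      secret = loadSecrets inputs.secret;
    };
    modules = singleton ({
      pkgs,
      config,
      secret,
      ...
    }: let
      # Script run by the pam_exec session rules below (identical for sshd
      # and sudo, so it is defined once here).
      # NOTE(review): this is a leftover probe — it runs as root on every
      # session open and truncates the fixed path /tmp/pamtest; because
      # `>` follows symlinks, a pre-existing symlink at that path would
      # redirect the write.  Remove it or point it at a root-owned
      # directory before relying on these rules.
      pamSessionProbe = pkgs.writeShellScript "sudologin" ''
        echo TESTING > /tmp/pamtest
      '';
      # Builds the pam_exec session rule for the named PAM service, ordered
      # 10 after that service's `limits` session rule.
      mkPamExecRule = service: {
        modulePath = "pam_exec.so";
        args = [(toString pamSessionProbe)];
        control = "optional";
        order = config.security.pam.services.${service}.rules.session.limits.order + 10;
      };
    in {
      imports = [
        ./uk3s.nix
        ../../common/steam.nix
        ../../common/sound.nix
        ../../common/remote_access.nix
        ./xserver.nix
        ./grub.nix
        ./networking.nix
        ./filesystems.nix
        ./hardware.nix
        ./users.nix
        ./nixpkgs.nix
        ./firewall.nix
        ./microvm.nix
        ./impermenance.nix
        ./numen.nix
        ../../../overlays/ifstate/module.nix
        # ./test-vm.nix
        inputs.microvm.nixosModules.host
        inputs.notnft.nixosModules.default
        inputs.self.nixosModules.notnft
        inputs.self.nixosModules.microvm-extras-host
        # NOTE(review): the "impermenance" spelling must match the flake
        # input name exactly — verify against flake.nix.
        inputs.impermenance.nixosModules.impermanence
      ];
      # Deployment parameters consumed by nixinate.  The target address is
      # read from the secrets input; if it is absent the host is "" and the
      # deployment presumably cannot reach anything — confirm this is the
      # intended failure mode.
      _module.args.nixinate = {
        host = secret.network.ips.omen.vpn or "";
        sshUser = "main";
        buildOn = "local";
        substituteOnTarget = true;
        hermetic = false;
        # Re-points the `secret` flake input at a local checkout on the
        # machine running the deployment.
        nixOptions = [
          "--override-input secret path://$HOME/dotfiles/secret"
        ];
      };
      services.fwupd.enable = true;
      services.syncthing = {
        enable = true;
        user = "main";
        group = "main";
      };
      services.sshd.enable = true;
      # Makes QEMU recompile https://github.com/NixOS/nixpkgs/issues/221056
      boot.binfmt.emulatedSystems = [
        "aarch64-linux"
        "riscv64-linux"
        "armv6l-linux"
        "armv7l-linux"
      ];
      environment.systemPackages = [
        # (pkgs.man-pages.overrideAttrs (old: rec {
        # version = "6.05.01";
        # src = pkgs.fetchurl {
        # url = "mirror://kernel/linux/docs/man-pages/${old.pname}-${version}.tar.xz";
        # hash = "sha256-uWq2tEpojJHRtXLlL+zlGeHP0rtMM/5wFPw/0e8/nK4=";
        # };
        # nativeBuildInputs = with pkgs; [
        # git
        # (pkgs.callPackage inputs.nixpkgs-272363.legacyPackages.${pkgs.stdenv.system}.groff.override {})
        # ];
        # }))
        # (pkgs.man-pages-posix.overrideAttrs (old: rec {
        # version = "2021-02-14";
        # src = pkgs.fetchurl {
        # url = "mirror://kernel/linux/docs/man-pages/man-pages-posix/${old.pname}-${version}.tar.xz";
        # hash = "";
        # };
        # }))
        pkgs.man-pages-posix
      ];
      documentation.dev.enable = true;
      # The nix-daemon (running as root) is handed the `main` user's
      # gpg-agent SSH socket, i.e. it can authenticate with that user's keys
      # — presumably for remote builders; keep in mind this widens what a
      # compromised daemon can reach.
      systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/user/${toString config.users.users.main.uid}/gnupg/S.gpg-agent.ssh";
      # NOTE(review): the ControlMaster sockets live under the world-writable
      # /tmp at a predictable path; a private directory (e.g. under /run)
      # would avoid interference from other local users — confirm.
      systemd.services.nix-daemon.environment.NIX_SSHOPTS = "-o ControlMaster=auto -o ControlPath=/tmp/nix-daemon-controlmasters/%%r@%%h:%%p -o ControlPersist=300s";
      time.timeZone = "Europe/Amsterdam";
      system.stateVersion = "23.05";
      # Same optional pam_exec hook on both the sshd and sudo session stacks.
      security.pam.services.sshd.rules.session.pam_exec = mkPamExecRule "sshd";
      security.pam.services.sudo.rules.session.pam_exec = mkPamExecRule "sudo";
      # Rootless-capable container runtime with a Docker-compatible CLI/socket.
      virtualisation.podman.enable = true;
      virtualisation.podman.defaultNetwork.settings.subnets = [
        {
          gateway = "10.88.0.1";
          subnet = "10.88.0.0/16";
        }
      ];
      virtualisation.podman.dockerCompat = true;
    });
  };
}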