# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
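{
  inputs,
  lib',
  config,
  ...
}: let
  inherit
    (lib')
    singleton
    ;
  # The NixOS module below takes its own `config` argument, so the flake-level
  # config is rebound under a distinct name before it is shadowed.
  config' = config;
in {
  flake.nixosConfigurations.blowhole = inputs.nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    specialArgs = {
      config' = config';
      inputs' = inputs;
      # Secrets are loaded from the `secret` flake input and handed to the
      # modules as the `secret` argument.
      secret = lib'.loadSecrets inputs.secret;
    };
    modules =
      singleton
      ({
        secret,
        pkgs,
        config,
        ...
      }: let
        # Destination of the Home Assistant pyscript tree on the NAS mount;
        # used both for the mkdir and as the rsync target below.
        pyscriptDir = "/mnt/kyle/infrastructure/home-assistant/home-assistant/pyscript";
      in {
        # Separate nixpkgs instance for the HashiCorp tools. Only the three
        # packages listed here are allowed through the unfree predicate, so
        # nothing else unfree can be pulled in via this instance by accident.
        _module.args.pkgs-hashicorp = import inputs.nixpkgs-hashicorp {
          system = pkgs.stdenv.system;
          config.allowUnfreePredicate = pkg:
            builtins.elem (lib'.getName pkg) [
              "consul"
              "vault-bin"
              "vault"
            ];
        };

        imports = [
          ./bind.nix
          ./consul.nix
          ./filesystems.nix
          ./firewall.nix
          ./grub.nix
          ./hardware.nix
          # ./hostapd.nix
          ./ical2org.nix
          ./klipper.nix
          # ./monitoring.nix
          ./nas.nix
          ./networking.nix
          ./nfs.nix
          ./nomad.nix
          ./uterranix.nix
          ./vault-agent.nix
          ./vault.nix
          ./watchdog.nix
          ./nixpkgs.nix
          ./users.nix
          ./disk_monitoring.nix
          ./sol.nix
          ../../common/remote_access.nix
          ./microvms.nix
          ./ssh-machine-access.nix
          ../../modules/notify-login.nix
          ./kubernetes.nix
          inputs.serokell-nix.nixosModules.acme-sh
          inputs.notnft.nixosModules.default
          inputs.self.nixosModules.notnft
          inputs.microvm.nixosModules.host
          inputs.self.nixosModules.microvm-extras-host
          config'.flake.nixosModules.hashicorp
          config'.flake.nixosModules.hashicorp-envoy
          config'.flake.nixosModules.telegraf
          config'.flake.nixosModules.grafana
        ];

        # Notify a Matrix room on SSH logins. Credentials live outside the
        # store in the secrets file referenced here.
        services.notify-login.ssh = {
          enable = true;
          method = "matrix";
          settings = {
            secretsFile = "/var/secrets/matrix-notify-login-ssh.json";
            stateDirectory = "/var/lib/matrix-commander/notify-login-ssh";
            markdown = true;
          };
        };

        # Deployment parameters for nixinate: build locally, push the closure
        # to the host and let the host substitute what it can.
        _module.args.nixinate = {
          host = "blowhole.hosts.in.redalder.org";
          sshUser = "main";
          buildOn = "local";
          substituteOnTarget = true;
          hermetic = false;
          nixOptions = [
            # NOTE(review): `$HOME` is presumably expanded by the shell that
            # runs nixinate on the deploying machine, not on the target — verify.
            "--override-input secret path://$HOME/dotfiles/secret"
          ];
        };

        # Unit that stays active for as long as Vault reports "sealed" is NOT
        # present in its seal status, and exits non-zero (→ failed, then
        # restarted after RestartSec) as soon as it is. Units that want to run
        # only while Vault is unsealed can bind to it.
        systemd.services.vault-unsealed = {
          description = "Check whether the local Vault instance is unsealed and fail if not.";
          path = with pkgs; [getent vault];
          unitConfig = {
            # Never rate-limit restarts; the unit is expected to fail and
            # restart repeatedly while Vault is sealed.
            StartLimitInterval = 0;
          };
          serviceConfig = {
            Restart = "always";
            RestartSec = 30;
          };
          # NOTE(review): only the grep result is inspected; if `vault` itself
          # fails (API unreachable, TLS error) its output will not contain
          # "Vault is sealed" and the loop treats that as "unsealed". Confirm
          # that is the intended behaviour for dependents of this unit.
          script = ''
            export VAULT_ADDR="https://vault.in.redalder.org:8200/"
            # Loop while neither stdout nor stderr mention a sealed Vault.
            while ! vault operator key-status 2>&1 | grep -q "Vault is sealed"
            do
              sleep 30
            done
            exit 2
          '';
        };

        system.stateVersion = "21.05";

        # Mirror the pyscript sources shipped in the secret input onto the NAS.
        # The service only exists when `secret.pyscript` is set: the previous
        # `${secret.pyscript or ""}/.` fallback expanded to `/.` when the secret
        # was missing, which would have rsync'd the whole root filesystem into
        # the target directory with --delete.
        systemd.services.home-assistant-pyscript = pkgs.lib.mkIf (secret ? pyscript) {
          wantedBy = ["multi-user.target"];
          restartIfChanged = true;
          path = [pkgs.rsync];
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = "yes";
          };
          script = ''
            mkdir -p ${pyscriptDir}
            # uid/gid 403 are presumably the Home Assistant container's owner —
            # confirm against the container definition.
            rsync --chown 403:403 --chmod Du=rwx,Dgo=rx,Fu=rw,Fgo=r -arvc --delete \
              ${secret.pyscript}/. ${pyscriptDir}/
          '';
        };

        # Raised inotify limits (defaults are far lower); the consumers are not
        # visible in this file.
        boot.kernel.sysctl = {
          "fs.inotify.max_user_watches" = 524288;
          "fs.inotify.max_user_instances" = 512;
        };

        # Expose the Zigbee dongle under a stable node name. The by-id symlink
        # is resolved and bind-mounted over /dev/ttyZigbee rather than
        # symlinked, presumably so that the node can be handed to a VM or
        # container that cannot follow the host's symlink — verify.
        services.udev.extraRules = let
          devPath = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_4c004e9c53c9eb118a9f8b4f1d69213e-if00-port0";
          zigbeeScript = pkgs.writeShellScript "zigbeeScript" ''
            touch /dev/ttyZigbee
            ${pkgs.lib.getExe' pkgs.utillinux "mount"} --bind \
              "$(${pkgs.lib.getExe' pkgs.coreutils "readlink"} -f "${devPath}")" \
              /dev/ttyZigbee
          '';
        in
          # NOTE(review): nothing unmounts on the matching "remove" event, so a
          # re-plug of the dongle appears to stack a second bind mount on top
          # of the first — confirm whether that is acceptable.
          ''
            ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="10c4", ATTR{idProduct}=="ea60", RUN+="${zigbeeScript}"
          '';
      });
  };
}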