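# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
#
# Host definition for "blowhole": one NixOS system built from the stable
# nixpkgs input, with the host-specific modules imported from this directory.
{
  inputs,
  lib',
  config,
  ...
}: let
  # `singleton` is the only lib' helper used here; the unused `flip` and
  # `mapAttrs` inherits were dropped.
  inherit (lib') singleton;

  # The flake-level config is handed to the NixOS evaluation as `config'` so
  # the host can import `config'.flake.nixosModules.*` below.
  config' = config;
in {
  flake.nixosConfigurations.blowhole = inputs.nixpkgs-stable.lib.nixosSystem {
    system = "x86_64-linux";

    specialArgs = {
      config' = config';
      inputs' = inputs;
      # Secrets are decoded from the `secret` flake input by lib'.loadSecrets
      # and exposed to every module as the `secret` argument.
      secret = lib'.loadSecrets inputs.secret;
    };

    modules =
      singleton
      ({
        secret,
        pkgs,
        config,
        ...
      }: {
        imports = [
          ./bind.nix
          ./consul.nix
          ./filesystems.nix
          ./firewall.nix
          ./grub.nix
          ./hardware.nix
          ./klipper.nix
          ./monitoring.nix
          ./nas.nix
          ./networking.nix
          ./nfs.nix
          ./nomad.nix
          ./uterranix.nix
          ./vault-agent.nix
          ./vault.nix
          ./watchdog.nix
          ./nixpkgs.nix
          ./users.nix
          ./disk_monitoring.nix
          ./sol.nix
          ../../common/remote_access.nix
          ./ssh-machine-access.nix
          ../../modules/notify-login.nix
          ./uk3s.nix
          ./buildbot.nix

          inputs.self.nixosModules.acme-sh

          inputs.notnft.nixosModules.default
          inputs.self.nixosModules.notnft
          inputs.microvm.nixosModules.host
          inputs.uk3s-nix.nixosModules.helmCharts

          config'.flake.nixosModules.hashicorp
          config'.flake.nixosModules.hashicorp-envoy
          config'.flake.nixosModules.telegraf
          config'.flake.nixosModules.grafana
        ];

        # Notify a Matrix room on SSH logins (module: ../../modules/notify-login.nix).
        # The Matrix credentials live in a runtime file under /var/secrets, so
        # they are not part of the Nix store.
        services.notify-login.ssh = {
          enable = true;
          method = "matrix";
          settings = {
            secretsFile = "/var/secrets/matrix-notify-login-ssh.json";
            stateDirectory = "/var/lib/matrix-commander/notify-login-ssh";
            markdown = true;
          };
        };

        # Deployment settings consumed by nixinate. `nixOptions` points the
        # `secret` input at the operator's local checkout at deploy time.
        _module.args.nixinate = {
          host = "blowhole.hosts.in.redalder.org";
          sshUser = "main";
          buildOn = "local";
          substituteOnTarget = true;
          hermetic = false;
          nixOptions = [
            "--override-input secret path://$HOME/dotfiles/secret"
          ];
        };

        # Watchdog unit: stays active while the local Vault is unsealed and
        # fails (exit 2) as soon as it is sealed. Restart=always then re-runs
        # the check every 30 s until Vault has been unsealed again.
        systemd.services.vault-unsealed = {
          description = "Check whether the local Vault instance is unsealed and fail if not.";
          path = with pkgs; [getent vault];

          unitConfig = {
            # Never rate-limit the restart loop below.
            StartLimitInterval = 0;
          };

          serviceConfig = {
            Restart = "always";
            RestartSec = 30;
          };

          script = ''
            export VAULT_ADDR="https://vault.in.redalder.org:8200/"

            # `vault status` needs no token and reports the seal state through
            # its exit code: 0 = unsealed, 2 = sealed, anything else = error
            # (unreachable, TLS failure, ...). Grepping the CLI output for
            # "Vault is sealed" treated every such error as "unsealed" and hid
            # it; errors are now logged and retried instead.
            while true; do
              rc=0
              vault status >/dev/null 2>&1 || rc=$?
              case "$rc" in
                0) : ;;
                2) exit 2 ;;
                *) echo "vault status failed with exit code $rc; retrying in 30s" >&2 ;;
              esac
              sleep 30
            done
          '';
        };

        system.stateVersion = "21.05";

        # Mirror the pyscript sources from the secret input into the
        # Home Assistant data directory (owned by uid/gid 403).
        systemd.services.home-assistant-pyscript = {
          wantedBy = ["multi-user.target"];
          restartIfChanged = true;
          path = [pkgs.rsync];

          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = "yes";
          };

          # Decide at evaluation time whether there is anything to sync.
          # The former `${secret.pyscript or ""}/.` source turned into `/.`
          # when the secret was absent, i.e. `rsync --delete` of the whole
          # root filesystem into the pyscript directory.
          script = let
            dest = "/mnt/kyle/infrastructure/home-assistant/home-assistant/pyscript";
          in
            if secret ? pyscript
            then ''
              mkdir -p "${dest}"
              rsync --chown 403:403 --chmod Du=rwx,Dgo=rx,Fu=rw,Fgo=r -arvc --delete "${secret.pyscript}/." "${dest}/"
            ''
            else ''
              echo "secret.pyscript is not set; leaving ${dest} untouched" >&2
            '';
        };

        boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
        boot.kernel.sysctl."fs.inotify.max_user_instances" = 512;

        # Expose the Sonoff Zigbee dongle under the stable path /dev/ttyZigbee
        # by bind-mounting the resolved by-id device node onto it.
        # NOTE(review): the by-id symlink is created by the later tty event of
        # the same device; if it does not exist yet when this usb "add" event
        # fires, readlink yields nothing and the mount fails — confirm on the
        # host. Also confirm the bind mount made from a udev RUN+= program is
        # visible outside udevd's mount namespace on the deployed systemd.
        services.udev.extraRules = let
          devPath = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_4c004e9c53c9eb118a9f8b4f1d69213e-if00-port0";
          zigbeeScript = pkgs.writeShellScript "zigbeeScript" ''
            touch /dev/ttyZigbee
            ${pkgs.lib.getExe' pkgs.utillinux "mount"} --bind \
              "$(${pkgs.lib.getExe' pkgs.coreutils "readlink"} -f "${devPath}")" \
              /dev/ttyZigbee
          '';
        in ''
          ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="10c4", ATTR{idProduct}=="ea60", RUN+="${zigbeeScript}"
        '';
      });
  };
}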