# SPDX-FileCopyrightText: 2023 Richard Brežák # # SPDX-License-Identifier: LGPL-3.0-or-later { system = "x86_64-linux"; name = "blowhole"; module = { pkgs, config, lib, secret, roots, inputs, ... }: with lib; { imports = [ (roots.nixos + "/profiles/vps.nix") (roots.nixos + "/systems/blowhole/consul.nix") (roots.nixos + "/systems/blowhole/nomad.nix") (roots.nixos + "/systems/blowhole/vault.nix") (roots.nixos + "/systems/blowhole/bind.nix") (roots.nixos + "/systems/blowhole/vault-agent.nix") (roots.nixos + "/systems/blowhole/nas.nix") (roots.nixos + "/systems/blowhole/firewall.nix") (roots.nixos + "/systems/blowhole/ical2org.nix") (roots.nixos + "/systems/blowhole/hostapd.nix") (roots.nixos + "/systems/blowhole/klipper.nix") (roots.nixos + "/systems/blowhole/monitoring.nix") (roots.nixos + "/systems/blowhole/uterranix.nix") ]; home-manager.users."main" = {...}: { home.stateVersion = "21.05"; }; magic_rb = { grub = { enable = true; devices = [ "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_072124E3712B7287-0:0" ]; }; hardware.blowhole = true; sshdEmacs.enable = true; }; _module.args.nixinate = { host = "10.64.0.2"; sshUser = "main"; buildOn = "local"; substituteOnTarget = true; hermetic = false; nixOptions = [ "--override-input secret path://$HOME/dotfiles/secret" ]; }; systemd.services.nfs-mountd.serviceConfig = { LimitNOFILE = 8192; }; systemd.watchdog.runtimeTime = "60s"; systemd.watchdog.rebootTime = "120s"; systemd.watchdog.kexecTime = "120s"; systemd.services."emergency".serviceConfig.ExecStartPre = "/bin/sh -c \"read -t 30 || /bin/systemctl reboot\""; services.nfs.server = { enable = true; lockdPort = 4001; mountdPort = 4002; statdPort = 4000; exports = '' /var/nfs/jellyfin/cache 10.64.2.1/32(rw,subtree_check,async,no_root_squash,crossmnt) /var/nfs/jellyfin/config 10.64.2.1/32(rw,subtree_check,async,no_root_squash,crossmnt) /var/nfs/jellyfin/media 10.64.2.1/32(rw,subtree_check,async,no_root_squash,crossmnt) /var/nfs/gitea-data 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/gitea-db 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/hydra-data 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/hydra-nix 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/hydra-db 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/minecraft/atm6 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/ingress-letsencrypt 10.64.0.1(rw,subtree_check,async,no_root_squash) /var/nfs/Magic_RB 10.64.2.129(rw,subtree_check,async) /mnt/cartman 10.64.0.8/32(rw,subtree_check,async,no_root_squash,crossmnt) 10.64.2.129(rw,subtree_check,async,crossmnt) /mnt/kyle 10.64.0.8/32(rw,subtree_check,async,no_root_squash,crossmnt) 10.64.2.129(rw,subtree_check,async,crossmnt) /mnt/stan 10.64.0.8/32(rw,subtree_check,async,no_root_squash,crossmnt) 10.64.2.129(rw,subtree_check,async,crossmnt) /var/nfs/home-assistant_hass 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/home-assistant_db 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/home-assistant_mosquitto 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/home-assistant_zigbee2mqtt 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/syncthing/data 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/syncthing/config 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/syncthing/storage 10.64.2.1/32(rw,subtree_check,async,crossmnt) /var/nfs/dovecot/maildir 10.64.0.8/32(rw,subtree_check,async,no_root_squash) 10.64.2.1/32(rw,subtree_check,async,no_root_squash) 10.64.3.20/32(rw,subtree_check,async,no_root_squash) /var/nfs/getmail/getmail.d 10.64.0.8/32(rw,subtree_check,async,no_root_squash) 10.64.2.1/32(rw,subtree_check,async,no_root_squash) 10.64.3.20/32(rw,subtree_check,async,no_root_squash) /var/nfs/mail-configuration 10.64.0.8/32(rw,subtree_check,async,no_root_squash) 10.64.2.1/32(rw,subtree_check,async,no_root_squash) 10.64.3.20/32(rw,subtree_check,async,no_root_squash) /var/nfs/baikal/specific 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/baikal/config 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/matrix/synapse 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/matrix/postgresql 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/matrix/mautrix-facebook 10.64.2.1/32(rw,subtree_check,async,no_root_squash) /var/nfs/matrix/registrations 10.64.2.1/32(rw,subtree_check,async,no_root_squash) ''; }; # systemd.tmpfiles.rules = singleton "d /run/cfg/vault 0750 vault vault 1d"; networking = { hostName = "blowhole"; useDHCP = false; interfaces.enp7s0f1.useDHCP = true; firewall = { enable = true; allowedTCPPorts = [ 80 ## Nomad 4646 4647 4648 ## Consul 8600 # DNS 8500 # HTTP 8502 # gRPC 8300 # server 8301 # LAN serf 8302 # WAN serf ## Vault 8200 ## NFS 111 2049 4000 4001 4002 20048 ]; allowedTCPPortRanges = [ { from = 21000; to = 21999; } ]; allowedUDPPorts = [ ## Consul 8600 # DNS 8301 # LAN serf 8302 # WAN serf ## NFS 111 2049 4000 4001 4002 20048 ]; allowedUDPPortRanges = [ { from = 21000; to = 21999; } ]; }; hostId = "2cb135ac"; }; system.stateVersion = "21.05"; }; }