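# SPDX-FileCopyrightText: 2022 Richard Brežák
#
# SPDX-License-Identifier: LGPL-3.0-or-later
#
# Flake-parts module defining the `blowhole` NixOS host.  Host-specific
# modules live next to this file; shared modules come from flake inputs and
# from `config'.flake.nixosModules`.
{
  inputs,
  lib',
  config,
  ...
}: let
  inherit
    (lib')
    flip
    mapAttrs
    singleton
    ;

  # The flake-level `config` is handed to the NixOS modules as `config'` so it
  # does not collide with the NixOS module system's own `config` argument.
  config' = config;
in {
  flake.nixosConfigurations.blowhole = inputs.nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    specialArgs = {
      config' = config';
      inputs' = inputs;
      # Secrets come from the `secret` flake input; individual attributes
      # (e.g. `secret.pyscript`) may be absent, see the services below.
      secret = lib'.loadSecrets inputs.secret;
    };
    modules = singleton ({
      secret,
      pkgs,
      config,
      ...
    }: {
      # Separately pinned nixpkgs for the HashiCorp stack.  Only the listed
      # unfree packages may be taken from it.
      _module.args.pkgs-hashicorp = import inputs.nixpkgs-hashicorp {
        system = pkgs.stdenv.system;
        config.allowUnfreePredicate = pkg:
          builtins.elem (lib'.getName pkg) ["consul" "vault-bin" "vault"];
      };

      imports = [
        ./bind.nix
        ./consul.nix
        ./filesystems.nix
        ./firewall.nix
        ./grub.nix
        ./hardware.nix
        # ./hostapd.nix
        ./ical2org.nix
        ./klipper.nix
        # ./monitoring.nix
        ./nas.nix
        ./networking.nix
        ./nfs.nix
        ./nomad.nix
        ./uterranix.nix
        ./vault-agent.nix
        ./vault.nix
        ./watchdog.nix
        ./nixpkgs.nix
        ./users.nix
        ./disk_monitoring.nix
        ./sol.nix
        ../../common/remote_access.nix
        ./microvms.nix
        ./ssh-machine-access.nix
        ../../modules/notify-login.nix
        ./kubernetes.nix
        inputs.serokell-nix.nixosModules.acme-sh
        inputs.notnft.nixosModules.default
        inputs.self.nixosModules.notnft
        inputs.microvm.nixosModules.host
        inputs.self.nixosModules.microvm-extras-host
        config'.flake.nixosModules.hashicorp
        config'.flake.nixosModules.hashicorp-envoy
        config'.flake.nixosModules.telegraf
        config'.flake.nixosModules.grafana
      ];

      # Matrix notification on every SSH login (module in ../../modules).
      services.notify-login.ssh = {
        enable = true;
        method = "matrix";
        settings = {
          secretsFile = "/var/secrets/matrix-notify-login-ssh.json";
          stateDirectory = "/var/lib/matrix-commander/notify-login-ssh";
          markdown = true;
        };
      };

      # Deployment parameters consumed by nixinate; the build happens locally
      # and the closure is pushed to the host.
      _module.args.nixinate = {
        host = "blowhole.hosts.in.redalder.org";
        sshUser = "main";
        buildOn = "local";
        substituteOnTarget = true;
        hermetic = false;
        nixOptions = ["--override-input secret path://$HOME/dotfiles/secret"];
      };

      # Seal watchdog: polls the local Vault and exits non-zero (systemd then
      # restarts the unit) once `key-status` reports "Vault is sealed".  The
      # loop only terminates on that exact message: `|&` feeds stderr to grep
      # as well, so connection errors do not match and the unit keeps polling
      # rather than failing when Vault is unreachable.
      systemd.services.vault-unsealed = {
        description = "Check whether the local Vault instance is unsealed and fail if not.";
        path = with pkgs; [getent vault];
        unitConfig = {StartLimitInterval = 0;};
        serviceConfig = {
          Restart = "always";
          RestartSec = 30;
        };
        script = ''
          export VAULT_ADDR="https://vault.in.redalder.org:8200/"
          while [ $( vault operator key-status |& grep -q "Vault is sealed" ; printf '%s' "$?" ) = 1 ]
          do
            sleep 30
          done
          exit 2
        '';
      };

      system.stateVersion = "21.05";

      # One-shot sync of the Home Assistant pyscript tree from the secrets
      # input onto the NAS share.  The source is validated before rsync runs:
      # with `secret.pyscript` unset the interpolation yields "" and the rsync
      # source would become `/.` -- the root filesystem -- which `--delete`
      # would then mirror into the target directory.  The service now fails
      # instead of syncing in that case.
      systemd.services.home-assistant-pyscript = {
        wantedBy = ["multi-user.target"];
        restartIfChanged = true;
        path = [pkgs.rsync];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = "yes";
        };
        script = ''
          src="${secret.pyscript or ""}"
          if [ -z "$src" ]; then
            echo "home-assistant-pyscript: secret.pyscript is not set, refusing to sync" >&2
            exit 1
          fi
          mkdir -p /mnt/kyle/infrastructure/home-assistant/home-assistant/pyscript
          rsync --chown 403:403 --chmod Du=rwx,Dgo=rx,Fu=rw,Fgo=r -arvc --delete "$src"/. /mnt/kyle/infrastructure/home-assistant/home-assistant/pyscript/
        '';
      };

      # Raised inotify limits (many containers/services watching files).
      boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
      boot.kernel.sysctl."fs.inotify.max_user_instances" = 512;

      # Expose the Sonoff Zigbee dongle under a stable path (/dev/ttyZigbee)
      # by bind-mounting the resolved by-id device node whenever the USB
      # device (vendor 10c4, product ea60) is added.
      services.udev.extraRules = let
        devPath = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_4c004e9c53c9eb118a9f8b4f1d69213e-if00-port0";
        zigbeeScript = pkgs.writeShellScript "zigbeeScript" ''
          touch /dev/ttyZigbee
          ${pkgs.lib.getExe' pkgs.utillinux "mount"} --bind \
            "$(${pkgs.lib.getExe' pkgs.coreutils "readlink"} -f "${devPath}")" \
            /dev/ttyZigbee
        '';
      in ''
        ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="10c4", ATTR{idProduct}=="ea60", RUN+="${zigbeeScript}"
      '';
    });
  };
}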