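# SPDX-FileCopyrightText: 2022 Richard Brežák
#
# SPDX-License-Identifier: LGPL-3.0-or-later

# flake-parts module that defines the `omen` NixOS host.
#
# Arguments:
#   inputs - the flake inputs (nixpkgs, microvm, notnft, impermenance, secret, self, ...)
#   lib'   - the project's extended lib; `singleton` and `loadSecrets` come from it
#   config - the flake-level config, re-exported to the host modules as `config'`
{ inputs, lib', config, ... }:
let
  # Only the helpers this file actually uses; everything else stays reachable
  # through `lib'`, which is handed to nixosSystem below.
  inherit (lib') singleton loadSecrets;
  config' = config;
in
{
  flake.nixosConfigurations.omen = inputs.nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    lib = lib';
    # Extra module arguments. The flake-level config/inputs are passed under
    # primed names so they do not shadow the host-level `config`/`inputs`;
    # `secret` is the decrypted secret tree consumed by the host modules.
    specialArgs = {
      config' = config';
      inputs' = inputs;
      secret = loadSecrets inputs.secret;
    };
    modules = singleton ({ pkgs, lib, config, secret, ... }:
      let
        # PAM session hook shared by the sshd and sudo rules below. The two
        # rules previously built an identical copy of this script each; the
        # derivation name and content are unchanged, so the store path is too.
        # NOTE(review): this is test scaffolding - it writes a fixed file in
        # the shared, world-writable /tmp from a PAM session hook, i.e. with
        # the privileges of the authenticating service. Remove it, or move the
        # output to a service-private directory, before building on it.
        sudoLogin = pkgs.writeShellScript "sudologin" ''
          echo TESTING > /tmp/pamtest
        '';

        # pam_exec session rule for the PAM service named `svc`, ordered just
        # after that service's `limits` rule. `control = "optional"` means a
        # failing hook never denies the session.
        mkPamExecRule = svc: {
          modulePath = "pam_exec.so";
          args = [ (toString sudoLogin) ];
          control = "optional";
          order = config.security.pam.services.${svc}.rules.session.limits.order + 10;
        };
      in
      {
        imports = [
          ./uk3s.nix
          ../../common/steam.nix
          ../../common/sound.nix
          ../../common/remote_access.nix
          ./xserver.nix
          ./grub.nix
          ./networking.nix
          ./filesystems.nix
          ./hardware.nix
          ./users.nix
          ./nixpkgs.nix
          ./firewall.nix
          ./microvm.nix
          ./impermenance.nix
          ./numen.nix
          ../../../overlays/ifstate/module.nix
          # ./test-vm.nix
          inputs.microvm.nixosModules.host
          inputs.notnft.nixosModules.default
          inputs.self.nixosModules.notnft
          inputs.self.nixosModules.microvm-extras-host
          inputs.impermenance.nixosModules.impermanence
        ];

        # Deployment parameters consumed by nixinate. The host falls back to
        # an empty string when the VPN address is absent from the secrets.
        # NOTE(review): `$HOME` in nixOptions is presumably expanded by the
        # deploying user's shell, so the secret override resolves on the
        # machine running the deploy, not on the target - confirm.
        _module.args.nixinate = {
          host = secret.network.ips.omen.vpn or "";
          sshUser = "main";
          buildOn = "local";
          substituteOnTarget = true;
          hermetic = false;
          nixOptions = [ "--override-input secret path://$HOME/dotfiles/secret" ];
        };

        services.fwupd.enable = true;
        # Syncthing runs as the interactive user rather than its own account.
        services.syncthing = {
          enable = true;
          user = "main";
          group = "main";
        };
        services.sshd.enable = true;

        # Makes QEMU recompile https://github.com/NixOS/nixpkgs/issues/221056
        boot.binfmt.emulatedSystems = [
          "aarch64-linux"
          "riscv64-linux"
          "armv6l-linux"
          "armv7l-linux"
        ];

        environment.systemPackages = [
          # (pkgs.man-pages.overrideAttrs (old: rec {
          #   version = "6.05.01";
          #   src = pkgs.fetchurl {
          #     url = "mirror://kernel/linux/docs/man-pages/${old.pname}-${version}.tar.xz";
          #     hash = "sha256-uWq2tEpojJHRtXLlL+zlGeHP0rtMM/5wFPw/0e8/nK4=";
          #   };
          #   nativeBuildInputs = with pkgs; [
          #     git
          #     (pkgs.callPackage inputs.nixpkgs-272363.legacyPackages.${pkgs.stdenv.system}.groff.override {})
          #   ];
          # }))
          # (pkgs.man-pages-posix.overrideAttrs (old: rec {
          #   version = "2021-02-14";
          #   src = pkgs.fetchurl {
          #     url = "mirror://kernel/linux/docs/man-pages/man-pages-posix/${old.pname}-${version}.tar.xz";
          #     hash = "";
          #   };
          # }))
          pkgs.man-pages-posix
        ];
        documentation.dev.enable = true;

        # The nix-daemon borrows user `main`'s gpg-agent SSH socket, so any
        # SSH the daemon performs (remote builds/stores) authenticates with
        # that user's keys rather than with a daemon-owned identity.
        systemd.services.nix-daemon.environment.SSH_AUTH_SOCK =
          "/run/user/${toString config.users.users.main.uid}/gnupg/S.gpg-agent.ssh";
        # `%%` is the systemd escape for a literal `%`, so ssh sees the usual
        # %r@%h:%p ControlPath tokens.
        # NOTE(review): the ControlPath directory lives in the shared /tmp and
        # nothing here creates it; a daemon-owned directory under /run (via
        # systemd.tmpfiles) would avoid relying on a world-writable parent.
        systemd.services.nix-daemon.environment.NIX_SSHOPTS =
          "-o ControlMaster=auto -o ControlPath=/tmp/nix-daemon-controlmasters/%%r@%%h:%%p -o ControlPersist=300s";

        time.timeZone = "Europe/Amsterdam";
        system.stateVersion = "23.05";

        # Same pam_exec session hook on both the sshd and sudo PAM stacks.
        security.pam.services.sshd.rules.session.pam_exec = mkPamExecRule "sshd";
        security.pam.services.sudo.rules.session.pam_exec = mkPamExecRule "sudo";

        virtualisation.podman.enable = true;
        virtualisation.podman.defaultNetwork.settings.subnets = [
          {
            gateway = "10.88.0.1";
            subnet = "10.88.0.0/16";
          }
        ];
        # Provides a `docker` CLI/socket shim backed by podman.
        virtualisation.podman.dockerCompat = true;
      });
  };
}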