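# SPDX-FileCopyrightText: 2022 Richard Brežák
#
# SPDX-License-Identifier: LGPL-3.0-or-later

# flake-parts module declaring the `blowhole` NixOS host.
#
# `lib'` is the project's own helper library (distinct from nixpkgs.lib) and
# `config` is the flake-level config; the latter is handed to the host's
# modules under the name `config'` so they can reach `config'.flake.nixosModules.*`.
{ inputs, lib', config, ... }:
let
  inherit (lib') singleton;
  # Flake-level config, re-bound so it does not shadow the NixOS-level
  # `config` inside the host module below.
  config' = config;
in
{
  flake.nixosConfigurations.blowhole = inputs.nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";

    # Extra arguments made available to every module of this host.
    specialArgs = {
      config' = config';
      inputs' = inputs;
      # Secrets loaded from the `secret` flake input.
      # NOTE(review): flake inputs are copied into the Nix store, which is
      # world-readable on the evaluating host — confirm that lib'.loadSecrets
      # and the `secret` input are designed with that in mind (not visible here).
      secret = lib'.loadSecrets inputs.secret;
    };

    modules = singleton ({ pkgs, config, ... }: {
      imports = [
        ./bind.nix
        ./consul.nix
        ./filesystems.nix
        ./firewall.nix
        ./grub.nix
        ./hardware.nix
        # ./hostapd.nix
        ./ical2org.nix
        ./klipper.nix
        ./monitoring.nix
        ./nas.nix
        ./networking.nix
        ./nfs.nix
        ./nomad.nix
        ./uterranix.nix
        ./vault-agent.nix
        ./vault.nix
        ./watchdog.nix
        ./nixpkgs.nix
        ./users.nix
        ../../common/remote_access.nix
        inputs.serokell-nix.nixosModules.acme-sh
        config'.flake.nixosModules.hashicorp
        config'.flake.nixosModules.hashicorp-envoy
        config'.flake.nixosModules.telegraf
        config'.flake.nixosModules.grafana
      ];

      # Deployment settings read by the `nixinate` tool via _module.args: the
      # closure is built on the deployer's machine and pushed over SSH as
      # `main`; the target may substitute paths from its own caches.
      _module.args.nixinate = {
        host = "blowhole.hosts.in.redalder.org";
        sshUser = "main";
        buildOn = "local";
        substituteOnTarget = true;
        hermetic = false;
        # The `secret` input is taken from the deployer's local checkout instead
        # of the locked flake input, so secrets never have to be committed.
        nixOptions = [ "--override-input secret path://$HOME/dotfiles/secret" ];
      };

      # Seal watchdog: the unit stays active while Vault reports itself
      # unsealed and fails (exit 2) as soon as it reports sealed, so the failed
      # unit can be picked up by monitoring.  Restart=always with the start
      # limit disabled means the check is re-armed every 30 s even after it
      # fails, i.e. the unit keeps flapping for as long as Vault stays sealed.
      systemd.services.vault-unsealed = {
        description = "Check whether the local Vault instance is unsealed and fail if not.";
        path = with pkgs; [ getent vault ];
        unitConfig = {
          # Never rate-limit restarts: repeated failure is this unit's job.
          # (StartLimitIntervalSec is the current spelling of StartLimitInterval.)
          StartLimitIntervalSec = 0;
        };
        serviceConfig = {
          Restart = "always";
          RestartSec = 30;
        };
        # `vault status` hits the unauthenticated sys/seal-status endpoint and
        # documents its exit code (0 = unsealed, 2 = sealed, 1 = error), so we
        # branch on that instead of grepping the error text of
        # `operator key-status` (which additionally needs a token when unsealed).
        # A connection/other error is logged and retried rather than treated as
        # "sealed", which matches the previous behaviour for an unreachable Vault.
        # The script runs under `bash -e`, hence the `|| rc=$?` capture.
        script = ''
          export VAULT_ADDR="https://vault.in.redalder.org:8200/"
          while true; do
            rc=0
            vault status >/dev/null 2>&1 || rc=$?
            case "$rc" in
              0) ;;
              2) echo "Vault is sealed" >&2; exit 2 ;;
              *) echo "vault status failed (exit $rc); retrying" >&2 ;;
            esac
            sleep 30
          done
        '';
      };

      system.stateVersion = "21.05";
      # Raised above the kernel default; presumably one of the services on this
      # host exhausts inotify instances — not evident from this file.
      boot.kernel.sysctl."fs.inotify.max_user_instances" = 256;
    });
  };
}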