dotfiles/nixos/systems/altra/default.nix
magic_rb e45cb64f8e
Re-add acme-sh but standalone
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-04-20 15:01:41 +02:00


# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
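{
  inputs,
  lib',
  config,
  ...
}: let
  # Only the helpers this file actually references; `flip` and `mapAttrs`
  # were inherited before but never used anywhere in this expression.
  inherit
    (lib')
    singleton
    mkForce
    ;
  # Flake-level `config`, captured here because the inner NixOS module
  # shadows the name `config` with the NixOS configuration.
  config' = config;
in {
  # NixOS system for the `altra` host (aarch64), evaluated with the
  # nixpkgs that the flake inputs provide.
  flake.nixosConfigurations.altra = inputs.nixpkgs.lib.nixosSystem {
    system = "aarch64-linux";
    # Extra arguments made available to every NixOS module of this system.
    specialArgs = {
      inherit config';
      inputs' = inputs;
      # Secrets are decoded from the `secret` flake input at evaluation time.
      # NOTE(review): anything from `secret` that gets interpolated into a
      # generated file ends up in the world-readable Nix store — confirm that
      # loadSecrets and its consumers only hand out out-of-store paths.
      secret = lib'.loadSecrets inputs.secret;
    };
    modules =
      singleton
      ({
        pkgs,
        config,
        ...
      }: {
        imports = [
          # ./consul.nix
          # ./nomad.nix
          # ./vault-agent.nix
          # ./u2t.nix
          ./grub.nix
          ./networking.nix
          ./nixpkgs.nix
          ./hardware.nix
          ./filesystems.nix
          ./users.nix
          ./http-synapse-proxy.nix
          ../../common/remote_access.nix
          # Standalone acme-sh module shipped by this flake itself.
          inputs.self.nixosModules.acme-sh
          config'.flake.nixosModules.hashicorp
          inputs.disko.nixosModules.disko
        ];

        # Hardening: no implicitly installed default packages, only members
        # of `wheel` may talk to the Nix daemon, and the sudo binary is
        # executable by `wheel` only.
        environment.defaultPackages = mkForce [];
        nix.settings.allowed-users = ["@wheel"];
        security.sudo.execWheelOnly = true;

        # Record every execve on the 64-bit syscall ABI.
        security.auditd.enable = true;
        security.audit.enable = true;
        security.audit.rules = [
          "-a exit,always -F arch=b64 -S execve"
        ];
        # auditd keeps no on-disk log of its own (`write_logs = no`); records
        # are only handed to the dispatcher.
        # NOTE(review): confirm the dispatcher forwards events somewhere
        # persistent (e.g. the journal), otherwise the execve trail is lost.
        # `space_left` is in megabytes per auditd.conf(5); 1 MB is a very low
        # threshold but only matters if disk logging is re-enabled later.
        environment.etc."audit/auditd.conf".text = ''
          write_logs = no
          dispatcher = ${pkgs.audit}/bin/audispd
          space_left = 1
        '';

        # Deployment parameters consumed by nixinate: build on the local
        # machine, push the closure to the host and let the target
        # substitute whatever it can.
        _module.args.nixinate = {
          host = "altra.redalder.org";
          sshUser = "main";
          buildOn = "local";
          substituteOnTarget = true;
          hermetic = false;
          nixOptions = [
            # The `secret` flake input is replaced by a local checkout when
            # deploying.
            # NOTE(review): `path:` inputs are copied into the Nix store of the
            # deploying machine — confirm that directory holds only
            # encrypted/ciphertext material.
            "--override-input secret path://$HOME/dotfiles/secret"
          ];
        };

        environment.systemPackages = [
          pkgs.git
        ];

        time.timeZone = "Europe/Amsterdam";
        system.stateVersion = "23.05";
      });
  };
}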