configuration.nix
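# NixOS host configuration for a Proxmox LXC guest: imports the shared LXC
# module and home-manager, runs a timer-driven oneshot service that merges
# inventory patches for the `enroll` user, and sets DNS/firewall.
#
# Module arguments: standard NixOS module args plus `hostname` (supplied by the
# caller via specialArgs). The lowercase `modulespath` that used to sit beside
# `modulesPath` was dropped — it was unused, and a named argument missing from
# the caller's attrset fails evaluation, whereas `...` accepts it if present.
{ inputs, config, pkgs, lib, modulesPath, hostname, ... }:

{
  imports = [
    ../../modules/virtualization/lxc/proxmox-lxc.nix
  ];

  home-manager = import ../../home-manager;

  systemd = {
    # First run 5 minutes after boot, then once a minute; Persistent catches up
    # a run missed while the container was down.
    timers.rad-merge = {
      description = "merge inventory patches";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "5min";
        OnCalendar = "*:0/1";
        Persistent = true;
      };
    };

    services.rad-merge = {
      description = "merge inventory patches";
      # The network dependency belongs on the service and needs ordering: a
      # bare `requires` on the timer only pulled network-online.target in and
      # did not delay anything until the network was actually up. `wants`
      # rather than `requires` so a slow network does not fail the merge.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      # The unit starts as root and drops to `enroll` through su; NoNewPrivileges
      # does not hinder a root->user drop. `User = "enroll"` would be the
      # tighter form — TODO(review): confirm which PATH merge-all.sh relies on
      # (su resets it, a systemd User= service does not) before switching.
      # `bash -x` writes a trace of every command to the journal; drop the -x
      # once the script is no longer being debugged.
      script = ''
        if test -f /home/enroll/enrollment-inventory/.scripts/merge-all.sh
        then
          cd /home/enroll/enrollment-inventory/.scripts
          ${pkgs.su}/bin/su enroll -c "bash -x /home/enroll/enrollment-inventory/.scripts/merge-all.sh"
        fi
      '';
      serviceConfig = {
        Type = "oneshot";
        # NOTE(review): TTYPath only applies when StandardInput/Output/Error is
        # set to "tty"; as written it has no effect and output goes to the
        # journal.
        TTYPath = "/dev/tty2";
        WorkingDirectory = "/home/enroll";
        # Sandboxing. ProtectSystem = "full" keeps /usr, /boot and /etc
        # read-only; /home must stay writable for the merge, so ProtectHome is
        # deliberately not set.
        NoNewPrivileges = true;
        ProtectControlGroups = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectSystem = "full";
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        LockPersonality = true;
        PrivateTmp = true;
        ProcSubset = "pid";
      };
      # No `wantedBy = [ "multi-user.target" ]` here: that made the service run
      # during boot, before the network, in addition to the timer's OnBootSec
      # run. The timer is the single scheduler.
    };
  };

  networking = {
    hostName = hostname;
    nameservers = [
      "192.168.10.112"
      "192.168.10.114"
    ];
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 443 ];
      # UDP 443 alongside TCP 443 (e.g. HTTP/3) — inherited from the original.
      allowedUDPPorts = [ 443 ];
    };
  };
}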