# NixOS host definition for "aomi" (a Lenovo P1 laptop, see the hardware
# import below). Written as a plain function so it can be evaluated with
# explicitly supplied sources.
#
# Arguments (all optional, defaulting to what ../../nix provides):
#   sources  - the repo's inputs (supplies lib and pkgs)
#   lib      - nixpkgs library; brought into scope unqualified with `with lib;`
#   pkgs     - package set instantiated with an empty config
#   ...      - extra module arguments are accepted and ignored here
{ sources ? import ../../nix
, lib ? sources.lib
, pkgs ? sources.pkgs { }
, ...
}:

# Everything below may use lib's helpers unqualified (strings.*, lists.*,
# importTOML, optional, ...).
with lib;
  8  let
  9    hostname = "aomi";
 10    secretPath = ../../secrets/machines.nix;
 11    secretCondition = (builtins.pathExists secretPath);
 12  
 13    ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
 14    ips = lists.optionals secretCondition ([ "${ip}/24" ]);
 15    endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
 16    endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
 17    endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
 18    metadata = importTOML ../../ops/hosts.toml;
 19  in
 20  {
  imports = [
    # Hardware profile for this laptop (contents not visible from here).
    ../hardware/lenovo-p1.nix
    # Accounts: the primary user and root, imported explicitly so this host
    # definition is complete on its own.
    (import ../../users/vincent)
    (import ../../users/root)
  ];
 26  
 27    # FILESYSTEM
 28    boot.initrd.luks.devices = {
 29      root = {
 30        device = "/dev/disk/by-uuid/91b05f64-b97d-4405-8405-8785699ada8f";
 31        preLVM = true;
 32        allowDiscards = true;
 33        keyFile = "/dev/disk/by-id/mmc-SD08G_0x704a5a38";
 34        keyFileSize = 4096;
 35        fallbackToPassword = true;
 36      };
 37    };
 38  
 39    fileSystems."/" = {
 40      # device = "/dev/disk/by-uuid/6bedd234-3179-46f7-9a3f-feeffd880791";
 41      device = "/dev/mapper/root";
 42      fsType = "ext4";
 43      options = [ "noatime" "discard" ];
 44    };
 45  
 46    fileSystems."/boot" = {
 47      device = "/dev/disk/by-uuid/32B9-94CC";
 48      fsType = "vfat";
 49    };
 50  
 51    swapDevices = [{ device = "/dev/disk/by-uuid/24da6a46-cd28-4bff-9220-6f449e3bd8b5"; }];
 52  
 53    networking = {
 54      hostName = hostname;
 55      firewall.enable = false; # we are in safe territory :D
 56    };
 57  
 58    # modules = {
 59    #   desktop.enable = true; # defaults to wayland
 60    #   hardware = {
 61    #     laptop = true; # infers bluetooth and yubikey
 62    #   };
 63    #   dev = {
 64    #     enable = true; # infers containers by default, one would have to disable it
 65    #     containers = {
 66    #       buildkit = {
 67    #         enable = true;
 68    #         grpcAddress = [
 69    #           "unix:///run/buildkit/buildkitd.sock"
 70    #           "tcp://aomi.home:1234"
 71    #           "tcp://${metadata.hosts.aomi.addrs.v4}:1234"
 72    #           "tcp://${metadata.hosts.aomi.wireguard.addrs.v4}:1234"
 73    #         ];
 74    #       };
 75    #       image-mirroring = {
 76    #         enable = true;
 77    #         targets = [ "quay.io/vdemeest" "ghcr.io/vdemeester" ];
 78    #         settings = {
 79    #           "docker.io" = {
 80    #             "images" = {
 81    #               # sync latest and edge tags
 82    #               "alpine" = [ "latest" "edge" ];
 83    #             };
 84    #             "images-by-tag-regex" = {
 85    #               # sync all "3.x" images"
 86    #               "alpine" = "^3\.[0-9]+$";
 87    #             };
 88    #           };
 89    #         };
 90    #       };
 91    #     };
 92    #     profiles = {
 93    #       home = true; # with laptop, infers avahi
 94    #       work.redhat = true; # rename this probably
 95    #     };
 96    #     services = {
 97    #       ssh.enable = true;
 98    #       # syncthing is inferred
 99    #     };
100    #   };
101    # };
102  
103    # Below this line, migrate
104  
105    # extract this from desktop
106    networking.networkmanager = {
107      enable = true;
108      unmanaged = [
109        "interface-name:br-*"
110        "interface-name:ve-*"
111        "interface-name:veth*"
112        "interface-name:wg0"
113        "interface-name:docker0"
114        "interface-name:virbr*"
115      ];
116      packages = with pkgs; [ networkmanager-openvpn ];
117    };
118  
119    boot = {
120      loader.systemd-boot.netbootxyz.enable = true;
121      kernelPackages = pkgs.linuxPackages_latest;
122      tmpOnTmpfs = true;
123    };
124  
125    services.hardware.bolt.enable = true;
126  
127    modules = {
128      core.binfmt.enable = true;
129      editors.emacs.enable = true;
130      editors.neovim.enable = true;
131      hardware = {
132        yubikey = { enable = true; u2f = true; };
133        laptop.enable = true;
134        bluetooth.enable = true;
135      };
136      desktop = {
137        wayland.sway.enable = true;
138      };
139      dev = {
140        enable = true;
141        containers = {
142          enable = true;
143          docker = {
144            enable = true;
145            package = pkgs.docker_27;
146          };
147          podman.enable = true;
148          buildkit = {
149            enable = true;
150            grpcAddress = [
151              "unix:///run/buildkit/buildkitd.sock"
152              "tcp://aomi.home:1234"
153              "tcp://${metadata.hosts.aomi.addrs.v4}:1234"
154              "tcp://${metadata.hosts.aomi.wireguard.addrs.v4}:1234"
155            ];
156          };
157          image-mirroring = {
158            enable = true;
159            targets = [ "quay.io/vdemeest" "ghcr.io/vdemeester" ];
160            settings = {
161              "docker.io" = {
162                "images" = {
163                  # sync latest and edge tags
164                  "alpine" = [ "latest" "edge" ];
165                };
166                "images-by-tag-regex" = {
167                  # sync all "3.x" images"
168                  "alpine" = "^3\.[0-9]+$";
169                };
170              };
171            };
172          };
173        };
174      };
175      profiles = {
176        work.redhat = true;
177      };
178      services = {
179        avahi.enable = true;
180        ssh.enable = true;
181        syncthing = {
182          enable = true;
183          guiAddress = "${metadata.hosts.aomi.wireguard.addrs.v4}:8384";
184        };
185      };
186      virtualisation.libvirt = { enable = true; nested = true; };
187    };
188  
189    modules.profiles = {
190      # externalbuilder.enable = true;
191      home = true;
192    };
193  
194    environment.systemPackages = with pkgs; [
195      virt-manager
196      catt
197      go-org-readwise
198      vscode
199      age-plugin-tpm
200    ];
201  
  # Local udev rules (installed as 99-local.rules).
  #
  # NOTE(review): MODE 0666 on the STM32 DFU node makes the flashing device
  # writable by every local account — including `builder`, which is reachable
  # over ssh — rather than just the seated user. A GROUP + MODE 0660 rule, or
  # `TAG+="uaccess"` in a rules file ordered before 73-seat-late.rules
  # (extraRules is too late for uaccess to take effect), would be tighter.
  #
  # The second rule *hibernates* (despite its "Suspend" comment) once the
  # battery reports a capacity of 0–5 % while discharging; `[0-5]` is a
  # single-character glob, so two-digit capacities never match.
  services.udev.extraRules = ''
    # STM32 rules for the Moonlander and Planck EZ
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", \
        MODE:="0666", \
        SYMLINK+="stm32_dfu"

    # Suspend the system when battery level drops to 5% or lower
    SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"
  '';
211  
212    services = {
213      ollama = {
214        enable = true;
215        # acceleration = "cuda"; # no nivida :D
216      };
217      geoclue2.enable = true;
218      # automatic login is "safe" as we ask for the encryption passphrase anyway..
219      getty.autologinUser = "vincent";
220      logind.extraConfig = ''
221        HandleLidSwitch=ignore
222        HandleLidSwitchExternalPower=ignore
223        HandleLidSwitchDocked=ignore
224      '';
225      prometheus.exporters.node = {
226        enable = true;
227        port = 9000;
228        enabledCollectors = [ "systemd" "processes" ];
229        extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" ];
230      };
231      smartd = {
232        enable = true;
233        devices = [{ device = "/dev/nvme0n1"; }];
234      };
235      wireguard = {
236        enable = true;
237        ips = [ "${metadata.hosts.aomi.wireguard.addrs.v4}/24" ];
238        endpoint = endpointIP;
239        endpointPort = endpointPort;
240        endpointPublicKey = endpointPublicKey;
241      };
242    };
243  
244    # Move this to a "builder" role
245    users.extraUsers.builder = {
246      isNormalUser = true;
247      uid = 1018;
248      extraGroups = [ ];
249      openssh.authorizedKeys.keys = [ (builtins.readFile ../../secrets/builder.pub) ];
250    };
251    nix.trustedUsers = [ "root" "vincent" "builder" ];
252  
253    security = {
254      tpm2 = {
255        enable = true;
256        pkcs11.enable = true;
257      };
258      pam.enableSSHAgentAuth = true;
259    };
260  }