 1  { pkgs, lib, ... }:
 2  
 3  with lib;
 4  let
 5    hostname = "demeter";
 6    secretPath = ../../secrets/machines.nix;
 7    secretCondition = (builtins.pathExists secretPath);
 8    
 9    ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
10    ips = lists.optionals secretCondition ([ "${ip}/24" ]);
11    endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
12    endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
13    endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
14  
15    metadata = importTOML ../../ops/hosts.toml;
16  in
17  {
18    imports = [
19      (import ../../users/vincent)
20      (import ../../users/root)
21    ];
22  
23    boot = {
24      kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
25      initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
26      loader = {
27        grub.enable = false;
28        generic-extlinux-compatible.enable = true;
29      };
30    };
31  
32    fileSystems = {
33      "/" = {
34        device = "/dev/disk/by-label/NIXOS_SD";
35        fsType = "ext4";
36        options = [ "noatime" ];
37      };
38    };
39  
40    networking = {
41      hostName = hostname;
42      firewall.enable = false; # we are in safe territory :D
43      # bridges.br1.interfaces = [ "enp0s31f6" ];
44      # useDHCP = false;
45      # interfaces.br1 = {
46      #   useDHCP = true;
47      # };
48    };
49  
50    core.boot.systemd-boot = lib.mkForce false;
51    # boot.cleanTmpDir = lib.mkForce false;
52    # boot.loader.systemd-boot.enable = lib.mkForce false;
53    # profiles.base.systemd-boot = lib.mkForce true;
54    # 
55    modules = {
56      profiles.home = true;
57      services = {
58        bind.enable = true;
59        #     syncthing = {
60        #       enable = true;
61        #       guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384";
62        #     };
63        avahi.enable = true;
64        ssh.enable = true;
65      };
66    };
67  
68    services = {
69      prometheus.exporters = {
70        node = {
71  	enable = true;
72  	port = 9000;
73  	enabledCollectors = [ "systemd" "processes" ];
74  	extraFlags = ["--collector.ethtool" "--collector.softirqs" "--collector.tcpstat"];
75        };
76        bind = { enable = true; port = 9009; };
77      };
78      wireguard = {
79        enable = true;
80        ips = ips;
81        endpoint = endpointIP;
82        endpointPort = endpointPort;
83        endpointPublicKey = endpointPublicKey;
84      };
85    };
86    security.apparmor.enable = true;
87    security.pam.enableSSHAgentAuth = true;
88  }