{ hostName, flake, config, pkgs, lib, ... }: with lib; { imports = with flake.nixosModules.systemProfiles; [ ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest tmpfs-root zfs initrd-all-crypto-modules default-locale openssh rebuild-machines build-server initrd-ssh ]; config = { nixpkgs = { system = "x86_64-linux"; }; networking.hostId = "1e7ddd78"; environment.etc."machine-id".text = "1e7ddd784c525bba2a03d7c160c5da4e"; boot = { loader.grub = { enable = true; configurationLimit = 420; version = 2; device = "/dev/disk/by-id/ata-SuperMicro_SSD_SMC0515D95019BDF4083"; }; kernelModules = [ "kvm-intel" ]; kernelParams = [ "ip=10.141.0.1:::255.255.255.0::eno1:static" ]; tmpOnTmpfs = true; initrd = { supportedFilesystems = [ "zfs" ]; availableKernelModules = [ "ehci_pci" "ahci" "nvme" "isci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "drbg" "rtsx_pci_sdmmc" "libsas" "scsi_transport_sas" "e1000e" ]; kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ]; luks.devices = { nvm0 = { device = "/dev/disk/by-label/${hostName}-nvm0"; bypassWorkqueues = true; }; nvm1 = { device = "/dev/disk/by-label/${hostName}-nvm1"; bypassWorkqueues = true; }; hdd0.device = "/dev/disk/by-label/${hostName}-hdd0"; hdd1.device = "/dev/disk/by-label/${hostName}-hdd1"; hdd2.device = "/dev/disk/by-label/${hostName}-hdd2"; hdd3.device = "/dev/disk/by-label/${hostName}-hdd3"; hdd4.device = "/dev/disk/by-label/${hostName}-hdd4"; hdd5.device = "/dev/disk/by-label/${hostName}-hdd5"; }; network.flushBeforeStage2 = false; }; }; services.timesyncd.enable = false; services.chrony = { enable = true; enableNTS = true; servers = []; extraConfig = '' allow 10.141.1.0/24 local pool time.cloudflare.com iburst nts pool nts.netnod.se prefer iburst nts server ptbtime1.ptb.de prefer iburst nts server ptbtime2.ptb.de prefer iburst nts server ptbtime3.ptb.de prefer iburst nts server ptbtime4.ptb.de prefer iburst nts authselectmode require minsources 3 nocerttimecheck 1 leapsectz right/UTC makestep 0.1 3 cmdport 0 ''; }; services.openssh = { enable = true; extraConfig = '' AllowGroups ssh ''; }; users.groups."ssh" = { members = ["root"]; }; nix = { daemonCPUSchedPolicy = "batch"; daemonIOSchedClass = "idle"; gc = { automatic = true; options = "--delete-older-than 30d"; }; }; systemd.services."nix-daemon".serviceConfig = { CPUQuota = "1200%"; }; powerManagement = { enable = true; cpuFreqGovernor = "schedutil"; }; services.nginx = { enable = true; recommendedGzipSettings = true; recommendedProxySettings = true; recommendedTlsSettings = true; commonHttpConfig = '' ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; log_format main '$remote_addr "$remote_user" ' '"$host" "$request" $status $bytes_sent ' '"$http_referer" "$http_user_agent" ' '$gzip_ratio'; access_log syslog:server=unix:/dev/log main; error_log syslog:server=unix:/dev/log info; client_body_buffer_size 16m; client_body_temp_path /run/nginx-client-bodies; ''; upstreams.grafana = { servers = { "unix:${config.services.grafana.settings.server.socket}" = {}; }; }; virtualHosts = { ${config.services.grafana.settings.server.domain} = { forceSSL = true; sslCertificate = ./selfsigned.crt; sslCertificateKey = "/run/credentials/nginx.service/selfsigned.key"; locations."/" = { proxyPass = "http://grafana/"; proxyWebsockets = true; }; }; }; }; users.users.nginx.extraGroups = ["grafana"]; services.grafana = { enable = true; settings = { analytics.reporting_enabled = false; server.protocol = "socket"; server.domain = "grafana.vidhar.yggdrasil"; security.admin_password = "$__file{${config.sops.secrets."grafana-admin-password".path}}"; security.secret_key = "$__file{${config.sops.secrets."grafana-secret-key".path}}"; }; }; sops.secrets."grafana-admin-password" = { format = "binary"; sopsFile = ./grafana-admin-password; owner = "grafana"; }; sops.secrets."grafana-secret-key" = { format = "binary"; sopsFile = ./grafana-secret-key; owner = "grafana"; }; sops.secrets."selfsigned.key" = { format = "binary"; sopsFile = ./selfsigned.key; }; systemd.services.nginx = { preStart = mkForce config.services.nginx.preStart; serviceConfig = { ExecReload = mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; LoadCredential = [ "selfsigned.key:${config.sops.secrets."selfsigned.key".path}" ]; RuntimeDirectory = mkForce [ "nginx" "nginx-client-bodies" ]; RuntimeDirectoryMode = "0750"; }; }; services.loki = { enable = true; configuration = { auth_enabled = false; server = { http_listen_port = 9094; grpc_listen_port = 9095; }; common = { path_prefix = config.services.loki.dataDir; storage.filesystem = { chunks_directory = "${config.services.loki.dataDir}/chunks"; rules_directory = "${config.services.loki.dataDir}/rules"; }; replication_factor = 1; ring = { instance_addr = "127.0.0.1"; kvstore = { store = "inmemory"; }; }; }; ruler = { enable_api = true; storage = { type = "local"; local.directory = "${config.services.loki.dataDir}/rules"; }; rule_path = "${config.services.loki.dataDir}/rules-temp"; remote_write = { enabled = true; client.url = "http://localhost:9090/api/v1/write"; }; ring.kvstore.store = "inmemory"; }; schema_config.configs = [ { from = "2022-01-01"; store = "boltdb-shipper"; object_store = "filesystem"; schema = "v11"; index = { prefix = "index_"; period = "24h"; }; } ]; }; }; systemd.services.loki = { preStart = let rulesYaml = generators.toYAML {} { groups = [ { name = "power-failures"; rules = [ { record = "apcupsd_power_failures:per_day"; expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1d])) * 86400"; } { record = "apcupsd_power_failures:per_week"; expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1w])) * 604800"; } ]; } ]; }; in '' ${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml ''; serviceConfig.Environment = [ "ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19" ]; }; services.promtail = { enable = true; configuration = { server = { http_listen_port = 9080; grpc_listen_port = 0; }; clients = [ { url = "http://localhost:9094/loki/api/v1/push"; } ]; scrape_configs = [ { job_name = "journal"; journal = { json = true; max_age = "12h"; path = "/var/log/journal"; labels = { job = "systemd-journal"; }; }; relabel_configs = [ { source_labels = ["__journal__systemd_unit"]; target_label = "unit"; } { source_labels = ["__journal__hostname"]; target_label = "nodename"; } ]; } ]; }; }; systemd.services.promtail.serviceConfig.Environment = [ "ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19" ]; services.apcupsd = { enable = true; configText = '' UPSNAME ups01 UPSCABLE usb UPSTYPE usb DEVICE NISIP 127.0.0.1 BATTERYLEVEL 10 MINUTES 5 POLLTIME 1 ONBATTERYDELAY 0 NOLOGON disable ''; }; services.atftpd = { enable = true; extraOptions = [ "--bind-address=10.141.1.1" ]; }; systemd.user.targets = { basic.wants = ["systemd-tmpfiles-setup.service"]; timers.wants = ["systemd-tmpfiles-clean.timer"]; }; services.smartd = { enable = true; autodetect = false; defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)"; devices = map (dev: { device = "/dev/disk/by-path/${dev}"; }) [ "pci-0000:00:1f.2-ata-1" "pci-0000:00:1f.2-ata-3" "pci-0000:00:1f.2-ata-4" "pci-0000:00:1f.2-ata-5" "pci-0000:00:1f.2-ata-6" "pci-0000:02:00.0-nvme-1" "pci-0000:05:00.0-sas-phy0-lun-0" "pci-0000:05:00.0-sas-phy1-lun-0" "pci-0000:06:00.0-nvme-1" ]; notifications = { test = false; mail.enable = false; x11.enable = false; wall.enable = false; }; }; zramSwap = { enable = true; algorithm = "zstd"; }; environment.systemPackages = with pkgs; [iotop vmtouch]; system.stateVersion = "21.05"; }; }