{ hostName, flake, config, pkgs, lib, ... }: { imports = with flake.nixosModules.systemProfiles; [ ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus initrd-all-crypto-modules default-locale openssh rebuild-machines build-server initrd-ssh ]; config = { nixpkgs = { system = "x86_64-linux"; }; networking.hostId = "1e7ddd78"; environment.etc."machine-id".text = "1e7ddd784c525bba2a03d7c160c5da4e"; boot = { loader.grub = { enable = true; version = 2; device = "/dev/disk/by-id/ata-SuperMicro_SSD_SMC0515D95019BDF4083"; }; kernelPackages = pkgs.linuxPackages_latest; kernelModules = [ "kvm-intel" ]; kernelParams = [ "ip=10.141.0.1:::255.255.255.0::eno1:static" ]; tmpOnTmpfs = true; initrd = { supportedFilesystems = [ "zfs" ]; availableKernelModules = [ "ehci_pci" "ahci" "nvme" "isci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "drbg" "rtsx_pci_sdmmc" "libsas" "scsi_transport_sas" "e1000e" ]; kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ]; luks.devices = { nvm0.device = "/dev/disk/by-label/${hostName}-nvm0"; nvm1.device = "/dev/disk/by-label/${hostName}-nvm1"; hdd0.device = "/dev/disk/by-label/${hostName}-hdd0"; hdd1.device = "/dev/disk/by-label/${hostName}-hdd1"; hdd2.device = "/dev/disk/by-label/${hostName}-hdd2"; hdd3.device = "/dev/disk/by-label/${hostName}-hdd3"; hdd4.device = "/dev/disk/by-label/${hostName}-hdd4"; hdd5.device = "/dev/disk/by-label/${hostName}-hdd5"; }; network.flushBeforeStage2 = false; }; supportedFilesystems = [ "zfs" ]; zfs = { enableUnstable = true; }; }; fileSystems = { "/" = { fsType = "tmpfs"; options = [ "mode=0755" ]; }; }; services.timesyncd.enable = false; services.chrony = { enable = true; servers = []; extraConfig = '' allow 10.141.1.0/24 local pool time.cloudflare.com iburst nts pool nts.ntp.se iburst nts server nts.sth1.ntp.se iburst nts server nts.sth2.ntp.se iburst nts server ptbtime1.ptb.de iburst nts server ptbtime2.ptb.de iburst nts server ptbtime3.ptb.de iburst nts leapsectz right/UTC makestep 0.1 3 cmdport 0 ''; }; services.openssh = { enable = true; passwordAuthentication = false; challengeResponseAuthentication = false; extraConfig = '' AllowGroups ssh ''; }; users.groups."ssh" = { members = ["root"]; }; security.sudo.extraConfig = '' Defaults lecture = never ''; nix = { daemonCPUSchedPolicy = "batch"; daemonIOSchedClass = "idle"; gc = { automatic = true; options = "--delete-older-than 30d"; }; }; powerManagement = { enable = true; cpuFreqGovernor = "schedutil"; }; services.nginx = { enable = true; recommendedGzipSettings = true; recommendedProxySettings = true; upstreams.grafana = { servers = { "unix:${config.services.grafana.socket}" = {}; }; }; virtualHosts = { ${config.services.grafana.domain} = { locations."/" = { proxyPass = "http://grafana/"; proxyWebsockets = true; }; }; }; }; users.users.nginx.extraGroups = ["grafana"]; services.grafana = { enable = true; analytics.reporting.enable = false; domain = "grafana.vidhar.yggdrasil"; security.adminPasswordFile = config.sops.secrets."grafana-admin-password".path; security.secretKeyFile = config.sops.secrets."grafana-secret-key".path; protocol = "socket"; }; sops.secrets."grafana-admin-password" = { format = "binary"; sopsFile = ./grafana-admin-password; owner = "grafana"; }; sops.secrets."grafana-secret-key" = { format = "binary"; sopsFile = ./grafana-secret-key; owner = "grafana"; }; services.loki = { enable = true; configuration = { auth_enabled = false; server = { http_listen_port = 9094; grpc_listen_port = 9095; }; common_config = { storage.filesystem = {}; }; schema_config.configs = [ store = "boltdb-shipper"; object_store = "filesystem"; schema = "v11"; index = { prefix = "index_"; period = "24h"; }; ]; }; }; services.promtail = { enable = true; configuration = { server = { http_listen_port = 9080; grpc_listen_port = 0; }; clients = [ { url = "http://localhost:9094/loki/api/v1/push"; } ]; scrape_configs = [ { job_name = "system"; journal = { json = true; }; } ]; }; }; }; }