# NixOS host module (the host name comes in as `hostName` from the caller):
# LUKS-backed ZFS storage with an initrd that stays reachable over the network,
# a throw-away tmpfs root, chrony serving NTS-authenticated time to the LAN,
# key-only SSH for members of the `ssh` group, and Grafana behind nginx over a
# unix socket with its credentials delivered through sops.
{ hostName, flake, config, pkgs, lib, ... }:
let
  profiles = flake.nixosModules.systemProfiles;

  # Disks are addressed by filesystem label rather than by /dev path, and each
  # LUKS container is labelled `<hostName>-<name>`.
  luksNames = [ "nvm0" "nvm1" "hdd0" "hdd1" "hdd2" "hdd3" "hdd4" "hdd5" ];
  luksDevice = name: { device = "/dev/disk/by-label/${hostName}-${name}"; };

  # Shape shared by both Grafana secrets: an opaque (binary) sops file that
  # only the `grafana` user may read.
  grafanaSecret = file: {
    format = "binary";
    sopsFile = file;
    owner = "grafana";
  };
in
{
  imports = [
    ./zfs.nix
    ./network
    ./samba.nix
    ./dns.nix
    ./prometheus
    profiles.initrd-all-crypto-modules
    profiles.default-locale
    profiles.openssh
    profiles.rebuild-machines
    profiles.build-server
    profiles.initrd-ssh
  ];

  config = {
    nixpkgs.system = "x86_64-linux";

    # Both identifiers are pinned in the configuration so they survive a
    # reinstall from this file (ZFS checks the hostId on import).
    networking.hostId = "1e7ddd78";
    environment.etc."machine-id".text = "1e7ddd784c525bba2a03d7c160c5da4e";

    boot = {
      loader.grub = {
        enable = true;
        version = 2;
        device = "/dev/disk/by-id/ata-SuperMicro_SSD_SMC0515D95019BDF4083";
      };

      kernelPackages = pkgs.linuxPackages_latest;
      kernelModules = [ "kvm-intel" ];

      # Static in-kernel address for the initrd on eno1 — presumably so the
      # initrd-ssh profile is reachable before the LUKS containers are opened.
      kernelParams = [ "ip=10.141.0.1:::255.255.255.0::eno1:static" ];

      tmpOnTmpfs = true;

      initrd = {
        supportedFilesystems = [ "zfs" ];
        availableKernelModules = [
          "ehci_pci" "ahci" "nvme" "isci" "xhci_pci" "usb_storage" "usbhid"
          "sd_mod" "sr_mod" "drbg" "rtsx_pci_sdmmc" "libsas" "scsi_transport_sas"
          "e1000e"
        ];
        kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];

        luks.devices = lib.genAttrs luksNames luksDevice;

        # Keep the initrd's network configuration when handing over to stage 2
        # instead of tearing it down.
        network.flushBeforeStage2 = false;
      };

      supportedFilesystems = [ "zfs" ];
      zfs.enableUnstable = true;
    };

    # The root filesystem is volatile; anything that must persist has to live
    # on one of the ZFS datasets configured elsewhere (./zfs.nix).
    fileSystems."/" = {
      fsType = "tmpfs";
      options = [ "mode=0755" ];
    };

    services = {
      # chrony replaces systemd-timesyncd as the time client and also serves
      # the LAN.
      timesyncd.enable = false;
      chrony = {
        enable = true;
        # `servers = []` keeps the module from emitting its own source lines;
        # every upstream below is declared with the `nts` flag so responses
        # are authenticated (Network Time Security).
        servers = [];
        extraConfig = ''
          allow 10.141.1.0/24
          local
          pool time.cloudflare.com iburst nts
          pool nts.ntp.se iburst nts
          server nts.sth1.ntp.se iburst nts
          server nts.sth2.ntp.se iburst nts
          server ptbtime1.ptb.de iburst nts
          server ptbtime2.ptb.de iburst nts
          server ptbtime3.ptb.de iburst nts
          leapsectz right/UTC
          makestep 0.1 3
          cmdport 0
        '';
        # Notes on the directives above:
        #  - `allow 10.141.1.0/24`: only this subnet may query the server. It is
        #    not the 10.141.0.0/24 the initrd `ip=` parameter sits on —
        #    presumably a separate client VLAN/interface; confirm.
        #  - `local`: keep answering clients even when no upstream is reachable.
        #  - `leapsectz right/UTC`: take leap-second data from the tzdata files.
        #  - `makestep 0.1 3`: step the clock for offsets above 0.1 s, but only
        #    during the first three updates after start.
        #  - `cmdport 0`: disables the UDP command port; chronyc can still use
        #    the local unix socket.
      };

      # Key-only logins, and `AllowGroups ssh` limits them to the `ssh` group
      # defined under `users` below (root only).
      # NOTE(review): newer NixOS releases moved these two booleans to
      # `settings.PasswordAuthentication` / `settings.KbdInteractiveAuthentication`
      # — confirm against the pinned nixpkgs.
      openssh = {
        enable = true;
        passwordAuthentication = false;
        challengeResponseAuthentication = false;
        extraConfig = ''
          AllowGroups ssh
        '';
      };

      # nginx fronts Grafana over its unix socket. The vhost is plain HTTP
      # (no forceSSL/enableACME here); presumably `*.yggdrasil` is only
      # reachable on the internal network — confirm, since the admin login
      # would otherwise cross the wire unencrypted.
      nginx = {
        enable = true;
        upstreams.grafana.servers."unix:${config.services.grafana.socket}" = {};
        virtualHosts.${config.services.grafana.domain}.locations."/" = {
          proxyPass = "http://grafana";
          proxyWebsockets = true;
        };
      };

      grafana = {
        enable = true;
        # No usage reporting back to Grafana Labs.
        analytics.reporting.enable = false;
        domain = "grafana.vidhar.yggdrasil";
        # Credentials are never in the Nix store: both come from sops-managed
        # files (declared under `sops.secrets` below).
        security.adminPasswordFile = config.sops.secrets."grafana-admin-password".path;
        security.secretKeyFile = config.sops.secrets."grafana-secret-key".path;
        # Listen on a unix socket only; nginx reaches it via group membership.
        protocol = "socket";
      };
    };

    users = {
      # Membership of this group is what `AllowGroups ssh` in sshd checks.
      groups.ssh.members = [ "root" ];
      # Lets the nginx worker open Grafana's socket.
      users.nginx.extraGroups = [ "grafana" ];
    };

    # Skip sudo's first-use lecture.
    security.sudo.extraConfig = ''
      Defaults lecture = never
    '';

    nix = {
      # Keep the daemon's builds out of the way of interactive work.
      daemonCPUSchedPolicy = "batch";
      daemonIOSchedClass = "idle";
      gc = {
        automatic = true;
        options = "--delete-older-than 30d";
      };
    };

    powerManagement = {
      enable = true;
      cpuFreqGovernor = "schedutil";
    };

    sops.secrets = {
      "grafana-admin-password" = grafanaSecret ./grafana-admin-password;
      "grafana-secret-key" = grafanaSecret ./grafana-secret-key;
    };
  };
}