
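{ config
, lib
, pkgs
, modulesPath
, system
, inputs
, ...
}: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    inputs.nixos-hardware.nixosModules.common-cpu-amd
    inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
    ../../os-mods/cachix
    ../../os-mods/common
    ../../os-mods/netdata
    ../../os-mods/network
    ../../os-mods/virt
    ./disko.nix
  ];

  config = {
    system.stateVersion = "23.11";

    # cryptsetup on the booted system as well; the disk layout itself lives in ./disko.nix.
    environment.systemPackages = with pkgs; [
      cryptsetup
    ];

    users.groups.git = {
      gid = 974;
    };

    users.users = {
      # Direct root login for these keys. Whether sshd accepts root at all is
      # decided by PermitRootLogin in the shared openssh config (os-mods/common,
      # not visible here). Note that "arch-h1" -- taq's key below -- is in this
      # list too, so both admins get root without going through their own account.
      root.openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHowJtKj3ohrYjyeWwQ8Lj6UMSPI390SwLRuVIlojcGM tristand@nixos-desk"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4fBDj1/He/uimO97RgjGWZLAimTrLmIlYS2ekD73GC tristan@arch-pulse"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDP8ztBIgQsYh7LefSKtuDRYDWNheZWbmIr51T/Np/jc tristand@nixos-pulse"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/tkVxnPZB+C6sK9A12pUsB38OhXieMNaij6pC3foSH admin@vault81.de"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuH8L7mQDg86uJME6jndOu4niwLMASuJKpdbJU8Hfet tristan+desktop@vault81.de"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKokTPK/Gm30kqFAd+u5AT0BL7bG/eNt6pmGf40U8j03 arch-h1"
      ];

      # Account that incoming git-over-ssh traffic lands on. No authorizedKeys are
      # declared here; presumably the forge behind 127.0.0.1:2222 (see ssh-shell
      # below) maintains /home/git/.ssh/authorized_keys with forced commands itself.
      # Its login shell is the passthrough wrapper written by home-manager below.
      git = {
        uid = 974;
        group = "git";
        isSystemUser = true;
        homeMode = "700";
        createHome = true;
        home = "/home/git";
        shell = "/home/git/ssh-shell";
      };

      # Human admins. Both are in wheel; docker membership is root-equivalent on
      # its own, which is acceptable only because of that.
      # NOTE(review): hashedPassword is written into the world-readable /nix/store;
      # if the hashes should stay out of the store (and out of this repo), switch
      # to hashedPasswordFile fed by a secrets tool.
      tristand = {
        isNormalUser = true;
        description = "tristand";
        extraGroups = [ "docker" "networkmanager" "wheel" ];
        hashedPassword = "$6$Wj.XY8JgH5EWuog4$HnbtPJXDEqKXFrzkPVEjih3PytcpBCrkfL7TAwkXd0IFced7kGMlZNliNsAqQ3XqfyUzAYiiKTIqoPVJEk.s..";
        shell = pkgs.fish;
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHowJtKj3ohrYjyeWwQ8Lj6UMSPI390SwLRuVIlojcGM tristand@nixos-desk"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4fBDj1/He/uimO97RgjGWZLAimTrLmIlYS2ekD73GC tristan@arch-pulse"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDP8ztBIgQsYh7LefSKtuDRYDWNheZWbmIr51T/Np/jc tristand@nixos-pulse"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/tkVxnPZB+C6sK9A12pUsB38OhXieMNaij6pC3foSH admin@vault81.de"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuH8L7mQDg86uJME6jndOu4niwLMASuJKpdbJU8Hfet tristan+desktop@vault81.de"
        ];
      };
      taq = {
        isNormalUser = true;
        description = "taq";
        extraGroups = [ "docker" "networkmanager" "wheel" ];
        hashedPassword = "$6$rkCVbHd2sV36Y38p$e5WTTK58ha7RDDYnfjxAdbzYyNJ2miMD2tkE9.8BHCGyb5vjPNYslClrzYIhxOmujEOllmREXcIgGiUpiMv8Y.";
        shell = pkgs.fish;
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKokTPK/Gm30kqFAd+u5AT0BL7bG/eNt6pmGf40U8j03 arch-h1"
        ];
      };
    };

    home-manager = {
      useUserPackages = true;
      useGlobalPkgs = true;

      users.tristand = import ../../users/admin-shell.nix {
        username = "tristand";
        inherit pkgs config inputs system lib;
      };

      # The git user's home only carries the ssh passthrough wrapper that
      # users.users.git.shell points at (/home/git/ssh-shell).
      users.git = {
        home = {
          stateVersion = "23.11";
          username = "git";
          homeDirectory = "/home/git";
          file."ssh-shell" = {
            enable = true;
            executable = true;
            text = ''
              #!/bin/sh
              # Forced-command passthrough for the git user. The host sshd runs this
              # login shell as `ssh-shell -c "<forced command from authorized_keys>"`
              # with SSH_ORIGINAL_COMMAND set to whatever the client actually asked
              # for. Drop the "-c", then hand both to the sshd on 127.0.0.1:2222
              # (presumably the forge container; it is not declared in this file).
              shift

              # SSH_ORIGINAL_COMMAND is entirely client-controlled and is spliced
              # into a double-quoted string that the *remote* shell parses. Inside
              # double quotes the shell still interprets  "  $  `  and  \  so any
              # of them lets a client break out of the quoting and run arbitrary
              # commands on the far end. Legitimate git / git-lfs commands never
              # contain these characters; refuse anything that does.
              case "$SSH_ORIGINAL_COMMAND" in
                *\"*|*\$*|*\`*|*\\*)
                  printf 'ssh-shell: rejected SSH_ORIGINAL_COMMAND containing shell metacharacters\n' >&2
                  exit 1
                  ;;
              esac

              # StrictHostKeyChecking=no is tolerable only because the peer is on
              # loopback; do not reuse this wrapper for a non-local target.
              exec ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 \
                "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $@"
            '';
          };
        };
      };
    };

    nix.settings.system-features = [
      "benchmark"
      "big-parallel"
      "kvm"
      "nixos-test"
      # "gccarch-x86-64-v3"
      # "gccarch-znver3"
    ];

    boot = {
      kernelPackages = pkgs.linuxPackages_latest;
      extraModulePackages = [ ];
      kernelParams = [
        # "ip=192.168.1.35::192.168.1.1:255.255.255.0:my-server-initrd:eth0:none"
        # Bring the network up in the initrd so the initrd sshd below is reachable.
        "ip=dhcp"
      ];
      supportedFilesystems = [ "bcachefs" ];
      loader = {
        systemd-boot = {
          enable = true;
          configurationLimit = 16;
        };
        efi.canTouchEfiVariables = true;
      };
      initrd = {
        availableKernelModules = [ "ahci" "nvme" "xhci_pci" "sd_mod" ];
        # NIC driver, loaded unconditionally so initrd networking works.
        kernelModules = [ "igb" ];
        systemd.enable = true;
        network = {
          enable = true;
          ssh = {
            enable = true;
            # NOTE(review): if the booted system's sshd also listens on 22, clients
            # will see a host-key mismatch between initrd and system unless they
            # keep separate known_hosts entries; the NixOS manual suggests a
            # distinct port for the initrd sshd for exactly that reason.
            port = 22;
            # The initrd, including these files, is copied at build time and sits
            # unencrypted on the ESP. They MUST therefore be dedicated initrd keys,
            # never the system keys from /etc/ssh -- the separate directory here
            # suggests that is the intent, but it cannot be verified from this file.
            hostKeys = [
              /etc/nixos/ext/ssh/ssh_host_ed25519_key
              /etc/nixos/ext/ssh/ssh_host_rsa_key
            ];
            # Every ssh key of every wheel user defined above may reach the initrd
            # sshd (and thus unlock the disks); users without wheel contribute none.
            authorizedKeys = with lib;
              concatLists (mapAttrsToList
                (name: user:
                  if elem "wheel" user.extraGroups
                  then user.openssh.authorizedKeys.keys
                  else [ ])
                config.users.users);
          };
          # postCommands = ''
          #   echo 'cryptsetup-askpass' >> /root/.profile
          # '';
        };
      };
    };

    networking = {
      hostName = "nixos-he4";
      useDHCP = lib.mkDefault true;
    };

    hardware = {
      enableRedistributableFirmware = true;
    };

    services.netdata.config = {
      web = {
        # NOTE(review): binds every interface and relies solely on netdata's own
        # source filter. "172.*" is wider than the private 172.16.0.0/12 block --
        # it also admits 172.0-15.x and 172.32-255.x, which are public ranges.
        # Prefer binding to the bridge address or listing the exact 172.16-31
        # subnets, and confirm the host firewall (os-mods/network, not shown
        # here) does not expose the netdata web port (19999 by default).
        "bind to" = "0.0.0.0";
        "allow connections from" = "172.*";
      };
    };

    zramSwap.enable = true;
  };
}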