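{ config, lib, pkgs, ... }:

with lib;

let
  # Name of this host.  It keys the per-host secret set below and is
  # interpolated into the derived secret names so the literal string is
  # not repeated (and cannot drift) across the file.
  hostname = "nostromo";

  # Physical NICs that are explicitly left without a DHCP lease; only
  # intif0 is configured via DHCP.  (What the other NICs are used for is
  # not visible in this file.)
  noDhcpInterfaces = [
    "eno1" "eno2" "eno3" "eno4"
    "enp33s0f0" "enp33s0f1"
    "enp9s0f0" "enp9s0f1"
  ];

  # Network that is allowed to mount the NFS exports.
  nfsClientNetwork = "10.0.0.0/24";

  # Build one /etc/exports line.  All exports share the same option set;
  # only the path, the filesystem id and the Kerberos security flavour
  # differ.  `sec` is one of the rpc.gssd flavours (krb5i = integrity
  # only, krb5p = integrity + privacy/encryption on the wire).
  #
  # NOTE(review): no_root_squash lets a root principal on any client in
  # ${nfsClientNetwork} act as root on the exported tree.  Kerberos still
  # gates who may mount, but root_squash is the safer default unless
  # client-side root writes are genuinely required.
  mkExport = path: fsid: sec:
    "${path} ${nfsClientNetwork}(rw,sync,no_root_squash,no_subtree_check,fsid=${toString fsid},sec=${sec})";

  nfsExports = [
    (mkExport "/export/documents" 10 "krb5p")
    # downloads is integrity-protected but not encrypted on the wire;
    # presumably deliberate for throughput -- confirm.
    (mkExport "/export/downloads" 11 "krb5i")
    (mkExport "/export/projects" 12 "krb5p")
  ];

in {
  networking = {
    interfaces =
      (genAttrs noDhcpInterfaces (_: { useDHCP = false; }))
      // { intif0 = { useDHCP = true; }; };

    # NOTE(review): with the host firewall off every listening service on
    # this machine (NFS, murmur, grafana, postgresql, ...) is reachable
    # from any attached network; access control rests entirely on the
    # export list, per-service authentication and upstream filtering.
    firewall.enable = false;
  };

  # Hopefully this'll help with NFS...
  boot.kernelModules = [ "rpcsec_gss_krb5" ];

  services = {
    murmur.enable = true;

    nfs = {
      # See ../user-config.nix for the user@REALM -> user mapping
      server = {
        enable = true;
        createMountPoints = false;
        exports = ''
          ${concatStringsSep "\n" nfsExports}
        '';
      };
    };
  };

  systemd = {
    tmpfiles.rules = [ "d /state/services 0755 root root - -" ];

    services = {
      nfs-server = {
        # Don't start on boot
        wantedBy = mkForce [ "sea-store.target" ];
        # Only start after filesystem mounts are available
        after = [
          "export-documents.mount"
          "export-downloads.mount"
          "export-projects.mount"
        ];
      };

      # Grafana stores its state in the local postgresql instance (see
      # fudo.postgresql below), so it must not outlive or precede it.
      grafana = {
        requires = [ "postgresql.service" ];
        bindsTo = [ "postgresql.service" ];
      };
    };
  };

  fudo = let
    # Password shared between grafana (client side) and postgresql
    # (server side).  It is derived deterministically from the instance
    # build seed so both copies agree across rebuilds; the same source
    # file is installed twice below, once per consuming service.
    grafana-database-passwd-file =
      pkgs.lib.passwd.stablerandom-passwd-file
        "grafana-database-${hostname}-password"
        "grafana-database-${hostname}-password-${config.instance.build-seed}";

    # The secrets declared for this host, as seen through the module
    # fixpoint; used to refer back to the installed target paths.
    host-secrets = config.fudo.secrets.host-secrets.${hostname};
  in {
    secrets.host-secrets.${hostname} = {
      grafana-database-password = {
        source-file = grafana-database-passwd-file;
        target-file = "/run/services/grafana/db.passwd";
        # Owned by whatever user the grafana unit runs as.
        user = config.systemd.services.grafana.serviceConfig.User;
      };

      postgres-grafana-password = {
        source-file = grafana-database-passwd-file;
        target-file = "/run/services/postgres/db.passwd";
        user = config.services.postgresql.superUser;
      };

      pricebot-auth-token = {
        source-file =
          config.fudo.secrets.files.service-secrets.${hostname}."pricebot-auth.token";
        target-file = "/run/services/pricebot/auth.token";
        # NOTE(review): installed root-owned; confirm the pricebot service
        # runs as root (or otherwise has read access), as its user is not
        # visible from this file.
        user = "root";
      };
    };

    pricebot = {
      enable = true;
      mattermost-url = "https://chat.fudo.org";
      mattermost-auth-token-file = host-secrets.pricebot-auth-token.target-file;
      monitors = {
        btc = {
          mattermost-channel-id = "3m4bsxcrwbrmpqd4yawwh98q8o";
          notify-user = "niten";
        };
      };
    };

    services = {
      logging.loki.state-directory = "/state/services/loki";

      metrics.grafana = {
        state-directory = "/state/services/grafana";
        smtp.hostname = "mail.fudo.org";
        database = {
          user = "grafana";
          password-file = host-secrets.grafana-database-password.target-file;
        };
        ldap.base-dn = "dc=fudo,dc=org";
      };
    };

    postgresql = {
      enable = true;
      local-networks = config.instance.local-networks;
      state-directory = "/state/services/postgresql";
      # Local admins get access to the grafana database as well.
      databases.grafana.users = config.instance.local-admins;
      users.grafana = {
        password-file = host-secrets.postgres-grafana-password.target-file;
        databases.grafana = {
          entity-access = {
            "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
            "ALL SEQUENCES IN SCHEMA public" = "ALL PRIVILEGES";
          };
        };
      };
    };
  };

  imports = [
    ./nostromo/factorio.nix
    ./nostromo/minecraft.nix
  ];

  ## Until I can figure out how to use one common host API, forget this
  # fudo.ipfs = {
  #   enable = true;
  #   users = [ "niten" ];
  #   api-address = "/ip4/0.0.0.0/tcp/5001";
  # };
}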