# NixOS host module: network interfaces, host secrets, root's persisted
# dotfiles and SSH host keys (all kept under a persistent `/state` volume,
# i.e. the root filesystem is presumably rolled back on boot — see the sudo
# comment below), plus a large block of currently disabled Shinobi/nginx
# configuration that is kept here as history.
#
# Security-relevant points for the reader are marked NOTE(review).
{ config, lib, pkgs, ... }:

let
  shinobi-port = "7080";
  shinobi-od-port = "7082";
  # This must be a string! A Nix *path* literal (unquoted /state) that is
  # interpolated into a string gets copied into the world-readable Nix store;
  # a plain string is just passed through as a runtime path, which is what the
  # key/secret references below rely on.
  state-dir = "/state";
in {
  boot.loader.grub.copyKernels = true;

  # Only the internal interface gets an address via DHCP; the four physical
  # ports are left unconfigured (no static address is set for them here).
  networking = {
    interfaces = {
      enp3s0f0.useDHCP = false;
      enp3s0f1.useDHCP = false;
      enp4s0f0.useDHCP = false;
      enp4s0f1.useDHCP = false;
      intif0.useDHCP = true;
    };
  };

  # Host secrets handled by the site-local `fudo.secrets` module (not shown
  # in this file).
  fudo.secrets = {
    host-secrets.lambda = {
      host-keytab = {
        # NOTE(review): unlike `state-dir`, this is a path literal, not a
        # string. Whether it ends up in the Nix store depends on how the
        # fudo.secrets module consumes it (string interpolation or readFile
        # would copy the keytab into the store, readable by every local user;
        # a plain `cp` at activation would not) — confirm against that module.
        source-file = /state/secrets/kerberos/lambda.keytab;
        target-file = "/etc/krb5.keytab";
        user = "root";
      };
    };
    secret-group = "fudo-secrets";
    secret-users = [ "niten" ];
    secret-paths = [ "/state/secrets" ];
  };

  # Symlink root's GnuPG home and SSH client identity into the persistent
  # volume so they survive the root-filesystem rollback.
  # NOTE(review): a tmpfiles `L` rule only creates the link; the ownership and
  # mode that matter are those of the targets under ${state-dir}/user/root
  # (ssh refuses a private key that is readable by others). Nothing in this
  # file enforces that the directory is root:root 0700 — verify on the host.
  systemd.tmpfiles.rules = [
    "L /root/.gnupg - - - - ${state-dir}/user/root/gnupg"
    # "L /root/.emacs.d - - - - ${state-dir}/user/root/emacs.d"
    "L /root/.ssh/id_rsa - - - - ${state-dir}/user/root/ssh/id_rsa"
    "L /root/.ssh/id_rsa.pub - - - - ${state-dir}/user/root/ssh/id_rsa.pub"
    "L /root/.ssh/known_hosts - - - - ${state-dir}/user/root/ssh/known_hosts"
  ];

  # Persisted SSH host keys and machine-id. Because `source` is a string (built
  # from `state-dir`) the keys are referenced at activation time and never
  # copied into the store. With an explicit `mode` (rather than the default
  # "symlink"), NixOS copies the file into /etc with that owner/group/mode, so
  # the private keys are root-only 0400 and the public halves world-readable.
  # NOTE(review): the equivalent `services.openssh.hostKeys` option (pointing
  # sshd straight at the files under /state) would avoid keeping a second copy
  # of each private key in /etc — consider it if this host runs sshd.
  environment.etc = {
    "ssh/ssh_host_rsa_key" = {
      source = "${state-dir}/ssh/ssh_host_rsa_key";
      user = "root";
      group = "root";
      mode = "0400";
    };
    "ssh/ssh_host_rsa_key.pub" = {
      source = "${state-dir}/ssh/ssh_host_rsa_key.pub";
      user = "root";
      group = "root";
      mode = "0444";
    };
    "ssh/ssh_host_ed25519_key" = {
      source = "${state-dir}/ssh/ssh_host_ed25519_key";
      user = "root";
      group = "root";
      mode = "0400";
    };
    "ssh/ssh_host_ed25519_key.pub" = {
      source = "${state-dir}/ssh/ssh_host_ed25519_key.pub";
      user = "root";
      group = "root";
      mode = "0444";
    };
    # No mode given, so /etc/machine-id becomes a symlink to the persisted
    # file (keeps the id stable across rollbacks).
    "machine-id".source = "${state-dir}/host/machine-id";
  };

  # The lecture flag lives in the (rolled-back) root filesystem, so without
  # this every boot would re-lecture on first sudo. Cosmetic only; no
  # privilege change.
  security.sudo.extraConfig = ''
    # Due to rollback, sudo will lecture after every reboot
    Defaults lecture = never
  '';

  # ---------------------------------------------------------------------------
  # Disabled: Shinobi NVR in Docker, fronted by nginx. Kept for reference.
  # NOTE(review) before re-enabling:
  #   * The `shinobi-od` container carried a literal PLUGIN_KEY in this file.
  #     Even commented out it sits in version history; treat that value as
  #     compromised, rotate it if it was ever real, and load the replacement
  #     from the secrets mechanism above rather than from this module. The
  #     literal has been redacted below.
  #   * Image tags are `:latest` (unpinned), so a rebuild silently pulls
  #     whatever the registry serves; pin a tag or digest.
  #   * The nginx vhost as written terminates no TLS (no forceSSL/enableACME),
  #     so the camera UI and its login would travel in plaintext.
  #   * `X-Forwarded-For $remote_addr` discards any upstream proxy chain;
  #     `$proxy_add_x_forwarded_for` is the usual value, and
  #     `recommendedProxySettings = true` already emits the standard
  #     forwarding headers, so most of the extraConfig is likely redundant.
  # ---------------------------------------------------------------------------
  # virtualisation = {
  #   docker = {
  #     enable = true;
  #     enableOnBoot = true;
  #     autoPrune = { enable = true; };
  #   };
  #   oci-containers = {
  #     containers = {
  #       shinobi = {
  #         image = "shinobisystems/shinobi:latest";
  #         ports = [ "${shinobi-port}:8080" ];
  #         volumes = [
  #           "/state/shinobi/plugins:/home/Shinobi/plugins"
  #           "/state/shinobi/config:/home/Shinobi/config"
  #           "/state/shinobi/videos:/home/Shinobi/videos"
  #           "/state/shinobi/db-data:/var/lib/mysql"
  #           "/etc/localtime:/etc/localtime:ro"
  #         ];
  #       };
  #       # shinobi-od = {
  #       #   image = "shinobisystems/shinobi-tensorflow:latest";
  #       #   volumes =
  #       #     [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
  #       #   ports = [ "${shinobi-od-port}:8082" ];
  #       #   environment = {
  #       #     PLUGIN_HOST = "panopticon.sea.fudo.org";
  #       #     PLUGIN_PORT = shinobi-port;
  #       #     PLUGIN_KEY = "<REDACTED - was a literal key; rotate and load from secrets>";
  #       #   };
  #       # };
  #       # photoprism = { image = "photoprism/photoprism"; };
  #     };
  #   };
  # };

  # services.nginx = {
  #   enable = true;
  #   recommendedGzipSettings = true;
  #   recommendedOptimisation = true;
  #   recommendedProxySettings = true;
  #   virtualHosts = {
  #     "panopticon.sea.fudo.org" = {
  #       locations."/" = {
  #         proxyPass = "http://localhost:${shinobi-port}";
  #         extraConfig = ''
  #           proxy_http_version 1.1;
  #           proxy_set_header Upgrade $http_upgrade;
  #           proxy_set_header Connection "Upgrade";
  #           proxy_set_header Host $host;
  #           proxy_set_header X-Real-IP $remote_addr;
  #           proxy_set_header X-Forwarded-By $server_addr:$server_port;
  #           proxy_set_header X-Forwarded-For $remote_addr;
  #           proxy_set_header X-Forwarded-Proto $scheme;
  #         '';
  #       };
  #     };
  #     # "panopticon-od.sea.fudo.org" = {
  #     #   locations."/" = {
  #     #     proxyPass = "http://localhost:${shinobi-od-port}";
  #     #     extraConfig = ''
  #     #       proxy_http_version 1.1;
  #     #       proxy_set_header Upgrade $http_upgrade;
  #     #       proxy_set_header Connection "Upgrade";
  #     #     '';
  #     #   };
  #     # };
  #   };
  # };
}