Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop

2024-09-29 15:01:14 +02:00 · 2024-09-29 15:01:14 +02:00 · 41483f5ffc
commit 41483f5ffc
parent bbad415a38 4be9ce6185
17 changed files with 374 additions and 52 deletions
--- a/common/hardware/laptop.nix
+++ b/common/hardware/laptop.nix
@ -26,9 +26,7 @@ in
        wootility
      ];
-    services.udev.packages = with pkgs; [ 
+    services.udev.packages = with pkgs; [ yubikey-personalization ];
      yubikey-personalization
    ];
    hardware.i2c.enable = true;
    services.libinput.enable = true;
--- a/common/network/default.nix
+++ b/common/network/default.nix
@ -26,6 +26,11 @@ in
      enable = true;
      allowPing = true;
    };
    networking.nameservers = [
      "1.1.1.1"
      "9.9.9.9"
    ];
  };
  imports = [ ./bluetooth.nix ];
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@ -96,7 +96,7 @@ in
    services.dbus.implementation = "broker";
    boot.tmp.cleanOnBoot = true;
-    zramSwap.enable = true;
+    zramSwap.enable = false;
    #programs.ssh = {
    #  # startAgent = true;
--- a/common/tooling/ranger.nix
+++ b/common/tooling/ranger.nix
@ -7,7 +7,12 @@
 }:
 let
  inherit (config.grimmShared) enable tooling;
-  inherit (lib) mkIf mapAttrs' concatLines attrNames;
+  inherit (lib)
    mkIf
    mapAttrs'
    concatLines
    attrNames
    ;
  plugins = {
    ranger_udisk_menu = inputs.ranger_udisk_menu;
  };
@ -20,10 +25,12 @@ in
    };
    environment.systemPackages = [ pkgs.ranger ];
-    environment.etc = (mapAttrs' (n: v: {
+    environment.etc =
      (mapAttrs' (n: v: {
        name = "ranger/plugins/${n}";
        value.source = v;
-    }) plugins) // {
+      }) plugins)
      // {
        "ranger/commands.py".text = concatLines (map (n: "from plugins.${n} import *") (attrNames plugins));
      };
  };
--- a/configuration.nix
+++ b/configuration.nix
@ -10,7 +10,7 @@
  # Bootloader.
  boot = {
    loader.efi.canTouchEfiVariables = true;
-    kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
+    # kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
  };
  services.logrotate.checkConfig = false; # fixme: actually needed?
--- a/fake_flake.nix
+++ b/fake_flake.nix
@ -36,9 +36,9 @@ let
    #}
  ];
  # enable ccache for lix if ccache is enabled
  # enable_lix_ccache = true;
 in
 # enable ccache for lix if ccache is enabled
 # enable_lix_ccache = true;
 {
  imports = [
    "${nivSources.agenix}/modules/age.nix"
@ -51,7 +51,7 @@ in
    (builtins.getFlake (asGithubRef nivSources.chaotic)).nixosModules.default
    # (builtins.getFlake (asGithubRef nivSources.nixos-matrix-modules)).nixosModules.default
    # (builtins.getFlake "git+${nivSources.nixos-mailserver.repo}").nixosModules.default
-  ] ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target};
+  ] ++ host_modules.grimmauld-nixos-server; # ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target};
  system.nixos = {
    distroId = "lixos";
@ -131,14 +131,16 @@ in
    inputs = nivSources;
  };
  nix.package = pkgs.lix;
  nix.settings.extra-substituters = [
-    "https://cache.lix.systems"
+    #    "https://cache.lix.systems"
    "https://nyx.chaotic.cx/"
    "https://ezkea.cachix.org"
  ];
  nix.settings.trusted-public-keys = [
-    "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
+    #    "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
    "nyx.chaotic.cx-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
    "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
    "ezkea.cachix.org-1:ioBmUbJTZIKsHmWWXPe1FSFbeVe+afhfgqgTSNd34eI="
--- a/modules/default.nix
+++ b/modules/default.nix
@ -5,21 +5,22 @@ let
 in
 {
  imports = [
    ./wireguard.nix
    ./matrix.nix
    ./puffer.nix
    ./gitea.nix
    ./grafana.nix
    ./nextcloud.nix
-    # ./prometheus.nix
+    ./prometheus.nix
    # ./mjolnir.nix
-    ./fail2ban.nix
+#    ./fail2ban.nix
    ./email.nix
-    ./discord-matrix-bridge.nix
+    # ./discord-matrix-bridge.nix
    ./mastodon.nix
    ./nix_cache.nix
-    ./auth.nix
+    # ./auth.nix
    ./hedgedoc.nix
-    ./factorio.nix
+    # ./factorio.nix
  ];
  options.serverConfig =
@ -169,8 +170,9 @@ in
          accessType = "proxy";
        };
        matrix_host = {
-          accessType = "redirect";
+          # accessType = "redirect";
          host = "matrix.${domain}";
          # port = 8008;
        };
        prometheus_host = {
          host = "prometheus.${domain}";
--- a/modules/discord-matrix-bridge.nix
+++ b/modules/discord-matrix-bridge.nix
@ -17,8 +17,8 @@ in
      };
      bridge = {
        enableSelfServiceBridging = true;
-        domain = config.services.matrix-synapse-next.settings.server_name;
+        domain = config.services.matrix-synapse.settings.server_name;
-        homeserverUrl = config.services.matrix-synapse-next.settings.public_baseurl;
+        homeserverUrl = config.services.matrix-synapse.settings.public_baseurl;
        disablePresence = true;
        disableTypingNotifications = true;
      };
--- a/modules/factorio.nix
+++ b/modules/factorio.nix
@ -1,13 +1,27 @@
-{ pkgs, config, lib, ...}: {
+{
  pkgs,
  config,
  lib,
  ...
 }:
 {
  networking.firewall.allowedTCPPorts = [
    34197
    34198
  ];
  networking.firewall.allowedUDPPorts = [
    34198
    34197
  ];
  services.prometheus.scrapeConfigs = [
    {
      job_name = "clusterio-trangar";
      static_configs = [ { targets = [ "trang.ar:8080" ]; } ];
    }
  ];
  systemd.services.clusterio-trangar = {
    description = "clusterio pulling its config from trang.ar";
@ -19,9 +33,11 @@
    #serviceConfig.Group = "users";
    serviceConfig.WorkingDirectory = "/home/grimmauld/clusterio";
    script = ''
-      ${lib.getExe' config.nix.package "nix-shell"} -I nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos /home/grimmauld/clusterio/shell.nix
+      export NIXPKGS_ALLOW_UNFREE=1
      ${lib.getExe' config.nix.package "nix-shell"} -I nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos /home/grimmauld/clusterio-nonfhs/shell.nix --run "cd /home/grimmauld/clusterio-nonfhs/install && nice -19 bash run-host.sh"
      # /home/grimmauld/clusterio/shell.nix
    '';
-    wantedBy = ["multi-user.target"]; # starts after login
+    wantedBy = [ "multi-user.target" ]; # starts after login
    enable = true;
  };
 }
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@ -1,7 +1,8 @@
 { config, ... }:
 let
  inherit (config.serverConfig) vhosts;
-in {
+in
 {
  services.hedgedoc = {
    enable = true;
    settings = {
--- a/modules/matrix_legacy.nix
+++ b/modules/matrix_legacy.nix
@ -0,0 +1,240 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 let
  inherit (config.networking) domain;
  inherit (config.serverConfig) vhosts;
  fqdn = vhosts.matrix_host.host;
  base_url = "https://${fqdn}";
  clientConfig."m.homeserver" = {inherit base_url; }; # = "https://${vhosts.matrix_host.host}";
  serverConfig."m.server" = "${vhosts.matrix_host.host}:443";
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
  synapse_backend = "http://[::1]:8008";
 in
 {
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "synapse" ];
    ensureUsers = [
      {
        name = "synapse";
        passFile = config.age.secrets.synapse_db_pass.path;
        ensureDBOwnership = true;
      }
    ];
  };
  services.matrix-synapse = {
    enable = true;
    settings.server_name = domain;
    # The public base URL value must match the `base_url` value set in `clientConfig` above.
    # The default value here is based on `server_name`, so if your `server_name` is different
    # from the value of `fqdn` above, you will likely run into some mismatched domain names
    # in client applications.
    settings.public_baseurl = base_url;
    settings.listeners = [
      { port = 8008;
        bind_addresses = [ "::1" ];
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [ {
          names = [ "client" "federation" ];
          compress = true;
        } ];
      }
    ];
    settings.database = {
      name = "psycopg2";
      args = { user="synapse"; database= "synapse"; };
    };
    settings.log_config = ./matrix_synapse_log_config.yaml;
    settings.enable_registration = false;
    configureRedisLocally = true;
    settings.redis.enabled = true;
    settings.app_service_config_files = [
      # The registration file is automatically generated after starting the
      # appservice for the first time.
      # cp /var/lib/mautrix-telegram/telegram-registration.yaml \
      #   /var/lib/matrix-synapse/
      # chown matrix-synapse:matrix-synapse \
      #   /var/lib/matrix-synapse/telegram-registration.yaml
      # "/var/lib/matrix-synapse/discord-registration.yaml"
    ];
  };
 #  services.matrix-synapse-next = {
 #    enable = true;
 #
 #    workers.federationSenders = 1;
 #    workers.federationReceivers = 1;
 #    workers.initialSyncers = 1;
 #    workers.normalSyncers = 1;
 #    workers.eventPersisters = 2;
 #    workers.useUserDirectoryWorker = true;
 #    mainLogConfig = ./matrix_synapse_log_config.yaml;
 #
 #    enableNginx = true;
 #    enableSlidingSync = false;
 #
 #    settings = {
 #      suppress_key_server_warning = true;
 #      server_name = domain;
 #      public_baseurl = "https://${domain}";
 #      enable_registration = true;
 #      registration_requires_token = true;
 #      registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
 #      # enable_registration_without_verification = true;
 #      # mainLogConfig = ./matrix_synapse_log_config.yaml;
 #
 #      # registrations_require_3pid = [ "email" ];
 #
 #      database = {
 #        name = "psycopg2";
 #        args = {
 #          host = "localhost";
 #          port = config.services.postgresql.settings.port;
 #          dbname = "synapse";
 #          user = "synapse";
 #          cp_min = 5;
 #          cp_max = 10;
 #          client_encoding = "auto";
 #          passfile = config.age.secrets.synapse_db_pass_prepared.path;
 #        };
 #      };
 #    };
 #  };
  services.redis.servers."".enable = true;
  age.secrets.synapse_db_pass = {
    file = ../secrets/synapse_db_pass.age;
    owner = "postgres";
    group = "postgres";
  };
  age.secrets.synapse_db_pass_prepared = {
    file = ../secrets/synapse_db_pass_prepared.age;
    owner = "matrix-synapse";
    group = "matrix-synapse";
    mode = "0600";
  };
  age.secrets.synapse_registration_shared_secret = {
    file = ../secrets/synapse_registration_shared_secret.age;
    owner = "matrix-synapse";
    group = "matrix-synapse";
    mode = "0600";
  };
  environment.systemPackages = with pkgs; [
    matrix-synapse-tools.synadm
    matrix-synapse
  ];
    services.nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      virtualHosts."${domain}" = {
        enableACME = true;
        forceSSL = true;
        # This section is not needed if the server_name of matrix-synapse is equal to
        # the domain (i.e. example.org from @foo:example.org) and the federation port
        # is 8448.
        # Further reference can be found in the docs about delegation under
        # https://element-hq.github.io/synapse/latest/delegate.html
        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
        # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
        # Further reference can be found in the upstream docs at
        # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
      };
      virtualHosts."${fqdn}" = {
        enableACME = true;
        forceSSL = true;
        locations."/_matrix" = {
          proxyPass = synapse_backend;
          #extraConfig = ''
          #  add_header X-debug-backend ${synapse_backend};
          #  add_header X-debug-group $synapse_uri_group;
          #  client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
          #  proxy_read_timeout 10m;
          #'';
        };
        locations."/_synapse/client".proxyPass = synapse_backend;
      };    
    };
 #  services.nginx = {
 #    enable = true;
 #    virtualHosts."${domain}" = {
 #      forceSSL = true;
 #      enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies
 #      useACMEHost = domain;
 #      locations."/.well-known/matrix/server" = {
 #        return = "200 '{\"m.server\":\"${vhosts.matrix_host.host}:443\"}'";
 #        extraConfig = ''
 #          default_type application/json;
 #          add_header Access-Control-Allow-Origin *;
 #          add_header Accept-Ranges bytes;'';
 #      };
 #      locations."/.well-known/matrix/client" = {
 #        return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${vhosts.matrix_host.host}\"}}'";
 #        extraConfig = ''
 #          add_header Access-Control-Allow-Origin *;
 #          default_type application/json;
 #        '';
 #      };
 #      locations."/_matrix" = {
 #        proxyPass = "http://$synapse_backend";
 #        extraConfig = ''
 #          add_header X-debug-backend $synapse_backend;
 #          add_header X-debug-group $synapse_uri_group;
 #          client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
 #          proxy_read_timeout 10m;
 #        '';
 #      };
 #      locations."/_synapse/client" = {
 #        proxyPass = "http://$synapse_backend";
 #      };
 #      locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
 #        proxyPass = "http://$synapse_backend";
 #        extraConfig = ''
 #          proxy_read_timeout 1h;
 #        '';
 #      };
 #      locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
 #        proxyPass = "http://synapse_worker_initial_sync";
 #        extraConfig = ''
 #          proxy_read_timeout 1h;
 #        '';
 #      };
 #      locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
 #        proxyPass = "http://synapse_worker_initial_sync";
 #        extraConfig = ''
 #          proxy_read_timeout 1h;
 #        '';
 #      };
 #      #      locations."/.well-known/matrix" = {
 #        proxyPass = "http://$synapse_backend";
 #      };
 #    };
 #  };
  #  networking.firewall.allowedTCPPorts = [ 8448 8008 ];
 }
--- a/modules/prometheus.nix
+++ b/modules/prometheus.nix
@ -14,17 +14,24 @@ in
          {
            targets =
              let
-                inherit (lib) filter isAttrs attrValues;
+                inherit (lib)
                  filter
                  isAttrs
                  attrValues
                  filterAttrs
                  ;
              in
              map (v: "127.0.0.1:${builtins.toString v.port}") (
-                filter (v: (isAttrs v) && v.enable) (attrValues config.services.prometheus.exporters)
+                filter (v: (isAttrs v) && v.enable) (
                  attrValues (filterAttrs (n: v: n != "minio") config.services.prometheus.exporters)
                )
              );
          }
        ];
      }
    ];
    exporters = {
-      nginx.enable = true;
+      #      nginx.enable = true;
      redis.enable = true;
      domain.enable = true;
      postgres.enable = true;
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -0,0 +1,36 @@
 {pkgs, ...}: {
  # enable NAT
  networking.nat.enable = true; networking.nat.externalInterface = "eth0"; 
  networking.nat.internalInterfaces = [ "wg0" ]; networking.firewall = {
    allowedUDPPorts = [ 51820 ];
  };
  networking.wireguard.interfaces = {
    # "wg0" is the network interface name. You can name the interface 
    # arbitrarily.}
    wg0 = {
      privateKeyFile = "/home/grimmauld/wireguard.priv";
      # Determines the IP address and subnet of the server's end of the tunnel 
      # interface.
      ips = [ "10.100.0.1/24" ];
      # The port that WireGuard listens to. Must be accessible by the client.
      listenPort = 51820;
      # This allows the wireguard server to route your traffic to the internet and 
      # hence be like a VPN For this to work you have to set the dnsserver IP of 
      # your router (or dnsserver of choice) in your clients
      postSetup = '' ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
      '';
      # This undoes the above command
      postShutdown = '' ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
      '';
      generatePrivateKeyFile = true;
      peers = [
        {
 publicKey="2aANdnPYtf78iXfwNVAtYjIlE5k/yDWvbdXZ2jw0hXk=";
 allowedIPs = [ "10.100.0.2/32"  ];
 } ];
    };
  };
  environment.systemPackages = with pkgs; [ wireguard-tools ];
 }
--- a/modules/wireguard.nix.save
+++ b/modules/wireguard.nix.save
@ -0,0 +1,2 @@
 {
--- a/nix/sources.json
+++ b/nix/sources.json
@ -5,10 +5,10 @@
        "homepage": null,
        "owner": "ezKEa",
        "repo": "aagl-gtk-on-nix",
-        "rev": "f27ebcdcaf296f24b7a662facefec6b4d492b5c5",
+        "rev": "5a1bc8dcc6a73e1d64b9291c9c466a637746e6cf",
-        "sha256": "15mshy4nc956nlzfq1rcaaglwsi500p3rk0nbghqbwipg0cij9f7",
+        "sha256": "1h96br2xrxrzf46n6qa7c393qxh335dp6x0qfdzcyb8va7dj42c9",
        "type": "tarball",
-        "url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/f27ebcdcaf296f24b7a662facefec6b4d492b5c5.tar.gz",
+        "url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/5a1bc8dcc6a73e1d64b9291c9c466a637746e6cf.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "agenix": {
@ -29,10 +29,10 @@
        "homepage": "",
        "owner": "nix-community",
        "repo": "authentik-nix",
-        "rev": "0fd076529b40e7fc7304a398618cab76ff7e96c3",
+        "rev": "1138b948d3e1d5bc453e096bac1a510487871415",
-        "sha256": "1ax3rvw66s246dyrcgpshr7bj78qv73db8s6sd3hzvbmn56kwixr",
+        "sha256": "0wbzbya8qkh9gys7am2m4waq8l5b41m7kvyxnxlvgk42xnrxdqxj",
        "type": "tarball",
-        "url": "https://github.com/nix-community/authentik-nix/archive/0fd076529b40e7fc7304a398618cab76ff7e96c3.tar.gz",
+        "url": "https://github.com/nix-community/authentik-nix/archive/1138b948d3e1d5bc453e096bac1a510487871415.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "chaotic": {
@ -41,10 +41,10 @@
        "homepage": "https://nyx.chaotic.cx",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "a803a24630c8d6108d88f2e35cf6c6d801c187b6",
+        "rev": "7ed94bbcc6b28d546169b66b5e881c33ab5e62f4",
-        "sha256": "11wkfs8diw9syg9fcdgxr271rd7dn1zlxlnv9280zlbgxmnhzi3f",
+        "sha256": "14x6p0g2wbs9fc3bbds3yv4j5jgdc37vx282ggqmyx729ifv70m7",
        "type": "tarball",
-        "url": "https://github.com/chaotic-cx/nyx/archive/a803a24630c8d6108d88f2e35cf6c6d801c187b6.tar.gz",
+        "url": "https://github.com/chaotic-cx/nyx/archive/7ed94bbcc6b28d546169b66b5e881c33ab5e62f4.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "glibc-eac": {
@ -68,7 +68,7 @@
    "lix-pkg": {
        "branch": "main",
        "repo": "https://git.lix.systems/lix-project/lix.git",
-        "rev": "5f298f74c92402a8390b01c736463b17b36277e3",
+        "rev": "3f7519526f7e2cd3ede01c3910fbfe2ddf0f051f",
        "type": "git"
    },
    "nixos-mailserver": {
@ -83,10 +83,10 @@
        "homepage": null,
        "owner": "dali99",
        "repo": "nixos-matrix-modules",
-        "rev": "f4e20d03605c21aebb325c936f3283c322d7e975",
+        "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
-        "sha256": "1jj0rxahi3f9ypb3csz3q7jcr556iqbqifb4h9p632hl5prac9rl",
+        "sha256": "150nvzdrmvyy47pyv44rpmv96mwvgcsq4n22b6g5inzqyz334sxm",
        "type": "tarball",
-        "url": "https://github.com/dali99/nixos-matrix-modules/archive/f4e20d03605c21aebb325c936f3283c322d7e975.tar.gz",
+        "url": "https://github.com/dali99/nixos-matrix-modules/archive/ff787d410cba17882cd7b6e2e22cc88d4064193c.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs": {
@ -95,10 +95,10 @@
        "homepage": null,
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9357f4f23713673f310988025d9dc261c20e70c6",
+        "rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784",
-        "sha256": "0mr3vfnl8h0214ml7l5hsaq2g9174r3ra0hzcvlqk9kg024siwbf",
+        "sha256": "04kf05809w6bvr4vmbjjc3p8w8ycapx9395v5x3ylmw3lhadxqr7",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/9357f4f23713673f310988025d9dc261c20e70c6.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/1925c603f17fc89f4c8f6bf6f631a802ad85d784.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "ranger_udisk_menu": {
--- a/specific/grimmauld-nixos-server/configuration.nix
+++ b/specific/grimmauld-nixos-server/configuration.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 {
  imports = [ ./hardware-configuration.nix ];
@ -11,6 +11,7 @@
  services.openssh.enable = true;
  system.stateVersion = "23.11";
  networking.networkmanager.enable = lib.mkForce false;
  boot.kernelPackages = pkgs.linuxPackages_latest;
  #  users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
 }
--- a/specific/grimmauld-nixos-server/hardware-configuration.nix
+++ b/specific/grimmauld-nixos-server/hardware-configuration.nix
@ -14,6 +14,11 @@
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/d6bf7aad-cd46-458c-98e8-a321eb77858a";
    fsType = "ext4";
  };
  environment.sessionVariables = {
    OMP_NUM_THREADS = "8";
  };