garage: add reverse proxy for S3 access from outside

TODO: subdomains?

.gitignore

@@ -0,0 +1 @@
+.direnv

configurations.nix

@@ -8,6 +8,7 @@ let
     nur
     colmena
     flake-registry
+    nixos-hypervisor
     nixos-hardware
     nixpkgs-unstable
     srvos
@@ -34,11 +35,18 @@ let
     ./modules/hosts.nix
     ./modules/network.nix
     ./modules/zsh.nix
+    ./modules/ssh-cursed.nix
+    ./modules/buildbot
 
 
     disko.nixosModules.disko
     srvos.nixosModules.server
 
+    srvos.nixosModules.mixins-trusted-nix-caches
+    srvos.nixosModules.mixins-terminfo
+
+    nixos-hypervisor.nixosModules.host
+
     # srvos.nixosModules.mixins-telegraf
     # srvos.nixosModules.mixins-terminfo
 
@@ -47,34 +55,41 @@ let
      , config
      , lib
      , ...
-     }: let
-       sopsFile = ./. + "/hosts/${config.networking.hostName}.yml";
-    in {
-      nix.nixPath = [
-        "home-manager=${home-manager}"
-        "nixpkgs=${pkgs.path}"
-        "nur=${nur}"
-      ];
-      # TODO: share nixpkgs for each machine to speed up local evaluation.
-      #nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system};
+     }:
+      let
+        sopsFile = ./. + "/hosts/${config.networking.hostName}.yml";
+      in
+      {
+        nix.nixPath = [
+          "home-manager=${home-manager}"
+          "nixpkgs=${pkgs.path}"
+          "nur=${nur}"
+        ];
+        # TODO: share nixpkgs for each machine to speed up local evaluation.
+        #nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system};
+
+        #users.withSops = builtins.pathExists sopsFile;
+        #sops.secrets = lib.mkIf (config.users.withSops) {
+        #  root-password-hash.neededForUsers = true;
+        #};
+        # sops.defaultSopsFile = lib.mkIf (builtins.pathExists sopsFile) sopsFile;
 
-      #users.withSops = builtins.pathExists sopsFile;
-      #sops.secrets = lib.mkIf (config.users.withSops) {
-      #  root-password-hash.neededForUsers = true;
-      #};
-      # sops.defaultSopsFile = lib.mkIf (builtins.pathExists sopsFile) sopsFile;
+        nix.extraOptions = ''
+          flake-registry = ${flake-registry}/flake-registry.json
+          builders-use-substitutes = true
+        '';
 
-      nix.extraOptions = ''
-        flake-registry = ${flake-registry}/flake-registry.json
-      '';
+        nix.registry = {
+          home-manager.flake = home-manager;
+          nixpkgs.flake = nixpkgs;
+          nur.flake = nur;
+        };
+        time.timeZone = "UTC";
 
-      nix.registry = {
-        home-manager.flake = home-manager;
-        nixpkgs.flake = nixpkgs;
-        nur.flake = nur;
-      };
-      time.timeZone = "UTC";
-    })
+        environment.systemPackages = [
+          pkgs.kitty.terminfo
+        ];
+      })
   ];
 in
 {
@@ -87,12 +102,15 @@ in
         ++ [
           ./hosts/epyc.nix
         ];
-      };
     };
+  };
 
   flake.colmena = {
     meta.nixpkgs = import nixpkgs {
       system = "x86_64-linux";
+      overlays = [
+        nixos-hypervisor.overlays.default
+      ];
     };
     epyc = {
       imports =
@@ -100,6 +118,6 @@ in
         ++ [
           ./hosts/epyc.nix
         ];
-      };
+    };
   };
 }

flake.lock

@@ -9,11 +9,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1684153753,
-        "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+        "lastModified": 1690228878,
+        "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+        "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792",
         "type": "github"
       },
       "original": {
@@ -22,21 +22,43 @@
         "type": "github"
       }
     },
-    "colmena": {
+    "attic": {
       "inputs": {
+        "crane": "crane",
         "flake-compat": "flake-compat",
         "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1689457600,
+        "narHash": "sha256-1XLn2ZZMaqQx+Ys3eel5hQRkgUn3DeHcVb2JT8WYU0A=",
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "rev": "4902d57f5dae8ec660ee9ee14c45c2192f9fe8b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "type": "github"
+      }
+    },
+    "colmena": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "flake-utils": "flake-utils_2",
         "nixpkgs": [
           "nixpkgs"
         ],
         "stable": "stable"
       },
       "locked": {
-        "lastModified": 1685163780,
-        "narHash": "sha256-tMwseHtEFDpO3WKeZKWqrKRAZI6TiEULidxEbzicuFg=",
+        "lastModified": 1688224393,
+        "narHash": "sha256-rsAvFNhRFzTF7qyb6WprLFghJnRxMFjvD2e5/dqMp4I=",
         "owner": "zhaofengli",
         "repo": "colmena",
-        "rev": "c61bebae1dc1d57237577080b1ca1e37a3fbcebf",
+        "rev": "19384f3ee2058c56021e4465a3ec57e84a47d8dd",
         "type": "github"
       },
       "original": {
@@ -45,6 +67,36 @@
         "type": "github"
       }
     },
+    "crane": {
+      "inputs": {
+        "flake-compat": [
+          "attic",
+          "flake-compat"
+        ],
+        "flake-utils": [
+          "attic",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "attic",
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1677892403,
+        "narHash": "sha256-/Wi0L1spSWLFj+UQxN3j0mPYMoc7ZoAujpUF/juFVII=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "105e27adb70a9890986b6d543a67761cbc1964a2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
     "darwin": {
       "inputs": {
         "nixpkgs": [
@@ -74,11 +126,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1685970051,
-        "narHash": "sha256-F5ZxBD2DeNd+Q0dDKYBhv76kfjVG/X0ccXjSKpa8KdI=",
+        "lastModified": 1690739034,
+        "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "29d632d7e8fa86f937153ecdfd7d768411001d2d",
+        "rev": "4015740375676402a2ee6adebc3c30ea625b9a94",
         "type": "github"
       },
       "original": {
@@ -88,6 +140,22 @@
       }
     },
     "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
       "flake": false,
       "locked": {
         "lastModified": 1650374568,
@@ -110,11 +178,32 @@
         ]
       },
       "locked": {
-        "lastModified": 1685662779,
-        "narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=",
+        "lastModified": 1690933134,
+        "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3",
+        "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixos-hypervisor",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1687762428,
+        "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836",
         "type": "github"
       },
       "original": {
@@ -126,11 +215,11 @@
     "flake-registry": {
       "flake": false,
       "locked": {
-        "lastModified": 1682423975,
-        "narHash": "sha256-zvOBrH3hwCedgpaWiOSHYSt+fgF/RhaJs8R5qOX6AYc=",
+        "lastModified": 1689333397,
+        "narHash": "sha256-g1Nn0sgH/hR/gEAQ1q6bloU+Q+V+Y4HlBBH6CBxC0HM=",
         "owner": "NixOS",
         "repo": "flake-registry",
-        "rev": "8054bfa00d60437297d670ab3296a117e7059a10",
+        "rev": "5d8dc3eb692809ffd9a2f22cdb8015aa11972905",
         "type": "github"
       },
       "original": {
@@ -140,6 +229,21 @@
       }
     },
     "flake-utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
       "locked": {
         "lastModified": 1659877975,
         "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
@@ -182,27 +286,27 @@
         ]
       },
       "locked": {
-        "lastModified": 1667907331,
-        "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
+        "lastModified": 1687871164,
+        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
         "owner": "rycee",
         "repo": "home-manager",
-        "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
+        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
         "type": "github"
       },
       "original": {
         "owner": "rycee",
-        "ref": "release-22.05",
+        "ref": "release-23.05",
         "repo": "home-manager",
         "type": "github"
       }
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1684899633,
-        "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=",
+        "lastModified": 1690957133,
+        "narHash": "sha256-0Y4CiOIszhHDDXHFmvHUpmhUotKOIn0m3jpMlm6zUTE=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d",
+        "rev": "24f9162b26f0debd163f6d94752aa2acb9db395a",
         "type": "github"
       },
       "original": {
@@ -211,29 +315,68 @@
         "type": "github"
       }
     },
+    "nixos-hypervisor": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1688428885,
+        "narHash": "sha256-fVIbXKvHmxSUAKTMiXx799UasQwU2XT+op7bzvtfl8c=",
+        "ref": "main",
+        "rev": "9f32a304708fd9c91c081db05eee1b4f2e0226cc",
+        "revCount": 2,
+        "type": "git",
+        "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1685952468,
-        "narHash": "sha256-YCOr9kttCqoa9IZMjHxX6SlwenTg7FsSmG9TaT76mSE=",
+        "lastModified": 1686519857,
+        "narHash": "sha256-VkBhuq67aXXiCoEmicziuDLUPPjeOTLQoj6OeVai5zM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "70f7275b32f49bc67ae3532b758b80cb6c27f98a",
+        "rev": "6b1b72c0f887a478a5aac355674ff6df0fc44f44",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1685004253,
+        "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1685938391,
-        "narHash": "sha256-96Jw6TbWDLSopt5jqCW8w1Fc1cjQyZlhfBnJ3OZGpME=",
+        "lastModified": 1691003216,
+        "narHash": "sha256-Qq/MPkhS12Bl0X060pPvX3v9ac3f2rRQfHjjozPh/Qs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "31cd1b4afbaf0b1e81272ee9c31d1ab606503aed",
+        "rev": "4a56ce9727a0c5478a836a0d8a8f641c5b9a3d5f",
         "type": "github"
       },
       "original": {
@@ -243,13 +386,29 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1691083802,
+        "narHash": "sha256-bjWTVGskCWR2BdB0Glnj2FyHooNiFThkFBF4oaAMe2s=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "096c262bbb73d84b8298d81c7daa9890c6ccd6da",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nur": {
       "locked": {
-        "lastModified": 1685980073,
-        "narHash": "sha256-7BkreZ2cH488dR1XPcdlALj+2g+NvrZdG9ZhwRt0YFI=",
+        "lastModified": 1691109630,
+        "narHash": "sha256-NkltnE+ZMABNP7pJVj7ftu/58aTGa5PXxICLr8fjkI4=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "de817406e39c1f9be28fde1d62c1f1f0c91acb09",
+        "rev": "dcd922e7738fc027c73cd2cc110015d38fba9651",
         "type": "github"
       },
       "original": {
@@ -261,18 +420,47 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "attic": "attic",
         "colmena": "colmena",
         "disko": "disko",
         "flake-parts": "flake-parts",
         "flake-registry": "flake-registry",
         "home-manager": "home-manager_2",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixos-hypervisor": "nixos-hypervisor",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nur": "nur",
         "srvos": "srvos"
       }
     },
+    "rust-overlay": {
+      "inputs": {
+        "flake-utils": [
+          "attic",
+          "crane",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "attic",
+          "crane",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1675391458,
+        "narHash": "sha256-ukDKZw922BnK5ohL9LhwtaDAdCsJL7L6ScNEyF1lO9w=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "383a4acfd11d778d5c2efcf28376cbd845eeaedf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
     "srvos": {
       "inputs": {
         "nixpkgs": [
@@ -280,11 +468,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1685966850,
-        "narHash": "sha256-HaWNbihBIBATmSbuXLzA92C4858tNdS9Q5kRHJNagVo=",
+        "lastModified": 1690557184,
+        "narHash": "sha256-KMGPz3pP7OoUZaUhgcuYG84CtVaJOQw6RK8J0fAtKt0=",
         "owner": "numtide",
         "repo": "srvos",
-        "rev": "4f22e6fcaf17c6313c2ecdc996760c3e4b14a623",
+        "rev": "ceed433086a85e5540bd73cff46497af5a09e36f",
         "type": "github"
       },
       "original": {
@@ -308,6 +496,27 @@
         "repo": "nixpkgs",
         "type": "github"
       }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixos-hypervisor",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688026376,
+        "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,13 +1,6 @@
 {
   description = "NixOS configuration with flakes";
 
-  nixConfig.extra-substituters = [
-    "https://newtype.cachix.org"
-  ];
-  nixConfig.extra-trusted-public-keys = [
-    "newtype.cachix.org-1:Gd5G2EVFNJslfR3PxA2+JY7mHT6MwVJ6biv5Cg47SD0="
-  ];
-
   # To update all inputs:
   # $ nix flake update --recreate-lock-file
   inputs = {
@@ -23,7 +16,7 @@
     nixos-hardware.url = "github:NixOS/nixos-hardware";
     nur.url = "github:nix-community/NUR";
 
-    home-manager.url = "github:rycee/home-manager/release-22.05";
+    home-manager.url = "github:rycee/home-manager/release-23.05";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
     agenix.url = "github:ryantm/agenix";
@@ -32,10 +25,17 @@
     colmena.url = "github:zhaofengli/colmena";
     colmena.inputs.nixpkgs.follows = "nixpkgs";
 
+    attic.url = "github:zhaofengli/attic";
+
     srvos.url = "github:numtide/srvos";
     # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
     srvos.inputs.nixpkgs.follows = "nixpkgs";
 
+    # Ryan's experimental hypervisor based on cloud-hypervisor
+    # Private repository, you need a valid SSH key to access it
+    nixos-hypervisor.url = "git+ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor?ref=main";
+    nixos-hypervisor.inputs.nixpkgs.follows = "nixpkgs";
+
     flake-registry.url = "github:NixOS/flake-registry";
     flake-registry.flake = false;
   };
@@ -83,19 +83,19 @@
             ] ++ pkgs.lib.optional (pkgs.stdenv.isLinux) pkgs.mkpasswd;
           };
           packages = {
-          #  netboot = pkgs.callPackage ./modules/netboot/netboot.nix {
-          #    # this nixosSystem is built for x86_64 machines regardless of the host machine
-          #    pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
-          #    inherit (inputs.nixpkgs.lib) nixosSystem;
-          #    extraModules = [
-          #      self.inputs.nur.nixosModules.nur
-          #      { _module.args.inputs = self.inputs; }
-          #    ];
-          #  };
+            #  netboot = pkgs.callPackage ./modules/netboot/netboot.nix {
+            #    # this nixosSystem is built for x86_64 machines regardless of the host machine
+            #    pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
+            #    inherit (inputs.nixpkgs.lib) nixosSystem;
+            #    extraModules = [
+            #      self.inputs.nur.nixosModules.nur
+            #      { _module.args.inputs = self.inputs; }
+            #    ];
+            #  };
 
-          #  netboot-pixie-core = pkgs.callPackage ./modules/netboot/netboot-pixie-core.nix {
-          #    inherit (self'.packages) netboot;
-          #  };
+            #  netboot-pixie-core = pkgs.callPackage ./modules/netboot/netboot-pixie-core.nix {
+            #    inherit (self'.packages) netboot;
+            #  };
           };
         };
         flake = {

hosts/epyc.nix

@@ -1,13 +1,53 @@
+{ lib, ... }:
+let
+  gcc-system-features = arch: lib.optionals (arch != null) ([ "gccarch-${arch}" ]
+    ++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch});
+in
 {
   imports = [
     ../modules/ipmi-supermicro.nix
     ../modules/hardware/supermicro-H12SSL-i.nix
+    ../modules/iperf-server.nix
+    ../modules/hypervisor.nix
+    ../modules/hydra/coordinator.nix
+    ../modules/android-cache.nix
+    ../modules/garage.nix
+    ../modules/users/friends.nix
   ];
 
   networking.hostName = "epyc";
+
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
+  # Open public access to our PostgreSQL.
+  services.postgresql.enableTCPIP = true;
+  services.postgresql.authentication = ''
+  host  hydra-nixos-org hydra_ro  ::/0  trust
+  '';
+  networking.firewall.allowedTCPPorts = [ 5432 ];
+
+  virtualisation.nvisor.vms = {
+    vm01 = {
+      config = { pkgs, ... }: {
+        environment.systemPackages = [ pkgs.hello ];
+      };
+    };
+  };
+
+  nix.buildMachines = [
+    { hostName = "localhost";
+      systems = [
+        "x86_64-linux"
+        "riscv64-linux"
+      ];
+      supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ] ++ gcc-system-features "znver3";
+      maxJobs = 2;
+    }
+  ];
+
+  boot.binfmt.emulatedSystems = [ "riscv64-linux" "aarch64-linux" "riscv64-linux" ];
+
   simd.arch = "znver3";
   system.stateVersion = "23.05";
 }

modules/android-cache.nix

@@ -0,0 +1,14 @@
+{ lib, ... }:
+let
+  mirrors = {
+    "https://android.googlesource.com" = "/var/lib/src/aosp/mirror";
+    "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS";
+    "https://github.com/TheMuppets" = "/var/lib/src/themuppets/TheMuppets";
+  };
+in
+{
+  nix.envVars.ROBOTNIX_GIT_MIRRORS = lib.concatStringsSep "|" (lib.mapAttrsToList (local: remote: "${local}=${remote}") mirrors);
+
+  # Also add local mirrors to nix sandbox exceptions
+  nix.sandboxPaths = lib.attrValues mirrors;
+}

modules/buildbot/default.nix

@@ -0,0 +1,59 @@
+{ lib, pkgs, config, inputs, ... }:
+with lib;
+let
+  cfg = config.luj.buildbot;
+  port = "1810";
+  package = pkgs.buildbot-worker;
+  python = package.pythonModule;
+  home = "/var/lib/buildbot-worker";
+  buildbotDir = "${home}/worker";
+in
+{
+  #buildbot worker
+
+  #  nix.settings.allowed-users = [ "buildbot-worker" ];
+  nix.settings.trusted-users = [ "buildbot-worker" ];
+  users.users.buildbot-worker = {
+    description = "Buildbot Worker User.";
+    isSystemUser = true;
+    createHome = true;
+    home = "/var/lib/buildbot-worker";
+    group = "buildbot-worker";
+    useDefaultShell = true;
+  };
+  users.groups.buildbot-worker = { };
+
+  systemd.services.buildbot-worker = {
+    reloadIfChanged = true;
+    description = "Buildbot Worker.";
+    after = [ "network.target" "buildbot-master.service" ];
+    wantedBy = [ "multi-user.target" ];
+    path = [
+      pkgs.nix-eval-jobs
+      pkgs.git
+      pkgs.gh
+      pkgs.nix
+      pkgs.nix-output-monitor
+      inputs.attic.packages.x86_64-linux.attic
+    ];
+    environment.PYTHONPATH = "${python.withPackages (_: [package])}/${python.sitePackages}";
+    environment.MASTER_URL = ''TCP:2a01\\:e34\\:ec2a\\:8e60\\:8ec7\\:b5d2\\:f663\\:a67a:9989'';
+    environment.BUILDBOT_DIR = buildbotDir;
+    environment.WORKER_PASSWORD_FILE = "/var/lib/buildbot-worker/password.txt";
+
+    serviceConfig = {
+      Type = "simple";
+      User = "buildbot-worker";
+      Group = "buildbot-worker";
+      WorkingDirectory = home;
+
+      # Restart buildbot with a delay. This time way we can use buildbot to deploy itself.
+      ExecReload = "+${pkgs.systemd}/bin/systemd-run --on-active=60 ${pkgs.systemd}/bin/systemctl restart buildbot-worker";
+      ExecStart = "${python.pkgs.twisted}/bin/twistd --nodaemon --pidfile= --logfile - --python ${./worker.py}";
+    };
+  };
+
+}
+
+
+

modules/buildbot/worker.py

@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+
+import multiprocessing
+import os
+import socket
+from io import open
+
+from buildbot_worker.bot import Worker
+from twisted.application import service
+
+
+def require_env(key: str) -> str:
+    val = os.environ.get(key)
+    assert val is not None, "val is not set"
+    return val
+
+
+def setup_worker(application: service.Application, id: int) -> None:
+    basedir = f"{require_env('BUILDBOT_DIR')}-{id}"
+    os.makedirs(basedir, mode=0o700, exist_ok=True)
+
+    master_url = require_env("MASTER_URL")
+    hostname = socket.gethostname()
+    workername = f"{hostname}-{id}"
+
+    with open(
+        require_env("WORKER_PASSWORD_FILE"), "r", encoding="utf-8"
+    ) as passwd_file:
+        passwd = passwd_file.read().strip("\r\n")
+    keepalive = 600
+    umask = None
+    maxdelay = 300
+    numcpus = None
+    allow_shutdown = None
+
+    s = Worker(
+        "2a01:e34:ec2a:8e60:8ec7:b5d2:f663:a67a",
+        9989,
+        workername,
+        passwd,
+        basedir,
+        keepalive,
+        umask=umask,
+        maxdelay=maxdelay,
+        numcpus=numcpus,
+        allow_shutdown=allow_shutdown,
+    )
+    s.setServiceParent(application)
+
+
+# note: this line is matched against to check that this is a worker
+# directory; do not edit it.
+application = service.Application("buildbot-worker")
+
+for i in range(14):
+    setup_worker(application, i)
+
+

modules/builder.nix

@@ -3,7 +3,8 @@
     isNormalUser = true;
     home = "/home/nix";
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZpEtSfB0GDwcELc5/AKNiBZJV9OVfQ0BMFzBlF+8Yd raito@everywhere"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ raito@thors"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF07Sy0O+oletFYlrfS0+XtBWJO2F+Rc9J/ocNLBa/OE raito@thorkell"
     ];
     uid = 5001;
   };

modules/garage.nix

@@ -0,0 +1,37 @@
+{ pkgs, ... }: {
+  services.garage = {
+    enable = true;
+    package = pkgs.garage_0_8;
+    settings = {
+      db_engine = "lmdb";
+      block_size = (10 * 1024 * 1024); # 10MB
+      replication_mode = "none";
+      rpc_bind_addr = "[::1]:3901";
+      rpc_public_addr = "[::1]:3901";
+      rpc_secret = "f5b8ede0abe0a3d454d96e8b352e29a1d94522b64274d23b256d57482441ccc1";
+
+      s3_api = {
+        s3_region = "garage";
+        api_bind_addr = "[::1]:3900";
+        root_domain = ".s3.infra.newtype.fr";
+      };
+
+      s3_web = {
+        bind_addr = "[::1]:3902";
+        root_domain = ".web.infra.newtype.fr";
+        index = "index.html";
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."s3.infra.newtype.fr" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/".proxyPass = "http://[::1]:3900/";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}

modules/hydra/coordinator.nix

@@ -0,0 +1,81 @@
+{ pkgs, ... }: {
+  services.hydra = {
+    enable = true;
+    hydraURL = "https://hydra.newtype.fr";
+    notificationSender = "hydra@localhost";
+    buildMachinesFiles = [ "/etc/nix/machines" ];
+    useSubstitutes = true;
+  };
+
+  environment.systemPackages = [ pkgs.nix-prefetch-git ];
+  nix.trustedUsers = [ "hydra" "hydra-www" ];
+
+  services.postgresql = {
+    enableJIT = true;
+    settings = {
+      checkpoint_completion_target = "0.9";
+      default_statistics_target = 100;
+
+      max_connections = 500;
+      work_mem = "20MB";
+      maintenance_work_mem = "2GB";
+
+      shared_buffers = "8GB";
+
+      min_wal_size = "1GB";
+      max_wal_size = "2GB";
+      wal_buffers = "16MB";
+
+      max_worker_processes = 16;
+      max_parallel_workers_per_gather = 8;
+      max_parallel_workers = 16;
+
+      # NVMe related performance tuning
+      effective_io_concurrency = 200;
+      random_page_cost = "1.1";
+
+      # We can risk losing some transactions.
+      synchronous_commit = "off";
+
+      effective_cache_size = "16GB";
+
+      # autovacuum and autoanalyze much more frequently:
+      # at these values vacuum should run approximately
+      # every 2 mass rebuilds, or a couple times a day
+      # on the builds table. Some of those queries really
+      # benefit from frequent vacuums, so this should
+      # help. In particular, I'm thinking the jobsets
+      # pages.
+      autovacuum_vacuum_scale_factor = 0.002;
+      autovacuum_analyze_scale_factor = 0.001;
+
+      shared_preload_libraries = "pg_stat_statements";
+      compute_query_id = "on";
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "ryan@lahfa.xyz";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    recommendedZstdSettings = true;
+    recommendedBrotliSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation =true;
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+  };
+
+  services.nginx.virtualHosts."hydra.newtype.fr" = {
+    forceSSL = true;
+    enableACME = true;
+    # TODO: remove compression for some locations
+    locations."/".proxyPass = "http://localhost:3000";
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}

modules/hypervisor.nix

@@ -0,0 +1,5 @@
+{ ... }: {
+  virtualisation.nvisor = {
+    enable = true;
+  };
+}

modules/iperf-server.nix

@@ -0,0 +1,6 @@
+{ ... }: {
+  services.iperf3 = {
+    enable = true;
+    openFirewall = true;
+  };
+}

modules/nix-daemon.nix

@@ -1,6 +1,7 @@
 { lib
 , config
 , pkgs
+, inputs
 , ...
 }:
 
@@ -24,25 +25,46 @@ in
 
   config = {
     warnings = lib.optionals (config.simd.arch == null) [ "Please set simd.arch for ${config.networking.hostName}" ];
+    # Allow more open files for non-root users to run NixOS VM tests.
+    security.pam.loginLimits = [
+      { domain = "*"; item = "nofile"; type = "-"; value = "20480"; }
+    ];
+
+    # Memory accounting techniques
+    systemd.services.nix-daemon.serviceConfig = {
+      MemoryAccounting = true;
+      MemoryMax = "225G";
+      MemoryHigh = "220G";
+      MemorySwapMax = "2G";
+      ManagedOOMSwap = "kill";
+      ManagedOOMMemoryPressure = "kill";
+      MemoryPressureWatch = "on";
+    };
 
     nix = {
+      # Garbage-collect often
       gc.automatic = true;
-      gc.dates = "03:15";
-      gc.options = "--delete-older-than 30d";
+      gc.dates = "*:45";
+      gc.options = ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
 
-      # 2.11, 2.12 suffers from a bug with remote builders…
-      package = pkgs.nixVersions.nix_2_13;
+      # Randomize GC to avoid thundering herd effects.
+      gc.randomizedDelaySec = "1800";
 
-      # should be enough?
-      nrBuildUsers = lib.mkDefault 32;
+      # Inchallah, it works.
+      # package = lib.mkForce inputs.nixpkgs-unstable.legacyPackages.x86_64-linux.nixVersions.nix_2_17;
 
-      # https://github.com/NixOS/nix/issues/719
+      # should be enough?
+      nrBuildUsers = 128;
 
       settings = {
         keep-outputs = true;
         keep-derivations = true;
-        # in zfs we trust
-        fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs");
+        use-cgroups = true;
+        http-connections = 0;
+        auto-allocate-uids = true;
+        cores = 64; # 128 is too much, it will explode the RAM for now. Let's keep it serious.
+        max-jobs = 2; # Do not build more than 2 derivations at once in the event, both of them are too big, yes this is stupid, fix it in Nix.
+        fsync-metadata = true;
         substituters = [
           "https://nix-community.cachix.org"
           "https://tum-dse.cachix.org"
@@ -52,6 +74,14 @@ in
           "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
           "tum-dse.cachix.org-1:v67rK18oLwgO0Z4b69l30SrV1yRtqxKpiHodG4YxhNM="
         ];
+        experimental-features = [
+          "auto-allocate-uids"
+          "ca-derivations"
+          "cgroups"
+          "discard-references"
+          "fetch-closure"
+          "impure-derivations"
+        ];
       };
     };
 

modules/packages.nix

@@ -1,10 +1,12 @@
-{ pkgs, ... }: {
+{ pkgs, inputs, ... }: {
   # this extends the list from:
   # https://github.com/numtide/srvos/blob/master/server.nix#L10
   environment.systemPackages = with pkgs; [
     socat
     whois
 
+    nix-output-monitor
+    inputs.attic.packages.x86_64-linux.attic
     jq
     psmisc
     libarchive
@@ -34,6 +36,8 @@
     usbutils
 
     ipmitool
+
+    nix-top
     # tries to default to soft-float due to out-dated cc-rs
   ] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich;
 }

modules/ssh-cursed.nix

@@ -0,0 +1,36 @@
+{
+  programs.ssh.extraConfig = ''
+        Host telecom-bastion
+    		HostName ssh.enst.fr
+    		User jmalka
+                IdentityFile /home/luj/.ssh/id_ed25519
+
+        Host lame11
+    		Hostname lame11.enst.fr
+    		User nix-remote-builder
+    		ProxyJump telecom-bastion
+                IdentityFile /home/luj/.ssh/id_ed25519
+        Host lame10
+    		Hostname lame10.enst.fr
+    		User nix-remote-builder
+    		ProxyJump telecom-bastion
+                IdentityFile /home/luj/.ssh/id_ed25519
+        Host lame12
+    		Hostname lame12.enst.fr
+    		User nix-remote-builder
+    		ProxyJump telecom-bastion
+                IdentityFile /home/luj/.ssh/id_ed25519
+        Host lame16
+    		Hostname lame16.enst.fr
+    		User nix-remote-builder
+    		ProxyJump telecom-bastion
+                IdentityFile /home/luj/.ssh/id_ed25519
+        Host lame17
+    		Hostname lame17.enst.fr
+    		User nix-remote-builder
+    		ProxyJump telecom-bastion
+                IdentityFile /home/luj/.ssh/id_ed25519
+
+  '';
+
+}

modules/users/admins.nix

@@ -22,7 +22,8 @@ in
       luj = {
         isNormalUser = true;
         home = "/home/luj";
-        inherit (config.users.users.raito) extraGroups;
+        inherit (config.users.users.raito);
+        extraGroups = extraGroups ++ [ "production-hydra-db" ];
         shell = "/run/current-system/sw/bin/zsh";
         uid = 1001;
         openssh.authorizedKeys.keyFiles = [ ./keys/luj.keys ];

modules/users/friends.nix

@@ -0,0 +1,28 @@
+{ ... }:
+let
+  trustedFriendGroups = [
+    "production-hydra-db"
+  ];
+in
+{
+  users.users = {
+    ninjatrappeur = {
+      isNormalUser = true;
+      home = "/home/ninjatrappeur";
+      shell = "/run/current-system/sw/bin/zsh";
+      uid = 2000;
+      extraGroups = trustedFriendGroups;
+      openssh.authorizedKeys.keyFiles = [ ./keys/ninjatrappeur.keys ];
+    };
+    linus = {
+      isNormalUser = true;
+      home = "/home/linus";
+      shell = "/run/current-system/sw/bin/zsh";
+      uid = 2001;
+      # Raito: I allowed linus to be root to get some stuff done
+      # on behalf of me.
+      extraGroups = [ "wheel" ] ++ trustedFriendGroups;
+      openssh.authorizedKeys.keyFiles = [ ./keys/linus.keys ];
+    };
+  };
+}

modules/users/keys/gdd.keys

@@ -1 +1,2 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqnCNhMl5KgERtpFAVUjd11JDsf0uQ/8NY5sj4tnjw5

modules/users/keys/linus.keys

@@ -0,0 +1,4 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDf7hGFfUHhtgYY0G/Dh9isjIxkvUjlAKAMvLIZs5NLXwEfnxDTVZW/ijfF2qDozAmYQHZqbeyhJX7YlO6nYjWRBxqBeqAMHhtu3PkiysSCCUymhJ2uDHUAox+BT8IGE3sCKYIXRdmSFoibgQad9AHsQ6OLoIaNgMV7rspdBcO/CjyCkHN440XhQKz/Sq2SyygI9Qkuz0qDdQOgIraVi//EXDAvij0QXlkmh+3xBJwEqt8Pe1KP9itwvGyzGX/aAheCBSf7HPcLzJUgcWymW6FL4AE0KqNVb8Q8ahaEM5UgbXUCauDON8H4OR1Zngszw128wklwxOr7q5gB++Ks1OQlHMGgiVYZ2wC0DXlx68BKSMNnJRHWCI4r63a3bAWGCqKbcCHpimjPAHisPoaoHffVUaIpj65klj+GkoHAgo/pl0S6o4OqVpOau3Qkn95D1KDbUiE1l0HdgZaRmOKRvTKec1V3tfB2rA83Q1cZCWC5ZSwk3wihYPywMyIo6G8f2M2bFot7k/sS9ZMSle6oZDrc6A8qWnaxMZYbEXdFGy02550vdymshJ9RpSLfK1oBKoKk7yL2hk1UHm6obXYXn/F0KvDr7nAM6gOf9NnOrPHKt14WDb0GsZwNd34g1RCcBUcXewh4ZJOHerzsS2h3D30BNQUNCaF8ZQr6FYXp7v9gnQ==
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3EmXYSXsimS+vlGYtfTkOGuwvkXU0uHd2yYKLOxD2F
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJWYrcu8usyqdLv4XO4i5TPaQhB+lH3Xbu2uz64hQe3
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICDgQA1A1uHJsqLsSLLkuWNlxXrpGRD6Qx11WBbfP+SmAAAAEXNzaDpsaW51c0BiZWl3ZXJr

modules/users/keys/luj.keys

@@ -1,4 +1,5 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9Uzb7szWlux7HuxLZej9cBR5MhLz/vaAPPfSoozt2k
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHoYi9YFzovZfwrY3BUA3QqcyBE8gfNTncbs3qqkLbyY
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCKfPoMNrnyNWH6J1OvQ+n1rvSS9Sc2iZf6E1JQC+L4
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESMWr29i3rhj32oLV3DKe57YI+jvNaKjZhhpq6dEjsn
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOCKgHRHAJDSgKqYNfWboL04mnEOM0m0K3TGxBhBNDR
@@ -8,4 +9,5 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxfFq8wx5Bet5Q0gI28/lc9ryYYFQelpZdPPdzxGBbA
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKIDLmQQ+P+jE4zVRpdVp8fmYEe4nzPDqYZt6A4eyIi
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkj2xsN7Qt/Ew2QO+HiF2yOjXPRucZ3SbIdPDLJoh22
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCUt5I3IgONzYsMOFnRXtvR/uLXlIs6oWsCmh6YGgnpGD4M9lFdoYAOeC1faQUnP66sNs6AoacrGlPZ1UkVUqYEoIr2hiNCDRzzLCQ2J/sSaw7Hv0PKT7MWMo8R076M3TrdunCchBJI1noez3waM9aL4b/iYVhxym28ET55QrWjyMQfZL9PXzOKZatNVcK8AmdtSbI+pFrm/tTZPa321drm9PHOo9CL+lG4YmVZcXa0bVfVtk1GXlWwNpCj2ExLmbF1rRpAa05khfnbg3sBSklwf5NRXj11KneodKRF81ji7MtBhIIfoEXSYht7yspdkkS9e9mv16VGV+2ziM8zG3MK/iUq7fg5ksN54D3DNrd9iI5WjQZsLUrK0ypxO2NtvupWGYt3rCyKA/QvynbxOWFp6cy3Evej142hsfbiOcPIgCtGdHIBevp+KmPxkHBqsJPBqb3Y7nOMT1/ggDMtvHZEZJjEI2D2RjZNEXGbq63OPAqEkgmecW0cXlrjLEGhF2E=

modules/users/keys/ninjatrappeur.keys

@@ -0,0 +1,3 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClF9ko5u4zf0CEvleEeRbo9r6BMNgXEGO/rDNZOEHcKxVaeIi+/xF6ZQ5MZbcmH08lswq32hb1XwXg7Gk+ofUdEvCD/kC/vJijt7IFkardy6BNOSWQJLEf6/BpL3LzDQhi7iZXPF46VYoPVGHBh8fKQaAtOCrhbf/8JutfTwCglEztjoiQxY5b8OMfntjBSl6TJwZPJAoQllbJJz9q90sBetvqx6Y08eqIzsSZw6pznpvivRR+TSKU0EkVYS2y2zBAvPK6oyunj5zi01/FACT+Qn70dUkumZAvcPssbl0hCs/xDLgEL6hCEvoszodyMYVn7HS0KwfUlfiGdNUOFHIl
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzd1XAB7Pc8Tplur5iV3llOXtvlHru8pLtQlbvHzmt1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOE7oDtq+xt5RuvMigDZMeZQODFr5Otz6HCO8wnI80oo

modules/users/keys/tomate.keys

@@ -1 +1,2 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn thubrecht@dell-xps

modules/zsh.nix

@@ -4,5 +4,13 @@
   programs.zsh.enableGlobalCompInit = false;
   programs.zsh.interactiveShellInit = ''
     source ${pkgs.zsh-nix-shell}/share/zsh-nix-shell/nix-shell.plugin.zsh
-  '';
+    '';
+  programs.zsh = {
+    autosuggestions.enable = true;
+    promptInit = ''
+      source ${pkgs.grml-zsh-config}/etc/zsh/zshrc
+    '';
+  };
+
+  users.defaultUserShell = pkgs.zsh;
 }