julian/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Releases Wiki Activity

Start migration to using flake-parts

Browse Source
This commit is contained in:
Julian Mutter
2026-03-23 20:34:48 +01:00
parent ba56618049
commit 6cbe60c784
158 changed files with 1935 additions and 1830 deletions
Download Patch File Download Diff File Expand all files Collapse all files

636
hosts/builder/default.nix
View File

@@ -2,352 +2,362 @@
# or
# deploy .#builder
{
config,
pkgs,
inputs,
self,
...
}: {
imports = [
./hardware-configuration.nix
../common/global/fish.nix # fish for admin
../common/global/locale.nix
../common/global/nix.nix
../common/global/sops.nix
../common/global/root.nix
];
networking.hostName = "builder";
system.stateVersion = "23.11";
networking.networkmanager.enable = true;
networking.nameservers = [
"192.168.3.252"
"172.30.20.10"
"1.1.1.1"
];
users.mutableUsers = false;
users.users.nix = {
isNormalUser = true;
description = "Nix";
extraGroups = [
"networkmanager"
"wheel"
"docker"
flake.nixosConfigurations.builder = inputs.nixpkgs.lib.nixosSystem {
modules = [
self.nixosModules.hosts.builder
];
};
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# Setup binary caches
nix.settings = {
substituters = [
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
"https://hyprland.cachix.org"
"https://devenv.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
flake.nixosModules.hosts.builder = {
config,
pkgs,
...
}: {
imports = [
../common/global/fish.nix # fish for admin
../common/global/locale.nix
../common/global/nix.nix
../common/global/sops.nix
../common/global/root.nix
];
trusted-users = ["nix"];
max-jobs = "auto";
cores = 0;
networking.hostName = "builder";
system.stateVersion = "23.11";
# Ensure we can still build when missing-server is not accessible
fallback = true;
};
# system.autoUpgrade = {
# enable = true;
# flake = "git+https://gitlab.julian-mutter.de/julian/dotfiles";
# flags = [
# "--recreate-lock-file" # update lock file
# ];
# dates = "02:13";
# };
# optimize store by hardlinking store files
nix.optimise.automatic = true;
nix.optimise.dates = ["03:15"];
# nix.gc.automatic = true;
# nix.gc.dates = "daily";
# nix.gc.options = "--delete-old";
# nix.settings.keep-derivations = false;
# nix.settings.keep-outputs = true;
# Garbage collect up to 100 GiB when only 20 GiB storage left
nix.extraOptions = ''
min-free = ${toString (20 * 1024 * 1024 * 1024)}
max-free = ${toString (100 * 1024 * 1024 * 1024)}
'';
nix.nrBuildUsers = 64;
# prevent memory to get filled
systemd.services.nix-daemon.serviceConfig = {
MemoryAccounting = true;
MemoryMax = "90%";
OOMScoreAdjust = 500;
};
# Ollama used by open-webui as llm backend
services.ollama = {
enable = true;
# acceleration = "rocm";
openFirewall = true;
};
services.nextjs-ollama-llm-ui = {
enable = true;
hostname = "192.168.3.118";
port = 3001;
};
# services.open-webui = {
# enable = true;
# port = 8080;
# openFirewall = true;
# host = "builder.julian-mutter.de";
# };
networking.firewall.allowedTCPPorts = [
80
3001 # ollama-ui
];
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "yes";
# Add older algorithms for jenkins ssh-agents-plugin to be compatible
settings.Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
networking.networkmanager.enable = true;
networking.nameservers = [
"192.168.3.252"
"172.30.20.10"
"1.1.1.1"
];
settings.KexAlgorithms = [
"diffie-hellman-group-exchange-sha1"
"diffie-hellman-group14-sha1"
"mlkem768x25519-sha256"
"sntrup761x25519-sha512"
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFcS+3d1tNgHmYCjueymCV9Bd2LcJcKGhVobrDe3r0s julian@kardorf"
];
users.users."nix".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAIQ+qMuXvyoxO1DuCR3/x+IQRfSA2WyMuzuotWZjCye root@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnfLJnS2SKUs47J0qpLTkk0LQA5quOuAhnxE6yppUDm root@kardorf"
];
# security.pam.sshAgentAuth.enable = true; # enable sudo via ssh
services.hydra = {
enable = true;
hydraURL = "http://hydra.julian-mutter.de"; # externally visible URL
port = 3000;
notificationSender = "hydra@julian-mutter.de"; # e-mail of hydra service
# a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
# buildMachinesFiles = [ ];
# you will probably also want, otherwise *everything* will be built from scratch
useSubstitutes = true;
minimumDiskFree = 5; # in GB
minimumDiskFreeEvaluator = 4; # in GB
};
# add builder itself as build machine so system emulation is properly supported
# nix.distributedBuilds = true;
nix.buildMachines = [
{
hostName = "localhost";
protocol = null;
# sshUser = "nix";
systems = [
"x86_64-linux"
"aarch64-linux"
users.mutableUsers = false;
users.users.nix = {
isNormalUser = true;
description = "Nix";
extraGroups = [
"networkmanager"
"wheel"
"docker"
];
maxJobs = 4;
speedFactor = 3;
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
};
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# Setup binary caches
nix.settings = {
substituters = [
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
"https://hyprland.cachix.org"
"https://devenv.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
];
}
];
# Uris allowed as flake inputs, otherwise hydra does not fetch them
nix.settings.allowed-uris = [
"github:"
"gitlab:"
"git+https://github.com/hyprwm/Hyprland"
"https://github.com/hyprwm/Hyprland"
"https://github"
"https://gitlab"
"https://gitlab.julian-mutter.de"
"git+https://gitlab.julian-mutter.de"
];
trusted-users = ["nix"];
max-jobs = "auto";
cores = 0;
services.nginx = {
enable = true;
recommendedProxySettings = true;
# recommendedTlsSettings = true;
# other Nginx options
virtualHosts."hydra.julian-mutter.de" = {
# enableACME = true;
# forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# proxyWebsockets = true; # needed if you need to use WebSocket
# extraConfig =
# # required when the target is also TLS server with multiple hosts
# "proxy_ssl_server_name on;" +
# # required when the server wants to use HTTP Authentication
# "proxy_pass_header Authorization;"
# ;
# Ensure we can still build when missing-server is not accessible
fallback = true;
};
# system.autoUpgrade = {
# enable = true;
# flake = "git+https://gitlab.julian-mutter.de/julian/dotfiles";
# flags = [
# "--recreate-lock-file" # update lock file
# ];
# dates = "02:13";
# };
# optimize store by hardlinking store files
nix.optimise.automatic = true;
nix.optimise.dates = ["03:15"];
# nix.gc.automatic = true;
# nix.gc.dates = "daily";
# nix.gc.options = "--delete-old";
# nix.settings.keep-derivations = false;
# nix.settings.keep-outputs = true;
# Garbage collect up to 100 GiB when only 20 GiB storage left
nix.extraOptions = ''
min-free = ${toString (20 * 1024 * 1024 * 1024)}
max-free = ${toString (100 * 1024 * 1024 * 1024)}
'';
nix.nrBuildUsers = 64;
# prevent memory to get filled
systemd.services.nix-daemon.serviceConfig = {
MemoryAccounting = true;
MemoryMax = "90%";
OOMScoreAdjust = 500;
};
# Ollama used by open-webui as llm backend
services.ollama = {
enable = true;
# acceleration = "rocm";
openFirewall = true;
};
services.nextjs-ollama-llm-ui = {
enable = true;
hostname = "192.168.3.118";
port = 3001;
};
# services.open-webui = {
# enable = true;
# port = 8080;
# openFirewall = true;
# host = "builder.julian-mutter.de";
# };
networking.firewall.allowedTCPPorts = [
80
3001 # ollama-ui
];
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "yes";
# Add older algorithms for jenkins ssh-agents-plugin to be compatible
settings.Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
settings.KexAlgorithms = [
"diffie-hellman-group-exchange-sha1"
"diffie-hellman-group14-sha1"
"mlkem768x25519-sha256"
"sntrup761x25519-sha512"
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFcS+3d1tNgHmYCjueymCV9Bd2LcJcKGhVobrDe3r0s julian@kardorf"
];
users.users."nix".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAIQ+qMuXvyoxO1DuCR3/x+IQRfSA2WyMuzuotWZjCye root@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnfLJnS2SKUs47J0qpLTkk0LQA5quOuAhnxE6yppUDm root@kardorf"
];
# security.pam.sshAgentAuth.enable = true; # enable sudo via ssh
services.hydra = {
enable = true;
hydraURL = "http://hydra.julian-mutter.de"; # externally visible URL
port = 3000;
notificationSender = "hydra@julian-mutter.de"; # e-mail of hydra service
# a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
# buildMachinesFiles = [ ];
# you will probably also want, otherwise *everything* will be built from scratch
useSubstitutes = true;
minimumDiskFree = 5; # in GB
minimumDiskFreeEvaluator = 4; # in GB
};
# add builder itself as build machine so system emulation is properly supported
# nix.distributedBuilds = true;
nix.buildMachines = [
{
hostName = "localhost";
protocol = null;
# sshUser = "nix";
systems = [
"x86_64-linux"
"aarch64-linux"
];
maxJobs = 4;
speedFactor = 3;
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
];
}
];
# Uris allowed as flake inputs, otherwise hydra does not fetch them
nix.settings.allowed-uris = [
"github:"
"gitlab:"
"git+https://github.com/hyprwm/Hyprland"
"https://github.com/hyprwm/Hyprland"
"https://github"
"https://gitlab"
"https://gitlab.julian-mutter.de"
"git+https://gitlab.julian-mutter.de"
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
# recommendedTlsSettings = true;
# other Nginx options
virtualHosts."hydra.julian-mutter.de" = {
# enableACME = true;
# forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# proxyWebsockets = true; # needed if you need to use WebSocket
# extraConfig =
# # required when the target is also TLS server with multiple hosts
# "proxy_ssl_server_name on;" +
# # required when the server wants to use HTTP Authentication
# "proxy_pass_header Authorization;"
# ;
};
};
virtualHosts."binarycache.julian-mutter.de" = {
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
clientMaxBodySize = "2G";
virtualHosts."cache.julian-mutter.de" = {
locations."/".proxyPass = "http://127.0.0.1:8080";
};
};
virtualHosts."binarycache.julian-mutter.de" = {
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
# =========== Gitea actions ==========
services.gitea-actions-runner.instances."builder" = {
enable = true;
url = "https://gitlab.julian-mutter.de";
name = "builder";
tokenFile = config.sops.secrets."gitea_token".path;
labels = [
# provide a debian base with nodejs for actions
"debian-latest:docker://node:18-bullseye"
# fake the ubuntu name, because node provides no ubuntu builds
"ubuntu-latest:docker://node:18-bullseye"
# devenv
"devenv:docker://ghcr.io/cachix/devenv/devenv:latest"
# provide native execution on the host
"nixos:host"
];
};
clientMaxBodySize = "2G";
virtualHosts."cache.julian-mutter.de" = {
locations."/".proxyPass = "http://127.0.0.1:8080";
virtualisation.docker.enable = true;
# TODO: podman fails with: "cannot resolve hostname"
# virtualisation.podman = {
# enable = true;
# dockerCompat = true;
# defaultNetwork.settings.dns_enabled = true;
# };
sops.secrets."gitea_token" = {
owner = config.users.users.nix.name;
sopsFile = ./secrets.yaml;
};
};
# =========== Gitea actions ==========
services.gitea-actions-runner.instances."builder" = {
enable = true;
url = "https://gitlab.julian-mutter.de";
name = "builder";
tokenFile = config.sops.secrets."gitea_token".path;
labels = [
# provide a debian base with nodejs for actions
"debian-latest:docker://node:18-bullseye"
# fake the ubuntu name, because node provides no ubuntu builds
"ubuntu-latest:docker://node:18-bullseye"
# devenv
"devenv:docker://ghcr.io/cachix/devenv/devenv:latest"
# provide native execution on the host
"nixos:host"
];
};
# =========== Binary Cache ==========
services.nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
};
virtualisation.docker.enable = true;
# =========== Binary Cache with attic ==========
sops.secrets."attic_token".sopsFile = ./secrets.yaml;
# TODO: podman fails with: "cannot resolve hostname"
# virtualisation.podman = {
# enable = true;
# dockerCompat = true;
# defaultNetwork.settings.dns_enabled = true;
# };
services.atticd = {
enable = true;
environmentFile = config.sops.secrets."attic_token".path;
settings = {
listen = "[::]:8080";
sops.secrets."gitea_token" = {
owner = config.users.users.nix.name;
sopsFile = ./secrets.yaml;
};
jwt = {};
# =========== Binary Cache ==========
services.nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
};
# =========== Binary Cache with attic ==========
sops.secrets."attic_token".sopsFile = ./secrets.yaml;
services.atticd = {
enable = true;
environmentFile = config.sops.secrets."attic_token".path;
settings = {
listen = "[::]:8080";
jwt = {};
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
# Data chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
};
};
};
services.gitlab-runner.enable = true;
# runner for everything else
#
sops.secrets."gitlab_runner_token".sopsFile = ./secrets.yaml;
services.gitlab-runner.services.default = {
# File should contain at least these two variables:
authenticationTokenConfigFile = config.sops.secrets."gitlab_runner_token".path;
dockerImage = "alpine:latest";
dockerVolumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
};
services.gitlab-runner.enable = true;
# runner for everything else
#
sops.secrets."gitlab_runner_token".sopsFile = ./secrets.yaml;
services.gitlab-runner.services.default = {
# File should contain at least these two variables:
authenticationTokenConfigFile = config.sops.secrets."gitlab_runner_token".path;
dockerImage = "alpine:latest";
dockerVolumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
};
### Jenkins node
users.users.jenkins = {
createHome = true;
home = "/var/lib/jenkins";
group = "jenkins";
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ36sQhVz3kUEi8754G7r3rboihhG4iqFK/UvQm6SING jenkins@home"
];
packages = with pkgs; [
git
devenv
];
extraGroups = [
"docker"
];
};
### Jenkins node
users.users.jenkins = {
createHome = true;
home = "/var/lib/jenkins";
group = "jenkins";
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ36sQhVz3kUEi8754G7r3rboihhG4iqFK/UvQm6SING jenkins@home"
];
packages = with pkgs; [
git
devenv
];
extraGroups = [
"docker"
];
};
users.groups.jenkins = {};
programs.java = {
enable = true;
package = pkgs.jdk21; # Same as jenkins version on home
users.groups.jenkins = {};
programs.java = {
enable = true;
package = pkgs.jdk21; # Same as jenkins version on home
};
};
}

96
hosts/builder/hardware-configuration.nix
View File

@@ -1,50 +1,52 @@
{lib, ...}: {
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
# boot.initrd.kernelModules = [ "amdgpu" ]; # GPU support
boot.kernelModules = [];
boot.extraModulePackages = [];
{
flake.nixosModules.hosts.builder = {lib, ...}: {
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
# boot.initrd.kernelModules = [ "amdgpu" ]; # GPU support
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/f088fe8e-bf3d-4a89-98bd-ead9852d381f";
fsType = "ext4";
fileSystems."/" = {
device = "/dev/disk/by-uuid/f088fe8e-bf3d-4a89-98bd-ead9852d381f";
fsType = "ext4";
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
# hardware.graphics = {
# enable = true;
# extraPackages = with pkgs; [
# rocmPackages.clr.icd
# linuxPackages.amdgpu-pro
# ];
# };
# boot.kernelParams = [
# "radeon.si_support=0"
# "radeon.cik_support=1"
# "amdgpu.si_support=0"
# "amdgpu.cik_support=1"
# ];
# boot.extraModulePackages = with config.boot.kernelPackages; [ amdgpu-pro ];
# boot.blacklistedKernelModules = [ "radeon" ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
# Emulated systems used as alternative to cross-compiling
boot.binfmt.emulatedSystems = ["aarch64-linux"];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
# hardware.graphics = {
# enable = true;
# extraPackages = with pkgs; [
# rocmPackages.clr.icd
# linuxPackages.amdgpu-pro
# ];
# };
# boot.kernelParams = [
# "radeon.si_support=0"
# "radeon.cik_support=1"
# "amdgpu.si_support=0"
# "amdgpu.cik_support=1"
# ];
# boot.extraModulePackages = with config.boot.kernelPackages; [ amdgpu-pro ];
# boot.blacklistedKernelModules = [ "radeon" ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
# Emulated systems used as alternative to cross-compiling
boot.binfmt.emulatedSystems = ["aarch64-linux"];
}