kawa/modules/kawa-physical.nix
Debian 46d9c852ab Security: Replace hardcoded passwords with placeholders
- Replace kawa:kawa123@100.64.0.1:4222 with NATS placeholders
- Replace initialPassword 'kawa2026' with <INITIAL_PASSWORD>
- Update README with password placeholders
- Add security notes for default credentials

Safe for public release.
2026-03-17 02:00:37 +00:00


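# KAWA Physical - configuration for a physical CPU-only machine.
# Usage: imports = [ ./modules/kawa-physical.nix ];
#
# <HEADSCALE_AUTHKEY> and <INITIAL_PASSWORD> are placeholders and must be
# substituted before deployment. Note that every string in this module ends up
# in the world-readable Nix store, so the substituted values are not secret on
# the built machine; the comments below point at file-based alternatives.
{ pkgs, ... }:
{
  # Fixed hostname (no /sys lookup - pure mode)
  networking.hostName = "kawa-honor-v4";

  # === TAILSCALE - base installation ===
  services.tailscale = {
    enable = true;
    package = pkgs.tailscale;
  };

  # systemd service that joins the mesh AFTER boot
  systemd.services.kawa-mesh-connect = {
    description = "KAWA Mesh Auto-Connect";
    after = [ "network-online.target" "tailscaled.service" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      # The auth key is interpolated into the unit file, i.e. into the Nix store.
      # Prefer `services.tailscale.authKeyFile` pointing at a root-only file so the
      # key never reaches the store or the build logs.
      ExecStart = "${pkgs.tailscale}/bin/tailscale up --login-server=https://headscale.du-senegal.com --authkey=<HEADSCALE_AUTHKEY> --force-reauth";
    };
  };

  # OLLAMA - CPU only
  services.ollama = {
    enable = true;
    acceleration = null;
    # Binds on all interfaces; together with port 11434 in allowedTCPPorts below
    # the (unauthenticated) Ollama API is reachable from any network, not only
    # the mesh. Use "127.0.0.1" or the tailscale0 address to restrict it.
    host = "0.0.0.0";
    port = 11434;
  };

  # SSH
  services.openssh = {
    enable = true;
    settings = {
      # Root login with a password from any interface (port 22 is in
      # allowedTCPPorts). The NixOS default is "prohibit-password"; keep that
      # default and use `users.users.root.openssh.authorizedKeys` unless root
      # password login is genuinely required.
      PermitRootLogin = "yes";
      PasswordAuthentication = true;
    };
  };

  # NATS
  services.nats = {
    enable = true;
    settings = {
      # No `authorization` block: clients connect unauthenticated. The commit
      # message refers to user:password NATS credentials elsewhere; if clients
      # are expected to present them, the server needs a matching
      # `authorization` entry - confirm against the client configs.
      port = 4222;
      http_port = 8222;  # monitoring endpoint; not opened in the firewall below
    };
  };

  # Syncthing
  services.syncthing = {
    enable = true;
    user = "kawa";
    group = "kawa";
  };

  # User
  users.users.kawa = {
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" "tailscale" ];
    # initialPassword is applied only when the user is first created and is
    # stored in clear text in the Nix store. Prefer `hashedPasswordFile`
    # (`passwordFile` on older releases) pointing at a root-only file.
    initialPassword = "<INITIAL_PASSWORD>";
  };

  # Firewall
  networking.firewall = {
    # trustedInterfaces already allows all traffic from the mesh; the ports
    # listed here (22 SSH, 11434 Ollama, 4222 NATS, 22000 Syncthing) are
    # additionally open on every other interface. Remove the service ports from
    # allowedTCPPorts if they should only be reachable over tailscale0.
    allowedTCPPorts = [ 22 11434 4222 22000 ];
    allowedUDPPorts = [ 41641 22000 ];  # 41641 Tailscale WireGuard, 22000 Syncthing
    trustedInterfaces = [ "tailscale0" ];
  };

  # Packages
  environment.systemPackages = with pkgs; [
    git vim tailscale ollama nats-cli curl wget htop
  ];
}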