From 946585d1caab9a2f7e3c52e9845b3080b5ccec45 Mon Sep 17 00:00:00 2001 From: Hendrik Sokolowski <hensoko@gssws.de> Date: Wed, 29 May 2024 14:08:59 +0200 Subject: [PATCH] initial commit of tankstelle --- flake.nix | 4 ++ hosts/default.nix | 10 ++++ hosts/tankstelle/backups.nix | 13 +++++ hosts/tankstelle/configuration.nix | 17 +++++++ hosts/tankstelle/default.nix | 12 +++++ hosts/tankstelle/hardware-configuration.nix | 39 +++++++++++++++ hosts/tankstelle/networking.nix | 39 +++++++++++++++ hosts/tankstelle/wireguard.nix | 54 +++++++++++++++++++++ 8 files changed, 188 insertions(+) create mode 100644 hosts/tankstelle/backups.nix create mode 100644 hosts/tankstelle/configuration.nix create mode 100644 hosts/tankstelle/default.nix create mode 100644 hosts/tankstelle/hardware-configuration.nix create mode 100644 hosts/tankstelle/networking.nix create mode 100644 hosts/tankstelle/wireguard.nix diff --git a/flake.nix b/flake.nix index d97687a9..0f6d830c 100644 --- a/flake.nix +++ b/flake.nix @@ -122,6 +122,10 @@ hostname = "10.7.6.2"; sshUser = username; }; + tankstelle = { + hostname = "80.244.242.5"; + sshUser = username; + }; }; }; }; diff --git a/hosts/default.nix b/hosts/default.nix index c17b5cc3..429730cf 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -58,6 +58,16 @@ self.nixosModules.loki ]; }; + + tankstelle = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./tankstelle + self.nixosModules.overlays + self.nixosModules.core + ]; + }; }; }; } diff --git a/hosts/tankstelle/backups.nix b/hosts/tankstelle/backups.nix new file mode 100644 index 00000000..c5bf79b8 --- /dev/null +++ b/hosts/tankstelle/backups.nix @@ -0,0 +1,13 @@ +{ flake, ... }: +{ + age.secrets."restic-repo-droppie" = { + file = "${flake.self}/secrets/restic-repo-droppie.age"; + mode = "400"; + owner = "root"; + }; + age.secrets."restic-repo-storagebox" = { + file = "${flake.self}/secrets/restic-repo-storagebox.age"; + mode = "400"; + owner = "root"; + }; +} diff --git a/hosts/tankstelle/configuration.nix b/hosts/tankstelle/configuration.nix new file mode 100644 index 00000000..73f3b907 --- /dev/null +++ b/hosts/tankstelle/configuration.nix @@ -0,0 +1,17 @@ +{ + flake, + config, + pkgs, + ... +}: +{ + imports = + [ + ./hardware-configuration.nix + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + system.stateVersion = "23.11"; +} diff --git a/hosts/tankstelle/default.nix b/hosts/tankstelle/default.nix new file mode 100644 index 00000000..845d466c --- /dev/null +++ b/hosts/tankstelle/default.nix @@ -0,0 +1,12 @@ +{ flake, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./configuration.nix + + ./networking.nix + #./wireguard.nix + #./backups.nix + ]; +} diff --git a/hosts/tankstelle/hardware-configuration.nix b/hosts/tankstelle/hardware-configuration.nix new file mode 100644 index 00000000..b1e302a5 --- /dev/null +++ b/hosts/tankstelle/hardware-configuration.nix @@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/17531ffc-46bd-4259-8287-2dea73804b5b"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/AF98-AA5C"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/7aee04b5-1ef9-43de-acb4-70ac1238b58a"; } + ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/tankstelle/networking.nix b/hosts/tankstelle/networking.nix new file mode 100644 index 00000000..83d60e13 --- /dev/null +++ b/hosts/tankstelle/networking.nix @@ -0,0 +1,39 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + networking = { + hostName = "tankstelle"; + domain = "pub.solar"; + enableIPv6 = true; + defaultGateway = { + address = "80.244.242.1"; + interface = "enp1s0"; + }; + defaultGateway6 = { + address = "2001:4d88:1ffa:26::1"; + interface = "enp1s0"; + }; + nameservers = [ "95.129.51.51" "80.244.244.244" ]; + interfaces."enp1s0" = { + ipv4.addresses = [ + { + address = "80.244.242.5"; + prefixLength = 29; + } + ]; + ipv6.addresses = [ + { + address = "2001:4d88:1ffa:26::5"; + prefixLength = 64; + } + ]; + }; + }; + + # TODO: ssh via wireguard only + services.openssh.openFirewall = true; +} diff --git a/hosts/tankstelle/wireguard.nix b/hosts/tankstelle/wireguard.nix new file mode 100644 index 00000000..0eef6975 --- /dev/null +++ b/hosts/tankstelle/wireguard.nix @@ -0,0 +1,54 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "10.7.6.3/32" + "fd00:fae:fae:fae:fae:3::/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + # flora-6.pub.solar + endpoint = "80.71.153.210:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + } + { + # nachtigall.pub.solar + endpoint = "138.201.80.102:51820"; + publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk="; + allowedIPs = [ + "10.7.6.1/32" + "fd00:fae:fae:fae:fae:1::/96" + ]; + } + ]; + }; + }; + + services.openssh.listenAddresses = [ + { + addr = "10.7.6.3"; + port = 22; + } + { + addr = "[fd00:fae:fae:fae:fae:3::]"; + port = 22; + } + ]; +}