From 946585d1caab9a2f7e3c52e9845b3080b5ccec45 Mon Sep 17 00:00:00 2001
From: Hendrik Sokolowski <hensoko@gssws.de>
Date: Wed, 29 May 2024 14:08:59 +0200
Subject: [PATCH] initial commit of tankstelle

---
 flake.nix                                   |  4 ++
 hosts/default.nix                           | 10 ++++
 hosts/tankstelle/backups.nix                | 13 +++++
 hosts/tankstelle/configuration.nix          | 17 +++++++
 hosts/tankstelle/default.nix                | 12 +++++
 hosts/tankstelle/hardware-configuration.nix | 39 +++++++++++++++
 hosts/tankstelle/networking.nix             | 39 +++++++++++++++
 hosts/tankstelle/wireguard.nix              | 54 +++++++++++++++++++++
 8 files changed, 188 insertions(+)
 create mode 100644 hosts/tankstelle/backups.nix
 create mode 100644 hosts/tankstelle/configuration.nix
 create mode 100644 hosts/tankstelle/default.nix
 create mode 100644 hosts/tankstelle/hardware-configuration.nix
 create mode 100644 hosts/tankstelle/networking.nix
 create mode 100644 hosts/tankstelle/wireguard.nix

diff --git a/flake.nix b/flake.nix
index d97687a9..0f6d830c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -122,6 +122,10 @@
               hostname = "10.7.6.2";
               sshUser = username;
             };
+            tankstelle = {
+              hostname = "80.244.242.5";
+              sshUser = username;
+            };
           };
         };
     };
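Review bot: The new deploy target reaches tankstelle over its public address `80.244.242.5`, whereas the sibling entry above uses a WireGuard overlay address (`10.7.6.2`), so once `wireguard.nix` is enabled and sshd is bound to the tunnel addresses only, this entry will stop working. Consider recording that in place, e.g. `# TODO: switch to the wg-ssh address (10.7.6.3) once hosts/tankstelle/wireguard.nix is enabled`, or using the tunnel address from the start so deployments never traverse the public interface. The enclosing attribute set starts outside the hunk.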
diff --git a/hosts/default.nix b/hosts/default.nix
index c17b5cc3..429730cf 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -58,6 +58,16 @@
           self.nixosModules.loki
         ];
       };
+
+      tankstelle = self.nixos-flake.lib.mkLinuxSystem {
+        imports = [
+          self.inputs.agenix.nixosModules.default
+          self.nixosModules.home-manager
+          ./tankstelle
+          self.nixosModules.overlays
+          self.nixosModules.core
+        ];
+      };
     };
   };
 }
diff --git a/hosts/tankstelle/backups.nix b/hosts/tankstelle/backups.nix
new file mode 100644
index 00000000..c5bf79b8
--- /dev/null
+++ b/hosts/tankstelle/backups.nix
@@ -0,0 +1,13 @@
+{ flake, ... }:
+{
+  age.secrets."restic-repo-droppie" = {
+    file = "${flake.self}/secrets/restic-repo-droppie.age";
+    mode = "400";
+    owner = "root";
+  };
+  age.secrets."restic-repo-storagebox" = {
+    file = "${flake.self}/secrets/restic-repo-storagebox.age";
+    mode = "400";
+    owner = "root";
+  };
+}
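Review bot: The two `age.secrets` entries declare restic repository secrets, but nothing in this file consumes them and the module is commented out in `hosts/tankstelle/default.nix`, so the file currently records intent rather than configuring a backup. A header comment stating what is expected to read these secrets (presumably a `services.restic.backups` definition still to be written, or a shared module) would tell the next maintainer whether the declarations are meant to stay; as written, enabling the module would only decrypt two repository credentials onto the host with no job using them.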
diff --git a/hosts/tankstelle/configuration.nix b/hosts/tankstelle/configuration.nix
new file mode 100644
index 00000000..73f3b907
--- /dev/null
+++ b/hosts/tankstelle/configuration.nix
@@ -0,0 +1,17 @@
+{
+  flake,
+  config,
+  pkgs,
+  ...
+}:
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  system.stateVersion = "23.11";
+}
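Review bot: `flake`, `config` and `pkgs` are bound in the module's argument set but none of them is used in the body, and `./hardware-configuration.nix` is already imported by `hosts/tankstelle/default.nix`, so the `imports` list here is redundant (as far as I can tell the module system deduplicates modules by path, so it is harmless, but it obscures which file owns the hardware import). Trimming the header to `{ ... }:` and dropping `imports` would leave only the bootloader and `system.stateVersion` settings, which is all this file contributes.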
diff --git a/hosts/tankstelle/default.nix b/hosts/tankstelle/default.nix
new file mode 100644
index 00000000..845d466c
--- /dev/null
+++ b/hosts/tankstelle/default.nix
@@ -0,0 +1,12 @@
+{ flake, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+
+    ./networking.nix
+    #./wireguard.nix
+    #./backups.nix
+  ];
+}
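Review bot: `./wireguard.nix` and `./backups.nix` are commented out without explanation, so a reader cannot tell whether they are disabled deliberately (secrets not yet provisioned?) or were left over from copying another host's directory; a comment such as `# disabled until this host's WireGuard private key and restic secrets exist under secrets/` would record the reason and what unblocks it. `./hardware-configuration.nix` is also imported a second time from `./configuration.nix`; one of the two imports can go. The unused `flake` argument could become `{ ... }:`.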
diff --git a/hosts/tankstelle/hardware-configuration.nix b/hosts/tankstelle/hardware-configuration.nix
new file mode 100644
index 00000000..b1e302a5
--- /dev/null
+++ b/hosts/tankstelle/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/17531ffc-46bd-4259-8287-2dea73804b5b";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/AF98-AA5C";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7aee04b5-1ef9-43de-acb4-70ac1238b58a"; }
+    ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/tankstelle/networking.nix b/hosts/tankstelle/networking.nix
new file mode 100644
index 00000000..83d60e13
--- /dev/null
+++ b/hosts/tankstelle/networking.nix
@@ -0,0 +1,39 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+  networking = {
+    hostName = "tankstelle";
+    domain = "pub.solar";
+    enableIPv6 = true;
+    defaultGateway = {
+      address = "80.244.242.1";
+      interface = "enp1s0";
+    };
+    defaultGateway6 = {
+      address = "2001:4d88:1ffa:26::1";
+      interface = "enp1s0";
+    };
+    nameservers = [ "95.129.51.51" "80.244.244.244" ];
+    interfaces."enp1s0" = {
+      ipv4.addresses = [
+        {
+          address = "80.244.242.5";
+          prefixLength = 29;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "2001:4d88:1ffa:26::5";
+          prefixLength = 64;
+        }
+      ];
+    };
+  };
+
+  # TODO: ssh via wireguard only
+  services.openssh.openFirewall = true;
+}
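Review bot: `services.openssh.openFirewall = true` with no `listenAddresses` set means sshd accepts connections on the public address `80.244.242.5` and its IPv6 counterpart, and the TODO on the line above acknowledges that WireGuard-only access is the intended end state. Until `wireguard.nix` is enabled it is worth making the interim exposure explicit here, unless the `core` module already does so (not visible in this commit): `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` keep the public listener key-only, and the TODO could name what it is waiting on. `config` and `pkgs` are bound but unused and could be dropped from the argument set.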
diff --git a/hosts/tankstelle/wireguard.nix b/hosts/tankstelle/wireguard.nix
new file mode 100644
index 00000000..0eef6975
--- /dev/null
+++ b/hosts/tankstelle/wireguard.nix
@@ -0,0 +1,54 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age";
+
+  networking.wireguard.interfaces = {
+    wg-ssh = {
+      listenPort = 51820;
+      mtu = 1300;
+      ips = [
+        "10.7.6.3/32"
+        "fd00:fae:fae:fae:fae:3::/96"
+      ];
+      privateKeyFile = config.age.secrets.wg-private-key.path;
+      peers = flake.self.logins.admins.wireguardDevices ++ [
+        {
+          # flora-6.pub.solar
+          endpoint = "80.71.153.210:51820";
+          publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+          allowedIPs = [
+            "10.7.6.2/32"
+            "fd00:fae:fae:fae:fae:2::/96"
+          ];
+        }
+        {
+          # nachtigall.pub.solar
+          endpoint = "138.201.80.102:51820";
+          publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
+          allowedIPs = [
+            "10.7.6.1/32"
+            "fd00:fae:fae:fae:fae:1::/96"
+          ];
+        }
+      ];
+    };
+  };
+
+  services.openssh.listenAddresses = [
+    {
+      addr = "10.7.6.3";
+      port = 22;
+    }
+    {
+      addr = "[fd00:fae:fae:fae:fae:3::]";
+      port = 22;
+    }
+  ];
+}
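Review bot: The private key for this host's `wg-ssh` interface is read from `secrets/metronom-wg-private-key.age`, a file named after what looks like a different host (metronom), while every other identifier in the file is tankstelle-specific (`10.7.6.3/32`, `fd00:fae:fae:fae:fae:3::/96`). If that file really is metronom's key, both hosts would present the same public key to the peers, which WireGuard cannot tell apart and which makes a compromise of one host a compromise of both tunnels; if it is a copy-paste slip, the path should point at a tankstelle-specific secret (constructed example: `secrets/tankstelle-wg-private-key.age`) and the peers' configurations updated with the matching public key. A short comment next to the `age.secrets` line recording which host the key belongs to would help either way. Note also that the module is still commented out in `default.nix`, so the `services.openssh.listenAddresses` restriction has no effect yet and `openFirewall = true` in `networking.nix` remains the effective SSH exposure.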