2024-05-31 14:49:21 +00:00
8 changed files with 188 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -122,6 +122,10 @@
              hostname = "10.7.6.2";
              sshUser = username;
            };
+            tankstelle = {
+              hostname = "80.244.242.5";
+              sshUser = username;
+            };
          };
        };
    };
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -58,6 +58,16 @@
          self.nixosModules.loki
        ];
      };
+
+      tankstelle = self.nixos-flake.lib.mkLinuxSystem {
+        imports = [
+          self.inputs.agenix.nixosModules.default
+          self.nixosModules.home-manager
+          ./tankstelle
+          self.nixosModules.overlays
+          self.nixosModules.core
+        ];
+      };
    };
  };
 }
--- a/hosts/tankstelle/backups.nix
+++ b/hosts/tankstelle/backups.nix
@ -0,0 +1,13 @@
+{ flake, ... }:
+{
+  age.secrets."restic-repo-droppie" = {
+    file = "${flake.self}/secrets/restic-repo-droppie.age";
+    mode = "400";
+    owner = "root";
+  };
+  age.secrets."restic-repo-storagebox" = {
+    file = "${flake.self}/secrets/restic-repo-storagebox.age";
+    mode = "400";
+    owner = "root";
+  };
+}
--- a/hosts/tankstelle/configuration.nix
+++ b/hosts/tankstelle/configuration.nix
@ -0,0 +1,17 @@
+{
+  flake,
+  config,
+  pkgs,
+  ...
+}:
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  system.stateVersion = "23.11";
+}
--- a/hosts/tankstelle/default.nix
+++ b/hosts/tankstelle/default.nix
@ -0,0 +1,12 @@
+{ flake, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+
+    ./networking.nix
+    #./wireguard.nix
+    #./backups.nix
+  ];
+}
--- a/hosts/tankstelle/hardware-configuration.nix
+++ b/hosts/tankstelle/hardware-configuration.nix
@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/17531ffc-46bd-4259-8287-2dea73804b5b";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/AF98-AA5C";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7aee04b5-1ef9-43de-acb4-70ac1238b58a"; }
+    ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/tankstelle/networking.nix
+++ b/hosts/tankstelle/networking.nix
@ -0,0 +1,39 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+  networking = {
+    hostName = "tankstelle";
+    domain = "pub.solar";
+    enableIPv6 = true;
+    defaultGateway = {
+      address = "80.244.242.1";
+      interface = "enp1s0";
+    };
+    defaultGateway6 = {
+      address = "2001:4d88:1ffa:26::1";
+      interface = "enp1s0";
+    };
+    nameservers = [ "95.129.51.51" "80.244.244.244" ];
+    interfaces."enp1s0" = {
+      ipv4.addresses = [
+        {
+          address = "80.244.242.5";
+          prefixLength = 29;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "2001:4d88:1ffa:26::5";
+          prefixLength = 64;
+        }
+      ];
+    };
+  };
+
+  # TODO: ssh via wireguard only
+  services.openssh.openFirewall = true;
+}
--- a/hosts/tankstelle/wireguard.nix
+++ b/hosts/tankstelle/wireguard.nix
@ -0,0 +1,54 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age";
+
+  networking.wireguard.interfaces = {
+    wg-ssh = {
+      listenPort = 51820;
+      mtu = 1300;
+      ips = [
+        "10.7.6.3/32"
+        "fd00:fae:fae:fae:fae:3::/96"
+      ];
+      privateKeyFile = config.age.secrets.wg-private-key.path;
+      peers = flake.self.logins.admins.wireguardDevices ++ [
+        {
+          # flora-6.pub.solar
+          endpoint = "80.71.153.210:51820";
+          publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+          allowedIPs = [
+            "10.7.6.2/32"
+            "fd00:fae:fae:fae:fae:2::/96"
+          ];
+        }
+        {
+          # nachtigall.pub.solar
+          endpoint = "138.201.80.102:51820";
+          publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
+          allowedIPs = [
+            "10.7.6.1/32"
+            "fd00:fae:fae:fae:fae:1::/96"
+          ];
+        }
+      ];
+    };
+  };
+
+  services.openssh.listenAddresses = [
+    {
+      addr = "10.7.6.3";
+      port = 22;
+    }
+    {
+      addr = "[fd00:fae:fae:fae:fae:3::]";
+      port = 22;
+    }
+  ];
+}