authorsefidel <contact@sefidel.net>2024-01-12 02:42:37 +0900
committersefidel <contact@sefidel.net>2024-01-14 12:06:05 +0900
commit38b45cd6d6caffb6c32ed8720b3174f25354f965 (patch)
treeeae26d5c8eaa319a51e9f133ed343743a02072c9
parentb42f9f12aedf4dbedb0fb2a7d00dda4b5408d068 (diff)
downloadinfra-38b45cd6d6caffb6c32ed8720b3174f25354f965.zip
feat(systems/v-proton-jp43): init
-rw-r--r--systems/.sops.yaml6
-rw-r--r--systems/v-proton-jp43/default.nix106
-rw-r--r--systems/v-proton-jp43/hardware-configuration.nix33
-rw-r--r--systems/v-proton-jp43/secrets/secrets.yaml31
4 files changed, 176 insertions, 0 deletions
diff --git a/systems/.sops.yaml b/systems/.sops.yaml
index 673fb87..8ee1233 100644
--- a/systems/.sops.yaml
+++ b/systems/.sops.yaml
@@ -5,6 +5,7 @@ keys:
- &host_v_coord1 age15d6jezemfjt9g7snmw6pgwyw99nld4jhlqfrnfhc8lym9qw7cu2s0av95t
- &host_v_nanode1 age1qqkh0r2k4fztl29wmhfq6ayhy9fe3t508tf2qcllf29vdkm235xq7x6frr
- &host_v_conoha1 age1trapu56vpu4rq9eh87dqv4hs0hxnntevy3xr3qv8pfxujyzvj3csf6dfxg
+ - &host_v_proton_jp43 age1qqkh0r2k4fztl29wmhfq6ayhy9fe3t508tf2qcllf29vdkm235xq7x6frr
creation_rules:
- path_regex: cobalt/secrets/[^/]+\.yaml$
key_groups:
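Review bot: The age recipient added on the `+ - &host_v_proton_jp43` line is byte-for-byte the same key as `&host_v_nanode1` three lines above it, so the creation rule added in the second hunk (`path_regex: v-proton-jp43/secrets/[^/]+\.yaml$`) encrypts the new host's secrets to v-nanode1's host key; the new secrets.yaml in this commit confirms it, listing that same recipient. If the two machines genuinely share a host key this should be stated in a comment beside the alias; if it is a copy-paste slip, the line should become `  - &host_v_proton_jp43 <age recipient derived from v-proton-jp43's own SSH host key>` and the secrets file re-encrypted with `sops updatekeys`. As committed, the root password hash and the secret named pvpn-private-key for this host are decryptable on v-nanode1 as well.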
@@ -26,3 +27,8 @@ creation_rules:
- age:
- *sefidel
- *host_v_conoha1
+ - path_regex: v-proton-jp43/secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *sefidel
+ - *host_v_proton_jp43
diff --git a/systems/v-proton-jp43/default.nix b/systems/v-proton-jp43/default.nix
new file mode 100644
index 0000000..5b9c10e
--- /dev/null
+++ b/systems/v-proton-jp43/default.nix
@@ -0,0 +1,106 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ ipv4 = {
+ address = "172.233.74.234";
+ gateway = "172.233.74.1";
+ netmask = "255.255.255.0";
+ prefixLength = 24; # https://www.pawprint.net/designresources/netmask-converter.php
+ };
+ ipv6 = {
+ address = "2400:8905::7ab1:59eb:d315:b252";
+ gateway = "fe80::1";
+ prefixLength = 64;
+ };
+ networkInterface = "eth0";
+ hostName = "v-proton-jp43";
+ hostId = "3185b70b";
+ hostAddr = "172-233-74-234.ip.linodeusercontent.com";
+
+ sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+ maintainerKeys = [ ] ++ sefidelKeys;
+in
+{
+ deployment = {
+ targetHost = hostAddr;
+ targetPort = 22;
+ targetUser = "root";
+ };
+
+ imports = [ ./hardware-configuration.nix ];
+
+ networking.hostId = hostId;
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "nodev";
+
+ # Linode tweaks
+ boot.loader.timeout = 10; # Compensate for LISH
+ # LISH
+ boot.loader.grub.extraConfig = ''
+ serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+ terminal_input serial;
+ terminal_output serial
+ '';
+ networking.usePredictableInterfaceNames = false;
+
+ boot.kernelParams = [
+ # LISH
+ "console=ttyS0,19200n8"
+ # See <https:#www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for documentation.
+ # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
+ # The server ip refers to the NFS server -- not needed in this case.
+ "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+
+ networking.hostName = hostName;
+
+ networking.useDHCP = false;
+ networking.interfaces.${networkInterface} = {
+ ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
+ ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
+ };
+ networking.defaultGateway = ipv4.gateway;
+ networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
+ networking.nameservers = [ "8.8.8.8" ];
+
+ networking.firewall.enable = true;
+
+ time.timeZone = "UTC";
+
+ sops.secrets.root-password.neededForUsers = true;
+ sops.secrets.pvpn-private-key = { };
+
+ users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;
+ users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
+
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "prohibit-password";
+
+ nix.flakes.enable = true;
+
+ modules = {
+ security.enable = true;
+ persistence.enable = false;
+ cachix.enable = true;
+
+ sops.enable = true;
+
+ services.tailscale.enable = true;
+ };
+
+ networking.networkmanager.enable = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
+
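Review bot: `networking.networkmanager.enable = true;` near the end of the file sits beside a fully static network setup (`networking.useDHCP = false;`, `networking.interfaces.eth0` with fixed addresses, `networking.defaultGateway`); unless the interface is excluded, NetworkManager will presumably also try to manage eth0 and can race the scripted address configuration on a host that is only reachable over that link and LISH. If NetworkManager is needed here for something other than eth0, a one-line comment saying why would help; otherwise dropping the line, or adding `networking.networkmanager.unmanaged = [ networkInterface ];`, keeps the declarative config authoritative. Separately, `sops.secrets.pvpn-private-key = { };` is declared but nothing in this file reads its `.path`, so a comment naming the consumer (presumably a VPN service in the shared modules) would make clear the secret is not orphaned.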
diff --git a/systems/v-proton-jp43/hardware-configuration.nix b/systems/v-proton-jp43/hardware-configuration.nix
new file mode 100644
index 0000000..5948f96
--- /dev/null
+++ b/systems/v-proton-jp43/hardware-configuration.nix
@@ -0,0 +1,33 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/24bbf556-6e42-4c02-95ef-0e997d8c40ab";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/systems/v-proton-jp43/secrets/secrets.yaml b/systems/v-proton-jp43/secrets/secrets.yaml
new file mode 100644
index 0000000..fec154a
--- /dev/null
+++ b/systems/v-proton-jp43/secrets/secrets.yaml
@@ -0,0 +1,31 @@
+root-password: ENC[AES256_GCM,data:1aEw6blCf2YiLJ/6GEPHxEghNk1KEKjGHi8vcv1M8MY0zEm32axwry8hZWCB+/O1hTMp6+mQGas/wXReObX5H4NyRmL/Adf0TA==,iv:W9m737O3u+jEIn7qTdrJ5tk7O0ML5YUtHB5cUGpv1WY=,tag:dEZ2JD/26iFfICTV52zciA==,type:str]
+pvpn-private-key: ENC[AES256_GCM,data:vMHTCQVq+T03IsEU5lgqqjfDpqJsh2dcpYDU8D7bcGJHtxr60n45CNAyRwA=,iv:cMcvAx9B150Pfu4M6uTwZiW3+D7v8gmsyqfw3zu62sU=,tag:st652vH9arn5Nuw5OCFeEA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaVmRYVkM4NDhGcE9uU09u
+ ekN2dUZRM2ordjRQa29DTTM4YTBVejNKaGlVClRzT0RiakRxSVBnZCtLdVNXNnpI
+ dFhIVUNtNk1mbHpNWENsUERRZDE5TGsKLS0tIGQwUldqRDByeUpTNUtsK0ZOaFM0
+ ZjBBSkZxWk5iVzE4RDV0WlNjZWdIbGsKi3ipCIPDe8SZOlE+M8aa/lNJH5jUwvtm
+ 7xhh4CLBYXU2ZapowLdwIVB7vtplXsMjTGb0kQsMx/JobpPG2E2uLg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1qqkh0r2k4fztl29wmhfq6ayhy9fe3t508tf2qcllf29vdkm235xq7x6frr
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYlBLazVWYkFmS1RUWWRr
+ SmdGbmxFZDlEZ3NCVXNobURiZSszeVIvRUdzCnZRbkVNS3BrRG0vTHA3eVF0amEx
+ RGFRZjk5aXlFcmliclp2eFdyLzAzbXMKLS0tIHJnZGNlTWFlc2hTZXRUZFZVMHVV
+ dFNLc3J4MnJpYUhQSFE3NkNZNjhaN0UKwgAeoYh7bXlviXfWS1Dv+W/7biNy/wfB
+ hsola2gv80LcAKtGOM8KPGIHjzblFSdE816IQ6frM7LTOyCHHM80gA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-11T16:06:57Z"
+ mac: ENC[AES256_GCM,data:1XP4xUZwOZYsJHtuhoUcqsHWztW9mYBto6OFJfguLE+OSuxYU5I4j3f+hNLkOKvByHLfxGr0/R+xsGTBr0A27OXdzrYhjCeVzzlK9pplSzq0hP3fWjraUfNi7C8H1hCfRI1wtu95DJpA+ccIR99LjTHj1XA581CLUhxHQZMAVXc=,iv:ru/OjfAq3QdSfqXqJN2a7yLA0RJzew7q5LzM34exjFI=,tag:ZDooUSmqi5r5VEmWCy85HQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1