authorsefidel <contact@sefidel.net>2024-01-10 03:05:37 +0900
committersefidel <contact@sefidel.net>2024-01-12 00:18:12 +0900
commitaed96a9526f28238abd4e9275d92f4ce45f09315 (patch)
tree94c78f144cd679e7c9ee93130e850bfa3114fc9e /systems/v-coord1
parentdaff6a188d140aa3e297a30c8f6393ad5880c345 (diff)
feat(systems/v-coord1): init
Diffstat (limited to 'systems/v-coord1')
-rw-r--r--systems/v-coord1/default.nix83
-rw-r--r--systems/v-coord1/hardware-configuration.nix36
-rw-r--r--systems/v-coord1/secrets/secrets.yaml30
3 files changed, 149 insertions, 0 deletions
diff --git a/systems/v-coord1/default.nix b/systems/v-coord1/default.nix
new file mode 100644
index 0000000..9cb711b
--- /dev/null
+++ b/systems/v-coord1/default.nix
@@ -0,0 +1,83 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ ipv4 = {
+ address = "138.248.67.57";
+ gateway = "138.248.67.1";
+ netmask = "255.255.255.0";
+ prefixLength = 24; # https://www.pawprint.net/designresources/netmask-converter.php
+ };
+ ipv6 = {
+ address = "2001:ce8:77:f::2e27:0";
+ gateway = "2001:ce8:77:f::1";
+ prefixLength = 112;
+ };
+ networkInterface = "ens3";
+ hostName = "v-coord1";
+ hostId = "8b0a9354";
+ hostAddr = "v-coord1.sefidel.net";
+
+ sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+ maintainerKeys = [ ] ++ sefidelKeys;
+in
+{
+ deployment = {
+ targetHost = hostAddr;
+ targetPort = 22;
+ targetUser = "root";
+ };
+
+ imports = [ ./hardware-configuration.nix ];
+
+ networking.hostId = hostId;
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/vda";
+
+ boot.kernelParams = [
+ # See <https:#www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for documentation.
+ # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
+ # The server ip refers to the NFS server -- not needed in this case.
+ "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+
+ networking.hostName = hostName;
+
+ networking.useDHCP = false;
+ networking.interfaces.${networkInterface} = {
+ ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
+ ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
+ };
+ networking.defaultGateway = ipv4.gateway;
+ networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
+ networking.nameservers = [ "8.8.8.8" ];
+
+ networking.firewall.enable = true;
+
+ time.timeZone = "UTC";
+
+ sops.secrets.root-password.neededForUsers = true;
+
+ users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;
+ users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
+
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "prohibit-password";
+
+ modules = {
+ sops.enable = true;
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
+
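Review bot: The SSH settings at lines 92-93 restrict only root: `prohibit-password` makes root key-only, but password and keyboard-interactive authentication stay at the sshd defaults for any other account a shared module might add later, so `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` would make the host key-only as a whole. The `ip=` kernel parameter at line 66 configures static initrd networking with 8.8.8.8 as resolver, yet nothing in this file enables `boot.initrd.network`, so a comment stating what consumes it (or that it is intentionally unused for now) would help the next reader. The documentation URL in the comment above it is malformed; it should read `# See <https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for documentation.`. As a point of style, `maintainerKeys = [ ] ++ sefidelKeys;` is a no-op concatenation that reads the same as `maintainerKeys = sefidelKeys;`, and `with lib;` at the top appears unused in this file.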
diff --git a/systems/v-coord1/hardware-configuration.nix b/systems/v-coord1/hardware-configuration.nix
new file mode 100644
index 0000000..529a188
--- /dev/null
+++ b/systems/v-coord1/hardware-configuration.nix
@@ -0,0 +1,36 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/c524db60-5af1-4b04-b86d-4697e235049f";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/720C-8DAB";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/systems/v-coord1/secrets/secrets.yaml b/systems/v-coord1/secrets/secrets.yaml
new file mode 100644
index 0000000..7533b87
--- /dev/null
+++ b/systems/v-coord1/secrets/secrets.yaml
@@ -0,0 +1,30 @@
+root-password: ENC[AES256_GCM,data:un7dq8JK2/dzapuT4Ke1zIP6eT32iquZWwp00vrUtP44vwTEKRuaAl7lI2gyvbBu4fIFL0kzn855Umy9xXXrbg5EBHJPFr6J5Q==,iv:mLvwFdtnVyQsrmOK5IKv1VgTHfNr2Lu7I3fWVDaM0i4=,tag:rktJjITTn6CjjlcOxOixrQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbE1CVEFaWXQ4M0lxR1dH
+ c2dJMGFxTS85ZDhlamRyQWl2Y3VxcXhVdm5RCml3MWl4dkZQK1Z5T3JqTnBLaVU1
+ R25PdXJBVWczMGt6RkNWWllXOFJicDAKLS0tIElJYytrUHhzb2xHeTJTRy82bFJR
+ bm11bEpUaFJjcHB0c2pRendiakRpS2cKNa9ZrFkOLfOqEEN9ATktvrQgANceDj2c
+ mkUjhxPfti4jNE2c6gsq3DegJT/08QpFJYYuAx/sO2R8wld3kFVyrQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age14a2amn7memzvctf2nnrt6uj458x3g4jpcvs04tlkww2z02p05syqawxrwh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TEpsUmRQNUxDUU00VENS
+ MTgxN2ZjM0NYOEdaem5yaW1XaHdlandsQmtNCk5YSzdHdTFqa1BOSkZnajJJenhY
+ SFdnKzI2WmhONnJ2UWJjRWNGNUhuT0kKLS0tIHNRcVo2VXJEY0tSVUEwVkF0Z2l6
+ cUpBZ01CMEFjNnNuWjlYejVKajkwcGMKehqYCZP0zZHDTfJrC/5LYiE/3doa0OiM
+ OKXhOuUX8HF8RfkyiOSMpntxuNX2jSvd9sQRYnHkUvgm793+IuQjrg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-09T17:17:21Z"
+ mac: ENC[AES256_GCM,data:M9PQJI7xFzFBf21T8FRQ6ui7aji0Ln987/KRkOEDI8tEKER16TCAY4qVVrZ0mltLpjYMBZajbtgipwh3yAz/6INEWHuS0Ao4hN8XALLhVK9PbYLLk+9YxKQ2n/8navv6dZdKt8vBDqX8Rc+BZmWbU9l8ogNbdA0YgpvTjaNyaaE=,iv:v8GJjZQfgdjx9tJFSkfsIytt55lYxmTwaRcg9MTgSWg=,tag:NVrdbkvT+5RGRskteB8iDA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1