authorsefidel <contact@sefidel.net>2024-01-11 04:39:50 +0900
committersefidel <contact@sefidel.net>2024-01-12 00:18:33 +0900
commita670d5289903cd6236c3203fb1283f4e664e604c (patch)
treee89f08114fa36461295663f7993285d2a6b2f5a9 /systems/v-nanode1/default.nix
parentaed96a9526f28238abd4e9275d92f4ce45f09315 (diff)
feat(systems/v-nanode1): init
Diffstat (limited to 'systems/v-nanode1/default.nix')
-rw-r--r--systems/v-nanode1/default.nix95
1 files changed, 95 insertions, 0 deletions
diff --git a/systems/v-nanode1/default.nix b/systems/v-nanode1/default.nix
new file mode 100644
index 0000000..beba6ae
--- /dev/null
+++ b/systems/v-nanode1/default.nix
@@ -0,0 +1,95 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  ipv4 = {
+    address = "172.233.66.103";
+    gateway = "172.233.66.1";
+    netmask = "255.255.255.0";
+    prefixLength = 24; # https://www.pawprint.net/designresources/netmask-converter.php
+  };
+  ipv6 = {
+    address = "2400:8905::f03c:94ff:fe92:daa6";
+    gateway = "fe80::1";
+    prefixLength = 64;
+  };
+  networkInterface = "eth0";
+  hostName = "v-nanode1";
+  hostId = "f5201679";
+  hostAddr = "v-nanode1.sefidel.net";
+
+  sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+  maintainerKeys = [ ] ++ sefidelKeys;
+in
+{
+  deployment = {
+    targetHost = hostAddr;
+    targetPort = 22;
+    targetUser = "root";
+  };
+
+  imports = [ ./hardware-configuration.nix ];
+
+  networking.hostId = hostId;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "nodev";
+  
+  # Linode tweaks
+  boot.loader.timeout = 10; # Compensate for LISH
+  # LISH
+  boot.loader.grub.extraConfig = ''
+    serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+    terminal_input serial;
+    terminal_output serial
+  '';
+  networking.usePredictableInterfaceNames = false;
+
+  boot.kernelParams = [
+  # LISH
+  "console=ttyS0,19200n8"
+    # See <https:#www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for documentation.
+    # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
+    # The server ip refers to the NFS server -- not needed in this case.
+    "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
+  ];
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+
+  networking.hostName = hostName;
+
+  networking.useDHCP = false;
+  networking.interfaces.${networkInterface} = {
+    ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
+    ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
+  };
+  networking.defaultGateway = ipv4.gateway;
+  networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
+  networking.nameservers = [ "8.8.8.8" ];
+
+  networking.firewall.enable = true;
+
+  time.timeZone = "UTC";
+
+  sops.secrets.root-password.neededForUsers = true;
+
+  users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;
+  users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
+
+  services.openssh.enable = true;
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
+
+  modules = {
+    sops.enable = true;
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}
+
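Review bot: Only the root account is pinned to key-only access (`services.openssh.settings.PermitRootLogin = "prohibit-password"`), while the NixOS openssh module leaves `PasswordAuthentication` at its default of enabled, so any non-root user later introduced through `./hardware-configuration.nix` or the `modules` set would accept password logins on this internet-facing host. Since access is entirely key-based via `maintainerKeys`, make that explicit next to the PermitRootLogin line: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`. Separately, the documentation URL in the `boot.kernelParams` comment is mistyped as `https:#www.kernel.org/...` and should read `https://www.kernel.org/...`. As style points, `with lib;` is not used anywhere in this file and can be dropped, `[ ] ++ sefidelKeys` reduces to `sefidelKeys`, and the `"console=ttyS0,19200n8"` entry is indented inconsistently with the rest of the list.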