-rw-r--r--systems/.sops.yaml6
-rw-r--r--systems/v-conoha1/default.nix91
-rw-r--r--systems/v-conoha1/hardware-configuration.nix29
-rw-r--r--systems/v-conoha1/secrets/secrets.yaml30
4 files changed, 156 insertions, 0 deletions
diff --git a/systems/.sops.yaml b/systems/.sops.yaml
index c6319cf..673fb87 100644
--- a/systems/.sops.yaml
+++ b/systems/.sops.yaml
@@ -4,6 +4,7 @@ keys:
   - &host_cobalt age14a2amn7memzvctf2nnrt6uj458x3g4jpcvs04tlkww2z02p05syqawxrwh
   - &host_v_coord1 age15d6jezemfjt9g7snmw6pgwyw99nld4jhlqfrnfhc8lym9qw7cu2s0av95t
   - &host_v_nanode1 age1qqkh0r2k4fztl29wmhfq6ayhy9fe3t508tf2qcllf29vdkm235xq7x6frr
+  - &host_v_conoha1 age1trapu56vpu4rq9eh87dqv4hs0hxnntevy3xr3qv8pfxujyzvj3csf6dfxg
 creation_rules:
   - path_regex: cobalt/secrets/[^/]+\.yaml$
     key_groups:
@@ -20,3 +21,8 @@ creation_rules:
     - age:
       - *sefidel
       - *host_v_nanode1
+  - path_regex: v-conoha1/secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *sefidel
+      - *host_v_conoha1
diff --git a/systems/v-conoha1/default.nix b/systems/v-conoha1/default.nix
new file mode 100644
index 0000000..c07da7a
--- /dev/null
+++ b/systems/v-conoha1/default.nix
@@ -0,0 +1,91 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  ipv4 = {
+    address = "157.7.86.101";
+    gateway = "157.7.86.1";
+    netmask = "255.255.254.0";
+    prefixLength = 23; # https://www.pawprint.net/designresources/netmask-converter.php
+  };
+  ipv6 = {
+    address = "2400:8500:1302:3157:157:7:86:101";
+    gateway = "2400:8500:1302:3157::1";
+    prefixLength = 64;
+  };
+  networkInterface = "ens3";
+  hostName = "v-conoha1";
+  hostId = "586eb5d0";
+  hostAddr = "v-conoha1.sefidel.net";
+
+  sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+  maintainerKeys = [ ] ++ sefidelKeys;
+in
+{
+  deployment = {
+    targetHost = hostAddr;
+    targetPort = 22;
+    targetUser = "root";
+  };
+
+  imports = [ ./hardware-configuration.nix ];
+
+  networking.hostId = hostId;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+
+  boot.kernelParams = [
+    # See <https:#www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for documentation.
+    # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
+    # The server ip refers to the NFS server -- not needed in this case.
+    "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
+  ];
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+
+  networking.hostName = hostName;
+
+  networking.useDHCP = false;
+  networking.interfaces.${networkInterface} = {
+    ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
+    ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
+  };
+  networking.defaultGateway = ipv4.gateway;
+  networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
+  networking.nameservers = [ "8.8.8.8" ];
+
+  networking.firewall.enable = true;
+
+  time.timeZone = "UTC";
+
+  sops.secrets.root-password.neededForUsers = true;
+
+  users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;
+  users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
+
+  services.openssh.enable = true;
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
+
+  nix.flakes.enable = true;
+
+  modules = {
+    security.enable = true;
+    persistence.enable = false;
+    cachix.enable = true;
+
+    sops.enable = true;
+
+    services.tailscale.enable = true;
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}
+
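Review bot: The openssh block (the `services.openssh.settings.PermitRootLogin = "prohibit-password";` line) restricts root to key-only login but never turns off password and keyboard-interactive authentication for the daemon as a whole, so on a host exposed on a public IPv4/IPv6 address with `root` as the only declared user the remaining door is closed only by that one per-user setting. Unless the project's `modules.security` module already does this (not visible here), add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to it so the policy is stated on the host and survives a change to the shared module. The kernel-docs link in the `boot.kernelParams` comment is malformed, `https:#www.kernel.org/...` should read `https://www.kernel.org/...`. The resolver address `8.8.8.8` is written twice, once in the `ip=` initrd parameter and once in `networking.nameservers`; a `dns = "8.8.8.8";` binding in the `let` block alongside `ipv4`/`ipv6` would keep the two in step. `with lib;` appears unused in this file, since no `lib` names are referenced below it.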
diff --git a/systems/v-conoha1/hardware-configuration.nix b/systems/v-conoha1/hardware-configuration.nix
new file mode 100644
index 0000000..260d354
--- /dev/null
+++ b/systems/v-conoha1/hardware-configuration.nix
@@ -0,0 +1,29 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/vda2";
+      fsType = "ext4";
+    };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/systems/v-conoha1/secrets/secrets.yaml b/systems/v-conoha1/secrets/secrets.yaml
new file mode 100644
index 0000000..3ed1445
--- /dev/null
+++ b/systems/v-conoha1/secrets/secrets.yaml
@@ -0,0 +1,30 @@
+root-password: ENC[AES256_GCM,data:ISLJfLoJPr+sf0VI6mwOGCSaojjGg5DldLIEvvpUXwZMpxQO7ihxqZQ30ldfCJAc/Uek7WgMd7BXrky+4lVr70DId/TUls37AQ==,iv:kkI6J9ZRtkqynz+mANjspXebvm9Wwdx6y9o0ndSnXGs=,tag:h2TV8UaHywzKUn5ki4CbqA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybGh0VWgwRVNkdnptSHND
+            WUl0TmMxSTJNRXpoSHlOQUJKOVZhVE9KbFFZCllXeGZ2bXJ5WmMxejFmdE9xQkhx
+            WVBuZVRBSVhRQkxGd0JTVVZGcXJvdU0KLS0tIFN6SVRsMjIxY0RJVTloTzMzcVd1
+            SGFUV3lMa1dGdEorWDh5S0NkNG5ZMDgK9+3DusNE/DirwSaneuHKeqbVy0zFl1XK
+            sUXtpeFw0uyJsNuPXYav97fOlTpwDPE5GtSzV4NQvWDUPquQ4e5BFQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1trapu56vpu4rq9eh87dqv4hs0hxnntevy3xr3qv8pfxujyzvj3csf6dfxg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxVHVaWG5US1FTNnV2WTQz
+            Y0ZUMXhMcTBhckQ3bVRxcnRVWSs1cTdOYVdJClRnNmtQWVJ5M0lzbzh6T2U2TXMw
+            TjBpU3l0OEt2TjNzazYybHlFSExJaUEKLS0tIGF0K3Bkd05LWUxsb2NERU1QQldH
+            WU44b2JNbThKMkVNWWYvUHQxMVBPTUkKPmbcKu6acm9hA1SAqoDX8gx+2jYNrhUx
+            Ge+QeWTQPhVouIbO5tZmc5HLJXOW1rho2h6FdmPJQB2W4/2Y8AFerA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-11T15:13:23Z"
+    mac: ENC[AES256_GCM,data:JEyCm6qvybpX9q3UBxTsaI/YcPp8k1At+a1LVR0te8FDzTMVMHB3n31S1+RWiXqrX7lkTwrUK/1OV9ZMjcdt7ZJEIxI6ajKqRiUE9vPH7OSRDmioh5blrg3OGaeO0kXFflGkiUS0t/SJKJ+rhJhCJun6Q3l1xd42IwxfAGlVXmk=,iv:j8OYhbLkynbFp/C5Djc7/Ir9fy8nEQAqz6w1wUzWJ5U=,tag:itM6lm89IDhmKtqO5CA37Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1