1 files changed, 303 insertions, 0 deletions

diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix
new file mode 100644
index 0000000..0a5cfe0
--- /dev/null
+++ b/systems/cobalt/default.nix
@@ -0,0 +1,303 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  ipv4 = {
+    address = "95.216.74.104";
+    gateway = "95.216.74.65";
+    netmask = "255.255.255.192";
+    prefixLength = 26; # https://www.pawprint.net/designresources/netmask-converter.php
+  };
+  ipv6 = {
+    address = "2a01:4f9:2b:a98::";
+    gateway = "fe80::1";
+    prefixLength = 64;
+  };
+  networkInterface = "eth0";
+  hostName = "cobalt";
+  hostId = "712ae82a";
+  hostAddr = "cobalt.exotic.sh";
+
+  poorObfuscation = y: x: "${x}@${y}";
+in
+{
+  deployment = {
+    targetHost = hostAddr;
+    targetPort = 22;
+    targetUser = "root";
+  };
+
+  imports = [ ./hardware-configuration.nix ];
+
+  boot.supportedFilesystems = [ "zfs" ];
+  networking.hostId = hostId;
+
+  boot.loader.grub.enable = true;
+  # boot.loader.grub.version = 2;
+  boot.loader.grub.efiSupport = false;
+  # boot.loader.grub.device = "nodev";
+
+  # This should be done automatically, but explicitly declare it just in case.
+  boot.loader.grub.copyKernels = true;
+  # Make sure that you've listed all of the boot partitions here.
+  boot.loader.grub.mirroredBoots = [
+    { path = "/boot"; devices = [ "/dev/disk/by-id/ata-ST4000NM0245-1Z2107_ZC17GW7G" ]; }
+    { path = "/boot-fallback"; devices = [ "/dev/disk/by-id/ata-ST4000NM0245-1Z2107_ZC17GWB2" ]; }
+  ];
+
+  # Boot normally when one of the boot partitions are missing
+  fileSystems."/boot".options = [ "nofail" ];
+  fileSystems."/boot-fallback".options = [ "nofail" ];
+
+  # Erase your darlings
+  # boot.initrd.postDeviceCommands = lib.mkAfter ''nix systemd environ
+  # zfs rollback -r rpool/local/root@blank
+  # '';
+
+  # NOTE: replace these to boot.initrd.availableKernelModules?
+  boot.kernelModules = [ "e1000e" ];
+  boot.initrd.kernelModules = [ "e1000e" ];
+
+  boot.kernelParams = [
+    # See <https:#www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for documentation.
+    # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
+    # The server ip refers to the NFS server -- not needed in this case.
+    "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
+  ];
+
+  boot.initrd.network.enable = true;
+  boot.initrd.network.ssh = {
+    enable = true;
+
+    # Using the same port as the actual SSH will cause clients to throw errors
+    # related to host key mismatch.
+    port = 2222;
+
+    # This takes 'path's, not 'string's.
+    hostKeys = [
+      /boot/initrd-ssh-key
+      /boot-fallback/initrd-ssh-key
+    ];
+
+    # Public ssh key to log into the initrd ssh
+    authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+  };
+  boot.initrd.network.postCommands = ''
+    cat <<EOF > /root/.profile
+    if pgrep -x "zfs" > /dev/null
+    then
+      zfs load-key -a
+      killall zfs
+    else
+      echo "ZFS is not running -- this could be a sign of failure."
+    fi
+    EOF
+  '';
+
+
+  networking.hostName = hostName;
+
+  networking.useDHCP = false;
+  networking.interfaces.${networkInterface} = {
+    ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
+    ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
+  };
+  networking.defaultGateway = ipv4.gateway;
+  networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
+  networking.nameservers = [ "8.8.8.8" ];
+
+  networking.firewall.enable = true;
+
+  time.timeZone = "UTC";
+
+  users.users.root.initialHashedPassword = ""; # FIXME: use proper secret
+  users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+  services.openssh.enable = true;
+  services.openssh.settings.permitRootLogin = "prohibit-password";
+
+  services.openssh.hostKeys = [
+    {
+      path = "/persist/ssh/ssh_host_ed25519_key";
+      type = "ed25519";
+    }
+    {
+      path = "/persist/ssh/ssh_host_rsa_key";
+      type = "rsa";
+      bits = 4096;
+    }
+  ];
+
+  # impermanence requirement
+  fileSystems."/persist".neededForBoot = true;
+
+  environment.systemPackages = with pkgs; [
+    bsd-finger
+  ];
+
+  sops.secrets.acme-envs = {
+    owner = "acme";
+  };
+  sops.secrets.matrix-server-key = { };
+  sops.secrets.dendrite-envs = { };
+  sops.secrets.sliding-sync-secret = { };
+  sops.secrets.mjolnir-password = { owner = "mjolnir"; };
+  sops.secrets.mautrix-telegram-envs = { };
+  sops.secrets.turn-secret = { };
+  # sops.secrets.openldap-admin-key = {
+  # owner = "openldap";
+  # };
+
+  modules = {
+    sops.enable = true;
+
+    services.metrics = {
+      enable = true;
+      domain = "status.exotic.sh";
+      tls.acmeHost = "exotic.sh";
+    };
+
+    services.coredns.enable = false;
+    services.nginx.enable = true;
+    services.acme = {
+      enable = true;
+      email = poorObfuscation "exotic.sh" "postmaster";
+
+      certs = {
+        "exotic.sh" = {
+          subDomains = [
+            "git"
+            "matrix"
+            "*.labs"
+            "social"
+            "bouncer"
+            "meet"
+            "chat"
+            "turn"
+            "status"
+            "mail"
+            "todo"
+          ];
+        };
+        "nand.moe" = {
+          subDomains = [ ];
+        };
+        "sefidel.net" = {
+          subDomains = [ ];
+        };
+      };
+
+      secrets.acme-credentials = config.sops.secrets.acme-envs.path;
+    };
+
+    services.gitolite = {
+      enable = true;
+      adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11";
+    };
+    services.gitDaemon.enable = true;
+    services.cgit = {
+      enable = true;
+      domain = "exotic.sh";
+      realHost = "git.exotic.sh";
+      settings.description = "Exotic place.";
+    };
+    services.fail2ban.enable = true;
+    services.postgresql.enable = true;
+    services.dendrite = {
+      enable = true;
+      domain = "exotic.sh";
+      realHost = "matrix.exotic.sh";
+      slidingSyncHost = "slidingsync.labs.exotic.sh";
+      turn = {
+        enable = true;
+        domain = "turn.exotic.sh";
+        shared_secret = "$TURN_SECRET"; # dendrite envs
+      };
+      secrets = {
+        matrix-server-key = config.sops.secrets.matrix-server-key.path;
+        dendrite-envs = config.sops.secrets.dendrite-envs.path;
+        sliding-sync-secret = config.sops.secrets.sliding-sync-secret.path;
+      };
+    };
+    services.coturn = {
+      enable = true;
+      domain = "turn.exotic.sh";
+      tls.acmeHost = "exotic.sh";
+      shared_secret = config.sops.secrets.turn-secret.path;
+    };
+    services.matrix-moderation = {
+      enable = true;
+      domain = "exotic.sh";
+      secrets.userPassword = config.sops.secrets.mjolnir-password.path;
+    };
+    services.matrix-bridge = {
+      enable = true;
+      domain = "exotic.sh";
+      secrets.mautrix-envs = config.sops.secrets.mautrix-telegram-envs.path;
+    };
+    services.element-web = {
+      enable = true;
+      hostName = "chat.exotic.sh";
+      matrix = {
+        baseUrl = "https://matrix.exotic.sh";
+        serverName = "exotic.sh";
+      };
+      tls.acmeHost = "exotic.sh";
+      jitsi.domain = "meet.exotic.sh";
+    };
+    services.akkoma = {
+      enable = true;
+      domain = "exotic.sh";
+      realHost = "social.exotic.sh";
+      instanceName = "exotic.sh social";
+    };
+    services.misskey = {
+      enable = true;
+      domain = "nand.moe";
+      realHost = "nand.moe";
+    };
+    services.soju = {
+      enable = true;
+      hostName = "bouncer.exotic.sh";
+      tls.enable = true;
+      tls.acmeHost = "exotic.sh";
+    };
+    services.vikunja = {
+      enable = true;
+      domain = "exotic.sh";
+      realHost = "todo.exotic.sh";
+    };
+
+
+    services.nixos-mailserver.enable = true; # TODO: replace with dovecot.nix?
+
+    services.jitsi = {
+      enable = true;
+      hostName = "meet.exotic.sh";
+      tls.acmeHost = "exotic.sh";
+    };
+
+    services.ldap = {
+      enable = false;
+      dc = "exotic";
+      tld = "sh";
+      tls.acmeHost = "exotic.sh";
+      secrets.rootPass = config.sops.secrets.openldap-admin-key.path;
+    };
+    services.pubnix.enable = false;
+    services.userweb = {
+      enable = false;
+      domain = "exotic.sh";
+    };
+
+    services.sefidel-web.enable = true;
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}
+