From a670d5289903cd6236c3203fb1283f4e664e604c Mon Sep 17 00:00:00 2001
From: sefidel
Date: Thu, 11 Jan 2024 04:39:50 +0900
Subject: feat(systems/v-nanode1): init
---
systems/v-nanode1/default.nix | 95 ++++++++++++++++++++++++++++
systems/v-nanode1/hardware-configuration.nix | 33 ++++++++++
systems/v-nanode1/secrets/secrets.yaml | 30 +++++++++
3 files changed, 158 insertions(+)
create mode 100644 systems/v-nanode1/default.nix
create mode 100644 systems/v-nanode1/hardware-configuration.nix
create mode 100644 systems/v-nanode1/secrets/secrets.yaml
diff --git a/systems/v-nanode1/default.nix b/systems/v-nanode1/default.nix
new file mode 100644
index 0000000..beba6ae
--- /dev/null
+++ b/systems/v-nanode1/default.nix
@@ -0,0 +1,95 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ ipv4 = {
+ address = "172.233.66.103";
+ gateway = "172.233.66.1";
+ netmask = "255.255.255.0";
+ prefixLength = 24; # https://www.pawprint.net/designresources/netmask-converter.php
+ };
+ ipv6 = {
+ address = "2400:8905::f03c:94ff:fe92:daa6";
+ gateway = "fe80::1";
+ prefixLength = 64;
+ };
+ networkInterface = "eth0";
+ hostName = "v-nanode1";
+ hostId = "f5201679";
+ hostAddr = "v-nanode1.sefidel.net";
+
+ sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+ maintainerKeys = [ ] ++ sefidelKeys;
+in
+{
+ deployment = {
+ targetHost = hostAddr;
+ targetPort = 22;
+ targetUser = "root";
+ };
+
+ imports = [ ./hardware-configuration.nix ];
+
+ networking.hostId = hostId;
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "nodev";
+
+ # Linode tweaks
+ boot.loader.timeout = 10; # Compensate for LISH
+ # LISH
+ boot.loader.grub.extraConfig = ''
+ serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+ terminal_input serial;
+ terminal_output serial
+ '';
+ networking.usePredictableInterfaceNames = false;
+
+ boot.kernelParams = [
+ # LISH
+ "console=ttyS0,19200n8"
+ # See for documentation.
+ # ip=:::::::::
+ # The server ip refers to the NFS server -- not needed in this case.
+ "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+
+ networking.hostName = hostName;
+
+ networking.useDHCP = false;
+ networking.interfaces.${networkInterface} = {
+ ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
+ ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
+ };
+ networking.defaultGateway = ipv4.gateway;
+ networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
+ networking.nameservers = [ "8.8.8.8" ];
+
+ networking.firewall.enable = true;
+
+ time.timeZone = "UTC";
+
+ sops.secrets.root-password.neededForUsers = true;
+
+ users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;
+ users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
+
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "prohibit-password";
+
+ modules = {
+ sops.enable = true;
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
+
diff --git a/systems/v-nanode1/hardware-configuration.nix b/systems/v-nanode1/hardware-configuration.nix
new file mode 100644
index 0000000..5948f96
--- /dev/null
+++ b/systems/v-nanode1/hardware-configuration.nix
@@ -0,0 +1,33 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/24bbf556-6e42-4c02-95ef-0e997d8c40ab"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/systems/v-nanode1/secrets/secrets.yaml b/systems/v-nanode1/secrets/secrets.yaml new file mode 100644 index 0000000..9982f78 --- /dev/null +++ b/systems/v-nanode1/secrets/secrets.yaml 
@@ -0,0 +1,30 @@ +root-password: ENC[AES256_GCM,data:EC9jU0hLZmgChdRjE0rlew8DNmrrcRGt8dS1+r3+ZEBQBrbuUOiDNrPM+o9+Kt8cZtpmX0k9Z7DmlTB7RVO9+5BzVu5JrFbUQA==,iv:pjA87xOkxfQGD9pp2PEns9QkJybFnbE4zuLcd84UkAw=,tag:YlQjT0HaKNVz6vI4DlUEiw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbE1CVEFaWXQ4M0lxR1dH + c2dJMGFxTS85ZDhlamRyQWl2Y3VxcXhVdm5RCml3MWl4dkZQK1Z5T3JqTnBLaVU1 + R25PdXJBVWczMGt6RkNWWllXOFJicDAKLS0tIElJYytrUHhzb2xHeTJTRy82bFJR + bm11bEpUaFJjcHB0c2pRendiakRpS2cKNa9ZrFkOLfOqEEN9ATktvrQgANceDj2c + mkUjhxPfti4jNE2c6gsq3DegJT/08QpFJYYuAx/sO2R8wld3kFVyrQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age14a2amn7memzvctf2nnrt6uj458x3g4jpcvs04tlkww2z02p05syqawxrwh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TEpsUmRQNUxDUU00VENS + MTgxN2ZjM0NYOEdaem5yaW1XaHdlandsQmtNCk5YSzdHdTFqa1BOSkZnajJJenhY + SFdnKzI2WmhONnJ2UWJjRWNGNUhuT0kKLS0tIHNRcVo2VXJEY0tSVUEwVkF0Z2l6 + cUpBZ01CMEFjNnNuWjlYejVKajkwcGMKehqYCZP0zZHDTfJrC/5LYiE/3doa0OiM + OKXhOuUX8HF8RfkyiOSMpntxuNX2jSvd9sQRYnHkUvgm793+IuQjrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-10T19:18:52Z" + mac: ENC[AES256_GCM,data:/VlqXi+ySt+CXsMnU2Qt+cfC9ftTnZgupPTH6VrBmsn3Cp6JpjXrIb3knQj/9i5d+LF3clPtDVG1jH8Y1uYMh2hJi+WAHzm3/K9MhVpPb+hAR+8VudN6tHtII7aoq7c7w94bjEXZWJwcVCkxgMVkI3qQvhiBdjrTtLscqD+bJ18=,iv:ZEM63Y1xnIphfcK7Jgea6f2jdulcTNa/M0pfVsCdS9s=,tag:RHoASwpbW3UFWPK1Yw9Ydw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 -- cgit 1.4.1