Add heptifili

peterablehmann · Jun 18, 2024 · 1dd6350 · 1dd6350
1 parent a2fae8e
commit 1dd6350
Show file tree

Hide file tree

Showing 7 changed files with 165 additions and 20 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
   - &system_mns age1s7xs405mkw2gagclktekz27lxhh38se7adrkdfc0x2l28j9xsvdqcdrsyr
   - &system_sync age1ap6uwhhy4uvq72hwyts7gzl027mnypakvj6svphgw2fm8jk72v7qtccs76
   - &system_ymir age183wgf8xp46chqk049ekyg7vsan2p50zh4lqfllcllzwuekeywdzqn7pz0q
+  - &system_heptifili age1xvkj88jyajrefredvy4t7xgwfxrerezunsjcqqqfxytpw648l4aqfjakav
 
 creation_rules:
   - path_regex: secrets/common.(yaml|json|env|ini)$
@@ -12,6 +13,7 @@ creation_rules:
       - *system_mns
       - *system_sync
       - *system_ymir
+      - *system_heptifili
 
   - path_regex: secrets/mns.(yaml|json|env|ini)$
     key_groups:
@@ -30,3 +32,9 @@ creation_rules:
     - age:
       - *peter
       - *system_ymir
+
+  - path_regex: secrets/heptifili.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *peter
+      - *system_heptifili
diff --git a/flake.nix b/flake.nix
@@ -87,6 +87,16 @@
       } // builtins.mapAttrs (name: value: { imports = value._module.args.modules; }) conf;
 
       nixosConfigurations = {
+        heptifili = nixpkgs.lib.nixosSystem {
+          specialArgs = { inherit inputs outputs; };
+          system = "x86_64-linux";
+          extraModules = [ inputs.colmena.nixosModules.deploymentOptions ];
+          modules = [
+            ./nodes/heptifili
+            self.nixosModules.common
+            nix-topology.nixosModules.default
+          ];
+        };
         mns = nixpkgs.lib.nixosSystem {
           specialArgs = { inherit inputs outputs; };
           system = "x86_64-linux";

diff --git a/nodes/heptifili/default.nix b/nodes/heptifili/default.nix
@@ -0,0 +1,8 @@
+{
+  imports = [
+    # ./backup.nix
+    ./disko.nix
+    ./hardware-configuration.nix
+    ./networking.nix
+  ];
+}
diff --git a/nodes/heptifili/disko.nix b/nodes/heptifili/disko.nix
@@ -0,0 +1,34 @@
+{
+  disko.devices = {
+    disk = {
+      sda = {
+        device = "/dev/nvme0n1";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              label = "EFI";
+              type = "EF00";
+              size = "100M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              label = "NIXOS";
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/nodes/heptifili/hardware-configuration.nix b/nodes/heptifili/hardware-configuration.nix
@@ -0,0 +1,19 @@
+{ config
+, lib
+, modulesPath
+, ...
+}:
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nodes/heptifili/networking.nix b/nodes/heptifili/networking.nix
@@ -0,0 +1,57 @@
+{ lib
+, config
+, ...
+}:
+let
+  inherit (config.lib.topology) mkConnectionRev;
+  IPv4 = "192.168.10.10";
+  IPv6 = "fd00::10:10";
+in
+{
+  topology.self.interfaces.eth0 = {
+    network = "Internet";
+    physicalConnections = [ (mkConnectionRev "Fritz!Box" "*") ];
+  };
+
+  services.tailscale.extraUpFlags = [ "--advertise-routes 192.168.10.0/23,fd00::/64" ];
+
+  networking = {
+    domains = {
+      enable = true;
+      subDomains."${config.networking.fqdn}" = { };
+      baseDomains."${config.networking.domain}" = {
+        a.data = IPv4;
+        aaaa.data = IPv6;
+      };
+    };
+    useNetworkd = true;
+    useDHCP = false;
+    hostName = "heptifili";
+    usePredictableInterfaceNames = lib.mkDefault true;
+    domain = "xnee.net";
+    nameservers = [
+      #HETZNER
+      "192.168.10.10"
+      "fd00::6b4:feff:feca:b60b"
+    ];
+    dhcpcd.enable = false;
+  };
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      networkConfig.DHCP = "no";
+      matchConfig.Name = "enp87s0";
+      address = [
+        "${IPv4}/23"
+        "${IPv6}/64"
+      ];
+      routes = [
+        { Gateway = "fe80::6b4:feff:feca:b60b"; }
+        {
+          Gateway = "192.168.10.1";
+        }
+      ];
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+}
diff --git a/secrets/common.yaml b/secrets/common.yaml
@@ -16,38 +16,47 @@ sops:
         - recipient: age1d085lpynkxxf0mfus0rd3qq0r38clwz9d5ddrl79x982z00j6qsqq8f54g
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eUJML25MQnhpZWJBN3lQ
-            amtjNkVtQngzRncyalJJWDhqa0pWc0gxNVI0CnIzU2M3NEpWeWRid1Z1VnNyRFJw
-            RnpMSUFQMmJybVlyTWZqMC96SzRqWk0KLS0tIFg3V3dJa0pzY1NMV2RQdkhwd0Z4
-            b0VCeUJucXU4dHZheVpFRFhxc1k3TDAKY0LOBXp9PDZN4enT6L8/drxCkMeA/O3A
-            Ve3RixsRdwOcgsJdjIUHTAdCAUhNuRjcn8Pjs8UxBhou5fHIaV4aZw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZVBzdzZaSnNXd0dHRWVG
+            eFF2Qzd5TmFLa2wvbWdiVy9jMGlDRjRBR3hFCnJYYzEvSmxkczJTMzdGOU5GMGth
+            T2FEVnM0ZWl5bmJ4RHB0RTF4aDAvRVkKLS0tIEZmRUVET3ZTQnNsdWpRZjdUL0lo
+            MVZBMDdnRXMvaFVobDR4QmVsVEFIQ2sKiwZSJUdlQqv/elJ3Gh58b2xjU1LSxsdZ
+            Ydz0AzeFBlIgVVpfNRez+NYZCQthnP3QT6nT0sAVZWa7hJFzQLjVVQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1s7xs405mkw2gagclktekz27lxhh38se7adrkdfc0x2l28j9xsvdqcdrsyr
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSCttamJHZkNiUk1rS2la
-            TDhiTzRuRldrT25ZZG16NDBNTEs3OGFEbzBnClhUNmhLYjd2YjNMZlpnMnNTL3k3
-            RVd1M3l6MllCRGdQNlE0cjFQbmE4dVkKLS0tIEcwbm43MnBTNFpIY3lEN2xOdXYy
-            ZWdtZ3VIQWdTK2tUc0hUbzliQWtHazAKdJcZTxBTP1SbTn6pfeiAMjxTzeAlf+rp
-            LpboQI3qPNA+Imqtbx8lacP5jAbgpFoWRkYMxuSFh0QzHoaraxYgQw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SmZubjVIWUp0b3FSMEI5
+            cDdYMm85MEN5L0E5YTB4Y3lCWHFiWi81S0U0CldYeGVseEFkUXFiWlhaMjVlR1pD
+            c2VFRDg4TkU1SFRlYlo3TjhoZDduYXcKLS0tIHlaRkN6cWkxUHVGSmpLM0FUeFF5
+            Qk9zMy91VE9KNVRTckRVMDRBY0dXZ3cKrD6N/VcepEEcaXPr00MjTF6cpgMXO7sb
+            YdE1S0EGe5x59jU8TtHELOJ91TJaolp0WD0pvAXhHIAcBfnqEdpKbg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ap6uwhhy4uvq72hwyts7gzl027mnypakvj6svphgw2fm8jk72v7qtccs76
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdThDbXBXWFdhRGVCZXJC
-            WWVXa05oSCtKS0VhYytNMGVTVGMrZXljR2tRCkwvQ3h4bENjMFZvRnBtSUFvdnc1
-            cTJWVlVkQVZjOUxZclJNa3ZYaktiYWsKLS0tIFg1QzJUMmJLOTRicnYxOWVXS0JB
-            dE95akkyNUtOUDlnTGN5YVZMaGFQbEUK06k7tnbFA93+pVzLYkpIt4u4aO5WzWi3
-            qtgAgNJZqTqSy02pvbAMtDCArIBgGPZwGhxPuZLhLfEeNjkyoYG8gw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUThrTGFKbmRXNjNUbWZQ
+            R3lKZ2xwUEd6bVlFUGZaY29PRTk0alZhQmpVClNwUi9kdE53endJZ2dCeHdET3c5
+            djltYmdSSmlmQy9iSk1sYmtHVmZJa00KLS0tIHVHSzNaeDlmV1I1eWlHUUVBUkxV
+            N1AzL0JNOE15eUpQVkNKdFNSVWtmQmsKphXeERyM93OKHDtH6Fm9UnB207LVxGt/
+            flSanMWVNYqLVsNLuXQYOdlU7RCowHobH+y+eUKYEutm8SXa30ixKg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age183wgf8xp46chqk049ekyg7vsan2p50zh4lqfllcllzwuekeywdzqn7pz0q
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMFNNSEZVWUJTYVpsbkxT
-            QXp4Vit5N05oR282OUhPUmd0SzFaUDZ1RDJvCmg5V3RUdFlFWlRNS2lRUHp3bGs5
-            WXQ5Uk1BTDhBaTB6TUwrL20vYXhEbDgKLS0tIGVuM1MvdUxOMy9JalZEVjhCeGlS
-            S2JvMzZya2dCbUtSVzNPOWVITHF1WFUKCxDwdj+hq0mEprx8N5NzYLBE08O8Jfl2
-            H3SPrww3gmQExa4eI6rZ8UtD+OTXXtDDrr7aBKcgqrTH5jb5l16hDw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEblZNTlptbTZxNVk4SG50
+            Q2lyZHRoakdRaktENFVYWU1GaEFTV3dPbDFVCjhHY2FrSzY4aW1pWXc5VFdnb3k4
+            NEc2TGJ4VnJJZ21jKzZnMi9EdEtDSHMKLS0tIFl2U3gxL3liZVpZOTVzbVc4Z1lS
+            WE82VHMyeElrbDhYL0VjZHdQWjY1VmMK+q+tW+HNgG13OvL3VqlkzhKYI2r5ceoG
+            u4x4wpajiiQgCAub1SddFmGPX8iPeyfyCg7ijeUUguFMPpCXHbx2Yw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xvkj88jyajrefredvy4t7xgwfxrerezunsjcqqqfxytpw648l4aqfjakav
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeVlKNmRaVDRKV0xDcWpW
+            MEE4WHJZWnNQSlpURmlVWUZHZ2YxTUhnZEVnCmdYQjVSZ1FZOWkrdkhiUDQ2ME1W
+            MlFnM2ZSZ3NzTTBHbXN5djJsVDJCYWcKLS0tIFJzaFgwL3hzbnVCT0x0YnA1Wk9a
+            MmVwWTNta2JNRDhkRlFLNkNMcS9EUkkKyvKHpErzUGuunZI2p1tWS01XzBQFF3If
+            YnoWAP4iX9OVK5XBP96+cxKNRbhnujGb2PphZcepXk8dUwOvGS13Fg==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-06-18T18:55:54Z"
     mac: ENC[AES256_GCM,data:rT4xvOvSnze3ubMOQNAZ/mJYgCBGL5OnqgCnV6KmsUWCou1nZxeWIyOUCPZpCj1qLRD1+CVlaPWvB1AsHznzaaulBmr0unQsCRVr4KOkisMP1b3VqVEfGcQsIEZ238l1J0YTRhwU+Sgyf8sB53K1b3HtOWJSO9/H7GJrVTJ+/i4=,iv:U0413JJWERZ9E84/YaNkBZOj7D5ODIdtjJUS7XY2krY=,tag:ZuJp8lw0vZ2c9mqO78rF6Q==,type:str]