fra1-b

2024-07-30 23:06:33 +03:00 · 2024-07-30 23:06:33 +03:00 · 1ae8bcb293
commit 1ae8bcb293
parent eb8f07c704
2 changed files with 140 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -246,6 +246,32 @@
          } // inputs;
        };

+        fra1-b = nixpkgs.lib.nixosSystem {
+          system = "aarch64-linux";
+          modules = [
+            { nixpkgs.overlays = overlays; }
+            agenix.nixosModules.default
+            home-manager.nixosModules.home-manager
+
+            ./hosts/fra1-b/configuration.nix
+            ./modules
+
+            #{
+            #  age.secrets = {
+            #    zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
+            #    borgbackup-password.file = ./secrets/fra1-a/borgbackup-password.age;
+            #    motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
+            #    root-passwd-hash.file = ./secrets/root_passwd_hash.age;
+            #    sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
+            #  };
+            #}
+          ];
+
+          specialArgs = {
+            inherit myData;
+          } // inputs;
+        };
+
        fra1-a = nixpkgs.lib.nixosSystem {
          system = "aarch64-linux";
          modules = [
--- a/hosts/fra1-b/configuration.nix
+++ b/hosts/fra1-b/configuration.nix
@ -0,0 +1,114 @@
+{ myData, modulesPath, ... }:
+let
+  disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_50294864";
+in
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot = {
+    kernelModules = [ "kvm-intel" ];
+    loader.systemd-boot.enable = true;
+    initrd = {
+      kernelModules = [ "usb_storage" ];
+      availableKernelModules = [
+        "xhci_pci"
+        "virtio_scsi"
+        "sr_mod"
+      ];
+    };
+  };
+
+  fileSystems."/" = {
+    device = "${disk}-part1";
+    fsType = "btrfs";
+  };
+
+  swapDevices = [ { device = "${disk}-part2"; } ];
+
+  mj = {
+    stateVersion = "24.05";
+    timeZone = "UTC";
+    username = "motiejus";
+
+    base = {
+      users = {
+        enable = true;
+        root.initialPassword = "live";
+        user.initialPassword = "live";
+        #root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
+        #user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
+      };
+
+      unitstatus = {
+        enable = true;
+        email = "motiejus+alerts@jakstys.lt";
+      };
+
+    };
+
+    services = {
+      node_exporter.enable = true;
+      sshguard.enable = true;
+      tailscale.enable = true;
+
+      remote-builder.server = {
+        enable = true;
+        uidgid = myData.uidgid.remote-builder;
+        sshAllowSubnet = myData.subnets.tailscale.sshPattern;
+        publicKeys = map (h: myData.hosts.${h}.publicKey) [
+          "vno1-oh2.servers.jakst"
+          "fwminex.motiejus.jakst"
+          "mtworx.motiejus.jakst"
+        ];
+      };
+
+      #postfix = {
+      #  enable = true;
+      #  saslPasswdPath = config.age.secrets.sasl-passwd.path;
+      #};
+
+      deployerbot = {
+        follower = {
+          publicKeys = [
+            myData.hosts."vno1-oh2.servers.jakst".publicKey
+            myData.hosts."fwminex.motiejus.jakst".publicKey
+          ];
+
+          enable = true;
+          sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];
+          uidgid = myData.uidgid.updaterbot-deployee;
+        };
+      };
+
+    };
+  };
+
+  services = {
+    nsd = {
+      enable = true;
+      interfaces = [
+        "0.0.0.0"
+        "::"
+      ];
+      zones = {
+        "jakstys.lt.".data = myData.jakstysLTZone;
+        "11sync.net.".data = myData.e11syncZone;
+      };
+    };
+  };
+
+  networking = {
+    hostName = "fra1-b";
+    domain = "servers.jakst";
+    useDHCP = true;
+    firewall = {
+      allowedUDPPorts = [ 53 ];
+      allowedTCPPorts = [
+        22
+        53
+      ];
+    };
+  };
+
+  nixpkgs.hostPlatform = "aarch64-linux";
+}