path: root/machines/nixos/x86_64-linux/rivendell.nix
blob: 1e7abcf27dd65203afc0e97d2363dc57fc844960 (plain) (tree)
{
  lib,
  config,
  adminUser,
  ...
}:
let
  # Single source of truth for the WireGuard UDP port: it is used both as the
  # tunnel's listenPort and as the firewall exception, so the two cannot drift.
  wgPort = 51871;

  # The only peer this host accepts on wg0.  allowedIPs is a single /32, so
  # packets from argonath are accepted (and routed) for that one address only.
  argonath = {
    publicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
    allowedIPs = [ "10.100.0.51/32" ];
    endpoint = "157.230.146.234:51871";
    persistentKeepalive = 25;
  };
in
{
  imports = [
    ../../../profiles/authelia.nix
    ../../../profiles/cgroups.nix
    ../../../profiles/defaults.nix
    ../../../profiles/disk/btrfs-on-luks.nix
    ../../../profiles/git-server.nix
    ../../../profiles/hardware/framework-desktop.nix
    ../../../profiles/home-manager.nix
    ../../../profiles/miniflux.nix
    ../../../profiles/remote-unlock.nix
    ../../../profiles/restic-backup.nix
    ../../../profiles/server.nix
  ];

  # WireGuard private key is delivered as an agenix secret; only the encrypted
  # .age file is in the repo and the decrypted path is consumed below.
  age.secrets.wireguard.file = ../../../secrets/rivendell/wireguard.age;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  # Remote-build account.  Both listed keys may log in as `builder`, and every
  # trusted user may pass arbitrary options to the Nix daemon, which the Nix
  # manual describes as effectively root-equivalent — treat these keys with the
  # same care as the admin user's.
  users.users.builder = {
    isNormalUser = true;
    group = "nogroup";
    openssh.authorizedKeys.keys = [
      # my personal key
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
      # remote builder ssh key
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
    ];
  };
  nix.settings.trusted-users = [ "builder" ];

  networking = {
    hostName = "rivendell";
    useDHCP = lib.mkDefault true;

    wireguard = {
      enable = true;
      interfaces.wg0 = {
        ips = [ "10.100.0.60/32" ];
        listenPort = wgPort;
        privateKeyFile = config.age.secrets.wireguard.path;
        peers = [ argonath ];
      };
    };

    firewall = {
      # Everything arriving over the tunnel bypasses the firewall entirely;
      # with the peer list above that means only argonath, but any peer added
      # later inherits the same unrestricted access.
      trustedInterfaces = [ "wg0" ];
      # Only the WireGuard handshake port is opened on the public interfaces.
      allowedUDPPorts = [ wgPort ];
    };
  };

  systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;

  # Publicly reachable site; openFirewall punches the service's own ports.
  services.website = {
    enable = true;
    openFirewall = true;
  };

  home-manager.users.${adminUser.name} = {
    imports = [ ../../../home/profiles/minimal.nix ];
    inherit (adminUser) userinfo;
  };

  system.stateVersion = "23.11"; # Did you read the comment?
}