Diffstat (limited to 'machines/nixos/x86_64-linux/bree.nix')
| -rw-r--r-- | machines/nixos/x86_64-linux/bree.nix | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/bree.nix b/machines/nixos/x86_64-linux/bree.nix
new file mode 100644
index 0000000..7c8a661
--- /dev/null
+++ b/machines/nixos/x86_64-linux/bree.nix
@@ -0,0 +1,61 @@
+{
+ lib,
+ adminUser,
+ config,
+ ...
+}:
+{
+ imports = [
+ ../../../profiles/cgroups.nix
+ ../../../profiles/defaults.nix
+ ../../../profiles/disk/basic-vm.nix
+ ../../../profiles/home-manager.nix
+ ../../../profiles/server.nix
+ ];
+
+ age.secrets.wireguard.file = ../../../secrets/bree/wireguard.age;
+
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.enable = true;
+
+ networking.hostName = "bree";
+ networking.useDHCP = lib.mkDefault true;
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.40/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # argonath
+ publicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
+ allowedIPs = [ "10.100.0.51/32" ];
+ endpoint = "157.230.146.234:51871";
+ persistentKeepalive = 25;
+ }
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.60/32" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ home-manager = {
+ users.${adminUser.name} = {
+ imports = [
+ ../../../home/profiles/minimal.nix
+ ];
+ };
+ };
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+} |
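Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` accepts every packet that arrives over the tunnel, so both peers (argonath and rivendell) can reach any service listening on bree, including ones the imported profiles may enable now or later, with no firewall rule in between. If the peers only need a few services, scope the rule to the interface instead, e.g. `networking.firewall.interfaces.wg0.allowedTCPPorts = [ <ports-needed> ];`, and drop the trusted-interface line. The per-peer `/32` `allowedIPs` already restrict which tunnel source address each key may use, so port-level rules on wg0 would complete the least-privilege setup. If full trust is intended, a short comment above the line saying so would help the next reader.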
