diff options
Diffstat (limited to 'machines/nixos/x86_64-linux/rivendell.nix')
| -rw-r--r-- | machines/nixos/x86_64-linux/rivendell.nix | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix new file mode 100644 index 0000000..dc0205d --- /dev/null +++ b/machines/nixos/x86_64-linux/rivendell.nix @@ -0,0 +1,86 @@ +{ + lib, + config, + modulesPath, + inputs, + ... +}: +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series + ../../../profiles/disk/btrfs-on-luks.nix + ../../../profiles/defaults.nix + ../../../profiles/server.nix + ../../../profiles/cgroups.nix + ../../../profiles/forgejo.nix + ../../../profiles/keycloak.nix + ../../../profiles/tailscale.nix + ]; + + age = { + secrets = { + wireguard = { + file = ../../../secrets/rivendell/wireguard.age; + }; + }; + }; + + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "thunderbolt" + "usbhid" + "usb_storage" + "sd_mod" + "r8169" # ethernet driver + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + networking.hostName = "rivendell"; + networking.useDHCP = lib.mkDefault true; + systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP; + + users.users.builder = { + openssh.authorizedKeys.keys = [ + # my personal key + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi" + # remote builder ssh key + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw" + ]; + isNormalUser = true; + group = "nogroup"; + }; + + nix.settings.trusted-users = [ "builder" ]; + + networking.wireguard = { + enable = true; + interfaces.wg0 = { + ips = [ "10.100.0.60/32" ]; + listenPort = 51871; + privateKeyFile = config.age.secrets.wireguard.path; + peers = [ + { + # digital ocean droplet + publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318="; + allowedIPs = [ "10.100.0.0/24" ]; + endpoint = "165.232.158.110:51871"; + persistentKeepalive = 25; + } + ]; + }; + }; + + networking.firewall.allowedUDPPorts = [ 51871 ]; + + my.modules.hardware.baremetal.enable = true; + my.modules.remote-unlock.enable = true; + + system.stateVersion = "23.11"; # Did you read the comment? +} |