Diffstat (limited to 'machines/nixos/x86_64-linux/synology-vm.nix')
| -rw-r--r-- | machines/nixos/x86_64-linux/synology-vm.nix | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/synology-vm.nix b/machines/nixos/x86_64-linux/synology-vm.nix
new file mode 100644
index 0000000..702f8b4
--- /dev/null
+++ b/machines/nixos/x86_64-linux/synology-vm.nix
@@ -0,0 +1,123 @@
+{
+ modulesPath,
+ lib,
+ adminUser,
+ config,
+ ...
+}:
+{
+ age = {
+ secrets = {
+ restic_gcs_credentials = {
+ file = ../../../secrets/restic_gcs_credentials.age;
+ };
+ restic_password = {
+ file = ../../../secrets/restic_password.age;
+ };
+ nas_client_credentials = {
+ file = ../../../secrets/nas_client.age;
+ };
+ wireguard = {
+ file = ../../../secrets/vm-synology/wireguard.age;
+ };
+ };
+ };
+
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ../../../profiles/defaults.nix
+ ../../../profiles/server.nix
+ ../../../profiles/cgroups.nix
+ ../../../profiles/disk/basic-vm.nix
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.enable = true;
+
+ networking.hostName = "synology-vm";
+ networking.useDHCP = lib.mkDefault true;
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ my.modules.nas-client = {
+ enable = true;
+ volumes = {
+ data = {
+ server = "192.168.1.68";
+ remotePath = "backups";
+ mountPoint = "/data/backups";
+ uid = adminUser.uid;
+ };
+ };
+ };
+
+ my.modules.backups = {
+ enable = true;
+ passwordFile = config.age.secrets.restic_password.path;
+ remote = {
+ googleProjectId = "fcuny-infra";
+ googleCredentialsFile = config.age.secrets.restic_gcs_credentials.path;
+ };
+ };
+
+ users.users.builder = {
+ openssh.authorizedKeys.keys = [
+ # my personal key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ # remote builder ssh key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
+ ];
+ isNormalUser = true;
+ group = "nogroup";
+ };
+
+ nix.settings.trusted-users = [ "builder" ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.40/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ services.goget = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+} |
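Review bot: Both wg0 peers declare `allowedIPs = [ "10.100.0.0/24" ];`, but WireGuard's cryptokey routing maps each prefix to exactly one peer, so whichever peer is applied last silently takes the whole /24 and traffic destined for the other peer's address is never sent to it; the peer that only relays for itself should carry just its own tunnel address, e.g. `allowedIPs = [ "10.100.0.N/32" ];`, while the /24 stays on the hub (presumably the peer with the `165.232.158.110:51871` endpoint). The `persistentKeepalive = 25` on the rivendell peer has no effect until that peer initiates a handshake, because no `endpoint` is known for it. Separately, `nix.settings.trusted-users = [ "builder" ];` makes both authorized keys root-equivalent on this host (the Nix manual describes trusted-users as effectively root access), so if the second key only ever drives remote builds it should be pinned with `"restrict,command=\"nix-daemon --stdio\" ssh-ed25519 …"` (or `nix-store --serve --write` for the legacy protocol) rather than a full shell. `group = "nogroup";` on a login user is also unusual — confirm it is intended over the default `users` group.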
