Diffstat (limited to 'machines/nixos/x86_64-linux/synology-vm')
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/default.nix110
1 files changed, 110 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
new file mode 100644
index 0000000..05d4d8c
--- /dev/null
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -0,0 +1,110 @@
+{
+ lib,
+ adminUser,
+ config,
+ self,
+ ...
+}:
+{
+ age = {
+ secrets = {
+ restic_gcs_credentials = {
+ file = "${self}/secrets/restic_gcs_credentials.age";
+ };
+ restic_password = {
+ file = "${self}/secrets/restic_password.age";
+ };
+ cloudflared-tunnel = {
+ file = "${self}/secrets/cloudflared_cragmont.age";
+ };
+ cloudflared-cert = {
+ file = "${self}/secrets/cloudflared_cert.age";
+ };
+ nas_client_credentials = {
+ file = "${self}/secrets/nas_client.age";
+ };
+ wireguard = {
+ file = "${self}/secrets/vm-synology/wireguard.age";
+ };
+ };
+ };
+
+ imports = [
+ "${self}/profiles/home-manager.nix"
+ "${self}/profiles/admin-user/user.nix"
+ "${self}/profiles/admin-user/home-manager.nix"
+ "${self}/profiles/hardware/synology.nix"
+ "${self}/profiles/disk/vm.nix"
+ "${self}/profiles/server.nix"
+ "${self}/profiles/git-server.nix"
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.enable = true;
+
+ networking.hostName = "vm-synology";
+ networking.useDHCP = lib.mkDefault true;
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ home-manager.users.${adminUser.name} = {
+ imports = [
+ "${self}/home/profiles/minimal.nix"
+ ];
+ };
+
+ my.modules.nas-client = {
+ enable = true;
+ volumes = {
+ data = {
+ server = "192.168.1.68";
+ remotePath = "backups";
+ mountPoint = "/data/backups";
+ uid = adminUser.uid;
+ };
+ };
+ };
+
+ my.modules.backups = {
+ enable = true;
+ passwordFile = config.age.secrets.restic_password.path;
+ remote = {
+ googleProjectId = "fcuny-infra";
+ googleCredentialsFile = config.age.secrets.restic_gcs_credentials.path;
+ };
+ };
+
+ users.users.builder = {
+ openssh.authorizedKeys.keys = [
+ # my personal key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ # remote builder ssh key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
+ ];
+ isNormalUser = true;
+ group = "nogroup";
+ };
+
+ nix.settings.trusted-users = [ "builder" ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.40/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
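Review bot: `nix.settings.trusted-users = [ "builder" ]` makes the `builder` account effectively root-equivalent on this host (a trusted user can override daemon options such as sandbox paths and substituters and can import unsigned paths into `/nix/store`), yet the two `authorizedKeys` entries above it are installed without any restriction, so anyone holding either key gets that power over plain SSH. If the account exists only to serve remote builds, restrict the keys to the daemon protocol, e.g. prefix each with `restrict,command="nix-daemon --stdio" ` (or the `nix-store --serve --write` form if the client still uses legacy `ssh://` builders), and add a comment stating why the account must be trusted instead of having the client sign its paths with `secret-key-files`. A small `let wgPort = 51871; in` binding would also keep `listenPort` and `allowedUDPPorts` from drifting apart, since the same literal is repeated in both places.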