Ayo the pizza here (restructuring)

hosts/marisa/boot.nix

@@ -0,0 +1,15 @@
+{config, ...}:
+{
+  boot = {
+    initrd.availableKernelModules = [ "xhci_pci" "usb_storage" "usbhid" "uas" "pcie-brcmstb"];
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable= true;
+      raspberryPi= {
+        version = 4;
+        firmwareConfig = "dtparam=sd_poll_once=on";
+        enable = true;  
+      };
+    };
+  };
+}

hosts/marisa/default.nix

@@ -0,0 +1,12 @@
+{config, pkgs, ...}:
+{
+  imports = 
+  [
+    ./networking.nix
+    ./hardware.nix
+    ./boot.nix
+    ./services.nix
+  ];
+  programs.gnupg.agent.enable = pkgs.lib.mkForce false;
+  system.stateVersion = "21.05";
+}

hosts/marisa/hardware.nix

@@ -0,0 +1,28 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      fsType = "ext4";
+    };
+
+  fileSystems."/nix/store" =
+    { device = "/nix/store";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      priority = 0;
+      size = 10240;
+    }
+  ];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.firmware = [ pkgs.raspberrypiWirelessFirmware ];
+}

hosts/marisa/networking.nix

@@ -0,0 +1,39 @@
+{config, pkgs, ...}:
+{
+  networking = {
+    hostName = "Marisa";
+    firewall = {
+      allowedTCPPorts = [ 22 80 6060 5001 8800 8888 ];
+      allowedUDPPorts = [ 17840 ];
+    };
+    wireless = {
+      enable = false;
+      iwd.enable = true;
+    };
+    interfaces = {
+      wlan0 = {
+        useDHCP = false;
+        ipv4.addresses = [ {
+          prefixLength = 24;
+          address = "192.168.0.159";
+        } ];
+      };
+    };
+    wireguard.interfaces.wg0 = {
+      ips = [ "10.55.0.2/24" ];
+      listenPort = 17840;
+      privateKeyFile = "/var/wg";
+      peers = [
+        {
+          #Oracle VM1
+          publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM=";
+          allowedIPs = [ "10.55.0.0/24" ];
+          endpoint = "weirdnatto.in:17840";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+    defaultGateway = "192.168.0.1";
+    nameservers = [ "1.1.1.1" "8.8.8.8" ];
+  };
+}

hosts/marisa/services.nix

@@ -0,0 +1,100 @@
+{lib, config, pkgs, ...}:
+{
+  services = {
+    openssh = {
+      enable = true;
+      permitRootLogin = "yes";
+    };
+    vault = {
+      package = pkgs.vault-bin; enable = true;
+      tlsCertFile = "/var/certs/cert.pem";
+      tlsKeyFile = "/var/certs/key.pem";
+      address = "0.0.0.0:8800";
+      extraSettingsPaths = [ /var/vault/vault.hcl ];
+      storageBackend = "postgresql";
+      extraConfig = ''
+        api_addr = "https://127.0.0.1:8800"
+        ui = true
+      '';
+    };
+    vault-agent = {
+      enable = true;
+      settings = {
+        vault = {
+          address = "https://10.55.0.2:8800";
+          client_cert = "/var/vault/cert.pem";
+          client_key = "/var/vault/key.pem";
+        };
+        auto_auth = {
+          method = [
+            {
+              "cert" = {
+                name = "Marisa";
+              };
+            }
+          ];
+        };
+        template = [
+          {
+            source = pkgs.writeText "gitea.tpl" ''
+              {{ with secret "kv/systems/Marisa/gitea" }}{{ .Data.data.gitea }}{{ end }}
+            '';
+            destination = "/var/secrets/gitea.key";
+          }
+          {
+            source = pkgs.writeText "wg.tpl" ''
+              {{ with secret "kv/systems/Marisa/wg" }}{{ .Data.data.private }}{{ end }}
+            '';
+            destination = "/var/secrets/wg.key";
+          }
+        ];
+      };
+    };
+    postgresql = {
+      enable = true;
+      port = 6060;
+      enableTCPIP = true;
+      authentication = ''
+        local gitea all ident map=gitea-map
+        host vault all 10.55.0.2/32 md5
+        host all all 192.168.0.110/32 md5
+        '';
+      identMap = ''
+        gitea-map gitea gitea
+        '';
+    };
+    gitea = {
+      enable = true;
+      appName = "Natto Tea";
+      rootUrl = "https://git.weirdnatto.in/";
+      cookieSecure = true;
+      httpPort = 5001;
+      database = rec {
+        createDatabase = false;
+        port = 6060;
+        name = "gitea";
+        user = name;
+        passwordFile = "/var/secrets/gitea.key";
+        type = "postgres";
+      };
+      settings = {
+        oauth2_client = {
+          ENABLE_AUTO_REGISTRATION = true;
+          UPDATE_AVATAR = true;
+        };
+        ui = {
+          DEFAULT_THEME="arc-green";
+        };
+        security = {
+          LOGIN_REMEMBER_DAYS = 50;
+        };
+      };
+    };
+  };
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX1HDzWpoaOcU8GDEGuDzXgxkCpyeqxRR6gLs/8JgHw"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK06ZUa9BKmZ6m+xapBjOAm10OCLzxIm8ais20wQC47m"
+  ];
+  security.pki.certificateFiles = [ ../../cert.pem ];
+}