hosts/hina: init

Signed-off-by: Amneesh Singh <natto@weirdnatto.in>
2023-08-16 13:44:42 +05:30
parent e281e912d8
commit d4554d43ae
11 changed files with 167 additions and 8 deletions
--- a/hosts/README.org
+++ b/hosts/README.org
@@ -1,3 +1,4 @@
 + satori is my home laptop
 + marisa is my Raspberry Pi 4 (B)
 + remilia is my cloud VM
+ hina is another cloud VM I use for ZNC
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -45,5 +45,17 @@ in
      ++ commonModules
      ++ serverModules;
    };
+
+    #Oracle Cloud VM
+    hina = nixpkgs.lib.nixosSystem rec {
+      system = "x86_64-linux";
+      modules = [
+        ./hina
+        ./modules/x86builder.nix
+        { nixpkgs.pkgs = self.legacyPackages.${system}; }
+      ]
+      ++ commonModules
+      ++ serverModules;
+    };
  };
 }
--- a/hosts/hina/boot.nix
+++ b/hosts/hina/boot.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+{
+  boot = {
+    kernel.sysctl."net.ipv4.ip_forward" = 1;
+    initrd.kernelModules = [ "bochs" ];
+    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" ];
+    kernelModules = [ "kvm-amd" ];
+    kernelParams = [ "console=ttyS0" "console=tty1" "nvme.shutdown_timeout=10" "libiscsi.debug_libiscsi_eh=1" ];
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+  };
+}
--- a/hosts/hina/default.nix
+++ b/hosts/hina/default.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, lib', ... }:
+{
+  imports = [
+    ./networking.nix
+    ./hardware.nix
+    ./boot.nix
+    ./services.nix
+  ];
+
+  time.timeZone = "Asia/Kolkata";
+
+  users.users.spin = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    home = "/home/spin";
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = lib'.network.commonSSHKeys;
+  };
+  programs.zsh.enable = true;
+
+  system.stateVersion = "21.11";
+}
--- a/hosts/hina/hardware.nix
+++ b/hosts/hina/hardware.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/d91adce2-9059-4a8a-86e7-dee6ecc85b2b";
+      fsType = "ext4";
+    };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 7168;
+      priority = 0;
+    }
+  ];
+}
--- a/hosts/hina/networking.nix
+++ b/hosts/hina/networking.nix
@@ -0,0 +1,35 @@
+{ lib, config, lib', pkgs, ... }:
+{
+  networking = {
+    useDHCP = false;
+    hostName = "hina";
+    firewall =
+      {
+        interfaces = {
+          ens3 = {
+            allowedTCPPorts = [ 9898 80 443 ];
+          };
+        };
+      };
+    interfaces = {
+      ens3 = {
+        useDHCP = true;
+      };
+    };
+
+    wireguard.interfaces.wg0 = with lib'.network.addresses.wireguard.ips; {
+      ips = [ hina ];
+      listenPort = 17840;
+      privateKeyFile = "/var/secrets/wg.key";
+      peers = [
+        {
+          #Oracle VM1
+          publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM=";
+          allowedIPs = [ remilia ];
+          endpoint = "${lib'.network.addresses.domain.natto}:17840";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}
--- a/hosts/hina/services.nix
+++ b/hosts/hina/services.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, lib, lib', ... }:
+let
+  domain = lib'.network.addresses.domain.natto;
+in
+{
+  services = {
+    cron.enable = true;
+
+    openssh = {
+      enable = true;
+      permitRootLogin = "yes";
+      ports = [ 22 ];
+    };
+
+    znc = {
+      enable = true;
+      mutable = true;
+      useLegacyConfig = false;
+    };
+
+    nginx = {
+      enable = true;
+      virtualHosts = with lib'.network.addresses.wireguard.ips; {
+        "znc.${domain}" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "https://${hina}:9898";
+          };
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    certs = lib.mapAttrs (n: _: { email = "natto@${domain}"; })
+      (lib.filterAttrs (_: v: v.enableACME) config.services.nginx.virtualHosts);
+  };
+  security.pki.certificateFiles = [ ../../cert.pem ];
+}
+
--- a/hosts/remilia/networking.nix
+++ b/hosts/remilia/networking.nix
@@ -68,6 +68,10 @@
            publicKey = "SqskEH7hz7Gv9ZS+FYLRFgKZyJCFbBFCyuvzBYnbfVU=";
            allowedIPs = [ ips.satori ];
          }
+          {
+            publicKey = "IHYIan9Xq2PBTSzcMdHpzx4PM67l09WdsGa6s+siyH0=";
+            allowedIPs = [ ips.hina ];
+          }
        ];
      };
    };
--- a/hosts/remilia/services.nix
+++ b/hosts/remilia/services.nix
@@ -10,11 +10,6 @@ in
      permitRootLogin = "yes";
      ports = [ 22 22002 ];
    };
-    znc = {
-      enable = true;
-      mutable = true;
-      useLegacyConfig = false;
-    };
    nginx = {
      enable = true;
      clientMaxBodySize = "512m";
@@ -52,7 +47,6 @@ in
            };
            serverAliases = [ "www.${domain}" ];
          };
-          "znc.weirdnatto.in" = genericHttpRProxy { addr = "https://${remilia}:9898"; };
          # "vault.${domain}" = genericHttpRProxy { addr = "https://${marisa}:8800"; };
          # "consul.${domain}" = genericHttpRProxy { addr = "http://${marisa}:8500"; };
          "f.${domain}" = genericHttpRProxy { addr = "http://${marisa}:8000"; };