theon: add host

2024-02-11 22:33:15 +00:00 · 2024-02-11 22:33:15 +00:00 · 89dade473a
commit 89dade473a
parent d7398e38df
5 changed files with 114 additions and 1 deletions
--- a/hosts/theon.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/theon.storage.ts.hillion.co.uk/default.nix
@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ../../modules/common/default.nix
+    ./hardware-configuration.nix
+  ];
+
+  config = {
+    system.stateVersion = "23.11";
+
+    networking.hostName = "theon";
+    networking.domain = "storage.ts.hillion.co.uk";
+
+    boot.loader.grub.enable = false;
+    boot.loader.generic-extlinux-compatible.enable = true;
+
+    ## Custom Services
+    custom = {
+      locations.autoServe = true;
+    };
+
+    ## Networking
+    systemd.network.enable = true;
+
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      allowedTCPPorts = lib.mkForce [
+        22 # SSH
+      ];
+      allowedUDPPorts = lib.mkForce [ ];
+      interfaces = {
+        end0 = {
+          allowedTCPPorts = lib.mkForce [ ];
+          allowedUDPPorts = lib.mkForce [ ];
+        };
+      };
+    };
+
+    ## Tailscale
+    age.secrets."tailscale/theon.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/theon.storage.ts.hillion.co.uk.age;
+    custom.tailscale = {
+      enable = true;
+      preAuthKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
+      ipv4Addr = "100.104.142.22";
+      ipv6Addr = "fd7a:115c:a1e0::4aa8:8e16";
+    };
+
+    ## Packages
+    environment.systemPackages = with pkgs; [
+      scrub
+      smartmontools
+    ];
+  };
+}
--- a/hosts/theon.storage.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/theon.storage.ts.hillion.co.uk/hardware-configuration.nix
@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "usbhid" "usb_storage" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
--- a/hosts/theon.storage.ts.hillion.co.uk/system
+++ b/hosts/theon.storage.ts.hillion.co.uk/system
@ -0,0 +1 @@
+aarch64-linux
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -20,7 +20,10 @@ let
            parents = { microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr root@microserver"; };
            strangervm = { vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINb9mgyD/G3Rt6lvO4c0hoaVOlLE8e3+DUfAoB1RI5cy root@vm"; };
            terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
-            storage = { tywin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k root@tywin"; };
+            storage = {
+              tywin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k root@tywin";
+              theon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf root@theon";
+            };
          };
        };
      };
@ -40,6 +43,7 @@ in
  "tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
  "tailscale/microserver.parents.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.parents.microserver ];
  "tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
+  "tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
  "tailscale/tywin.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
  "tailscale/vm.strangervm.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.strangervm.vm ];

--- a/secrets/tailscale/theon.storage.ts.hillion.co.uk.age
+++ b/secrets/tailscale/theon.storage.ts.hillion.co.uk.age
@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+PbIoYTLjFIqRoDRLerINlVGT3cAakwHPMDgQ9DCQw2Hpf0PuyKuVRJ3mNn4yxLjZ
+wW/7XC1qjP0qZusSRDpvrE1fP0+hC8CUUgbUfmtRSfeElzOofzro8E1NO3mQcfMb
+3m1XjITU2BAh56PZZIpoddhnTa2g6T5C/Csoor2vbz4H6DwiO9NRg4UyRXPVko7e
+jzRO8ezusAj88wmRD3VpZJ8HEN/gFxmeq4mm9FDgmk9u7K3W5RdGe5wEUMxaagG1
+IOaWwKHBYk0ZxfWFal3hXpgESJBAKiXm0TZE6tE2rO2R+KqHD4ylnLTJ4PZAOYTW
+bNFzcy7RrG01qm8pL5JJqg
+-> ssh-rsa K9mW1w
+PhYhNlRRprjlUvdez3aMOLlcGAHLpbyeZj2LCaBq3GzyLa8oOAbOUFD5D/R/ciX7
+K2M+ce34FBEsscqohuswXaKgoJYmp9dP3HGZOoqcIm6H8J5FS5SgzSDgFHn8uFzL
+lsMfEoX/43T6fhEnSFZuFlbNPT6V7uVYFKnggPSqz/k76rZd0O6X8Ragm8cPAerF
+M2f7zKDI48HhpQsymKJ7sFgmYWGDBXJixmkdSjonjed1GMQduWe6qFOxNyHrrjMD
+QPqo16rHlpkBZKbmoDJmrSqD25zSPqWxqcaIXhAOP2fpSOHKBViAxha/5yLwpTEv
+CWy8V0n/Jezu1K03G/T6Tw
+-> ssh-ed25519 7BDG9A aPLGHCgQu1s1T2VsbsR3SrdsZfSGGBu53p+1Zk6SXUw
+H5wp6cwozBKWg5OjuU9Z/fcFL+M47CDq//uJTUrWhYI
+--- +M8iL1TV9vJ77ICrEj9hZboRsJ1Se7yZIBvrt8eDX2U
+EŠŠ¸S~F9-µxàÇpJàÀoQ—%e\Äkã\,
+,[<5B>ð|“Ú<E2809C>\‡–<E280A1>ùjÍÈÙ[`‹· 	¾:	É°ó~²A‰‚ÚÓw<C393>AçüÝÿÂ;´?&<26>Y›þÏÿ{