From 26dd3d4db198c8fe37c2576d9a22981501d67cc1 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy
Date: Thu, 2 Mar 2023 13:09:07 +0300
Subject: [PATCH] machines: add new host

---
 Makefile | 3 +-
 flake.nix | 5 ++-
 machines/canigou/default.nix | 22 +++++++++++++
 machines/canigou/hardware-configuration.nix | 9 ++++++
 machines/canigou/networking.secret.nix | Bin 0 -> 932 bytes
 machines/default.nix | 19 ++++++++++-
 machines/magenta/default.nix | 13 ++------
 machines/magenta/networking.nix | 33 --------------------
 machines/magenta/networking.secret.nix | Bin 0 -> 878 bytes
 machines/modules/fail2ban.nix | 12 +++++++
 machines/modules/networking.secret.nix | Bin 199 -> 231 bytes
 11 files changed, 70 insertions(+), 46 deletions(-)
 create mode 100644 machines/canigou/default.nix
 create mode 100644 machines/canigou/hardware-configuration.nix
 create mode 100644 machines/canigou/networking.secret.nix
 delete mode 100644 machines/magenta/networking.nix
 create mode 100644 machines/magenta/networking.secret.nix
 create mode 100644 machines/modules/fail2ban.nix

diff --git a/Makefile b/Makefile
index b4f9c0a..92bb2db 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,8 @@ MACHINES := \
 	asus-gl553vd
 VPS := \
-	magenta
+	magenta \
+	canigou
 help:
 	cat Makefile
diff --git a/flake.nix b/flake.nix
index 3944923..d79c119 100644
--- a/flake.nix
+++ b/flake.nix
@@ -114,7 +114,10 @@
           RULES = "./.agenix_config.nix";
         };
         tools = pkgs.mkShell {
-          packages = [ pkgs.gucharmap ];
+          packages = with pkgs; [
+            gucharmap
+            wireguard-tools
+          ];
         };
       };
     })
diff --git a/machines/canigou/default.nix b/machines/canigou/default.nix
new file mode 100644
index 0000000..24ee8dc
--- /dev/null
+++ b/machines/canigou/default.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+let
+  data = import ../../data.nix;
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.secret.nix # generated at runtime by nixos-infect
+
+    ../modules/common.nix
+    ../modules/fail2ban.nix
+  ];
+
+  boot.cleanTmpDir = true;
+  zramSwap.enable = true;
+
+  networking.hostName = "canigou";
+
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = data.publicKeys.users.jan;
+}
diff --git a/machines/canigou/hardware-configuration.nix b/machines/canigou/hardware-configuration.nix
new file mode 100644
index 0000000..e54b5c4
--- /dev/null
+++ b/machines/canigou/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
diff --git a/machines/canigou/networking.secret.nix b/machines/canigou/networking.secret.nix
new file mode 100644
index 0000000000000000000000000000000000000000..44d2df4abf96a355a7e87f2ab818a74e02e7dd67
GIT binary patch
literal 932
zcmV;V16%w6M@dveQdv+`0Ki(r<$2?7>6=*l>d0Rby7JZ^)kQxx1^ZtG$ zW^ghw;ZqSJd-QCNEoPXm*>!Ww{vmZp?hJPq*(b#24n1*~iwQPD4=C!&U+s*EEMEWt zn9aER{|FZMNGIbiLe+x<*!c{ZDitIYMTTHCP_i!!CE|{8(i!KBWX@=Z_hlZeKPPEj zG1_tJ>qVxtF01`&q_bxgChy|m$a-OQ5)i5UC~??3#f zIp3|s`jYq3rZ#%Q2@`)^2XwM;Zd{D|XQ>MX2S%4_iCb=YA%ttu;sJ)+#5?muY zDfN*ReWxo6{v{$L1KI>%XMF}MJ8!!!gHz{#O6x09(^Y+u#i008A6XKK1VY67mX{6U zmz$rL4V#5%H$^>DZhOrP?&E$FR<={P;ZVdIM6w^kky{x32m`k|iK=1sSXB|A{Vb*oRBcu$k{Pv!=fQwNB{=@=LS&wS?-gv1Pb|;@psa9JIH;%0npBP#i1vjt+gBvVm6(K)IUnbEz?G$4DN$W!c@@(ZE zu&O<9PJ<{4VV^D;=q4N&Ohcy_!E4UIM8x&N!MY_R{EXFnEv>l%*<^p4d^`?rK9s7~ zq&McNoyYL(aU-%O0Ui@;AIDt8F#J|Dl{P={0MqeR1iDk48MZwEM79G<&+Q2dTZ14O GLEU4vIK8m|
literal 0
HcmV?d00001
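Review bot: The new host turns on sshd with a root authorized key (`services.openssh.enable = true;` and the `users.users.root.openssh.authorizedKeys.keys` line) but nothing in this hunk disables password authentication, so unless `../modules/common.nix` already does it the daemon keeps the NixOS default; root itself is key-only by default, but any user account common.nix adds is reachable with a password, and the imported fail2ban module only slows guessing down. `services.openssh.passwordAuthentication = false;` next to the enable line (or in common.nix so magenta inherits it) would close that; on NixOS releases after 22.11 the option is `services.openssh.settings.PasswordAuthentication`. The `# generated at runtime by nixos-infect` comment is now attached to a file that is committed as a binary blob and imported by machines/default.nix, so it would help to state how the file reaches the working tree, e.g. `# generated by nixos-infect; stored as a .secret.nix, a readable copy is needed for evaluation` — adjusted to however the .secret.nix files are actually kept.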
diff --git a/machines/default.nix b/machines/default.nix
index d119298..768fbc4 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -2,6 +2,15 @@ let
   hardware = inputs.hardware.nixosModules;
+
+  inherit (inputs.nixpkgs) lib;
+  inherit (builtins) head;
+  getTargetHost = file:
+    let
+      net = import file { inherit lib; };
+      ipv4addrs = net.networking.interfaces.eth0.ipv4.addresses;
+    in
+    (head ipv4addrs).address;
 in
 {
   home = {
@@ -37,10 +46,18 @@ in
   magenta = {
     system = "x86_64-linux";
-    targetHost = "45.131.41.215";
+    targetHost =
+      getTargetHost ./magenta/networking.secret.nix;
     extraModules = [
       inputs.mailserver.nixosModule
     ];
   };
+
+  canigou = {
+    system = "x86_64-linux";
+
+    targetHost =
+      getTargetHost ./canigou/networking.secret.nix;
+  };
 }
diff --git a/machines/magenta/default.nix b/machines/magenta/default.nix
index a6a2f3b..c58c936 100644
--- a/machines/magenta/default.nix
+++ b/machines/magenta/default.nix
@@ -6,11 +6,12 @@ in
 {
   imports = [
     ./hardware-configuration.nix
-    ./networking.nix # generated at runtime by nixos-infect
+    ./networking.secret.nix # generated at runtime by nixos-infect
     ../modules/common.nix
     ../modules/nix.nix
     ../modules/nginx.nix
+    ../modules/fail2ban.nix
     ./services/mailserver.nix
     ./services/gitea.nix
@@ -18,6 +19,7 @@ in
   boot.cleanTmpDir = true;
   zramSwap.enable = true;
+  networking.hostName = "magenta";
   services.openssh.enable = true;
@@ -27,13 +29,4 @@ in
     acceptTerms = true;
     defaults.email = "dmitriy@pleshevski.ru";
   };
-
-  services.fail2ban = {
-    enable = true;
-    bantime-increment = {
-      enable = true;
-      factor = "4";
-      maxtime = "48h";
-    };
-  };
 }
diff --git a/machines/magenta/networking.nix b/machines/magenta/networking.nix
deleted file mode 100644
index 059fbef..0000000
--- a/machines/magenta/networking.nix
+++ /dev/null
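Review bot: `getTargetHost` imports the `.secret.nix` file during flake evaluation, so every evaluation of this flake — including builds that only touch the laptop entries, or a `nix flake check` in CI — now needs a readable copy of both networking.secret.nix files in the working tree, and if only the committed binary form is present the failure surfaces as a Nix parse error on that path rather than a clear message; a one-line comment above `getTargetHost` stating that precondition would save the next person the debugging. The lookup also fails with a generic list error when `ipv4.addresses` is empty, naming neither the machine nor the file; `if ipv4addrs == [] then throw "no IPv4 address in ${toString file}" else (head ipv4addrs).address` gives a message that does. Note too that the old plaintext value `45.131.41.215` and the deleted machines/magenta/networking.nix remain in git history, so the move into a secret file only protects future edits; if confidentiality of the existing address, gateway and MAC was the intent, that needs a history rewrite or acceptance that they are already public.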
@@ -1,33 +0,0 @@
-{ lib, ... }:
-
-{
-  # This file was populated at runtime with the networking
-  # details gathered from the active system.
-  networking = {
-    nameservers = [
-      "188.93.16.19"
-      "188.93.17.19"
-      "8.8.8.8"
-    ];
-    defaultGateway = "45.131.41.1";
-    defaultGateway6 = "";
-    dhcpcd.enable = false;
-    usePredictableInterfaceNames = lib.mkForce false;
-    interfaces = {
-      eth0 = {
-        ipv4.addresses = [
-          { address = "45.131.41.215"; prefixLength = 24; }
-        ];
-        ipv6.addresses = [
-          { address = "fe80::f816:3eff:fe58:d30a"; prefixLength = 64; }
-        ];
-        ipv4.routes = [{ address = "45.131.41.1"; prefixLength = 32; }];
-        # ipv6.routes = [{ address = ""; prefixLength = 128; }];
-      };
-
-    };
-  };
-  services.udev.extraRules = ''
-    ATTR{address}=="fa:16:3e:58:d3:0a", NAME="eth0"
-  '';
-}
diff --git a/machines/magenta/networking.secret.nix b/machines/magenta/networking.secret.nix
new file mode 100644
index 0000000000000000000000000000000000000000..39074ef14bdebe0729ad0573564bbf8e0e389603
GIT binary patch
literal 878
zcmV-!1CjgyM@dveQdv+`0C@2NjCrT|NyiRinz@DGNZdiD2}eryCr@Y{Rwd7X!hVhv_%`Qi&KoZM-*5)Hh=OQfv zvqAQLLaQW1+{$NO5u`8}%Pf|;qyVt&D9*(c0@OR?NjkTrPg@qu70#qYMadRO-977i zlQNg3Qu$V081zyzd|DL`gvku3D4;{sgK>fP;8&Or2w_kooi7Kbso+b={MCJ;$c43D703kcP|-;P<@}M+WkCUC|zW*8;wrwq;yETuZAdq63($M|n{ZR&~xqd`))yM3jSE$0|&nU2U(wCN%GNK~2~ym3eabayoMhkiX& z1y0O=cz<|hX-Q*bWs@uhB^Sjpt^A-4bP>1hx^FlaCf9Nc6m>IfA&b@~U5vxUcgb99 z&ENvMo``qOtGm#()?#Z@9+ju%mC5p8Yx3qTx zKY|>bM~OF77YP2t)1F(YOxc=B z!3r=|eG$(?FP_#Q9rlVZmd!uUYifj5u&u&FzktYqn*cp)N7RuLzM5@rYj&+dm_M{N zTvG@hJFY7J*OWFn5nb@GmBZ+xYN-ryE1?~*5sq;-EFGz1hC`&xD2B2$UPZ4O-4-~_ z?p0veH8hqfJU@TZ=XtTqVyMy8_{ZjV<=zO9r>fi^@aTB?H(K0~c@TJ_0{vZfg*v-d E`k{uZS^xk5
literal 0
HcmV?d00001
diff --git a/machines/modules/fail2ban.nix b/machines/modules/fail2ban.nix
new file mode 100644
index 0000000..cf36818
--- /dev/null
+++ b/machines/modules/fail2ban.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+    bantime-increment = {
+      enable = true;
+      factor = "4";
+      maxtime = "48h";
+    };
+  };
+}
diff --git a/machines/modules/networking.secret.nix b/machines/modules/networking.secret.nix
index 00bbe781ff04ae541361e0865bc53218ed49a140..b5182eb025b861256546d594782db3db8f400db4 100644
GIT binary patch
literal 231
zcmVBfpp7H#g^Ca)EnR%8! zV^)T5!tF+YOTW3$3aYq}lDUVifWCwKWV-*|O62mEe!{H0`t0xa8D5^bW`x^>PK4be<9^ z2~FyALS)kP9Vf*7SgARRjdBm4+A}zsrL&kz8XT?ZBN!?rgfC@64qtE`hIRDP6kkZb BU4Z}q
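Review bot: The extracted module carries no comment saying what policy it encodes or why `factor = "4"` and `maxtime = "48h"` were chosen, and now that two hosts import it the next reader has to go through git blame to find out; a header such as `# Shared fail2ban policy for the VPS hosts: each repeat ban lasts 4x the previous one, capped at 48h.` above `services.fail2ban` would do. Which jails are active is left to the NixOS defaults (sshd, as far as I recall — worth confirming), so it is also worth one line noting that hosts exposing other services, such as magenta's nginx and mailserver, need their own jails configured elsewhere rather than expecting this module to cover them.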