From a3a764bddf2dfc085f5274daaa05a3ec6107666c Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Thu, 9 Jun 2022 23:20:17 +0200
Subject: [PATCH] newton: init
---
 nixos/.sops.yaml | 2 ++
 nixos/configurations.nix | 6 ++++
 nixos/deploy.nix | 8 +++--
 nixos/newton/configuration.nix | 47 +++++++++++++++++++++++++
 nixos/newton/disks.nix | 31 ++++++++++++++++
 nixos/newton/hardware-configuration.nix | 11 ++++++
 nixos/newton/secrets.yaml | 35 ++++++++++++++++++
 7 files changed, 137 insertions(+), 3 deletions(-)
 create mode 100644 nixos/newton/configuration.nix
 create mode 100644 nixos/newton/disks.nix
 create mode 100644 nixos/newton/hardware-configuration.nix
 create mode 100644 nixos/newton/secrets.yaml
diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
index e40cb42..2e2aa08 100644
--- a/nixos/.sops.yaml
+++ b/nixos/.sops.yaml
@@ -2,6 +2,7 @@ keys:
 - &admin_felix age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
 - &thinkman age1spt854cdscqs757a8kazth52rv4p9udh54suw9lpzlqg5savyapq2u0c03
 - &serverle age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
+ - &newton age1s9spl75rwhgm3cvvqsr9rze5m0kuxqes2tsxjmq07xg5ycn5j47s2m0dlu
 creation_rules:
 - path_regex: secrets.yaml$
 key_groups:
@@ -9,3 +10,4 @@ creation_rules:
 - *admin_felix
 - *thinkman
 - *serverle
+ - *newton
diff --git a/nixos/configurations.nix b/nixos/configurations.nix
index fcf699d..4abd429 100644
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@@ -53,4 +53,10 @@ in
 ./serverle/configuration.nix
 ];
 };
+ newton = nixosSystem {
+ system = "x86_64-linux";
+ modules = defaultModules ++ [
+ ./newton/configuration.nix
+ ];
+ };
 }
diff --git a/nixos/deploy.nix b/nixos/deploy.nix
index 5ca51b6..cd118c3 100644
--- a/nixos/deploy.nix
+++ b/nixos/deploy.nix
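Review bot: The single creation rule `path_regex: secrets.yaml$` with one key group encrypts every host's secrets.yaml to all listed keys, so adding `- *newton` to that group lets the newton host key decrypt serverle's secrets and the serverle key decrypt newton's. A per-host rule keeps a compromised host limited to its own file, e.g. `- path_regex: newton/secrets.yaml$` followed by `key_groups: [[*admin_felix, *thinkman, *newton]]`, with a matching rule for serverle. Editing .sops.yaml does not re-encrypt existing files; `sops updatekeys` has to be run on each secrets.yaml afterwards and the result committed.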
@@ -7,14 +7,16 @@ let
 hostname = "${ip}:22";
 fastConnection = fast;
 profiles.system.path =
- deploy.lib.x86_64-linux.activate.nixos
+ deploy-rs.lib.x86_64-linux.activate.nixos
 self.nixosConfigurations."${server}";
 };
 in
 {
 user = "root";
- sshUser = "felix";
+ #sshUser = "felix";
+ sshUser = "root";
 nodes = {
- serverle = mkNode "serverle" "192.167.178.60" true;
+ serverle = mkNode "serverle" "serverle.local" true;
+ newton = mkNode "newton" "buehler.rocks" true;
 };
 }
diff --git a/nixos/newton/configuration.nix b/nixos/newton/configuration.nix
new file mode 100644
index 0000000..538d26c
--- /dev/null
+++ b/nixos/newton/configuration.nix
@@ -0,0 +1,47 @@
+{ config, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disks.nix
+ #../modules/backup.nix
+ ../modules/compression.nix
+ ../modules/development.nix
+ ../modules/docker.nix
+ ../modules/networkdecrypt.nix
+ ../modules/nix.nix
+ ../modules/ssh.nix
+ ../modules/users.nix
+ ../modules/webapps/config.nix
+ ../modules/webapps/homer.nix
+ ../modules/webapps/jellyfin.nix
+ ../modules/webapps/navidrome.nix
+ ];
+ networking.hostName = "newton";
+
+ sops.defaultSopsFile = ./secrets.yaml;
+
+ #environment.noXlibs = true;
+
+ networking.firewall.allowedTCPPorts = [
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+ #boot.loader.grub.copyKernels = true;
+
+ services.openssh.permitRootLogin = "yes";
+ users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@thinkman" ];
+
+ # Nix
+ nix.gc = {
+ automatic = true;
+ options = "--delete-older-than 30d";
+ };
+
+ system = {
+ stateVersion = "22.05";
+ autoUpgrade.enable = true;
+ };
+}
diff --git a/nixos/newton/disks.nix b/nixos/newton/disks.nix
new file mode 100644
index 0000000..746cc1f
--- /dev/null
+++ b/nixos/newton/disks.nix
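Review bot: Switching `sshUser = "root";` in deploy.nix makes every deploy authenticate directly as root on both nodes, and the previous value is left behind as the dead line `#sshUser = "felix";` instead of being removed. deploy-rs supports an unprivileged `sshUser` combined with `user = "root";` (it escalates with sudo on the target), which would avoid exposing root over SSH for deploys at all; if root is kept, the host side must at least be key-only. The newton node is addressed by the public name `buehler.rocks`, so host-key verification rests entirely on the deploying machine's `known_hosts`; pin the key there before the first deploy rather than accepting it interactively. `mkNode` itself starts above this hunk.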
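Review bot: `services.openssh.permitRootLogin = "yes";` in newton/configuration.nix also allows password logins for root, while the only credential set up here is the ed25519 key in `users.extraUsers.root.openssh.authorizedKeys.keys`; `services.openssh.permitRootLogin = "prohibit-password";` gives the key-only behaviour the deploy flow needs. Whether password authentication is disabled globally depends on `../modules/ssh.nix`, which is not part of this patch, so the stricter value here is the safe choice either way. `system.autoUpgrade.enable = true;` on an internet-facing host applies channel updates unattended; if that is intended, a one-line comment plus an explicit `system.autoUpgrade.dates` would record the decision. The commented-out `#environment.noXlibs = true;` and `#boot.loader.grub.copyKernels = true;` lines look like leftovers and could be dropped.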
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+ boot.initrd.luks.devices."luks-drive" = {
+ name = "luks-drive";
+ device = "/dev/disk/by-partlabel/Crypt";
+ preLVM = true;
+ allowDiscards = true;
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/serverle-root";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/serverle-boot";
+ fsType = "vfat";
+ };
+
+ fileSystems."/srv" = {
+ device = "/dev/disk/by-label/serverle-srv";
+ fsType = "ext4";
+ };
+
+ swapDevices = [{
+ device = "/dev/disk/by-label/serverle-swap";
+ }];
+}
+
diff --git a/nixos/newton/hardware-configuration.nix b/nixos/newton/hardware-configuration.nix
new file mode 100644
index 0000000..14f6cc5
--- /dev/null
+++ b/nixos/newton/hardware-configuration.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, lib, modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos/newton/secrets.yaml b/nixos/newton/secrets.yaml
new file mode 100644
index 0000000..aefcc16
--- /dev/null
+++ b/nixos/newton/secrets.yaml
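Review bot: All four filesystem labels in newton/disks.nix are named after the other host (`serverle-root`, `serverle-boot`, `serverle-srv`, `serverle-swap`), which reads like a copy of serverle's disks.nix; unless newton's disks were cloned from serverle these mounts will fail at boot, and even then labels such as `newton-root` would stop the two hosts' configs being mixed up later. `allowDiscards = true;` on the LUKS mapping passes TRIM through the encryption layer and so exposes which blocks are unused; that is a common trade-off on SSDs but deserves a one-line comment saying it is deliberate. `name = "luks-drive";` duplicates the attribute-set key and can be dropped, and `preLVM = true;` only matters if an LVM volume sits on top of the mapping, which nothing in this file shows.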
@@ -0,0 +1,35 @@
+borgbackup_user: ENC[AES256_GCM,data:9eCWsSi9U2b4XKKc,iv:PDS8TrbmU5XmefLFdi8XIQeu9Rq0y+yJkdGrND6F3ts=,tag:651RHA5y6all5+2rhdjCdg==,type:str]
+borgbackup_host: ENC[AES256_GCM,data:qYwTGE5kdp/jsKK8scVAUCXfOAi787lwiFB3VlntIg==,iv:sFerbhHMCw1lwm9CzAAW7G1JwuZxvTxMzoKP6U5l7bI=,tag:Mi1QFDUo5rWzKXBQ1fsrZg==,type:str]
+borgbackup_dir: ENC[AES256_GCM,data:B8KO2IsfYA==,iv:NjyxpK0xMBio2xFdcmbOj+CoS54A8b7AfXUbAlQqH8A=,tag:PkrlX7XtctsfUmbZCIi/0Q==,type:str]
+borgbackup_password: ENC[AES256_GCM,data:BJReaY2D2vtOKRWBytbieEYIhMKxn3U=,iv:DJv8s1onfO1FAAJYLwcRszkG9SjC+sJMdvqLEwcggFk=,tag:WYJvEuRilMLaOVcvXkDH3w==,type:str]
+borgbackup_private_ssh_key: ENC[AES256_GCM,data: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,iv:4ZS/6PfyUwXlFaCYxpO0VkjBoH9zM9DJvF5I7fLYR+M=,tag:9m6RHNgr9TunQJp1Q5MqJA==,type:str]
+initrd_ssh_key: ENC[AES256_GCM,data:kt8S7FKIApR8Td4IC57yEODiYn13UoDF+ry73nazi7YZCVPwT415cjIY9iH2/5MoWBwLA7Wd65/NnQQwkkE6ls+d7ra+U5YTKCQPfPEhywkWFn/0s61xyM+HyjOr06O+IYm9fhJloaiag8EBPHULh+3g6Ta05db/eWOYPctYa1xIKKSbXQCrnIrZp5R1SUqA5Lnxj+U9n1ZYLVSunXn4+mtTkyPv6mAAbnk+Kvj0eMIWY/9yu0r4q2Lx7ubf90EIfn29V501X9MArUKtzSfyP6Y3rOrCuq98uYlu9STTauQojdChDeiTreUtpqRnqtRvgK+AfNwxkY+GVQALgsxphbsiK3Y/LRmUBdp8Gqq5zJwzczlEIUkAOy2Wy/ewx0exJj2k9D05iI66kA76Aj6lSIwzoGm6aqqEA1rRWeylUDtVAwV55DE/FKtKc/49Me+Q+3K62t30IeApgY4X+H0gN8LUH6AOTqj8WEd7s7cfjWEzZJfntpToI4q9nQ7SQxTNuyD4GBS/bo/ExT1pgb7Q,iv:LPmxOBkyxpfoZ5YzuO4Nbf2dLXhxXvXOoiG1vYLY7wA=,tag:aDuSCFfFsdk66fi4hlcHhg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5STRaTnBIRFptdlBMenh4
+ UnhKdlQ1bDVzQzJqenRHeERWeU1pRU9vT2tRCitBVFhBbXMvQ0p2YUs0b0d2Q2hW
+ aHVxRWVnMWw2dkNIVVBBN1pTaUZIeWcKLS0tIEZZN3haVkVJL2dnRW05WDhtenJI
+ YlZ5RVdyOFBVVkJmRUFIeGFEbW1XdkUKM0U4vXxIbHx31btXdRVB4oXRiEPbDK2L
+ nY/sf0N9AOnR3n+RaoCF+gM7VlykKECKsbW538Lba6nX46FZc+LcCQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdWovR2dKYjNZaFZ1czJ0
+ VFZUMytvb0dKUk5qb3F5ZHpnci9ibUt0QlJjClZ6YUdrZWJLb1d1bEFNNzgwWnRH
+ amVxYldDU21HUk5jUENQV0dSSGtqSE0KLS0tIE12WGFUU1gyM1l5U2ZhM2c1d1JW
+ SkFGQ04yWEhBY3FPSE5RaXZ6N1NmSUkKpLf4gOnPBx1ao5slYIfvK9sShRep2bqO
+ IZvlGcsX1EHP0WB8XT1f9GUjBaEM1ZdIlXfaWRW2DDrDbgs+usQq2A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-06-06T12:48:22Z"
+ mac: ENC[AES256_GCM,data:5vkt5me5m81mVJQ4X94dFh7jzkNllJTeG8hlVm+nctqrHj5zEUdk6CCTmOQ6w/EMqpNOFX1vpEy8eakmH00+prLYuAuHYEb8IHbAKTA8b2aekUZX8saCust0DLTkwgOGiQ64xNEfrfgwB//TlbrT0Dw6a68KenUy0+riJCDpMP8=,iv:YcOpLsV/4Ahb0Gh5vrlNQL/13UFMxqpH0VPg4b4hU7U=,tag:hmyKAHuCaTw6Y47uP5lIxg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
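Review bot: The `sops.age` recipient list in newton/secrets.yaml holds only `age1hf8m9upp…` (admin_felix) and `age14nt7qcsr…` (serverle); the newton host key `age1s9spl75rw…` that this same patch adds to .sops.yaml is absent, so sops-nix on newton cannot decrypt this file at activation, and `lastmodified: "2022-06-06T12:48:22Z"` predates the rule change. Run `sops updatekeys nixos/newton/secrets.yaml` and commit the re-encrypted file. As encrypted now, the serverle host can read newton's `borgbackup_password` and `borgbackup_private_ssh_key`, which is broader sharing than a per-host secret needs. The `borgbackup_*` entries are shipped even though `../modules/backup.nix` is commented out in newton/configuration.nix, and `initrd_ssh_key` is only usable if the initrd module obtains it by some path other than normal sops-nix activation, which runs after the initrd stage — worth confirming against networkdecrypt.nix.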