ashokan: provision new machine

henrikvtcodes · Nov 8, 2024 · a8ea766 · a8ea766
1 parent 63d9a62
commit a8ea766
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 0 deletions.
diff --git a/flake.nix b/flake.nix
@@ -111,6 +111,28 @@
 
     # Config for my servers
     nixosConfigurations = {
+      ashokan = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+
+        specialArgs = {
+          inherit inputs;
+        };
+
+        modules = [
+          # Machine config
+          ./machines/nixos
+          ./machines/nixos/ashokan
+
+          # System was provisioned with nixos-infect, runs on Oracle Cloud
+
+          # Secrets
+          ./secrets
+          agenix.nixosModules.default
+
+          # User config
+          ./users/henrikvt
+        ];
+      };
       barnegat = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
 
@@ -236,6 +258,16 @@
 
       # nodes config
       nodes = {
+        ashokan = {
+          hostname = "ashokan";
+          # sshOpts = [
+          #   "-p"
+          #   "69"
+          # ];
+          profiles.system.path =
+            deployPkgs."x86_64-linux".deploy-rs.lib.activate.nixos
+            self.nixosConfigurations.ashokan;
+        };
         barnegat = {
           hostname = "barnegat";
           sshOpts = [

diff --git a/machines/nixos/ashokan/default.nix b/machines/nixos/ashokan/default.nix
@@ -0,0 +1,48 @@
+{...}: {
+  imports = [
+    ./hardware-config.nix
+  ];
+
+  zramSwap.enable = true;
+  networking = {
+    hostName = "ashokan";
+    domain = "unicycl.ing";
+  };
+
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [
+      # Whitelist RFC1918 addresses
+      "10.0.0.0/8"
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+      # CGNAT (ie Tailscale)
+      "100.64.0.0/10"
+      # UVM
+      "132.198.0.0/16"
+    ];
+  };
+  services.openssh = {
+    # Use nonstandard SSH port for public server
+    listenAddresses = [
+      {
+        addr = "0.0.0.0";
+        port = 69;
+      }
+            {
+        addr = "0.0.0.0";
+        port = 22;
+      }
+    ];
+  };
+
+  # ======================== DO NOT CHANGE THIS ========================
+  system.stateVersion = "23.11";
+  # ======================== DO NOT CHANGE THIS ========================
+}
diff --git a/machines/nixos/ashokan/hardware-config.nix b/machines/nixos/ashokan/hardware-config.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  fileSystems."/boot" = { device = "/dev/disk/by-uuid/FF29-457C"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}