snowfield/machines/akhaten/default.nix

{ inputs, profiles, ... }:
{
  imports = [
    ./hardware.nix
    ./home-julien.nix
    ./stalwart.nix
    ./nsd.nix
  ];

  machine.meta = {
    arch = "x86_64-linux";
    nixpkgs_version = inputs.unstable;
    hm_version = inputs.home-manager-unstable;
    ips = {
      public.ipv4 = "163.172.91.82";
      public.ipv6 = "2001:0bc8:3d24::45";
      vpn.ipv4 = "100.100.45.33";
    };
    profiles = with profiles; [ server ];
  };

  disko = import ./disko.nix;

  environment.persistence."/persistent" = {
    hideMounts = true;
    directories = [
      "/var/lib"
      "/var/log"
      "/srv"
    ];
    files = [
      "/etc/machine-id"
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
  };

  fileSystems."/srv".neededForBoot = true;
  fileSystems."/persistent".neededForBoot = true;

  services.fail2ban.enable = true;

  networking.useNetworkd = true;
  systemd.network = {
    enable = true;
    config.networkConfig.IPv4Forwarding = true;

    networks = {
      "10-wan" = {
        matchConfig.Name = "enp0s20";
        networkConfig = {
          DHCP = "ipv6";
          IPv6AcceptRA = true;
        };
        addresses = [
          { Address = "163.172.91.82/24"; }
          { Address = "2001:0bc8:3d24::45/64"; }
        ];
        routes = [
          {
            Gateway = "163.172.91.1";
            Destination = "0.0.0.0/0";
          }
        ];
        dhcpV6Config = {
          DUIDRawData = "00:01:62:7c:0e:d3:27:5b";
          DUIDType = "link-layer";
          UseAddress = "no";
          WithoutRA = "solicit";
        };
        ipv6AcceptRAConfig = {
          DHCPv6Client = "always";
          UseOnLinkPrefix = false;
          UseAutonomousPrefix = false;
        };

        linkConfig.RequiredForOnline = "routable";
      };

      "30-wg0" = {
        matchConfig.Name = "wg0";
        address = [
          "10.100.45.1/24"
          "fc00::1/64"
        ];
        networkConfig.IPMasquerade = "ipv4";
      };
    };

    netdevs = {
      "10-wg0" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg0";
          MTUBytes = "1300";
        };
        wireguardConfig = {
          PrivateKeyFile = "/srv/wg-private";
          ListenPort = 51821;
        };
        wireguardPeers = [
          {
            PublicKey = "axigTezuClSoQlxWvpdzXKXUDjrrQlswE50ox0uDLR0=";
            AllowedIPs = [ "10.100.45.2/32" ];
          }
          {
            PublicKey = "ElVrxNiYvV13hEDtqZNw4kLF7UiPTXziz8XgqABB0AU=";
            AllowedIPs = [ "10.100.45.3/32" ];
          }
        ];
      };
    };

  };

  networking.firewall.allowedUDPPorts = [
    51821
  ];
  networking.firewall.allowedTCPPorts = [
    51821
  ];

  system.stateVersion = "24.11";
}
feat: setup arkheon 2024-09-02 16:42:35 +02:00			`{ inputs, profiles, ... }:`
chore: init lisanew 2024-07-10 00:36:37 +02:00			`{`
			`imports = [`
			`./hardware.nix`
			`./home-julien.nix`
chore: rename lisanew 2024-08-01 20:25:37 +02:00			`./stalwart.nix`
feat: deploy nsd on akhaten 2024-08-14 13:13:52 +02:00			`./nsd.nix`
chore: init lisanew 2024-07-10 00:36:37 +02:00			`];`

chore: use meta module 2024-08-10 17:56:30 +02:00			`machine.meta = {`
			`arch = "x86_64-linux";`
			`nixpkgs_version = inputs.unstable;`
			`hm_version = inputs.home-manager-unstable;`
chore: rewrite ips meta 2024-08-12 18:12:00 +02:00			`ips = {`
			`public.ipv4 = "163.172.91.82";`
feat: enable ipv6 for akhaten 2024-08-24 02:12:38 +02:00			`public.ipv6 = "2001:0bc8:3d24::45";`
chore: rewrite ips meta 2024-08-12 18:12:00 +02:00			`vpn.ipv4 = "100.100.45.33";`
chore: use meta module 2024-08-10 17:56:30 +02:00			`};`
feat: setup arkheon 2024-09-02 16:42:35 +02:00			`profiles = with profiles; [ server ];`
chore: use meta module 2024-08-10 17:56:30 +02:00			`};`

chore: init lisanew 2024-07-10 00:36:37 +02:00			`disko = import ./disko.nix;`

feat(akhaten): enable impermanence 2024-08-21 23:27:25 +02:00			`environment.persistence."/persistent" = {`
			`hideMounts = true;`
			`directories = [`
			`"/var/lib"`
			`"/var/log"`
			`"/srv"`
			`];`
			`files = [`
			`"/etc/machine-id"`
			`"/etc/ssh/ssh_host_ed25519_key"`
			`"/etc/ssh/ssh_host_ed25519_key.pub"`
			`];`
			`};`

			`fileSystems."/srv".neededForBoot = true;`
			`fileSystems."/persistent".neededForBoot = true;`

chore: init lisanew 2024-07-10 00:36:37 +02:00			`services.fail2ban.enable = true;`

			`networking.useNetworkd = true;`
			`systemd.network = {`
			`enable = true;`
feat: move vpn ip from lisa to akhaten 2024-09-04 15:30:04 +02:00			`config.networkConfig.IPv4Forwarding = true;`
chore: init lisanew 2024-07-10 00:36:37 +02:00
			`networks = {`
			`"10-wan" = {`
			`matchConfig.Name = "enp0s20";`
			`networkConfig = {`
feat: enable ipv6 for akhaten 2024-08-24 02:12:38 +02:00			`DHCP = "ipv6";`
			`IPv6AcceptRA = true;`
			`};`
			`addresses = [`
			`{ Address = "163.172.91.82/24"; }`
			`{ Address = "2001:0bc8:3d24::45/64"; }`
			`];`
feat: move vpn ip from lisa to akhaten 2024-09-04 15:30:04 +02:00			`routes = [`
			`{`
fix(eval): silence some eval warnings 2024-12-01 17:58:31 +01:00			`Gateway = "163.172.91.1";`
			`Destination = "0.0.0.0/0";`
feat: move vpn ip from lisa to akhaten 2024-09-04 15:30:04 +02:00			`}`
			`];`
feat: enable ipv6 for akhaten 2024-08-24 02:12:38 +02:00			`dhcpV6Config = {`
			`DUIDRawData = "00:01:62:7c:0e:d3:27:5b";`
			`DUIDType = "link-layer";`
			`UseAddress = "no";`
			`WithoutRA = "solicit";`
			`};`
			`ipv6AcceptRAConfig = {`
			`DHCPv6Client = "always";`
			`UseOnLinkPrefix = false;`
			`UseAutonomousPrefix = false;`
chore: init lisanew 2024-07-10 00:36:37 +02:00			`};`

			`linkConfig.RequiredForOnline = "routable";`
			`};`
feat: move vpn ip from lisa to akhaten 2024-09-04 15:30:04 +02:00
			`"30-wg0" = {`
			`matchConfig.Name = "wg0";`
			`address = [`
			`"10.100.45.1/24"`
			`"fc00::1/64"`
			`];`
			`networkConfig.IPMasquerade = "ipv4";`
			`};`
chore: init lisanew 2024-07-10 00:36:37 +02:00			`};`
feat: move vpn ip from lisa to akhaten 2024-09-04 15:30:04 +02:00
			`netdevs = {`
			`"10-wg0" = {`
			`netdevConfig = {`
			`Kind = "wireguard";`
			`Name = "wg0";`
			`MTUBytes = "1300";`
			`};`
			`wireguardConfig = {`
			`PrivateKeyFile = "/srv/wg-private";`
			`ListenPort = 51821;`
			`};`
			`wireguardPeers = [`
			`{`
chore(akhaten): fix eval warning 2024-10-13 12:45:47 +02:00			`PublicKey = "axigTezuClSoQlxWvpdzXKXUDjrrQlswE50ox0uDLR0=";`
			`AllowedIPs = [ "10.100.45.2/32" ];`
feat: move vpn ip from lisa to akhaten 2024-09-04 15:30:04 +02:00			`}`
			`{`
chore(akhaten): fix eval warning 2024-10-13 12:45:47 +02:00			`PublicKey = "ElVrxNiYvV13hEDtqZNw4kLF7UiPTXziz8XgqABB0AU=";`
			`AllowedIPs = [ "10.100.45.3/32" ];`
feat: move vpn ip from lisa to akhaten 2024-09-04 15:30:04 +02:00			`}`
			`];`
			`};`
			`};`

chore: init lisanew 2024-07-10 00:36:37 +02:00			`};`

feat: move vpn ip from lisa to akhaten 2024-09-04 15:30:04 +02:00			`networking.firewall.allowedUDPPorts = [`
			`51821`
			`];`
			`networking.firewall.allowedTCPPorts = [`
			`51821`
			`];`

chore: rename lisanew 2024-08-01 20:25:37 +02:00			`system.stateVersion = "24.11";`
chore: init lisanew 2024-07-10 00:36:37 +02:00			`}`