From 3263d11f4bf998a07498fef2953b5d9cca371bc3 Mon Sep 17 00:00:00 2001
From: Julien Malka <julien@malka.sh>
Date: Sat, 23 Dec 2023 15:18:31 +0100
Subject: [PATCH] init core-data

---
 .sops.yaml                         |   3 +
 lib/luj.nix                        |  10 ++
 machines/core-data/default.nix     | 174 +++++++++++++++++++++++++++++
 machines/core-data/hardware.nix    |  39 +++++++
 machines/core-data/home-julien.nix |   4 +
 5 files changed, 230 insertions(+)
 create mode 100644 machines/core-data/default.nix
 create mode 100644 machines/core-data/hardware.nix
 create mode 100644 machines/core-data/home-julien.nix

diff --git a/.sops.yaml b/.sops.yaml
index b961daf..57ef203 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,7 @@ keys:
   - &bin-cache age10d49ptrmad2n7rke6helvmmm86gf06gj9gtfxsh334f3hfr0eewqqa2a7w
   - &core-security age1qedjtr4llnmue2r08ec64mtkl8hpkdsn5mpfh26l3pngmxdm2ymq2tfh80
   - &enigma age109qksyjgdnf7elnk98dh4vtxt0epju7xjemlqng0j0x75st5zg9qm9h3hy
+  - &core-data age133w8dx0wr9z95v0kgrqup7s47q56qdwt2z8szl7mghnpnqqpvpvs3q98kj
 creation_rules:
   - path_regex: secrets/[^/]+\.yaml$
     key_groups:
@@ -19,6 +20,7 @@ creation_rules:
       - *bin-cache
       - *core-security
       - *enigma
+      - *core-data
   - key_groups: 
     - age:
       - *macintosh
@@ -29,3 +31,4 @@ creation_rules:
       - *bin-cache
       - *core-security
       - *enigma
+      - *core-data
diff --git a/lib/luj.nix b/lib/luj.nix
index 748f529..34fe7a5 100644
--- a/lib/luj.nix
+++ b/lib/luj.nix
@@ -86,6 +86,16 @@ inputs: lib: with lib; let
 
           };
 
+          core-data =
+            {
+              inherit tld;
+              arch = "x86_64-linux";
+              nixpkgs_version = inputs.nixpkgs;
+              hm_version = inputs.home-manager;
+              ipv4 = { public = "82.67.34.230"; local = "192.168.0.66"; };
+              ipv6 = { public = "2a01:e0a:de4:a0e1:40f0:8cff:fe31:3e94"; };
+            };
+
           nuage = {
             inherit tld;
             subdomains = [ "nuage.malka.family" ];
diff --git a/machines/core-data/default.nix b/machines/core-data/default.nix
new file mode 100644
index 0000000..5cb90d5
--- /dev/null
+++ b/machines/core-data/default.nix
@@ -0,0 +1,174 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware.nix
+      ../../users/default.nix
+      ../../users/julien.nix
+      ./home-julien.nix
+    ];
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  deployment.targetHost = lib.mkForce "192.168.0.66";
+  deployment.targetPort = lib.mkForce 45;
+
+  security.acme.defaults.email = "julien@malka.sh";
+
+  networking.hostName = "core-data";
+
+  systemd.network.enable = true;
+
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "ens18";
+    networkConfig = {
+      # start a DHCP Client for IPv4 Addressing/Routing
+      DHCP = "ipv4";
+      # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+      IPv6AcceptRA = true;
+    };
+    # make routing on this interface a dependency for network-online.target
+    linkConfig.RequiredForOnline = "routable";
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Paris";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "fr_FR.UTF-8";
+    LC_IDENTIFICATION = "fr_FR.UTF-8";
+    LC_MEASUREMENT = "fr_FR.UTF-8";
+    LC_MONETARY = "fr_FR.UTF-8";
+    LC_NAME = "fr_FR.UTF-8";
+    LC_NUMERIC = "fr_FR.UTF-8";
+    LC_PAPER = "fr_FR.UTF-8";
+    LC_TELEPHONE = "fr_FR.UTF-8";
+    LC_TIME = "fr_FR.UTF-8";
+  };
+
+  services.xserver = {
+    layout = "fr";
+    xkbVariant = "";
+  };
+  console.keyMap = "fr";
+
+  security.acme.acceptTerms = true;
+
+  environment.systemPackages = with pkgs; [
+    neovim
+    tailscale
+  ];
+
+  services.openssh.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 ];
+
+  networking.firewall.checkReversePath = "loose";
+
+  systemd.services.NetworkManager-wait-online.enable = lib.mkForce false;
+  systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
+
+  services.tailscale.enable = true;
+
+
+  # Photoprism
+  services.photoprism = {
+    enable = true;
+    port = 2342;
+    originalsPath = "/data/photos";
+    importPath = "import";
+    address = "0.0.0.0";
+    settings = {
+      PHOTOPRISM_ADMIN_USER = "admin";
+      PHOTOPRISM_DEFAULT_LOCALE = "en";
+      PHOTOPRISM_DATABASE_DRIVER = "mysql";
+      PHOTOPRISM_DATABASE_NAME = "photoprism";
+      PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
+      PHOTOPRISM_DATABASE_USER = "photoprism";
+      PHOTOPRISM_SITE_URL = "http://photos.malka.family:2342";
+      PHOTOPRISM_SITE_TITLE = "My PhotoPrism";
+    };
+  };
+
+  services.mysql = {
+    enable = true;
+    dataDir = "/data/mysql";
+    package = pkgs.mariadb;
+    ensureDatabases = [ "photoprism" ];
+    ensureUsers = [{
+      name = "photoprism";
+      ensurePermissions = {
+        "photoprism.*" = "ALL PRIVILEGES";
+      };
+    }];
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    clientMaxBodySize = "500m";
+    virtualHosts = {
+      "photos.malka.family" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:2342";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Host $host;
+            proxy_buffering off;
+            proxy_http_version 1.1;
+          '';
+        };
+      };
+    };
+  };
+
+
+
+  services.openssh.extraConfig = ''
+    HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+    HostKey /etc/ssh/ssh_host_ed25519_key
+    TrustedUserCAKeys /etc/ssh/ssh_user_key.pub
+    MaxAuthTries 20
+  '';
+
+  security.pki.certificates = [
+    ''-----BEGIN CERTIFICATE-----
+MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw
+EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X
+DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u
+TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6
+7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/
+BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja
+mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG
+SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc
+oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw==
+-----END CERTIFICATE-----''
+    ''-----BEGIN CERTIFICATE-----
+MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES
+MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe
+Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v
+bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7
+BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw
+EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC
+jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf
+VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ=
+-----END CERTIFICATE-----''
+  ];
+
+
+  system.stateVersion = "23.11";
+
+}
diff --git a/machines/core-data/hardware.nix b/machines/core-data/hardware.nix
new file mode 100644
index 0000000..091faba
--- /dev/null
+++ b/machines/core-data/hardware.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/f2688b7f-1a8b-4060-a20e-db19a0c3a6ff";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/ca603044-0917-4051-a17b-8b12ff8011df";
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/B005-E88F";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/64070c2e-42ba-4f70-a5da-234b4474a1b3"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/machines/core-data/home-julien.nix b/machines/core-data/home-julien.nix
new file mode 100644
index 0000000..fe8d093
--- /dev/null
+++ b/machines/core-data/home-julien.nix
@@ -0,0 +1,4 @@
+{ pkgs, lib, config, ... }:
+{
+  luj.hmgr.julien = { };
+}