From 3fc1143a04da49a92c3663813c6a0c1e8ccd477f Mon Sep 17 00:00:00 2001
From: Griffin Smith <grfn@gws.fyi>
Date: Tue, 29 Sep 2020 23:42:59 -0400
Subject: feat(gs/system): Init mugwump

Init the config for mugwump, a NUC that I bought from ncl and which I'm
going to use as a simple home server and ssh bastion box. Since this is
the first time I've set up a server using my nixos config, this also
moves a bunch of desktop (xserver, audio, etc.) related config out of
modules/common.nix and into a new modules/desktop.nix.

Coming soon: nixos-rebuild switch --target, but in the depot!

Change-Id: I67bd5ba6e3c26f80f77058af186fd41cc245d5d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2016
Reviewed-by: glittershark <grfn@gws.fyi>
Tested-by: BuildkiteCI
---
 users/glittershark/system/home/modules/common.nix  | 19 ++++++
 users/glittershark/system/system/default.nix       |  8 +++
 .../system/system/machines/chupacabra.nix          | 12 ++++
 .../system/system/machines/mugwump.nix             | 74 ++++++++++++++++++++++
 .../glittershark/system/system/modules/common.nix  | 67 ++------------------
 .../glittershark/system/system/modules/desktop.nix | 25 ++++++++
 6 files changed, 144 insertions(+), 61 deletions(-)
 create mode 100644 users/glittershark/system/system/machines/mugwump.nix
 create mode 100644 users/glittershark/system/system/modules/desktop.nix

diff --git a/users/glittershark/system/home/modules/common.nix b/users/glittershark/system/home/modules/common.nix
index 5d3d485bc0..b28b2dbca6 100644
--- a/users/glittershark/system/home/modules/common.nix
+++ b/users/glittershark/system/home/modules/common.nix
@@ -45,4 +45,23 @@
     nix-review
     cachix
   ];
+
+  programs.ssh = {
+    enable = true;
+
+    matchBlocks = {
+      "dobharchu" = {
+        host = "dobharchu";
+        hostname = "172.16.0.4";
+        forwardAgent = true;
+        user = "griffin";
+      };
+
+      "mugwump" = {
+        host = "mugwump";
+        hostname = "172.16.0.5";
+        forwardAgent = true;
+      };
+    };
+  };
 }
diff --git a/users/glittershark/system/system/default.nix b/users/glittershark/system/system/default.nix
index 12cde445fe..2223f33ce3 100644
--- a/users/glittershark/system/system/default.nix
+++ b/users/glittershark/system/system/default.nix
@@ -7,11 +7,19 @@ rec {
     configuration = chupacabra;
   }).system;
 
+  mugwump = import ./machines/mugwump.nix;
+
+  mugwumpSystem = (pkgs.nixos {
+    configuration = mugwump;
+  }).system;
+
   iso = import ./iso.nix args;
 
   # Build chupacabra in CI
   meta.targets = [
     "chupacabraSystem"
+    "mugwumpSystem"
+
     "iso"
   ];
 
diff --git a/users/glittershark/system/system/machines/chupacabra.nix b/users/glittershark/system/system/machines/chupacabra.nix
index 5d94143096..242c286560 100644
--- a/users/glittershark/system/system/machines/chupacabra.nix
+++ b/users/glittershark/system/system/machines/chupacabra.nix
@@ -7,6 +7,7 @@
     ../modules/tvl.nix
     ../modules/urbint.nix
     ../modules/fcitx.nix
+    ../modules/rtlsdr.nix
     ../../../../../ops/nixos/v4l2loopback.nix
   ];
 
@@ -101,4 +102,15 @@
     libvdpau-va-gl
     intel-media-driver
   ];
+
+  services.udev.extraRules = ''
+    # UDEV rules for Teensy USB devices
+    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
+    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
+    KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
+  '';
+
+  # Necessary to get steam working
+  hardware.opengl.driSupport32Bit = true;
 }
diff --git a/users/glittershark/system/system/machines/mugwump.nix b/users/glittershark/system/system/machines/mugwump.nix
new file mode 100644
index 0000000000..9521f57884
--- /dev/null
+++ b/users/glittershark/system/system/machines/mugwump.nix
@@ -0,0 +1,74 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    ../modules/common.nix
+    ../modules/tvl.nix
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  networking.hostName = "mugwump";
+
+  boot = {
+    loader.systemd-boot.enable = true;
+
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+      kernelModules = [
+        "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"
+      ];
+
+      postDeviceCommands = pkgs.lib.mkBefore ''
+        mkdir -m 0755 -p /key
+        sleep 2
+        mount -n -t vfat -o ro `findfs UUID=9048-A9D5` /key
+      '';
+
+      luks.devices."cryptroot" = {
+        device = "/dev/disk/by-uuid/803a9028-339c-4617-a213-4fe138161f6d";
+        keyFile = "/key/keyfile";
+        preLVM = false;
+      };
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/cryptroot";
+      fsType = "btrfs";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/7D74-0E4B";
+      fsType = "vfat";
+    };
+  };
+
+  networking.interfaces = {
+    enp0s25.useDHCP = false;
+    wlp2s0.useDHCP = false;
+  };
+
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
+  security.sudo.extraRules = [{
+    groups = ["wheel"];
+    commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];
+  }];
+
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [
+      "172.16.0.0/16"
+    ];
+  };
+
+  services.openssh = {
+    allowSFTP = false;
+    passwordAuthentication = false;
+    permitRootLogin = "no";
+  };
+}
diff --git a/users/glittershark/system/system/modules/common.nix b/users/glittershark/system/system/modules/common.nix
index 884f0a9a7d..a3f2a06d38 100644
--- a/users/glittershark/system/system/modules/common.nix
+++ b/users/glittershark/system/system/modules/common.nix
@@ -6,30 +6,19 @@ let
 
 in
 
-{
-  imports =
-    [
-      ./xserver.nix
-      ./fonts.nix
-      ./sound.nix
-      ./kernel.nix
-      ./rtlsdr.nix
-    ];
+with lib;
 
+{
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
   networking.useDHCP = false;
   networking.networkmanager.enable = true;
 
-  # Select internationalisation properties.
-  # i18n = {
-  #   consoleFont = "Lat2-Terminus16";
-  #   consoleKeyMap = "us";
-  #   defaultLocale = "en_US.UTF-8";
-  # };
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+  };
 
-  # Set your time zone.
   time.timeZone = "America/New_York";
 
   environment.systemPackages = with pkgs; [
@@ -44,30 +33,11 @@ in
     depot.users.glittershark.system.system.rebuilder
   ];
 
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  #   pinentryFlavor = "gnome3";
-  # };
-
-  programs.nm-applet.enable = true;
-
-
   services.openssh.enable = true;
 
   programs.ssh.startAgent = true;
 
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = false;
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
+  networking.firewall.enable = mkDefault false;
 
   users.mutableUsers = true;
   programs.zsh.enable = true;
@@ -94,20 +64,6 @@ in
 
   nixpkgs.config.allowUnfree = true;
 
-  services.geoclue2.enable = true;
-
-  powerManagement = {
-    enable = true;
-    cpuFreqGovernor = lib.mkDefault "powersave";
-    powertop.enable = true;
-  };
-  # Hibernate on low battery
-  laptop.onLowBattery = {
-    enable = true;
-    action = "hibernate";
-    thresholdPercentage = 5;
-  };
-
   nix = {
     trustedUsers = [ "grfn" ];
     autoOptimiseStore = true;
@@ -139,15 +95,4 @@ in
       options = "--delete-older-than 30d";
     };
   };
-
-  services.udev.extraRules = ''
-    # UDEV rules for Teensy USB devices
-    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
-    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
-    SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
-    KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
-  '';
-
-  # Necessary to get steam working
-  hardware.opengl.driSupport32Bit = true;
 }
diff --git a/users/glittershark/system/system/modules/desktop.nix b/users/glittershark/system/system/modules/desktop.nix
new file mode 100644
index 0000000000..dc2847a779
--- /dev/null
+++ b/users/glittershark/system/system/modules/desktop.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./xserver.nix
+    ./fonts.nix
+    ./sound.nix
+    ./kernel.nix
+  ];
+
+  programs.nm-applet.enable = true;
+
+  users.users.grfn.extraGroups = [
+    "audio"
+    "video"
+  ];
+
+  services.geoclue2.enable = true;
+
+  powerManagement = {
+    enable = true;
+    cpuFreqGovernor = lib.mkDefault "powersave";
+    powertop.enable = true;
+  };
+}
-- 
cgit 1.4.1