From 3fc1143a04da49a92c3663813c6a0c1e8ccd477f Mon Sep 17 00:00:00 2001
From: Griffin Smith
Date: Tue, 29 Sep 2020 23:42:59 -0400
Subject: feat(gs/system): Init mugwump

Init the config for mugwump, a NUC that I bought from ncl and which I'm going to use as a simple home server and ssh bastion box. Since this is the first time I've set up a server using my nixos config, this also moves a bunch of desktop (xserver, audio, etc.) related config out of modules/common.nix and into a new modules/desktop.nix. Coming soon: nixos-rebuild switch --target, but in the depot!
Change-Id: I67bd5ba6e3c26f80f77058af186fd41cc245d5d2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2016
Reviewed-by: glittershark
Tested-by: BuildkiteCI
---
.../system/system/machines/mugwump.nix | 74 ++++++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 users/glittershark/system/system/machines/mugwump.nix
(limited to 'users/glittershark/system/system/machines/mugwump.nix')
diff --git a/users/glittershark/system/system/machines/mugwump.nix b/users/glittershark/system/system/machines/mugwump.nix
new file mode 100644
index 0000000000..9521f57884
--- /dev/null
+++ b/users/glittershark/system/system/machines/mugwump.nix
@@ -0,0 +1,74 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ ../modules/common.nix
+ ../modules/tvl.nix
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ networking.hostName = "mugwump";
+
+ boot = {
+ loader.systemd-boot.enable = true;
+
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+
+ initrd = {
+ availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ kernelModules = [
+ "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"
+ ];
+
+ postDeviceCommands = pkgs.lib.mkBefore ''
+ mkdir -m 0755 -p /key
+ sleep 2
+ mount -n -t vfat -o ro `findfs UUID=9048-A9D5` /key
+ '';
+
+ luks.devices."cryptroot" = {
+ device = "/dev/disk/by-uuid/803a9028-339c-4617-a213-4fe138161f6d";
+ keyFile = "/key/keyfile";
+ preLVM = false;
+ };
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/cryptroot";
+ fsType = "btrfs";
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/7D74-0E4B";
+ fsType = "vfat";
+ };
+ };
+
+ networking.interfaces = {
+ enp0s25.useDHCP = false;
+ wlp2s0.useDHCP = false;
+ };
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ security.sudo.extraRules = [{
+ groups = ["wheel"];
+ commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];
+ }];
+
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "172.16.0.0/16"
+ ];
+ };
+
+ services.openssh = {
+ allowSFTP = false;
+ passwordAuthentication = false;
+ permitRootLogin = "no";
+ };
+}
-- cgit 1.4.1
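Review bot: The `security.sudo.extraRules` entry grants the wheel group `ALL` with `NOPASSWD`, so on a host this commit describes as an ssh bastion with TCP 22 opened in the firewall, any compromised key of a wheel user is root with no further check; dropping the option, `commands = [{ command = "ALL"; }];`, leaves NixOS's default `security.sudo.wheelNeedsPassword = true` in effect. Separately, the `services.openssh` block sets hardening options but not `services.openssh.enable`; presumably that comes from `../modules/common.nix`, which is outside this hunk, but it is worth confirming since the firewall rule and fail2ban here assume sshd is running. The `postDeviceCommands` block would read better with a comment stating what the mount is for, e.g. `# cryptroot's keyfile lives on a removable vfat stick (UUID 9048-A9D5), mounted read-only at /key`, since the UUID and the `sleep 2` are otherwise unexplained. The hunk also does not set `fallbackToPassword` for `luks.devices."cryptroot"`, so the boot behaviour when the stick is absent or not enumerated within two seconds should be checked and documented next to that block.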