Add hetznix02 via nixos-anywhere

modules/hosts/nixos/hetznix01/default.nix

@@ -93,7 +93,7 @@
     extraGroups = [ "networkmanager" "wheel" ];
     linger = true;
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
     ];
   };

modules/hosts/nixos/hetznix02/default.nix

@@ -0,0 +1,89 @@
+{ pkgs, username,  ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    ./post-install
+  ];
+
+  system.stateVersion = "24.05";
+
+  boot = {
+    loader.grub = {
+      # no need to set devices, disko will add all devices that have a
+      # EF02 partition to the list already
+      # devices = [ ];
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+      device = "nodev";
+    };
+    tmp.cleanOnBoot = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    # podman-tui # status of containers in the terminal
+    # podman-compose
+  ];
+
+  networking = {
+    # Open ports in the firewall.
+    firewall.allowedTCPPorts = [
+      22   # ssh
+    ];
+    # firewall.allowedUDPPorts = [ ... ];
+    # Or disable the firewall altogether.
+    # firewall.enable = false;
+
+    hostId = "89bbb3e6"; # head -c4 /dev/urandom | od -A none -t x4
+
+    networkmanager.enable = false;
+    useNetworkd = true;
+  };
+
+  programs.mtr.enable = true;
+
+  services = {
+    fail2ban.enable = true;
+    logrotate.enable = true;
+    udev.extraRules = ''
+      ATTR{address}=="96:00:03:ae:45:aa", NAME="eth0"
+    '';
+  };
+
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      matchConfig.Name = "enp1s0";
+      address = [
+        "195.201.224.89/32"
+        "2a01:4f8:1c1e:aa68::1/64"
+        "fe80::9400:3ff:feae:45aa/64"
+      ];
+      dns = [
+        "185.12.64.1"
+        "185.12.64.2"
+        "2a01:4ff:ff00::add:1"
+        "2a01:4ff:ff00::add:2"
+      ];
+      routes = [
+        { routeConfig = { Destination = "172.31.1.1"; }; }
+        { routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; }
+        { routeConfig.Gateway = "fe80::1"; }
+      ];
+      # make the routes on this interface a dependency for network-online.target
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  users.users.${username} = {
+    isNormalUser = true;
+    description = "Gene Liverman";
+    extraGroups = [ "networkmanager" "wheel" ];
+    linger = true;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
+    ];
+  };
+
+  zramSwap.enable = true;
+}

modules/hosts/nixos/hetznix02/disk-config.nix

@@ -0,0 +1,42 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}

modules/hosts/nixos/hetznix02/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+      kernelModules = [ "nvme" ];
+    };
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/boot" = {
+      device = lib.mkForce "/dev/disk/by-uuid/D005-6C65";
+      fsType = "vfat";
+    };
+    "/" = {
+      device = lib.mkForce "/dev/sda1";
+      fsType = "ext4";
+    };
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

modules/hosts/nixos/hetznix02/post-install/default.nix

@@ -0,0 +1,20 @@
+{ username, ... }: {
+  sops = {
+    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+    defaultSopsFile = ../secrets.yaml;
+    secrets = {
+      local_git_config = {
+        owner = "${username}";
+        path = "/home/${username}/.gitconfig-local";
+      };
+      local_private_env = {
+        owner = "${username}";
+        path = "/home/${username}/.private-env";
+      };
+      tailscale_key = {
+        restartUnits = [ "tailscaled-autoconnect.service" ];
+      };
+    };
+  };
+}
+

modules/hosts/nixos/hetznix02/secrets.yaml

@@ -0,0 +1,23 @@
+local_git_config: ENC[AES256_GCM,data:iA21ugn3r8VOyDS0T6/MiyDEP0j9wSWIE55AQ55neG9YiRER+dwJbIA=,iv:Tyksa16llda//qiZpiHp8SPQQpdl4bbu6ytO3N/NK68=,tag:lk+TCIK8xpG7Cdgx3bX2/Q==,type:str]
+local_private_env: ENC[AES256_GCM,data:Vfbw+jRsrqB1oJUtMwu6imzu6UTzQ1Yirb//o4mAuTJeAZ72qgxjXcqYCP82/7IP4hHnoQ1+YFPQxvekEQ==,iv:+7sxEbsz7tT/daAqR7xYPbBpamo9sLcGUGLiclKMV8A=,tag:ckxeQeeiHlxVOa9BfEEkaw==,type:str]
+tailscale_key: ENC[AES256_GCM,data:8/ZqHv/XqL9ACkw3HQfK6DCRs/w+2d4NJxEsP7/D8aZyuc99PL3MV6kDM4q1b792CthiioQrHnc=,iv:wfi1RS8PTwazMOUNc64Njoj7NylYUN0R/bx0Ggod+yc=,tag:Y359/pOlYTuykP0oOFUrfw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaC95bVRMQ2F0aTlaeGNL
+            QlJuNDZnQ3MwVmRVdmhQQ2hrcDVKYXhJSldzCkdaY0JRK3NGVE5OQXJwMVNjeEZK
+            djFjU1BJY2lVVVA2bFlWRm40d0o0SDQKLS0tIE5WdVo4c09DbjN4Q1ZSUkd0VFdE
+            K3NIVTBXdlVjbGZoSTdwUHYvMzRCUWMKixJlZliRrsKOQVGYwwINSmHDZm7zsLRM
+            k0aGV0MJUafukPMYRbT/2H7dh/yhZx/Tn0fVFHbSeLvpf9ig3x8jkQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-07T01:44:24Z"
+    mac: ENC[AES256_GCM,data:xB0CvralCxv3oHUha4PEdmolKGMxJYaOsIomN3V0J64Wyq/UnCicFel/uraED/LKbMBprQRsXjkh3vB9ncINUI3vYr1Cm61XnL4WEfxaUYLso0Xn1gc8rJP6qXGDSShpCaZQj+oRi4tPzNXYc1v90IKZboukjBHWF0D4zEP1rWQ=,iv:1So597QQyyrVwXXkjXRe7hgyPgghdNgr/fpdaxYjUls=,tag:6X1Ds4mfy8LjHuJKIGKmMQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1