# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
#
# SPDX-License-Identifier: Apache-2.0

# NixOS host configuration for clouvider-lon01: ZFS-on-root with encrypted
# datasets that are unlocked over SSH from the initrd, two mirrored EFI/GRUB
# boot partitions, a BGP session to the upstream, and a ZNC bouncer fronted
# by an ACME certificate.
{ depot, lib, pkgs, rebuilder, config, ... }:
let
  inherit (depot.ops) secrets;
  # Not referenced below; kept so the module still evaluates the same way.
  machineSecrets = secrets.machineSpecific.clouvider-lon01;

  # All ZFS mounts look alike; only the dataset name changes.
  zfsFs = dataset: { device = dataset; fsType = "zfs"; };

  # One GRUB/EFI install per boot partition, so either disk can boot alone.
  mirroredBoot = path: {
    inherit path;
    devices = [ "nodev" ];
    efiSysMountPoint = path;
  };
in
{
  # ../lib/bgp.nix presumably provides services.lukegbgp used below — verify.
  imports = [
    ../lib/zfs.nix
    ../lib/bgp.nix
  ];

  boot = {
    initrd = {
      availableKernelModules = [
        "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod"
        "igb"  # presumably the NIC driver, so stage 1 has network — confirm
      ];

      # Stage-1 SSH: an operator logs in before the root pool is unlocked.
      network = {
        enable = true;
        ssh = {
          enable = true;
          # NOTE(review): the initrd image is written to the vfat /boot1 and
          # /boot2 partitions declared below, which are not encrypted, so the
          # host key referenced here is presumably embedded there in the
          # clear. Confirm that is acceptable, or use a key dedicated to the
          # initrd rather than the system's main ed25519 host key.
          hostKeys = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
          # Same keys as the main system account, read at evaluation time.
          authorizedKeys =
            map builtins.readFile
              config.users.users.lukegb.openssh.authorizedKeys.keyFiles;
        };
        # On login, load every ZFS key and then kill the `zfs` process that is
        # blocking stage 1 on its own key prompt, so boot continues (the usual
        # remote-unlock recipe; /root/.profile here is the initrd's own).
        postCommands = ''
          echo "zfs load-key -a; killall zfs" >> /root/.profile
        '';
      };
    };

    # Static IPv4 for the initrd:
    #   ip=<client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>
    # Keep it in sync with networking.interfaces.br-ext / defaultGateway below
    # (same address, same /31 gateway).
    kernelParams = [
      "ip=185.198.188.29::185.198.188.28:255.255.255.254:clouvider-lon01:enp1s0f0:none"
    ];
    kernelModules = [ "kvm-intel" ];

    # Use GRUB, so we can have mirrored bootloaders.
    loader = {
      efi.canTouchEfiVariables = true;
      grub = {
        enable = true;
        # NOTE(review): `version` was dropped from later NixOS releases; fine
        # at stateVersion 20.09, but check this on upgrade.
        version = 2;
        zfsSupport = true;
        efiSupport = true;
        mirroredBoots = map mirroredBoot [ "/boot1" "/boot2" ];
      };
    };
  };

  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";

  # tank/local/* holds rebuildable state; tank/safe/* holds what must survive.
  fileSystems = {
    "/" = zfsFs "tank/local/root";
    "/nix" = zfsFs "tank/local/nix";
    "/persist" = zfsFs "tank/safe/persist";
    "/home" = zfsFs "tank/safe/home";
    "/boot1" = { device = "/dev/disk/by-partlabel/boota"; fsType = "vfat"; };
    "/boot2" = { device = "/dev/disk/by-partlabel/bootb"; fsType = "vfat"; };
  };

  # NOTE(review): later NixOS spells this nix.settings.max-jobs — check on upgrade.
  nix.maxJobs = lib.mkDefault 8;

  # Networking!
  networking = {
    hostName = "clouvider-lon01";
    domain = "as205479.net";
    # Must match the hostid the ZFS pool was created with, or import fails.
    hostId = "29aaa324";
    nameservers = [
      "2001:4860:4860::8888" "2001:4860:4860::8844"
      "8.8.8.8" "8.8.4.4"
    ];
    useDHCP = false;

    # The uplink is a /31 (v4) and /126 (v6) point-to-point link. The physical
    # port is enslaved to br-ext instead of being addressed directly —
    # presumably so guests can share it; confirm.
    bridges.br-ext.interfaces = [ "enp1s0f0" ];
    interfaces.br-ext = {
      ipv4.addresses = [ { address = "185.198.188.29"; prefixLength = 31; } ];
      ipv6.addresses = [ { address = "2a0a:54c0:0:17::2"; prefixLength = 126; } ];
    };
    defaultGateway = { address = "185.198.188.28"; interface = "br-ext"; };
    defaultGateway6 = { address = "2a0a:54c0:0:17::1"; interface = "br-ext"; };

    firewall = {
      allowPing = true;
      # NOTE(review): 443 is opened, but the only nginx vhost in this file is
      # plain HTTP (ACME webroot plus a redirect to https). Verify something
      # actually listens on 443 on this host, or drop it from the allow-list.
      allowedTCPPorts = [
        80 443  # HTTP/nginx
        6697  # znc
      ];
    };
  };

  my.ip.tailscale = "100.79.173.25";

  # Host keys live on the persistent dataset, not on tank/local/root.
  services.openssh.hostKeys = [
    { path = "/persist/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
    { path = "/persist/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
  ];

  # bird2 group membership — presumably for the BIRD control socket; confirm.
  users.users.lukegb.extraGroups = [ "bird2" ];
  # Shared group so both znc and nginx can read the ACME certificate below.
  users.groups.znc-acme.members = [ "znc" "nginx" ];

  services.lukegbgp = {
    enable = true;
    config = {
      local.routerID = "185.198.188.29";
      peering.clouvider = {
        # Our side of the session: the same AS/addresses used on br-ext above.
        local = {
          asn = 205479;
          v4 = "185.198.188.29";
          v6 = "2a0a:54c0:0:17::2";
        };
        # The upstream router is the /31 and /126 gateway.
        remote = {
          asn = 62240;
          export_community = 3000;
          routers = [ { v4 = "185.198.188.28"; v6 = "2a0a:54c0:0:17::1"; } ];
        };
      };
    };
  };

  services.znc = {
    enable = true;
    # Presumably allows runtime edits to the ZNC config (e.g. via its web
    # admin) rather than regenerating it from Nix — confirm this is intended.
    mutable = true;
    dataDir = "/persist/etc/znc";
    useLegacyConfig = false;
  };

  security.acme = {
    acceptTerms = true;
    email = "letsencrypt@lukegb.com";
    certs."znc.lukegb.com" = {
      # HTTP-01 validation is answered by the nginx vhost below.
      webroot = "/var/lib/acme/.challenges";
      group = "znc-acme";
      extraDomainNames = [ "akiichiro.lukegb.com" ];
    };
  };

  services.nginx = {
    enable = true;
    # Serves only the ACME challenge directory; everything else is bounced
    # to HTTPS.
    virtualHosts."clouvider-lon01.as205479.net" = {
      locations."/.well-known/acme-challenge".root = "/var/lib/acme/.challenges";
      locations."/".return = "301 https://$host$request_uri";
    };
  };

  system.stateVersion = "20.09";
}