hosts: init kaze

hosts/default.nix

@@ -6,6 +6,7 @@ inputs: let
   nix-index-Module = inputs.nix-index-database.hmModules.nix-index;
   anyrunModule = inputs.anyrun.homeManagerModules.default;
   agsModule = inputs.ags.homeManagerModules.default;
+  atticModule = inputs.attic.nixosModules.atticd;
   inherit (inputs.nixpkgs.lib) nixosSystem;
 in {
   tsuki = nixosSystem {
@@ -15,6 +16,7 @@ in {
       ./tsuki
       sopsModule
       hmModule
+      atticModule
       {
         home-manager = {
           useGlobalPkgs = true;
@@ -140,6 +142,7 @@ in {
       ./sora
       sopsModule
       hmModule
+      atticModule
       {
         home-manager = {
           useGlobalPkgs = true;
@@ -193,4 +196,24 @@ in {
       }
     ];
   };
+  kaze = nixosSystem {
+    inherit system;
+    specialArgs = {inherit inputs;};
+    modules = [
+      ./kaze
+      sopsModule
+      hmModule
+      {
+        home-manager = {
+          useGlobalPkgs = true;
+          useUserPackages = true;
+          users.notoh = {
+            imports = [
+              ./kaze/home.nix
+            ];
+          };
+        };
+      }
+    ];
+  };
 }

hosts/deploy.nix

@@ -70,5 +70,15 @@ inputs: {
       sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
       magicRollback = true;
     };
+    kaze = {
+      hostname = "";
+      profiles.system = {
+        user = "root";
+        path = activate.nixos inputs.self.nixosConfigurations.kaze;
+      };
+      sshUser = "root";
+      sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
+      magicRollback = true;
+    };
   };
 }

hosts/kaze/default.nix

@@ -0,0 +1,33 @@
+{...}: {
+  imports = [
+    ./hardware.nix
+    ./services
+    ./networking.nix
+    ../../modules
+  ];
+
+  boot.loader = {
+    grub = {
+      enable = true;
+      configurationLimit = 5;
+      device = "/dev/vda";
+      useOSProber = true;
+    };
+  };
+
+  networking = {
+    hostName = "kaze";
+  };
+
+  services.xserver = {
+    layout = "us";
+    xkbVariant = "";
+  };
+
+  users.users.notoh.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE4qfqJNxwNg9ryeT/XbjfQyuDKbBAwRn2Lzq3Iq5kA7 kaze"
+  ];
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
+  ];
+}

hosts/kaze/hardware.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/9cb414ab-0bb4-4db7-b77e-7d2a8cafd657";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/100a4262-ce57-47a7-b99a-f124a8e369de";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/kaze/home.nix

@@ -0,0 +1,14 @@
+{...}: {
+  imports = [
+    ../../home
+  ];
+
+  systemd.user.startServices = "sd-switch";
+  programs.home-manager.enable = true;
+
+  home = {
+    username = "notoh";
+    homeDirectory = "/home/notoh";
+    stateVersion = "23.05";
+  };
+}

hosts/kaze/networking.nix

@@ -0,0 +1,15 @@
+_: {
+  networking = {
+    networkmanager.enable = true;
+    nameservers = ["1.1.1.1"];
+    firewall = {
+      enable = true;
+    };
+  };
+  environment.etc = {
+    "resolv.conf".text = ''
+      nameserver 1.1.1.1
+      nameserver 1.0.0.1
+    '';
+  };
+}

hosts/kaze/services/default.nix

@@ -0,0 +1,4 @@
+_: {
+  imports = [
+  ];
+}

hosts/kaze/services/minio.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = [pkgs.minio-client];
+  sops.secrets.minio = {
+    owner = "minio";
+    group = "minio";
+    mode = "0600";
+    restartUnits = ["minio.service"];
+  };
+  services.minio = {
+    enable = true;
+    region = "us-east-1";
+    consoleAddress = "100.104.42.96:9006";
+    listenAddress = "100.104.42.96:9005";
+    rootCredentialsFile = config.sops.secrets.minio.path;
+    dataDir = ["/var/lib/mounted/minio/data"];
+    configDir = "/var/lib/mounted/minio/config";
+  };
+}

hosts/kaze/services/tailscale.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  sops.secrets.tsauth-kaze = {
+    sopsFile = ../../../secrets/tailscale/secrets.yaml;
+  };
+  environment.systemPackages = [pkgs.jq pkgs.tailscale];
+  services.tailscale = {
+    useRoutingFeatures = lib.mkDefault "client";
+  };
+  networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+  networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = ["network-pre.target" "tailscale.service"];
+    wants = ["network-pre.target" "tailscale.service"];
+    wantedBy = ["multi-user.target"];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-kaze.path} --exit-node=100.104.42.96 --exit-node-allow-lan-access=true --accept-dns=false
+    '';
+  };
+}