Commit files for public release

nixos-configurations/fulberg/README.md

@@ -0,0 +1 @@
+# fulberg

nixos-configurations/fulberg/applications/default.nix

@@ -0,0 +1 @@
+{ ... }: { }

nixos-configurations/fulberg/backup.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+{
+
+  qois.backup-server = {
+    enable = true;
+    backupStorageRoot = "/mnt/nas/backup";
+  };
+
+  services.borgbackup.repos =
+    let
+      backupRoot = "/mnt/nas/backup";
+      hostBackupRoot = "${backupRoot}/hosts";
+      dataBackupRoot = "${backupRoot}/data";
+    in
+    {
+      "lindberg-nextcloud" = {
+        authorizedKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpzfp9VqclbPJ42ZrkRpvjMSTeyq0qce03zCRXqIHMw backup@lindberg-nextcloud"
+        ];
+        path = "${hostBackupRoot}/lindberg-nextcloud";
+      };
+      "lindberg-data" = {
+        authorizedKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-data@lindberg"
+        ];
+        path = "${dataBackupRoot}/lindberg";
+      };
+      "lindberg-build-system" = {
+        authorizedKeys = [
+          "ssh-ed25519 AAAATODOTODOTODONTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-system@lindberg-build"
+        ];
+        path = "${dataBackupRoot}/lindberg-build-system";
+      };
+    };
+}

nixos-configurations/fulberg/default.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+{
+
+  imports = [
+    ../../defaults/base
+    ../../defaults/hardware/apu.nix
+    ../../defaults/meta
+    ./applications
+    ./backup.nix
+    ./filesystems.nix
+    ./networking.nix
+    ./secrets.nix
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like fi:le locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

nixos-configurations/fulberg/filesystems.nix

@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+{
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/360a6bc9-fc4e-4803-bd53-69320ac32ac5";
+      fsType = "btrfs";
+      options = [
+        "defaults"
+        "subvol=nixos"
+        "noatime"
+      ];
+    };
+    "/mnt/nas" = {
+      device = "10.1.1.39:/qois";
+      fsType = "nfs";
+      options = [
+        "defaults"
+        "noatime"
+        "soft"
+      ];
+    };
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/73f91e99-d856-4504-b6b2-d60f855d6d95"; } ];
+
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+  };
+}

nixos-configurations/fulberg/networking.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+let
+  meta = config.qois.meta;
+  plessur-dmz-net = meta.network.physical.plessur-dmz;
+  getCalandaIp4 = net: net.hosts.calanda.v4.ip;
+in
+{
+  networking.hostName = meta.hosts.fulberg.hostName;
+
+  imports = [ ../../defaults/backplane-net ];
+
+  # WWAN is currently not available due to a broken SIM-card.
+  #services.qois.wwan = {
+  #  enable = true;
+  #  apn = "gprs.swisscom.ch";
+  #  networkInterface = "wwp0s19u1u3i12";
+  #};
+
+  networking.interfaces.enp1s0 = {
+    useDHCP = false;
+    ipv4.addresses = [
+      {
+        inherit (plessur-dmz-net.v4) prefixLength;
+        address = plessur-dmz-net.hosts.fulberg.v4.ip;
+      }
+    ];
+  };
+
+  networking.defaultGateway = plessur-dmz-net.v4.gateway;
+  networking.nameservers = plessur-dmz-net.v4.nameservers;
+
+  # Configure this node to be used as an vpn exit node
+  qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    useRoutingFeatures = "server";
+    authKeyFile = config.sops.secrets."tailscale/key".path;
+    extraUpFlags = [
+      "--login-server=https://vpn.qo.is"
+      "--advertise-exit-node"
+      (
+        with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
+      )
+      "--advertise-tags=tag:srv"
+    ];
+  };
+}

nixos-configurations/fulberg/secrets.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  sops.secrets = {
+    "tailscale/key" = {
+      restartUnits = [ "tailscale.service" ];
+    };
+  };
+}