zaphyra's git: nixfiles

zaphyra's nixfiles

commit 95e3d3415951e780379baf2b89dc8f559c85582d
parent ecb0d6a4140c404305457f18eefe1f24b8cea468
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Mon, 29 Sep 2025 18:49:33 +0200

hosts: add `pratorum`
2 files changed, 194 insertions(+), 0 deletions(-)
A
hosts/pratorum/default.nix
|
145
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
hosts/pratorum/dn42.nix
|
49
+++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/hosts/pratorum/default.nix b/hosts/pratorum/default.nix
@@ -0,0 +1,145 @@
+{
+
+  system = "x86_64-linux";
+  nixpkgsStable = true;
+
+  domain = "infra.zaphyra.eu";
+
+  sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEMrPGa6PIx0UpVnbVYWR+TTbNyZPd8htTTzjQ5NBI3";
+
+  hardware = {
+    cpuVendor = "amd";
+    allowHibernation = false;
+  };
+
+  networking = {
+    ip4IsPrivate = true;
+    ip4Address = "192.168.2.110";
+    ip4PrefixLength = 24;
+    defaultGateway4 = "192.168.2.1";
+
+    ip6IsPrivate = true;
+    ip6Address = "2a03:4000:4d:5e:acab::3";
+    ip6PrefixLength = 112;
+
+    hasDN42 = true;
+    dn42Address = "fd6b:6174:6a61::10";
+  };
+
+  configuration =
+    {
+      config,
+      lib,
+      hostConfig,
+      ...
+    }:
+    {
+
+      imports = [
+        ./dn42.nix
+      ];
+
+      boot.initrd.systemd.emergencyAccess = true;
+      boot.initrd.availableKernelModules = [
+        "nvme"
+        "ehci_pci"
+        "xhci_pci"
+        "ahci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
+      boot.kernelModules = [ "kvm-amd" ];
+      boot.extraModulePackages = [ ];
+      boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/e6ad3c7a-f1a5-4e10-a9f6-53e39297b1a3";
+
+      fileSystems."/" = {
+        device = "/dev/disk/by-uuid/d9856f85-c995-4d85-a614-cb2977fea1de";
+        fsType = "btrfs";
+      };
+
+      fileSystems."/boot" = {
+        device = "/dev/disk/by-uuid/2B4A-D88C";
+        fsType = "vfat";
+        options = [
+          "fmask=0022"
+          "dmask=0022"
+        ];
+      };
+
+      nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+      hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+      systemd.network = {
+        netdevs."10-wg-novus" = {
+          netdevConfig = {
+            Kind = "wireguard";
+            Name = "wg-novus";
+          };
+
+          wireguardConfig = {
+            PrivateKeyFile = config.sops.secrets."dn42/wgPrivateKey".path;
+            ListenPort = 51820;
+            FirewallMark = 51820;
+          };
+
+          wireguardPeers = [
+            {
+              Endpoint = "novus.infra.zaphyra.eu:51820";
+              PublicKey = "J+kRRNU65JGc0yk04v6P3tFwHSQOIfq8EkfD2gFupg4=";
+              AllowedIPs = [ "2a03:4000:4d:5e:acab::3/112" ];
+              PersistentKeepalive = 10;
+            }
+          ];
+        };
+
+        networks."10-wg-novus" = {
+          matchConfig.Name = "wg-novus";
+
+          linkConfig = {
+            RequiredForOnline = false;
+          };
+          address = [
+            "${hostConfig.networking.ip6Address}/${toString hostConfig.networking.ip6PrefixLength}"
+          ];
+        };
+
+        networks."5-enp3s0f0" = {
+          enable = true;
+          name = "enp3s0f0";
+          dns = [
+            "1.1.1.1"
+            "8.8.8.8"
+            "9.9.9.9"
+          ];
+          gateway = [
+            hostConfig.networking.defaultGateway4
+          ];
+          address = [
+            "${hostConfig.networking.ip4Address}/${toString hostConfig.networking.ip4PrefixLength}"
+          ];
+          networkConfig.IPv6AcceptRA = true;
+        };
+      };
+
+      modules = {
+        presets = {
+          base.enable = true;
+          zaphyra = {
+            enable = true;
+            syncthing.enable = true;
+          };
+        };
+
+        websites = {
+          "music.zaphyra.dn42".enable = true;
+        };
+
+        users.zaphyra.enable = true;
+      };
+
+      system.stateVersion = "25.05";
+      home-manager.users.zaphyra.home.stateVersion = "25.05";
+    };
+
+}
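Review bot: `boot.initrd.systemd.emergencyAccess = true;` allows unauthenticated root access to the initrd emergency shell, so on this LUKS-rooted host anyone at the console gets a root shell whenever early boot fails, including failures that happen after `root` has already been unlocked. The option also accepts a hashed password, e.g. `boot.initrd.systemd.emergencyAccess = "<hashed-password-placeholder>";`, or it can be left unset once bring-up is finished. If a hash is used it presumably ends up inside the initrd image, and this hunk mounts `/boot` with `fmask=0022`/`dmask=0022`, so anything stored there is readable by every local user; `"fmask=0077"` and `"dmask=0077"` would be tighter. A short comment above the line stating why emergency access is needed on this host would help whoever revisits it.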
diff --git a/hosts/pratorum/dn42.nix b/hosts/pratorum/dn42.nix
@@ -0,0 +1,49 @@
+{ config, ... }:
+
+{
+
+  sops.secrets."dn42/wgPrivateKey" = {
+    owner = "systemd-network";
+    group = "systemd-network";
+  };
+
+  systemd.network = {
+    netdevs."20-dn42" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "dn42";
+        MTUBytes = 1280;
+      };
+
+      wireguardConfig = {
+        PrivateKeyFile = config.sops.secrets."dn42/wgPrivateKey".path;
+        ListenPort = 1718;
+        FirewallMark = 1718;
+      };
+
+      wireguardPeers = [
+        {
+          PublicKey = "MRXPP//j+BDCiUyrYHdXtdULAsCZyfgumas8pxp6oiE=";
+          Endpoint = "router-a.dn42.zaphyra.eu:1718";
+          AllowedIPs = [ "fd00::/8" ];
+          PersistentKeepalive = 10;
+        }
+      ];
+    };
+
+    networks."20-dn42" = {
+      matchConfig.Name = "dn42";
+      linkConfig.RequiredForOnline = false;
+      routes = [
+        {
+          Destination = "::/0";
+          Table = "1234";
+        }
+      ];
+      address = [
+        "fd6b:6174:6a61::10/128"
+      ];
+    };
+  };
+
+}
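Review bot: The secret `dn42/wgPrivateKey` declared at the top of this file is used by the `dn42` netdev here and also by `wg-novus` in hosts/pratorum/default.nix (`PrivateKeyFile = config.sops.secrets."dn42/wgPrivateKey".path;`), so both tunnels share one WireGuard identity. That couples them: the key cannot be rotated or revoked for one tunnel without touching the other, and both peers see the same public key for this host. A second secret declared next to the infrastructure tunnel, for example `sops.secrets."novus/wgPrivateKey"` (name is a placeholder) with the same `owner`/`group`, would keep them independent. Separately, the `::/0` route goes into table `1234`, but no routing policy rule selecting that table is visible in this commit; if it lives in a shared module, a one-line comment pointing to it would make the routing intent clear.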