From 15fae309cd044307853a5cae0d047ccd85463e57 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg <dennis@frieberg.de>
Date: Fri, 22 Sep 2023 14:20:11 +0200
Subject: [PATCH] added actual hardware identifiers & atual network config

---
 nixos/machines/.gitkeep                       |  0
 nixos/machines/nyarlathotep/boot.nix          |  8 +++
 nixos/machines/nyarlathotep/configuration.nix | 10 +++-
 .../nyarlathotep/hardware-configuration.nix   | 24 +++++++++
 nixos/machines/nyarlathotep/mail.nix          |  4 +-
 nixos/machines/nyarlathotep/network.nix       | 15 ++++++
 nixos/roles/admins.nix                        | 30 ++++++++++++
 nixos/roles/default.nix                       | 49 +++++++++++++++++++
 8 files changed, 137 insertions(+), 3 deletions(-)
 delete mode 100644 nixos/machines/.gitkeep
 create mode 100644 nixos/machines/nyarlathotep/boot.nix
 create mode 100644 nixos/machines/nyarlathotep/hardware-configuration.nix
 create mode 100644 nixos/machines/nyarlathotep/network.nix
 create mode 100644 nixos/roles/admins.nix
 create mode 100644 nixos/roles/default.nix

diff --git a/nixos/machines/.gitkeep b/nixos/machines/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/nixos/machines/nyarlathotep/boot.nix b/nixos/machines/nyarlathotep/boot.nix
new file mode 100644
index 0000000..745f410
--- /dev/null
+++ b/nixos/machines/nyarlathotep/boot.nix
@@ -0,0 +1,8 @@
+{
+  imports = [ ];
+  boot.loader.grub = {
+    device = "nodev";
+    enable = true;
+  };
+}
+
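Review bot: The choice of `device = "nodev"` on line 35 needs a comment, because together with `enable = true` and no `efiSupport` it makes NixOS generate /boot/grub/grub.cfg without installing GRUB to any disk, and the guest then only boots if something outside it reads that file (presumably the hypervisor's pygrub/pvgrub, given the Xen block driver listed in hardware-configuration.nix — to be confirmed). A short why-comment would prevent a later "fix" to a real device: `# nodev: GRUB is not written to an MBR; the hypervisor's boot loader reads /boot/grub/grub.cfg`. The `imports = [ ];` line carries no information and can be dropped, as it also can in the other new modules.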
diff --git a/nixos/machines/nyarlathotep/configuration.nix b/nixos/machines/nyarlathotep/configuration.nix
index b2714bb..1a0e12a 100644
--- a/nixos/machines/nyarlathotep/configuration.nix
+++ b/nixos/machines/nyarlathotep/configuration.nix
@@ -1,7 +1,15 @@
 flake-inputs:
 {config, pkgs, lib, ... }: {
 
-imports = [(import ./mail.nix flake-inputs)];
+imports = [
+  ./hardware-configuration.nix
+  (import ./mail.nix flake-inputs)
+  ../../roles
+  ./boot.nix
+  ./network.nix
+];
 
 # System configuration here
+
+  system.stateVersion = "23.11";
 }
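Review bot: The indentation inside the module body is now inconsistent: the new `imports` list sits at column 0 while `system.stateVersion = "23.11";` is indented by two spaces, both directly inside the same `{ ... }` attribute set. The placeholder comment `# System configuration here` now sits between real options and should either be removed or moved below the last setting. Both belong at one indent level, e.g. `  imports = [` … `  ];` and `  system.stateVersion = "23.11";`.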
diff --git a/nixos/machines/nyarlathotep/hardware-configuration.nix b/nixos/machines/nyarlathotep/hardware-configuration.nix
new file mode 100644
index 0000000..078d8e1
--- /dev/null
+++ b/nixos/machines/nyarlathotep/hardware-configuration.nix
@@ -0,0 +1,24 @@
+{config, lib, pkgs, modulesPath, ...}: {
+  imports = [ ];
+
+  boot.initrd.availableKernelModules =
+    [ "ata_piix" "sr_mod" "xen_bklfront" ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0";
+    fsType = "ext4";
+  };
+  fileSystems."/var/mail" = {
+    device = "/dev/disk/by-uuid/23c44c93-5035-4e29-9e46-75c1c08f4cea";
+    fsType = "ext4";
+  };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/8bc30d17-3c08-4648-ab18-8c723523be1a"; }];
+
+  nix.settings.max-jobs = lib.mkDefault 4;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
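Review bot: `"xen_bklfront"` on line 71 is misspelled; the Xen paravirtual block driver module is `xen_blkfront`, so the entry should read `[ "ata_piix" "sr_mod" "xen_blkfront" ];`. Depending on how strictly the initrd build checks `boot.initrd.availableKernelModules` this either fails the build or silently leaves the block driver out of the initrd, in which case the root filesystem on /dev/disk/by-uuid/… cannot be found at stage 1 on a Xen guest. The `modulesPath` argument is accepted but unused and `imports = [ ];` is empty, which is fine but worth a one-line comment if the usual `(modulesPath + "/profiles/qemu-guest.nix")` import was left out on purpose.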
diff --git a/nixos/machines/nyarlathotep/mail.nix b/nixos/machines/nyarlathotep/mail.nix
index ebf1d38..a954a5d 100644
--- a/nixos/machines/nyarlathotep/mail.nix
+++ b/nixos/machines/nyarlathotep/mail.nix
@@ -23,12 +23,12 @@ flake-inputs:
 
     # Fun dovecot stuff :
 
-    # mailDirectory = "/var/vmail/"; # directory to store mail leave at default.
+    mailDirectory = "/var/mail/vmail/"; # directory to store mail
      
     hierarchySeparator = "/"; # seperator for imap mailboxes from client view
 
     # Caching of search indices
-    indexDir = "/var/lib/dovecot/indices";
+    indexDir = "/var/mail/lib/dovecot/indices";
     fullTextSearch = {
       enforced = "body"; # only brute force headers if no search index is available
     };
diff --git a/nixos/machines/nyarlathotep/network.nix b/nixos/machines/nyarlathotep/network.nix
new file mode 100644
index 0000000..3641375
--- /dev/null
+++ b/nixos/machines/nyarlathotep/network.nix
@@ -0,0 +1,15 @@
+# We sohuld put that config somewhere in roles and give it a parameter or something,
+# everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways
+# depend on the same thing 
+{
+  imports = [ ];
+  networking = {
+    interfaces.enX0.ipv4.addresses = [ {
+      addresses = "192.168.0.28";
+      prefixLength = 16;
+    } ];
+    defaultGateway = "192.168.0.155";
+    nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"];
+  };
+}
+
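Review bot: The address entry on line 123 uses the key `addresses`, but the elements of `networking.interfaces.<name>.ipv4.addresses` are submodules with `address` and `prefixLength`, so evaluation will reject the unknown option; it should read `address = "192.168.0.28";`. The last nameserver `"130.82.22.63"` breaks the 130.83.x.x pattern of the other three and looks like a transposed digit — worth confirming against the real resolver list. The header comment also has typos (`sohuld`, `alsways`) that could be cleaned up while the TODO it describes is still open.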
diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix
new file mode 100644
index 0000000..f5e3c36
--- /dev/null
+++ b/nixos/roles/admins.nix
@@ -0,0 +1,30 @@
+{lib, ...} :
+with lib;
+
+let
+  admins = {
+    nerf = {
+      hashedPassword =
+        "$6$rounds=424242$FaEtIXMUScxgAYyF$Fl8GbPFgiEv.1iwrhtVpTixG1BTJys3aIfLyTzocQYZV4JymrYEXtnyCTURmVDe8stxbxgDutmtlyElfn1DQc/";
+        keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDGDe2GHC3ZUxwxWawLlKa3DRSHG1Cer5JL3ctc3GcRn nerf@nerflap2"
+        ];
+    };
+  };
+
+  mkAdmin = name :
+  {hashedPassword, keys}: {
+    "${name}" = {
+      isNormalUser = true;
+      createHome = true;
+      extraGroups = [ "wheel" ];
+      group = "users";
+      home = "/home/${name}";
+      openssh.authorizedKeys = { inherit keys; };
+      inherit hashedPassword;
+    };
+  };
+
+in {
+  users.users = mkMerge (mapAttrsToList mkAdmin admins);
+}
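Review bot: The SHA-512 crypt hash on lines 143–144 is committed with the configuration, which exposes it to offline guessing by anyone who can read the repository, and because the account is in `wheel` a recovered password is a local root path even though default.nix disables SSH password logins. The hash would be better supplied from a secret deployed outside the repository via `passwordFile` (or `hashedPasswordFile` on newer NixOS releases) instead of `inherit hashedPassword;`, with `admins.nerf` holding only the key list; if the repository is private this is a lower-priority hardening item. Separately, the `keys` attribute on lines 145–147 is indented one level deeper than `hashedPassword` in the same set and should be aligned.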
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
new file mode 100644
index 0000000..6a6fe3d
--- /dev/null
+++ b/nixos/roles/default.nix
@@ -0,0 +1,49 @@
+{pkgs, config, lib, ...} : {
+
+imports = [ ./admins.nix ];
+nix = {
+  extraOptions = ''
+    experimental-features = nix-command flakes
+    builders-use-substitutes = true
+  '';
+};
+
+networking = {
+  firewall = { # these shoud be default, but better make sure!
+    enable = true;
+    allowPing = true;
+  };
+  nftables.enable = true;
+  useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface
+  # hosts = # TODO write something to autogenerate ip adresses!
+};
+
+users = {
+  mutableUsers = false;
+};
+
+environment = {
+  systemPackages = builtins.attrValues {
+    inherit (pkgs)
+      htop lsof tmux btop;
+  };
+};
+
+services = {
+  journald.extraConfig = "SystemMaxUse=5G";
+
+  nginx = {
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedTlsSettings = true;
+  };
+
+  openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+  };
+};
+}
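Review bot: The `services.openssh.settings` block on lines 215–218 disables `PasswordAuthentication` but leaves `KbdInteractiveAuthentication` at its default, so sshd can still accept password logins through the keyboard-interactive/PAM path; add `KbdInteractiveAuthentication = false;` next to the existing two settings to make the key-only intent effective. The `nix.extraOptions` string on lines 177–180 would be better expressed as typed settings, e.g. `nix.settings.experimental-features = [ "nix-command" "flakes" ];` and `nix.settings.builders-use-substitutes = true;`, which the module can merge and validate. The `services.nginx` recommended* flags are set without `enable`, which is harmless but worth a comment saying they are pre-staged for a role that enables nginx later.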