From f4f6933ec3eca074b3a041815131970cad6c9fc1 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Sat, 24 Feb 2024 02:33:59 +0100
Subject: [PATCH] add alpha

---
 flake.nix                              |  6 ++++
 hosts/alpha/default.nix                | 47 ++++++++++++++++++++++++++
 hosts/alpha/hardware.nix               | 41 ++++++++++++++++++++++
 modules/base/ssh.nix                   |  1 +
 modules/desktop/ssh.nix                |  4 +++
 secrets/secrets.nix                    |  3 +-
 secrets/users-hashed-password-file.age | 14 ++++----
 7 files changed, 109 insertions(+), 7 deletions(-)
 create mode 100644 hosts/alpha/default.nix
 create mode 100644 hosts/alpha/hardware.nix

diff --git a/flake.nix b/flake.nix
index 13814a5..4f25014 100644
--- a/flake.nix
+++ b/flake.nix
@@ -61,6 +61,12 @@
       specialArgs = inputs; # pass flake inputs to modules
       modules = [ ./hosts/mu ];
     };
+    # Hetzner VPS
+    alpha = nixpkgs.lib.nixosSystem {
+      system = "aarch64-linux";
+      specialArgs = inputs; # pass flake inputs to modules
+      modules = [ ./hosts/alpha ];
+    };
     # Tor relay
     tor = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
diff --git a/hosts/alpha/default.nix b/hosts/alpha/default.nix
new file mode 100644
index 0000000..f195532
--- /dev/null
+++ b/hosts/alpha/default.nix
@@ -0,0 +1,47 @@
+{ ... }: {
+  imports = [
+    ../../overlays
+    ../../modules/base
+    ../../modules/server
+    ./hardware.nix
+  ];
+
+  networking.hostName = "alpha";
+  systemd.network.networks = {
+    "10-lan" = {
+      name = "enp1s0";
+      networkConfig.DHCP = "ipv4";
+      address = [
+        "2a01:4f8:c2c:71c0::/64"
+      ];
+      routes = [
+        { routeConfig = { Gateway = "fe80::1"; }; }
+      ];
+    };
+  };
+
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+    initrd.luks.devices.crypted.device = "/dev/disk/by-label/crypted";
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+  # This value determines the Home Manager release that your
+  # configuration is compatible with. This helps avoid breakage
+  # when a new Home Manager release introduces backwards
+  # incompatible changes.
+  # You can update Home Manager without changing this value. See
+  # the Home Manager release notes for a list of state version
+  # changes in each release.
+  home-manager.users.caspervk.home.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/hosts/alpha/hardware.nix b/hosts/alpha/hardware.nix
new file mode 100644
index 0000000..3cefce8
--- /dev/null
+++ b/hosts/alpha/hardware.nix
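Review bot: The address `"2a01:4f8:c2c:71c0::/64"` in the `10-lan` unit has an all-zero interface identifier, which RFC 4291 reserves as the Subnet-Router anycast address of that /64; Hetzner's own examples assign the first host address, so `"2a01:4f8:c2c:71c0::1/64"` is the less surprising choice. Separately, `initrd.luks.devices.crypted` is declared with no initrd networking or SSH beside it, so on a headless VPS every reboot appears to need the passphrase typed into the provider's console; if that is the intended operating model, a comment such as `# LUKS passphrase is entered via the Hetzner VNC console on boot` would spare the next reader the question, and `boot.initrd.network` is the usual route if remote unlocking is wanted later.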
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, modulesPath, ... }: {
+  # https://nixos.wiki/wiki/Install_NixOS_on_Hetzner_Cloud
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" "virtio_gpu" ];
+  boot.kernelParams = [ "console=tty" ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/BOOT";
+    fsType = "vfat";
+  };
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/nix";
+    neededForBoot = true;
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {
+      device = "/nix/persist/swapfile";
+      size = 4 * 1024; # 4 GiB
+    }
+  ];
+
+  # Enables DHCP on all ethernet and wireless LAN interfaces.
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
+
diff --git a/modules/base/ssh.nix b/modules/base/ssh.nix
index acdb011..e6d3360 100644
--- a/modules/base/ssh.nix
+++ b/modules/base/ssh.nix
@@ -18,6 +18,7 @@
   # ssh-keyscan -t ed25519 -p 222 alpha.caspervk.net
   programs.ssh.knownHosts = {
+    "alpha.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0OmbNKuMGIOEUxqNDgUN9lz1LSw7xvZ6Tu/BkQyRoy";
     "delta.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0x9oImZjIhoPEwLlHVixIh7y1Kwn+SX17xffrdRzvv";
     "git.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd";
     "lambda.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd";
diff --git a/modules/desktop/ssh.nix b/modules/desktop/ssh.nix
index 4db1074..07b2b6a 100644
--- a/modules/desktop/ssh.nix
+++ b/modules/desktop/ssh.nix
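Review bot: With `fileSystems."/"` on tmpfs, nothing under `/etc/ssh` survives a reboot, yet this host's `ssh_host_ed25519_key` is what `secrets/secrets.nix` uses as the agenix identity and what `modules/base/ssh.nix` pins in knownHosts; unless `modules/base` (not visible here) already bind-mounts or symlinks `/etc/ssh` out of `/nix/persist`, the first reboot regenerates the key, leaving secrets undecryptable and clients failing host verification. Pointing the daemon at a persisted key, e.g. `services.openssh.hostKeys = [ { path = "/nix/persist/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; } ];`, or a comment naming where persistence is handled, would make this explicit. The swap file under `/nix/persist` also deserves a one-line comment stating whether the `nix` filesystem lives inside the `crypted` LUKS volume, since swapped-out pages of decrypted secrets would otherwise land on plaintext disk.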
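Review bot: The new `"alpha.caspervk.net".publicKey` pin is keyed by bare hostname, but `modules/desktop/ssh.nix` connects to this host on port 222, and OpenSSH looks up non-default-port hosts in known_hosts under `[host]:port`, so this entry would not be consulted for that connection unless a `HostKeyAlias` is set elsewhere. Adding the port form, `"alpha.caspervk.net" = { hostNames = [ "alpha.caspervk.net" "[alpha.caspervk.net]:222" ]; publicKey = "ssh-ed25519 AAAA…yRoy"; };`, covers both; the existing delta/git/lambda entries appear to share the gap but are outside this change. The `ssh-keyscan` hint above it is trust-on-first-use; the key matches the `root@alpha` key added to `secrets.nix`, presumably read off the console, and a short comment recording that cross-check would document why the keyscan result was trusted.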
@@ -10,6 +10,10 @@
       # one. This is especially useful when using SCP.
       controlMaster = "yes";
       matchBlocks = {
+        "alpha" = {
+          hostname = "alpha.caspervk.net";
+          port = 222;
+        };
         "delta" = {
           hostname = "delta.caspervk.net";
           port = 222;
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index addc371..143c7c4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,6 +7,7 @@ let
   # Get a system's public key using:
   # > cat /etc/ssh/ssh_host_ed25519_key.pub
   # If you change or add a key, all secrets need to be `agenix --rekey`'ed.
+  alpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0OmbNKuMGIOEUxqNDgUN9lz1LSw7xvZ6Tu/BkQyRoy root@alpha";
   mu = "todo";
   omega = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvFN4vnqPX31+4/ZJxOJ7/bSUEu2xB6ovezPQjLm13H root@omega";
   tor = "todo";
@@ -16,7 +17,7 @@ let
   # > agenix -i $AGE_KEY_FILE -e foo.age
   recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj";
-  all = [ omega recovery ];
+  all = [ alpha omega recovery ];
 in {
   "users-hashed-password-file.age".publicKeys = all;
diff --git a/secrets/users-hashed-password-file.age b/secrets/users-hashed-password-file.age
index 3986bca..8b16042 100644
--- a/secrets/users-hashed-password-file.age
+++ b/secrets/users-hashed-password-file.age
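Review bot: Adding `alpha` to `all` grants the VPS's host key decryption of every secret that is keyed to `all`, not only what alpha needs; the one entry visible here is `users-hashed-password-file.age`, a password hash, but any future secret assigned `all` inherits exposure to a cloud-hosted machine whose disk passphrase is entered through the provider's console. Keeping a per-secret recipient list, e.g. `"users-hashed-password-file.age".publicKeys = [ alpha omega recovery ];` separate from a broader `all`, would keep that blast radius explicit when the next secret is added. The rekeyed `.age` file in this commit does show two ssh-ed25519 recipients plus the age recovery key, so the `agenix --rekey` step the comment calls for appears to have been done.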
@@ -1,7 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 fY+XUg ThWnidSUv20sqdMebPW0aV512ascEV4WyDia72vhTnI -fbFAnyqqqpp9fEct2EiLG1wWw//U8kWcpf0QnbSh33Y --> X25519 ZbC+v0St7P+W/AHq1Afst7ylmZUFA7OIhiElfexTHgg -2DbCqyjULhmDji3E1HrPuO8WW74dIia1GFOSCaeGliU ---- 6W7LaM4dc6tJONcmtVAwhI/NcOE8EUYPrg75K6Qpynw -%?4k=/_a#]o>tVưEWR÷~8;m"&˹G]sANpWNKƉpP$8e \ No newline at end of file +-> ssh-ed25519 VPTtjA n8925Pjsx9niaBYV/VGNXjFA6JvyKqSnMS2KIGRmyFI +1lexU/9gXg7E0m8M4gQvN/UkiLydIf+v++aWwpZ4Dus +-> ssh-ed25519 fY+XUg A5VnCLLJpMWZO6zf4E97+R0G5ZcLmxEdPnswrYMFXzk +oho1CsNawBTo2Zm9o75z5++kW/HP8jnuZkgY/F46zh8 +-> X25519 wRjzI510elgd0prOeWifJ7qgxNF+vADU1ghY4CKsxls +KtUd3pONn9P2muRRf8BPN9h9Z3lQCHM3YyZCHYZHVlE +--- +Phw1BDecOqiTKuNXuA4xIvPxUWeZspB2C8Fk1FkWDQ +TgVӴRIl֥~\Rf^r QԴ@PN-9& ,̒2ztq*"kGXqj:mK,4 e \ No newline at end of file