feat(machines): Init vault01

.forgejo/workflows/eval.yaml

@@ -29,6 +29,16 @@ jobs:
           # Enter the shell
           nix-shell --run 'colmena build --on storage01'
 
+  build_vault01:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Build vault01
+        run: |
+          # Enter the shell
+          nix-shell --run 'colmena build --on vault01'
+
   build_web01:
     runs-on: nix
     steps:

machines/vault01/_configuration.nix

@@ -0,0 +1,21 @@
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+    "dgn-fail2ban"
+  ];
+
+  enabledServices = [
+    # List of services to enable
+  ];
+
+  extraConfig = {
+    dgn-fail2ban.jails =
+      lib.extra.enableAttrs' "enabled" [ "sshd-bruteforce" "sshd-timeout" ];
+
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}

machines/vault01/_hardware-configuration.nix

@@ -0,0 +1,35 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ pkgs, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules =
+        [ "xhci_pci" "megaraid_sas" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
+      kernelModules = [ ];
+    };
+
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+    kernelPackages = pkgs.linuxKernel.packages.linux_6_7;
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/cfa2a9fd-f053-42ce-9d9a-65cdd773272d";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/33AE-7115";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/954ecb9c-ccd1-4e98-9eb6-3514bd3c01d1"; }];
+}

machines/vault01/secrets/secrets.nix

@@ -0,0 +1,6 @@
+let
+  lib = import ../../../lib { };
+  publicKeys = lib.getNodeKeys "vault01";
+
+in lib.setDefault { inherit publicKeys; } [
+]

meta/infrastructure.nix

@@ -7,6 +7,11 @@
     "storage01"
   ];
 
+  # Jourdan
+  par02 = [
+    "vault01"
+  ];
+
   # VMs du SPI/NPS/Whatever
   dmi01 = [
     "web01"

meta/network.nix

@@ -60,6 +60,20 @@ builtins.mapAttrs mkNet {
     hostId = "d4e7c369";
   };
 
+  vault01 = {
+    interfaces = {
+      enp130s0f0 = {
+        ipv4 = [
+          { address = "129.199.210.85"; prefixLength = 24; }
+        ];
+
+        gateways = [ "129.199.210.254" ];
+      };
+    };
+
+    hostId = "e83b600d";
+  };
+
   web01 = {
     interfaces = {
       ens3 = {

meta/nodes.nix

@@ -37,4 +37,8 @@ builtins.mapAttrs mkNode {
   storage01 = {
     stateVersion = "23.11";
   };
+
+  vault01 = {
+    stateVersion = "23.11";
+  };
 }

modules/dgn-console.nix

@@ -71,7 +71,8 @@ in {
     hardware.enableRedistributableFirmware = true;
 
     environment.systemPackages = (with pkgs; [ neovim wget kitty.terminfo ])
-      ++ lib.optional (config.services.postgresql.package != cfg.pg-upgrade-to)
+      ++ lib.optional (config.services.postgresql.enable
+        && config.services.postgresql.package != cfg.pg-upgrade-to)
       (pkgs.writeScriptBin "upgrade-pg-cluster" ''
         set -eux
         # XXX it's perhaps advisable to stop all services that depend on postgresql

npins/sources.json

@@ -127,8 +127,8 @@
     "nixos-23.11": {
       "type": "Channel",
       "name": "nixos-23.11",
-      "url": "https://releases.nixos.org/nixos/23.11/nixos-23.11.2596.c1be43e8e837/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixos/23.11/nixos-23.11.2728.6723fa4e4f1a/nixexprs.tar.xz",
-      "hash": "036ghzm8r0s5xn7492k3ld0pf46mw7bjnmbal42csqk8k2cj0mxh"
+      "hash": "1iv40b5kiyajhdf6psf4fzajgn7mgb3a4m2hrdmllas1h2xdxh38"
     },
     "nixpkgs": {
       "type": "Channel",