From bdc5cbc197c5b48538aff61eee5eb8995c2f3768 Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Wed, 21 Feb 2024 01:44:48 +0100
Subject: [PATCH 1/2] feat(infra): init rescue01
---
 machines/rescue01/_configuration.nix | 23 +++++++++++
 machines/rescue01/_hardware-configuration.nix | 41 +++++++++++++++++++
 machines/rescue01/secrets/secrets.nix | 5 +++
 meta/infrastructure.nix | 3 ++
 meta/network.nix | 21 ++++++++++
 meta/nodes.nix | 4 ++
 6 files changed, 97 insertions(+)
 create mode 100644 machines/rescue01/_configuration.nix
 create mode 100644 machines/rescue01/_hardware-configuration.nix
 create mode 100644 machines/rescue01/secrets/secrets.nix
diff --git a/machines/rescue01/_configuration.nix b/machines/rescue01/_configuration.nix
new file mode 100644
index 0000000..f11afbf
--- /dev/null
+++ b/machines/rescue01/_configuration.nix
@@ -0,0 +1,23 @@
+{ lib, ... }:
+
+lib.extra.mkConfig {
+ enabledModules = [
+ # List of modules to enable
+ "dgn-fail2ban"
+ ];
+
+ enabledServices = [
+ # List of services to enable
+ ];
+
+ extraConfig = {
+ dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
+ "sshd-bruteforce"
+ "sshd-timeout"
+ ];
+
+ services.netbird.enable = true;
+ };
+
+ root = ./.;
+}
diff --git a/machines/rescue01/_hardware-configuration.nix b/machines/rescue01/_hardware-configuration.nix
new file mode 100644
index 0000000..5593e39
--- /dev/null
+++ b/machines/rescue01/_hardware-configuration.nix
@@ -0,0 +1,41 @@
+{ lib, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot = {
+ initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ initrd.kernelModules = [ ];
+ # hack to avoid intel_kvm that is set in dgn-hardware
+ kernelModules = lib.mkForce [ ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/ed02dfb7-7071-4852-9bb6-f3bd965e0234";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/5781-E6CA";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/machines/rescue01/secrets/secrets.nix b/machines/rescue01/secrets/secrets.nix
new file mode 100644
index 0000000..47020b5
--- /dev/null
+++ b/machines/rescue01/secrets/secrets.nix
@@ -0,0 +1,5 @@
+let
+ lib = import ../../../lib { };
+ publicKeys = lib.getNodeKeys "rescue01";
+in
+lib.setDefault { inherit publicKeys; } [ ]
diff --git a/meta/infrastructure.nix b/meta/infrastructure.nix
index 3f1944f..8968307 100644
--- a/meta/infrastructure.nix
+++ b/meta/infrastructure.nix
@@ -14,6 +14,9 @@
 "vault01"
 ];
+ # Luj's infra
+ par03 = [ "rescue01" ];
+
 # VMs du SPI/NPS/Whatever
 dmi01 = [
 "web01"
diff --git a/meta/network.nix b/meta/network.nix
index 8b4595e..479d1d5 100644
--- a/meta/network.nix
+++ b/meta/network.nix
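Review bot: `kernelModules = lib.mkForce [ ];` in the `boot` block of _hardware-configuration.nix overrides every ordinary definition of `boot.kernelModules`, not only the `intel_kvm` entry the comment above it mentions, so anything another imported module adds to that list on this host is silently dropped. The narrower fix is to remove the one entry where it is set — make the value in dgn-hardware conditional on the host, or give that module an option rescue01 can switch off — instead of forcing the whole list here. If mkForce has to stay for now, the comment should state the cost: `# mkForce empties the whole boot.kernelModules list (not just intel_kvm); any module this host needs must be listed here explicitly`.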
@@ -188,4 +188,25 @@ builtins.mapAttrs mkNet {
 hostId = "b431ca10";
 };
+
+ rescue01 = {
+ interfaces = {
+ ens18 = {
+ ipv6 = [
+ {
+ address = "2a01:e0a:de4:a0e1:2d73:2a7e:18db:5728";
+ prefixLength = 64;
+ }
+ ];
+ ipv4 = [
+ {
+ address = "192.168.0.232";
+ prefixLength = 21;
+ }
+ ];
+ gateways = [ "192.168.0.1" ];
+ };
+ };
+ hostId = "007f0200";
+ };
 }
diff --git a/meta/nodes.nix b/meta/nodes.nix
index 16ac0ad..b823393 100644
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
@@ -62,4 +62,8 @@ builtins.mapAttrs mkNode {
 stateVersion = "24.05";
 nixpkgs = "unstable";
 };
+
+ rescue01 = {
+ stateVersion = "23.11";
+ };
 }
-- 
2.46.1
From a99078a3b250cc78b88d654c3f6db78073a19b3a Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Wed, 21 Feb 2024 01:48:29 +0100
Subject: [PATCH 2/2] feat(infra): add ci for rescue01
---
 .forgejo/workflows/eval.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.forgejo/workflows/eval.yaml b/.forgejo/workflows/eval.yaml
index 0072899..b5cbf0a 100644
--- a/.forgejo/workflows/eval.yaml
+++ b/.forgejo/workflows/eval.yaml
@@ -58,3 +58,13 @@ jobs:
 run: |
 # Enter the shell
 nix-shell --run 'colmena build --on web02'
+
+ build_rescue01:
+ runs-on: nix
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Build rescue01
+ run: |
+ # Enter the shell
+ nix-shell --run 'colmena build --on rescue01'
-- 
2.46.1
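Review bot: The `gateways` list for ens18 in the new rescue01 entry of network.nix carries only the IPv4 next hop `192.168.0.1`, while the same interface is given a global IPv6 address in a /64; unless mkNet — defined above this hunk, outside the view — takes the IPv6 default route from router advertisements, the host ends up with a routable v6 address and no v6 default route. Either add the v6 next hop to the list, if mkNet accepts mixed entries as the entries above this hunk would show, or record the assumption next to the list: `# v6 default route is expected from RA on ens18; only the v4 gateway is static`. Spelling this out matters on a rescue host, where reachability is the whole point of the machine.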
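Review bot: rescue01 is added to nodes.nix without a `nixpkgs` entry, while the node directly above it in the context sets `nixpkgs = "unstable";`; whether mkNode (defined above this hunk) supplies a default is not visible here, so the new node either fails to evaluate or silently follows an implicit channel. Making it explicit keeps the file self-describing, e.g. `rescue01 = { stateVersion = "23.11"; nixpkgs = "unstable"; };`, or whichever channel the rescue host is meant to track.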
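Review bot: `- uses: actions/checkout@v3` in the new build_rescue01 job references the action by a movable tag, so the code that runs on the `nix` runner can change without any change to this repository; pinning by full commit hash, `- uses: actions/checkout@<full-commit-sha> # v3`, makes the step reproducible and reviewable. The web02 job whose tail is visible above the hunk appears to follow the same per-host template, and if it uses the same tag reference the two should move together. The new job is otherwise a verbatim copy of that body with only the host name changed; a `strategy.matrix` over the host list would keep a single definition in step for every host.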