fuuko: Init

machines/default.nix

@@ -18,4 +18,10 @@ lib.mapAttrs
   vueko = {
     target = "root@vueko.sbruder.de";
   };
+  fuuko = {
+    # FIXME: Since the unlock script forces IPv4 connectivity (since only that
+    # can be guarenteed), I have to use an internal IP address for now. This
+    # can be changed once DNS has an A record too.
+    target = "root@192.168.100.61";
+  };
 }

machines/fuuko/README.md

@@ -0,0 +1,27 @@
+# fuuko
+
+## Hardware
+
+HP MicroServer Gen8 with an [Intel Xeon E3-1220L
+v2](https://ark.intel.com/content/www/us/en/ark/products/65735/intel-xeon-processor-e3-1220l-v2-3m-cache-2-30-ghz.html)
+and 8 GiB ECC RAM (1600 MHz). It isn’t the best choice, but I already had it
+lying around and it is acceptable after changing the CPU from the original
+Celeron.  I decided not to use another consumer-grade computer for this, since
+the server offers ECC memory and therefore should be more reliable.
+
+The SSD (Crucial BX500 240GB) is connected to the first drive slot in a 3.5 ″
+adapter. I originally wanted to connect it to the internal ODD SATA port, but
+since it only supports SATA2 (3Gbit/s) and does not support booting from it,
+requiring an additional boot drive, I decided against this.
+
+For storage it has two Hard drives (Seagate Exos E 7E8 ST8000NM000A and WD
+Ultrastar DC HC320 0B36404) in BTRFS RAID1. They are connected to the 2rd and
+3th bay. Bay 3 is only SATA2, but that should not be the bottleneck.
+
+## Purpose
+
+It is my main server handling most long-runing tasks and services.
+
+## Name
+
+Fuuko Ibuki is a student in *Clannad* who carves starfish out of wood.

machines/fuuko/configuration.nix

@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+    ../../users/simon
+  ];
+
+  sbruder = {
+    wireguard.home.enable = true;
+    nginx.hardening.enable = true;
+  };
+
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts."fuuko.home.sbruder.de" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  networking.hostName = "fuuko";
+
+  system.stateVersion = "20.09";
+}

machines/fuuko/hardware-configuration.nix

@@ -0,0 +1,106 @@
+{ config, lib, modulesPath, pkgs, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+      <nixos-hardware/common/cpu/intel>
+      <nixos-hardware/common/pc/ssd>
+    ];
+
+  boot = {
+    kernelModules = [ "kvm-intel" ];
+    blacklistedKernelModules = [ "acpi_power_meter" ]; # constantly pollutes kernel log
+    extraModulePackages = [ ];
+    supportedFilesystems = [ "btrfs" ];
+    kernelParams =
+      let
+        mainInterface = config.systemd.network.networks.eno1;
+        first = lib.flip lib.elemAt 0;
+      in
+      [
+        "ip=${first mainInterface.address}::${first mainInterface.gateway}::${config.networking.hostName}:${mainInterface.name}"
+      ];
+    initrd = {
+      availableKernelModules = [
+        "aesni_intel" # hardware crypto for luks
+        "ahci"
+        "ehci_pci"
+        "sd_mod"
+        "tg3" # network interface
+        "uhci_hcd"
+        "usb_storage"
+        "usbhid"
+        "xhci_pci"
+      ];
+      kernelModules = [ ];
+      network.enable = true; # remote unlocking
+      luks.devices = {
+        root = {
+          name = "root";
+          device = "/dev/disk/by-uuid/72b59109-8df1-4fca-9b2e-d9dc973fce75";
+          preLVM = true;
+          allowDiscards = true;
+        };
+      };
+    };
+    loader.grub.device = "/dev/disk/by-id/ata-CT240BX500SSD1_2045E4C67C52";
+  };
+
+  krops.secrets.luks-data = { };
+
+  environment.etc.crypttab.text =
+    let
+      keyfile = config.krops.secrets.luks-data.source; # path is not yet available
+    in
+    ''
+      data0 UUID=aa692e73-2b75-4239-8a87-5f5b69ea56c5 ${keyfile} luks
+      data1 UUID=1f4120b6-a3a0-4973-8c4c-a4d6703eea2a ${keyfile} luks
+    '';
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/c45b49b9-bc3c-4e53-85ae-0d430ba1cafb";
+      fsType = "ext4";
+      options = [ "discard" "noatime" ];
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/a1ceeabf-fe24-42ce-9ffc-99ebe7b97d5c";
+      fsType = "ext2";
+    };
+    "/data" = {
+      device = "/dev/mapper/data0";
+      fsType = "btrfs";
+      options = [ "compress=zstd" ];
+    };
+  };
+
+  services.btrfs.autoScrub = {
+    enable = true;
+    fileSystems = [ "/data" ];
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/disk/by-partuuid/e62d8794-aff9-44d0-8080-06cf4c128306";
+      randomEncryption.enable = true;
+    }
+  ];
+
+  powerManagement.cpuFreqGovernor = "performance";
+
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    networks = {
+      eno1 = {
+        name = "eno1";
+        dns = [ "192.168.100.1" ];
+        domains = [ "home.sbruder.de" ];
+        address = [ "192.168.100.61/24" ];
+        gateway = [ "192.168.100.1" ];
+      };
+    };
+  };
+  services.resolved.enable = false;
+}