From 658f05fa040b222355334e2a386affbbece71da8 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Wed, 19 Oct 2022 13:16:24 +0200
Subject: [PATCH] add bobi

---
 flake.lock | 8 +-
 flake.nix | 19 ++++-
 images/usb-init-configuration.nix | 2 +-
 nixos/assets/tinc/bobi_host_file | 14 ++++
 nixos/components/network/tinc/private.nix | 4 +
 nixos/machines/bobi/configuration.nix | 81 +++++++++++++++++++
 .../machines/bobi/hardware-configuration.nix | 47 +++++++++++
 nixos/machines/bobi/syncthing.nix | 42 ++++++++++
 nixos/machines/bobi/tinc.nix | 14 ++++
 9 files changed, 225 insertions(+), 6 deletions(-)
 create mode 100644 nixos/assets/tinc/bobi_host_file
 create mode 100644 nixos/machines/bobi/configuration.nix
 create mode 100644 nixos/machines/bobi/hardware-configuration.nix
 create mode 100644 nixos/machines/bobi/syncthing.nix
 create mode 100644 nixos/machines/bobi/tinc.nix

diff --git a/flake.lock b/flake.lock
index a807ac8..dccaf39 100644
--- a/flake.lock
+++ b/flake.lock
@@ -881,11 +881,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1663876023,
-        "narHash": "sha256-esUjNxIvrKZXukSbZbre4l5nS++Iqhc19LGHcizHEk4=",
+        "lastModified": 1666166753,
+        "narHash": "sha256-Gev83ZYEkEEXKcz+ChNajNzzuqPodjVbSlgdHLHXtVs=",
         "ref": "main",
-        "rev": "6b43a1b2f4ba34f684614d15f54e68d88eea2612",
-        "revCount": 38,
+        "rev": "c5c4fad9987a0aaab4d2b072fe40ec55f15462d2",
+        "revCount": 39,
         "type": "git",
         "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
       },
diff --git a/flake.nix b/flake.nix
index b0b65b9..3c73a7d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -202,10 +202,27 @@ }; robi = { name, nodes, pkgs, ... }: { - deployment.targetHost = "${name}"; + deployment.targetHost = "${name}.private"; deployment.tags = [ "server" "online" "private" ]; imports = [ ]; }; + + bobi = { name, nodes, pkgs, ... }: { + #deployment.targetHost = "${name}.private"; + deployment.targetHost = "localhost"; + deployment.targetPort = 2222; + deployment.tags = [ "desktop" "usb" "private" ]; + imports = [ + grocy-scanner.nixosModule + ]; + home-manager.users.mainUser = { + imports = [ + doom-emacs-nix.hmModule + home-manager-utils.hmModule + ]; + }; + }; + mobi = { name, nodes, pkgs, ... }: { deployment.targetHost = "${name}.private"; deployment.tags = [ "desktop" "usb" "private" ]; diff --git a/images/usb-init-configuration.nix b/images/usb-init-configuration.nix index f73fe58..b26053a 100644 --- a/images/usb-init-configuration.nix +++ b/images/usb-init-configuration.nix @@ -16,7 +16,7 @@ # ----------------- boot.loader.grub.enable = true; boot.loader.grub.efiSupport = true; - boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.device = "/dev/sdb"; boot.loader.grub.efiInstallAsRemovable = true; boot.tmpOnTmpfs = true; diff --git a/nixos/assets/tinc/bobi_host_file b/nixos/assets/tinc/bobi_host_file new file mode 100644 index 0000000..0969327 --- /dev/null +++ b/nixos/assets/tinc/bobi_host_file 
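Review bot: The new bobi node deploys to `deployment.targetHost = "localhost"` on port 2222 while the `${name}.private` target that every sibling node uses is left commented out, so the deployment goes to whatever happens to listen on that local port rather than to a host whose identity is tied to its tinc name. If this is a deliberate bootstrap path (the machine reached through a local port forward before it is on the overlay), a comment should say so and state when to switch back, e.g. `# bootstrap only: reached via a local port forward; restore "${name}.private" once bobi is on tinc`; otherwise restore the `.private` target now. The enclosing attribute set starts and ends outside the hunk.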
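Review bot: `boot.loader.grub.device = "/dev/sdb"` still pins the boot loader to a kernel enumeration name, which is whichever disk comes up second and shifts with the number of attached USB devices, so the image can write GRUB to the wrong disk just as `/dev/sda` could before. A `/dev/disk/by-id/` path, or at least a comment stating which physical device `/dev/sdb` is expected to be on the build host, would make the intent checkable. The surrounding configuration continues outside the hunk.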
@@ -0,0 +1,14 @@
+Ed25519PublicKey = jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEA4N0Pm09nePnlTUtmJLVTxEP41i+9kd4tke6KjG+PIbGI0xrgZJBX
+sP6wK3vf5q3PZp6U3a452SjzSWKQtjXA94Zmr4HaWqYQJPtJlJcsNeWbx/I0WoaA
+918iltvgkLkPKITZ1Gp6iYtKjIn2vxOKv+Pm/YYSRGB4RE3GE5M7TVcitnC89lxm
+bK8GAnUs4xUXE4DWund0h81j7XWJpF6T3N3+rlCrfmEfYYmSYg2DRkprGHvAVP26
+kWzjei9sIfPVgL0iSprOxqfAw/3Sz0uk3Ny6YvsJU+N4e8QTKQTi75XlkAWbG9OF
+P1+1xFDX3d0MdPPNq2c6hHI4VmTMDYVqMPztZNOOKKe+GWBtz/Mlbb55cccNECYA
+eVrAkhgUqjFF2lOFK1j7Ivf8ogETUcYRCEaLEZyf5Q+DuHkGzct1DBVEKn23dR2E
+B8eDm4ap4YxmrZymPbbl5IUyc/d9pmm04MFWMOifDlw5KEH3+ia93ma3ByBI3UjP
+kAg8po3rh3WWjpI26E8icjSjkJ7f1rRsEWmNAf54JwPHkWBZIoUufVxvMNZ9PXn9
+7GdP2Z7z+Tn6zUDA62Z9DRDmRGEnuDio450dNMP6ZNWj6leYBbnkP5JtfpRymVKW
+GVJfpMwSlf/qP00Jd0WQQyICKQOIns+4jzCvRcOLzSaPj7OvgVUnx00CAwEAAQ==
+-----END RSA PUBLIC KEY-----
diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix
index 0a59289..0c96692 100644
--- a/nixos/components/network/tinc/private.nix
+++ b/nixos/components/network/tinc/private.nix
@@ -31,6 +31,10 @@
       tincIp = "10.23.42.23";
       publicKey = lib.fileContents ../../../assets/tinc/mobi_host_file;
     };
+    bobi = {
+      tincIp = "10.23.42.23";
+      publicKey = lib.fileContents ../../../assets/tinc/bobi_host_file;
+    };
     robi = {
       realAddress = [ "144.76.13.147" ];
       tincIp = "10.23.42.111";
diff --git a/nixos/machines/bobi/configuration.nix b/nixos/machines/bobi/configuration.nix
new file mode 100644
index 0000000..733e533
--- /dev/null
+++ b/nixos/machines/bobi/configuration.nix
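Review bot: `tincIp = "10.23.42.23"` in the new bobi entry duplicates the address of the mobi entry directly above it, so two hosts will announce the same tinc address and traffic between them is unpredictable whenever both are online. Give bobi an address that no other entry in this set uses (the remaining entries are outside the hunk); a constructed example would be `tincIp = "10.23.42.24";`, to be checked against the rest of the file before use. The enclosing attribute set starts and ends outside the hunk.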
@@ -0,0 +1,81 @@
+{ config, pkgs, lib, ... }: {
+
+  imports = [
+
+    ../../system/desktop
+    ./hardware-configuration.nix
+    ./tinc.nix
+    ./syncthing.nix
+
+  ];
+
+  security.wrappers = {
+    pmount = {
+      source = "${pkgs.pmount}/bin/pmount";
+      setuid = true;
+      owner = "root";
+      group = "root";
+    };
+    pumount = {
+      source = "${pkgs.pmount}/bin/pumount";
+      setuid = true;
+      owner = "root";
+      group = "root";
+    };
+  };
+
+  # fonts
+  # -----
+  programs.custom.urxvt.fontSize = 12;
+  programs.custom.xterm.fontSize = 12;
+  system.custom.fonts.dpi = 100;
+
+  configuration.desktop = {
+    width = 1366;
+    height = 768;
+  };
+
+  # grub configuraton
+  # -----------------
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.tmpOnTmpfs = true;
+
+  networking.networkmanager.enable = true;
+  networking.hostName = "bobi";
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    silver-searcher
+  ];
+
+  environment.extraInit = ''
+    # use vi shortcuts
+    # ----------------
+    set -o vi
+    EDITOR=vim
+  '';
+
+  services.openssh.enable = true;
+  component.network.sshd.onlyTincAccess = false;
+
+
+  users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa 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 contact@ingolf-wagner.de" ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.05"; # Did you read the comment?
+
+}
+
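Review bot: `component.network.sshd.onlyTincAccess = false` together with `services.openssh.enable = true` and the root entry in `users.users.root.openssh.authorizedKeys.keys` exposes key-based root SSH on every network this NetworkManager laptop joins, rather than only on the tinc overlay that the option name suggests is the default restriction. If the loosening is only needed while flake.nix deploys bobi through localhost:2222 during bootstrap, record that next to the line, e.g. `# TODO: revert to the default once bobi is deployable via tinc`; otherwise drop the line and keep the key on the non-root user instead. Separately, `boot.loader.grub.device = "/dev/sda"` is a bare enumeration name while the neighbouring hardware-configuration.nix identifies every filesystem by UUID; a `/dev/disk/by-id/` path would be consistent with that and survive a plugged-in USB stick shifting the numbering.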
diff --git a/nixos/machines/bobi/hardware-configuration.nix b/nixos/machines/bobi/hardware-configuration.nix
new file mode 100644
index 0000000..6707e93
--- /dev/null
+++ b/nixos/machines/bobi/hardware-configuration.nix
@@ -0,0 +1,47 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/978cfc56-b47d-4d94-adae-18a4209519a5";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/cf30f4a6-578e-418a-9d18-d32fbf992b0c";
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/AEE5-221F";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true;
+  # networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos/machines/bobi/syncthing.nix b/nixos/machines/bobi/syncthing.nix
new file mode 100644
index 0000000..b65be7e
--- /dev/null
+++ b/nixos/machines/bobi/syncthing.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, lib, ... }: {
+
+  #sops.secrets.syncthing_cert = { };
+  #sops.secrets.syncthing_key = { };
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = false;
+    user = "palo";
+    dataDir = "/home/palo/.syncthing";
+    configDir = "/home/palo/.syncthing";
+    #cert = toString config.sops.secrets.syncthing_cert.path;
+    #key = toString config.sops.secrets.syncthing_key.path;
+    overrideFolders = true;
+    folders = {
+
+      # on encrypted drive
+      # ------------------
+      private = {
+        enable = true;
+        path = "/home/palo/private";
+      };
+      desktop = {
+        enable = true;
+        path = "/home/palo/desktop";
+      };
+      finance = {
+        enable = true;
+        path = "/home/palo/finance";
+      };
+      password-store = {
+        enable = true;
+        path = "/home/palo/.password-store";
+      };
+    };
+  };
+
+  system.permown."/home/palo/music-library" = {
+    owner = "palo";
+    group = "users";
+  };
+}
diff --git a/nixos/machines/bobi/tinc.nix b/nixos/machines/bobi/tinc.nix
new file mode 100644
index 0000000..c1713c3
--- /dev/null
+++ b/nixos/machines/bobi/tinc.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  module.cluster.services.tinc = {
+    "private" = {
+      enable = true;
+      openPort = true;
+      connectTo = [ "robi" ];
+    };
+  };
+
+}
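Review bot: None of the four folders lists `devices`, and there is no `services.syncthing.devices` block, so with `overrideFolders = true` the folders are rewritten on every start as shared with no peer; if peers are meant to be added by hand in the web UI, the override will keep discarding them, so either declare `devices = [ ... ]` per folder or set `overrideFolders = false` and say why. With `cert` and `key` left commented out the service will, as far as I can tell from the module, generate a fresh device identity on first start, so the device ID that other machines must trust before the `password-store` folder syncs anywhere is not pinned in the repository; either wire the sops secrets in or note next to the commented lines that the ID is exchanged out of band. `system.permown` for the music library is unrelated to syncthing and would read better in configuration.nix.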
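Review bot: `with lib;` at the top of tinc.nix brings the whole `lib` namespace into scope, but none of the file's 14 lines uses anything from it, and `config` and `pkgs` in the argument set are likewise unused. Dropping `with lib;` keeps the file explicit and avoids the implicit shadowing that `with` introduces; the unused arguments are harmless but could be trimmed to `{ ... }:` for the same reason.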