From dacbde58ea97891a32ce4d874aba0fc09328c1d5 Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Sat, 11 Jan 2025 08:43:06 +0300 Subject: [PATCH] feat(ops/machines): add system configuration for bugry WIP Change-Id: Icac44225ca340cc57505bbd85e117334af42ad68 Reviewed-on: https://cl.tvl.fyi/c/depot/+/12968 Reviewed-by: sterni Tested-by: BuildkiteCI --- default.nix | 1 + ops/machines/bugry/default.nix | 146 +++++++++++++++++++++++++++++++++ ops/nixos.nix | 3 +- 3 files changed, 149 insertions(+), 1 deletion(-) create mode 100644 ops/machines/bugry/default.nix
diff --git a/default.nix b/default.nix
index 4a564ff5b..653ea57c2 100644
--- a/default.nix
+++ b/default.nix
@@ -32,6 +32,7 @@ let
 # 1. User SSH keys are set in //users.
 # 2. Some personal websites or demo projects are served from it.
 [ "ops" "machines" "whitby" ]
+ [ "ops" "machines" "bugry" ]
 
 # Due to evaluation order this also affects these targets.
 # TODO(tazjin): Can this one be removed somehow?
diff --git a/ops/machines/bugry/default.nix b/ops/machines/bugry/default.nix
new file mode 100644
index 000000000..2f28b39f8
--- /dev/null
+++ b/ops/machines/bugry/default.nix
@@ -0,0 +1,146 @@
+{ depot, lib, pkgs, ... }: # readTree options
+{ config, ... }: # passed by module system
+
+let
+ mod = name: depot.path.origSrc + ("/ops/modules/" + name);
+in
+{
+ imports = [
+ (mod "tvl-cache.nix")
+ (mod "tvl-users.nix")
+ ];
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ boot = {
+ tmp.useTmpfs = true;
+ kernelModules = [ "kvm-intel" ];
+ supportedFilesystems = [ "zfs" ];
+ kernelParams = [
+ "ip=91.199.149.239::91.199.149.1:255.255.255.0:bugry:enp6s0:none"
+ ];
+
+ initrd = {
+ availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "e1000e" ];
+
+ # initrd SSH for disk unlocking
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys =
+ depot.users.tazjin.keys.all
+ ++ depot.users.lukegb.keys.all
+ ++ depot.users.sterni.keys.all;
+
+ hostKeys = [
+ /etc/secrets/initrd_host_ed25519_key
+ ];
+ };
+
+ # this will launch the zfs password prompt on login and kill the
+ # other prompt
+ postCommands = ''
+ echo "zfs load-key -a && killall zfs" >> /root/.profile
+ '';
+ };
+ };
+
+ kernel.sysctl = {
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
+
+ loader.grub = {
+ enable = true;
+ device = "/dev/disk/by-id/wwn-0x5002538ec0ae4c93";
+ };
+
+ zfs.requestEncryptionCredentials = true;
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "tank/root";
+ fsType = "zfs";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/70AC-4B48";
+ fsType = "vfat";
+ };
+
+ "/nix" = {
+ device = "tank/nix";
+ fsType = "zfs";
+ };
+
+ "/home" = {
+ device = "tank/home";
+ fsType = "zfs";
+ };
+ };
+
+ networking = {
+ hostName = "bugry";
+ domain = "tvl.fyi";
+ hostId = "8425e349";
+ useDHCP = false;
+
+ interfaces.enp6s0.ipv6.addresses = [{
+ address = "91.199.149.239";
+ prefixLength = 24;
+ }];
+
+ defaultGateway = "91.199.149.1";
+
+ nameservers = [
+ "8.8.8.8"
+ "8.8.4.4"
+ ];
+
+ firewall.allowedTCPPorts = [ 22 80 443 ];
+ };
+
+ # Generate an immutable /etc/resolv.conf from the nameserver settings
+ # above (otherwise DHCP overwrites it):
+ environment.etc."resolv.conf" = with lib; {
+ source = pkgs.writeText "resolv.conf" ''
+ ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") config.networking.nameservers)}
+ options edns0
+ '';
+ };
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ services.fail2ban.enable = true;
+
+ programs.mtr.enable = true;
+ programs.mosh.enable = true;
+
+ time.timeZone = "UTC";
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+ # Join TVL Tailscale network at net.tvl.fyi
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
+
+ security.sudo.extraRules = [
+ {
+ groups = [ "wheel" ];
+ commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
+ }
+ ];
+
+ zramSwap.enable = true;
+
+ system.stateVersion = "24.11";
+}
diff --git a/ops/nixos.nix b/ops/nixos.nix
index 1442d89b3..082d8d786 100644
--- a/ops/nixos.nix
+++ b/ops/nixos.nix
@@ -62,6 +62,7 @@ in rec {
 # Systems that should be built in CI
 whitbySystem = (nixosFor depot.ops.machines.whitby).system;
 sandunySystem = (nixosFor depot.ops.machines.sanduny).system;
+ bugrySystem = (nixosFor depot.ops.machines.bugry).system;
 nixeryDev01System = (nixosFor depot.ops.machines.nixery-01).system;
- meta.ci.targets = [ "sandunySystem" "whitbySystem" "nixeryDev01System" ];
+ meta.ci.targets = [ "sandunySystem" "whitbySystem" "bugrySystem" "nixeryDev01System" ];
 }
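Review bot: The static address for enp6s0 is declared under `interfaces.enp6s0.ipv6.addresses`, yet it holds the IPv4 literal `91.199.149.239` with a /24 prefix, the same IPv4 address the `ip=` kernel parameter assigns in the initrd and the same network the IPv4 `defaultGateway` sits on; the attribute should be `interfaces.enp6s0.ipv4.addresses = [{`. With `useDHCP = false` nothing else assigns an IPv4 address in stage 2, so as written the host would likely lose its routable address once the initrd hands over, and the gateway would point at a network the interface is not on. The initrd SSH listener on port 2222 and the stage-2 firewall list (`22 80 443`) are consistent with an IPv4-only reachability model, which the `ipv4` fix would restore. The `NOPASSWD` `ALL` rule for the whole `wheel` group is presumably deliberate for this host; a one-line comment above it stating that would keep the file's otherwise self-documenting style.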