From 57f77543b4d6c8c2a0a2bd67027d5a0bec529284 Mon Sep 17 00:00:00 2001 From: Moritz 'e1mo' Fromm Date: Sun, 11 Dec 2022 16:53:35 +0100 Subject: [PATCH] Initial goldberg (dev server) version --- .sops.yaml | 8 +++++ flake.nix | 6 ++++ hosts/goldberg/configuration.nix | 27 +++++++++++++++ hosts/goldberg/hardware-config.nix | 43 ++++++++++++++++++++++++ secrets/all/secrets.yaml | 43 ++++++++++++++---------- secrets/goldberg/secrets.yaml | 54 ++++++++++++++++++++++++++++++ 6 files changed, 164 insertions(+), 17 deletions(-) create mode 100644 hosts/goldberg/configuration.nix create mode 100644 hosts/goldberg/hardware-config.nix create mode 100644 secrets/goldberg/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 062c97f..9caeea5 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,14 +6,22 @@ keys: # Servers - &shirley age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe + - &goldberg age1w3wqxt5t00hjv43dcxlr5rjec5mvuzz9ajc8k04azq0gfx0ncgysu6mdmm creation_rules: - path_regex: secrets\/all\/* key_groups: - pgp: [ *e1mo, *n0emis ] age: - *shirley + - *goldberg - path_regex: secrets\/shirley\/* key_groups: - pgp: [ *e1mo, *n0emis ] age: - *shirley + - path_regex: secrets\/goldberg\/* + key_groups: + - pgp: [ *e1mo, *n0emis ] + age: + - *shirley + - *goldberg \ No newline at end of file diff --git a/flake.nix b/flake.nix index 1a2d777..913bdd0 100644 --- a/flake.nix +++ b/flake.nix @@ -31,6 +31,12 @@ ./hosts/shirley/configuration.nix ]; }; + goldberg = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = defaultModules ++ [ + ./hosts/goldberg/configuration.nix + ]; + }; }; colmena = { diff --git a/hosts/goldberg/configuration.nix b/hosts/goldberg/configuration.nix new file mode 100644 index 0000000..4820f1c --- /dev/null +++ b/hosts/goldberg/configuration.nix 
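Review bot: The new `secrets\/goldberg\/*` creation rule lists `*shirley` as an age recipient next to `*goldberg`, so the production host's key can decrypt the dev host's private secrets, while the `secrets\/shirley\/*` rule above it does not grant the reverse — the asymmetry looks unintended. If shirley genuinely needs goldberg's secrets (e.g. deployments run from there), record that in a comment; otherwise drop the `*shirley` line so each host's rule names only its own key plus the admin PGP keys, `age: [ *goldberg ]`. Note also that `path_regex` is a regular expression, so `\/*` means "zero or more slashes" and the unanchored pattern also matches paths such as `secrets/goldberg-old/...`; `secrets/goldberg/.*` states the intent precisely (the existing rules share the same form, so adjust them together if at all). The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows.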
@@ -0,0 +1,27 @@ +{ lib, pkgs, baseDomain, ... }: { + _module.args.baseDomain = "dev.chaos.jetzt"; + + imports = [ + ./hardware-config.nix + ../../services/mumble.nix + ../../services/website.nix + ]; + + system.stateVersion = "23.05"; + networking.hostName = "goldberg"; + # Fallback / for the monitoring v(x)lan + networking.useDHCP = true; + + # We need to configure IPv6 statically, and if we start with that we can just also do it for IPv4 + networking.interfaces.ens3.useDHCP = false; + networking.interfaces.ens3.ipv4.addresses = [ { address = "5.75.181.252"; prefixLength = 32; } ]; + networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:1c1e:9e75::1"; prefixLength = 64; } ]; + networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; }; + networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; + networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ]; + + services.murmur = { + registerPassword = lib.mkForce ""; + environmentFile = lib.mkForce null; + }; +} diff --git a/hosts/goldberg/hardware-config.nix b/hosts/goldberg/hardware-config.nix new file mode 100644 index 0000000..511bd8a --- /dev/null +++ b/hosts/goldberg/hardware-config.nix 
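Review bot: The two `lib.mkForce` overrides at the bottom of the host config silently win over whatever `../../services/mumble.nix` sets for `registerPassword` and `environmentFile`, and nothing says why the dev server disables server-list registration and drops the secret env file. A one-line comment would spare the next reader a trip through the shared module, e.g. `# Dev instance: don't register with the public Mumble server list, so no registration secret is wired in` (wording assumes that is the intent — confirm). Because `environmentFile` is forced to `null`, the `murmur` entry added to `secrets/goldberg/secrets.yaml` in this same commit appears unused on this host. The shared module is outside this hunk, so I cannot see what else it derives from those two options.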
@@ -0,0 +1,43 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/a2ddb17b-a6cc-416e-8033-45790a6f4012"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + # boot.loader.grub.efiSupport = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + # networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens10.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/secrets/all/secrets.yaml b/secrets/all/secrets.yaml index aee7f63..c6ee60b 100644 --- a/secrets/all/secrets.yaml +++ b/secrets/all/secrets.yaml 
@@ -9,35 +9,44 @@ sops: - recipient: age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBia0lkeWRnRGxpNmpRdzh5 - NGZDYkh1RDNGMXF6UGxMMXo1TFhmQytndUEwCm5YalBFZHF5MDV6WTFNWWEvaGxK - YVVoL2JUaTVrVTNMSURIcGF0Uno2SDQKLS0tIE95SzYrMEpCeFQ3bVI5ckRNVXcw - K0Z4RGdWakQwb01iek51ek5JNkc1b0kKK+lyOKzhkRLgKG9XtnNqdnsAPbEShAF3 - GQDhanhdVKmhyythXz+a0B6FrJmCppy7ZuNSucewqIx2ZCnLaSuUXw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGLzhsU0FEYTNwS3VQZ2lw + VWN6cVEvSzBsQ2J5aG5NbXI1SHFZM3JRSmxRCnd6TkFRb3ByRGV1b2V0czlLTzBp + WDBhQzFEUjhVOTd2aUQ2WjQwY0ZmYWcKLS0tIFBHK1Ztd1I3ZDlPdU1Nam4rRWdv + M1hKMjJhZjR1Z285Q3VvQVl4MlZMSkEKeFTZdkt74RbG5FTg/MesJF/+WOvZJMvI + djjlEYfdL9bDaXpxpFUK5i+v5QL/2i+IZaxjQLymSk1TLpP5xZXhQA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1w3wqxt5t00hjv43dcxlr5rjec5mvuzz9ajc8k04azq0gfx0ncgysu6mdmm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbWtRbW5Rb3RFMHMxbisz + UGd5bUROTnEzc0VJOEFtbllyUHRHQnYyTTBzCkx0b3h5WUEyQVd2N0liU05CaDB0 + dGhyR2lWNy9nNXp1L25wWEd5UjM0c1kKLS0tIEtFdXVsRUlQaGRWL3V2bTlySVpz + NHNGaGtwcWE0RnFOdEcyY1VOQytTN2cKEAOBHsCuhtGO6OJElLD4AACfyeGGFYMs + or79LXMXaLaNXdmhHpbl9kNt8UdBEVe2RcgZa+jZDMBinlABNmNc9w== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-11-27T21:53:46Z" mac: ENC[AES256_GCM,data:8rzaM8lDGLwwMbgcqaB3zj73l3mV0OFeshrHGRVw+akk9ipz0WKnhKHPGbGcaktWd61cg52/F2Fz573PWHthqoI/v0NJc7bpOKG3HreKyJyJ5AbZ+eFYrSLSNKaOXvKmwWHRMnFASOd97QaSYxQaHCDhQObf0XBXEnRktX9NtXs=,iv:j5E/YS1yI/Tgqq9Dio/b7EKrPwcJFBnVDtry91suym0=,tag:Hev9lYgsMxKFxcfozX+VdA==,type:str] pgp: - - created_at: "2022-12-11T10:48:10Z" + - created_at: "2022-12-11T15:31:51Z" enc: | -----BEGIN PGP MESSAGE----- - hF4DOnsoj685gdcSAQdAbaU5s15Yn2pvSi74qur3WF9+1GeQCN4jXeDH8iSLrmAw - nup2BZX10Kk+xeX9s0W+1HBE5kCLecbkWx/VJPplajHrz296Kb5Z7/9etbDo/ij3 - 0l4Bab4RQ4tD/xfJblCSp+pjTRKoyHptZTFK3MYg1TWEP7BlXkNfkvbtG4soq38O - 
iJZJGIo/pdkfTSxUz0vAXkKQO46XHW26eNVkOVTkpGHCfIBTMudR1cE/AwoXS96T - =27WM + hF4DOnsoj685gdcSAQdAQsDa5qj1XAnVKEiE6Zc8QbFyfDpKcAvbA+bf4aWp420w + 7Vfh4T4epxnxOPaJ0IVs1uJT6TCB9AjbvdDbmnfPdJnXOYzTRkSDhLsjFa2QnJ67 + 0l4B9J56nHh7soMtSDVmhmfj4gp2qrjJf3/8Xw+gEP1oRC0cis785cQi2mHxgTNe + SiAUshN8ZzICXD77eJfcLxIDt1z1qS08c2mhIsjdjXKy6A7uNK+rZksRN+bwHr6x + =5t5x -----END PGP MESSAGE----- fp: "0x6D617FD0A85BAADA" - - created_at: "2022-12-11T10:48:10Z" + - created_at: "2022-12-11T15:31:51Z" enc: | -----BEGIN PGP MESSAGE----- - hF4D6iFd6webPCUSAQdAcYhXFsMoghf0Hg6FP1DslsjmbaXJrBdnQhDbuLUpx2cw - HWvyvqwyqKTLY1tPudoNQlkMjD/SiIy8vmQXMSsw0IicV+5hmigKKv1U3PkG9qbB - 0l4BRBmuJIn/zaGKxOHa/oxSvuLXOd8sCBh/gU7jv9MhWecfnz83SAIcv5zsMWs3 - bEoq5SiRJsdiw7/EtfSvDpsDCXvOvNt3T4wFWknVX0TjO6u65frWLVYdHTTCWKU3 - =WjCa + hF4D6iFd6webPCUSAQdArOIgsg/cp2TKAhUpZ/RSqpx5kXhpS2PIqLb4gY555m4w + H9PJDMfztLVWnXYwqaQcCNnMP9bjyTGPQzd5hOGP4ob/f3Ajat6neKU4YEPWKOQX + 0l4BkYcL+GCoEW0COSPQxIJHSK9rJZfpDavPTXOJ1oToVKLf/tiURQYtSCT419h6 + FWqlAkZKp78Xpy3ZIvefqCiohOtV0IoS5UhVHCKIiMOcngoSYbB1zVNcORYpDUgg + =OCMo -----END PGP MESSAGE----- fp: "0xE0262A773B824745" unencrypted_suffix: _unencrypted diff --git a/secrets/goldberg/secrets.yaml b/secrets/goldberg/secrets.yaml new file mode 100644 index 0000000..fa7cc83 --- /dev/null +++ b/secrets/goldberg/secrets.yaml 
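Review bot: This re-encryption adds the dev host's age key (`age1w3wq…`) as a recipient of every secret under `secrets/all`, while `lastmodified` and `mac` remain unchanged context lines — consistent with `sops updatekeys` re-wrapping the existing data key rather than rotating it. Every shared secret is therefore now decryptable by a machine this commit describes as a dev server, which usually has a weaker posture than the production host; worth confirming nothing in `secrets/all` is production-only and, if something is, moving it under `secrets/shirley` before this lands. Since the data key itself is unchanged, anyone who already held it can still decrypt the file; `sops rotate -i secrets/all/secrets.yaml` would issue a fresh one if that matters here. Only the sops metadata is visible in this hunk, not the encrypted keys, so which secrets are affected cannot be seen from the diff.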
@@ -0,0 +1,54 @@ +murmur: + #ENC[AES256_GCM,data:ionYo3rz6G1ZhOmwBDleXPO7/reeF6tpgA==,iv:4iQ1FYTvxyyNaQDPxHErV0fevsnU5p55wT27nOwMStM=,tag:ynCgbQsvX5ow4+vc2Qz8MQ==,type:comment] + registry_password: "" +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBud3M4T05FWjZSODhhOFFU + RFhrcVVoQ3M1S1Z6WlZkK0g5bGVhODBoRWhBCjBMNHJ0dEJWQlNVaEorSjNtZk9s + Q2Z4UVEwWHFWUDZIM2FNTEFEOFdIZUUKLS0tIExRbzhYK040SWM3YXMvUHFYcTJy + L2ZkU3ZIWndnZk1jRllTWHNLNitjNDgKwbgsoy3xXj6jp7dm5asdTTTHi2fO3vwH + Q6mOl7pZQLX+pFduw1KTKgqMkQkp+jAlJL6t0ElRUkuBVMq2i3vNQg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1w3wqxt5t00hjv43dcxlr5rjec5mvuzz9ajc8k04azq0gfx0ncgysu6mdmm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkK2UxMkJZbW8wOUR4OHBs + WFIraTczOW9LVlMzdm10dStRejdwQ1BtY1JRClFUdE1FZnBacTFrb000VHpQc01L + RkxCWHdtUmhJbXNPUG0rWlFSQ3dlQVEKLS0tIEhxQzFuZ09hNkFrMXZlbVNNU1dP + RHZYN0JXMElFanc5UWNtN2JSZmhYTE0KaHYt1EviNbs/BcvHs5j3bg1gZHPJgajW + GUHkdEhz/WEpZmd5uUxWpKyRIyNF6/hl/57P9MUhWSlu+3kt7nwJ4w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-11T15:34:06Z" + mac: ENC[AES256_GCM,data:iAy2NLUrdxfMzfP0A29kvk2gKVfmOkAHbtfynOwdqXo5y4qEVqNCnNr7Lmkcw7rQyqX+cRUWrUy+k5dtmGa1iasm9VjGykZu2YtTyhESDKm3/UY+EVxhzAXXa6cnbZpmX2GcY7FldcQYS+zSOisO4kYnewoROgFAKQUwVeWR0ak=,iv:ufbF+DBJdas+XrrAW8zeb/ZhhJQihxv2hWc7nf3fYug=,tag:/sSxVKv9YtjsefMC/4/Y9g==,type:str] + pgp: + - created_at: "2022-12-11T15:33:54Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DOnsoj685gdcSAQdA9JjUfb4wCKwVzIl/7ljRvwdCPf8+SDX3DVWt5vY4pX8w + bnJ3hAuhNdO4dqeJ4GmT0xMsLFDAopxxJPQob4thHZ6FeMS0I3XEzZ4A7Si0JtHP + 0l4B4O95Bnr1FGSQf3Vt378U13Jqr5qIMB67Y2d9phlyiJHJ9wNJjp17gKb7rWix + HCpfj4x0Kgx6FgmmNK0JC/UyQAKhPzD0f7uVAMA1tyC7c/fWgcsNpeo2D9tbaWoO + =YdzC + -----END PGP MESSAGE----- + fp: "0x6D617FD0A85BAADA" + - 
created_at: "2022-12-11T15:33:54Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4D6iFd6webPCUSAQdAij89mphU4WUZ8XS4mp6w9kmsKXRBkaxk1Rxsh3QqrFgw + Qyxwnv3ujYbphtXsUwh2oYVA9HBFE0vJlaFR8FWPkJwiwDklS+TilxUAa2V2F97n + 0l4B1OyxeOLxZG3/WcpL6BpBjcDL0UzhxmOU5uS5KAWDbkF1leVh2rahJL3A1uCC + 9lgRhPiA/PqHGREiN2EI0fEIvt2MS3A9K7qHQUxdRKgANR9r/M/EoU4scKcxmUn5 + =TjUy + -----END PGP MESSAGE----- + fp: "0xE0262A773B824745" + unencrypted_suffix: _unencrypted + version: 3.7.3
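Review bot: The only payload in the new file is `murmur.registry_password: ""`, which sits in cleartext next to the encrypted comment — sops appears to leave empty values unencrypted, so the placeholder key name is readable to anyone with repository access (harmless as an empty string, but it makes the file look like it holds a real secret when it does not). At the same time `hosts/goldberg/configuration.nix` in this commit forces `services.murmur.environmentFile = null`, so the host the file is named for does not consume it. Either drop the `murmur` stanza until goldberg actually needs a registration password, or mark it as intentional with a comment such as `# placeholder: dev server does not register with the public list`. The key is spelled `registry_password` while the NixOS option is `registerPassword`; the module that maps one to the other is not in this diff, so check the name matches what `services/mumble.nix` expects.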