From 581ef98c3d8c0d9c186775c7766f1000757cbd6a Mon Sep 17 00:00:00 2001
From: Jonni Liljamo
Date: Thu, 5 Sep 2024 19:50:18 +0300
Subject: [PATCH] feat: add alderaan
---
 .sops.yaml | 7 ++++++
 hosts/alderaan/default.nix | 17 +++++++++++++++
 secrets/alderaan/secrets.yaml | 34 ++++++++++++++++++++++++++++++
 systems/hosts/alderaan/default.nix | 27 ++++++++++++++++++++++++
 systems/hosts/default.nix | 5 +++++
 5 files changed, 90 insertions(+)
 create mode 100644 hosts/alderaan/default.nix
 create mode 100644 secrets/alderaan/secrets.yaml
 create mode 100644 systems/hosts/alderaan/default.nix
diff --git a/.sops.yaml b/.sops.yaml
index 9a31b20..845d5b5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 - &arwen age15hcszwfk0d6cu9ua6g4udj9tdq63jm8lja66ktxu0fjfuczczcwsm5kcxn
 - &alice age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn
 # LXCs
+ - &alderaan age1h57c3pw5y450yeex3yhlarkaeur5n3le09lm4frf8d3q3qpagfzqdqxm83
 - &auth age1wu70y79zuqtk2z5q3t4vvwns2qmerwsy4gn4czf5f4xhch3yquksfwq0q4
 - &dns age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
 - &metrics age1m8u3a7rzyx2n6zjxjnfkla34yk3v77egxzd3lv9umt69lsynlaqqqfpt05
@@ -23,6 +24,12 @@ creation_rules:
 age:
 - *alice
+ - path_regex: secrets/alderaan/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *alderaan
 - path_regex: secrets/auth/[^/]+\.yaml$
 key_groups:
 - pgp:
diff --git a/hosts/alderaan/default.nix b/hosts/alderaan/default.nix
new file mode 100644
index 0000000..d840393
--- /dev/null
+++ b/hosts/alderaan/default.nix
@@ -0,0 +1,17 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.liljamoPwd.neededForUsers = true;
+
+ roles.base = {
+ root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ primaryUser = {
+ username = "liljamo";
+ hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
+ };
+ };
+
+ roles.tailscale = {
+ enable = true;
+ enableSSH = true;
+ };
+}
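Review bot: The two `neededForUsers = true` lines in hosts/alderaan/default.nix say nothing about why these two secrets are handled differently from the rest; a one-line comment such as `# decrypted before user creation so hashedPasswordFile is readable during activation` would spare the next reader a trip to the sops-nix docs. The rest of the hunk lines up with the sops wiring: both `hashedPasswordFile` values come from `config.sops.secrets.*.path`, and the age recipient added to .sops.yaml is the same one recorded in secrets/alderaan/secrets.yaml. If `roles.tailscale.enableSSH` turns on Tailscale SSH (the role itself is defined outside this patch), shell access to this host is then governed by the tailnet ACL rather than host-side keys, which is worth confirming before the host goes live.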
diff --git a/secrets/alderaan/secrets.yaml b/secrets/alderaan/secrets.yaml
new file mode 100644
index 0000000..e2603d4
--- /dev/null
+++ b/secrets/alderaan/secrets.yaml
@@ -0,0 +1,34 @@ +rootPwd: ENC[AES256_GCM,data:OS9UCh+udl5QZYra5fRcc3K/Am5DGoWQCkZrTSvcIWtOa91oDKmw2TrZgA0XPwaNJ2ITey5Vuv70mECUDoK7/sp+DjG7MVSQD3s6voGgY0dqejhTHa3QxlctYZOgm56iDtX2ZnhYccN/gQ==,iv:oUkGiow2INe2PCAM+ESAV8wSG+K42KA8uaCKHMi5bT4=,tag:RX9Q0Wv2aEViqh2Jz4DTPw==,type:str] +liljamoPwd: ENC[AES256_GCM,data:b2+rZmgDR5CEH4iMZxHR8MOslHPlm1jEEEX7Jllxu76wT0++cJOXIBJpOit4otiP4wC88fL+Fzu156+EfQg/mP5r6nuf9Khqaopj89nhekRugX1HEcF75h9rz1h5FfNyIqLfVi2zS7Xo7Q==,iv:aJZEVWRcn70zQlLOvsWPPqlvjYMGule+li6U7Word3k=,tag:shJIG0arysR8ioVaSiqw9Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1h57c3pw5y450yeex3yhlarkaeur5n3le09lm4frf8d3q3qpagfzqdqxm83 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTmVCVkdNQzN6ODRrVHdL + NVVYSEhOejhnSENvOUpGN2duenZNNURuYm53ClFPVVBxek1TZkdvVWxORitQMEw4 + ay9Nc2FYYVpXc1poZjFWazdYY3JCam8KLS0tIHk0TVJFQlVwcjdmRzNLK3NiSThW + Y2JlckFMRTY2V1cwbXFOUkdJY0lHYTgK1woaffGvotjBZ9N71vt9JHScT8NLV57x + o6xlyMw4+RaJS7XXKJBLDQrp18eiWDKX+gZXl5x8T4IQS2X58LmJOQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-05T16:21:41Z" + mac: ENC[AES256_GCM,data:S+8vu/q2HtjUkN8h8gGIO/REm73fW8Pxu8S23l4CFbTaV92PB+Cqf9r77QLn4bgZ5BOsfjXOaP+ocPkvi+H7IyIoN56BsS1GfEjzsXL4sYZZqhTXalk3+JpBhGn+n+yOB5lc8s42ZF1wfk9N2Nas2Ko6x+JZSdm88l3QCwbI34E=,iv:doN8qm/1O/+d/FNbQhNsGV2xKd4GUotIfzIHfwac81w=,tag:VYRLuqyNt04MKstCmOaCCg==,type:str] + pgp: + - created_at: "2024-09-05T16:20:16Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4D8ab0ENzkR4wSAQdAGMh9/JmFqPuYr6FIVm7IbbZvHrpcp5v+xADwZrHoM30w + JqBOy+uQnrEtgcl0lXEBIVGI6p2wx820UxgXIhh2P/nK5JZUWaLh5k0PgkrU3Rai + 1GgBCQIQr252MQFyU5YooUGx/6qRB++Vr2U6ODBrUe3j5o7HMFvvJcbRaWALrQjA + xlcgjVWI1MphkMVzTW6/qvzDqOzepMKL67VODIT2vReTeG4/1iyeAEVB2U9mQIpd + PPc/XFh8gKYNag== + =pHOu + -----END PGP MESSAGE----- + fp: 848EEBCEE9F0D29D25C321A658577946A65EB712 + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/systems/hosts/alderaan/default.nix b/systems/hosts/alderaan/default.nix
new file mode 100644
index 0000000..8619757
--- /dev/null
+++ b/systems/hosts/alderaan/default.nix
@@ -0,0 +1,27 @@
+{...}: let
+ conduitPort = 6167;
+in {
+ networking.firewall.allowedTCPPorts = [conduitPort];
+
+ services = {
+ matrix-conduit = {
+ enable = true;
+ settings = {
+ global = {
+ server_name = "alderaan.fi";
+ database_backend = "rocksdb";
+ port = conduitPort;
+ max_request_size = 50000000;
+ allow_registration = false;
+ allow_federation = true;
+ allow_check_for_updates = false;
+ enable_lightning_bolt = false;
+ trusted_servers = ["matrix.org"];
+ address = "0.0.0.0";
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/systems/hosts/default.nix b/systems/hosts/default.nix
index b767fa6..ac7f86f 100644
--- a/systems/hosts/default.nix
+++ b/systems/hosts/default.nix
@@ -17,6 +17,11 @@
 };
 # LXCs
+ alderaan = {
+ system = "x86_64-linux";
+ profile = lxc;
+ modules = [];
+ };
 auth = {
 system = "x86_64-linux";
 profile = lxc;
-- 2.44.1
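Review bot: `address = "0.0.0.0"` combined with `networking.firewall.allowedTCPPorts = [conduitPort]` exposes Conduit's plain-HTTP listener on every interface of the container, and nothing in this hunk terminates TLS or proxies it. If a reverse proxy elsewhere fronts `alderaan.fi` (federation with `allow_federation = true` presumably depends on one, but that is outside this patch), binding `address` to the proxy-facing address or scoping the rule with `networking.firewall.interfaces.<iface>.allowedTCPPorts` (`<iface>` to be filled in) keeps the unauthenticated listener off any other network the LXC is attached to. `allow_registration = false` is the right setting for a private server; a short comment next to `conduitPort` naming where TLS and the `alderaan.fi` federation delegation live would make the intended topology clear to the next reader.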