From e4a3e449cd964cf565307f8c004fb48e00ebbbb3 Mon Sep 17 00:00:00 2001
From: Mike Vink
Date: Wed, 18 Oct 2023 01:48:42 +0200
Subject: add porkbun secret
---
 .sops.yaml | 6 ++++++
 machines/serber.nix | 47 +++++++++++++++++++++++++++++++++++------------
 secrets/serber/porkbun | 24 ++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 12 deletions(-)
 create mode 100644 secrets/serber/porkbun
diff --git a/.sops.yaml b/.sops.yaml
index b70f499..dcc4cf5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,5 +1,6 @@
 keys:
 - &ivi age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0
+ - &serber age1vvr5amtuf7cyhsmc8ge8ujlzpuwvwhleqafrjg2e8mcevnq2zs3qzzqq5m
 creation_rules:
 - path_regex: secrets/[^/]+\.?(yaml|json|env|ini)?$
 key_groups:
@@ -9,3 +10,8 @@ creation_rules:
 key_groups:
 - age:
 - *ivi
+ - path_regex: secrets/serber/[^/]+\.?(yaml|json|env|ini)?$
+ key_groups:
+ - age:
+ - *serber
+ - *ivi
diff --git a/machines/serber.nix b/machines/serber.nix
index 10a15c3..48ccf27 100644
--- a/machines/serber.nix
+++ b/machines/serber.nix
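Review bot: The new creation_rule added at the end of the second hunk is only reached if no earlier rule matches, because sops applies the first `path_regex` that matches; the rule directly above it (only its `key_groups` are in the hunk, its `path_regex` is not) should be checked for not also matching `secrets/serber/…`, otherwise files in that directory would be encrypted to `*ivi` alone and the serber host could not decrypt them. The encrypted file in this commit lists both recipients, which suggests the ordering is fine today, but a comment such as `# host-scoped rules must stay above any catch-all rule` on the rule would keep it that way. The trailing `\.?(yaml|json|env|ini)?$` is entirely optional, so the pattern already matches every filename under `secrets/serber/` (including the extension-less `secrets/serber/porkbun` this commit adds); `secrets/serber/[^/]+$` says the same thing more plainly.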
@@ -1,10 +1,38 @@
-{ config, pkgs, sops, ... }: {
- imports = [
- ./hardware-configuration.nix
- ./networking.nix # generated at runtime by nixos-infect
- ];
+{ modulesPath, config, pkgs, sops, ... }: {
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
- sops.age.sshKeyPaths = [];
+ networking = {
+ nameservers = [ "8.8.8.8" ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ { address="65.108.155.179"; prefixLength=32; }
+ ];
+ ipv6.addresses = [
+ { address="2a01:4f9:c010:d2b5::1"; prefixLength=64; }
+ { address="fe80::9400:2ff:fe53:8544"; prefixLength=64; }
+ ];
+ ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
+ ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
+ };
+
+ };
+ };
+
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:02:53:85:44", NAME="eth0"
+ '';
+
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+ sops.age.sshKeyPaths = [/etc/ssh/ssh_host_ed25519_key];
 system.stateVersion = "23.05";
 boot.tmp.cleanOnBoot = true;
@@ -13,18 +41,13 @@
 networking.domain = "xyz";
 services.openssh.enable = true;
- sops.secrets.porkbunCredentials = {
- format = "binary";
- sopsFile = ../../secrets/credentials/porkbun;
- };
-
 security.acme = {
 acceptTerms = true;
 defaults = {
 extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];
 email = ivi.email;
 dnsProvider = "porkbun";
- credentialsFile = config.sops.secrets.porkbunCredentials.path;
+ credentialsFile = config.secrets.porkbun.path;
 };
 certs = {
 "vinkland.xyz" = { };
diff --git a/secrets/serber/porkbun b/secrets/serber/porkbun
new file mode 100644
index 0000000..bd610cc
--- /dev/null
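Review bot: `usePredictableInterfaceNames = lib.mkForce false;` uses `lib`, but the new module header `{ modulesPath, config, pkgs, sops, ... }: {` does not bind it, so evaluating this file fails with an undefined-variable error; the fix is `{ modulesPath, config, lib, pkgs, sops, ... }: {`. Separately, `sops.age.sshKeyPaths = [/etc/ssh/ssh_host_ed25519_key];` names the host private key as a Nix path literal rather than a string; a path value is copied into the world-readable Nix store wherever it is string-interpolated, so unless sops-nix is known to `toString` this option before use, the string form `"/etc/ssh/ssh_host_ed25519_key"` is the safer spelling. With `services.openssh.enable = true` in the next hunk, sops-nix presumably already defaults this option to the host ed25519 key, in which case the line can be dropped; confirm against the sops-nix module in use.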
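Review bot: `credentialsFile = config.secrets.porkbun.path;` refers to an option this commit never declares: the hunk deletes the only `sops.secrets.*` declaration in the file and the new `secrets/serber/porkbun` is not registered anywhere in the diff, so unless some other module in the repo defines a `secrets` option, evaluation fails on the missing attribute, and even if it did not, sops-nix would never decrypt the file for lego. The declaration should be kept under `sops.secrets` with the new location (the old `sopsFile = ../../secrets/credentials/porkbun` climbed above the repository root from `machines/`; the new file is one level up) and the ACME reference should use its `.path`. The `security.acme` attribute set continues past the end of the hunk.
```nix
  sops.secrets.porkbun = {
    format = "binary";
    sopsFile = ../secrets/serber/porkbun;
  };

  security.acme = {
    # … unchanged: acceptTerms, defaults.extraLegoRunFlags, email, dnsProvider …
      credentialsFile = config.sops.secrets.porkbun.path;
    # … unchanged: certs …
```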
+++ b/secrets/serber/porkbun
@@ -0,0 +1,24 @@
+{
+ "data": "ENC[AES256_GCM,data:p2Xf9Pnmpus9cL4+lZmLtSQCDROwE+xpqAPx29eWqfgMRGTJGREbF3fqBO76CV1KU/KmY0UxazMGBf2ErkMuCbx49sNskOD2PHFpakG6B31Qn9akIvGOk6rJZuQMtOjtcKsOg4nK8eVy182eCpuSOt91dJUy3XgpxieNhUDSc+SjXfn5vpoJic3SHKK6ZxXFagXxId2FenGYUlCWzwywXCiL4CEJjzHYJnhO3GC7VAYg,iv:K0NdPIGJFaO7Gq2K80tjAUfnp9+KmOCefmVG85nnPgY=,tag:+gPX3MfK4bDdGyhQ6N3Vog==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1vvr5amtuf7cyhsmc8ge8ujlzpuwvwhleqafrjg2e8mcevnq2zs3qzzqq5m",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZ3BXYmNCa0xFL00yQ1pJ\nY2VabkVkdDMvYytvdFM1MFlxVHJPdmJOUUNNCjRERHJrRURyMm5UM1RhQ05nTi8z\ncnpxczl5TFBtbHVRSjdJSjBneThrVE0KLS0tIEpUTmlUVXdTelYxUGhJdWFoTXds\nUDM4bHpmQUJId1M1RE0yeDRKNzlSV3MKbTSttMmQmALfvl4V/HfAtIsXqf0BxEaU\n9cZ1ip+600vmTqifYqCYF7uf4pGlwpkHu68gEsZakBjUX8uSK8JRRQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eG1ZT0Zqd0R6NjZ1S005\nM3ozcm9IbjREV3dnUkhmZndxVjlhalZzY1dNCjlrQncyV2JzbERsbFNrSlJWZDRK\nZ0RSMU41WTk2MWtZVmszQ3FMdGpjcnMKLS0tIGtNU0Q5VGwwMHd3TEJBNlcrNTdY\nSk5xQ0NnUUhyVDAzZGhXdXRvOFhWYjAKfveW9AxWCX1VjlIr6Ung3jMjou2Yiyvn\nP9o1yP9nu1nWdSfoHjuIlv3epDVIkq0s/Xq/Vl0Af4/FACPEUhOeLw==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-10-17T23:45:30Z",
+ "mac": "ENC[AES256_GCM,data:MtQ/ILhaNPFkxeEa/3hJV7sZ3S2qRVsYRcrvpvVyQzeBKHaG4Z61qQBlqkdUy1VWVc6te+B8eeMS5oexsP1ztGHsary715U5xUmHW1jiz8mITGfq5KOi91Xh54+v08mAexVZeEzZFxGpqkgyPY/UjFOnmeALGsEZLi0NL923/TQ=,iv:EzHS6yu3bjHNKSyOXqyeXDsQeOPUxpkORrTVVp5uQkg=,tag:gX+mf4S0QWUMkVBfU1R1zg==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.8.0"
+ }
+}
\ No newline at end of file
--
cgit v1.2.3