feat: add new host

hosts/sausebiene/default.nix

@@ -0,0 +1,44 @@
+{
+  globals,
+  inputs,
+  nodes,
+  ...
+}:
+{
+  imports = [
+    inputs.nixos-hardware.nixosModules.common-cpu-intel
+    inputs.nixos-hardware.nixosModules.common-pc-ssd
+
+    ../../config
+    ../../config/hardware/intel.nix
+    ../../config/hardware/physical.nix
+    ../../config/optional/zfs.nix
+
+    ./fs.nix
+    ./net.nix
+  ];
+
+  topology.self.hardware.info = "Intel N100, 16GB RAM";
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+  boot.mode = "efi";
+
+  meta.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
+  # Connect safely via wireguard to skip authentication
+  networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [
+    globals.services.influxdb.domain
+  ];
+  meta.telegraf = {
+    enable = true;
+    influxdb2 = {
+      inherit (globals.services.influxdb) domain;
+      organization = "machines";
+      bucket = "telegraf";
+      node = "sire-influxdb";
+    };
+  };
+}

hosts/sausebiene/fs.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.repo.secrets.local) disks;
+in
+{
+  disko.devices = {
+    disk = {
+      m2-ssd = {
+        type = "disk";
+        device = "/dev/disk/by-id/${disks.m2-ssd}";
+        content = {
+          type = "gpt";
+          partitions = {
+            efi = lib.disko.gpt.partEfi "1G";
+            swap = lib.disko.gpt.partSwap "16G";
+            rpool = lib.disko.gpt.partLuksZfs disks.m2-ssd "rpool" "100%";
+          };
+        };
+      };
+    };
+    zpool = {
+      rpool = lib.disko.zfs.mkZpool {
+        datasets = lib.disko.zfs.impermanenceZfsDatasets // {
+          "safe/guests" = lib.disko.zfs.unmountable;
+        };
+      };
+    };
+  };
+}

hosts/sausebiene/net.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  globals,
+  ...
+}:
+{
+  networking.hostId = config.repo.secrets.local.networking.hostId;
+
+  # FIXME: aaaaaaaaa
+  # globals.monitoring.ping.sausebiene = {
+  #   hostv4 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sausebiene.cidrv4;
+  #   hostv6 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sausebiene.cidrv6;
+  #   network = "home-lan.vlans.services";
+  # };
+
+  boot.initrd.availableKernelModules = [ "8021q" ];
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks = {
+      inherit (config.systemd.network.networks) "10-lan";
+    };
+  };
+
+  systemd.network.networks = {
+    "10-lan" = {
+      address = [ "192.168.1.6/24" ];
+      gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
+      matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
+      networkConfig = {
+        IPv6PrivacyExtensions = "yes";
+        MulticastDNS = true;
+      };
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  networking.nftables.firewall = {
+    zones.untrusted.interfaces = [ "lan" ];
+  };
+
+  # Allow accessing influx
+  wireguard.proxy-sentinel.client.via = "sentinel";
+}

hosts/sausebiene/secrets/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOZ2/shbByexe15RqevukRr/ZYhGvo3H7aWeqwEwbRJ

hosts/sausebiene/secrets/local.nix.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 FHDjxeYsy2SeiUd6qwEjZHeC3Z6usSyN8zJND6E8ig8
+ki3Tg/NopVqXqJlByi6YwnHm/qcrNtx+bPKgJVl6+Wo
+-> piv-p256 xqSe8Q A+wwCAkKZpha/eaKJtlWlLsC2R4Jp+Xaj313d0AYTZ1W
+hwg+vOJ+8V6lQ401c6QlTIvG+BD8cPVoN8PPT6Xq4c0
+-> 8MAV){6T-grease F()\
+6or/fJD/g3vChdeqgB9MGpzp72S9lbsZbMiSb0Z7p9N+lYFPM0ydobZWfrxr8ptj
+628oaPN6SIqgNn4bKCaxInyKQuBEcXz17QbrYrAWYBKF8O96qg
+--- xm0ao0zoO8amQMmPcbDm053OZ/KdNNJPXAbcmV93BLM
+M­Y/\¦…\Ÿ~#<»ص’ƒ ï
+ÏRמ)»ÙÅDAÔÀwž�í§¨sÊ@Ü
ÊiºòÎ5
}ĘhÂAò¯šLuEm~‘n��/�²5Õ€VK §Jƒa¦!~&ù.ÿDØ	\c�ò–Wg8PçÃ.¤Bû X.³	Y¤õÜ¥a·�ËJaÃu`¿`ÇH†’i曳ò$Öåàd^àŒ€=xk–O€êÖÚgA_\éüVÒ†Jõ=Ô¿F'‡~FÑsÂÙ…ÝC³­¨$/

secrets/generated/sausebiene/promtail-loki-basic-auth-password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 ZmH6m4AQx8wxaJPMUevkmsLQ35rlKt+a2iSJq81fKQg
+WR6GfDdCI+d4mphM8xHwP/UzXPBqfgaoCyt8s+nDpKk
+-> piv-p256 xqSe8Q Awqf0ypLzhT/zHHuXkCAfcP3joODqC8AU6RE+uVFwOdK
+B4OjmQ99uxqFkNs/MhC06hScORtowu9HaLrkrW6K3Dg
+-> +elbHO7-grease
+dg
+--- G7eHSF0eaQ6nv/U7/KXwNEnY9okbXmKSWDDszVBZnu4
+…¹cùñ+Q2Óiø+ûC]·TcMìbký/3�Bü§¢Á®.:´t5Øwe—:aÁ^XGg&¤‚ÔmB§Ê
(hmð›Èaƒˆ 
æoÛÓÝõ‚Ã

secrets/generated/sausebiene/telegraf-influxdb-token.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 OK0YjDoVUwRXX9O/GTE8bNIYA3TLmY7h3an+EHvPnjc
+0WwTbnNSflEwzicZcjMzoMt+UZNrRSyb+HUcKiX/Ybc
+-> piv-p256 xqSe8Q AoBweILdXCIv16ZQQZiLaEGf93bHE1WW3ZBEGM2mU5s4
+3S1zyoSzyDcoDQZJdvrYhujwPIL8Nsgd20NpKvKi0/g
+-> #-grease =
+Gh2UGo3dwqJHeHhmNGPYiFVfVZb6Yvo8L7WKU9KvnuSNFw
+--- cF1S3wS0iy+zI14BtNP5+llcah1S0cfQSQ9t6XcRD/I
+Ê%,e°#p�Κ"
ÆùŒ¡öz^*†‡jÒ©*€Jc<ÿ$iRÇx§§åÕˆ¢l]Û¸™)Ž½j=0²A™�•–�hG”‰²^"´È"ôl·

secrets/rekeyed/sausebiene/02083da3c2e6819322181878fae7553f-promtail-loki-basic-auth-password.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg YmdgTOgrnPGvk90h8pM+OjfowQzhVo9v5lcCcmnZLQ0
+0CHP+GdcH7Eq2Wu9yp4SCn0bgjY7tKgLbTBHN0i2KdU
+-> K3s5a#V_-grease @ ==f A9yR{~
+M+nuDvAN9JDn6EJWJBSujNTgtC+fU+wfwBaw098p5gx5m8aTm+iVAXayx3GeTw2J
+AUPIG8TiIj6T0L4KyvNO03zuDYc0aYQXCgJ2wHsheWr/kQ
+--- x0kUxYcAenQjbH97L4g11cjO6DW3iWhmTez4wQvoW9I
+¼Ô	^ŸùešÕ
ËVþ�Eö7¢„uYâsJz2˜o®ÝÄOÑ,É60F@D’¯Êdù2@Ó*iU@¶û0Nç²Vè–nÙUôµíÜkhî¤vE

secrets/rekeyed/sausebiene/6990ed2f05dd917e79b312efcbf20391-telegraf-influxdb-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg g14O67KT+fiVFUsYTqwJdNPCNbp8qutFuNgJOvIOmnY
+z+jDxlC7+nfhPyEgtjeplFN7uLSjkWRaVxyQ2qbC2uU
+-> p}-grease M^(
+72hYQ0ZXayKtOOIg9m2NUc15Y8d0LeD0wfoCmo6bJ0Xn+A
+--- eLXnULfh27jeqWR1XV640jyegcG6NMDJvkXZeiCoTuQ
+YëÍÏçÃŽ¾cHé±W1Ò­4.™Z‘óç5¶–—‰ê>EŽÞ”=qç�Y”i÷vÊ�žl˜™KÂùãÄ”µ¦˜åpjè[I¤³=8%ÏNà

secrets/rekeyed/sausebiene/a724df7b1d5ca71e006c0d36be3eceb6-wireguard-proxy-sentinel-priv-sausebiene.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg yx0E7V8G3fg0xkW85OFIthHYmzSb+UtvIHYuwJY5dlo
+9cg6P5noJZgJDSlF+qptsSaundGj/LHxvoKR7a3/EiY
+-> Q[f8ce2C-grease Gk.1J~ a~*? [&:FR2xK
+XGoWkCzzyoLy39XWXz1avKY
+--- fzl38diZoESS+4+Tali0WMZv5vut+PW9qp796IVUW18
+&®¼ÑÐ.�òuÚä^†TŽP[A &àRéH–fgßNÏÛ¦Høœ‹œÐ]ÊÁ>ªQíà¿\½xªÇ·üº‚÷÷õÁt€N!Ž@
+P

secrets/rekeyed/sentinel/f6bf0b7bd3d2c8815cba951e47ead8fc-wireguard-proxy-sentinel-psks-sausebiene+sentinel.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA TbUU7Qe1joDj9Vz7R0dnhBiTE8/D+EcNF/y7p5lEjn0
+A7kwW/AOVy7wB7RYnSP11QIYxhiOrODgEl7AwAM1hqo
+-> Pa;1-grease wep< ?nNq sM7#ln+- 4U3*y,6>
+9q3AkZ8bOWDiSg
+--- vaag5FKw+gm/7ZZs2TtvCcWym2A5glZrHVmcd5OgPNM
+k=oCnj9¼9ÐwÇzφÑÌ
‡´Ç?Tþÿ5柭VM¶óaÃç¸>¸áÕ9®OõDƒE““ãø�#pgSç ™}-?”o^Ü

secrets/rekeyed/sire-influxdb/e2fc49f34c814de46c73fbf3204423e7-telegraf-influxdb-token-sausebiene.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 1tdZKQ iBcbMa5vzu/RqfZBKWzZbxnepo8yNT3+rjU9Htoy3i4
+2hencjJton0PIHsHAmYFmhOlNkGx4jI2UXjsR8SUQuU
+-> u.4,!W-grease |/$-"Ss ;}G]-O*, b+#6
+8oR1X8KI9U5mgJks35+tMzCZ+tlQ5EKu7XY
+--- j8IMlikPntFCmvYEU/CFXzycblXrfFAqqMN3Dw9Ycj8
+X;Ýô¢éÍùçGÇqÑ9ð¦`ú.3}…vEÚßÞ-.šð?ysd4�0Æ6…8=‡wsýðÖÃÙVƒbHräzŠF¡ üœ½˜5KÕó

secrets/wireguard/proxy-sentinel/keys/sausebiene.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 MlhR1dPHJdvcOLPCBqc70K9LuUcMzmOjB6EXLFlmtT8
+kwpynEyGyv0vO1vh9hmSrEVJG4yFm2wAROwr0PkehNA
+-> piv-p256 xqSe8Q As3q1+XwqnvPVnrv7kBAvWvPH9lEusBJ4AKpKF6Ctzwy
+Lv+dzFT1E/E5WQWD7dLgK6InyyzunMQTcRE4njHeA5A
+-> LlHe-grease ~Sw~Jw - R:CL!a ^vUh9K
+gSvLyvHf0kky5uWH8o98wL0zLUhlgEmsD+ainAO/fJLtFICTh2uineNZRFOxZxEW
+296qg1m/sTQA/izSjMXCwrkU9uNBo4TOfjB28pYfBg
+--- Ml2Z0Eejdcqhj6vxIwpF1jCARpknE9ZS+RmlrGcyUqU
+bÔØ1ü»“Éc’˜ÌóÝ.“Ö€øZ²Æ\Þœ,_î
€ªöl	º° µ7“Üá´	ÀÔ¬†HÑ-<Ë®`~œßðùä³8poº8à

secrets/wireguard/proxy-sentinel/keys/sausebiene.pub

@@ -0,0 +1 @@
+QodjkDbHjMe5PH+LxRlU/lR5VJGF6vp2QQB5+DzVOE8=

secrets/wireguard/proxy-sentinel/psks/sausebiene+sentinel.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 TMgljbYm7js7lOMpRoBDu/Nr70XDqHXJRYvBU/GcAzU
+aW22h5pYU4cBTPnXfhyM7YxC4e1QkWNXLYuLmT8lG0g
+-> piv-p256 xqSe8Q Ar41hbT5AjkIrEvm+tvU1Ubn7rdKruuU0k5R15281nyj
+2Owm5MoFybFxy988KQnF5w4bk/JgzMEN0VsuHp4rwLM
+-> r4&-grease ]K
+R5mtPMADcrrZn2N+BTJuESdokdZTCuyJayQitBdteoFz6EYzVxCnOCRU7LJFuKzo
+lvC/na+bpRn40W1LHWgUYJcHLUdalk4dB0d7yQ
+--- STdabhK6cjx5gqt3ahkxoulJKgdqxaF8ldsSZMaEs4g
+M#d' uL碁A顇@KG鷂猦Kpm餪v無𠼻昱鮵_A-;急╪怍矨^fx�\�υ咫Z忁浦O犵X{fm慬