feat: add new host

hosts/sausebiene/default.nix

@@ -0,0 +1,44 @@
+{
+  globals,
+  inputs,
+  nodes,
+  ...
+}:
+{
+  imports = [
+    inputs.nixos-hardware.nixosModules.common-cpu-intel
+    inputs.nixos-hardware.nixosModules.common-pc-ssd
+
+    ../../config
+    ../../config/hardware/intel.nix
+    ../../config/hardware/physical.nix
+    ../../config/optional/zfs.nix
+
+    ./fs.nix
+    ./net.nix
+  ];
+
+  topology.self.hardware.info = "Intel N100, 16GB RAM";
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+  boot.mode = "efi";
+
+  meta.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
+  # Connect safely via wireguard to skip authentication
+  networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [
+    globals.services.influxdb.domain
+  ];
+  meta.telegraf = {
+    enable = true;
+    influxdb2 = {
+      inherit (globals.services.influxdb) domain;
+      organization = "machines";
+      bucket = "telegraf";
+      node = "sire-influxdb";
+    };
+  };
+}

hosts/sausebiene/fs.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.repo.secrets.local) disks;
+in
+{
+  disko.devices = {
+    disk = {
+      m2-ssd = {
+        type = "disk";
+        device = "/dev/disk/by-id/${disks.m2-ssd}";
+        content = {
+          type = "gpt";
+          partitions = {
+            efi = lib.disko.gpt.partEfi "1G";
+            swap = lib.disko.gpt.partSwap "16G";
+            rpool = lib.disko.gpt.partLuksZfs disks.m2-ssd "rpool" "100%";
+          };
+        };
+      };
+    };
+    zpool = {
+      rpool = lib.disko.zfs.mkZpool {
+        datasets = lib.disko.zfs.impermanenceZfsDatasets // {
+          "safe/guests" = lib.disko.zfs.unmountable;
+        };
+      };
+    };
+  };
+}

hosts/sausebiene/net.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  globals,
+  ...
+}:
+{
+  networking.hostId = config.repo.secrets.local.networking.hostId;
+
+  # FIXME: aaaaaaaaa
+  # globals.monitoring.ping.sausebiene = {
+  #   hostv4 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sausebiene.cidrv4;
+  #   hostv6 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sausebiene.cidrv6;
+  #   network = "home-lan.vlans.services";
+  # };
+
+  boot.initrd.availableKernelModules = [ "8021q" ];
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks = {
+      inherit (config.systemd.network.networks) "10-lan";
+    };
+  };
+
+  systemd.network.networks = {
+    "10-lan" = {
+      address = [ "192.168.1.6/24" ];
+      gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
+      matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
+      networkConfig = {
+        IPv6PrivacyExtensions = "yes";
+        MulticastDNS = true;
+      };
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  networking.nftables.firewall = {
+    zones.untrusted.interfaces = [ "lan" ];
+  };
+
+  # Allow accessing influx
+  wireguard.proxy-sentinel.client.via = "sentinel";
+}

hosts/sausebiene/secrets/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOZ2/shbByexe15RqevukRr/ZYhGvo3H7aWeqwEwbRJ

hosts/sausebiene/secrets/local.nix.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 FHDjxeYsy2SeiUd6qwEjZHeC3Z6usSyN8zJND6E8ig8
+ki3Tg/NopVqXqJlByi6YwnHm/qcrNtx+bPKgJVl6+Wo
+-> piv-p256 xqSe8Q A+wwCAkKZpha/eaKJtlWlLsC2R4Jp+Xaj313d0AYTZ1W
+hwg+vOJ+8V6lQ401c6QlTIvG+BD8cPVoN8PPT6Xq4c0
+-> 8MAV){6T-grease F()\
+6or/fJD/g3vChdeqgB9MGpzp72S9lbsZbMiSb0Z7p9N+lYFPM0ydobZWfrxr8ptj
+628oaPN6SIqgNn4bKCaxInyKQuBEcXz17QbrYrAWYBKF8O96qg
+--- xm0ao0zoO8amQMmPcbDm053OZ/KdNNJPXAbcmV93BLM
+M­Y/\¦…\Ÿ~#<»ص’ƒ ï
+ÏRמ)»ÙÅDAÔÀwž�í§¨sÊ@Ü
ÊiºòÎ5
}ĘhÂAò¯šLuEm~‘n��/�²5Õ€VK §Jƒa¦!~&ù.ÿDØ	\c�ò–Wg8PçÃ.¤Bû X.³	Y¤õÜ¥a·�ËJaÃu`¿`ÇH†’i曳ò$Öåàd^àŒ€=xk–O€êÖÚgA_\éüVÒ†Jõ=Ô¿F'‡~FÑsÂÙ…ÝC³­¨$/