init

flake.nix

@@ -0,0 +1,67 @@
+{
+    description = "LaSuite Federez Deployment";
+
+    inputs = {
+        # General sources
+        deploy-rs.url = "github:serokell/deploy-rs";
+        agenix.url = "github:ryantm/agenix";
+        nixpkgs-25-05.url = "github:NixOS/nixpkgs/nixos-25.05";
+        nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    };
+
+    outputs = { self, nixpkgs-25-05, nixpkgs-unstable, deploy-rs, agenix }: let
+        system = "x86_64-linux";
+
+        # Unmodified nixpkgs
+        pkgs-25-05 = import nixpkgs-25-05 { inherit system; };
+        pkgs-unstable = import nixpkgs-unstable { inherit system; };
+
+        # nixpkgs with deploy-rs overlay but force the nixpkgs package
+        deployPkgs-25-05 = import nixpkgs-25-05 {
+            inherit system;
+            overlays = [
+                deploy-rs.overlay.default
+                (self: super: { deploy-rs = { inherit (pkgs-25-05) deploy-rs; lib = super.deploy-rs.lib; }; })
+            ];
+        };
+        deployPkgs-unstable = import nixpkgs-unstable {
+            inherit system;
+            overlays = [
+                deploy-rs.overlay.default
+                (self: super: { deploy-rs = { inherit (pkgs-unstable) deploy-rs; lib = super.deploy-rs.lib; }; })
+            ];
+        };
+
+        nodes = import ./shared/nodes.nix;
+
+        defaultModules = [
+            ./shared/users.nix
+            ./shared/commons.nix
+        ];
+    
+    in {
+        deploy = {
+            user = "root";
+            autoRollback = true;
+            magicRollback = true;
+            remoteBuild = true;
+            nodes = builtins.mapAttrs (name: config: {
+                "${name}" = {
+                    hostname = builtins.head (builtins.split "/" config.ip4);
+                    profilesOrder = [ "system" ];
+                    profiles = {
+                        system = {
+                            path = "deployPkgs-${config.ver}".deploy-rs.lib.activate.nixos "nixpkgs-${config.ver}".lib.nixosSystem {
+                                system = config.system;
+                                modules = config.modules ++ defaultModules;
+                            };
+                        };
+                    };
+                };
+            }) nodes;
+        };
+
+        # This is highly advised, and will prevent many possible mistakes
+        checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+    };
+}

nodes.nix

@@ -0,0 +1,14 @@
+{
+    "bastion.mtz.lasuite.federez" = {
+        system = "x86_64-linux";
+        ver = "25.05";
+        modules = [
+            ./shared/bastion.nix
+        ];
+        
+        ip4 = "193.48.225.150/24";
+        gIp4 = "193.48.225.254/24";
+
+        dev = "ens18";
+    };
+}

shared/bastion.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+    # Import dependencies
+    imports = [
+        ./bastion/wireguard.nix
+    ];
+}

shared/bastion/wireguard.nix

@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+    # TODO
+}

shared/commons.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+    # Import dependencies
+    imports = [
+        ./commons/basics.nix
+        ./commons/ssh.nix
+        ./commons/sudo.nix
+        ./commons/networking.nix
+    ];
+}

shared/commons/basics.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+    nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+    # Global packages
+    environment.systemPackages = with pkgs; [
+        #(callPackage "${builtins.fetchTarball {url = "https://github.com/ryantm/agenix/archive/main.tar.gz"; sha256 = "103slb8xy5sb68zxjjbb9d0svq8xz751a7yrg6vrz5rh4374bzgl";}}/pkgs/agenix.nix" {})
+        bmon
+        tcpdump
+        htop
+        conntrack-tools
+        mtr
+        dig
+        molly-guard
+        fastfetch
+    ];
+
+}

shared/commons/networking.nix

@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+
+let
+    # Import nodes
+    nodes = import ./../../nodes.nix;
+    myNode = nodes."${config.hostName}";
+
+    supportsIPv4 = nd: lib.hasAttr "ip4" nd;
+    supportsIPv6 = nd: lib.hasAttr "ip6" nd;
+
+    # configure addresses including subnet mask
+    addr4 = if supportsIPv4 myNode then [ myNode.ip4 ] else [];
+    addr6 = if supportsIPv6 myNode then [ myNode.ip6 ] else [];
+
+    # And routes, the gateway is assumed to be in subnet, otherwise GatewayOnLink is required
+    route4 = if supportsIPv4 myNode then [{ Gateway = myNode.gIp4; }] else [];
+    route6 = if supportsIPv6 myNode then [{ Gateway = myNode.gIp6; }] else [];
+in
+{
+    systemd.network.enable = true;
+    networking.useNetworkd = true;
+    networking.useDHCP = false;
+    systemd.network = {
+        networks."10-wan" = {
+            # match the interface by name
+            matchConfig.Name = myNode.dev;
+            address = addr4 ++ addr6;
+            routes = route4 ++ route6;
+            # DNS
+            dns = [ "1.1.1.1" ];
+            # make the routes on this interface a dependency for network-online.target
+            linkConfig.RequiredForOnline = "routable";
+        };
+        
+        config.addRouteTablesToIPRoute2 = true;
+        config.routeTables = {
+            # Act as a route bin
+            off = 999;
+        };
+    };
+    networking.firewall.enable = true;
+}

shared/commons/ssh.nix

@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+    # SSH
+    services.openssh = {
+        enable = true;
+        # require public key authentication for better security
+        settings.PasswordAuthentication = false;
+        settings.KbdInteractiveAuthentication = false;
+        settings.PermitRootLogin = "no";
+    };
+}

shared/commons/sudo.nix

@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+    security.sudo = {
+        enable = true;
+        extraRules = [
+            # Sudoers wheel can do everything without password
+            {
+                commands = [
+                    {
+                        command = "ALL";
+                        options = [ "NOPASSWD" ];
+                    }
+                ];
+                groups = [ "wheel" ];
+            }
+        ];
+    };
+}

shared/users.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }:
+
+{
+    # Users
+    # Uid 1000 - 1999 are reserved for specific system users that need uid > 999
+
+    # Wheeler
+    users.users.asyncnomi = {
+        isNormalUser = true;
+        uid = 2001;
+        home = "/home/asyncnomi";
+        description = "Sic mundus creatus est";
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQC3wkkW58044OeMnwbok+KQJrxNVPLx8Bbh4ukfADkBNFhve0+XDHMdMXRsD8MEheiRW/tlkHOljD2206cYIfW5w/lCJIWnP/EJgOfQ+vSQ5cJMXjP18Wm7HBYsyc4PYdeZLbRS6lFYisWkSwKscO1sy3s5JtftMI5/QXK6al1Xbnr5K2mkeB90w3aiaUCz2pXXe1SiHitTmIeiuEY/4iycEBxkxEupSEivCBHoSO7uBpEhasZcpSxTz/303Ti4+JgWs69xUooyEuIhcwjWH/91a0LV+5yKzOpdDQeJrSv8Cw1EQmmGM0ZJv7wFKKQ3ht9DXZd4lrvPtyWSD+JYOSRSsNCEMy6dPX7uUdcDwkwnrdPaxBOXFOB1InTGQWVnMGBsG0aK7UkwmPuoJXhaordrHFEac9aIcg5P7q1D8S+L6u/DdFq2IGZsymTrSAJsHQJ6q9wnOwGmiLaPw4WBaagzdlTmNz6WODG/9I25vQsC3z+I4Q39NG1u9/d+f465e2Z79D8X3H/pfKkAllgOrMY2eWVqjttZpjCbFo2Ckpat7JRYrvUIQCrzbhWK0uwUlH7+wGDqcPPrtpLYtVfKcWR8G4hFZl7HzN18riNHJ3158Pf4Te4/OzC6kbXa62zFpB9BWXoL8VXfDHaNv/5LB27Ikqd3QsCJfuhUBpFbndiUtlO/WSSx/ryPv3P0tWWlLcZXHTgTAzSjd+Git2FWXnSQd4QY5N48zVZE4jMK92ZBb1sqoDQnsWv5PeBWFiti/fNbJhqUJhraUerNpXgkNgxq6I1CTWG27cq8cA2v8Pf3VTM26NlQU3fR+m5ClbzS2iAeNjnh8dN9jx+q+4f5d/WS4HhsbBE+0l7sOaNp/ahOTPandZcU4wELc1sWkF/8apI1NItFtESU+So5gGs4nCoE8DXGV6kMPHsL4lmOlCVMjqe35AXu6XLQidocAKMr2sZxvaB/57oKPf6w+XjAxN2Aur8J6ocBGiePVK+VOud3NdpJLQ6QNeI4n7NHXBh9NVuS/RTy9r/EtoSXDwibINWNNDSCANLT7WQNorM4LiJRVFFfAcmwaCY1LbYnnr27qrboPTMT+jrOOQn35wZboAC531oD//qt7VP03uQeeXtFlUmZYywAdhStour7YsmwnxdEe8B+FfRmdhFaOlWdoMnUrziNdWHWTuIH0UIiB/DuF8eGLRtAdDBT3cFOHDMekx0LW/a1BYn3dXXuW+p7gTQUtEZXe+NJcgc62dSPFXwVKo8sogjFQzscupkFFXn3FSmfH91iVa8B84AhAZi/bZ5TslccHr3C+333RJ8holOOynOfFxryN5mKPP4ycypF66TNcZ5/b/klpvUt7BitvPZT asyncnomi" ];
+    };
+
+}

shell.nix

@@ -0,0 +1,23 @@
+{ pkgs ? import <nixpkgs> {} }:
+
+let
+    agenixSrc = fetchTarball {
+        url = "https://github.com/ryantm/agenix/archive/main.tar.gz";
+        sha256 = "103slb8xy5sb68zxjjbb9d0svq8xz751a7yrg6vrz5rh4374bzgl";
+    };
+in
+pkgs.mkShell {
+    buildInputs = [
+        (pkgs.callPackage "${agenixSrc}/pkgs/agenix.nix" {})
+    ];
+    packages = with pkgs; [
+        deploy-rs
+        nano
+    ];
+
+    EDITOR="nano";
+    
+    shellHook = ''
+        echo "Welcome to Federez-LaSuite network deploy-rs shell environment!"
+    '';
+}