feat: add base hosting-02

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-09-09 22:34:34 +02:00 · 2025-09-09 22:34:34 +02:00 · a498904134
commit a498904134
parent be802e3bf4
5 changed files with 111 additions and 23 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,6 +3,7 @@ keys:
  - &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
  - &db-01 age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
  - &hosting-01 age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
+  - &hosting-02 age1hvrssz7k9akz66evj4kja53zvdtrss8k2ljxsh5myh2mru62sggqznlzrt
  - &mail-01 age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza

 creation_rules:
@ -23,6 +24,7 @@ creation_rules:
      - age:
          - *db-01
          - *hosting-01
+          - *hosting-02
          - *mail-01
        pgp:
          - *lander
--- a/flake.nix
+++ b/flake.nix
@ -98,6 +98,13 @@
            ./hosts/hosting-01
          ];
        };
+        hosting-02 = nixpkgs.lib.nixosSystem {
+          system = "aarch64-linux";
+          specialArgs = { inherit inputs outputs; };
+          modules = [
+            ./hosts/hosting-02
+          ];
+        };
        mail-01 = nixpkgs.lib.nixosSystem {
          system = "aarch64-linux";
          specialArgs = { inherit inputs outputs; };
--- a/hosts/common/servers/secrets.yaml
+++ b/hosts/common/servers/secrets.yaml
@ -1,45 +1,45 @@
-tailscale-authkey: ENC[AES256_GCM,data:qXgDw5Ua+J7XinLap+sco/9lVM/NMaj4Tpy6hlUJ+tcRoiSFVV1dQB1w20tt8/Rg,iv:bvKua+uX8jbfPAD5LwcEX+lDmCQpKImK7bfw9kKeDt4=,tag:J3hI/0BP99yjw6juYX/JSw==,type:str]
+tailscale-authkey: ENC[AES256_GCM,data:czmRcSlA38MiC1E6kGkA6YiuisKzfWealW0wzc1EZaR3R9CDaFed+ZzHm3JO4ppd,iv:bvKua+uX8jbfPAD5LwcEX+lDmCQpKImK7bfw9kKeDt4=,tag:wj1e5uQeVEWh9JxsKAPLAQ==,type:str]
 sops:
    age:
        - recipient: age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVVNJRFc4S2NOVTdVZGFu
-            VjVPSXlJcytGTUdSZ2RhZ0UraElweVVVTUZZClF6SWs2NkdnVUdDVmFPUXhDeGE3
-            RFJaV1c5QVQ4NEFjWVowU21hL2IyRFUKLS0tIE5rZVQzY1FSYmRWT1JaNDgzZXB1
-            bHlYRWF1TWVkTTZ2SzdXbENPc1U2VmcKTPJ3SeHHoA5FOvOUMiWJdcKYGr9aXriZ
-            DuW/ijGrVV5zELOgXc/vAOSrsE9ZYW83QDXB80NRvOUnRNGyaax5Sg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcFRXUFdhckl1ZDJIdnds
+            RGxtQmhObHE2VU8yK2RVelV0WG8ydThlRWlnCkQvUU1pM245VXZIK09oY2NmZFo3
+            WHArS1pGME8wSVpIcWtldnI3WnBFRzAKLS0tIEtkVk5TZ0ZOZHZabXlhUFN0aXhT
+            ZGxZaGc0UDNpalY0VDZYNFp1ZmdHZE0Kuvf8nxnkTagrF+SFsO87ecf3NG5kTd8O
+            nXJlrQBx2gedRkzDOAITYp9M1r/1ttaTenr70HowuMnXLWbOFw5ZNg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSHZNazl3WVJIL2N6dUx6
-            cUVZZCtpZWVnVklkU0FnL2REYkZuc0JPREgwCnFIZ2lyMW1HdjZLNDRpRTczMmJC
-            eDJLSkw2S0dyWXBSNlpPOTRJU0ZNQ28KLS0tIHErZENXUkJnektyazdFS2FNQ1JU
-            ZFhhRm92SFpCc042U1p2VkE1a0dOZDAKFZuxY5YkAeINQRX/kcxAxIQMSEa7FATx
-            8v8eFMZLCpHH3wS2+CgtAzxxDX4bIMsPhwDa4C1bvtWkGmUg/2R86Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eldYRDZabEVObkY0THkr
+            aXF0NnliNkd1K0QzblluTVdqdTdFcmpBRUQ0CmZoRHRxV2gzTTduSFM2VFNSRDZX
+            cmxtb2VhRE54UnZqV3gzcHVnZWU0NTgKLS0tIGZIOWRaOGlCZXV0NDdMYmR3ejF6
+            eSsvWm1aYlFsYzZXam9CNFgvZ1JHcmsK08Hx2yq97SiGlTtAj9r87evoJ7we497I
+            od2pthSRamNd8AtB5Ag6BTo4i6v4P/cbb2rWJc9ZGVdfPR6h+RzVoQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZnhqOGtXS1RMY3BaRjdz
-            M2ViM3c2QzhCbTMvejdaOU9sRHd6M0ZzRHdRCnVmd0xiSUNqOHBaZGFkcmpaRU95
-            cW5oMHNycjZJN0RCc25tanJSQ1Q0TmMKLS0tIG9KeTdjdTJ2Vk43Um5BWmZVYlJ0
-            SnBFVkJBMk5DdDR0YlpjbHFDVlFDTHMKtjJMgkybidVzSvSCjrdUVgAXjLzhWBv/
-            x7nYJp7O5PqKZRcWdmpDp6bNG4+ENrtnMBXw1AwR2iWvlZC9YOtmdw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDVVJiemdJUGNiNnh1b3lQ
+            clUzSnk5NVRnT2dVdG5xUEZ5L3IzTG5KWlQ4Ck82Z3hGL0ZZTUYxelFMMW1mT2tW
+            bUNjOW5abWE2N1A4cDg3U3dML0w0N0kKLS0tIERjZ1ZHZlNxeXlZTDhvRG5oNG9y
+            KzdzdmtMNmdWcDk5bCt4NVo2TzBmbzgK66UVN1CdlY2I6RLUf0TMoiYZK6JatTfn
+            lYEuPzHccil6RhZQz9mCeQdoXHVIIJA+96uuiJOnax7dLLubVkI8pA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-02T21:02:01Z"
-    mac: ENC[AES256_GCM,data:oxLmFXvuLNbdiLFC8BCh8jb1gMctbdJeS88xuv27etLgn0P38KI2G4OFg7T03s/QK26lWvwt/0FSGc6o51p6FZ2KJLL8FtB96x2Q1QaJqNIUmU5WWnaJhQfRxiE+IDJgS4DkFYs8FMQhMorr1X8iVhQhoxpB5qKs7kVARAyF1FU=,iv:qhxdpeZCzEMoKJw5oVI6S1Y2OqpHRo67oI1guC1iRdM=,tag:F/YhPTth3NNtCZ/RVlQF1g==,type:str]
+    lastmodified: "2025-09-09T20:57:45Z"
+    mac: ENC[AES256_GCM,data:BcZfo0ADiU8VdiocsywgfhWCD1qIH5RRYYWNOm9QliFdtUQjaZnguyhSUUS8gtFg44cRByiEWJw/WO83xLtOcZWFwKKtc/YzSPclfCh5XtXmMQ4xFhIXhUFy2liKew5zFtH3lPF68Kro9NmRgDdgQcjzqFsJpIJJX9FBIU8gq6A=,iv:7iiljIwexQxx8Y+1lxFuyxfmccvBeWycf/NUbuCm93g=,tag:+B+XSpuK0N3vOuEsvrtZIQ==,type:str]
    pgp:
        - created_at: "2025-07-02T21:01:46Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hF4DARdpY4woM6wSAQdAVK+ifhksSiXmYzGNYQcv2dZbhYrgQQSsqmIKMfyYuk4w
-            SEEGAA7mcqg9j4Cd2ozLnsX/3p5q41cdRapC0r4Tx/pW5dhE53g+K1OWkKNoq/1f
-            0l4BG9rFb0AiidaQU/A2WcOZ7Idgy4CuimDCVW1j6Th6k3QHkVDdCv4oQRTVc48P
-            48VQ2A1jp0gyRQHFbjE1dwUSSvLrFaJu3O7kGz7WuCwAZH25HonUx9ParK18nB+j
-            =jICO
+            hF4DARdpY4woM6wSAQdArc/Gk5c1Huj1mXQHS03GECj8lAUwi0sYZgquMsV+/yEw
+            QWs45mKkD9KBrgFF6UHMm5l2M0NcsZeKd9b14mcCmnlGBxydyO3NkmLqFtaogBka
+            0lwBBM+J4D7Lt2IaGpPS/AzLDsYKEtLrjv2Y3L22SUStwl8v3wmNaCLGOepOYxwi
+            VPl2Y+yFpXEWTQkmyrkVOW3VBp1IxmAx5wjHK8wkjBCpf06yWLJCnlcnIUiwpA==
+            =XpYk
            -----END PGP MESSAGE-----
          fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
    unencrypted_suffix: _unencrypted
--- a/hosts/hosting-02/default.nix
+++ b/hosts/hosting-02/default.nix
@ -0,0 +1,27 @@
+{ ... }:
+{
+  imports = [
+    ./disk-config.nix
+    {
+      _module.args.disks = [ "/dev/sda" ];
+    }
+
+    ../common/servers
+  ];
+
+  time.timeZone = "Europe/Berlin";
+
+  networking.hostName = "hosting-02";
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+    ];
+  };
+
+  security.acme.defaults.email = "landervandenbulcke@gmail.com";
+  security.acme.acceptTerms = true;
+
+  system.stateVersion = "25.05";
+}
--- a/hosts/hosting-02/disk-config.nix
+++ b/hosts/hosting-02/disk-config.nix
@ -0,0 +1,52 @@
+{
+  lib,
+  disks ? [ "/dev/sda" ],
+  ...
+}:
+{
+  disko.devices = {
+    disk = lib.genAttrs disks (disk: {
+      device = disk;
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "256M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          main = {
+            size = "100%";
+            content = {
+              type = "btrfs";
+              extraArgs = [ "-f" ]; # override existing partition
+              subvolumes = {
+                "/" = {
+                  mountOptions = [ "compress=zstd" ];
+                  mountpoint = "/";
+                };
+                "/home" = {
+                  mountOptions = [ "compress=zstd" ];
+                  mountpoint = "/home";
+                };
+                "/nix" = {
+                  mountOptions = [
+                    "compress=zstd"
+                    "noatime"
+                  ];
+                  mountpoint = "/nix";
+                };
+              };
+            };
+          };
+        };
+      };
+    });
+  };
+}