From d2dbaff941b99da62f810ea6c92cb0af26593496 Mon Sep 17 00:00:00 2001
From: Lander Van den Bulcke
Date: Tue, 9 Sep 2025 22:34:34 +0200
Subject: [PATCH] feat: add base hosting-02

Signed-off-by: Lander Van den Bulcke
---
 .sops.yaml | 2 ++
 flake.nix | 7 ++++
 hosts/common/servers/hetzner.nix | 15 ++++++++
 hosts/common/servers/secrets.yaml | 57 ++++++++++++++++++-------------
 hosts/hosting-02/default.nix | 31 +++++++++++++++++
 hosts/hosting-02/disk-config.nix | 52 ++++++++++++++++++++++++++++
 6 files changed, 140 insertions(+), 24 deletions(-)
 create mode 100644 hosts/hosting-02/default.nix
 create mode 100644 hosts/hosting-02/disk-config.nix

diff --git a/.sops.yaml b/.sops.yaml
index 7ef9c1a..d58249e 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
 - &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
 - &db-01 age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
 - &hosting-01 age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
+ - &hosting-02 age1hvrssz7k9akz66evj4kja53zvdtrss8k2ljxsh5myh2mru62sggqznlzrt
 - &mail-01 age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza

 creation_rules:
@@ -23,6 +24,7 @@ creation_rules:
 - age:
 - *db-01
 - *hosting-01
+ - *hosting-02
 - *mail-01
 pgp:
 - *lander
diff --git a/flake.nix b/flake.nix
index 3984512..e2cc3e1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -98,6 +98,13 @@
 ./hosts/hosting-01
 ];
 };
+ hosting-02 = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ specialArgs = { inherit inputs outputs; };
+ modules = [
+ ./hosts/hosting-02
+ ];
+ };
 mail-01 = nixpkgs.lib.nixosSystem {
 system = "aarch64-linux";
 specialArgs = { inherit inputs outputs; };
diff --git a/hosts/common/servers/hetzner.nix b/hosts/common/servers/hetzner.nix
index 740127e..2c9e323 100644
--- a/hosts/common/servers/hetzner.nix
+++ b/hosts/common/servers/hetzner.nix
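Review bot: Adding `*hosting-02` to this creation rule gives the new host the same shared secret set as db-01, hosting-01 and mail-01 — presumably `hosts/common/servers/secrets.yaml`, whose only value in this commit is `tailscale-authkey`. One auth key decryptable by every server means that a compromise of any single host exposes the key for all of them; if that key is not ephemeral or single-use, a per-host secrets file would limit the blast radius. The key line deserves a comment stating its provenance and scope, e.g. `# hosting-02: age recipient for the host's SSH host key; can decrypt hosts/common/servers/secrets.yaml`, and it is worth confirming the recipient was derived on the host (ssh-to-age style) rather than from a key generated on a workstation. The rewritten ciphertexts in the secrets.yaml hunk look consistent with the data key having been rotated when the recipient was added, which is the right procedure since `sops updatekeys` alone does not rotate it.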
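Review bot: The new `hosting-02` attribute is a line-for-line copy of the `hosting-01` and `mail-01` entries around it (same `system`, same `specialArgs`, same single-module list), so this third copy is the point where a helper pays off. Something like `mkServer = name: nixpkgs.lib.nixosSystem { system = "aarch64-linux"; specialArgs = { inherit inputs outputs; }; modules = [ ./hosts/${name} ]; };` with `hosting-02 = mkServer "hosting-02";` keeps any genuine per-host difference visible instead of hidden in repetition. The enclosing attribute set (presumably `nixosConfigurations`) starts and ends outside the hunk, so I cannot see whether such a helper already exists.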
@@ -14,6 +14,21 @@
 boot.initrd.kernelModules = [ "virtio_gpu" ];
 boot.kernelParams = [ "console=tty" ];

+ networking.useNetworkd = true;
+ systemd.network = {
+ enable = true;
+
+ networks = {
+ "30-wan" = {
+ matchConfig.Name = "enp1s0";
+ networkConfig.DHCP = "ipv4";
+ routes = [
+ { Gateway = "fe80::1"; }
+ ];
+ };
+ };
+ };
+
 services.openssh = {
 enable = true;
 settings.PasswordAuthentication = false;
diff --git a/hosts/common/servers/secrets.yaml b/hosts/common/servers/secrets.yaml
index 6bccbee..9c57980 100644
--- a/hosts/common/servers/secrets.yaml
+++ b/hosts/common/servers/secrets.yaml
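Review bot: The `30-wan` network installs the IPv6 default route statically via `fe80::1` but leaves router-advertisement handling at the networkd default, which on a plain ethernet link is to accept RAs; since nothing here relies on RA, make it explicit with `networkConfig.IPv6AcceptRA = false;` next to `networkConfig.DHCP = "ipv4";` so a stray or spoofed RA cannot add routes or DNS servers. With `networking.useNetworkd = true` NixOS still generates its catch-all `99-ethernet-default-dhcp` network when `networking.useDHCP` is left at its default, so add `networking.useDHCP = false;` beside `useNetworkd` if only the declared interface should come up — I cannot see whether that is already set elsewhere in this file. A short header comment would help readers of the per-host files that only set `address`, e.g. `# Hetzner Cloud: DHCPv4 on the primary NIC; the IPv6 address is set per host, the v6 gateway is always fe80::1`. Note that `enp1s0` is hard-coded for every host that imports this module.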
@@ -1,45 +1,54 @@ -tailscale-authkey: ENC[AES256_GCM,data:qXgDw5Ua+J7XinLap+sco/9lVM/NMaj4Tpy6hlUJ+tcRoiSFVV1dQB1w20tt8/Rg,iv:bvKua+uX8jbfPAD5LwcEX+lDmCQpKImK7bfw9kKeDt4=,tag:J3hI/0BP99yjw6juYX/JSw==,type:str] +tailscale-authkey: ENC[AES256_GCM,data:5gGzPfdHWB8dYJ0/pyy1ZLXgpTy0Vb3J+RDcRnSPBp9aS11iZJHBp+drNmrKGIzM,iv:bvKua+uX8jbfPAD5LwcEX+lDmCQpKImK7bfw9kKeDt4=,tag:XSTe6iLDWwPQG7ohCTjHIQ==,type:str] sops: age: - recipient: age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVVNJRFc4S2NOVTdVZGFu - VjVPSXlJcytGTUdSZ2RhZ0UraElweVVVTUZZClF6SWs2NkdnVUdDVmFPUXhDeGE3 - RFJaV1c5QVQ4NEFjWVowU21hL2IyRFUKLS0tIE5rZVQzY1FSYmRWT1JaNDgzZXB1 - bHlYRWF1TWVkTTZ2SzdXbENPc1U2VmcKTPJ3SeHHoA5FOvOUMiWJdcKYGr9aXriZ - DuW/ijGrVV5zELOgXc/vAOSrsE9ZYW83QDXB80NRvOUnRNGyaax5Sg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TUNKT0JtZEs3M0hEUjVt + WWJRUkFNSm9pVjRlVkk3RzVPeVZkNytUYVJRCnhzd0syd25HLzBTTFRBN3pXQUVW + VXJxakRZdzdGL3U0aFNrVEdTRVNBZUkKLS0tIDFrOC8ySVVYV3pLbDlDakpRZHhh + SzlLWGwrYjVNcGFLVGNTTmhleXNZMEEKabv69KbHpVEGpknnuEO+1OgdWCtvdkP6 + fP55S4jIHjkONG1upwIxHj3YJO55nI5kA4XAx+5AOSntwN1iAXRciA== -----END AGE ENCRYPTED FILE----- - recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSHZNazl3WVJIL2N6dUx6 - cUVZZCtpZWVnVklkU0FnL2REYkZuc0JPREgwCnFIZ2lyMW1HdjZLNDRpRTczMmJC - eDJLSkw2S0dyWXBSNlpPOTRJU0ZNQ28KLS0tIHErZENXUkJnektyazdFS2FNQ1JU - ZFhhRm92SFpCc042U1p2VkE1a0dOZDAKFZuxY5YkAeINQRX/kcxAxIQMSEa7FATx - 8v8eFMZLCpHH3wS2+CgtAzxxDX4bIMsPhwDa4C1bvtWkGmUg/2R86Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTGFJTE5oU2tUcU1XcTVy + ZDBiSTQ5bGppOGRjUEV4WG9lc2xFN1RIQTNzCmZuelNkUjhyZWtqSTNZWHhIRjhT + UEpyeE9wdC9wSVZLckVzMVdQSXlhOTAKLS0tIGRBeXlWNHRyQkFpS2l2WlJHTnBI + WVRHWmE0QU1qK0NpT1QyL1ZZWXpmc3cK4UKRpOatiXqt2DvJmMlB2D+En4ufBXhe + vdxhnMZgMlMhN0F+KkOEt8JD1jrbOQ0fn1KdDcsjqO4MBJJK1smB9Q== + 
-----END AGE ENCRYPTED FILE----- + - recipient: age1hvrssz7k9akz66evj4kja53zvdtrss8k2ljxsh5myh2mru62sggqznlzrt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZGNYQW9pbEVQdTl3WEo2 + ZWtHOHZzRmRMNkZHS1FjN1UrN0VGc0swc0JZClN3ckNrcXZoWTBpRGpGa0NSMkVY + K2ZVSmhuaHlQWUtqakRNTGVacDhScUkKLS0tIDl3czNRYUpra3Y2enlkMkRxUzlN + cDdhVlUyZGhsdHMzZ0E5andLVHVoNkkKocZp5EicX0pu1xaX+wYFfLqMoXxn5KiL + DsNPjAG//EslXpYq2UxXnWYaUKBq8fUr4moMG8omaoZ6KWgG8u1PeQ== -----END AGE ENCRYPTED FILE----- - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZnhqOGtXS1RMY3BaRjdz - M2ViM3c2QzhCbTMvejdaOU9sRHd6M0ZzRHdRCnVmd0xiSUNqOHBaZGFkcmpaRU95 - cW5oMHNycjZJN0RCc25tanJSQ1Q0TmMKLS0tIG9KeTdjdTJ2Vk43Um5BWmZVYlJ0 - SnBFVkJBMk5DdDR0YlpjbHFDVlFDTHMKtjJMgkybidVzSvSCjrdUVgAXjLzhWBv/ - x7nYJp7O5PqKZRcWdmpDp6bNG4+ENrtnMBXw1AwR2iWvlZC9YOtmdw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdkpsYUlwVlFJVjBRQjJn + TWhpZlluTEYwV0I2cDVUYytUZisrL0lWWTBnCnc3THNqT1BzeGkraDUyV0dMWGFr + NEo0aEtkUGVxVmttc09RMXJjblRNQUUKLS0tIENIN0hFbVFsbnIwRnYxdmVqVHlN + ZWFpdkxVVFpOUzRnUUFYYkIvcG0xa00Ktrrn8R69OF8wwsz9RuvKAiVtS+thbbNp + 5DnmezbVOr6g3bNLnRQ/GDfesHqvCWTQ+Lv2t8tnXXbjXrNWcxOTgw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-02T21:02:01Z" - mac: ENC[AES256_GCM,data:oxLmFXvuLNbdiLFC8BCh8jb1gMctbdJeS88xuv27etLgn0P38KI2G4OFg7T03s/QK26lWvwt/0FSGc6o51p6FZ2KJLL8FtB96x2Q1QaJqNIUmU5WWnaJhQfRxiE+IDJgS4DkFYs8FMQhMorr1X8iVhQhoxpB5qKs7kVARAyF1FU=,iv:qhxdpeZCzEMoKJw5oVI6S1Y2OqpHRo67oI1guC1iRdM=,tag:F/YhPTth3NNtCZ/RVlQF1g==,type:str] + lastmodified: "2025-09-09T21:18:09Z" + mac: ENC[AES256_GCM,data:+GzVY/9R89YOL1dm0q1q3VSdsBa8krphFk8vOup+0XRn2BaLjwCIvOXQMBycVuRgMUHf77p1ETgpoj9quTDwJK8JDcP8pT6gfa/1mLuFz1I34cVk5f7Vx2BnX2Oh0LN+PXiMggbuySiNk3huOhgnrVCwwukT6PfvOXlYY5DVPPg=,iv:mp07YVgO0Xpp/XtOvD70hF+4ZGQJbn5EXxwPh2fXPMQ=,tag:dVwF6Y73DFeaNlYWLrqJWw==,type:str] pgp: - - created_at: 
"2025-07-02T21:01:46Z" + - created_at: "2025-09-09T21:20:01Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DARdpY4woM6wSAQdAVK+ifhksSiXmYzGNYQcv2dZbhYrgQQSsqmIKMfyYuk4w - SEEGAA7mcqg9j4Cd2ozLnsX/3p5q41cdRapC0r4Tx/pW5dhE53g+K1OWkKNoq/1f - 0l4BG9rFb0AiidaQU/A2WcOZ7Idgy4CuimDCVW1j6Th6k3QHkVDdCv4oQRTVc48P - 48VQ2A1jp0gyRQHFbjE1dwUSSvLrFaJu3O7kGz7WuCwAZH25HonUx9ParK18nB+j - =jICO + hF4DARdpY4woM6wSAQdAqzNqNtPjbYWAx9XIB+bdZjhIIfCTOm1hUrpCu7emwgMw + WKfVFLeKJg+d/3PrR5hBoEfsj/IFUXiXDNrlpfr+VQCwd0XLMAM0WvFeod2gPe+1 + 0l4BXxWsyWzDdukiLzqtHelEvaJk8UU3LfhqsmdmQoApbx0AkLGUAQLgiHWtDkj6 + w+QeYq0CJbO5kCLO+kNCVSNoWDyGOokKqcMxglyaIjlkjodf/Xw56HAeF1BuxPmV + =BwAM -----END PGP MESSAGE----- fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 unencrypted_suffix: _unencrypted
diff --git a/hosts/hosting-02/default.nix b/hosts/hosting-02/default.nix
new file mode 100644
index 0000000..fd8e9eb
--- /dev/null
+++ b/hosts/hosting-02/default.nix
@@ -0,0 +1,31 @@
+{ ... }:
+{
+ imports = [
+ ./disk-config.nix
+ {
+ _module.args.disks = [ "/dev/sda" ];
+ }
+
+ ../common/servers
+ ];
+
+ time.timeZone = "Europe/Berlin";
+
+ networking.hostName = "hosting-02";
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+
+ systemd.network.networks."30-wan".address = [
+ "2a01:4f8:c013:7fc0::/64"
+ ];
+
+ security.acme.defaults.email = "landervandenbulcke@gmail.com";
+ security.acme.acceptTerms = true;
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/hosting-02/disk-config.nix b/hosts/hosting-02/disk-config.nix
new file mode 100644
index 0000000..aa2e1fa
--- /dev/null
+++ b/hosts/hosting-02/disk-config.nix
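Review bot: The address `2a01:4f8:c013:7fc0::/64` uses the all-zero interface identifier of the /64, which RFC 4291 reserves as the subnet-router anycast address; Hetzner's own examples use the `::1` host, so `"2a01:4f8:c013:7fc0::1/64"` is the safer choice unless the zero address is deliberate. The `allowedTCPPorts` list reads as if only 80 and 443 are reachable, but `services.openssh.enable = true` in the shared hetzner.nix also opens 22 through the default `openFirewall = true`, so document that next to the list, e.g. `# 22 is additionally opened by services.openssh.openFirewall (default true)`. If SSH is meant to be reachable only over the overlay network (a `tailscale-authkey` is in the shared secrets, so that seems to be the intent), set `services.openssh.openFirewall = false;` here and mark the tailscale interface as trusted instead. Nothing in this file consumes `security.acme`; presumably the web server that needs it lives in `../common/servers`, and a one-line comment saying so would save the next reader a search.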
@@ -0,0 +1,52 @@
+{
+ lib,
+ disks ? [ "/dev/sda" ],
+ ...
+}:
+{
+ disko.devices = {
+ disk = lib.genAttrs disks (disk: {
+ device = disk;
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "256M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ main = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # override existing partition
+ subvolumes = {
+ "/" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/";
+ };
+ "/home" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/home";
+ };
+ "/nix" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ mountpoint = "/nix";
+ };
+ };
+ };
+ };
+ };
+ };
+ });
+ };
+}
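Review bot: The layout has no encryption layer, so whatever sops age identity this host uses (in a typical sops-nix setup it is derived from the SSH host key under /etc/ssh, though that wiring is not visible here) sits in plaintext on a disk that Hetzner snapshots and rescue-mode access can read; if that is an accepted trade-off, state it at the top of the file, otherwise wrap `main` in a `luks` content and decide on an unlock path. `extraArgs = [ "-f" ]` together with the `disks ? [ "/dev/sda" ]` default means pointing disko at the wrong device silently reformats it, so the file should open with a header spelling out the contract: GPT with a 256M ESP at /boot and a btrfs root split into /, /home and /nix subvolumes, destructive because `mkfs.btrfs -f` wipes whatever is on `disks`, and overridable per host through `_module.args.disks`. The mount options are also inconsistent — `/nix` gets `noatime` while `/` and `/home` do not; for a server `noatime` on all three (and `nosuid,nodev` on `/home`) is the usual choice.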