lander/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add base hosting-02

Browse source 
Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
This commit is contained in:
Lander Van den Bulcke 2025-09-09 22:34:34 +02:00
parent be802e3bf4
commit d2dbaff941
Signed by: lander
GPG key ID: 0142722B4B0C536F
6 changed files with 140 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.sops.yaml
View file

@ -3,6 +3,7 @@ keys:
- &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh - &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
- &db-01 age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn - &db-01 age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
- &hosting-01 age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv - &hosting-01 age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
- &hosting-02 age1hvrssz7k9akz66evj4kja53zvdtrss8k2ljxsh5myh2mru62sggqznlzrt
- &mail-01 age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza - &mail-01 age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza
creation_rules: creation_rules:
@ -23,6 +24,7 @@ creation_rules:
- age: - age:
- *db-01 - *db-01
- *hosting-01 - *hosting-01
- *hosting-02
- *mail-01 - *mail-01
pgp: pgp:
- *lander - *lander

7
flake.nix
View file

@ -98,6 +98,13 @@
./hosts/hosting-01 ./hosts/hosting-01
]; ];
}; };
hosting-02 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/hosting-02
];
};
mail-01 = nixpkgs.lib.nixosSystem { mail-01 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
specialArgs = { inherit inputs outputs; }; specialArgs = { inherit inputs outputs; };

15
hosts/common/servers/hetzner.nix
View file

@ -14,6 +14,21 @@
boot.initrd.kernelModules = [ "virtio_gpu" ]; boot.initrd.kernelModules = [ "virtio_gpu" ];
boot.kernelParams = [ "console=tty" ]; boot.kernelParams = [ "console=tty" ];
networking.useNetworkd = true;
systemd.network = {
enable = true;
networks = {
"30-wan" = {
matchConfig.Name = "enp1s0";
networkConfig.DHCP = "ipv4";
routes = [
{ Gateway = "fe80::1"; }
];
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;

57
hosts/common/servers/secrets.yaml
View file

@ -1,45 +1,54 @@
tailscale-authkey: ENC[AES256_GCM,data:qXgDw5Ua+J7XinLap+sco/9lVM/NMaj4Tpy6hlUJ+tcRoiSFVV1dQB1w20tt8/Rg,iv:bvKua+uX8jbfPAD5LwcEX+lDmCQpKImK7bfw9kKeDt4=,tag:J3hI/0BP99yjw6juYX/JSw==,type:str] tailscale-authkey: ENC[AES256_GCM,data:5gGzPfdHWB8dYJ0/pyy1ZLXgpTy0Vb3J+RDcRnSPBp9aS11iZJHBp+drNmrKGIzM,iv:bvKua+uX8jbfPAD5LwcEX+lDmCQpKImK7bfw9kKeDt4=,tag:XSTe6iLDWwPQG7ohCTjHIQ==,type:str]
sops: sops:
age: age:
- recipient: age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn - recipient: age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVVNJRFc4S2NOVTdVZGFu YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TUNKT0JtZEs3M0hEUjVt
VjVPSXlJcytGTUdSZ2RhZ0UraElweVVVTUZZClF6SWs2NkdnVUdDVmFPUXhDeGE3 WWJRUkFNSm9pVjRlVkk3RzVPeVZkNytUYVJRCnhzd0syd25HLzBTTFRBN3pXQUVW
RFJaV1c5QVQ4NEFjWVowU21hL2IyRFUKLS0tIE5rZVQzY1FSYmRWT1JaNDgzZXB1 VXJxakRZdzdGL3U0aFNrVEdTRVNBZUkKLS0tIDFrOC8ySVVYV3pLbDlDakpRZHhh
bHlYRWF1TWVkTTZ2SzdXbENPc1U2VmcKTPJ3SeHHoA5FOvOUMiWJdcKYGr9aXriZ SzlLWGwrYjVNcGFLVGNTTmhleXNZMEEKabv69KbHpVEGpknnuEO+1OgdWCtvdkP6
DuW/ijGrVV5zELOgXc/vAOSrsE9ZYW83QDXB80NRvOUnRNGyaax5Sg== fP55S4jIHjkONG1upwIxHj3YJO55nI5kA4XAx+5AOSntwN1iAXRciA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv - recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSHZNazl3WVJIL2N6dUx6 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTGFJTE5oU2tUcU1XcTVy
cUVZZCtpZWVnVklkU0FnL2REYkZuc0JPREgwCnFIZ2lyMW1HdjZLNDRpRTczMmJC ZDBiSTQ5bGppOGRjUEV4WG9lc2xFN1RIQTNzCmZuelNkUjhyZWtqSTNZWHhIRjhT
eDJLSkw2S0dyWXBSNlpPOTRJU0ZNQ28KLS0tIHErZENXUkJnektyazdFS2FNQ1JU UEpyeE9wdC9wSVZLckVzMVdQSXlhOTAKLS0tIGRBeXlWNHRyQkFpS2l2WlJHTnBI
ZFhhRm92SFpCc042U1p2VkE1a0dOZDAKFZuxY5YkAeINQRX/kcxAxIQMSEa7FATx WVRHWmE0QU1qK0NpT1QyL1ZZWXpmc3cK4UKRpOatiXqt2DvJmMlB2D+En4ufBXhe
8v8eFMZLCpHH3wS2+CgtAzxxDX4bIMsPhwDa4C1bvtWkGmUg/2R86Q== vdxhnMZgMlMhN0F+KkOEt8JD1jrbOQ0fn1KdDcsjqO4MBJJK1smB9Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hvrssz7k9akz66evj4kja53zvdtrss8k2ljxsh5myh2mru62sggqznlzrt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZGNYQW9pbEVQdTl3WEo2
ZWtHOHZzRmRMNkZHS1FjN1UrN0VGc0swc0JZClN3ckNrcXZoWTBpRGpGa0NSMkVY
K2ZVSmhuaHlQWUtqakRNTGVacDhScUkKLS0tIDl3czNRYUpra3Y2enlkMkRxUzlN
cDdhVlUyZGhsdHMzZ0E5andLVHVoNkkKocZp5EicX0pu1xaX+wYFfLqMoXxn5KiL
DsNPjAG//EslXpYq2UxXnWYaUKBq8fUr4moMG8omaoZ6KWgG8u1PeQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZnhqOGtXS1RMY3BaRjdz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdkpsYUlwVlFJVjBRQjJn
M2ViM3c2QzhCbTMvejdaOU9sRHd6M0ZzRHdRCnVmd0xiSUNqOHBaZGFkcmpaRU95 TWhpZlluTEYwV0I2cDVUYytUZisrL0lWWTBnCnc3THNqT1BzeGkraDUyV0dMWGFr
cW5oMHNycjZJN0RCc25tanJSQ1Q0TmMKLS0tIG9KeTdjdTJ2Vk43Um5BWmZVYlJ0 NEo0aEtkUGVxVmttc09RMXJjblRNQUUKLS0tIENIN0hFbVFsbnIwRnYxdmVqVHlN
SnBFVkJBMk5DdDR0YlpjbHFDVlFDTHMKtjJMgkybidVzSvSCjrdUVgAXjLzhWBv/ ZWFpdkxVVFpOUzRnUUFYYkIvcG0xa00Ktrrn8R69OF8wwsz9RuvKAiVtS+thbbNp
x7nYJp7O5PqKZRcWdmpDp6bNG4+ENrtnMBXw1AwR2iWvlZC9YOtmdw== 5DnmezbVOr6g3bNLnRQ/GDfesHqvCWTQ+Lv2t8tnXXbjXrNWcxOTgw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-02T21:02:01Z" lastmodified: "2025-09-09T21:18:09Z"
mac: ENC[AES256_GCM,data:oxLmFXvuLNbdiLFC8BCh8jb1gMctbdJeS88xuv27etLgn0P38KI2G4OFg7T03s/QK26lWvwt/0FSGc6o51p6FZ2KJLL8FtB96x2Q1QaJqNIUmU5WWnaJhQfRxiE+IDJgS4DkFYs8FMQhMorr1X8iVhQhoxpB5qKs7kVARAyF1FU=,iv:qhxdpeZCzEMoKJw5oVI6S1Y2OqpHRo67oI1guC1iRdM=,tag:F/YhPTth3NNtCZ/RVlQF1g==,type:str] mac: ENC[AES256_GCM,data:+GzVY/9R89YOL1dm0q1q3VSdsBa8krphFk8vOup+0XRn2BaLjwCIvOXQMBycVuRgMUHf77p1ETgpoj9quTDwJK8JDcP8pT6gfa/1mLuFz1I34cVk5f7Vx2BnX2Oh0LN+PXiMggbuySiNk3huOhgnrVCwwukT6PfvOXlYY5DVPPg=,iv:mp07YVgO0Xpp/XtOvD70hF+4ZGQJbn5EXxwPh2fXPMQ=,tag:dVwF6Y73DFeaNlYWLrqJWw==,type:str]
pgp: pgp:
- created_at: "2025-07-02T21:01:46Z" - created_at: "2025-09-09T21:20:01Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DARdpY4woM6wSAQdAVK+ifhksSiXmYzGNYQcv2dZbhYrgQQSsqmIKMfyYuk4w hF4DARdpY4woM6wSAQdAqzNqNtPjbYWAx9XIB+bdZjhIIfCTOm1hUrpCu7emwgMw
SEEGAA7mcqg9j4Cd2ozLnsX/3p5q41cdRapC0r4Tx/pW5dhE53g+K1OWkKNoq/1f WKfVFLeKJg+d/3PrR5hBoEfsj/IFUXiXDNrlpfr+VQCwd0XLMAM0WvFeod2gPe+1
0l4BG9rFb0AiidaQU/A2WcOZ7Idgy4CuimDCVW1j6Th6k3QHkVDdCv4oQRTVc48P 0l4BXxWsyWzDdukiLzqtHelEvaJk8UU3LfhqsmdmQoApbx0AkLGUAQLgiHWtDkj6
48VQ2A1jp0gyRQHFbjE1dwUSSvLrFaJu3O7kGz7WuCwAZH25HonUx9ParK18nB+j w+QeYq0CJbO5kCLO+kNCVSNoWDyGOokKqcMxglyaIjlkjodf/Xw56HAeF1BuxPmV
=jICO =BwAM
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

31
hosts/hosting-02/default.nix Normal file
View file

@ -0,0 +1,31 @@
{ ... }:
{
imports = [
./disk-config.nix
{
_module.args.disks = [ "/dev/sda" ];
}
../common/servers
];
time.timeZone = "Europe/Berlin";
networking.hostName = "hosting-02";
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
systemd.network.networks."30-wan".address = [
"2a01:4f8:c013:7fc0::/64"
];
security.acme.defaults.email = "landervandenbulcke@gmail.com";
security.acme.acceptTerms = true;
system.stateVersion = "25.05";
}

52
hosts/hosting-02/disk-config.nix Normal file
View file

@ -0,0 +1,52 @@
{
lib,
disks ? [ "/dev/sda" ],
...
}:
{
disko.devices = {
disk = lib.genAttrs disks (disk: {
device = disk;
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "256M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
main = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # override existing partition
subvolumes = {
"/" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/";
};
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
"/nix" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/nix";
};
};
};
};
};
};
});
};
}