add new baremetal server

targets/web01-old/configuration.nix

@@ -0,0 +1,13 @@
+{ self, ... }:
+let
+  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+in
+{
+  imports = [
+    self.nixosModules.web01
+    self.nixosModules.hcloud
+  ];
+  sops.defaultSopsFile = ./secrets.yaml;
+  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+  system.stateVersion = "23.05";
+}

targets/web01-old/nixos-vars.json

@@ -0,0 +1 @@
+{"ipv6_address":"2a01:4f9:c010:ab77::1","ssh_keys":["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIb3uuMqE/xSJ7WL/XpJ6QOj4aSmh0Ga+GtmJl3CDvljGuIeGCKh7YAoqZAi051k5j6ZWowDrcWYHIOU+h0eZCesgCf+CvunlXeUz6XShVMjyZo87f2JPs2Hpb+u/ieLx4wGQvo/Zw89pOly/vqpaX9ZwyIR+U81IAVrHIhqmrTitp+2FwggtaY4FtD6WIyf1hPtrrDecX8iDhnHHuGhATr8etMLwdwQ2kIBx5BBgCoiuW7wXnLUBBVYeO3II957XP/yU82c+DjSVJtejODmRAM/3rk+B7pdF5ShRVVFyB6JJR+Qd1g8iSH+2QXLUy3NM2LN5u5p2oTjUOzoEPWZo7lykZzmIWd/5hjTW9YiHC+A8xsCxQqs87D9HK9hLA6udZ6CGkq4hG/6wFwNjSMnv30IcHZzx6IBihNGbrisrJhLxEiKWpMKYgeemhIirefXA6UxVfiwHg3gJ8BlEBsj0tl/HVARifR2y336YINEn8AsHGhwrPTBFOnBTmfA/VnP1NlWHzXCfVimP6YVvdoGCCnAwvFuJ+ZuxmZ3UzBb2TenZZOzwzV0sUzZk0D1CaSBFJUU3oZNOkDIM6z5lIZgzsyKwb38S8Vs3HYE+Dqpkfsl4yeU5ldc6DwrlVwuSIa4vVus4eWD3gDGFrx98yaqOx17pc4CC9KXk/2TjtJY5xmQ==","ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine","ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDuhpzDHBPvn8nv8RH1MRomDOaXyP4GziQm7r3MZ1Syk"]}

targets/web01-old/secrets.auto.tfvars.sops.json

@@ -0,0 +1,24 @@
+{
+	"hetznerdns_token": "ENC[AES256_GCM,data:QMMn/j2Lv0Mz/2PhaYQygBjxEoU6f6hL23D5DrderFo=,iv:lOeXBlx/Lb7adzK2SKDKELxXNjlDNWVWQtLp+Mn6YaI=,tag:zTBP/IFdum6T5zITk+WU9A==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYlpjUjk4NzNuRXFLT1dS\nbW1EQXBVQ2NIUys3UVR0UE1mZGI4WVJpTVg4CkZqMlRZbS9vSFBpWXNrVXQ2MGVu\nNjhxMEx4dGZRcjBBdmFxcC9yaHN1ZlkKLS0tIHNSSUJVYUVaVU5ocmpZbVd0R2g3\nMnRzcTc5dXRTS1FvRGYwaWVKK29ZRnMKGRVM6m9Rela5ccZkxpEVtNkO/mC+D5kv\n6Yu8tR9BNY9EOyFGze/gNiQfam10vWZz/z9O0RCiE87TgVo7BUZk2g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bVl2anFPYW1ud2I0bk1K\nU3h1WjcvcWwzUzhJbUdYbWpWMzZ1RUplcFFvClkvZVZrNXpUTjBhNVkrcFZLVldZ\ncitveEtOZCtRRWViRUp2TDBjYXlCMncKLS0tIFZqNE1HR3ArNG9sRDJrOEl1QW15\nVUxpVzFOakR1elo1Z0J1cmpkRVFQNlkKegq9LtnVoD88SKCP13taMAZGQ4uZU+eQ\nZQ//y4E5MZxcz6cl0x91khMqIgXsZ92Qs0gNreC69NB4yt8Gp42oYQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-07-13T15:46:42Z",
+		"mac": "ENC[AES256_GCM,data:TYlJZLdIvaWD96RQg5RnUJyNAR69bze0f0+Ai37BfA0G6VEWDZqvc537vRFk7dj4R8kYCe4q79w7yWmSt30UUZ+SXHSjVcUU9WijO4QprrUz/q4r9ezVZfQLe6disaUDdgsqhQvkQSh0AJ5eJtcr1uVChOViVfH/nk/FfJgUc7s=,iv:ulkInzkkD2ZG8uSQW3vrkAjVD1gWExtultU8zhs2+aU=,tag:bxNP152hKrLBh2zKeGM8KA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

targets/web01-old/secrets.yaml

@@ -0,0 +1,52 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data:68nXUeyy7xh/KKdd4ajdrkuzc54ZpnXhMpPjaDYtwMLlHja/O/t7g4IlVgLTKWwgMbr5/lAj04cEI99dAuoARaE+p4ldQeQNzPb7ZOPyRmSnBgO/qgtZoKNLaIX7q+Mwl+vsa2d2ZSHG8Fu7hzNIELWHQoaIFi782U+yKt2LHhahdVyY/FUPcymi0EtrwCqBHKSlEu+SXiwDXT4f+PCBtyaCJT4T4Mo2+TbERur9r9YOnKG2GEg46lDwTrr6FMya5K2WBks7AQwQ+rpoHCEy05tTg3GTJd8DypLhemrHMD7HeYzRf+HnVCyTngxmoquCD5/g9OM+fu63GIsnbGItWxREfjfzvODKuPaVCOat4mWQr1pLch1lcIkxQhU4EXg4LgHUMXFnQFrR8rvRT++YK1nRLB3w/lyvU4PAoocYlNR3G9JEClRnu4GH615ILEjXhyUZyAHIGx1+W7M6j4aGFhm3NOJWCTctaFd5r6uUeTqDpV757UzgHIR5lhtlfjeL41r3mmN09os/HpKt9EZ0,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str]
+harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKSWhkgJbdY3gO/pfa0zsnvZTrAiljR8Ugh/x9z70T/XhjgZ/dIKqtcrGw0or9WPDmVzD4UHYm6iWR30MZLa9EBK0GFInlcSa/g==,iv:9HRnOaqP1iKMyyRX7evl6woZgfw9h4t7mBD98v/iBng=,tag:MQDio//aEOAOTVWlgADYDQ==,type:str]
+matrix-server-key: ENC[AES256_GCM,data:0148ezOFk8jX5KPQPCG0jQK9ajSfe/iOdUqlvys5/M8DrIwPXH9GzrkknwH+l8kF9ViTRDC/q5md8J2bj3/FBR/RW4rwjDrYx9cBEFm8wjHrywUlwON8kNKtj9ycJmXgtRyCrVGv7sBmODy0ZC5ZfWbhIQh6xWBkX2/rsSh4zwi/1PoHLpOO3u4=,iv:IwHPDi1E3R9LAY/seGpvx1U+N8mB9NMrUjLg4KMA1UA=,tag:pwRJ/CqkFN2eedrnMAaj2w==,type:str]
+registration-secret: ENC[AES256_GCM,data:EvPearZAxxb2irZFYgvy/tFA72h+IABuzwCbvy94IYR0eoHjuYw6GBde8CNUWG4SUiwyXJr4v438o/YThDhehsZ/cZFjg2o=,iv:ogN4/Iia5Zl95a3HP1KZoy86K8LyBFYw50cZUpkDNQo=,tag:5wU2OrNi7b5gWPfFZcGLjg==,type:str]
+gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQjQzUUx2cGtkdEZUUkhq
+            VGNlZTZzWVhYVmo3d1VGaDNkNHJNSDdkdkdjCmV4L0N5dHdDZVN2Sys2cVBqdXg2
+            bDZ2cDdnaGd5WnJaU21Fd0MxV1JGNEEKLS0tIE04ejBWeDRHeWJ1RGpTOWRvQWpt
+            V0wxNW4xQUdldEgzR0xKSERtRXdRdkEKWVDjODXiCfMm4TfmnURJAsX47rz+TC9d
+            T6a5mlGrMOrB9Vlpmw9ZlaXN6aUKLGKw2r3siq8I7RW4HJAYw2aZGA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTWdKNElYcU4rNzFTQjVq
+            c0ZjUjZGay9RMjFGNGFDWm5JaENRQVdoNm1JClZTRXIrTmttNGJLOW5XbnFtRnFM
+            QzFqeVhNQzRHL2xpVm5kNXRRaytpYlkKLS0tIHFmMTZQMWVaV010UVd4a25mTFdX
+            MXVDNGRUd2VsbWhwN25LMFV0a0YrZWcKTQSOjn4l+va5u+8CUrZgD2JlW/pSAgRz
+            RkOoOe1IHNgyG3Z5veZAtWdMtcq63JwkduC5Vf2aIuRlXnZP74wB8w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vphy2sr6uw4ptsua3gh9khrm2cqyt65t46tusmt44z98qa7q6ymq6prrdl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SStJbWNsVFN0cUMvMnp4
+            VCs1ai92MnBkRzd2Qko5NDZMZG15TytoNG5FClRPZEhYTzJ5ZkU3cTBwdjVrdHpF
+            RjZOeGczc08xWE1jUWYxeVUwclJINE0KLS0tIGM1bi9UWmxQelhxSWlMRmRNamFF
+            ci9xdEtzS0ZCUHN6SG1sUUh6aHA4bUUKraj2gMOPis4rQjT3D4qYqScaix4WGgFn
+            reMrrG8bM4XpwuwzY6rQIbb7tj93w0Mn0G2i+qfg1R6LmsqCPruK1w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhY1YvVTViWmFQYUlvMHBF
+            aXVPNnltb2RkL3hJYjF6RjNUbVBjaEtHUDN3CjRsQmMyNzY2cDF0RWJ0NGVLUE14
+            SkxYUExTUVZhWk9mOUdPYUNlYWRuY0UKLS0tIGNFV2krZU1PT0RUQ1AvalVwTDRD
+            YzRRV3VqL2V1WU5qOHlveEZERGMwVWcKi+XRZK28XMVKu0GVsKixBlExiGZ85pI2
+            LkM2KzNKMVcUtC6luRxI/hkY5UzAVnzzaMrRHY03rs5wkWJM74Tjlg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-13T14:38:59Z"
+    mac: ENC[AES256_GCM,data:jUKdCKb0Lw2+C+P5GfTt8zBw/LcAsBiyw/ShsJcpBmuokYgnkREJVokbeiVCql06a5IGnV3GBEzZvd+SnhRzKD9cgsu+ekwSzLGdVSv2j8B7il2M+L7IpBbUe/SnBKkQezKHaQ+mN2nJiCNtyjvPJKX16jmHVUx9yGee8tTi2sg=,iv:DwrfwR8BZDfBnG8CVPXZPSCMlBJbT1WFslGm6MM/j5E=,tag:Hqjp+qdhxXfM7O+ASQAcOw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

targets/web01-old/terraform.tf

@@ -0,0 +1,17 @@
+terraform {
+  backend "local" {}
+}
+
+variable "hetznerdns_token" {}
+
+module "web01" {
+  source           = "../../terraform/web01-old"
+  domain           = "clan.lol"
+  nixos_flake_attr = "web01-old"
+  nixos_vars_file  = "${path.module}/nixos-vars.json"
+  hetznerdns_token = var.hetznerdns_token
+  tags = {
+    Terraform = "true"
+    Target    = "web01-old"
+  }
+}

targets/web01-old/tf.sh

@@ -0,0 +1 @@
+../admins/tf.sh

targets/web01/configuration.nix

@@ -1,13 +1,20 @@
-{ self, ... }:
+{ self, config, ... }:
 let
-  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+  admins = builtins.fromJSON (builtins.readFile ../admins/users.json);
 in
 {
   imports = [
     self.nixosModules.web01
-    self.nixosModules.hcloud
+    self.nixosModules.hetzner-ex101
   ];
+  networking.hostName = "web01";
+  systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:3080:282a::1";
   sops.defaultSopsFile = ./secrets.yaml;
-  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+  users.users.root.openssh.authorizedKeys.keys = builtins.attrValues admins;
+
+  clan.networking.ipv4.address = "65.109.103.5";
+  clan.networking.ipv4.gateway = "65.109.103.1";
+  clan.networking.ipv6.address = config.systemd.network.networks."10-uplink".networkConfig.Address;
+
   system.stateVersion = "23.05";
 }

targets/web01/decrypt.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p coreutils sops openssh
+
+set -euox pipefail
+
+if [ $# -ne 1 ]; then
+  echo "Usage: $0 <host>"
+  exit 1
+fi
+
+HOST=$1
+temp=$(mktemp -d)
+trap 'rm -rf $temp' EXIT
+sops --extract '["cryptsetup_key"]' -d secrets.yaml > "$temp/secret.key"
+
+while ! ping -4 -W 1 -c 1 "$HOST"; do
+  sleep 1
+done
+while ! timeout 4 ssh -p 2222 "root@$HOST" true; do
+  sleep 1
+done
+
+ssh -p 2222 "root@$HOST" "cat > /crypt-ramfs/passphrase" < "$temp/secret.key"

targets/web01/nixos-vars.json

@@ -1 +1 @@
-{"ipv6_address":"2a01:4f9:c010:ab77::1","ssh_keys":["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIb3uuMqE/xSJ7WL/XpJ6QOj4aSmh0Ga+GtmJl3CDvljGuIeGCKh7YAoqZAi051k5j6ZWowDrcWYHIOU+h0eZCesgCf+CvunlXeUz6XShVMjyZo87f2JPs2Hpb+u/ieLx4wGQvo/Zw89pOly/vqpaX9ZwyIR+U81IAVrHIhqmrTitp+2FwggtaY4FtD6WIyf1hPtrrDecX8iDhnHHuGhATr8etMLwdwQ2kIBx5BBgCoiuW7wXnLUBBVYeO3II957XP/yU82c+DjSVJtejODmRAM/3rk+B7pdF5ShRVVFyB6JJR+Qd1g8iSH+2QXLUy3NM2LN5u5p2oTjUOzoEPWZo7lykZzmIWd/5hjTW9YiHC+A8xsCxQqs87D9HK9hLA6udZ6CGkq4hG/6wFwNjSMnv30IcHZzx6IBihNGbrisrJhLxEiKWpMKYgeemhIirefXA6UxVfiwHg3gJ8BlEBsj0tl/HVARifR2y336YINEn8AsHGhwrPTBFOnBTmfA/VnP1NlWHzXCfVimP6YVvdoGCCnAwvFuJ+ZuxmZ3UzBb2TenZZOzwzV0sUzZk0D1CaSBFJUU3oZNOkDIM6z5lIZgzsyKwb38S8Vs3HYE+Dqpkfsl4yeU5ldc6DwrlVwuSIa4vVus4eWD3gDGFrx98yaqOx17pc4CC9KXk/2TjtJY5xmQ==","ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine","ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDuhpzDHBPvn8nv8RH1MRomDOaXyP4GziQm7r3MZ1Syk"]}
+{"ipv6_address":"2a01:4f9:3080:282a::1"}

targets/web01/secrets.yaml

@@ -1,4 +1,9 @@
+cryptsetup_key: ENC[AES256_GCM,data:79qOTOi4ftTmIWuc/7bFf3NXaa2Fs6mTUfji,iv:xq9HM2uB4rr75qeZEAh2pFvEDAtXdFhsrT/manI7RqM=,tag:iELo+UHSplsQWIK9aQ+uMw==,type:str]
+initrd_ssh_key: ENC[AES256_GCM,data:SpSX6RgnpgVkd3sL+mJx0Lk6RnagfxwO1cUKtbj4wxlJHpSsBnI6+tGJjssoCp38jHOPYZ4U0IE960ojjtXyBL/sF37Sw0E8uDGr0rL/wuuQmzhF3AC9VfuDOQNbe0pYTr7HldzIvbDRowIShxqbKfBVizkR1bxZkmHfDpMKE1gGivFLYeHC+gSVgTBtPEgDCx361+I103K2kCczu2VGnfmfc9ExrTO6/7ruj2DRjFLOaVmkXe896KjN+YpTTjT85gjEZJ75AGEUNKCNppQRkM0RpJBJyRunHmKqxh5VnFnlbiklsX2S5ev07G9oqIu0kZI6XduQjj/okB/4SeoY9QE6FOj6dRi2WSBNGpT9fBnV4i6bv2Z612ISXwO0GGfXQeWE4mA8QSaJ9oa/fnVFb7WolU9DISq8sYPc85VXVJGCFZ17DDVGK/capjveGErXnk6lJieBwArN5xEZfr/tPL15Q1DNdyYOJwiL1bODQwxYExpFu32XJ/ZMDiucWDXnEwJJf7WpThh0FiAZFzGAJ0b3SeJpuQvK6xXD,iv:w+YuoZMUswV9sw31PXFLKHbinRit9twPDqofeojVdZo=,tag:eCYSUX5EA/NTD3yIdTC7PA==,type:str]
 ssh_host_ed25519_key: ENC[AES256_GCM,data:68nXUeyy7xh/KKdd4ajdrkuzc54ZpnXhMpPjaDYtwMLlHja/O/t7g4IlVgLTKWwgMbr5/lAj04cEI99dAuoARaE+p4ldQeQNzPb7ZOPyRmSnBgO/qgtZoKNLaIX7q+Mwl+vsa2d2ZSHG8Fu7hzNIELWHQoaIFi782U+yKt2LHhahdVyY/FUPcymi0EtrwCqBHKSlEu+SXiwDXT4f+PCBtyaCJT4T4Mo2+TbERur9r9YOnKG2GEg46lDwTrr6FMya5K2WBks7AQwQ+rpoHCEy05tTg3GTJd8DypLhemrHMD7HeYzRf+HnVCyTngxmoquCD5/g9OM+fu63GIsnbGItWxREfjfzvODKuPaVCOat4mWQr1pLch1lcIkxQhU4EXg4LgHUMXFnQFrR8rvRT++YK1nRLB3w/lyvU4PAoocYlNR3G9JEClRnu4GH615ILEjXhyUZyAHIGx1+W7M6j4aGFhm3NOJWCTctaFd5r6uUeTqDpV757UzgHIR5lhtlfjeL41r3mmN09os/HpKt9EZ0,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str]
+ssh_host_ed25519_key.pub: ENC[AES256_GCM,data:k5T5CX56wSm1DADOH47sGb1h65aPk3NSvQR6Rgu7ZzRrq4pF84ofaRMEJU5d9MHnb+Eg92jnibRNwKUH36e5c9PJXtU14aY2f7HzOCyVk7WXd8H0eOuOfzG5ICQ=,iv:CcqwTYnk1NkJpn9q1Rnz4ERxhhnn60h3sXqMd3ILTk4=,tag:LhAIzkeozvT4L7+vJ9ojnQ==,type:str]
+ssh_host_rsa_key: ENC[AES256_GCM,data:/f0EkmRbX9vSlhUmuJIAEJLs5R4ryxrtTN0hqcJlxTU9B0woh3pFK0GrXBbL1l5uvEQo2Vw2p7yeCqFch7ypfhBTRxD8IhWoc2l7trawhKa0bhhiQ8oQU47AW96ZCQHQx4h329PZBmFwjK31gtHoY3nkj862vWoFLucJs0yRkCVQJEgkjehO1KQbPU7PlYgUECPnpOgQW0wtGLSND20QyJyEQFSg0Vk7fWY6ycSiu+Piejg5MZVgdVofqEw/fEWyp0Za0P2SEyf0lyO8Ob/amObS1oHmLrb++bcOXl/BBqLPow+zx79juwmuFvhk/vZfeO1P04J83eg3f40s0HPP3g7SKjJTf0pYgdu3k3uXN3WsDWX0Tg3YfAxhKzIScM8gyrkCY4ju8fORGCRSzCddA1p1DvtsMAK5RmT6rSob3yS9nEYIlVUXeDsYGMtspoOd9vts0nS2QQ3VHIg27OYieixevzOtpCtyfogMIqMYgvwLlEzHt9Xi4uzFPxb5MQh0vt4PTy97pooCx0HHKYueMGeByZk2EMIVZzIBq1t3GEtj2bIiFIuAxPdU5odBCM29eJwBbwDw8Mngo/dF/HnDvx/AJ89wlbv1AtAqaIPPfQDUwdUJBhKW2rnKmef9E3oDiikhmDOq1UEAaf31NgrDL9nDrZ9nhHbkuL6Piets+jQ0yBCXVzP1ymHGqPAshlnYDSukAuZ8ByCPJr2p5LT09zYLyhtMMO04Qqcu7x8AMJ7Ha2iVgKDzukNcWEtNF5k2XmZ/lUidb7GZvdUsymkRxqAyZeWmP8DzjP7L+8LQhJhY4WixYsXQkVD8eTQyo+hHwQpM/j2XYwIaEOM/fEBvSVwR91U9J4ONqOD0SxIV/i9BoS472q3vjGbzQ1PyaNznvqBuL0WFfWVoUHNw+62LuOF57x6dhzy+et17xk5A4qmsQ2hScDLg6Ha4ygsGKbkLbFz+HQt7IUpIGAmN31ybtrkGR7Z973866njx7yLMFW4gR6bLgz/uNO55FNDLJ20YPSGtt6xoS2dDFfvJD9CTWaw7Z/kfGwjI/IEJgnFDNIEm3mIiM3f4O19m9EJy/ySXTYpTyGnRaEjz2DFIQiStNB+CmDuGgG4fTymFArGt2ieF+aB10E0pLJsZrV/62fRE37BXBuZWhCUshu1HfO9wkkooPunjqVN+5OqN+zgmi6nHzadlbnATK/dPcuBF6nA1wCQd/Y/qpFiYhy2NY1G3lG80/fUdwlTCYP+FFY4x+fxw4qh9J6XhNf1FFTcRpmrmhzjyjb6OvWCgdSRybBxzifTGaAWUde3UEpLHyZzd8Ag+etLwCcLBLeKPfVtfceqWYgkMp62zIXPZ5KZsDDQ8BN9JTMOEk93lL/vGmdXQhxioZ1NmA+Pi1dkSgDEDoUqZLL/FVrbsJ4v9WbpAexjcmKdVxJLCuzxzZKNfc8YeGc/xPgFRAC0BfTxGNkvKONIt6FGc7IF+lJze9HwDR5OLx+cFRhnGJjiw5OoguxRmMl5nzwFggmBCB1IZT4m6ADL8DaCw9RDjErmyz4wU5kROnGBLNgX6tWvYNStUFdIgSoXDAZxr5ArX4kpj93ls8rI+azvRHOATb5kLCS+N8JlyBQRjs22OGf/rjP5Tb7u857MSEy8TWtLwbt8PpL0Zg4h9pAzSgdZHPdVFMc/fZFOT8psVZn03jcsDETeya6uzMUHyBdGnbvbHrJ2y6MCbcWn8suacfBSANoicuhHXW1Kj8dNSpNYrD3xfHfU0s8ajR4HuG92GEGqV4NAb/IXXU5h14OH3bkt46dDABg3vV0bcunmtO8ReWcL4FKrehJU1ycfcgFMVGzxhOQObqWhCbWk3qS2YvUbK7ODzBFCqHUAwfJFNd1wnI+Ml7AjHdG+boFI07C6D0NX3mu1y9Mnns+9Ghr0kh30qeBux2hyz3jGjAy1qrhgbkyR6rBGEQoFz2iSueT867r4D5XPgIKeh8CR0ZkVMME2Z2DKpv3nfbKYZhXzAvQ8TYEueOvKT8f1zuDjcmo3x+GvVPYz1KntNKRrSN5pgPoQLiF1fHommEUAAXM90ysijUGw9K3w5FGrzd05ipcGRaUGb4bOglEezfzt3ODOoe5oW4P8LbnEu1I9GkoU7fDeNZJZ2ZrtL9zNpELo77daupcHt8Ytt6JwQaQcQXNmUcAgIg7sCet+063WES5jwDbR8UgZ5MYNC3Kca4zdI5Ki3ncWHecCtGKCNLeOTbSPb+iGzZI0Grb1pZXs2LfkU4Q2/GIPFF5lkDjPlXATuGh9SjR2xM8YQdYKBDjkMYITSdarjLPR51vGS+RgexJjFNNh3gY/qv8C0j1TUZ5C+FaT4H6A4KCJgo8Pb9hZsJ+hRM+yLDZeK3JUno1IckkLdBkB0E4s5l92ABg87AiTwHeYalQIJIb5mCaMOt4cu/0szWLvd32lmVHN08Xs9AapfG5StpAqSssx0/bbaPPdJW4D0ystMTit+SVvhwVqeGX+8LI0zVsJTzuJCUtfZosdOdThg9zjtYfQFChpogNUBu+4XD6ere02ihY4JvL8Souc2Rel9b/lB9bVAc9Vvq6YrqFsM0w1L1tkqG3TCZ2Mga3at04CP7wItDejmzkLPVEHm7OjuWtBEAl4vqUkV2bfkEzICQPwC6ugiTOQraJqXhlgWLPkBWsQBTxrMT5bnhPg5KvwjRbUXEHL5txqH8C/0EFsaU48Dg/y9CLq8ADIuTRE9R4tR63eOZ017ObkkQeNt76mq+S3DCTrvU+6qUNczLmi0BX5RWqNXJzD46KIEdjkQxr+NBCMC/QdVBdbt/orqNXpPqzVkgmLB4Uze6ppZ+64qWO/Ana7hVtb7cFv8MABIAFxII1y6DZAftA9kfZl1aL7JD4KLZVo9+PfKkH5Z4ZngRaNt2YAruqn0WmgwdPYoZTTCDgqxRfxsfh33LWYJQMV55Tc5UdDol1OpomUoKrNI+zOSeIvMO1C9tUupNjkWNlCEbwVSOqWh5tjMAtH1FSpZgAsqbxVvsYOsF8S/5TgdzMz7N9N4MoIdU2PEwLtOZAhMbTQR2iGIBGJQinFJvjPZGuYQF8+e29gDjRvEzOIuamwmuWtELfqmsFz346a8d/emZkMX8pyprt1afaX4xFfI8qFqm8Vj3Tx6Cd4ll7fQaWkNraPPetZBEKuuHnDfPAHzuYhgYKsIhxaMxkRfT+q7ihVdj6SgcLZRWxF2VyqwLKH6oKJljUso+FxQoY3SdF2bTSCGbIzKeLpej9NMq1rb8jLb1lI1weKY5Hg6cglt8UGSGvNY4qouh/9//Ab6dkEuEBwRvDgwC5a0y/wkGR8VQlsw0+17oudVhjbyv//8cPU8q+VSYrJ3QYJ63MjHAsu+5uukP0s2UuArzszROg2SdHGDdff5svZoG2hVptUgyGh8GlvTst7QDMIM+Wp/+Daer/7YUrqdIoOX+Por9u9++R+FLmnX/MGI3cV/TaeLEHVT6N/A8XtliicE1nWCcqvc+fwOg1WJIVkyyKRI1hPzVJudONOd54m5YKGxOIHNKNGSCu5i/K2Ft01tQMd7g3DcTGHiGys6cC+CkZvAFFXiOCvfhtAVqGKgbZxyJBzdUnkf6uqtP8TSP2+Ea8xUY2tq4Hg2FnC6sk6wuk9v5nE4e8XMyrYNWuZAiBeQ228ko6GOZyKaGxTqh2DQaFSvjNabtUbu5byiqdTySTvhTqV0HhruH1geb6VHNFiYAvV3dP5rIkCwIfRLyqHcNauOtgS+r+hKCg9vH7dFiQJugGzOvxM2yqi7762QCeMhaWAUxRR0m/x2dOymd8HKHUBY4fP7f6qExYE2l+yFbzms/KMaUyX9Ppspyhnw89b85fT1OsFhdphc4vzhN138YfXcOUQa4SjrCIO2D4/jrc46TlEh5byAucNSeX9da8PBE24vDl1vbMft9z/KK5dIRqbhb5TaSUgxUjfimbSaim9dh1jL94XPYmACy6EqYBIcKFNj9Ghw/J1e2xAnDs8S9HCCMiJHUUOCGTHFjpjq585iqasQvxPzccZfteXxObmOVrL7CjiiCY/+IuPnSoBvynPAW86Z7YLCYzx1yEgKcVbK0Q5qXJBjCQdqZ9/ySN0R9HSDW3m2+I6Q58sAMiU4hhzkIm/64GWAoJHqwZFX3aoJd4kYx0sgbWwvItn00UEmU6Q0AW2ZugV+95J3GRMuusq2IKdYOHFR+b538HWN8sk4nMKIRKaJDdFChBWmIF/ASDXwd29tM+nTHU/UNYTQTLp8J4JNtbbUbTADQ5Fy7xCiO0/UVZQju5iReJi0aqFZAHR6gSqMfWFEfISGjliCdt1Eo93YbBL+A66GgSgKX7vGWw0Q46yFzc0uQhfAIcwvT+wa5ZI6L50wJSr/TY1NF4prV/sTKRbeUGtOcO0MOpC1ToRxC+LTfmLYsxFBTg7uYFPDWOkHxwGkUTBCpDD5gs1PgAPekdJ5fiWVt1TdYqIuFexoe9+V,iv:zW+4q1dRbz8WYtDWoHXZMrdyBS+lbmgc/kLvaxluOKU=,tag:lg7uOWcUPXK1BCl6jVV7dg==,type:str]
+ssh_host_rsa_key.pub: ENC[AES256_GCM,data:Gqk5+cDBsYg84d5Y5vowhnPyGncW3bycpeZAsuclUbiET5z9nVzK2CT06ktQb+MHN8jytc7RfME0c2uk3lQxtFRqxmSYcE0fhM8Lg047eEIswRTYpW+54m2WQL4WYsfZorMRPiWEdt0m7l5dZAC7tOmplGo/ZJxtkhPmf8M142yYjoCgk5Fv24GQkuYh4tKwVYYfoVem1ALE64tl1PXT20uVzvq7kVUJ0Ge3UyEY1zLpg61O2N/3tQQ2FqlstulKHtXjwFkeERUhju7sIuL9VskHKwYbG2JJxlTY5XWMDFPU3Ey3VECsBwjxfcGspp8bP9KdNICsL8pSxkT/clKqkDY6AwW4/C8QXLsrijLbe4M9f9QK1KwunBBRj3nk0DXYySYrn++GyZJRPASyhALyBGf2cMNcbHhB+ARGqhxixUyCmXx+vDqvFe8SzuVGKXGm16uP02ZKgdUVwPByWFydqOISibtJiZxyEyWNCLKpYCiZMoZchZv5PZ/jdZe4kv5YBtK3SfNeyWxPijR5ye+JORPPhjBQJLtX5xtknWF/z2SmJu6iMIw4cjQvkNREVtGj/C2xsRPNhNeP+gpk0iy/VEWj6Mk/I2lI+23jbX1m/JElsj4ig/vnUOhZnI5FNvGjfavnTvVeKaXVAjnWk04rxF2zsxm5H91xSh6qUWe1fFBdgzG2KW4d69Kmi3I9zPo9p6GwqkKEHJdXd6KmLbSoPmfP22Gv6vYbFWl5NKKfPiimw+IXLAGyzz8gWHk7cLA4J9vGSiaxbdLkvbAbvdZJ9K97LmyYsFVzAuz75UbLqyGZysn18OceoSo3nTEiy/WCIjfXsKu95/lYOd6fycfDF+gpkp8ejw3C0JRiZ939CFpG/MrUpCQrgzz9xgKpcTy5w0yWt30naZGlVZ0kcAjv/Bd2X0ON/eEdBrq/MnJHaMDOuuVe9iA+lNVqhFMqEsemOUSJm7R1Ttug4PFdiaMYUg==,iv:9DD76j3rDz+KFw6BmC4mVfhfgadjCR1DXytfV6dKeHY=,tag:Z7Akx72UnALXIcdUIrYWpw==,type:str]
 harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKSWhkgJbdY3gO/pfa0zsnvZTrAiljR8Ugh/x9z70T/XhjgZ/dIKqtcrGw0or9WPDmVzD4UHYm6iWR30MZLa9EBK0GFInlcSa/g==,iv:9HRnOaqP1iKMyyRX7evl6woZgfw9h4t7mBD98v/iBng=,tag:MQDio//aEOAOTVWlgADYDQ==,type:str]
 matrix-server-key: ENC[AES256_GCM,data:0148ezOFk8jX5KPQPCG0jQK9ajSfe/iOdUqlvys5/M8DrIwPXH9GzrkknwH+l8kF9ViTRDC/q5md8J2bj3/FBR/RW4rwjDrYx9cBEFm8wjHrywUlwON8kNKtj9ycJmXgtRyCrVGv7sBmODy0ZC5ZfWbhIQh6xWBkX2/rsSh4zwi/1PoHLpOO3u4=,iv:IwHPDi1E3R9LAY/seGpvx1U+N8mB9NMrUjLg4KMA1UA=,tag:pwRJ/CqkFN2eedrnMAaj2w==,type:str]
 registration-secret: ENC[AES256_GCM,data:EvPearZAxxb2irZFYgvy/tFA72h+IABuzwCbvy94IYR0eoHjuYw6GBde8CNUWG4SUiwyXJr4v438o/YThDhehsZ/cZFjg2o=,iv:ogN4/Iia5Zl95a3HP1KZoy86K8LyBFYw50cZUpkDNQo=,tag:5wU2OrNi7b5gWPfFZcGLjg==,type:str]
@@ -12,41 +17,32 @@ sops:
         - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQjQzUUx2cGtkdEZUUkhq
-            VGNlZTZzWVhYVmo3d1VGaDNkNHJNSDdkdkdjCmV4L0N5dHdDZVN2Sys2cVBqdXg2
-            bDZ2cDdnaGd5WnJaU21Fd0MxV1JGNEEKLS0tIE04ejBWeDRHeWJ1RGpTOWRvQWpt
-            V0wxNW4xQUdldEgzR0xKSERtRXdRdkEKWVDjODXiCfMm4TfmnURJAsX47rz+TC9d
-            T6a5mlGrMOrB9Vlpmw9ZlaXN6aUKLGKw2r3siq8I7RW4HJAYw2aZGA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVTJrY2hIdis5eGJYQkdM
+            MUdGTmVkc2pxN1NjbkR2NVF6Uk11SnBSSUNrCnY0dXlTMnpTbnNJdjNJZHZtYWE4
+            YmlUWFpkUXdtbFh6R1BvTjd1UEZTRFUKLS0tIEdTMEozMFltVWJ0Q1BZS201eE50
+            UHcwNW5nNkdHL0w2d3g0RzBQZ1RrY3MKCDNdsobZ7wZOjBWOy0FmBR0i0afpHM/x
+            uDax1cdEXnh710TTI0Ck99KGthFRWBIeJH1xioC6TTsgmrgE4VPkNA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTWdKNElYcU4rNzFTQjVq
-            c0ZjUjZGay9RMjFGNGFDWm5JaENRQVdoNm1JClZTRXIrTmttNGJLOW5XbnFtRnFM
-            QzFqeVhNQzRHL2xpVm5kNXRRaytpYlkKLS0tIHFmMTZQMWVaV010UVd4a25mTFdX
-            MXVDNGRUd2VsbWhwN25LMFV0a0YrZWcKTQSOjn4l+va5u+8CUrZgD2JlW/pSAgRz
-            RkOoOe1IHNgyG3Z5veZAtWdMtcq63JwkduC5Vf2aIuRlXnZP74wB8w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vphy2sr6uw4ptsua3gh9khrm2cqyt65t46tusmt44z98qa7q6ymq6prrdl
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SStJbWNsVFN0cUMvMnp4
-            VCs1ai92MnBkRzd2Qko5NDZMZG15TytoNG5FClRPZEhYTzJ5ZkU3cTBwdjVrdHpF
-            RjZOeGczc08xWE1jUWYxeVUwclJINE0KLS0tIGM1bi9UWmxQelhxSWlMRmRNamFF
-            ci9xdEtzS0ZCUHN6SG1sUUh6aHA4bUUKraj2gMOPis4rQjT3D4qYqScaix4WGgFn
-            reMrrG8bM4XpwuwzY6rQIbb7tj93w0Mn0G2i+qfg1R6LmsqCPruK1w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwRWp6R3B2T3N0aE1GaU8r
+            cUppT0ZrNGJTTXhsZi9EU3dRZTNTR09tYVdvCmVBUFRVWkFTeHZVMDFhSDNQY1dL
+            T09zMjN4ZkZpNFRqZjVqWVRZOGdIaGcKLS0tIGNJbnBFNDAvMS9pdndVRklTNHZ2
+            UjRPRXB5RkxYUDN2TVE2ZTlzV0I5NGsK8tIxBNl0UFkAw1u8Jn7QjnDJ6dcr4+6P
+            iHXTDyxadZAljV5ZXlmzM1dm5p+v86jJ/KvYbA0dkga+CBEOUDt3Yw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhY1YvVTViWmFQYUlvMHBF
-            aXVPNnltb2RkL3hJYjF6RjNUbVBjaEtHUDN3CjRsQmMyNzY2cDF0RWJ0NGVLUE14
-            SkxYUExTUVZhWk9mOUdPYUNlYWRuY0UKLS0tIGNFV2krZU1PT0RUQ1AvalVwTDRD
-            YzRRV3VqL2V1WU5qOHlveEZERGMwVWcKi+XRZK28XMVKu0GVsKixBlExiGZ85pI2
-            LkM2KzNKMVcUtC6luRxI/hkY5UzAVnzzaMrRHY03rs5wkWJM74Tjlg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRDh2OWxJdjcwK0o1M3Nt
+            RXV4UTlnbFphR0JISG9ZcGorb1ppMzd4SVR3CnZTOW9YeHBKR3drTHdGb3pEZVI3
+            S3NtbDFHL2dlZlRKK3FIc0lwMGt1SzQKLS0tIEZrMWNLOEtuTXB5eE93Uy9nalhD
+            Q2J3VHNZZm13RlFwekJ6MHpPTmpZek0KiOqGozDqC5QQop5y+Scq+QHhVSXX43Ix
+            KS496VWzRCdXYdgMk9gleA0AjaOGdAZOzdxsMQrWo+XfHrCy/1fU/w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-13T14:38:59Z"
-    mac: ENC[AES256_GCM,data:jUKdCKb0Lw2+C+P5GfTt8zBw/LcAsBiyw/ShsJcpBmuokYgnkREJVokbeiVCql06a5IGnV3GBEzZvd+SnhRzKD9cgsu+ekwSzLGdVSv2j8B7il2M+L7IpBbUe/SnBKkQezKHaQ+mN2nJiCNtyjvPJKX16jmHVUx9yGee8tTi2sg=,iv:DwrfwR8BZDfBnG8CVPXZPSCMlBJbT1WFslGm6MM/j5E=,tag:Hqjp+qdhxXfM7O+ASQAcOw==,type:str]
+    lastmodified: "2023-07-18T12:55:47Z"
+    mac: ENC[AES256_GCM,data:suFEE3xr2EZtidjH2Qpp1TvcYIn7dBorWcRUqef82TCf0o8/zQmd02g4eqSXKSl+SQ8/cUm72EuEVqZtvzo+pqw6cJht1pkeRMHJGPMjlz7MelUZwQpb0PoUy5he6neA9BfLi455DTuFIpi7fQi/c9E0B9IfR3ocsDdOQzf8Le0=,iv:wh8MeQbQ/Azf1eSQk/XWT3vv0KNh+QBL++ob5aKZaC0=,tag:U/lQvBtvuZKqgm5bVdqAxQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

targets/web01/terraform.tf

@@ -5,11 +5,15 @@ terraform {
 variable "hetznerdns_token" {}
 
 module "web01" {
-  source           = "../../terraform/web01"
-  domain           = "clan.lol"
-  nixos_flake_attr = "web01"
-  nixos_vars_file  = "${path.module}/nixos-vars.json"
-  hetznerdns_token = var.hetznerdns_token
+  source            = "../../terraform/web01"
+  hostname          = "clan.lol"
+  dns_zone          = "clan.lol"
+  nixos_flake_attr  = ".#web01"
+  nixos_vars_file   = "${path.module}/nixos-vars.json"
+  hetznerdns_token  = var.hetznerdns_token
+  ipv4_address      = "65.109.103.5"
+  ipv6_address      = "2a01:4f9:3080:282a::1"
+  sops_secrets_file = "${abspath(path.module)}/secrets.yaml"
   tags = {
     Terraform = "true"
     Target    = "web01"

targets/web01/terraform.tfstate.1689686803.backup

@@ -0,0 +1,114 @@
+{
+  "version": 4,
+  "terraform_version": "1.5.2",
+  "serial": 37,
+  "lineage": "f0922169-b4f0-1871-87a0-ffc792457ef2",
+  "outputs": {},
+  "resources": [
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "hetznerdns_record",
+      "name": "adsp",
+      "provider": "module.web01.provider[\"registry.terraform.io/timohirt/hetznerdns\"]",
+      "instances": []
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "hetznerdns_record",
+      "name": "dkim",
+      "provider": "module.web01.provider[\"registry.terraform.io/timohirt/hetznerdns\"]",
+      "instances": []
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "hetznerdns_record",
+      "name": "dmarc",
+      "provider": "module.web01.provider[\"registry.terraform.io/timohirt/hetznerdns\"]",
+      "instances": []
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "hetznerdns_record",
+      "name": "matrix",
+      "provider": "module.web01.provider[\"registry.terraform.io/timohirt/hetznerdns\"]",
+      "instances": []
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "hetznerdns_record",
+      "name": "server_a",
+      "provider": "module.web01.provider[\"registry.terraform.io/timohirt/hetznerdns\"]",
+      "instances": []
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "hetznerdns_record",
+      "name": "server_aaaa",
+      "provider": "module.web01.provider[\"registry.terraform.io/timohirt/hetznerdns\"]",
+      "instances": []
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "hetznerdns_record",
+      "name": "spf",
+      "provider": "module.web01.provider[\"registry.terraform.io/timohirt/hetznerdns\"]",
+      "instances": []
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "local_file",
+      "name": "nixos_vars",
+      "provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "content": "{\"ipv6_address\":\"2a01:4f9:3080:282a::1\"}",
+            "content_base64": null,
+            "content_base64sha256": "ZuPe81EcTf/aUDkRB7cNnxWgqRQaMWG/FwN3ZR68w74=",
+            "content_base64sha512": "gomtSM3LLEFFwrBZYIDN4FJ47VF2JVbtlbuLcQuU2txHPeLLhRRrcvhJYqk8JKYfEMue1h8HK2TzL/RF/o7CZg==",
+            "content_md5": "73ae23b774900b9ebb7a005deedb7fd1",
+            "content_sha1": "c7ce82bad4084cff061c69531455d5b3862b1f20",
+            "content_sha256": "66e3def3511c4dffda50391107b70d9f15a0a9141a3161bf170377651ebcc3be",
+            "content_sha512": "8289ad48cdcb2c4145c2b0596080cde05278ed51762556ed95bb8b710b94dadc473de2cb85146b72f84962a93c24a61f10cb9ed61f072b64f32ff445fe8ec266",
+            "directory_permission": "0777",
+            "file_permission": "600",
+            "filename": "./nixos-vars.json",
+            "id": "c7ce82bad4084cff061c69531455d5b3862b1f20",
+            "sensitive_content": null,
+            "source": null
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "null_resource",
+      "name": "nixos-anywhere",
+      "provider": "provider[\"registry.terraform.io/hashicorp/null\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "3274908638910150703",
+            "triggers": {
+              "instance_id": "65.109.103.5"
+            }
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    }
+  ],
+  "check_results": null
+}

targets/web01/terraform.tfstate.1689687361.backup

@@ -0,0 +1,58 @@
+{
+  "version": 4,
+  "terraform_version": "1.5.2",
+  "serial": 40,
+  "lineage": "f0922169-b4f0-1871-87a0-ffc792457ef2",
+  "outputs": {},
+  "resources": [
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "local_file",
+      "name": "nixos_vars",
+      "provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "content": "{\"ipv6_address\":\"2a01:4f9:3080:282a::1\"}",
+            "content_base64": null,
+            "content_base64sha256": "ZuPe81EcTf/aUDkRB7cNnxWgqRQaMWG/FwN3ZR68w74=",
+            "content_base64sha512": "gomtSM3LLEFFwrBZYIDN4FJ47VF2JVbtlbuLcQuU2txHPeLLhRRrcvhJYqk8JKYfEMue1h8HK2TzL/RF/o7CZg==",
+            "content_md5": "73ae23b774900b9ebb7a005deedb7fd1",
+            "content_sha1": "c7ce82bad4084cff061c69531455d5b3862b1f20",
+            "content_sha256": "66e3def3511c4dffda50391107b70d9f15a0a9141a3161bf170377651ebcc3be",
+            "content_sha512": "8289ad48cdcb2c4145c2b0596080cde05278ed51762556ed95bb8b710b94dadc473de2cb85146b72f84962a93c24a61f10cb9ed61f072b64f32ff445fe8ec266",
+            "directory_permission": "0777",
+            "file_permission": "600",
+            "filename": "./nixos-vars.json",
+            "id": "c7ce82bad4084cff061c69531455d5b3862b1f20",
+            "sensitive_content": null,
+            "source": null
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "null_resource",
+      "name": "nixos-anywhere",
+      "provider": "provider[\"registry.terraform.io/hashicorp/null\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "2223496113651560298",
+            "triggers": {
+              "instance_id": "65.109.103.5"
+            }
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    }
+  ],
+  "check_results": null
+}

targets/web01/terraform.tfstate.1689688128.backup

@@ -0,0 +1,58 @@
+{
+  "version": 4,
+  "terraform_version": "1.5.2",
+  "serial": 43,
+  "lineage": "f0922169-b4f0-1871-87a0-ffc792457ef2",
+  "outputs": {},
+  "resources": [
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "local_file",
+      "name": "nixos_vars",
+      "provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "content": "{\"ipv6_address\":\"2a01:4f9:3080:282a::1\"}",
+            "content_base64": null,
+            "content_base64sha256": "ZuPe81EcTf/aUDkRB7cNnxWgqRQaMWG/FwN3ZR68w74=",
+            "content_base64sha512": "gomtSM3LLEFFwrBZYIDN4FJ47VF2JVbtlbuLcQuU2txHPeLLhRRrcvhJYqk8JKYfEMue1h8HK2TzL/RF/o7CZg==",
+            "content_md5": "73ae23b774900b9ebb7a005deedb7fd1",
+            "content_sha1": "c7ce82bad4084cff061c69531455d5b3862b1f20",
+            "content_sha256": "66e3def3511c4dffda50391107b70d9f15a0a9141a3161bf170377651ebcc3be",
+            "content_sha512": "8289ad48cdcb2c4145c2b0596080cde05278ed51762556ed95bb8b710b94dadc473de2cb85146b72f84962a93c24a61f10cb9ed61f072b64f32ff445fe8ec266",
+            "directory_permission": "0777",
+            "file_permission": "600",
+            "filename": "./nixos-vars.json",
+            "id": "c7ce82bad4084cff061c69531455d5b3862b1f20",
+            "sensitive_content": null,
+            "source": null
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "null_resource",
+      "name": "nixos-anywhere",
+      "provider": "provider[\"registry.terraform.io/hashicorp/null\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "1568182612899498697",
+            "triggers": {
+              "instance_id": "65.109.103.5"
+            }
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    }
+  ],
+  "check_results": null
+}

targets/web01/terraform.tfstate.1689688870.backup

@@ -0,0 +1,58 @@
+{
+  "version": 4,
+  "terraform_version": "1.5.2",
+  "serial": 49,
+  "lineage": "f0922169-b4f0-1871-87a0-ffc792457ef2",
+  "outputs": {},
+  "resources": [
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "local_file",
+      "name": "nixos_vars",
+      "provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "content": "{\"ipv6_address\":\"2a01:4f9:3080:282a::1\"}",
+            "content_base64": null,
+            "content_base64sha256": "ZuPe81EcTf/aUDkRB7cNnxWgqRQaMWG/FwN3ZR68w74=",
+            "content_base64sha512": "gomtSM3LLEFFwrBZYIDN4FJ47VF2JVbtlbuLcQuU2txHPeLLhRRrcvhJYqk8JKYfEMue1h8HK2TzL/RF/o7CZg==",
+            "content_md5": "73ae23b774900b9ebb7a005deedb7fd1",
+            "content_sha1": "c7ce82bad4084cff061c69531455d5b3862b1f20",
+            "content_sha256": "66e3def3511c4dffda50391107b70d9f15a0a9141a3161bf170377651ebcc3be",
+            "content_sha512": "8289ad48cdcb2c4145c2b0596080cde05278ed51762556ed95bb8b710b94dadc473de2cb85146b72f84962a93c24a61f10cb9ed61f072b64f32ff445fe8ec266",
+            "directory_permission": "0777",
+            "file_permission": "600",
+            "filename": "./nixos-vars.json",
+            "id": "c7ce82bad4084cff061c69531455d5b3862b1f20",
+            "sensitive_content": null,
+            "source": null
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "null_resource",
+      "name": "nixos-anywhere",
+      "provider": "provider[\"registry.terraform.io/hashicorp/null\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "2439104454362977938",
+            "triggers": {
+              "instance_id": "65.109.103.5"
+            }
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    }
+  ],
+  "check_results": null
+}

targets/web01/terraform.tfstate.1689689331.backup

@@ -0,0 +1,58 @@
+{
+  "version": 4,
+  "terraform_version": "1.5.2",
+  "serial": 52,
+  "lineage": "f0922169-b4f0-1871-87a0-ffc792457ef2",
+  "outputs": {},
+  "resources": [
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "local_file",
+      "name": "nixos_vars",
+      "provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "content": "{\"ipv6_address\":\"2a01:4f9:3080:282a::1\"}",
+            "content_base64": null,
+            "content_base64sha256": "ZuPe81EcTf/aUDkRB7cNnxWgqRQaMWG/FwN3ZR68w74=",
+            "content_base64sha512": "gomtSM3LLEFFwrBZYIDN4FJ47VF2JVbtlbuLcQuU2txHPeLLhRRrcvhJYqk8JKYfEMue1h8HK2TzL/RF/o7CZg==",
+            "content_md5": "73ae23b774900b9ebb7a005deedb7fd1",
+            "content_sha1": "c7ce82bad4084cff061c69531455d5b3862b1f20",
+            "content_sha256": "66e3def3511c4dffda50391107b70d9f15a0a9141a3161bf170377651ebcc3be",
+            "content_sha512": "8289ad48cdcb2c4145c2b0596080cde05278ed51762556ed95bb8b710b94dadc473de2cb85146b72f84962a93c24a61f10cb9ed61f072b64f32ff445fe8ec266",
+            "directory_permission": "0777",
+            "file_permission": "600",
+            "filename": "./nixos-vars.json",
+            "id": "c7ce82bad4084cff061c69531455d5b3862b1f20",
+            "sensitive_content": null,
+            "source": null
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    },
+    {
+      "module": "module.web01",
+      "mode": "managed",
+      "type": "null_resource",
+      "name": "nixos-anywhere",
+      "provider": "provider[\"registry.terraform.io/hashicorp/null\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "3032732216119874957",
+            "triggers": {
+              "instance_id": "65.109.103.5"
+            }
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    }
+  ],
+  "check_results": null
+}

terraform/web01-old/dns.tf

@@ -0,0 +1,88 @@
+locals {
+  subdomains = [
+    "@",
+    "git",
+    "mail",
+    "cache",
+    "matrix",
+    "www"
+  ]
+  domains = [
+    var.domain,
+    "www.${var.domain}",
+    "git.${var.domain}",
+    "mail.${var.domain}",
+    "cache.${var.domain}",
+    "matrix.${var.domain}",
+  ]
+}
+
+#resource "hetznerdns_zone" "server" {
+#  name = var.domain
+#  ttl  = 3600
+#}
+#
+#resource "hetznerdns_record" "server_a" {
+#  for_each = toset(local.subdomains)
+#  zone_id  = hetznerdns_zone.server.id
+#  name     = each.value
+#  type     = "A"
+#  value    = hcloud_server.server.ipv4_address
+#}
+#
+#resource "hetznerdns_record" "server_aaaa" {
+#  for_each = toset(local.subdomains)
+#  zone_id  = hetznerdns_zone.server.id
+#  name     = each.value
+#  type     = "AAAA"
+#  value    = hcloud_server.server.ipv6_address
+#}
+#
+## for sending emails
+#resource "hetznerdns_record" "spf" {
+#  zone_id = hetznerdns_zone.server.id
+#  name    = "@"
+#  type    = "TXT"
+#  value   = "\"v=spf1 ip4:${hcloud_server.server.ipv4_address} ip6:${hcloud_server.server.ipv6_address} ~all\""
+#}
+#
+#resource "hetznerdns_record" "dkim" {
+#  zone_id = hetznerdns_zone.server.id
+#  name    = "v1._domainkey"
+#  type    = "TXT"
+#  # take from `systemctl status opendkim`
+#  value = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTFSkQcM0v6mC4kiWEoF/EgK/hPVgOBJlHesLVIe+8BmidylaUowKlyC2gECipXhoVX9++OfMFAKNtGrIJcCTVNH/DRGkhbHLSxzzXijCbJ7G/fjpHRifpxMydEmybQDKdidR44YMR74Aj0OwUEgu+N/yJZ2+ubOlstW0fZJaJwQIDAQAB\""
+#}
+#
+#resource "hetznerdns_record" "adsp" {
+#  zone_id = hetznerdns_zone.server.id
+#  name    = "_adsp._domainkey"
+#  type    = "TXT"
+#  value   = "\"dkim=all;\""
+#}
+#
+#resource "hetznerdns_record" "matrix" {
+#  zone_id = hetznerdns_zone.server.id
+#  name    = "_matrix._tcp"
+#  type    = "SRV"
+#  value   = "0 5 443 matrix"
+#}
+#
+#resource "hetznerdns_record" "dmarc" {
+#  zone_id = hetznerdns_zone.server.id
+#  name    = "_dmarc"
+#  type    = "TXT"
+#  value   = "\"v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:joerc.dmarc@thalheim.io; ruf=mailto:joerg.dmarc@thalheim.io; pct=100\""
+#}
+
+resource "hcloud_rdns" "master_a" {
+  server_id  = hcloud_server.server.id
+  ip_address = hcloud_server.server.ipv4_address
+  dns_ptr    = "mail.${var.domain}"
+}
+
+resource "hcloud_rdns" "master_aaaa" {
+  server_id  = hcloud_server.server.id
+  ip_address = hcloud_server.server.ipv6_address
+  dns_ptr    = "mail.${var.domain}"
+}

terraform/web01-old/main.tf

@@ -0,0 +1,39 @@
+# Record the SSH public key into Hetzner Cloud
+data "hcloud_ssh_keys" "server" {
+  with_selector = "web01=true"
+}
+
+resource "hcloud_server" "server" {
+  image       = "debian-10"
+  keep_disk   = true
+  name        = "web01"
+  server_type = var.server_type
+  ssh_keys    = data.hcloud_ssh_keys.server.ssh_keys.*.name
+  backups     = false
+  labels      = var.tags
+
+  location = var.server_location
+
+  lifecycle {
+    # Don't destroy server instance if ssh keys changes.
+    ignore_changes  = [ssh_keys]
+    prevent_destroy = false
+  }
+}
+
+module "deploy" {
+  depends_on             = [local_file.nixos_vars]
+  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+  nixos_system_attr      = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
+  nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
+  target_host            = hcloud_server.server.ipv4_address
+  instance_id            = hcloud_server.server.id
+  debug_logging          = true
+}
+
+locals {
+  nixos_vars = {
+    ipv6_address = hcloud_server.server.ipv6_address
+    ssh_keys     = data.hcloud_ssh_keys.server.ssh_keys.*.public_key
+  }
+}

terraform/web01-old/nixos_vars.tf

@@ -0,0 +1,18 @@
+resource "local_file" "nixos_vars" {
+  content         = jsonencode(local.nixos_vars)
+  filename        = var.nixos_vars_file
+  file_permission = "600"
+
+  provisioner "local-exec" {
+    interpreter = ["bash", "-c"]
+    command     = "git add -f '${local_file.nixos_vars.filename}'"
+  }
+  # also pro-actively add hosts and flake-module.nix to git so nix can find it.
+  provisioner "local-exec" {
+    interpreter = ["bash", "-c"]
+    command     = <<EOT
+git add "$(dirname '${local_file.nixos_vars.filename}')"/{hosts,flake-module.nix}
+EOT
+    on_failure  = continue
+  }
+}

terraform/web01-old/providers.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    hcloud     = { source = "hetznercloud/hcloud" }
+    local      = { source = "hashicorp/local" }
+    hetznerdns = { source = "timohirt/hetznerdns" }
+  }
+}
+
+variable "hetznerdns_token" {}
+provider "hetznerdns" {
+  apitoken = var.hetznerdns_token
+}

terraform/web01-old/variables.tf

@@ -0,0 +1,32 @@
+variable "server_type" {
+  type        = string
+  default     = "cpx41"
+  description = "Hetzner cloud server type"
+}
+
+variable "server_location" {
+  type        = string
+  default     = "hel1"
+  description = "Hetzner cloud server location"
+}
+
+variable "nixos_vars_file" {
+  type        = string
+  description = "File to write NixOS configuration variables to"
+}
+
+variable "nixos_flake_attr" {
+  type        = string
+  description = "NixOS configuration flake attribute"
+}
+
+variable "domain" {
+  type        = string
+  description = "Domain name"
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "Tags to add to the server"
+}

terraform/web01/dns.tf

@@ -1,5 +1,5 @@
 locals {
-  subdomains = [
+  subhostnames = [
     "@",
     "git",
     "mail",
@@ -7,35 +7,35 @@ locals {
     "matrix",
     "www"
   ]
-  domains = [
-    var.domain,
-    "www.${var.domain}",
-    "git.${var.domain}",
-    "mail.${var.domain}",
-    "cache.${var.domain}",
-    "matrix.${var.domain}",
+  hostnames = [
+    var.hostname,
+    "www.${var.hostname}",
+    "git.${var.hostname}",
+    "mail.${var.hostname}",
+    "cache.${var.hostname}",
+    "matrix.${var.hostname}",
   ]
 }
 
 resource "hetznerdns_zone" "server" {
-  name = var.domain
+  name = var.dns_zone
   ttl  = 3600
 }
 
 resource "hetznerdns_record" "server_a" {
-  for_each = toset(local.subdomains)
+  for_each = toset(local.subhostnames)
   zone_id  = hetznerdns_zone.server.id
   name     = each.value
   type     = "A"
-  value    = hcloud_server.server.ipv4_address
+  value    = var.ipv4_address
 }
 
 resource "hetznerdns_record" "server_aaaa" {
-  for_each = toset(local.subdomains)
+  for_each = toset(local.subhostnames)
   zone_id  = hetznerdns_zone.server.id
   name     = each.value
   type     = "AAAA"
-  value    = hcloud_server.server.ipv6_address
+  value    = var.ipv6_address
 }
 
 # for sending emails
@@ -43,20 +43,20 @@ resource "hetznerdns_record" "spf" {
   zone_id = hetznerdns_zone.server.id
   name    = "@"
   type    = "TXT"
-  value   = "\"v=spf1 ip4:${hcloud_server.server.ipv4_address} ip6:${hcloud_server.server.ipv6_address} ~all\""
+  value   = "\"v=spf1 ip4:${var.ipv4_address} ip6:${var.ipv6_address} ~all\""
 }
 
 resource "hetznerdns_record" "dkim" {
   zone_id = hetznerdns_zone.server.id
-  name    = "v1._domainkey"
+  name    = "v1._hostnamekey"
   type    = "TXT"
   # take from `systemctl status opendkim`
-  value = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTFSkQcM0v6mC4kiWEoF/EgK/hPVgOBJlHesLVIe+8BmidylaUowKlyC2gECipXhoVX9++OfMFAKNtGrIJcCTVNH/DRGkhbHLSxzzXijCbJ7G/fjpHRifpxMydEmybQDKdidR44YMR74Aj0OwUEgu+N/yJZ2+ubOlstW0fZJaJwQIDAQAB\""
+  value = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpQeJirqh8VFGHRQBemqF5CeicC/5qHJn3vqKkVIOQNqkgp7IE+EZDg+MXoxMQZEJ0RbO0JpZZgYpOf3jf8o5w56WbE4dbpbi+9112R57k5w41R16Q0EUjf7MbrLJqcF6mtf+3bPklF9ngdcWhgN024YfhR9SlebCOapCVYqVt8QIDAQAB\""
 }
 
 resource "hetznerdns_record" "adsp" {
   zone_id = hetznerdns_zone.server.id
-  name    = "_adsp._domainkey"
+  name    = "_adsp._hostnamekey"
   type    = "TXT"
   value   = "\"dkim=all;\""
 }
@@ -74,15 +74,3 @@ resource "hetznerdns_record" "dmarc" {
   type    = "TXT"
   value   = "\"v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:joerc.dmarc@thalheim.io; ruf=mailto:joerg.dmarc@thalheim.io; pct=100\""
 }
-
-resource "hcloud_rdns" "master_a" {
-  server_id  = hcloud_server.server.id
-  ip_address = hcloud_server.server.ipv4_address
-  dns_ptr    = "mail.${var.domain}"
-}
-
-resource "hcloud_rdns" "master_aaaa" {
-  server_id  = hcloud_server.server.id
-  ip_address = hcloud_server.server.ipv6_address
-  dns_ptr    = "mail.${var.domain}"
-}

terraform/web01/install.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p coreutils sops openssh nix
+set -euox pipefail
+
+if [[ -z "${HOST:-}" ]]; then
+  echo "HOST is not set"
+  exit 1
+fi
+if [[ -z "${FLAKE_ATTR:-}" ]]; then
+  echo "FLAKE_ATTR is not set"
+  exit 1
+fi
+if [[ -z "${SOPS_SECRETS_FILE:-}" ]]; then
+  echo "SOPS_SECRETS_FILE is not set"
+  exit 1
+fi
+
+tmp=$(mktemp -d)
+trap 'rm -rf $tmp' EXIT
+
+
+mkdir -p "$tmp/etc/ssh" "$tmp/var/lib/secrets"
+for keyname in ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_ed25519_key ssh_host_ed25519_key.pub; do
+  if [[ "$keyname" == *.pub ]]; then
+    umask 0133
+  else
+    umask 0177
+  fi
+  sops --extract '["'$keyname'"]' -d "$SOPS_SECRETS_FILE" > "$tmp/etc/ssh/$keyname"
+done
+
+umask 0177
+sops --extract '["initrd_ssh_key"]' -d "$SOPS_SECRETS_FILE" > "$tmp/var/lib/secrets/initrd_ssh_key"
+# restore umask
+umask 0022
+
+ssh "root@$HOST" "modprobe dm-raid && modprobe dm-integrity"
+
+nix run --refresh github:numtide/nixos-anywhere -- \
+   --debug \
+   --disk-encryption-keys /tmp/secret.key <(sops --extract '["cryptsetup_key"]' --decrypt "$SOPS_SECRETS_FILE") \
+   --extra-files "$tmp" \
+   --flake "$FLAKE_ATTR" \
+   "root@$HOST"

terraform/web01/main.tf

@@ -1,39 +1,32 @@
-# Record the SSH public key into Hetzner Cloud
-data "hcloud_ssh_keys" "server" {
-  with_selector = "web01=true"
+locals {
 }
 
-resource "hcloud_server" "server" {
-  image       = "debian-10"
-  keep_disk   = true
-  name        = "web01"
-  server_type = var.server_type
-  ssh_keys    = data.hcloud_ssh_keys.server.ssh_keys.*.name
-  backups     = false
-  labels      = var.tags
-
-  location = var.server_location
-
-  lifecycle {
-    # Don't destroy server instance if ssh keys changes.
-    ignore_changes  = [ssh_keys]
-    prevent_destroy = false
+resource "null_resource" "nixos-anywhere" {
+  triggers = {
+    instance_id = var.ipv4_address
+  }
+  connection {
+    type = "ssh"
+    user = "root"
+    host = var.ipv4_address
+  }
+  provisioner "remote-exec" {
+    # needed because kexec is broken
+    # https://github.com/numtide/nixos-anywhere/issues/136
+    script = "${path.module}/nixosify.sh"
+  }
+  provisioner "local-exec" {
+    environment = {
+      HOST              = var.ipv4_address
+      FLAKE_ATTR        = var.nixos_flake_attr
+      SOPS_SECRETS_FILE = var.sops_secrets_file
+    }
+    command = "bash -x ${path.module}/install.sh"
   }
-}
-
-module "deploy" {
-  depends_on             = [local_file.nixos_vars]
-  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
-  nixos_system_attr      = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
-  nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
-  target_host            = hcloud_server.server.ipv4_address
-  instance_id            = hcloud_server.server.id
-  debug_logging          = true
 }
 
 locals {
   nixos_vars = {
-    ipv6_address = hcloud_server.server.ipv6_address
-    ssh_keys     = data.hcloud_ssh_keys.server.ssh_keys.*.public_key
+    ipv6_address = var.ipv6_address
   }
 }

terraform/web01/nixosify.sh

@@ -0,0 +1,76 @@
+#!/bin/sh
+
+set -eu
+
+installNix() {
+  if ! command -v nix >/dev/null; then
+    echo "Installing Nix..."
+    trap 'rm -f /tmp/nix-install' EXIT
+    if command -v curl; then
+      curl -L https://nixos.org/nix/install >/tmp/nix-install
+    elif command -v wget; then
+      wget -O /tmp/nix-install https://nixos.org/nix/install
+    else
+      echo "Please install curl or wget"
+      exit 1
+    fi
+    sh /tmp/nix-install --daemon --yes
+  fi
+  set +u
+  . /etc/profile
+  set -u
+}
+
+patchOsRelease() {
+  cat >/etc/os-release <<EOF
+ID=nixos
+VARIANT_ID=installer
+EOF
+}
+
+installTools() {
+  env=$(
+    cat <<EOF
+with import <nixpkgs> {}; 
+buildEnv { 
+  name = "install-tools"; 
+  paths = [ 
+    nix 
+    nixos-install-tools 
+    parted 
+    mdadm 
+    xfsprogs 
+    dosfstools 
+    btrfs-progs 
+    e2fsprogs 
+    jq 
+    util-linux 
+  ];
+}
+EOF
+  )
+  tools=$(nix-build --no-out-link -E "$env")
+
+  # check if /usr/local/bin is in PATH
+  if ! echo "$PATH" | grep -q /usr/local/bin; then
+    echo "WARNING: /usr/local/bin is not in PATH" >&2
+  fi
+
+  mkdir -p /usr/local/bin
+  for i in "$tools/bin/"*; do
+    ln -sf "$i" /usr/local/bin
+  done
+}
+
+applyHetznerZfsQuirk() {
+  if test -f /etc/hetzner-build; then
+    # Hetzner has dummy binaries here for zfs,
+    # however those won't work and even crashed the system.
+    rm -f /usr/local/sbin/zfs /usr/local/sbin/zpool /usr/local/sbin/zdb
+  fi
+}
+
+installNix
+patchOsRelease
+installTools
+applyHetznerZfsQuirk

terraform/web01/variables.tf

@@ -1,13 +1,11 @@
-variable "server_type" {
+variable "ipv4_address" {
   type        = string
-  default     = "cpx41"
-  description = "Hetzner cloud server type"
+  description = "IPv4 address of the machine"
 }
 
-variable "server_location" {
+variable "ipv6_address" {
   type        = string
-  default     = "hel1"
-  description = "Hetzner cloud server location"
+  description = "IPv6 address of the machine"
 }
 
 variable "nixos_vars_file" {
@@ -20,9 +18,19 @@ variable "nixos_flake_attr" {
   description = "NixOS configuration flake attribute"
 }
 
-variable "domain" {
+variable "sops_secrets_file" {
   type        = string
-  description = "Domain name"
+  description = "Path to SOPS secrets file storing the secrets for ssh keys and cryptsetup keys"
+}
+
+variable "hostname" {
+  type        = string
+  description = "Zone name of the machine"
+}
+
+variable "dns_zone" {
+  type        = string
+  description = "DNS zone to add the machine to"
 }
 
 variable "tags" {