wip: new server

modules/flake-module.nix

@@ -10,6 +10,12 @@
       ./single-disk.nix
     ];
 
+    hetzner-ex101.imports = [
+      inputs.srvos.nixosModules.hardware-hetzner-online-intel
+      ./xfs-lvm-crypto-raid.nix
+      ./hetzner-ex101.nix
+    ];
+
     web01.imports = [
       self.nixosModules.server
       inputs.srvos.nixosModules.mixins-nginx

modules/hetzner-ex101.nix

@@ -0,0 +1,7 @@
+{
+  # Enable raid support specifically, this will disable srvos's
+  # systemd-initrd as well, which currently is not compatible with mdraid.
+  boot.initrd.services.swraid.enable = true;
+  systemd.services.mdmonitor.enable = false;
+  boot.loader.systemd-boot.enable = true;
+}

modules/xfs-lvm-crypto-raid.nix

@@ -0,0 +1,85 @@
+{ self, lib, ... }:
+
+let
+  disk = index: {
+    type = "disk";
+    device = "/dev/nvme${toString index}n1";
+    content = {
+      type = "table";
+      format = "gpt";
+      partitions = [
+        {
+          part-type = "primary";
+          start = "0MB";
+          end = "1MB";
+          name = "boot";
+          flags = [ "bios_grub" ];
+          # systemd only wants to have one /boot partition
+          # should we rsync?
+        }
+      ] ++ (lib.optional (index == 0) {
+        name = "ESP";
+        start = "1MB";
+        end = "1G";
+        fs-type = "fat32";
+        bootable = true;
+        content = {
+          #type = "mdraid";
+          #name = "boot";
+          type = "filesystem";
+          format = "vfat";
+          mountpoint = "/boot";
+        };
+      }) ++
+      [{
+        start = "1G";
+        end = "100%";
+        name = "luks";
+        content = {
+          type = "luks";
+          name = "crypted${toString index}";
+          keyFile = "/tmp/secret.key";
+          content = {
+            type = "lvm_pv";
+            vg = "pool";
+          };
+        };
+      }];
+    };
+  };
+in
+{
+  imports = [
+    self.inputs.disko.nixosModules.disko
+  ];
+  disko.devices = {
+    disk = {
+      nvme0n1 = disk 0;
+      nvme1n1 = disk 1;
+    };
+
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "95%FREE";
+            lvm_type = "raid1";
+            extraArgs = [
+              "--raidintegrity"
+              "y"
+            ];
+            content = {
+              type = "filesystem";
+              format = "xfs";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}

targets/web01-new/configuration.nix

@@ -0,0 +1,14 @@
+{ self, ... }:
+let
+  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+in
+{
+  imports = [
+    self.nixosModules.web01
+    self.nixosModules.hetzner-ex101
+  ];
+  systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:3080:282a::1";
+  sops.defaultSopsFile = ./secrets.yaml;
+  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+  system.stateVersion = "23.05";
+}

targets/web01-new/nixos-vars.json

@@ -0,0 +1 @@
+{"ipv6_address":"2a01:4f9:c010:ab77::1","ssh_keys":["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIb3uuMqE/xSJ7WL/XpJ6QOj4aSmh0Ga+GtmJl3CDvljGuIeGCKh7YAoqZAi051k5j6ZWowDrcWYHIOU+h0eZCesgCf+CvunlXeUz6XShVMjyZo87f2JPs2Hpb+u/ieLx4wGQvo/Zw89pOly/vqpaX9ZwyIR+U81IAVrHIhqmrTitp+2FwggtaY4FtD6WIyf1hPtrrDecX8iDhnHHuGhATr8etMLwdwQ2kIBx5BBgCoiuW7wXnLUBBVYeO3II957XP/yU82c+DjSVJtejODmRAM/3rk+B7pdF5ShRVVFyB6JJR+Qd1g8iSH+2QXLUy3NM2LN5u5p2oTjUOzoEPWZo7lykZzmIWd/5hjTW9YiHC+A8xsCxQqs87D9HK9hLA6udZ6CGkq4hG/6wFwNjSMnv30IcHZzx6IBihNGbrisrJhLxEiKWpMKYgeemhIirefXA6UxVfiwHg3gJ8BlEBsj0tl/HVARifR2y336YINEn8AsHGhwrPTBFOnBTmfA/VnP1NlWHzXCfVimP6YVvdoGCCnAwvFuJ+ZuxmZ3UzBb2TenZZOzwzV0sUzZk0D1CaSBFJUU3oZNOkDIM6z5lIZgzsyKwb38S8Vs3HYE+Dqpkfsl4yeU5ldc6DwrlVwuSIa4vVus4eWD3gDGFrx98yaqOx17pc4CC9KXk/2TjtJY5xmQ==","ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}

targets/web01-new/secrets.auto.tfvars.sops.json

@@ -0,0 +1,24 @@
+{
+	"hetznerdns_token": "ENC[AES256_GCM,data:QMMn/j2Lv0Mz/2PhaYQygBjxEoU6f6hL23D5DrderFo=,iv:lOeXBlx/Lb7adzK2SKDKELxXNjlDNWVWQtLp+Mn6YaI=,tag:zTBP/IFdum6T5zITk+WU9A==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYlpjUjk4NzNuRXFLT1dS\nbW1EQXBVQ2NIUys3UVR0UE1mZGI4WVJpTVg4CkZqMlRZbS9vSFBpWXNrVXQ2MGVu\nNjhxMEx4dGZRcjBBdmFxcC9yaHN1ZlkKLS0tIHNSSUJVYUVaVU5ocmpZbVd0R2g3\nMnRzcTc5dXRTS1FvRGYwaWVKK29ZRnMKGRVM6m9Rela5ccZkxpEVtNkO/mC+D5kv\n6Yu8tR9BNY9EOyFGze/gNiQfam10vWZz/z9O0RCiE87TgVo7BUZk2g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bVl2anFPYW1ud2I0bk1K\nU3h1WjcvcWwzUzhJbUdYbWpWMzZ1RUplcFFvClkvZVZrNXpUTjBhNVkrcFZLVldZ\ncitveEtOZCtRRWViRUp2TDBjYXlCMncKLS0tIFZqNE1HR3ArNG9sRDJrOEl1QW15\nVUxpVzFOakR1elo1Z0J1cmpkRVFQNlkKegq9LtnVoD88SKCP13taMAZGQ4uZU+eQ\nZQ//y4E5MZxcz6cl0x91khMqIgXsZ92Qs0gNreC69NB4yt8Gp42oYQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-07-13T15:46:42Z",
+		"mac": "ENC[AES256_GCM,data:TYlJZLdIvaWD96RQg5RnUJyNAR69bze0f0+Ai37BfA0G6VEWDZqvc537vRFk7dj4R8kYCe4q79w7yWmSt30UUZ+SXHSjVcUU9WijO4QprrUz/q4r9ezVZfQLe6disaUDdgsqhQvkQSh0AJ5eJtcr1uVChOViVfH/nk/FfJgUc7s=,iv:ulkInzkkD2ZG8uSQW3vrkAjVD1gWExtultU8zhs2+aU=,tag:bxNP152hKrLBh2zKeGM8KA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

targets/web01-new/secrets.yaml

@@ -0,0 +1,43 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data:68nXUeyy7xh/KKdd4ajdrkuzc54ZpnXhMpPjaDYtwMLlHja/O/t7g4IlVgLTKWwgMbr5/lAj04cEI99dAuoARaE+p4ldQeQNzPb7ZOPyRmSnBgO/qgtZoKNLaIX7q+Mwl+vsa2d2ZSHG8Fu7hzNIELWHQoaIFi782U+yKt2LHhahdVyY/FUPcymi0EtrwCqBHKSlEu+SXiwDXT4f+PCBtyaCJT4T4Mo2+TbERur9r9YOnKG2GEg46lDwTrr6FMya5K2WBks7AQwQ+rpoHCEy05tTg3GTJd8DypLhemrHMD7HeYzRf+HnVCyTngxmoquCD5/g9OM+fu63GIsnbGItWxREfjfzvODKuPaVCOat4mWQr1pLch1lcIkxQhU4EXg4LgHUMXFnQFrR8rvRT++YK1nRLB3w/lyvU4PAoocYlNR3G9JEClRnu4GH615ILEjXhyUZyAHIGx1+W7M6j4aGFhm3NOJWCTctaFd5r6uUeTqDpV757UzgHIR5lhtlfjeL41r3mmN09os/HpKt9EZ0,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str]
+harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKSWhkgJbdY3gO/pfa0zsnvZTrAiljR8Ugh/x9z70T/XhjgZ/dIKqtcrGw0or9WPDmVzD4UHYm6iWR30MZLa9EBK0GFInlcSa/g==,iv:9HRnOaqP1iKMyyRX7evl6woZgfw9h4t7mBD98v/iBng=,tag:MQDio//aEOAOTVWlgADYDQ==,type:str]
+matrix-server-key: ENC[AES256_GCM,data:0148ezOFk8jX5KPQPCG0jQK9ajSfe/iOdUqlvys5/M8DrIwPXH9GzrkknwH+l8kF9ViTRDC/q5md8J2bj3/FBR/RW4rwjDrYx9cBEFm8wjHrywUlwON8kNKtj9ycJmXgtRyCrVGv7sBmODy0ZC5ZfWbhIQh6xWBkX2/rsSh4zwi/1PoHLpOO3u4=,iv:IwHPDi1E3R9LAY/seGpvx1U+N8mB9NMrUjLg4KMA1UA=,tag:pwRJ/CqkFN2eedrnMAaj2w==,type:str]
+registration-secret: ENC[AES256_GCM,data:EvPearZAxxb2irZFYgvy/tFA72h+IABuzwCbvy94IYR0eoHjuYw6GBde8CNUWG4SUiwyXJr4v438o/YThDhehsZ/cZFjg2o=,iv:ogN4/Iia5Zl95a3HP1KZoy86K8LyBFYw50cZUpkDNQo=,tag:5wU2OrNi7b5gWPfFZcGLjg==,type:str]
+gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVTJrY2hIdis5eGJYQkdM
+            MUdGTmVkc2pxN1NjbkR2NVF6Uk11SnBSSUNrCnY0dXlTMnpTbnNJdjNJZHZtYWE4
+            YmlUWFpkUXdtbFh6R1BvTjd1UEZTRFUKLS0tIEdTMEozMFltVWJ0Q1BZS201eE50
+            UHcwNW5nNkdHL0w2d3g0RzBQZ1RrY3MKCDNdsobZ7wZOjBWOy0FmBR0i0afpHM/x
+            uDax1cdEXnh710TTI0Ck99KGthFRWBIeJH1xioC6TTsgmrgE4VPkNA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwRWp6R3B2T3N0aE1GaU8r
+            cUppT0ZrNGJTTXhsZi9EU3dRZTNTR09tYVdvCmVBUFRVWkFTeHZVMDFhSDNQY1dL
+            T09zMjN4ZkZpNFRqZjVqWVRZOGdIaGcKLS0tIGNJbnBFNDAvMS9pdndVRklTNHZ2
+            UjRPRXB5RkxYUDN2TVE2ZTlzV0I5NGsK8tIxBNl0UFkAw1u8Jn7QjnDJ6dcr4+6P
+            iHXTDyxadZAljV5ZXlmzM1dm5p+v86jJ/KvYbA0dkga+CBEOUDt3Yw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRDh2OWxJdjcwK0o1M3Nt
+            RXV4UTlnbFphR0JISG9ZcGorb1ppMzd4SVR3CnZTOW9YeHBKR3drTHdGb3pEZVI3
+            S3NtbDFHL2dlZlRKK3FIc0lwMGt1SzQKLS0tIEZrMWNLOEtuTXB5eE93Uy9nalhD
+            Q2J3VHNZZm13RlFwekJ6MHpPTmpZek0KiOqGozDqC5QQop5y+Scq+QHhVSXX43Ix
+            KS496VWzRCdXYdgMk9gleA0AjaOGdAZOzdxsMQrWo+XfHrCy/1fU/w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-13T14:38:59Z"
+    mac: ENC[AES256_GCM,data:jUKdCKb0Lw2+C+P5GfTt8zBw/LcAsBiyw/ShsJcpBmuokYgnkREJVokbeiVCql06a5IGnV3GBEzZvd+SnhRzKD9cgsu+ekwSzLGdVSv2j8B7il2M+L7IpBbUe/SnBKkQezKHaQ+mN2nJiCNtyjvPJKX16jmHVUx9yGee8tTi2sg=,iv:DwrfwR8BZDfBnG8CVPXZPSCMlBJbT1WFslGm6MM/j5E=,tag:Hqjp+qdhxXfM7O+ASQAcOw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

targets/web01-new/terraform.tf

@@ -0,0 +1,17 @@
+terraform {
+  backend "local" {}
+}
+
+variable "hetznerdns_token" {}
+
+module "web01" {
+  source           = "../../terraform/web01"
+  domain           = "clan.lol"
+  nixos_flake_attr = "web01"
+  nixos_vars_file  = "${path.module}/nixos-vars.json"
+  hetznerdns_token = var.hetznerdns_token
+  tags = {
+    Terraform = "true"
+    Target    = "web01"
+  }
+}

targets/web01-new/tf.sh

@@ -0,0 +1 @@
+../admins/tf.sh