Add barebone server "alto"

.sops.yaml

@@ -1,5 +1,6 @@
 keys:
   # Hosts
+  - &alto age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t
   - &fern age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
   - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
   - &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp
@@ -11,6 +12,11 @@ keys:
 
 creation_rules:
   # Hosts
+  - path_regex: hosts/alto/secrets.yaml$
+    key_groups:
+      - age:
+          - *seb-admin
+          - *alto
   - path_regex: hosts/fern/secrets.yaml$
     key_groups:
       - age:

flake/hosts.nix

@@ -24,16 +24,25 @@ in
 {
   flake = {
     nixosConfigurations = lib.mkMerge [
+      (mkHost "alto")
       (mkHost "fern")
       (mkHost "north")
       (mkHost "stratus")
     ];
 
-    deploy.nodes.stratus = {
-      hostname = "stratus";
-      sshUser = "root";
-      remoteBuild = true;
-      profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.stratus;
+    deploy.nodes = {
+      stratus = {
+        hostname = "stratus";
+        sshUser = "root";
+        remoteBuild = true;
+        profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.stratus;
+      };
+      alto = {
+        hostname = "alto";
+        sshUser = "root";
+        remoteBuild = true;
+        profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.alto;
+      };
     };
   };
 }

hosts/alto/default.nix

@@ -0,0 +1,19 @@
+{
+  imports = [
+    ../shared.nix
+    ./hardware.nix
+    ./disko.nix
+  ];
+
+  system.stateVersion = "24.11";
+
+  myConfig = {
+    boot.loader.systemdBoot.enable = true;
+    sops.enable = true;
+    tailscale = {
+      enable = true;
+      ssh.enable = true;
+      exitNode.enable = true;
+    };
+  };
+}

hosts/alto/disko.nix

@@ -0,0 +1,41 @@
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = "/dev/vda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          ESP = {
+            type = "EF00";
+            size = "500M";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "pool";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg.pool = {
+      type = "lvm_vg";
+      lvs.root = {
+        size = "100%FREE";
+        content = {
+          type = "filesystem";
+          format = "ext4";
+          mountpoint = "/";
+          mountOptions = [ "defaults" ];
+        };
+      };
+    };
+  };
+}

hosts/alto/hardware.nix

@@ -0,0 +1,43 @@
+{ modulesPath, inputs, ... }:
+{
+  imports = [
+    inputs.disko.nixosModules.default
+    "${modulesPath}/profiles/qemu-guest.nix"
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "sr_mod"
+    "virtio_blk"
+  ];
+
+  zramSwap.enable = true;
+
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    networks."10-ens3" = {
+      matchConfig.Name = "ens3";
+      address = [
+        "152.53.85.193/22"
+        "2a0a:4cc0:c0:23bd::/64"
+      ];
+      routes = [
+        { Gateway = "152.53.84.1"; }
+        { Gateway = "fe80::1"; }
+      ];
+      dns = [
+        "46.38.225.230"
+        "46.38.252.230"
+        "2a03:4000:0:1::e1e6"
+        "2a03:4000:8000::fce6"
+      ];
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+  services.resolved.enable = true;
+}

hosts/alto/secrets.yaml

@@ -0,0 +1,31 @@
+seb-password: ENC[AES256_GCM,data:oGrXukkbK9qYYo0ci+F4RwiwlRyme/+ypJozgiqH2DFd33SyjYnzX6u2f6a0+rIfwxO45dUrXCJyidWE2Fw26xE/uH9nPmDzuw==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag://NpB2SnxWlJPHNp92hdVA==,type:str]
+tailscale-auth-key: ENC[AES256_GCM,data:lGXbnNHnlKSv2Po4J7yTVOdCxwgxENBglp/MLZnIpdqVxEkO3D2Risi4iPkVPnPyKBuI4hog4xtGyiUH5L4=,iv:Cvc8+VPRpPrNYTcWjBYBPzYAwy80hJv1VCR8hrMh4AM=,tag:+qt5Caaxfig6TqoJm/uCwg==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cVR4NThpT1FmWWR0NVl5
+        djFPYWM1MTFtNTc0R05vRzdHYURYcnc3V2lFCmg1MDNDaWJNNmdXb3FxVmV4UHkr
+        MnB4U09PMDVadHFZQ0VwQjFsL3hVQmcKLS0tIG9pemROZFhweiticzExdUVyK3NG
+        SDR6cXhBTmNTa1BTeEhlSXRwSmVEOWcKcL/594j/dbbUJTeE4REtMRbNZwIElYEq
+        vmkKTEvvqyWWeOhu6e2zN2OSY7FJIstirbzU0S7MSJhUOe4LwvXOOg==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBac0VBTXZVdmpjc29oMkJT
+        VXhoZnJaWkFjVEVtelphMzlBM1BaNjM3VjBNCjV3U2JwUnRjeEhWWVlMbmZHcjJP
+        T1VNUDlNUTM1UjlVdkNGN1BrWHNpVTQKLS0tIDkyWGZVTWFIQzJrVDQ2U0ErQXRm
+        dEhnSkQ5SDlnbmhGSVdYaDNuc3ZkM00K7WPEZRYWAd7uGY0IcDwGgQVPrpkF/tnz
+        ncj03JXM4BXwvEQOmD/i6wS4U4WCwkh9EauGJljVFTeu6TciomDULQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-03-27T20:51:15Z"
+  mac: ENC[AES256_GCM,data:e0DDr/JHEdceS1ZZBRwdiG783MN5UulCz5GIEhvy3psqMirVBSsnXYGavEwg6E550Dby6wGdaqpFPjorBhj2Qb441gFf6IVGDPGSQg1JVzKpkMVhYBiW9vlshG2dSONcKe2J92O0uIA05Cp7uiv48bUBj13MovvCqvS0O17QCns=,iv:tNC4gk4ardfK01t/LKY73Uzdvn/R5BPdtIaPXR6g1x4=,tag:vygO6ZeQiIySEXREYPprbw==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.4

users/seb/@alto/default.nix

@@ -0,0 +1 @@
+{ imports = [ ../user.nix ]; }