Rename hosts again

2026-01-21 18:41:34 +01:00 · 2025-09-05 19:07:20 +02:00 · 2025-09-05 19:07:20 +02:00 · 8b82dd4e18
commit 8b82dd4e18
parent d4ef1575ff
15 changed files with 0 additions and 0 deletions
--- a/hosts/srv-public/default.nix
+++ b/hosts/srv-public/default.nix
@ -0,0 +1,100 @@
+{ config, ... }:
+{
+  system.stateVersion = "24.11";
+
+  meta = {
+    domains.validate = true;
+    ports.validate = true;
+  };
+
+  custom = {
+    sops = {
+      enable = true;
+      agePublicKey = "age1dnpwfwh0h95r63e5qfjc2gvffw2tr2tx4new7sq2h3qs90kx9fmq322mx4";
+    };
+
+    boot.loader.grub.enable = true;
+
+    services = {
+      resolved.enable = true;
+      tailscale = {
+        enable = true;
+        ssh.enable = true;
+      };
+
+      crowdsec = {
+        enable = true;
+        firewallBouncer.enable = true;
+        sources = [
+          "sshd"
+          "iptables"
+          "caddy"
+        ];
+      };
+
+      forgejo = {
+        enable = true;
+        doBackups = true;
+        domain = "git.sstork.dev";
+        ssh.enable = true;
+      };
+
+      hedgedoc = {
+        enable = true;
+        doBackups = true;
+        domain = "docs.sprouted.cloud";
+      };
+
+      it-tools = {
+        enable = true;
+        domain = "tools.sprouted.cloud";
+      };
+
+      stirling-pdf = {
+        enable = true;
+        domain = "pdf.sprouted.cloud";
+      };
+
+      privatebin = {
+        enable = true;
+        domain = "pastebin.sprouted.cloud";
+      };
+
+      openspeedtest = {
+        enable = true;
+        domain = "speedtest.sprouted.cloud";
+      };
+
+      caddy.virtualHosts =
+        let
+          inherit (config.custom) services;
+        in
+        {
+          forgejo = {
+            inherit (services.forgejo) domain port;
+          };
+          hedgedoc = {
+            inherit (services.hedgedoc) domain port;
+          };
+          it-tools = {
+            inherit (services.it-tools) domain port;
+          };
+          stirling-pdf = {
+            inherit (services.stirling-pdf) domain port;
+          };
+          privatebin = {
+            inherit (services.privatebin) domain port;
+          };
+          openspeedtest = {
+            inherit (services.openspeedtest) domain port;
+            tls = false;
+            extraReverseProxyConfig = ''
+              request_buffers 35MiB
+              response_buffers 35MiB
+              flush_interval -1
+            '';
+          };
+        };
+    };
+  };
+}
--- a/hosts/srv-public/disko.nix
+++ b/hosts/srv-public/disko.nix
@ -0,0 +1,36 @@
+{
+  disko.devices = {
+    disk.main = {
+      device = "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            size = "1M";
+            type = "EF02";
+          };
+          root = {
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "pool";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg.pool = {
+      type = "lvm_vg";
+      lvs.root = {
+        size = "100%FREE";
+        content = {
+          type = "filesystem";
+          format = "ext4";
+          mountpoint = "/";
+          mountOptions = [ "defaults" ];
+        };
+      };
+    };
+  };
+}
--- a/hosts/srv-public/hardware.nix
+++ b/hosts/srv-public/hardware.nix
@ -0,0 +1,47 @@
+{ modulesPath, inputs, ... }:
+{
+  imports = [
+    inputs.disko.nixosModules.default
+    "${modulesPath}/profiles/qemu-guest.nix"
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+
+  zramSwap.enable = true;
+
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    networks."10-enp1s0" = {
+      matchConfig.Name = "enp1s0";
+      linkConfig.RequiredForOnline = "routable";
+      networkConfig.DHCP = "no";
+      address = [
+        "91.99.70.118/32"
+        "2a01:4f8:1c1b:ffc7::1/64"
+      ];
+      routes = [
+        {
+          Gateway = "172.31.1.1";
+          GatewayOnLink = true;
+        }
+        { Gateway = "fe80::1"; }
+      ];
+      dns = [
+        "1.1.1.1"
+        "8.8.8.8"
+        "2606:4700:4700::1111"
+        "2001:4860:4860::8888"
+      ];
+    };
+  };
+}
--- a/hosts/srv-public/secrets.json
+++ b/hosts/srv-public/secrets.json
@ -0,0 +1,41 @@
+{
+  "seb-password": "ENC[AES256_GCM,data:/J83cgpBhjl6VveVZTX0ElEyexn3G3pZp6RKgfbR39QoG/5mExOk2xM999YFb5/vGaivogGQeFhwQ0j5Ij0KdaWCTXkFIQtfBw==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:QTqmyyywH0cV5rGQhPBBGg==,type:str]",
+  "tailscale": {
+    "auth-key": "ENC[AES256_GCM,data:tv7GTrMc0dtFRpvPLEEegLizRc4Du9KQRlUpbt60o3j9309IXqE1XyndnmzCoSpYiPNASc8tXTp98s3Jqg==,iv:1UmMkobgm/GWM/5NjIYTDnNva13mcxqkX01uyPISNRo=,tag:aHqA3JXwTs0qc0opwiKZXg==,type:str]"
+  },
+  "hedgedoc": {
+    "gitlab-auth-secret": "ENC[AES256_GCM,data:vxgXbP+6mtWpjgfsEaFHJd5IVM+oPPHhYNqwO76+Zw9j2fZZane4T9YUixUvM3kYQwW+Ml/gRHn9GjgM1fIYRRKAsbO1wA==,iv:lyfWZFwZjdP005X4USGKM1OWKu3W8YTZ0oWODhF/uPI=,tag:3Kj1/pUjMo8GjIDTdPBo1A==,type:str]"
+  },
+  "forgejo": {
+    "admin-password": "ENC[AES256_GCM,data:DOZah26AGeR89kgeIvWPCJlVRxML9r7F2g==,iv:4BCOmHxzCr4Z3975MN4mr/lyeEVyJhwuGfDxek6GiSI=,tag:IsgsIhrTEMRp1/FFFQbyhA==,type:str]"
+  },
+  "restic": {
+    "password": "ENC[AES256_GCM,data:gMd4G8o83r3sTZEH1kRkn05Mye96sHV2mdRWNbbS,iv:E2hBYbvpCMDul81lgUBNVr5Fm7x0u1f9cEkma9jKwYE=,tag:CeFrP3pO1VmGxcvj7b7pYA==,type:str]"
+  },
+  "backblaze": {
+    "key-id": "ENC[AES256_GCM,data:f/diWMmhlyenBfNJKpFHFXQ0QxcW7iS4TA==,iv:FOG6YYp7IeZ/m5p5TRTpzlg2w0ElKXte84ZKU5+3Wlo=,tag:lzhjZDPYWZsCITTmdS0JJg==,type:str]",
+    "application-key": "ENC[AES256_GCM,data:/ONsUFVMHBOHydGpYpsZVpoZ00k6mrhf5e0l3GjINw==,iv:hTCeTWLuUwePgVSksg8EKOJ42b1SmfhTifFk0PDYoMA=,tag:mHo+uBTmT0Y4Sd4PoNT1EA==,type:str]"
+  },
+  "healthchecks": {
+    "ping-key": "ENC[AES256_GCM,data:Lwn1O9M9jXmLYv203lUqSxD02qUDpA==,iv:3pfIJ4LhgOw2hHm75OiWdrqcBTD8h5yCwik50tXDp4E=,tag:T4ND3XCnevBGqpriugu8HQ==,type:str]"
+  },
+  "crowdsec": {
+    "enrollment-key": "ENC[AES256_GCM,data:gcoLmZGUqH0brtvcXiZwXr7CSc9GfEWkvA==,iv:ZLz/3LXSYVXQtcyPZ62qOuslexdXh7jvX0MzoXjlRgM=,tag:V/SwXnNDQkiRQEu90ZTnTg==,type:str]"
+  },
+  "sops": {
+    "age": [
+      {
+        "recipient": "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5",
+        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTldDcUk1dGVRMzNmZUhw\nbzFRYUdNM3ZQanFIbkpyc2lqeTlLNFJEVzNrCjlnK2pRSnVmUU5WeGo1VW5kVjZp\nb1hTZFB3eVZPL2xpU0F0MlBlTVNVTE0KLS0tIGU2YlRhMG9QRi9uYkVCOFlGTVhK\nUS82UEZXeUZxT2Fub3dRenNSTGVDdnMKJlKpdZdKGGKHcvczYNnzSz6T79mlT67I\nQxNZvBQI+rZ6bNxDu4LqbtwCqRVu1uJLdedGY1VPF3ZIwfuzewyVDA==\n-----END AGE ENCRYPTED FILE-----\n"
+      },
+      {
+        "recipient": "age1dnpwfwh0h95r63e5qfjc2gvffw2tr2tx4new7sq2h3qs90kx9fmq322mx4",
+        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc1E4VFJWUTl0Nkhjc1VL\namRLN3pLcVUvc1diWmhHTVdTYjd5SmxYS2hBCkpQSXFnQlVqcndtejNoL2xQQlRh\ncG1uNlQxSUpJc0tRZHZFOVhibnFZOUUKLS0tIE84UGtkdldzM2oyTmF0Y0xPckpZ\naHNody9YR2ZKTDNINmNvbGNHb0dCRVkKXcUQxU0Craqkze0l0mH75MKTnkf7a/ae\nXeqWVJRO1WpG+UhF3QB3yMq9uy0vlc3JnD3LsE0inWUSl0s6AgDZOg==\n-----END AGE ENCRYPTED FILE-----\n"
+      }
+    ],
+    "lastmodified": "2025-08-17T19:03:33Z",
+    "mac": "ENC[AES256_GCM,data:l/BuK6aTGgcCX7piT3t7A5PEnmsrM7EGTX9lB5m10D0ggoN1AcrgPvCOnyUEREiDRaByKOBkm8LiqM5ubhw8BL8WtSAHjDaA+xGhPZ0rgtWMM1440T3tFACrt+xWTqmJeGrYC33PCunmUVM9e5C4oWaxGlitSwd8eZyCoG7j9qA=,iv:tiLpU6QHnUbkXdiHmGxANisCvks1ZIApWFLTucYvmBs=,tag:TOJRSd5Dnshk7mige41G4Q==,type:str]",
+    "unencrypted_suffix": "_unencrypted",
+    "version": "3.10.2"
+  }
+}