vps-monitor: Reinstall with xfs /nix

hosts/vps-monitor/default.nix

@@ -0,0 +1,115 @@
+{ config, inputs, ... }:
+{
+  imports = [
+    ./hardware.nix
+    ./disko.nix
+    inputs.disko.nixosModules.default
+  ];
+
+  system.stateVersion = "25.11";
+
+  meta = {
+    domains.validate = true;
+    ports.validate = true;
+  };
+
+  custom = {
+    impermanence.enable = true;
+
+    sops = {
+      enable = true;
+      agePublicKey = "age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994";
+    };
+
+    boot.loader.grub.enable = true;
+
+    services =
+      let
+        tailscaleDomain = config.custom.services.tailscale.domain;
+      in
+      {
+        tailscale = {
+          enable = true;
+          ssh.enable = true;
+        };
+
+        gatus = {
+          enable = true;
+          domain = "status.${tailscaleDomain}";
+          generateDefaultEndpoints = true;
+          endpoints = {
+            "alerts" = {
+              path = "/v1/health";
+              extraConditions = [ "[BODY].healthy == true" ];
+            };
+            "git ssh" = {
+              group = "srv-public";
+              protocol = "ssh";
+              domain = "git.sstork.dev";
+            };
+          };
+        };
+
+        ntfy = {
+          enable = true;
+          domain = "alerts.${tailscaleDomain}";
+        };
+
+        grafana = {
+          enable = true;
+          domain = "grafana.${tailscaleDomain}";
+          datasources = {
+            prometheus.enable = true;
+            victoriametrics.enable = true;
+            victorialogs.enable = true;
+          };
+          dashboards = {
+            nodeExporter.enable = true;
+            victoriametrics.enable = true;
+            victorialogs.enable = true;
+            crowdsec.enable = true;
+          };
+        };
+
+        victoriametrics = {
+          enable = true;
+          domain = "metrics.${tailscaleDomain}";
+        };
+
+        victorialogs = {
+          enable = true;
+          domain = "logs.${tailscaleDomain}";
+        };
+
+        alloy = {
+          enable = true;
+          domain = "alloy-${config.networking.hostName}.${tailscaleDomain}";
+        };
+
+        caddy.virtualHosts =
+          let
+            inherit (config.custom) services;
+          in
+          {
+            gatus = {
+              inherit (services.gatus) domain port;
+            };
+            ntfy = {
+              inherit (services.ntfy) domain port;
+            };
+            grafana = {
+              inherit (services.grafana) domain port;
+            };
+            victoriametrics = {
+              inherit (services.victoriametrics) domain port;
+            };
+            victorialogs = {
+              inherit (services.victorialogs) domain port;
+            };
+            alloy = {
+              inherit (services.alloy) domain port;
+            };
+          };
+      };
+  };
+}

hosts/vps-monitor/disko.nix

@@ -0,0 +1,56 @@
+{
+  disko.devices = {
+    disk.main = {
+      device = "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            size = "1M";
+            type = "EF02";
+          };
+          ESP = {
+            size = "512M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [ "umask=0077" ];
+            };
+          };
+          nix = {
+            size = "20G";
+            content = {
+              type = "filesystem";
+              format = "xfs";
+              extraArgs = [
+                "-m"
+                "reflink=1"
+              ];
+              mountpoint = "/nix";
+              mountOptions = [ "noatime" ];
+            };
+          };
+          persist = {
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/persist";
+              mountOptions = [ "noatime" ];
+            };
+          };
+        };
+      };
+    };
+    nodev."/" = {
+      fsType = "tmpfs";
+      mountOptions = [
+        "defaults"
+        "mode=755"
+      ];
+    };
+  };
+}

hosts/vps-monitor/hardware.nix

@@ -0,0 +1,44 @@
+{ modulesPath, ... }:
+{
+  imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+
+  zramSwap.enable = true;
+
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    networks."10-enp1s0" = {
+      matchConfig.Name = "enp1s0";
+      linkConfig.RequiredForOnline = "routable";
+      networkConfig.DHCP = "no";
+      address = [
+        "188.245.223.145/32"
+        "2a01:4f8:1c1b:468f::1/64"
+      ];
+      routes = [
+        {
+          Gateway = "172.31.1.1";
+          GatewayOnLink = true;
+        }
+        { Gateway = "fe80::1"; }
+      ];
+      dns = [
+        "1.1.1.1"
+        "8.8.8.8"
+        "2606:4700:4700::1111"
+        "2001:4860:4860::8888"
+      ];
+    };
+  };
+}

hosts/vps-monitor/secrets.json

@@ -0,0 +1,29 @@
+{
+  "seb-password": "ENC[AES256_GCM,data:BsVFQMY7q+RhByY3RTWwrwbdC4Pgb2kNVG8HXn+kmI2evAo8XmGbDHbr7mXnI2LA6E+iXm5bewfwwTnJWZjaup06/kr1bd8JDg==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:ydQaXcLVYllSZYWNCtH7+A==,type:str]",
+  "tailscale": {
+    "auth-key": "ENC[AES256_GCM,data:b+m+4KGLeS7hYLSqYXxX5VhiA946b4SEp+OAQUkK6e6ShYe0RnC0VfnypHjqwrdOiGYAIxB4ggIjZ9F5lfw=,iv:o36k4vtsnSThDQNIMIPBQHJ92WodbIyVC42L1t8Fvzg=,tag:/9oYSFO3asAGmWiedNo+Bw==,type:str]",
+    "service-auth-key": "ENC[AES256_GCM,data:Lz8UTAa2Y0QZ0qtkxrN30/nKj5PoAuoZON0LgflJtvOb5xiE8qAN9E04HA4O2dMWTXJ4zfIK8QC/s/Amlh8=,iv:e55ow3YQh6hd7FkTu09fMN8XgBk5ZsuHCtRDb5Q2sDI=,tag:qpzj9J9BgVCDF/7U3lcbkA==,type:str]"
+  },
+  "healthchecks": {
+    "ping-key": "ENC[AES256_GCM,data:Zq71AU3oym7fC364YZNyRtx4N2G35Q==,iv:ibMBpcrSocLBhtumsSV00+KVN6Pi4SzE7soCkZcU4fY=,tag:Wv/Wr0wRZGXucMHZHgoNtg==,type:str]"
+  },
+  "grafana": {
+    "admin-password": "ENC[AES256_GCM,data:2YRh4DT+1w5W/X3ELIe3Uu2EnMIHG4gUhV5ri6E=,iv:owHyuoupNQO09aRBgU2phIwxg22U1rUqKyYbw2193m4=,tag:dopVQwf4Ewf+lsFterfDOA==,type:str]"
+  },
+  "sops": {
+    "age": [
+      {
+        "recipient": "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5",
+        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBR3o1ZXQrUFh1NnJqbzcx\nZE9yUmFTMml4SEJzbHNtQ1dIdDVIM0lBaEVrCmJvUjFOdllxSTlWSytOa1FMTVd2\naDM5V3ZjRkkrMXBSL0VKaVpiRVFlc00KLS0tIDg4Ky9RN0RRaEc4Zzc1bDZxSXZi\nc3RzZmJkbEdQUTUzdjNuOE9uMUNQd00KVcSXFBK6W6usS6SIQJXOmU8fN+Oiqg1Y\ndE2NcNJaEWpc+rps1PG19rCRz3MD2tvjZdnJByMJXLopDb/9l1NBxg==\n-----END AGE ENCRYPTED FILE-----\n"
+      },
+      {
+        "recipient": "age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994",
+        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVmV4dkZEaWVDNHMxUFdr\nYnhuVWpReXBNSEhhZkltQTE4bEpzSlBzL0VJCk15UFlwa0haWTZNaE1DVzVZVFBI\nd0QzcUptYmQ3dmhhdjhFV0xDSWdmMGMKLS0tIFhWamx6SXJleFFSVUFkRmw2VFZy\nOVVhNm9NSE0yRGFMQjNrM1B6cDVxSXMKrhAkDcWqutgSmQI5O+5i8fcwuTh2/XKr\nljK/Vn8EvGr8qEUeHzOBI1b5VtgngJkVJyfM9G/Q0lZvQF7ZZ5YCgQ==\n-----END AGE ENCRYPTED FILE-----\n"
+      }
+    ],
+    "lastmodified": "2025-10-11T15:48:45Z",
+    "mac": "ENC[AES256_GCM,data:4bECM/RM3hCmhGNpVlwQA3uLZvjzkqD/EBmGjhmLBUYIq251B36eJZh5hLli1AkMMiR5RdYxobSsQpMLkNEyLEVMOImsj4P3m+9h9Hh1R8+1R5InGI/afL/CHXjnYrJKohlOBDcJXRtgrQRPH1Rb35/20vl2RvoQ8OwimMRMmeY=,iv:Oqkac45fCnMQgXgLM06TGZjh3fRG2DATwlCKTvnO5Fw=,tag:xapQEWQpjVeIZRAoH0YbqQ==,type:str]",
+    "unencrypted_suffix": "_unencrypted",
+    "version": "3.10.2"
+  }
+}