vps-private: Reinstall with xfs /nix

hosts/vps-private/default.nix

@@ -0,0 +1,109 @@
+{ config, inputs, ... }:
+{
+  imports = [
+    ./hardware.nix
+    ./disko.nix
+    inputs.disko.nixosModules.default
+  ];
+
+  system.stateVersion = "25.11";
+
+  meta = {
+    domains.validate = true;
+    ports.validate = true;
+  };
+
+  custom = {
+    impermanence.enable = true;
+
+    sops = {
+      enable = true;
+      agePublicKey = "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69";
+    };
+
+    boot.loader.systemd-boot.enable = true;
+
+    services =
+      let
+        tailscaleDomain = config.custom.services.tailscale.domain;
+      in
+      {
+        tailscale = {
+          enable = true;
+          ssh.enable = true;
+          exitNode.enable = true;
+        };
+
+        syncthing = {
+          enable = true;
+          isServer = true;
+          doBackups = true;
+          deviceId = "5R2MH7T-Q2ZZS2P-ZMSQ2UJ-B6VBHES-XYLNMZ6-7FYC27L-4P7MGJ2-FY4ITQD";
+          gui.domain = "syncthing.${tailscaleDomain}";
+        };
+
+        filebrowser = {
+          enable = true;
+          domain = "files.${tailscaleDomain}";
+          doBackups = true;
+        };
+
+        radicale = {
+          enable = true;
+          domain = "calendar.${tailscaleDomain}";
+          doBackups = true;
+        };
+
+        memos = {
+          enable = true;
+          domain = "memos.${tailscaleDomain}";
+          doBackups = true;
+        };
+
+        actualbudget = {
+          enable = true;
+          domain = "budget.${tailscaleDomain}";
+          doBackups = true;
+        };
+
+        freshrss = {
+          enable = true;
+          domain = "rss.${tailscaleDomain}";
+          doBackups = true;
+        };
+
+        alloy = {
+          enable = true;
+          domain = "alloy-${config.networking.hostName}.${tailscaleDomain}";
+        };
+
+        caddy.virtualHosts =
+          let
+            inherit (config.custom) services;
+          in
+          {
+            syncthing-gui = {
+              inherit (services.syncthing.gui) domain port;
+            };
+            filebrowser = {
+              inherit (services.filebrowser) domain port;
+            };
+            radicale = {
+              inherit (services.radicale) domain port;
+            };
+            memos = {
+              inherit (services.memos) domain port;
+            };
+            actualbudget = {
+              inherit (services.actualbudget) domain port;
+            };
+            freshrss = {
+              inherit (services.freshrss) domain port;
+            };
+            alloy = {
+              inherit (services.alloy) domain port;
+            };
+          };
+      };
+  };
+}

hosts/vps-private/disko.nix

@@ -0,0 +1,56 @@
+{
+  disko.devices = {
+    disk.main = {
+      device = "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            size = "1M";
+            type = "EF02";
+          };
+          ESP = {
+            size = "512M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [ "umask=0077" ];
+            };
+          };
+          nix = {
+            size = "20G";
+            content = {
+              type = "filesystem";
+              format = "xfs";
+              extraArgs = [
+                "-m"
+                "reflink=1"
+              ];
+              mountpoint = "/nix";
+              mountOptions = [ "noatime" ];
+            };
+          };
+          persist = {
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/persist";
+              mountOptions = [ "noatime" ];
+            };
+          };
+        };
+      };
+    };
+    nodev."/" = {
+      fsType = "tmpfs";
+      mountOptions = [
+        "defaults"
+        "mode=755"
+      ];
+    };
+  };
+}

hosts/vps-private/hardware.nix

@@ -0,0 +1,44 @@
+{ modulesPath, ... }:
+{
+  imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+
+  zramSwap.enable = true;
+
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    networks."10-enp1s0" = {
+      matchConfig.Name = "enp1s0";
+      linkConfig.RequiredForOnline = "routable";
+      networkConfig.DHCP = "no";
+      address = [
+        "49.13.231.235/32"
+        "2a01:4f8:1c1e:76fe::1/64"
+      ];
+      routes = [
+        {
+          Gateway = "172.31.1.1";
+          GatewayOnLink = true;
+        }
+        { Gateway = "fe80::1"; }
+      ];
+      dns = [
+        "1.1.1.1"
+        "8.8.8.8"
+        "2606:4700:4700::1111"
+        "2001:4860:4860::8888"
+      ];
+    };
+  };
+}

hosts/vps-private/secrets.json

@@ -0,0 +1,40 @@
+{
+  "seb-password": "ENC[AES256_GCM,data:Q+yRIOJCUzHmCZ5n0OAGyCkePVh0VJfeFYmgG2fh8Wwy6IKyG9c3/3qcMEIRSvG6Qm9KFGahuIR2md5bz7//pTRfPcu1GdIsMA==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:pOLRjWZKL2+GkMgV435FMw==,type:str]",
+  "tailscale": {
+    "auth-key": "ENC[AES256_GCM,data:qqJnjWR309LAuW49/7t2uZqWlAgPUvz8niLZuM2g8kJxaQmF0TEAWcBDpYridy9NLHnJ+xgA9g088t9dSg==,iv:imh6BrNPf2jVQ6eVaB9Mt+gX9zGq6mHX1+9yhY/KzrI=,tag:HPjhNE+vecDWwCAMC+nGfw==,type:str]",
+    "service-auth-key": "ENC[AES256_GCM,data:w9hTq+DLUcHdgHLKOWv0eg+Ew9GoN47GIiOlGNVZY+YnOgCqJ9L59xxt37B9ry1wTJXtlCJWl/fOSxUT/PA=,iv:1e7sWm+CEXOBt7p74b9O5Hhs5+NYv6v6QfdqiKHNn18=,tag:HpoX3OyDg0S4OzgGUXRfZw==,type:str]"
+  },
+  "restic": {
+    "password": "ENC[AES256_GCM,data:AERasH4M/uP3aUELnggUmH6NzAx6v4Uqjg+ymF5X,iv:q5qJkB3+feZyEm778hKI8ikNz9/9dj+Z1hda6M4eHfQ=,tag:adI4AwzXp63SRSA8uAjRZw==,type:str]"
+  },
+  "backblaze": {
+    "key-id": "ENC[AES256_GCM,data:vfw2c+rDyT2bEg6QjJZLGfcxbe56FyrtQg==,iv:TEtsDdGmB5MVuIOPVr6UxOaLAfbGKOeZxXwaW86X+t8=,tag:lFrapoEAOJ7ma+/BhuIVQA==,type:str]",
+    "application-key": "ENC[AES256_GCM,data:OdcLprjm4WdBrUF6tRJyn6gvQuHK/2jmnxh3QIM6XQ==,iv:UTn1iz3fTCVleFSe1yP6fOJB4DKKQJEG7naZclJ+i2M=,tag:vGtZ4NYVasQ4GP1IL6dvdQ==,type:str]"
+  },
+  "healthchecks": {
+    "ping-key": "ENC[AES256_GCM,data:40galLLarXCva762hm+CfZ8fULDEYg==,iv:caY1tuMTxNyl8USsgKiSuAOIczvn/Xdx6Taj7BQRCyE=,tag:y2Zw/EuuY1M2JFEcskQqgg==,type:str]"
+  },
+  "syncthing": {
+    "cert": "ENC[AES256_GCM,data:/l5a/ml9XjTPCG2dUjHbIbrWZ0W/Br2EBCTj0eIWQZNMXlc5Fkv/zgLdFHRME0W4FMGXv9i7QP/Kt1po4ucX/kNTYeV92kubxognXH/8mhQynBfrgdyiYeexiIv23GYwwpp8PiY4eYttQZ3VMNqrVBH3wVM6li/iDfNdWMPT57W4xCaRlVgpHQJVe1moqYY1enSOhzhDkbL+X0ApezBeMX+wjZgJOfUjCYRKtr/ZIv6PaXB8z0L9ZzAyyctYi0A5sOOW6Vss5u4Zug3kOUZvxwRWMz8zDhqJR5OqO+fO7iysA/Jp7Me6w9ptqmUE02p1w0wtNwKLuD7kbE2BbAsbGCeoBMxjy8zGgdrjAqnLdYXFtwSP0EL4RgmiVMfDL9rdEP6L3hmbL/bpkhIUbdMDta0jtSUJKxEcd9Zt99meHh4hfVLoqlYVed49XxtzQkBtGyhNRqKSja+yHPCY1NDzc7D5+Jeeq0vEPpLWJ7OKpLOoZri5a0xGCQ0OZeM+rvYyVDdKU4+FETnTtXbWphXS3D0HVSF0Kyx9AQYGq5LwTdPgtQJrsSZs4/9+0M5dAZvfmXlXAnEPiFvbJMnn8MW0gCb2z5s1YXaABgn45Xv/lSZNyzk69NKRKZZgk5Hl3DDlGXUK+Vhe5OW7iXhF/BDwjxKt0jsotP3F/hwX2KDfOvaLgkgKBNn1axMZSmEdgFnFeBRtpeEgfOWBJY2KT972rFVV5G2tNV+4Uv1VIrW8oksnxMzQdlt6rERBTUNJPFeQrcjWGse3P+h32/ziqk1Jv9UUXEw3hvCnVaimZ7sX/dZMrX9mKqC3Bt8mIk6bJEjPyva1VViand/E5FvnSo/d0tlEDhjNMJfLXSDYuJClsFSbVy9xyvRZBHy3dCg+TCmSJi2rk7V9k5Z9YEAV25y8Qq15llnMQVfUsOcI5JCQXeIYRbfuiCX/FxR5cONppoGjUOl1Gmxaq0u5k9DriFvlbpZMACjgHQneUNIKkEnadMjrAe3yyVcm8nYlUrlxX/Usot59P74Ln5V886bt0iQhkFft55w0yiDUwYY=,iv:bJfo1JZ8muYmxoZfCx3x40DOrnstSChjUnzF+ZJjc2s=,tag:JTOYgWwot9/zwdWwVWvSUw==,type:str]",
+    "key": "ENC[AES256_GCM,data:PkL8Bh0pRnFfH0l1AhJdUl6LvRytJW4JTjNtGviORklxEfnh2SR9Fnsl4ftDE78+EwvVw9Fd71L16BFObp5rH3zMImSnVthj8AoBw0OpVOenhzVNnHcPX4ncOm7IPIx1X0VmtqjzO6FTW3opamt2VB3kORZhzybInaY63PlLgU1f0c7wt9wIsefQvsooVm8OS3kvMRlkeaeIqtu7ok/TpyssygALY/6TUWvImvh2Uro4LE6Ue4IzZTnq7CmSywTASwr95YqenIL0nu7cr4EG7kfGWS3/lWJf4BTNUTvfSs6PmHVEigFMBQIILo+juJC4MLdpGP+Bk2rWx1B8rZTyyrKLgS4Nl/HoCFaICOy8PjHyjTgUBlzZMwgj8cEGcwe5,iv:IXlcy7FmBJHf6fP0B/HhkcGZxKUu3VivhFm8u3jYxkc=,tag:1GaPMxFXeSKlB/dJjQUgaw==,type:str]"
+  },
+  "radicale": {
+    "htpasswd": "ENC[AES256_GCM,data:PaN9mAYR8slQQpojnZpCPMNxgQtvCa0pj90tfUgQr9MFgout7RpbWs97XMzbmWws6ov3g91+0U5l1tcS68O4rQ==,iv:Je68Sg1b5qkx1WYJ5y11yx+ASNd5bk43YpY8axzqNGI=,tag:Ce84ptIiCIRHpZHSoozoyg==,type:str]"
+  },
+  "sops": {
+    "age": [
+      {
+        "recipient": "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5",
+        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3clZ2RDgvVWJXMUdsWVdk\nclBwc0dEQ1Y3cUt0QVpkTHNYdENnRkJQOUNrClFhM2R2L2laQ1N4cDltMElBeTY3\nOWt3VndlZHBONVdUelptM0dRTUdBd1kKLS0tIEtmOGhJUTJ2Z29JQzBsWVdUa3A5\nUWFZUkVOK1Z4bmVoOFhkY09XbU1ZbWsKgDNEjb6goOoCig73u1E8Ew7MDXIMWYx1\nzg6TRt46Ouk51tNgJ1BRMm+LO2B7PFp0Zs/KcazHmBEG9r2EeoC3kA==\n-----END AGE ENCRYPTED FILE-----\n"
+      },
+      {
+        "recipient": "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69",
+        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU01heng3NHdrYnZFZmZn\nZlJtUUIyd1ExTmhzeU5iZFZadFcwR25GOEVZCmxHOXNWQVh1ZlJSRHJtaDVHNVUv\nbTY0TlNmZ2hESDkzS2M3WHdlamxwclkKLS0tIEEvOFd3TDFkQmQwbjBodHhpb1BD\nZ2NvTnNqQmtrLy9aVDdGRGxZbVgrZG8KdnnjJWcjZFu3R8fVKToj6THHHRCFou9k\njQoedCZAML2A2FZIhHugH9wnDUPQQjG86WbcCBuFWcOTGiTF2gN+Qg==\n-----END AGE ENCRYPTED FILE-----\n"
+      }
+    ],
+    "lastmodified": "2025-10-11T15:48:45Z",
+    "mac": "ENC[AES256_GCM,data:pVeX+/xaRJJ3g+q7Ob+pdxmybWykgMj+5uVNlSQ7EMSqm4SFEdZTGiH0JVcFOBld5da/feu9VDzQObItAftVNwi7Ta/jJ1BM+oiVzA9dG+sBKd3CIAFuGaODtNsXdaiNFHqZaY0t+7L1xpC8daYyI0E/3StPDsVGKo262CXNMYA=,iv:neXImm5GDmPaRHumiTTXRQob4cM6K019GzFnNBruGGA=,tag:V65xEBNpzn4nLoJYvdCIwQ==,type:str]",
+    "unencrypted_suffix": "_unencrypted",
+    "version": "3.10.2"
+  }
+}