hosts.web01: init

This machine is intended to host web applications.
Initially [Lemmy](https://join-lemmy.org/), but perhaps more down the line.

The initial PR only deals with setting up the machine and required infra like DNS, not setting up Lemmy itself which will be a follow-up.

.sops.yaml

@@ -4,6 +4,7 @@ keys:
   - &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
   - &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
   - &darwin02 age12w8we2htlf3sxd9xjlt65353tgl58034l93w8vwphhm98zv69dzsvzt8fh
+  - &web01 age1dg06e2l664lek3het63vrdrvzyrzt2tcf4peellhxc33aj2wf3ysgja8gl
   - &hercules_tf age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
   - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
   - &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
@@ -74,6 +75,15 @@ creation_rules:
           - *zimbatm
           - *zowoq
           - *adisbladis
+  - path_regex: hosts/web01/[^/]+\.yaml$
+    key_groups:
+      - age:
+          - *web01
+          - *mic92
+          - *ryantm
+          - *zimbatm
+          - *zowoq
+          - *adisbladis
   - path_regex: modules/nixos/hercules-ci/.+\.yaml$
     key_groups:
       - age:

devdoc/hosts.md

@@ -47,6 +47,16 @@ This machine is meant as an aarch64 and x86_64 builder for our CI.
 - RAM: 8GB
 - Drives: 256GB SSD
 
+### `web01`
+
+This machine hosts web services such as Lemmy.
+
+- Provider: Hetzner
+- Instance type: CX31
+- CPU: 2 vCPUs on Intel Xeon
+- RAM: 8GB
+- Drives: 80GB SSD
+
 ## SSH config:
 
 You will need to set your admin username if it doesn't match your local username.

flake.nix

@@ -123,6 +123,10 @@
               system = "aarch64-linux";
               modules = [ ./hosts/build04/configuration.nix ];
             };
+            web01 = nixosSystem {
+              system = "x86_64-linux";
+              modules = [ ./hosts/web01/configuration.nix ];
+            };
           };
 
         flake.nixosModules = {

hosts/web01/configuration.nix

@@ -0,0 +1,15 @@
+{ inputs, ... }:
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+    ./hardware-configuration.nix
+    inputs.srvos.nixosModules.mixins-nginx
+    inputs.srvos.nixosModules.hardware-hetzner-cloud
+    inputs.self.nixosModules.common
+  ];
+
+  networking.hostName = "web01";
+  networking.hostId = "1cfd5aa3";
+
+  system.stateVersion = "23.05";
+}

hosts/web01/hardware-configuration.nix

@@ -0,0 +1,57 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ modulesPath
+, ...
+}:
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  disko.devices = {
+    disk = {
+      sda = {
+        type = "disk";
+        device = "/dev/sda";
+        content = {
+          type = "gpt";
+          partitions = {
+            grub = {
+              name = "grub";
+              size = "1M";
+              type = "ef02";
+            };
+            esp = {
+              name = "ESP";
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              name = "root";
+              size = "100%";
+              content = {
+                type = "filesystem";
+                # We use xfs because it has support for compression and has a quite good performance for databases
+                format = "xfs";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  swapDevices = [ ];
+}

hosts/web01/secrets.yaml

@@ -0,0 +1,66 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data:UXM0MBewVe95Bjlh3MNG5tnE/826ZS549N4Ay9uLndYgZ9UKPEPdw9dQYiGi517nJkNKtMJPidJLdnt5MfKlYMggHT0EAP6qdK0KcEB87ratiBIDO9fDa3zAU4iplWcA+OPfxLvmumWVmLqZdAoRTyh/8Szv3Zff2O/fLremCZ0yq7VoPF93PM4BQgk0CqJl8Rt0O9JK3JRxPYaYQ/H2LruqbOAvTr6dcqLqFDW6KQ36XDwfwP3N8bq70dBT6Uq7NzjtuixlNcFnwKA4J8H2ZH8nLpYYH4mQE4z5lZ6mn/V9U91LjmopTRn/vlqtDlM2vICeq/X0iQHr9QAftRVcT0D6Kram27vJOU0tYryBcM1Le9JCGYlYF9yl1uZwB2Lx2LcFUVLT5eT8NGo98t1PnffmYxWh0f6jloNBFmZVIA85uUDoE9G4Jg/gYmKkiDhn7GTllBIol5oOFsE61z7qGShyA5fQRx2gHkOLqwK0sLNA1ogAJJHD90RsUdrU7HF6l2S+4l8CF+C7q/MM9exbrssf9gT4dhOmSdtB,iv:QS3OV0bnQpA7fupbw0C3Hnva+bKFMHLWqaOAARJ+6rY=,tag:FSEF5zwXmICI26FJcyHK+w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1dg06e2l664lek3het63vrdrvzyrzt2tcf4peellhxc33aj2wf3ysgja8gl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydmZEejVxNnd4Z25QNlR3
+            RDZucXdaWGg1MjdNK0tzaklJeXhnaEd2aEU4CmpkYUQwMFhPYjJCd2s2bzk5WGJJ
+            akV2aThxczFSMGoxTk1GOUdzZDNxVmMKLS0tIE1QVk5xaGtkZVk1Q0VRdTIwTkZ5
+            OHhGZkEzMUlGZWEzTHhhYitmWHZPalUKAyMtdYoSLO0Eb6lN5fOYK0MmaLtc+8/I
+            2YtZbvbHoi6UwHDHVtKNKE3Uy6+IdJPt4dTdEf4LOwnV7Ygvvf37yQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBka3psU0Z0QndEeHNCTFJP
+            M0JFMjBWK0RqczM3bEdJTXNnSDU4cWlsVkFnCjhDeVF6eXFOSG5rN1NXaE43ZkQw
+            b0tVUXdOc0NrcDV2VnRvamVidXRmVlUKLS0tIFRsQzlGeStmVWNHU0tnYTZ2UmQr
+            VHduZStubjVvaERPL3IvVXNHUFpsODgKX2siCYedeME+RkkgfwfKz8Xl5ZOEbYBG
+            lCGNN/Pkif8C1YXKx3qBk503U/RWgrGIsJJDaJNhKwRAo4q77kkozA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeFYyc2VQVDhNZ3dEUEJO
+            WEFwTjkzOGovU3crMXB3Z2FXTFFEVHo0SzBFClVkbE9BMWFmbjBheXJwUEhJN2I4
+            a3Z0KzNhYW43R24zSDBMR3JnWUFwRWcKLS0tIHMzU3RuWnhNVWRLeTNmSUhEeFpq
+            WHB0cVpQMGZoT0JyZ3c3UUdrUzBZSTQKnFg4GBDzpQnTYRnOXkk47lqy9niML/tw
+            wdsIR1hLd5ZQdwWCcsx9wlNvfEajZ2O+TpVnWM5qJqJx80db2Zodlg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjK0NoSUY5dmdoUEhIR1ZY
+            U2hNcUlqYjNkRFRmMUJtaFNkY1I5TFFrQWpRCmFhV2NTbnF4V0N4MzZobEliVUE4
+            SVd4SnFtYW81Y2dUWGxoZ0toa0dObWcKLS0tIHArT2lVb2xzUWp3QlR6U2ExUWtI
+            KzJKcy9KOUM0WkQ2M2RwSStlNk82QncKc1/Wz4OXlXkQGmQnQkWtRi55eqKRkqkP
+            kGdKrjixgRB75NyNhx4i+OgnMAIdrKM0sTBN0G8CQ673+Hf8SCKuwg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWld4akVNWEhmWEVYTU1O
+            YWFNNFVYZ0dYNEpPRjhGQlBQNGlacFpEMkRNCkd3UTQ0NEVrS0JqUHIrVXJyWkRx
+            UWZXVDY5MkRia3NUT3pVb0Y3UUtWam8KLS0tIFpCc2pramJScDRYczFiWnBWSnZq
+            eCtaSER2YzU0TkcyRkRKaC9scWg3R28KRfzx3jUAkTviPOsqtGOFtwWyYSwpg7L0
+            xm0iFaR8U/hNA2+t6glFc+DyF65UCtN2sc5HFWxgXsiRQB0IGBdkJQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzK3JubFRvM2dFVlFadFMy
+            dmpmVjVrQ25VOElZN2dKNkZyUGdFTHR0ZlZzCm9qY1IyY3NMZjd4THV1MUJyMHY3
+            U2IxNTRkQXRHU09kYkFuSHRYTURoaE0KLS0tIGwwdVFFbzZJN3RSL2xERTF3US9l
+            bFFYZ0ZvUkU2RzI1Sk1EMXU3L2kzNXcKTNd6rP4vwBlxy0IOpvJkwD2DHEuygQQj
+            6nP/LDINN6byq+SCUOO60r/dPDixmRDZdWnvkRIntVweSpSgoM9dSw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-04T04:17:56Z"
+    mac: ENC[AES256_GCM,data:NBFyPyL26aN2MU30qhCW3/JGBlvk+rSjuRbaCLUFlTYEVyS2I+w+yoF51WtZPVYXuKsQ0JY7y/aoOMEqN+odrbkeX+PivOOgc1WVkPXEF8vIRg8qWkzovTTpQNk7IBM6EGGAj13T2eSPCxkrYyzu/FrUHXvRD6e8+u3kSTu+NAQ=,iv:wfZyk5sSt2S/gr1dt1iMrQ28yyQgWCsNdzbiUqzVf3M=,tag:Q2s7qUS8tJrXxDdapKVA2Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

modules/nixos/security.nix

@@ -31,6 +31,10 @@
       hostNames = [ "[u348918.your-storagebox.de]:23" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
     };
+    web01 = {
+      hostNames = [ "web01.nix-community.org" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlk4GXei97txlkLtRQDblje0YXZxQnu5w7rVSBPzYRl";
+    };
   };
 
   services.openssh = {

terraform/cloudflare_nix-community_org.tf

@@ -91,6 +91,27 @@ resource "cloudflare_record" "nix-community-org-darwin02-AAAA" {
   type    = "AAAA"
 }
 
+resource "cloudflare_record" "nix-community-org-web01-AAAA" {
+  zone_id = local.nix_community_zone_id
+  name    = "web01"
+  value   = "2a01:4f9:c011:932f::1"
+  type    = "AAAA"
+}
+
+resource "cloudflare_record" "nix-community-org-web01-A" {
+  zone_id = local.nix_community_zone_id
+  name    = "web01"
+  value   = "95.216.139.211"
+  type    = "A"
+}
+
+resource "cloudflare_record" "nix-community-org-lemmy-CNAME" {
+  zone_id = local.nix_community_zone_id
+  name    = "lemmy"
+  value   = "web01.nix-community.org"
+  type    = "CNAME"
+}
+
 # Used by nix-community/nixpkgs-docker
 resource "cloudflare_record" "nix-community-org-docker-CNAME" {
   zone_id = local.nix_community_zone_id