diff --git a/.sops.yaml b/.sops.yaml
index c685f7b..1333a26 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 - &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
 - &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
 - &darwin02 age12w8we2htlf3sxd9xjlt65353tgl58034l93w8vwphhm98zv69dzsvzt8fh
+ - &web01 age1dg06e2l664lek3het63vrdrvzyrzt2tcf4peellhxc33aj2wf3ysgja8gl
 - &hercules_tf age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
 - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
 - &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
@@ -74,6 +75,15 @@ creation_rules:
 - *zimbatm
 - *zowoq
 - *adisbladis
+ - path_regex: hosts/web01/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *web01
+ - *mic92
+ - *ryantm
+ - *zimbatm
+ - *zowoq
+ - *adisbladis
 - path_regex: modules/nixos/hercules-ci/.+\.yaml$
 key_groups:
 - age:
diff --git a/devdoc/hosts.md b/devdoc/hosts.md
index d7472b0..6756715 100644
--- a/devdoc/hosts.md
+++ b/devdoc/hosts.md
@@ -47,6 +47,16 @@ This machine is meant as an aarch64 and x86_64 builder for our CI.
 - RAM: 8GB
 - Drives: 256GB SSD
+### `web01`
+
+This machine hosts web services such as Lemmy.
+
+- Provider: Hetzner
+- Instance type: CX31
+- CPU: 2 vCPUs on Intel Xeon
+- RAM: 8GB
+- Drives: 80GB SSD
+
 ## SSH config:
 You will need to set your admin username if it doesn't match your local username.
diff --git a/flake.nix b/flake.nix
index 05aeea6..0063fef 100644
--- a/flake.nix
+++ b/flake.nix
@@ -123,6 +123,10 @@
 system = "aarch64-linux";
 modules = [ ./hosts/build04/configuration.nix ];
 };
+ web01 = nixosSystem {
+ system = "x86_64-linux";
+ modules = [ ./hosts/web01/configuration.nix ];
+ };
 };
 flake.nixosModules = {
diff --git a/hosts/web01/configuration.nix b/hosts/web01/configuration.nix
new file mode 100644
index 0000000..77e34ab
--- /dev/null
+++ b/hosts/web01/configuration.nix
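Review bot: The new `creation_rules` entry encrypts `hosts/web01/*.yaml` to `*web01`, and the only secret committed under that path is `ssh_host_ed25519_key`; if, as the naming suggests, the `web01` age recipient is derived from that same host key (ssh-to-age), the machine cannot decrypt its own secrets file until the key has been placed on it out of band, and nothing in this commit says how that bootstrap happens. A comment beside the new key would spare the next operator that surprise: `# web01: derived from the host's ssh_host_ed25519_key; copy the key during install (e.g. nixos-anywhere --extra-files) before first activation`. The six recipients in the committed `secrets.yaml` match the six keys in this rule, so the rule and the file are consistent as of this commit, but any later change to the rule needs `sops updatekeys hosts/web01/secrets.yaml` to take effect.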
@@ -0,0 +1,15 @@
+{ inputs, ... }:
+{
+ imports = [
+ inputs.disko.nixosModules.disko
+ ./hardware-configuration.nix
+ inputs.srvos.nixosModules.mixins-nginx
+ inputs.srvos.nixosModules.hardware-hetzner-cloud
+ inputs.self.nixosModules.common
+ ];
+
+ networking.hostName = "web01";
+ networking.hostId = "1cfd5aa3";
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/web01/hardware-configuration.nix b/hosts/web01/hardware-configuration.nix
new file mode 100644
index 0000000..577feac
--- /dev/null
+++ b/hosts/web01/hardware-configuration.nix
@@ -0,0 +1,57 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ modulesPath
+, ...
+}:
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ disko.devices = {
+ disk = {
+ sda = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ grub = {
+ name = "grub";
+ size = "1M";
+ type = "ef02";
+ };
+ esp = {
+ name = "ESP";
+ type = "EF00";
+ size = "500M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "filesystem";
+ # We use xfs because it has support for compression and has a quite good performance for databases
+ format = "xfs";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ swapDevices = [ ];
+}
diff --git a/hosts/web01/secrets.yaml b/hosts/web01/secrets.yaml
new file mode 100644
index 0000000..4520d89
--- /dev/null
+++ b/hosts/web01/secrets.yaml
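Review bot: Nothing in this module references the `hosts/web01/secrets.yaml` file added alongside it; unless `inputs.self.nixosModules.common` (not visible here) derives `sops.defaultSopsFile` from `networking.hostName`, the encrypted `ssh_host_ed25519_key` is never installed on the machine and the key pinned in `modules/nixos/security.nix` will not match what the host actually presents. If that wiring is not in the common module, add `sops.defaultSopsFile = ./secrets.yaml;` next to `networking.hostName`. `networking.hostId` is mainly consumed by ZFS and the disk layout in this commit is XFS, so a short comment such as `# random id; only needed if zfs is ever added` would stop readers hunting for a pool. The Lemmy service that the new `lemmy` DNS record points at is not configured in this file, so presumably it arrives in a follow-up.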
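Review bot: The header comment says the file was generated by `nixos-generate-config` and must not be edited, but the `disko.devices` block below it is hand-written (nixos-generate-config does not emit disko layouts), so the warning will mislead whoever next needs to change the partitioning; either trim it to the `boot.*` lines it actually describes or drop it. The comment on the root filesystem is also wrong on a fact: XFS has no transparent compression (that is btrfs/zfs), so rewrite it as `# xfs: good database performance; note it has no transparent compression`. Separately, the ESP is mounted at `/boot` with default vfat options, which leaves it world-readable; if the bootloader chosen by the Hetzner mixin stores a random seed or other state there, `mountOptions = [ "umask=0077" ];` on the `esp` content is the usual fix.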
@@ -0,0 +1,66 @@ +ssh_host_ed25519_key: ENC[AES256_GCM,data:UXM0MBewVe95Bjlh3MNG5tnE/826ZS549N4Ay9uLndYgZ9UKPEPdw9dQYiGi517nJkNKtMJPidJLdnt5MfKlYMggHT0EAP6qdK0KcEB87ratiBIDO9fDa3zAU4iplWcA+OPfxLvmumWVmLqZdAoRTyh/8Szv3Zff2O/fLremCZ0yq7VoPF93PM4BQgk0CqJl8Rt0O9JK3JRxPYaYQ/H2LruqbOAvTr6dcqLqFDW6KQ36XDwfwP3N8bq70dBT6Uq7NzjtuixlNcFnwKA4J8H2ZH8nLpYYH4mQE4z5lZ6mn/V9U91LjmopTRn/vlqtDlM2vICeq/X0iQHr9QAftRVcT0D6Kram27vJOU0tYryBcM1Le9JCGYlYF9yl1uZwB2Lx2LcFUVLT5eT8NGo98t1PnffmYxWh0f6jloNBFmZVIA85uUDoE9G4Jg/gYmKkiDhn7GTllBIol5oOFsE61z7qGShyA5fQRx2gHkOLqwK0sLNA1ogAJJHD90RsUdrU7HF6l2S+4l8CF+C7q/MM9exbrssf9gT4dhOmSdtB,iv:QS3OV0bnQpA7fupbw0C3Hnva+bKFMHLWqaOAARJ+6rY=,tag:FSEF5zwXmICI26FJcyHK+w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1dg06e2l664lek3het63vrdrvzyrzt2tcf4peellhxc33aj2wf3ysgja8gl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydmZEejVxNnd4Z25QNlR3 + RDZucXdaWGg1MjdNK0tzaklJeXhnaEd2aEU4CmpkYUQwMFhPYjJCd2s2bzk5WGJJ + akV2aThxczFSMGoxTk1GOUdzZDNxVmMKLS0tIE1QVk5xaGtkZVk1Q0VRdTIwTkZ5 + OHhGZkEzMUlGZWEzTHhhYitmWHZPalUKAyMtdYoSLO0Eb6lN5fOYK0MmaLtc+8/I + 2YtZbvbHoi6UwHDHVtKNKE3Uy6+IdJPt4dTdEf4LOwnV7Ygvvf37yQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBka3psU0Z0QndEeHNCTFJP + M0JFMjBWK0RqczM3bEdJTXNnSDU4cWlsVkFnCjhDeVF6eXFOSG5rN1NXaE43ZkQw + b0tVUXdOc0NrcDV2VnRvamVidXRmVlUKLS0tIFRsQzlGeStmVWNHU0tnYTZ2UmQr + VHduZStubjVvaERPL3IvVXNHUFpsODgKX2siCYedeME+RkkgfwfKz8Xl5ZOEbYBG + lCGNN/Pkif8C1YXKx3qBk503U/RWgrGIsJJDaJNhKwRAo4q77kkozA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeFYyc2VQVDhNZ3dEUEJO + WEFwTjkzOGovU3crMXB3Z2FXTFFEVHo0SzBFClVkbE9BMWFmbjBheXJwUEhJN2I4 + 
a3Z0KzNhYW43R24zSDBMR3JnWUFwRWcKLS0tIHMzU3RuWnhNVWRLeTNmSUhEeFpq + WHB0cVpQMGZoT0JyZ3c3UUdrUzBZSTQKnFg4GBDzpQnTYRnOXkk47lqy9niML/tw + wdsIR1hLd5ZQdwWCcsx9wlNvfEajZ2O+TpVnWM5qJqJx80db2Zodlg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjK0NoSUY5dmdoUEhIR1ZY + U2hNcUlqYjNkRFRmMUJtaFNkY1I5TFFrQWpRCmFhV2NTbnF4V0N4MzZobEliVUE4 + SVd4SnFtYW81Y2dUWGxoZ0toa0dObWcKLS0tIHArT2lVb2xzUWp3QlR6U2ExUWtI + KzJKcy9KOUM0WkQ2M2RwSStlNk82QncKc1/Wz4OXlXkQGmQnQkWtRi55eqKRkqkP + kGdKrjixgRB75NyNhx4i+OgnMAIdrKM0sTBN0G8CQ673+Hf8SCKuwg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWld4akVNWEhmWEVYTU1O + YWFNNFVYZ0dYNEpPRjhGQlBQNGlacFpEMkRNCkd3UTQ0NEVrS0JqUHIrVXJyWkRx + UWZXVDY5MkRia3NUT3pVb0Y3UUtWam8KLS0tIFpCc2pramJScDRYczFiWnBWSnZq + eCtaSER2YzU0TkcyRkRKaC9scWg3R28KRfzx3jUAkTviPOsqtGOFtwWyYSwpg7L0 + xm0iFaR8U/hNA2+t6glFc+DyF65UCtN2sc5HFWxgXsiRQB0IGBdkJQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzK3JubFRvM2dFVlFadFMy + dmpmVjVrQ25VOElZN2dKNkZyUGdFTHR0ZlZzCm9qY1IyY3NMZjd4THV1MUJyMHY3 + U2IxNTRkQXRHU09kYkFuSHRYTURoaE0KLS0tIGwwdVFFbzZJN3RSL2xERTF3US9l + bFFYZ0ZvUkU2RzI1Sk1EMXU3L2kzNXcKTNd6rP4vwBlxy0IOpvJkwD2DHEuygQQj + 6nP/LDINN6byq+SCUOO60r/dPDixmRDZdWnvkRIntVweSpSgoM9dSw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-04T04:17:56Z" + mac: 
ENC[AES256_GCM,data:NBFyPyL26aN2MU30qhCW3/JGBlvk+rSjuRbaCLUFlTYEVyS2I+w+yoF51WtZPVYXuKsQ0JY7y/aoOMEqN+odrbkeX+PivOOgc1WVkPXEF8vIRg8qWkzovTTpQNk7IBM6EGGAj13T2eSPCxkrYyzu/FrUHXvRD6e8+u3kSTu+NAQ=,iv:wfZyk5sSt2S/gr1dt1iMrQ28yyQgWCsNdzbiUqzVf3M=,tag:Q2s7qUS8tJrXxDdapKVA2Q==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/modules/nixos/security.nix b/modules/nixos/security.nix
index bc257e7..0217d54 100644
--- a/modules/nixos/security.nix
+++ b/modules/nixos/security.nix
@@ -31,6 +31,10 @@
 hostNames = [ "[u348918.your-storagebox.de]:23" ];
 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
 };
+ web01 = {
+ hostNames = [ "web01.nix-community.org" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlk4GXei97txlkLtRQDblje0YXZxQnu5w7rVSBPzYRl";
+ };
 };
 services.openssh = {
diff --git a/terraform/cloudflare_nix-community_org.tf b/terraform/cloudflare_nix-community_org.tf
index 15253a3..4d9af0a 100644
--- a/terraform/cloudflare_nix-community_org.tf
+++ b/terraform/cloudflare_nix-community_org.tf
@@ -91,6 +91,27 @@ resource "cloudflare_record" "nix-community-org-darwin02-AAAA" {
 type = "AAAA"
 }
+resource "cloudflare_record" "nix-community-org-web01-AAAA" {
+ zone_id = local.nix_community_zone_id
+ name = "web01"
+ value = "2a01:4f9:c011:932f::1"
+ type = "AAAA"
+}
+
+resource "cloudflare_record" "nix-community-org-web01-A" {
+ zone_id = local.nix_community_zone_id
+ name = "web01"
+ value = "95.216.139.211"
+ type = "A"
+}
+
+resource "cloudflare_record" "nix-community-org-lemmy-CNAME" {
+ zone_id = local.nix_community_zone_id
+ name = "lemmy"
+ value = "web01.nix-community.org"
+ type = "CNAME"
+}
+
 # Used by nix-community/nixpkgs-docker
 resource "cloudflare_record" "nix-community-org-docker-CNAME" {
 zone_id = local.nix_community_zone_id
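Review bot: `hostNames` pins the key only for `web01.nix-community.org`, while the terraform hunk in this same commit publishes `95.216.139.211`, `2a01:4f9:c011:932f::1` and a `lemmy.nix-community.org` CNAME for the same machine; an `ssh` to any of those names or addresses falls back to trust-on-first-use instead of the pin. Listing the addresses as well closes that gap: `hostNames = [ "web01.nix-community.org" "95.216.139.211" "2a01:4f9:c011:932f::1" ];`. The `publicKey` should be the public half of the `ssh_host_ed25519_key` committed in `hosts/web01/secrets.yaml`, which cannot be checked from the encrypted blob, so whoever deploys should compare it against `/etc/ssh/ssh_host_ed25519_key.pub` on the host after the first activation. The attribute set this entry is added to (presumably the `knownHosts` set) starts outside the hunk.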
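Review bot: The `lemmy` CNAME carries no comment saying what consumes it, unlike the neighbouring `# Used by nix-community/nixpkgs-docker` record; add `# Lemmy instance served from web01 (see hosts/web01)` above the resource so the dependency is visible from the DNS side. None of the three new records set `proxied`, so they default to DNS-only, which is what the SSH host-key pin on `web01.nix-community.org` in `modules/nixos/security.nix` requires; writing `proxied = false` on the two `web01` records makes that requirement explicit and prevents a later toggle from silently breaking SSH to the name. It also means the origin addresses are public by design, which is fine for a pinned host but worth a one-line comment for anyone who later expects Cloudflare to hide them.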