diff --git a/.sops.yaml b/.sops.yaml
index f373817..749ec79 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
- &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
- &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
- &web01 age1dg06e2l664lek3het63vrdrvzyrzt2tcf4peellhxc33aj2wf3ysgja8gl
+ - &web02 age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
- &hercules_tf age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
- &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
- &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
@@ -74,6 +75,15 @@ creation_rules:
- *zimbatm
- *zowoq
- *adisbladis
+ - path_regex: hosts/web02/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *web02
+ - *mic92
+ - *ryantm
+ - *zimbatm
+ - *zowoq
+ - *adisbladis
- path_regex: modules/darwin/.+\.yaml$
key_groups:
- age:
diff --git a/devdoc/hosts.md b/devdoc/hosts.md
index b1539e7..dba257d 100644
--- a/devdoc/hosts.md
+++ b/devdoc/hosts.md
@@ -67,6 +67,16 @@ This machine hosts web services such as Lemmy.
- RAM: 8GB
- Drives: 80GB SSD
+### `web02`
+
+This machine hosts monitoring of our machines and services.
+
+- Provider: Gandi
+- Instance type: [V-R4](https://www.gandi.net/en-GB/cloud/vps)
+- CPU: 2 CPU
+- RAM: 4GB
+- Drives: 25GB
+
## SSH config:
You will need to set your admin username if it doesn't match your local username.
diff --git a/flake.nix b/flake.nix
index 65c381d..fe5a76d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -138,6 +138,10 @@
system = "x86_64-linux";
modules = [ ./hosts/web01/configuration.nix ];
};
+ web02 = nixosSystem {
+ system = "x86_64-linux";
+ modules = [ ./hosts/web02/configuration.nix ];
+ };
};
flake.darwinModules = {
diff --git a/hosts/web02/configuration.nix b/hosts/web02/configuration.nix
new file mode 100644
index 0000000..3a3b38f
--- /dev/null
+++ b/hosts/web02/configuration.nix
@@ -0,0 +1,11 @@
+{ inputs, ... }:
+{
+ imports = [
+ ./gandi.nix
+ inputs.self.nixosModules.common
+ ];
+
+ networking.hostName = "web02";
+
+ networking.useDHCP = true;
+}
diff --git a/hosts/web02/gandi.nix b/hosts/web02/gandi.nix
new file mode 100644
index 0000000..22069a8
--- /dev/null
+++ b/hosts/web02/gandi.nix
@@ -0,0 +1,45 @@
+# This is the configuration required to run NixOS on GandiCloud.
+{ lib, modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/virtualisation/openstack-config.nix")
+ ];
+ config = {
+ boot.initrd.kernelModules = [
+ "xen-blkfront"
+ "xen-tpmfront"
+ "xen-kbdfront"
+ "xen-fbfront"
+ "xen-netfront"
+ "xen-pcifront"
+ "xen-scsifront"
+ ];
+
+ # Show debug kernel message on boot then reduce loglevel once booted
+ boot.consoleLogLevel = 7;
+ boot.kernel.sysctl."kernel.printk" = "4 4 1 7";
+
+ # For "openstack console log show"
+ boot.kernelParams = [ "console=ttyS0" ];
+ systemd.services."serial-getty@ttyS0" = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Restart = "always";
+ };
+
+ # The device exposed by Xen
+ boot.loader.grub.device = lib.mkForce "/dev/xvda";
+
+ # This is to get a prompt via the "openstack console url show" command
+ systemd.services."getty@tty1" = {
+ enable = lib.mkForce true;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Restart = "always";
+ };
+
+ # This is required to get an IPv6 address on our infrastructure
+ networking.tempAddresses = "disabled";
+
+ system.stateVersion = "23.05";
+ };
+}
diff --git a/hosts/web02/secrets.yaml b/hosts/web02/secrets.yaml
new file mode 100644
index 0000000..8722ace
--- /dev/null
+++ b/hosts/web02/secrets.yaml
@@ -0,0 +1,66 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data:mp33XErF8FL7/rxKUsXiVijkCcDlSmtopkxTA/tDpcVx1ft6e9/YIoGYvLwxMhwowlEjktuANnZXo0tPHoCaiRdsFL2XMlNhbMHz5PKdIwpQyGysbqJKzVSa81F8RS1IG0sY8YGaCXsOfWPBbNJFTapT+9Xb6niRwiQkwwPAxBN9zdS+nMvllNHEZSv4RQ84uKzvyaLPB9N3GU7GHPq5UzBYNO1eH0eHoDEvv3JI6W/C8dws4liAwCSoCOF0RTdBpVKZvlf2DMYCKEZYWlnyBvq/NVJr2JujNDhtKOozL0tVLCkh8QQrLiWucN1yCMiy+1VS5yqmvqa6Gvc4P9hgmMHRjA37oJtDrik4SWQZq0VfxJ00oC3ByGmH6mR4AZY/BTPMnRAgF/m3rjryEd4hCjlQ1jJhdWmRTchruK7oSz/FrZmtCp/fVsRulcJ2JmU2gEQF0rfP9+eq/LWLD0FPvsp9ytf18wPMAY6fYj7vQGj5dx9ZB6oJ0RxlgAhPFhjAztjmMQD43oSsNnm9FKISS5Vv07tQDQBUHe3d,iv:Z6SfUFsjfRaVc23CNM1NE4/c92MLmbdEXilPJomX9qM=,tag:xknd9rqBVvUg69ICvhXHcA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTHNIYkY2eE1rWnVDVlk1
+ ZXg0ZFJEQ0JlNEYwOFZRNUh3K0I5L2lKNkFrCkl1c01YNDZobHM2djhSdGEyVklL
+ V1I0UzRqY0hxUm1oajZNZXB0a2JyeGsKLS0tIDlPUU1XVStkZUppM09NclkyRDFu
+ UC80VU01SS96dytmWkdHeHBkZzlsT2sKTbRmdfN5l3tFqi0bXQ5FQheunbabSBZ4
+ bGpju602wejkNx9L3rmHQCVTkRncr4UqYVeezRLq8rdBsPePsssYnQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTHR5Zm0yR1crQi9ITjQx
+ Zlh2SXpnN1pmSGRseHFRTzhKMFhNL0h5d0hBCm0vQWNmSVhaTm4yN3pVeHhZbk5r
+ ZE9zM2VXSU9RV2IzMXlQNFFhNXZGeEkKLS0tIC9JNm9VVEFZM0FPSjJSS2VkbkVD
+ THNidzhQempPdmQzdklKSUJlTThjaXMKJ1DzntjD0Zca0NVNUIcMj1gAErnFqcfi
+ 1f7w5PLIJZ0zTR+c2ozAYj+O/lD6cxA9q3cgdkFJRDIG/UP0sHuQ+w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbUJ4RGVKcFFHeUUwTC8x
+ Sy9rUjg1elo2eW9kNmw4RklCbVRNUjdQQXpnCjBzQ1p3VDFxUkdyeXZLVUNta2l6
+ dmtLYUE2L29ueFp1OWtHRHB6SCtvekkKLS0tIFc0a3EzengwR1cwekxqeEQ4YWhn
+ T21CNzNCU2NqeWwzMEw4UkJjcnlSd0UKf+1tn7/+0+RDWU0PLk2zGqOaXNLnhqK9
+ IhvbJrI+/dsY7fsPxR9c+p3z8TFltb3Q0jgUlmcujQ1VyTJB9qiu2Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybHRHZUU0dEFzdXIxQWtL
+ RGRKZm9uWVRWd0tDTDVPdFJGT1liY01HbUI4CkY3SFFwS1Y2UGprUDhkdlFibXBT
+ MWZUbDdEb2JBZ2x1VFJsWVVtZUY5NXcKLS0tIDdTY21jc2llM3ZoeUhpbzBnMTFQ
+ am5LMVgyVGRhdnRVUjZ6QlFWbDVTWE0KF6gctt/6t9WGhNQMXdfk+KctwUYKnEGq
+ ed+xCZ7flm2ifY3l8baaX1jVaYU56xsNnhNGyxVzfgbDOXnlPEcN+w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZ1dDQVZLN3RCYVo5bkFm
+ ZkZYNlUwYU9adnZqck5kYjM4OHAwSWtta2c4CmltckJnRTZnR2VVSnZjYnZwQnFB
+ OXJkZHpkSVdFN29qMkZ2c2JzcFB6OTgKLS0tIHY5SVB3TGp6L2txeU1YUmJBNitr
+ dFIwN1BIb1dWc1hPZUYxWU9ob0xVR28KnsuH74n4c0beUwyAoN6j4BbUYUFRmJA2
+ 6RFl032mjGu/k2eeGc5gV8CqBtyOTualqWt9P/+efWrVT4p1FMsbDg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZmxhWFZ1WE5adXhlaUpp
+ cno1VDBtY0I4Q253UW9SaUc3UzZyc0tyamtVClprLzkvOCthanRha3JGWU85YmVh
+ OTFLSldvREhiNFk0TU9ZTW5rd25oN0kKLS0tIEFMbXBlaWNQQWJqYUlJRi9ZcW84
+ QnJZZzN1a1M5b1dwa3hvL3ZHYkpxQUkK1g9sQB0UHl9coaznjIn4WDpQv21Y8cl9
+ LNqnv0Q6KrxNliq2JEJoEpjD5+xTcqV/5FgylKhtdNWUZ0eAX8taog==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-07-29T05:26:34Z"
+ mac: ENC[AES256_GCM,data:HS8Jr5pHtANiytEOAYYja3b+FxyCb858pTFZvi1ZZ2NBkjRmkOY8UEzoL+dEJQ2RQ49l3GktIwu3oBwkjjoBHC7cqo5VfwB7a23u28iWwfiHduZMOOu4xHg6vsUCtScu1tr3bJexfVu47RHI/su/ds3UWk6eJKBm49MzcGTI7lU=,iv:J1lgkh9mSmd3iUf9pkvJAAsPgDZQsNtjMeBTwm+nhdQ=,tag:3IMkozS5d6jRoz+Gl8K0BA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
index 4fe12bd..4f1d293 100644
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
@@ -39,6 +39,10 @@
hostNames = [ "web01.nix-community.org" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlk4GXei97txlkLtRQDblje0YXZxQnu5w7rVSBPzYRl";
};
+ web02 = {
+ hostNames = [ "web02.nix-community.org" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILAkBZMRNgsJ/IbLtjMHqBw/9+4tyn9nT+5B5RFiV0vJ";
+ };
};
services.openssh = {
diff --git a/terraform/cloudflare_nix-community_org.tf b/terraform/cloudflare_nix-community_org.tf
index 4cae9e7..894859c 100644
--- a/terraform/cloudflare_nix-community_org.tf
+++ b/terraform/cloudflare_nix-community_org.tf
@@ -122,14 +122,14 @@ resource "cloudflare_record" "nix-community-org-web01-A" {
resource "cloudflare_record" "nix-community-org-web02-A" {
zone_id = local.nix_community_zone_id
name = "web02"
- value = "46.226.106.114"
+ value = "46.226.105.188"
type = "A"
}
resource "cloudflare_record" "nix-community-org-web02-AAAA" {
zone_id = local.nix_community_zone_id
name = "web02"
- value = "2001:4b98:dc0:43:f816:3eff:fe0c:b15b"
+ value = "2001:4b98:dc0:43:f816:3eff:fe99:9fca"
type = "AAAA"
}