sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

web02: init

Browse source
This commit is contained in:
zowoq 2023-07-22 09:50:53 +10:00
parent 967b3efeef
commit cc367a8b05
8 changed files with 152 additions and 2 deletions

10
.sops.yaml
View file

@ -4,6 +4,7 @@ keys:
- &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq - &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
- &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj - &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
- &web01 age1dg06e2l664lek3het63vrdrvzyrzt2tcf4peellhxc33aj2wf3ysgja8gl - &web01 age1dg06e2l664lek3het63vrdrvzyrzt2tcf4peellhxc33aj2wf3ysgja8gl
- &web02 age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
- &hercules_tf age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst - &hercules_tf age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
- &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
- &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay - &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
@ -74,6 +75,15 @@ creation_rules:
- *zimbatm - *zimbatm
- *zowoq - *zowoq
- *adisbladis - *adisbladis
- path_regex: hosts/web02/[^/]+\.yaml$
key_groups:
- age:
- *web02
- *mic92
- *ryantm
- *zimbatm
- *zowoq
- *adisbladis
- path_regex: modules/darwin/.+\.yaml$ - path_regex: modules/darwin/.+\.yaml$
key_groups: key_groups:
- age: - age:

10
devdoc/hosts.md
View file

@ -67,6 +67,16 @@ This machine hosts web services such as Lemmy.
- RAM: 8GB - RAM: 8GB
- Drives: 80GB SSD - Drives: 80GB SSD
### `web02`
This machine hosts monitoring of our machines and services.
- Provider: Gandi
- Instance type: [V-R4](https://www.gandi.net/en-GB/cloud/vps)
- CPU: 2 CPU
- RAM: 4GB
- Drives: 25GB
## SSH config: ## SSH config:
You will need to set your admin username if it doesn't match your local username. You will need to set your admin username if it doesn't match your local username.

4
flake.nix
View file

@ -138,6 +138,10 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./hosts/web01/configuration.nix ]; modules = [ ./hosts/web01/configuration.nix ];
}; };
web02 = nixosSystem {
system = "x86_64-linux";
modules = [ ./hosts/web02/configuration.nix ];
};
}; };
flake.darwinModules = { flake.darwinModules = {

11
hosts/web02/configuration.nix Normal file
View file

@ -0,0 +1,11 @@
{ inputs, ... }:
{
imports = [
./gandi.nix
inputs.self.nixosModules.common
];
networking.hostName = "web02";
networking.useDHCP = true;
}

45
hosts/web02/gandi.nix Normal file
View file

@ -0,0 +1,45 @@
# This is the configuration required to run NixOS on GandiCloud.
{ lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/openstack-config.nix")
];
config = {
boot.initrd.kernelModules = [
"xen-blkfront"
"xen-tpmfront"
"xen-kbdfront"
"xen-fbfront"
"xen-netfront"
"xen-pcifront"
"xen-scsifront"
];
# Show debug kernel message on boot then reduce loglevel once booted
boot.consoleLogLevel = 7;
boot.kernel.sysctl."kernel.printk" = "4 4 1 7";
# For "openstack console log show"
boot.kernelParams = [ "console=ttyS0" ];
systemd.services."serial-getty@ttyS0" = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig.Restart = "always";
};
# The device exposed by Xen
boot.loader.grub.device = lib.mkForce "/dev/xvda";
# This is to get a prompt via the "openstack console url show" command
systemd.services."getty@tty1" = {
enable = lib.mkForce true;
wantedBy = [ "multi-user.target" ];
serviceConfig.Restart = "always";
};
# This is required to get an IPv6 address on our infrastructure
networking.tempAddresses = "disabled";
system.stateVersion = "23.05";
};
}

66
hosts/web02/secrets.yaml Normal file
View file

@ -0,0 +1,66 @@
ssh_host_ed25519_key: ENC[AES256_GCM,data:mp33XErF8FL7/rxKUsXiVijkCcDlSmtopkxTA/tDpcVx1ft6e9/YIoGYvLwxMhwowlEjktuANnZXo0tPHoCaiRdsFL2XMlNhbMHz5PKdIwpQyGysbqJKzVSa81F8RS1IG0sY8YGaCXsOfWPBbNJFTapT+9Xb6niRwiQkwwPAxBN9zdS+nMvllNHEZSv4RQ84uKzvyaLPB9N3GU7GHPq5UzBYNO1eH0eHoDEvv3JI6W/C8dws4liAwCSoCOF0RTdBpVKZvlf2DMYCKEZYWlnyBvq/NVJr2JujNDhtKOozL0tVLCkh8QQrLiWucN1yCMiy+1VS5yqmvqa6Gvc4P9hgmMHRjA37oJtDrik4SWQZq0VfxJ00oC3ByGmH6mR4AZY/BTPMnRAgF/m3rjryEd4hCjlQ1jJhdWmRTchruK7oSz/FrZmtCp/fVsRulcJ2JmU2gEQF0rfP9+eq/LWLD0FPvsp9ytf18wPMAY6fYj7vQGj5dx9ZB6oJ0RxlgAhPFhjAztjmMQD43oSsNnm9FKISS5Vv07tQDQBUHe3d,iv:Z6SfUFsjfRaVc23CNM1NE4/c92MLmbdEXilPJomX9qM=,tag:xknd9rqBVvUg69ICvhXHcA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTHNIYkY2eE1rWnVDVlk1
ZXg0ZFJEQ0JlNEYwOFZRNUh3K0I5L2lKNkFrCkl1c01YNDZobHM2djhSdGEyVklL
V1I0UzRqY0hxUm1oajZNZXB0a2JyeGsKLS0tIDlPUU1XVStkZUppM09NclkyRDFu
UC80VU01SS96dytmWkdHeHBkZzlsT2sKTbRmdfN5l3tFqi0bXQ5FQheunbabSBZ4
bGpju602wejkNx9L3rmHQCVTkRncr4UqYVeezRLq8rdBsPePsssYnQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTHR5Zm0yR1crQi9ITjQx
Zlh2SXpnN1pmSGRseHFRTzhKMFhNL0h5d0hBCm0vQWNmSVhaTm4yN3pVeHhZbk5r
ZE9zM2VXSU9RV2IzMXlQNFFhNXZGeEkKLS0tIC9JNm9VVEFZM0FPSjJSS2VkbkVD
THNidzhQempPdmQzdklKSUJlTThjaXMKJ1DzntjD0Zca0NVNUIcMj1gAErnFqcfi
1f7w5PLIJZ0zTR+c2ozAYj+O/lD6cxA9q3cgdkFJRDIG/UP0sHuQ+w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbUJ4RGVKcFFHeUUwTC8x
Sy9rUjg1elo2eW9kNmw4RklCbVRNUjdQQXpnCjBzQ1p3VDFxUkdyeXZLVUNta2l6
dmtLYUE2L29ueFp1OWtHRHB6SCtvekkKLS0tIFc0a3EzengwR1cwekxqeEQ4YWhn
T21CNzNCU2NqeWwzMEw4UkJjcnlSd0UKf+1tn7/+0+RDWU0PLk2zGqOaXNLnhqK9
IhvbJrI+/dsY7fsPxR9c+p3z8TFltb3Q0jgUlmcujQ1VyTJB9qiu2Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybHRHZUU0dEFzdXIxQWtL
RGRKZm9uWVRWd0tDTDVPdFJGT1liY01HbUI4CkY3SFFwS1Y2UGprUDhkdlFibXBT
MWZUbDdEb2JBZ2x1VFJsWVVtZUY5NXcKLS0tIDdTY21jc2llM3ZoeUhpbzBnMTFQ
am5LMVgyVGRhdnRVUjZ6QlFWbDVTWE0KF6gctt/6t9WGhNQMXdfk+KctwUYKnEGq
ed+xCZ7flm2ifY3l8baaX1jVaYU56xsNnhNGyxVzfgbDOXnlPEcN+w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZ1dDQVZLN3RCYVo5bkFm
ZkZYNlUwYU9adnZqck5kYjM4OHAwSWtta2c4CmltckJnRTZnR2VVSnZjYnZwQnFB
OXJkZHpkSVdFN29qMkZ2c2JzcFB6OTgKLS0tIHY5SVB3TGp6L2txeU1YUmJBNitr
dFIwN1BIb1dWc1hPZUYxWU9ob0xVR28KnsuH74n4c0beUwyAoN6j4BbUYUFRmJA2
6RFl032mjGu/k2eeGc5gV8CqBtyOTualqWt9P/+efWrVT4p1FMsbDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZmxhWFZ1WE5adXhlaUpp
cno1VDBtY0I4Q253UW9SaUc3UzZyc0tyamtVClprLzkvOCthanRha3JGWU85YmVh
OTFLSldvREhiNFk0TU9ZTW5rd25oN0kKLS0tIEFMbXBlaWNQQWJqYUlJRi9ZcW84
QnJZZzN1a1M5b1dwa3hvL3ZHYkpxQUkK1g9sQB0UHl9coaznjIn4WDpQv21Y8cl9
LNqnv0Q6KrxNliq2JEJoEpjD5+xTcqV/5FgylKhtdNWUZ0eAX8taog==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-29T05:26:34Z"
mac: ENC[AES256_GCM,data:HS8Jr5pHtANiytEOAYYja3b+FxyCb858pTFZvi1ZZ2NBkjRmkOY8UEzoL+dEJQ2RQ49l3GktIwu3oBwkjjoBHC7cqo5VfwB7a23u28iWwfiHduZMOOu4xHg6vsUCtScu1tr3bJexfVu47RHI/su/ds3UWk6eJKBm49MzcGTI7lU=,iv:J1lgkh9mSmd3iUf9pkvJAAsPgDZQsNtjMeBTwm+nhdQ=,tag:3IMkozS5d6jRoz+Gl8K0BA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

4
modules/nixos/common/security.nix
View file

@ -39,6 +39,10 @@
hostNames = [ "web01.nix-community.org" ]; hostNames = [ "web01.nix-community.org" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlk4GXei97txlkLtRQDblje0YXZxQnu5w7rVSBPzYRl"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlk4GXei97txlkLtRQDblje0YXZxQnu5w7rVSBPzYRl";
}; };
web02 = {
hostNames = [ "web02.nix-community.org" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILAkBZMRNgsJ/IbLtjMHqBw/9+4tyn9nT+5B5RFiV0vJ";
};
}; };
services.openssh = { services.openssh = {

4
terraform/cloudflare_nix-community_org.tf
View file

@ -122,14 +122,14 @@ resource "cloudflare_record" "nix-community-org-web01-A" {
resource "cloudflare_record" "nix-community-org-web02-A" { resource "cloudflare_record" "nix-community-org-web02-A" {
zone_id = local.nix_community_zone_id zone_id = local.nix_community_zone_id
name = "web02" name = "web02"
value = "46.226.106.114" value = "46.226.105.188"
type = "A" type = "A"
} }
resource "cloudflare_record" "nix-community-org-web02-AAAA" { resource "cloudflare_record" "nix-community-org-web02-AAAA" {
zone_id = local.nix_community_zone_id zone_id = local.nix_community_zone_id
name = "web02" name = "web02"
value = "2001:4b98:dc0:43:f816:3eff:fe0c:b15b" value = "2001:4b98:dc0:43:f816:3eff:fe99:9fca"
type = "AAAA" type = "AAAA"
} }