feat: server with external volume

Author: justinrubek

.sops.yaml

@@ -5,6 +5,7 @@ keys:
   - &server_ceylon age1sdpel8lnp90e43a7nag7p44mkpuglf5mg0f0ccq4kr9pvxmdkfpqznvu2r
   - &server_pyxis age1n52ec7jk26u40rx3c858s9udwp603s24af05h8jpc4h5zqr95uzs86t9w7 
   - &server_huginn age1l5pkxrftt3e25kny6l8xllw53uh6almh9usv8x9h67g82k7q63ss8daq5e
+  - &server_alex age1z94tzmzngntrkn32jm4283m2fwhhw73q8gghawld4vya7a6jtafsyznmnk
 creation_rules:
   - path_regex: secrets/bunky/[^/]+\.yaml$
     key_groups:
@@ -20,6 +21,8 @@ creation_rules:
       - *server_ceylon
       - *server_pyxis
       - *server_huginn
+      - *server_alex
+
   - path_regex: secrets/vault/[^/]+\.yaml$
     key_groups:
     - age:

deploy/default.nix

@@ -27,6 +27,7 @@ in {
       pyxis = mkDeployNode {hostname = "pyxis";};
       ceylon = mkDeployNode {hostname = "ceylon";};
       huginn = mkDeployNode {hostname = "huginn";};
+      alex = mkDeployNode {hostname = "alex";};
     };
   };
 }

home/configurations/default.nix

@@ -69,5 +69,16 @@ in {
           }
         ];
     };
+
+    "justin@alex" = {
+      system = "x86_64-linux";
+      modules =
+        extraModules
+        ++ [
+          {
+            home.stateVersion = "21.11";
+          }
+        ];
+    };
   };
 }

home/configurations/justin@alex/default.nix

@@ -0,0 +1,18 @@
+{comma, ...}: {pkgs, ...}: let
+in {
+  config = {
+    activeProfiles = ["development"];
+
+    home.packages = with pkgs; [
+      comma.packages.x86_64-linux.default
+      alejandra
+    ];
+
+    programs.zellij = {
+      enable = true;
+      settings = {
+        default-shell = "zsh";
+      };
+    };
+  };
+}

nixos/configurations/alex/bootloader.nix

@@ -0,0 +1,7 @@
+{
+  pkgs,
+  lib,
+  self,
+  config,
+  ...
+}: {}

nixos/configurations/alex/default.nix

@@ -0,0 +1,77 @@
+{unixpkgs, ...} @ inputs: {
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+  ];
+
+  # Linux kernel
+
+  # Enable networking
+  # networking.networkmanager.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "America/Chicago";
+
+  # Select internationalisation properties.
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+  };
+
+  # personal modules
+  justinrubek = {
+    tailscale = {
+      enable = true;
+      autoconnect.enable = true;
+    };
+  };
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users = {
+    justin = {
+      isNormalUser = true;
+      description = "Justin";
+      extraGroups = ["networkmanager" "wheel"];
+      shell = pkgs.zsh;
+
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1Uj62/yt8juK3rSfrVuX/Ut+xzw1Z75KZS/7fOLm6l justin@eunomia"
+      ];
+    };
+  };
+
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = true;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # services.openssh = {
+  #   enable = true;
+  #   permitRootLogin = "no";
+  # };
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leavecatenate(variables, "bootdev", bootdev)
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+
+  nix = {
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+  };
+}

nixos/configurations/alex/hardware.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    "${modulesPath}/profiles/minimal.nix"
+    "${modulesPath}/profiles/qemu-guest.nix"
+  ];
+
+  justinrubek = {
+    filesystem.zfs.enable = true;
+
+    cloudhost.hetzner = {
+      enable = true;
+    };
+  };
+
+  fileSystems = {
+    "/var/nfs" = {
+      device = "persist/data";
+      fsType = "zfs";
+      # options = [ "noatime" "compression=lz4" ];
+    };
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-label/SWAP";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+  # powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+  # hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nixos/configurations/default.nix

@@ -40,6 +40,10 @@ in {
       system = "x86_64-linux";
       modules = hetznerModules ++ sshModule;
     };
+    alex = {
+      system = "x86_64-linux";
+      modules = hetznerModules ++ sshModule;
+    };
 
     # other
     hetzner-base = {

secrets/tailscale/server.yaml

@@ -8,56 +8,65 @@ sops:
         - recipient: age1en3a406mje3x7nqpmrth4x9n23fz6mwztmyhmtn3fqyrkl25avgqfwghcd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNzJIaXdlMHF1SzhxdVJq
-            M0grcTQ2MGFUR3RVZlNLRkU1U0RyemdhM1NrCkRIdHdvbFEvOUFrV0JqcVdKSGdQ
-            c1I1RXRjN3JIS3NmSno3R2Y1TVl4OXMKLS0tIDFIL0FmS3JJcWRtbWV6aDg0dFlw
-            dHFGLzlxRit1NisxdlhORHUvMlVwaWcKsnK+G+etnP87inVUHQf0URvOh6xbGGge
-            NHBClxG0JbhBGYgt/xywauvH2pKay/Jyvi2PVrPIUEv+WpYMixfjzQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZ3BFcFdzUUw1YTg5dHE1
+            UkZPSVEvN2Uvb3ZEUDAveEpDVnlaQzM4blZZCjA1RkVLaFA4WEQ1L1Nlbkl5TUs4
+            ZTRwZVVTMGYweU00aHdwSUJpcVF5ZjgKLS0tIGI0UUQzczNRNjNRaW1HcmMweU01
+            VlBrNDN5ZGRLWVRTZlpuSXZJREdWcTAK8uyL8qAKbnLJsd3wDBE3w0/aLMujKZYN
+            aTrayyWe0zq0IzdWp7cqJ8177jDBnnk/1ggXV74IUShWmtJdExmnJQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1eg73s6n7kw0nu73cmlh7r7h3glc7umufv4q027nd9af757lkhflsxdyqp5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TWlDL1poL1VNcFNDYTE1
-            VC9DSzhGRWNWZ2krM2NTeFRYSlNpOHorQXpJCmVsckF3emljSVJ5YzFmc0ZVVlph
-            S1NaL0VkS3A2QUJWelV1MXAyNWVYemsKLS0tIFZtWlROM2UwVVFPWklxSTl0K2w2
-            cmhwUEV5WUJzclBaU0lVdm9YamdQTUEKB8vX/YHMkX22PVLwrwT0sMqmZC2j4Hsm
-            vi/CzNz/jTn0ORsH/4qdK64PsBI6rLasTuCxkJsHJfeXmTG0r3Lr8w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMDE1M3RPVm9jUTZVbnhY
+            M3lRTnlLWmxBdURXNzVybjRQYThTZHNYNlYwCkd0T2NJb0hoNmFKVkJPWHhDbU93
+            dFNhL1VOTUNyaTE0aUwxWHFESEdrczAKLS0tIEFSU09TNUdzZEtjUHJybHBQTit5
+            SEdIN1l3STdiQWhOVUJEdTZFL2ZVMzgKoK+a6iBQga82hzjQM9tJzlWJ5Uzs8/xG
+            ONd/JAGdBM4EBQE0fOreK/Pk3MhU+K/c8gSscymGkt91jE6D6dKKPA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1en3a406mje3x7nqpmrth4x9n23fz6mwztmyhmtn3fqyrkl25avgqfwghcd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2L3ZpZ0ZGWTc5SjA2YWly
-            ZHN0eFZqY2U5eUhOMnpQUFZyRW56cXFpVUd3ClhZVVNGOEpkUWs1bVZ1TStZd1lt
-            SFBsNTFtSUxmR0NzcndHM3RhSTdpa00KLS0tIDJ5bTdpWVB0MHdaTXB0YXlmUE9R
-            OVhOSmZvZnYrRVVOeVQ2aUhZcWRaMncKfM8N4zntRBnRIJHPIDW2N0Ndt08sQd+h
-            +QaUuWd2CKTQCY1pMMx3Komrhzrw2lp3ULuvhmcD8l5FSDNJLQAmFQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZFdWMWdnY09jaFhZaUdx
+            RStSRTRkMzY2WDFpOWlYMFJCYzhoN01vT1hJCnNLMlRYNllCL2lLUmtvTWU2Z3Vy
+            ZXVYVGpldm1hRzkyQTd4dmRyUkhnN2MKLS0tIGRMV0h2SkhSdGpwMkkzeHB3QndR
+            MnhJL0ErOVdTdGFqSThEcXJHWHhqdkEKc7sW7I+p/u9vVHvj9AEEjYt5MkSvT/Yl
+            FHeBSklStYH2/pvZunwVdovYCLvNCNCXa19FFWmOFPMWVDW2L94kAA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1sdpel8lnp90e43a7nag7p44mkpuglf5mg0f0ccq4kr9pvxmdkfpqznvu2r
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2WmF3ZDFIMVFKcjhVMkRH
-            dktva2ltb3JBRHhNbm1CMGxRWXNYbE9mVXhvCnZpdkNFL1NBdS9zdmpnME9GekxV
-            ODExc3g5NHMxNGpXalFHeFQwU0Q1NlEKLS0tIEc4Tjc3NTlsSVpoZmdoaHhiQzQx
-            RG8xckQ5c3RsOTdxaVhDbndwYlFhMjgKPFZ10F35NrFlNA8CDN7eUovb4LkhRcTN
-            warJOipYXSGPDe33TREA8eGMDjasMRaySkxAPx5oPF7HSXxLkRE+Lw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVMWxCY3pzYXpUTWZpWXQr
+            bFJOQkhrNVJHNWViVVJPVy9ob3ZSd3RNdzBBCllNeDA0K0dsNzFsS2daOVY4K0gz
+            UnhhR0M3d2RBY0V0MllTVUFRTkw1VUUKLS0tIFh3b2tlYTVOU1g5em9WT3RlYTl4
+            d1lyb0VBZXpaR0FCMnlsVVZtQU5HK00KNEXhewTO8FTaoDrukQWDmTeUzLen5oAS
+            yrc8KWWJhBnnounqnrNVWtOq7gSEGo70O0V5dGtXWVsPI1lqXVXifg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1n52ec7jk26u40rx3c858s9udwp603s24af05h8jpc4h5zqr95uzs86t9w7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINGZnRnhXTm13MFNVSEVC
-            VVRPSTdUUm9ZbVpkYjZyVG45TjYwYVZCMm5RCll4OWIxbEZ0UzV3OWI4WU0vSkJa
-            Y1ErSHdzTEEvYVdGK0lrZU1ncW15clEKLS0tIFRPdXBiRkRuWjN3MXRlMWYvTlFr
-            aUFvYjI1SW84eHhKMmZOUzlLRXFRRm8KkGrfMifisdXhk0IL2d52L7WvBEyLWDUB
-            FVW6hDgJtiqku/gF9wauSFevlARlTxQrY966eNltkAXB99wfVugiMQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGMmhmRFFRVWVacjlJcTU5
+            YmlydHZ4TFplZisrRm1kT1BZSS9QWWFtbWhNCjBjaDhzeVhWWStnVVVud3J6UVRI
+            cVNxbnVXSGl2djRpSUErRzlpZ3NWS2sKLS0tIDVqZ3cxbjFvaVN1Z3BmbVAxSGFW
+            amMxNmx4SXZRRm41a0dSZjV2TXNwSlEKo9QiAz6Gdzz13pKa9N9C99vgvxLMeBQt
+            nUimjbUxShvKyBY+HIIXojpMKuwvEiQiEGD9ZpR0zqADiaUT7rWd2A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1l5pkxrftt3e25kny6l8xllw53uh6almh9usv8x9h67g82k7q63ss8daq5e
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWkEzWkhXRjRucHNtQlRH
-            ZHk5NUZRK1dzTzdJMHVORFNYQktkZGpLelh3CnRCRUtnRXdkV2t1eXkxYWpEY1FI
-            Uk5ObStkbUlIelo5TnRmVGljb3lWLzgKLS0tIENMdXMyR0N6SHlDM2RhYVpsKzRH
-            UmlOc3ZTMUxmWkh0bS9SbkNiaFBGQzQKZBThXRCZ8ALKUKYuOb1GyY6HJ+XyNY4I
-            j4Ggp2TeBuP3Pnyge5vRGj40V4BBquPJcXzTXrWTKrYvxnQ+kqFR/A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU1dlZUNWejNmSm5ZQlNh
+            SmVRcXRRMk43L0dhWGNHTHRZK2J1S004VkZNCmo5L2VZb1pseUhyYjhudHdubko3
+            cXlIZnJLVFI4eExGNXBYM0h4akNBZFEKLS0tIEpValM0RmREdTV0MThUNnhrYU1k
+            NldqSjFiTENkQXhIVEI5MzNqd0Z2L3cK0ZVytCzpI1XgieNMCw6YJDlFzh2W24xz
+            jMZ+xT6tsNCxiRbCvCoWrQO8apvPmnFX96YjM+dRuXPP3cnyMXJuHg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1z94tzmzngntrkn32jm4283m2fwhhw73q8gghawld4vya7a6jtafsyznmnk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcDdFa250QUwreWRPbDBl
+            UHhtVWtGakRsR1EyVkp0cXRWWFhqMlNLQVhzCmt3cHpNeWRhWU1rWTE2YXd5bTBS
+            YjFEMmRPMldaVjJ2MEVHUDlieCtROU0KLS0tIDIxNXo5NmIxWnV0V2VnZndEbU91
+            MEFsLzJ5L1ZLakNkdnAzVnZYbFE2WlkKnDKUuoVXtheKiiICGzeRE5EBnhksqXfa
+            tSbhK41I2CGO+xxE0FX56Zv8LkTAkM7JhQas1ng1bz0JrjM6jsScQA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2022-12-21T21:37:30Z"
     mac: ENC[AES256_GCM,data:l2EOMri3OomkTa6qeRYAEa6Gm3cB5dj9fzKk5thy4DqfIYScxPwS2M/h3j7gxhqKwB70ctzShpCxr6MOB6ScQlsA7QOYD02fMECvzj4Cov05mMzd7kfmHEGiUCeecCaA0d2Hg8V0ViZG5UzxdHAn1iI1WIctVMosyNDLaB7985c=,iv:4m2cWwbpfimm1eVcxlw2/wlB7n7jmzSeIoiQWhDnE0s=,tag:goaw5rusPmN16SCRPxaA7g==,type:str]

terraform/configurations/hetzner/main.nix

@@ -77,4 +77,25 @@ in {
       "\${hcloud_server.huginn.id}"
     ];
   };
+
+  ### NFS
+
+  resource.hcloud_server.alex = {
+    name = "alex";
+
+    inherit server_type location image;
+    inherit public_net;
+  };
+
+  resource.hcloud_volume.persist = {
+    name = "persist";
+    size = 50;
+    location = "hil";
+  };
+
+  resource.hcloud_volume_attachment.nfs = {
+    server_id = "\${hcloud_server.alex.id}";
+    volume_id = "\${hcloud_volume.persist.id}";
+    automount = false;
+  };
 }