chore: migrate disk host

.gitignore

@@ -5,8 +5,12 @@
 !docs/
 
 !hosts/
+
+!hosts/disk/
+
 !hosts/nine/
 !hosts/nine/github2forgejo/
+
 !hosts/pala/
 
 !lib/

hosts/disk/default.nix

@@ -0,0 +1,66 @@
+lib: lib.nixosSystem ({ config, keys, lib, ... }: let
+  inherit (lib) collectNix remove;
+in {
+  imports = collectNix ./. |> remove ./default.nix;
+
+  secrets.id.file           = ./id.age;
+  services.openssh.hostKeys = [{
+    type = "ed25519";
+    path = config.secrets.id.path;
+  }];
+
+  secrets.floppyPassword.file = ./password.floppy.age;
+  users.users                 = {
+    root.hashedPasswordFile = config.secrets.floppyPassword.path;
+
+    floppy = {
+      description                 = "Floppy";
+      openssh.authorizedKeys.keys = keys.admins;
+      hashedPasswordFile          = config.secrets.floppyPassword.path;
+      isNormalUser                = true;
+      extraGroups                 = [ "wheel" ];
+    };
+
+    backup = {
+      description                 = "Backup";
+      openssh.authorizedKeys.keys = keys.all;
+      hashedPasswordFile          = config.secrets.floppyPassword.path;
+      isNormalUser                = true;
+    };
+  };
+
+  home-manager.users = {
+    root   = {};
+    floppy = {};
+    backup = {};
+  };
+
+  networking = let
+    interface = "ens32";
+  in {
+    hostName = "disk";
+
+    ipv4 = "23.164.232.40";
+    ipv6 = "2602:f9f7::40";
+
+    domain = "rgbcu.be";
+
+    defaultGateway = {
+      inherit interface;
+
+      address = "23.164.232.1";
+    };
+
+    defaultGateway6 = {
+      inherit interface;
+
+      address = "2602:f9f7::1";
+    };
+  };
+
+  nixpkgs.hostPlatform       = "x86_64-linux";
+  system.stateVersion        = "23.11";
+  home-manager.sharedModules = [{
+    home.stateVersion = "23.11";
+  }];
+})

hosts/disk/hardware.nix

@@ -0,0 +1,36 @@
+{ config, lib, modulesPath, ... }: let
+  inherit (lib) enabled;
+in {
+  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+
+  boot.loader = {
+    systemd-boot = enabled {
+      editor = false;
+    };
+
+    efi.canTouchEfiVariables = true;
+  };
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "ata_piix"
+    "nvme"
+    "sr_mod"
+  ];
+
+  fileSystems."/" = {
+    device  = "/dev/disk/by-label/root";
+    fsType  = "ext4";
+    options = [ "noatime" ];
+  };
+
+  fileSystems.${config.boot.loader.efi.efiSysMountPoint} = {
+    device  = "/dev/disk/by-label/boot";
+    fsType  = "vfat";
+    options = [ "noatime" ];
+  };
+
+  swapDevices = [{
+    device = "/dev/disk/by-label/swap";
+  }];
+}

hosts/disk/mail.nix

@@ -0,0 +1,11 @@
+{ config, self, ... }: let
+  inherit (config.networking) domain;
+
+  fqdn = "mail1.${domain}";
+in {
+  imports = [(self + /modules/mail)];
+
+  mailserver = {
+    inherit fqdn;
+  };
+} 

hosts/disk/password.floppy.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 spFFQA pJguGLlB7R7iXrGfwKabGxmryMrfY57yvfaCytZG/Fs
+1USXbjiteoTrs7+KEFPTMVBNHpBWFXyHi/iLxFL7tls
+-> ssh-ed25519 CzqbPQ IbK7nvEUn324R2zHDJzfgMV/FDqwLCU/jGZLSjrG4FY
+naDshlcyrpvgLQydqxAXg/hhfFAFov568p163F7wrZ4
+--- MTj/7Zs1N348gDK+G1p01d6EZ21JzpPJnlaUc1ChcBo
+*°<>òluçM¹â=&Á÷à³Z<C2B3>¾›·
×ü0•ï!<21>¶A3eí\ÙB0“ÎVêýÚš¢¦í¢R‹; \6Ö¹®¡ío’÷^ZRÎ}_³›­ç%~›kÑ ™»Ão¹Œž$³O¸$É^…Aâ*¦Ù

hosts/disk/site6.nix

@@ -0,0 +1,7 @@
+{ self, ... }: {
+  imports = [
+    # (self + /modules/acme)
+    # (self + /modules/nginx.nix)
+    # (self + /modules/site.nix)
+  ];
+} 

hosts/nine/default.nix

@@ -56,18 +56,6 @@ in {
 
       address = "fe80::1";
     };
-
-    interfaces.${interface} = {
-      ipv4.addresses = [{
-        address      = config.networking.ipv4;
-        prefixLength = 22;
-      }];
-
-      ipv6.addresses = [{
-        address      = config.networking.ipv6;
-        prefixLength = 64;
-      }];
-    };
   };
 
   nixpkgs.hostPlatform       = "aarch64-linux";

hosts/nine/hardware.nix

@@ -18,13 +18,15 @@ in {
   boot.initrd.kernelModules = [ "nvme" ];
 
   fileSystems."/" = {
-    device = "/dev/disk/by-label/root";
-    fsType = "ext4";
+    device  = "/dev/disk/by-label/root";
+    fsType  = "ext4";
+    options = [ "noatime" ];
   };
 
   fileSystems.${config.boot.loader.efi.efiSysMountPoint} = {
-    device = "/dev/disk/by-label/boot";
-    fsType = "vfat";
+    device  = "/dev/disk/by-label/boot";
+    fsType  = "vfat";
+    options = [ "noatime" ];
   };
 
   zramSwap = enabled;

modules/acme/environment.age

@@ -1,13 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 +rZ0Tw /sYx2CZG4l/oWbh9aKT4lFOcSiwY6A9SxwgX32mXqBs
-iK6qzFpI4xGh5m4oqmW18eM2v6OVj/z3t1aRslnhH50
--> ssh-ed25519 spFFQA S3tkGQbTGQgWcp8Uh625eMCnE/h4nFVeb/z1AVemBkw
-9RiAPo2w7PC+2abVofU1Aficcn0eOfvvOMgxGXRIL+0
--> ssh-ed25519 dASlBQ zuVu1QbtutWUG93M+i/UlVlkrmUdz71SrW8jhV4Pxg4
-OMEdnXV0Ix11FRX58Q3zH7nRG2tSkBl1wDmGY7J4JLM
--> ssh-ed25519 CzqbPQ XLqIYDBAQXyL4/khZ71XP6uajnkX2HhzA2Ksx1UTGiU
-MWrt9f1XjxECD4TRKbME2bN4XU1ns9VQ7btuqijXJYU
---- rpTCT+04nE+Jl+2qDHbocBGeYQYBtW/EcRiYHWTqcvw
-ñP3ÐÔ¢p
¸ŸQ¬^“¬­ ³š8lA<6C>¶Å»‰ÌhYQê±	Gü×ÿ‘¢ðWÐüÊ'ï&ãתHÐÉ;Ü<>ï ¼	á*3™­û Ð÷
-t€AõàOXkˆ>M¸††öiœ:!äo¸Ì›s9å!:£$£rŽ»ÿaŽ4"HUD
-Œ¾ËbHºôH£–w'Å Ì<C2A0>Ù±x·³ÌJ¨<>àXœYy«+å–ú¡P»(‹eG&&ŽTGÐ'ÔÍ8à:!)Ôª<´
+-> ssh-ed25519 +rZ0Tw DMMzxXSIPSsRLkIvKJAiE6OzV1z3EZ0T+od2iIxMiA0
+OHVLHmVzeiWlsVI+DQ5M+iNik+nsdiQBz4zcquygC0A
+-> ssh-ed25519 spFFQA TVqArtAoudQlrgAqshCP8ZU0YlVZoKwkvUVh968NqC8
+Cy7+Y1rTFiAoWp6Gw8a1cljCjWPHtNwXjlXWQyu8A8U
+-> ssh-ed25519 dASlBQ ui5a61Tg1JoJvR8okc8qKkDhrSE9dH84XZQWhLn7cCo
+5ehK2bvVgLZSYr5AstV1dwW7/qaVGRxs8PdzAg7sk4w
+-> ssh-ed25519 CzqbPQ wgktFhPRIAwX8BNJu8svEHDrpz0ZCOw94nR+M3FJCTY
+RAErTHg/g/voC7yPf2lB+ELmysNwQXre9jucw2y+ZVc
+--- AB7oiyhts6riNlp5xuWsFTzIx2y7Axn0CU4uCXHfVLo
+ê`8³ô¡eߧJ°SçT'ûBÄ›ýz÷gÖK‹‰Ÿ®üªÕ
¡zꚉWc¡Fݸ3ᇴGRÁ}’²¼R×™qü6Ä]¢òn€0bÖ<
+ãÉdàÔ´ø\EƒC”•MìUͱÀØ¿3ü X{qé¶ö<C2B6>jÊ<6A>ŠEŠ0&MìÙë8x¸t‰öʈ¢°F	Ç}/Oáqž_<C5BE>:ýªÝï¹ÒŸ0£ö±ßá(•I/hôËKH„Ÿ„K\ÊÏX\'(ÒgÀŠ†b±A¶ßÜ<>

modules/common/ssh/config.age

@@ -1,12 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 +rZ0Tw 6O4kuzuRQRYphZTIWeFHBxZ8iRImicVWzISKkRDpkHU
-e4kCn+CEtt85NtnEik+GwHyP4VxO926URUgUSXPKF3E
--> ssh-ed25519 spFFQA lzDLZiLU3qfjGEIxLVk6ax+UqvEDsBzyDEA5oBXl+1k
-fA0ObL1S1V19XSv+Wj+sZlxxMQoVDTgMvncn4y56RHo
--> ssh-ed25519 dASlBQ qZALhRmOTNN4Q/rKN6MQkEUFfFbGBZdwrx3rLtC3Xis
-+cNLajIY16dErY3W5jyQt1q/O+AZ08pgqxbxh2e6MV4
--> ssh-ed25519 CzqbPQ YnkQEcf1jOm9/voAlbqmjPdTlNFeyW1eeHGC53V4n2c
-RVtx1VD0yzSGFwBJ7y5nNWBA0qEt8VXwKjCw3c5iMS8
---- j7fj7Ke05D5Q7xr9LhM6++la9TW0gn2R46DxBztXgGE
-˺Õ_´+‚=xMvy¡“Qœ¥•
-à+-‡¶©te{2Ìÿ¨õ.‹§©æìØGÓ2¦ €’Ö¨Ž<>¢ù}#²ùeA²ÞųAT-©u€Í’ÃÊs†
+-> ssh-ed25519 +rZ0Tw ifhIam0q2bs/Y59Z7OcOSOLoTL6+ZpEnnSp+NV6M7wU
+iW4MNMvME9OoYs98bofV5yIAzkRnEC/r+VcI9oDHWGU
+-> ssh-ed25519 spFFQA JwTUt4N7UUYn2DS6BIXceJTxnZSssFh8eFRcg9Fz+18
+aah1QHiAM2qSkKoQPxzNTDQVxyxaJUNGtVXJSNv1n48
+-> ssh-ed25519 dASlBQ jeeRHlJ/5hqyDX2GiQYk1ZRgkpBid9jzZ5qeqVzByyk
+OawpP+fHhVqoB4OFw1ATbc53TZcVMR4EGJ2xcV67xq8
+-> ssh-ed25519 CzqbPQ a2f0ztMO4RQdadwdHbb70javzdF+loMSA65ts+crexI
+inoxpsQcz/ZintLwIsvtOeCdRJ/gqvNdDGRyyXPFBEw
+--- m4JEHQx5W7mCBUSctSb2U9CJSFKEu6oROraAR2pyU7s
+vÐŽþ«ßÂ4‡<34>ø ‘J$·âðÌSú<53>¶#sÖQÜËÒ\ôPîô?Oعâ`ìVRIÿ.ÖÚ™™C¹Ñ£žQ9ù`*DV¤T•PZÇø¡BÕJȤÄâèqí

modules/common/ssh/default.nix

@@ -40,11 +40,11 @@ in {
         #   port     = 2222;
         # };
 
-        # disk = {
-        #   hostname = self.disk.networking.ipv4;
-        #   user     = "floppy";
-        #   port     = 2222;
-        # };
+        disk = {
+          hostname = self.disk.networking.ipv4;
+          user     = "floppy";
+          port     = 2222;
+        };
 
         nine = {
           hostname = self.nine.networking.ipv4;

modules/linux/ip.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }: let
+  inherit (config.networking.defaultGateway) interface;
+  inherit (lib) optionals;
+in {
+  networking.interfaces.${interface} = {
+    ipv4.addresses = optionals (config.networking.ipv4 != null) [{
+      address      = config.networking.ipv4;
+      prefixLength = 22;
+    }];
+
+    ipv6.addresses = optionals (config.networking.ipv4 != null)  [{
+      address      = config.networking.ipv6;
+      prefixLength = 64;
+    }];
+  };
+}

modules/mail/default.nix

@@ -1,8 +1,6 @@
 { self, config, lib, ... }: let
   inherit (lib) const enabled genAttrs head mkDefault;
   inherit (config.networking) domain;
-
-  fqdn = "mail1.${domain}";
 in {
   imports = [(self + /modules/acme)];
 
@@ -19,8 +17,6 @@ in {
   acmeGroup = "mail";
 
   mailserver = enabled {
-    fqdn = mkDefault fqdn;
-
     domains           = mkDefault [ domain ];
     certificateScheme = "acme";
 

modules/mail/password.plain.age

@@ -1,12 +1,12 @@
 age-encryption.org/v1
--> ssh-ed25519 +rZ0Tw yK5fuqcnE1yO5tTAudZ/TXDvBf0sn4eCr39j/jZgil0
-+hTr80COfDui7lhRnaDjNB2c2gtNOKQaiW4Yiz0am/A
--> ssh-ed25519 spFFQA kDMyjjSxHOaLZ6ocr/q7MmRoqrXHdzHFzbZslaA0hlE
-jurwi1z6m+weYx5Wr3+E8+2fbYgwPFTKOPOuAYjt8wI
--> ssh-ed25519 dASlBQ 5CYRg+Sw+jDk+S1EtLEG+PXf6EKJwx/Re9e/txOrs2A
-vUaTfOS9Fuce2x/qL5Pg3L0ZHZPBrhr63W4UT0n28uI
--> ssh-ed25519 CzqbPQ 1uz6duuPfhpAjWjGdjwUGr7UHyqxG/zKn6rCVPgxSF8
-y5t/i2p08GqDOeaC27CJE528br/qU4i+iUEvMXDdX4w
---- mGUus7T7rcsjt8LRCBc0vr5f3KFLSZweFYvaaNen+zg
-iOﾐ2ﾑｻGQ
(o
<0A>X3=>ｮ:ｨｲﾉ)m鄂
-ﾀﾁ削"[炅ｻQ
+-> ssh-ed25519 +rZ0Tw e/Myh9IdG3mTDdO2Y6dQX1xH7O/wXFXeu5J/3L9AZns
+FflORBOBRxFu+BxdFocuYpAMROBks9S+n/jo+fGYzNI
+-> ssh-ed25519 spFFQA VjBxKfyWeNSLlyryeQ/XHtQZIrYOIPaaGsir52DBAn4
+gI3kBrmv7za+3n00TeUXAlA0rHLmwFq3rcd4XjUpZu4
+-> ssh-ed25519 dASlBQ YNcwqwyyyjqthVG1U51b8ZlWJy97oaBhspAloOyG2Sw
+OjdM1z/V3OOIIJCQfslqvUq2UAoZMBLTpjRhgJnvUSY
+-> ssh-ed25519 CzqbPQ Zg6rZXjzr4SBL7C9Ns9OgIOh+Cu4nMN9g8k7p64kuAk
+vgFArTTOqj72QjbfKnstG9rOUcFygZBMPKFPFlpeAok
+--- dougaYMQ93Sk/8K3EcxZJCLLpikrKytfNgWpVbQ7yYM
+Áâ÷êÀÆr™E©vЫ®_#ëQûŠk|â<»³
+ˆ#vbã4Õ9GaI,F

secrets.nix

@@ -1,6 +1,10 @@
 let
-  inherit (import ./keys.nix) nine admins all;
+  inherit (import ./keys.nix) disk nine admins all;
 in {
+  # disk
+  "hosts/disk/password.floppy.age".publicKeys = [ disk ] ++ admins;
+  "hosts/disk/id.age".publicKeys              = [ disk ] ++ admins;
+
   # nine
   "hosts/nine/id.age".publicKeys                         = [ nine ] ++ admins;
   "hosts/nine/password.seven.age".publicKeys             = [ nine ] ++ admins;