barrucadu · barrucadu · Dec 10, 2024 · Dec 10, 2024
diff --git a/.sops.yaml b/.sops.yaml
@@ -13,3 +13,9 @@ creation_rules:
       - age:
           - *barrucadu
           - 'age1700sgwfejx38fh66k6sajxe507w9x6ptcxfh4dmyffflml75w4fqmteyfy'
+
+  - path_regex: hosts/yuggoth/secrets(/[^/]+)?\.yaml$
+    key_groups:
+      - age:
+          - *barrucadu
+          - 'age1xj0vderjss6wvyuu5uw5gag6lhxzfh6qwfrewgpff5ttpfa03azsxc8600'
diff --git a/flake.nix b/flake.nix
@@ -70,6 +70,7 @@
         {
           carcosa = mkNixosConfiguration "carcosa" [ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix" ];
           nyarlathotep = mkNixosConfiguration "nyarlathotep" [ "${nixpkgs}/nixos/modules/installer/scan/not-detected.nix" ];
+          yuggoth = mkNixosConfiguration "yuggoth" [ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix" ];
         };
 
       packages.${system} =

diff --git a/hosts/yuggoth/configuration.nix b/hosts/yuggoth/configuration.nix
@@ -0,0 +1,32 @@
+# This is a VPS (hosted by Hetzner Cloud).
+#
+# It serves a redundant deployment of a few of my websites.
+#
+# **Alerting:** disabled
+#
+# **Backups:** disabled
+#
+# **Public hostname:** `yuggoth.barrucadu.co.uk`
+#
+# **Role:** server
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+  networking.hostId = "62f520b4";
+  boot.supportedFilesystems = { zfs = true; };
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  networking.interfaces.enp1s0 = {
+    ipv6.addresses = [{ address = "2a01:4ff:f0:3a38::"; prefixLength = 64; }];
+  };
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; };
+
+  nixfiles.eraseYourDarlings.enable = true;
+  nixfiles.eraseYourDarlings.machineId = "ee9cfe217f0f4d45bab5e897e782ca91";
+  nixfiles.eraseYourDarlings.barrucaduPasswordFile = config.sops.secrets."users/barrucadu".path;
+  sops.secrets."users/barrucadu".neededForUsers = true;
+}
+
diff --git a/hosts/yuggoth/hardware.nix b/hosts/yuggoth/hardware.nix
@@ -0,0 +1,47 @@
+{ ... }:
+
+{
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "local/volatile/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/A5EB-2AC0";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/home" =
+    {
+      device = "local/persistent/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    {
+      device = "local/persistent/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/persist" =
+    {
+      device = "local/persistent/persist";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/log" =
+    {
+      device = "local/persistent/var-log";
+      fsType = "zfs";
+    };
+
+  swapDevices = [ ];
+}
diff --git a/hosts/yuggoth/secrets.yaml b/hosts/yuggoth/secrets.yaml
@@ -0,0 +1,31 @@
+users:
+    barrucadu: ENC[AES256_GCM,data:AydpgRw6tSPNsj0YJgNKDIwcCF2bo+vwJhrRJhbeJAY39yJHlP9xTarGGNBAczrKBwKKMN2EAA27hRyX+tDc/ne9mtOx4P5JS86mN9wkLKpaHbIamJNGfatDlu3uBvStNIKSC/CrnsFZ,iv:fW5+OJ2O8R9VB6YmKUP3jmKOHDEtZ4fBsVUmqbrkPjw=,tag:N04QCMG9/WV10Sd1lgGzhA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1sdnp5uxhdtujc78penv2gntnenzcfju7est4hslz6eqgfk26u9nskkk634
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsaTNzNVdaYnY5cVdVSjZs
+            bkF6LzhIQnVQWFI5STV4VjdKMVF5ZDdyMXpVCms5bXI2c3U3aDdsRUovdUJFQitF
+            cnZyNEE4cDlBWGYrUEgweGYzdnhIcHMKLS0tIHFlWUZTeGxySERJYlR3a1B0NnA5
+            a0cwbGFQb2xqdXRxS214ckw4cjNwL2cKsxnsN8q1zPMBWO60Ndr0ozsaPzeGlPhm
+            pilwuo1I/xXqEfHBumwC089C5FT+XVmuychY3iox/zYvycdg3wGYIg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xj0vderjss6wvyuu5uw5gag6lhxzfh6qwfrewgpff5ttpfa03azsxc8600
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ3dpYUdPdGk5OFNRc3U4
+            a05tNFFPVTRqaEFxQjJtSTV4TlB1Nm1USkVRCk9PdHNXczEzbGw0RGxsRTZ6YUVp
+            MmFSaGw5eGp0cFRPTjNTWWR6Y2wxd0UKLS0tIGJ4SjFaZU90eGNHNFl0VjB4Z3Fu
+            NVBIU1I2MDRqVGt3eGRzbjdDb0d5Yk0KGPo6sIu5pp6s1r/IhyNjfNgDwxl3SWM3
+            TMmIsx3iHsy+xgxUuGQXCsUkCy4YBzEjRVVtycCRfd5IAXryGhHEuQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-10T21:19:17Z"
+    mac: ENC[AES256_GCM,data:yqZiP7oWMe+5fBa9cNb6+OG8XWKX9gV4JZ2STU6Z5mgiEUBS5S/ubt/l9xqUO7yI0562r0XEW0MrUTBUNK2ARtYnbVtZcYFWka9yX78mac6OYJpMlUeDBAL3yeHtZ7cmJhocirbGrTfFL2OHzy246gQy+f41NRDqoAvzZ7yAGxU=,iv:NmYcM/JyZKuaB8SWCxQGS3IMfNzkC34eHfuX7CAvFGg=,tag:vpfU5yYYxnTGfULlkchYvg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/tools/provision-machine.sh b/tools/provision-machine.sh
@@ -116,8 +116,9 @@ EOF
 
 nixos-generate-config --root /mnt
 cat /mnt/persist/etc/nixos/hosts/new/header.nix /mnt/etc/nixos/configuration.nix > /mnt/persist/etc/nixos/hosts/new/configuration.nix
+rm /mnt/persist/etc/nixos/hosts/new/header.nix
 rm /mnt/etc/nixos/configuration.nix
-mv /mnt/etc/nixos/hardware-configuration.nix /mnt/persist/etc/nixos/hardware.nix
+mv /mnt/etc/nixos/hardware-configuration.nix /mnt/persist/etc/nixos/hosts/new/hardware.nix
 rmdir /mnt/etc/nixos
 
 nano /mnt/persist/etc/nixos/hosts/new/configuration.nix