Add valkyrie host

config/common/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 {
   imports = [
     ./prometheus-node-exporter.nix
@@ -41,7 +41,7 @@
     settings = {
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = false;
-      PermitRootLogin = "no";
+      PermitRootLogin = lib.mkForce "no";
     };
   };
 

config/environments/openstack-vm/default.nix

@@ -0,0 +1,8 @@
+{ lib, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  users.users.root.initialPassword = lib.mkForce null;
+}

config/environments/openstack-vm/hardware-configuration.nix

@@ -0,0 +1,24 @@
+{ ... }:
+{
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+    autoResize = true;
+  };
+
+  boot = {
+    growPartition = true;
+    kernelParams = [ "console=tty1" ];
+    loader.grub = {
+      enable = true;
+      device = "/dev/vda";
+      extraConfig = ''
+        serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1
+        terminal_output console serial
+        terminal_input console serial
+      '';
+    };
+  };
+
+  systemd.services."serial-getty@tty1".enable = true;
+}

config/hosts/valkyrie/configuration.nix

@@ -0,0 +1,51 @@
+{ ... }:
+{
+  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+
+  networking = {
+    hostName = "valkyrie";
+    nftables.enable = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPorts = [ 51820 51827 51828 ];
+    };
+    wireguard = {
+      enable = true;
+      interfaces.wg0 = {
+        listenPort = 51820;
+        ips = [
+          "10.203.10.3/24"
+        ];
+        peers = [
+          {
+            name = "site1-grzb";
+            publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
+            presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret";
+            endpoint = "site1.grzb.de:51826";
+            allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ];
+          }
+          {
+            name = "site2-grzb";
+            publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
+            presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret";
+            endpoint = "site2.grzb.de:51826";
+            allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ];
+          }
+          {
+            name = "site2-jsts";
+            publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
+            presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret";
+            endpoint = "site1.jsts.xyz:51823";
+            allowedIPs = [ "10.203.10.4/32" ];
+          }
+        ];
+        privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
+      };
+    };
+  };
+
+  services.prometheus.exporters.node.enable = false;
+
+  system.stateVersion = "23.05";
+}

config/hosts/valkyrie/containers/uptime-kuma/default.nix

@@ -0,0 +1,14 @@
+{ nixpkgs-unstable, ... }:
+{
+  containers.uptime-kuma = {
+    nixpkgs = nixpkgs-unstable;
+    autoStart = true;
+    config = { ... }: {
+      services.uptime-kuma = {
+        enable = true;
+      };
+
+      system.stateVersion = "23.05";
+    };
+  };
+}

config/hosts/valkyrie/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./nginx.nix
+    ./containers/uptime-kuma
+  ];
+}

config/hosts/valkyrie/nginx.nix

@@ -0,0 +1,25 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."status.nekover.se" = {
+      forceSSL = true;
+      enableACME = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 443;
+          ssl = true;
+        }
+      ];
+      locations."/" = {
+        proxyPass = "http://localhost:3001";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

config/hosts/valkyrie/secrets.nix

@@ -0,0 +1,35 @@
+{ ... }:
+{
+  deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "root";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+  deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "root";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+  deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "root";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+  deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "root";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}

config/nixos-generators/default.nix

@@ -10,26 +10,5 @@
     firewall.enable = true;
   };
 
-  proxmox = {
-    qemuConf = {
-      ostype = "l26";
-      cores = 2;
-      memory = 1024;
-      bios = "seabios";
-      # Option not available in 23.05
-      # diskSize = "8096";
-      virtio0 = "local-zfs:base-disk-0,discard=on";
-      boot = "order=virtio0";
-      net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1";
-      agent = true;
-    };
-    qemuExtraConf = {
-      cpu = "cputype=host,flags=+aes";
-      onboot = 1;
-      machine = "q35";
-      template = 1;
-    };
-  };
-
   system.stateVersion = "23.05";
 }

config/nixos-generators/proxmox.nix

@@ -0,0 +1,23 @@
+{ ... }:
+{
+  proxmox = {
+    qemuConf = {
+      ostype = "l26";
+      cores = 2;
+      memory = 1024;
+      bios = "seabios";
+      # Option not available in 23.05
+      # diskSize = "8096";
+      virtio0 = "local-zfs:base-disk-0,discard=on";
+      boot = "order=virtio0";
+      net0 = "tag=999,virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1";
+      agent = true;
+    };
+    qemuExtraConf = {
+      cpu = "cputype=host,flags=+aes";
+      onboot = 1;
+      machine = "q35";
+      template = 1;
+    };
+  };
+}

flake.nix

@@ -26,13 +26,15 @@
         nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
 
         specialArgs = {
-          inherit hosts simple-nixos-mailserver;
+          inherit nixpkgs-unstable hosts simple-nixos-mailserver;
         };
       };
     } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
 
     hydraJobs = {
-      nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts;
+      nixConfigurations = builtins.mapAttrs (
+        host: helper.generateNixConfiguration host { inherit nixpkgs-unstable hosts simple-nixos-mailserver; }
+      ) hosts;
     };
 
     # Generate a base VM image for Proxmox with `nix build .#base-proxmox`
@@ -42,10 +44,20 @@
         modules = [
           ./config/common
           ./config/nixos-generators
+          ./config/nixos-generators/proxmox.nix
           ./config/environments/proxmox-vm
         ];
         format = "proxmox";
       };
+      base-openstack = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        modules = [
+          ./config/common
+          ./config/nixos-generators
+          ./config/environments/openstack-vm
+        ];
+        format = "openstack";
+      };
     };
 
     # Binary cache hint

hosts.nix

@@ -5,6 +5,9 @@ let
     "proxmox" = [
       ./config/environments/proxmox-vm
     ];
+    "openstack" = [
+      ./config/environments/openstack-vm
+    ];
   };
   generateDefaults = hosts: builtins.mapAttrs (name: {
     hostNixpkgs ? nixpkgs,
@@ -25,7 +28,6 @@ in
   generateDefaults {
     #fee = {
     #  site = "wg";
-    #  environment = "bare-metal";
     #};
     hydra = {
       site = "vs";
@@ -79,6 +81,10 @@ in
       site = "vs";
       environment = "proxmox";
     };
+    valkyrie = {
+      site = "af";
+      environment = "openstack";
+    };
     web-public-2 = {
       hostNixpkgs = nixpkgs-unstable;
       site = "vs";