os/host: Add iris
Lorenz Leutgeb committed 10 months ago
commit 4d645b45a2414011ee096bcef8939b48fe48f773
parent 4c854f5
7 files changed +174 -1
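--- a/flake.nix
+++ b/flake.nix
@@ -163,7 +163,10 @@
     in
       result;
   in {
-    nixosConfigurations.seed = host (import ./os/host/seed);
+    nixosConfigurations = {
+      seed = host (import ./os/host/seed);
+      iris = host (import ./os/host/iris);
+    };
 
     devShells.${system}.default = pkgs.mkShell {
       inherit (self.checks.${system}.pre-commit) shellHook;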
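--- /dev/null
+++ b/os/host/iris/default.nix
@@ -0,0 +1,53 @@
+{
+  self,
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    ../../mixin/cache.nix
+    ../../mixin/common.nix
+    ../../mixin/disk-config.nix
+    ../../mixin/kmscon.nix
+    ../../mixin/motd.nix
+    ../../mixin/nix.nix
+    ../../mixin/sops.nix
+    ../../mixin/users.nix
+
+    ./ssh.nix
+    #./radicle.nix
+    #./tor.nix
+
+    (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  systemd.network.enable = true;
+
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  networking = {
+    hostName = "iris";
+    useDHCP = false;
+
+    firewall = {
+      allowedTCPPorts = [
+        22 # ssh
+        80 # http
+        443 # https
+        8776 # radicle-node
+      ];
+
+      allowedUDPPorts = [
+        443 # http3
+      ];
+    };
+  };
+
+  networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+}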
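Review bot: The `allowedTCPPorts` list opens 80, 443 and 8776 (plus UDP 443) on iris while `./radicle.nix` and `./tor.nix` are still commented out in `imports`, so the host's open-port set is wider than what it actually runs. Consider declaring the radicle-node and HTTP(S) ports next to the module that listens on them (radicle.nix), or leaving them out until those imports are enabled, so the firewall allowlist always tracks the services present on the host. Port 22 is presumably already opened by `services.openssh.openFirewall`, which defaults to true in NixOS; the explicit entry is harmless but redundant if so. The `self`, `config` and `pkgs` arguments are unused in this module.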
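--- /dev/null
+++ b/os/host/iris/radicle.nix
@@ -0,0 +1,26 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  alias = "seed.radicle.garden";
+in {
+  imports = [
+    ../../mixin/radicle.nix
+    ../../mixin/radicle-permissive.nix
+  ];
+
+  fileSystems."/var/lib/radicle" = {
+    device = "/dev/disk/by-id/scsi-0HC_Volume_34062081";
+    fsType = "btrfs";
+    options = ["discard=async" "noatime" "compress=zstd"];
+  };
+
+  services.radicle = {
+    settings.node.externalAddresses = [
+      "${alias}:8776"
+      "irisradizskwweumpydlj4oammoshkxxjur3ztcmo7cou5emc6s5lfid.onion:8776"
+    ];
+    httpd.nginx.serverAliases = [alias];
+  };
+}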
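Review bot: `settings.node.externalAddresses` advertises an `.onion` endpoint, but `./tor.nix` is commented out in `os/host/iris/default.nix` alongside this file, so enabling radicle.nix before tor.nix would make the node announce an address that nothing on the host serves. A comment tying the two together would make that dependency visible: `# the .onion entry only works once ./tor.nix is imported on this host`. The `config` and `pkgs` arguments are unused in this module and could be dropped from the function header.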
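--- /dev/null
+++ b/os/host/iris/sops/ssh.yaml
@@ -0,0 +1,44 @@
+ssh:
+    key: ENC[AES256_GCM,data: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,iv:aSiLcHQJ1Wi7xImyZrfHgNjn/NPYxJO/JsnXOklR/EM=,tag:22/rGg4+Aoc9/JGEGPvv6w==,type:str]
+sops:
+    age:
+        - recipient: age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSm1EU0xhS29ILzFRTEdM
+            WkE2d2hjRzdQZnRKSGY0TzVtT1gzNk1KcjMwCjdWdkozUnhCQ0NFZDdzeTRyOW9J
+            WFlXSDlURXByU3RkYmRQQitGV2Z6dlkKLS0tIE1xQVd4MkhQV3V2T0RKSjQzVU9D
+            WmIwbmVJQjQ5aTBLOXJBbXZvWFlUYmsKajXB1Tumzzy9CNQOjlPqIs1FEGe8qsKX
+            9Z8U9KUPjdi29yuX+XGsXEdpR8rQtYFdsSTJPbOT+ScnTzQnFu7wLg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwMElhWU9tMnQ2WkppcTdM
+            dWUvUEIyNWdmQnhEa0s3VUgrRHBzNXZDVVhnClR5ekhVK1RPb1dJSmtJcWpjYnpM
+            TVRkdEd3SElteXIvdmdvN3VTZFRoeE0KLS0tIGpNTVZER1FLSk9SNUx6RVhwdzNU
+            Z0Q5a1VaU3ZMbnJIam51YXJ0em5yUEEKGFh+fOAsldm7MZlmpBqDoAb5f0pGepPS
+            a/5VTbYL5JPr8IfOHfO/t4N0+WY2g1HbcaeCd5i6+5eskMJWtug80Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvS3MzZVUxR2tSb2VhTHF0
+            ZmR1blRrdnFhNnhBM3FOZk1qU2FZVnBrc1drCmJkSlQzYmVmaDd2Vy9mUFY5bWEz
+            YVRRa280Z05hanloSURLQXdlNVVYa2MKLS0tIGlQZFEzbnZCZDdKZjlGYVhNaVlF
+            a0lNWVFNMm85WUd0ZHV6SUV3dU9OUEUKLOWPfkzH4WtrB7O9P8fM4zL2ouJ+MIG5
+            wBescvN0R7Vd0l7hd+xc1bjLZHsSaYCMf43qUMOhoRxFnZPpsEJyPQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1m9vcrmqxqcghkk2672wpngwxsj5dk2807kmdze4r05nz7p3pue2s6djkm6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4S0tqb3VrQWVWenpHdExR
+            VW9RYWUvOStIK0F0ZUh2N1cxOC9GM04wOTFVCkQ2TGwwSk5aVERiZlJHRVlTdUlC
+            V2RPbis4Z3h4c3NRamF6d3h4WjlvNDgKLS0tIEFraVpjaHhVeXpQSStYL3BLWTBZ
+            T0ZsRjkvdTlsUGpvNDFwTVZ5VGZSbTAKirlzErl2fjEr/KQ38EC4USHXe5Dt29t1
+            BPKEJAPzwqbEOjDWob4RwdC94cCl5zmDDol9i+25a6kMdAhUSjuefw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-15T15:33:40Z"
+    mac: ENC[AES256_GCM,data:vOmCAQvSa0dtAyilamxLfITPeggt4MLEsLgwox4OQ4VtMtVxS3qVKQsO24bl1g2g+iHydTAjtrXwdTDA7IwL2YDixqOaDD64stZgJViBoOcrEK4solgRPdvZpppRTDxVVM8aNmSuJs44GXZtnMBSEGFAs4NVahKR/nJDLbrdd3Y=,iv:dBg4X7ptthYxPGUjjCbbJYrigu+yta2ceU7ccKaGEgo=,tag:hWUjV+L8Z629HygRLgFBMA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2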
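--- /dev/null
+++ b/os/host/iris/sops/tor_hs_ed25519_secret_key.bin.json
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:/ShKCOAvKDgKZCJO9uoZx/ML+IJe+uVfB0Pu2JJ9CPwiaBa9VOh5mZ4XW4eS7JLASWEPmuphJ5hnyV3ggw7Q1z7gxmLO0I6PMG1fg1Aa0lPwN9I+7iu62mkGvyeZ+fWw,iv:pjMDpnhmtcaORc3xQEfjbdMCQO+uUi4zqd/JYqhXu/U=,tag:pqFrnfPtExB+6CHgcVMeCw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZlRpaDgwcjA2Z001bTZE\nelBVMjVRTkYyaEhEa0hWUmsrYzFHcnJrcG1vClk2NGI0aHpBQllMSVh3alFhVkZy\nOG1qUFVSSWY2TGJQaGFqVzdBZ0o3NlkKLS0tIGplbThwWnI3M3JMSDhVSitrZFg0\nTCtQMzJ1Tjd5eDRJNnZGamFHbVpoMUUKlrU5GFXKNyzdSOqva+dMhR5JVwgMIwqT\nofzCYT5DO0EkP+xy/J2wjZfFv3dIfL4KI2Deld9mXCSD4WpEg0Ts5Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKOVJ4WC9CSUtYcm9mZWNN\nMElGYlZUQlc3OEQrd1JvK2pnT1AwMGc4VnljCnVaV0hBWnZGRGVDNGtJeE9obWtK\nNmdRb0lycVA4RS9ORWNkTzl6UzVWNEEKLS0tIFk2RkNzSkl4WllQSXRFRWxOQTFW\nUkxLYWRBNWVtNjEweTFiY1FDMnF0OWMKlT7li07yS3G0ec7JQmMaHIDlcEUJG0+9\nuJkxaPI8xD7W4DBd9o1SzIPodALBqyDCUVRXPjYVySM1bvEXZPppfw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdEdUYStNQWVZS3M2ZE5m\nMXZBbXZSM0ZRTHBpcklGS3FFcTJWcmZrWGdJCndNUW5ZbkhYcHFKQTFWdUVSYi8r\neitVSG9ubTY5em5YSHQxQU5KOFlITm8KLS0tIGhhOTM2TUZZY3VnL0Z5elA0UXk4\nd0RFV0xlRTk5VkZxVmd4MlZpbjRvaDAK3r7njwWJQKXOAL50+2YGP6+2B2Sn1RtZ\nllL4conesw7fysPCc1CJ2slCwd85pWxUGEaE934wiVOQv2hArZiszw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1m9vcrmqxqcghkk2672wpngwxsj5dk2807kmdze4r05nz7p3pue2s6djkm6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSGszUmNIUm0yNjRNeGE0\nUExJOHllbU5hSG9oOWJsdTNWV2JqSDhKRzJBClo3RGdWWDQvdnFZU0c4Q0hCUis3\nMG4rMVJtc3JlWTJzZGVYQkV0Rm4zOUUKLS0tIEc4dTRiMHRVdzFPUURzTVZGYmJk\nRmdwbFdWNHg1NThFZjJpQUpVbldubGMK/NaiPU7hews4kGVIfw7UFpGiz5UHHGZd\nDu4R2B2CqRetgR/BadBnUstcWerycK04wEYhX0tdb6Qo4jb4PfayaQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-16T21:24:05Z",
+		"mac": "ENC[AES256_GCM,data:8N/FxxettpYvbQ3MRFYrL1pyUYRfZjx6TEhLl6yOxjCv3u2Ww9zepgXgtIpgWkIj3BhmQvvJmYEL2zr2jLRWevpCuuQvKOZ/EwnHN2iJCz0ayDIqr4epkSjDVsmGofhfbJn6+QX1sA4SNNFNxJBkOLcA9W5mCb4adcq6t/KRmnk=,iv:muZ/n5Ysv5+0dXc1Sf/R/4Au0h+dBQtPyseuU6Nq7n0=,tag:SbBQgy7VW0Ry4DnniUuy/Q==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}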
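--- /dev/null
+++ b/os/host/iris/ssh.nix
@@ -0,0 +1,14 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../mixin/ssh.nix
+  ];
+
+  sops.secrets."ssh/key".sopsFile = ./sops/ssh.yaml;
+
+  environment.etc."ssh/ssh_host_ed25519_key.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILCHL/pbyjZ8Mm1esh6rXe5x/QSDzPUtiR0RZMhRqPoe ${config.networking.fqdn}";
+}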
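Review bot: The public key string at `environment.etc."ssh/ssh_host_ed25519_key.pub".text` carries no comment linking it to the private half declared two lines above as `sops.secrets."ssh/key"`, so rotating one without the other would leave sshd serving a host key whose published fingerprint no longer matches. Suggest `# must correspond to the private key stored as ssh/key in ./sops/ssh.yaml; rotate both together` above that line. The key's comment field uses `${config.networking.fqdn}`, which only evaluates when `networking.domain` is set; default.nix sets `hostName` but no domain, so this presumably relies on one of the imported mixins providing it and is worth confirming. `pkgs` and `lib` are unused in this module.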
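--- /dev/null
+++ b/os/host/iris/tor.nix
@@ -0,0 +1,6 @@
+let
+  secret = "tor/hs_ed25519_secret_key";
+in {
+  imports = [../../mixin/tor.nix];
+  sops.secrets.${secret}.sopsFile = ./sops/tor_hs_ed25519_secret_key.bin.json;
+}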
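Review bot: `sops.secrets.${secret}.sopsFile` points at a sops binary-format document (single top-level `"data"` entry, `.bin.json` suffix) but sets no `format` for the secret; sops-nix defaults to the yaml format and would then look for a `tor/hs_ed25519_secret_key` key inside the document, which this file does not contain. Unless `../../mixin/tor.nix` already sets it, declare the format next to the file reference: `sops.secrets.${secret} = { sopsFile = ./sops/tor_hs_ed25519_secret_key.bin.json; format = "binary"; };`. The `secret` name is presumably also what the mixin reads to install the hidden-service key, so a one-line comment on the let-binding, `# name must match the secret consumed by ../../mixin/tor.nix`, would guard against a silent rename.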