os/host: Add rosa
Lorenz Leutgeb committed 10 months ago
commit cd149841d30e45530633f752ce684788a6b7fb08
parent 4d645b4
7 files changed +171 -0
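--- a/flake.nix
+++ b/flake.nix
@@ -166,6 +166,7 @@
     nixosConfigurations = {
       seed = host (import ./os/host/seed);
       iris = host (import ./os/host/iris);
+      rosa = host (import ./os/host/rosa);
     };
 
     devShells.${system}.default = pkgs.mkShell {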
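--- /dev/null
+++ b/os/host/rosa/default.nix
@@ -0,0 +1,53 @@
+{
+  self,
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    ../../mixin/cache.nix
+    ../../mixin/common.nix
+    ../../mixin/disk-config.nix
+    ../../mixin/kmscon.nix
+    ../../mixin/motd.nix
+    ../../mixin/nix.nix
+    ../../mixin/sops.nix
+    ../../mixin/users.nix
+
+    ./ssh.nix
+    ./radicle.nix
+    ./tor.nix
+
+    (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  systemd.network.enable = true;
+
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  networking = {
+    hostName = "rosa";
+    useDHCP = false;
+
+    firewall = {
+      allowedTCPPorts = [
+        22 # ssh
+        80 # http
+        443 # https
+        8776 # radicle-node
+      ];
+
+      allowedUDPPorts = [
+        443 # http3
+      ];
+    };
+  };
+
+  networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+}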
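Review bot: UDP 443 is opened in `allowedUDPPorts` with the comment `# http3`, but nothing in this host's modules shows nginx serving QUIC/HTTP/3; unless ../../mixin/radicle.nix (outside this commit) enables it, this is an open port with no listener behind it and should be dropped, or moved next to the nginx configuration that needs it. The rest of the list has the same ownership problem: 22, 80, 443 and 8776 are opened here for services configured in ./ssh.nix, ./radicle.nix and the mixins, so a reader cannot tell from this file which module relies on which port. A short header comment above `imports` would help, e.g. `# rosa: Radicle node on a QEMU guest (public alias ash.radicle.garden); firewall ports below belong to ./ssh.nix and ./radicle.nix`. `networking.interfaces.enp1s0.useDHCP` hard-codes the interface name while `useDHCP` is disabled globally; one line such as `# single virtio NIC on the QEMU guest, addressed via DHCP` would stop it looking like a leftover. `self`, `config` and `pkgs` are accepted as arguments but unused.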
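--- /dev/null
+++ b/os/host/rosa/radicle.nix
@@ -0,0 +1,26 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  alias = "ash.radicle.garden";
+in {
+  imports = [
+    ../../mixin/radicle.nix
+    ../../mixin/radicle-permissive.nix
+  ];
+
+  fileSystems."/var/lib/radicle" = {
+    device = "/dev/disk/by-id/scsi-0HC_Volume_100506310";
+    fsType = "btrfs";
+    options = ["discard=async" "noatime" "compress=zstd"];
+  };
+
+  services.radicle = {
+    settings.node.externalAddresses = [
+      "${alias}:8776"
+      "rosarad5bxgdlgjnzzjygnsxrwxmoaj4vn7xinlstwglxvyt64jlnhyd.onion:8776"
+    ];
+    httpd.nginx.serverAliases = [alias];
+  };
+}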
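Review bot: The `.onion` entry in `settings.node.externalAddresses` is a fixed string whose value is determined by the hidden-service key provisioned in ./tor.nix (sops/tor_hs_ed25519_secret_key.bin.json), but nothing in this file ties the two together, so if that key is ever rotated the advertised address silently stops matching. Add a comment above the list, e.g. `# onion address is derived from the tor/hs_ed25519_secret_key secret in ./tor.nix; rotate both together`. `alias` ("ash.radicle.garden") deliberately differs from `networking.hostName` ("rosa"), which is fine for a public DNS name but deserves a one-line comment on the `let` binding, e.g. `# public DNS name served by nginx and advertised to peers`. `config` and `pkgs` are taken as arguments but unused.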
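--- /dev/null
+++ b/os/host/rosa/sops/ssh.yaml
@@ -0,0 +1,44 @@
+ssh:
+    key: ENC[AES256_GCM,data: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,iv:6sRajQ2l+YJ7P+M2cUxp3n/am0UB8/OC2CVIxiSIcUo=,tag:tMAi8OKwgZtyh5bscWPNPQ==,type:str]
+sops:
+    age:
+        - recipient: age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZm5Za1RlNmNzRnBjVDVo
+            OHVUN2RSQU5QNmlncHp5VWI2WmZDc3dORUhNCnNHTHBua3JYUVhIN2NPNjUwZEMr
+            ZlN6VnVacmpjTjAxWFJtSzN2YzZFYVkKLS0tIFBnMHA5Z1lBaDY4am1EMEZMcUdz
+            a2JhT2MyeDNXa2ZuU3IrZ0p4citCUjQK8IlbOuXzo+vORmttF50ZH2OCqwUQ5Ktp
+            BgjALcViNT+2O+s4O+j/T78rmbesRwMfTqKZwOKgwV0OXkJ/v5oEtg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Y2NCMk9LdVVoN1RkMEt2
+            WjVkTFhDb2l5RnMwdnh1bFAxU2dUdlRySXdZCkk1VVlGWWRVdTFYek55MFFJMmhK
+            QW1rUDBMcTVaQlhTZnFxZU1QT25aUDAKLS0tIFc2SjhZTkRqSHo1SFNidVRPS29X
+            Y2NRYWtrQy9kQXJuWW55RVQ5TGF1RVEKjzTxU3mGp56T65TbxdPFHCaN+TMZIii9
+            /5wtmHgnmVXo2aMCN2nwNmjXGwqd9nHRYbZF3LgMMYPCEs0NfUHE7Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbFVyL1F6ejZsSlg0czdq
+            WHo1Ym9ZOGh0VHR4akRiaDRmMDhpZGwyV25VCnRvd1g1eXEyQ28wMnRiaVcrUlNl
+            NjRxRUgxZWV1OXYvcFBqRlRWUFIwOGcKLS0tIFYvTGc5RzdhU2N0LzBLZm96ejZ0
+            TGdvVytPRDJkN0JBY1ZjazVaU3RXSkEK2M65hrhfZnaigR3QMKj2VcJw8fwCdWN5
+            aeRxoVkml23GWXyyYsf5jgIObKiOswiIbA/15FpeLqkea+dQOPQ52A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1edrvqxxahlt760rnnq990m2hmeezh4gzl538e2zg5j2axnd37vaqcp0x49
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJL29DT0JsaVNaLzBYaUNr
+            eXRYQmJERUdFOVh5dFltM3E3QlhCbFRIUlc0CjNxQnZzRlVYU1dQYXJtTEg0WXZD
+            RE5NbGFybCsrR3VsOGJlTUttSmo5RkEKLS0tIHpGbUJuOVZ4TFhQVHNPZ2RDQzVE
+            Mkk4YTFLU0xZa0duS3FHWEQ5U3d5WEEK4jkV6IKUOYdbABLXzL3ry78iAPCQ135S
+            uCLO2extw+cvjJCTohyfhtsqCNX1Df37HPl1zQqpkKafByOAEsfF3w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-15T15:34:45Z"
+    mac: ENC[AES256_GCM,data:gbfrOmn+a+PbsB73kt73oqAU0G5rJi3af5Tywv0gSF9buA7zFh8pudFt0CpNIYQjzjqo+GgWaGH8A81A9slfDRduX/Y1XwPLGLae4k2M5jOMRlQvwQXzH01EdbpbRLfJqonrKq61iC7QgXTWM5RuUWAhnZBlhsPpQwfDszpzXIg=,iv:4biq+3GOLebhcMpohPeZrrOZ1iUTnXBK/zaD2j4NE9o=,tag:Y1YWuJ8/qxjvby+CD12UXg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2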
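--- /dev/null
+++ b/os/host/rosa/sops/tor_hs_ed25519_secret_key.bin.json
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:j99AWR4KoUEytey0+upZfvA7Edh6gqiVl2qoGxmDiGQxHqjdwSZcPAlD0j1+HTC9GM2p2CJRQyIQW+NlDUvjuP1SS46Ii3JwZIREXJxQpykbjKTFttQuUfZKB16Fiql5,iv:19I1cxJI+Ahyc8DLQuyRAQs0HLZmuc7VrstW4xmLqR0=,tag:HSX/28+OnznN4SjAiYle0g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGeUgxTlM2c3BlOTdjVG1U\nQjlZalNkWC9UQk1mRzFsQ0psZk9hTGh4bEh3CkxTb0NhT2JvMHJRWHNGRks2MjI1\nSXdQbWdXMDdPeGkwd0o3UTkzMVh1b2MKLS0tIHJLTzlkbVJBVjhKS2xTK2VIeCtq\nK0NzcTFhZVM3cWNPNXc1RFpmdk9VdWsKD9fyFi9j2H7GxNxO37hWSPbMT15vgRIr\n9e5caKVk6AZ/6tHLuhklZVAPU22FkmdxmSw3PE5gFrXDtlU7RsYYVg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSTBRRDdoeFV5VHdMYWZQ\nSktLOWxpRFZpVStWdVFrRXp0U3NlK1cvNlh3CjV0YVNyV3R1UysvbGp0TGsvZ3Mv\naXFVbFJUeGxwNlhLQkgvWkFWd00zdlUKLS0tIGlGQVl4SUxySWRGK01Nc2JZdEYy\nUHJJaHdIYk5sUnJvR3lLVytNVTM4NEkK2VE88iRZb7djWm0ySyxOIIASuuRNIcLZ\nLaEcW3JoOKcpqQsBANsgxLfA7VYfmc5uSWGSwq/OKnr89JB7gvuD4Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWHRVZ0cyMnlEZFltMG12\nNi9ybnlBTkZHOW1hL2s5emFVRUpNUkVxWEVVCnVxRnloOFcrZ1FjMmNCN0x2U3ZJ\nNjJtcDQzRk80djBaZjFwZndHQ0pveWMKLS0tIHZWdjFhMy9rSkFUN3p6bC8rN2pT\nWS9rRVZCdzJWbG5PTWFSZlJhSGIyQU0KZAvNOHu2R2lg8yIsT3P3rQIhnJYh1GkT\ncCm9vTm0e2UdGrCFbOsKouLNUySowsYwNQxyYCfzGCy8zcxWgbjNvQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1edrvqxxahlt760rnnq990m2hmeezh4gzl538e2zg5j2axnd37vaqcp0x49",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQ21PRVBxWk4yV2dRSXNm\nQ2M4L0xzZ2pCRllTY1RPWEo1N0trMVdJQURzCjhRT0JPYjRxUm9xbStUT1VqSXNj\nU2ZsTDVma0dYSTVsdE5GeDhDOFNzQzQKLS0tIDF6S3RLSlVXL3dpcTNVS0l6enRt\nWnEvYmhXcTBKb0UwY2RyOG9wU0trWUkKP4Myb4824yQA8E7nmoqJ8MeuLQiZeP7a\nBnq1lTYbi5V4ZbjOvNKsuHczp/UZbFZa1LVDfqzWdaJhaS3Zs8W4Yg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-16T21:25:01Z",
+		"mac": "ENC[AES256_GCM,data:ofQNg1OeKSn6KvIiwDJljEEi57yUdgtwcLUqNQxc6kIqMl7Rik6aSDPHzLX3x4L8CB/etE6XoylU9iHkO+ze5qQAheLjfVl6OZDC/x1XQ+XjCqJ5+530TbwV0xG1YhzoWvULtoxFb4+7nmEBGAd3sS3BfVpI9DF4mKYmnJd43FA=,iv:ynuVLkia1TR8wBEM++prEh5fFPIOK5CzXmkuEwp9ykI=,tag:dUumfBA6TTsuu+H2M2AAgQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}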
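--- /dev/null
+++ b/os/host/rosa/ssh.nix
@@ -0,0 +1,14 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../mixin/ssh.nix
+  ];
+
+  sops.secrets."ssh/key".sopsFile = ./sops/ssh.yaml;
+
+  environment.etc."ssh/ssh_host_ed25519_key.pub".text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3IXeH6/VO4oBUB7rr0TMfJyChcSINlZUrShC05fLf4 ${config.networking.fqdn}";
+}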
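Review bot: `environment.etc."ssh/ssh_host_ed25519_key.pub".text` interpolates `config.networking.fqdn`, which as far as I recall fails at evaluation time when `networking.domain` is unset; default.nix only sets `hostName`, so this host depends on a mixin outside the commit providing the domain, and a comment should say so (or the key comment could use `config.networking.hostName`, which is always set). The public key is pinned here while the matching private key is the `ssh/key` secret in ./sops/ssh.yaml, and nothing checks that the two correspond, so note their origin next to the secret, e.g. `# public half of the host key stored encrypted in ./sops/ssh.yaml (ssh/key); regenerate both together`. `pkgs` and `lib` are accepted as arguments but unused.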
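--- /dev/null
+++ b/os/host/rosa/tor.nix
@@ -0,0 +1,6 @@
+let
+  secret = "tor/hs_ed25519_secret_key";
+in {
+  imports = [../../mixin/tor.nix];
+  sops.secrets.${secret}.sopsFile = ./sops/tor_hs_ed25519_secret_key.bin.json;
+}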
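Review bot: `sops.secrets.${secret}` only sets `sopsFile`, so unless ../../mixin/tor.nix (outside this commit) defines the secret's `owner`, `mode` and `path`, the decrypted key is placed with sops-nix's defaults (root-owned, not world-readable, under the sops-nix secrets directory) and the tor daemon cannot read it from its hidden-service directory; a comment naming where those attributes live would make the split obvious, e.g. `# owner/mode/path for this secret are set in ../../mixin/tor.nix`. The file is the raw `hs_ed25519_secret_key`, which determines the `.onion` address hard-coded in ./radicle.nix, so the same comment should say that rotating this key requires updating that address.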