# remote_server

Personal infrastructure on **Infomaniak Public Cloud** (OpenStack), end-to-end Swiss. A small always-on **watcher** VM plus, later, on-demand workers using the same OpenStack APIs.

## Layout

```
.
├── flake.nix                    # NixOS configs + watcher QCOW2 image package
├── hosts/
│   └── watcher/
│       └── default.nix          # services, users, SSH; boot/disk via openstack-* modules
├── terraform/
│   └── infomaniak/              # OpenStack provider, security group, instance
│       ├── main.tf
│       ├── variables.tf
│       ├── watcher.tf
│       ├── outputs.tf
│       ├── clouds.yaml.example
│       └── .env.example
├── scripts/
│   ├── build-image.sh           # build QCOW2 → upload to Infomaniak Glance
│   └── deploy.sh                # terraform apply → nixos-rebuild switch
└── .sops.yaml                   # secrets encryption rules
```

## First-time setup

1. **Infomaniak Public Cloud project** — Manager → Public Cloud → create a project. In the project's API access section, generate an **application credential** and copy the ID + secret.

2. **Fill `.env`** (gitignored, lives only in the repo — nothing in `~/.config`):

   ```bash
   cp terraform/infomaniak/.env.example terraform/infomaniak/.env
   $EDITOR terraform/infomaniak/.env
   ```

   Paste `OS_APPLICATION_CREDENTIAL_ID`, `OS_APPLICATION_CREDENTIAL_SECRET`, and `TF_VAR_ssh_public_key`.

3. **Enter the dev shell** — brings in `openstack`, `terraform`, `jq`, `sops` and auto-loads `.env`:

   ```bash
   nix develop
   ```

4. **Smoke-test auth and confirm catalogue defaults match**:

   ```bash
   openstack token issue
   openstack flavor list | grep a2_ram4_disk20_perf1
   openstack network list | grep ext-net1
   ```

5. **Paste your SSH public key** into `hosts/watcher/default.nix` (`users.users.tyro.openssh.authorizedKeys.keys`).

6. **Build & upload the watcher image** (~5 min the first time):

   ```bash
   ./scripts/build-image.sh
   ```

7. **Provision and deploy**:

   ```bash
   ./scripts/deploy.sh
   ```

   After the script finishes: `ssh tyro@`.
## Routine updates

From inside `nix develop`, edit the flake, then push:

```bash
nixos-rebuild switch --flake .#watcher --target-host tyro@ --use-remote-sudo
```

You only need to re-run `build-image.sh` if you want **fresh boots** to start from a current image (e.g. after a major NixOS bump).

## DNS

Managed at Infomaniak (registrar). After the watcher has IPs:

- `tyrolize.ch` A/AAAA → watcher
- `*.tyrolize.ch` A/AAAA → watcher (wildcard for subdomains served by Caddy)
- `lize.ch` A/AAAA → watcher (for the 301 redirect to tyrolize.ch)
- `lize.ch` MX/SPF/DKIM/DMARC → Infomaniak kSuite (auto-configured)
- `tyrolize.ch` empty-SPF + DMARC `p=reject` (anti-spoofing on non-mail domain)
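The anti-spoofing posture in the last bullet (an SPF record that authorises no sender, plus a DMARC policy of `p=reject`) is easy to get subtly wrong, for example by publishing `~all` instead of `-all` or by leaving the policy at `p=none`. The checker below is an added example, not one of this repository's scripts. The TXT records in it are constructed inline (a correct pair for `tyrolize.ch` and a deliberately weak pair under the made-up name `weak.example`) so that it runs offline; against live DNS you would replace the `SAMPLE_TXT` dictionary with resolver lookups of the same two owner names.

```python
"""Verify the non-mail-domain DNS posture: empty SPF plus DMARC p=reject.

Records are constructed below so the check runs offline; the parsing and
policy logic is what a live version would run over resolver output.
"""

# Constructed sample TXT records keyed by owner name (not live lookups).
SAMPLE_TXT = {
    "tyrolize.ch": ["v=spf1 -all"],
    "_dmarc.tyrolize.ch": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
    # Deliberately weak constructed example to show the findings reported.
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    DMARC records are ';'-separated tag=value lists (RFC 7489, section 6.3);
    whitespace around tags and values is not significant.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_no_mail_domain(domain: str, txt: dict[str, list[str]]) -> list[str]:
    """Return findings for a domain that should never send mail.

    An empty list means the records match the README's intent: exactly one
    SPF record reading 'v=spf1 -all' and a DMARC record with p=reject (and,
    if a subdomain policy is set explicitly, sp=reject as well, which matters
    when a wildcard like *.tyrolize.ch resolves to a web host).
    """
    findings: list[str] = []

    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"{domain}: expected exactly one SPF record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"{domain}: SPF should be the empty policy 'v=spf1 -all', got {spf[0]!r}")

    dmarc_name = f"_dmarc.{domain}"
    dmarc = [r for r in txt.get(dmarc_name, []) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"{dmarc_name}: expected exactly one DMARC record, found {len(dmarc)}")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "<missing>")
        if policy.lower() != "reject":
            findings.append(f"{dmarc_name}: policy p={policy}, want reject")
        # 'sp' defaults to 'p' when absent, so only an explicit weaker value is a finding.
        if "sp" in tags and tags["sp"].lower() != "reject":
            findings.append(f"{dmarc_name}: subdomain policy sp={tags['sp']}, want reject")

    return findings


if __name__ == "__main__":
    for name in ("tyrolize.ch", "weak.example"):
        result = check_no_mail_domain(name, SAMPLE_TXT)
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

The check deliberately treats a missing `sp` tag as acceptable, because RFC 7489 makes it inherit `p`; an explicit `sp=none` next to `p=reject`, however, would leave every `*.tyrolize.ch` name spoofable and is reported.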