No description
1f9c2669a2
sops: - devShell provides ssh-to-age and sets SOPS_AGE_KEY_FILE to $REPO/.sops-age-key.txt (gitignored, generated locally). - .sops.yaml lists laptop + watcher recipients. The watcher recipient is derived from /etc/ssh/ssh_host_ed25519_key.pub via ssh-to-age, so the watcher decrypts using its SSH host key as the age identity at boot. - hosts/watcher/secrets.yaml holds an `example` placeholder; sops-install- secrets surfaces it at /run/secrets/example (root-only). Forgejo: - modules/forgejo.nix enables services.forgejo (sqlite + daily tar.gz dump), built-in SSH server on :2222, HTTP on 127.0.0.1:3000. - modules/website.nix adds the git.tyrolize.ch vhost reverse-proxying to localhost. Caddy gets a Let's Encrypt cert automatically. - terraform/infomaniak/watcher.tf opens :2222 v4+v6 in the security group. - Admin user `tyro` (role admin) created out-of-band via the gitea CLI. Both services live on the watcher. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| dns | ||
| hosts/watcher | ||
| modules | ||
| scripts | ||
| sites/tyrolize.ch | ||
| terraform/infomaniak | ||
| .gitignore | ||
| .sops.yaml | ||
| flake.lock | ||
| flake.nix | ||
| README.md | ||
remote_server
Personal infrastructure on Infomaniak Public Cloud (OpenStack), end-to-end Swiss. A small always-on watcher VM plus, later, on-demand workers using the same OpenStack APIs.
Layout
.
├── flake.nix # NixOS configs + watcher QCOW2 image package
├── hosts/
│ └── watcher/
│ └── default.nix # services, users, SSH; boot/disk via openstack-* modules
├── terraform/
│ └── infomaniak/ # OpenStack provider, security group, instance
│ ├── main.tf
│ ├── variables.tf
│ ├── watcher.tf
│ ├── outputs.tf
│ ├── clouds.yaml.example
│ └── .env.example
├── scripts/
│ ├── build-image.sh # build QCOW2 → upload to Infomaniak Glance
│ └── deploy.sh # terraform apply → nixos-rebuild switch
└── .sops.yaml # secrets encryption rules
First-time setup
- Infomaniak Public Cloud project — Manager → Public Cloud → create a project. In the project's API access section, generate an application credential and copy the ID + secret.
- Fill
.env(gitignored, lives only in the repo — nothing in~/.config):
Pastecp terraform/infomaniak/.env.example terraform/infomaniak/.env $EDITOR terraform/infomaniak/.envOS_APPLICATION_CREDENTIAL_ID,OS_APPLICATION_CREDENTIAL_SECRET, andTF_VAR_ssh_public_key. - Enter the dev shell — brings in
openstack,terraform,jq,sopsand auto-loads.env:nix develop - Smoke-test auth and confirm catalogue defaults match:
openstack token issue openstack flavor list | grep a2_ram4_disk20_perf1 openstack network list | grep ext-net1 - Paste your SSH public key into
hosts/watcher/default.nix(users.users.tyro.openssh.authorizedKeys.keys). - Build & upload the watcher image (~5 min the first time):
./scripts/build-image.sh - Provision and deploy:
./scripts/deploy.sh
After the script finishes: ssh tyro@<ipv4>.
Routine updates
From inside nix develop, edit the flake, then push:
nixos-rebuild switch --flake .#watcher --target-host tyro@<ipv4> --use-remote-sudo
You only need to re-run build-image.sh if you want fresh boots to start
from a current image (e.g. after a major NixOS bump).
DNS
Managed at Infomaniak (registrar). After the watcher has IPs:
tyrolize.chA/AAAA → watcher*.tyrolize.chA/AAAA → watcher (wildcard for subdomains served by Caddy)lize.chA/AAAA → watcher (for the 301 redirect to tyrolize.ch)lize.chMX/SPF/DKIM/DMARC → Infomaniak kSuite (auto-configured)tyrolize.chempty-SPF + DMARCp=reject(anti-spoofing on non-mail domain)