infra/flake.nix
tyrolize 1f9c2669a2 sops-nix bootstrap + Forgejo at git.tyrolize.ch
sops:
- devShell provides ssh-to-age and sets SOPS_AGE_KEY_FILE to
  $REPO/.sops-age-key.txt (gitignored, generated locally).
- .sops.yaml lists laptop + watcher recipients. The watcher recipient is
  derived from /etc/ssh/ssh_host_ed25519_key.pub via ssh-to-age, so the
  watcher decrypts using its SSH host key as the age identity at boot.
- hosts/watcher/secrets.yaml holds an `example` placeholder;
  sops-install-secrets surfaces it at /run/secrets/example (root-only).

Forgejo:
- modules/forgejo.nix enables services.forgejo (sqlite + daily tar.gz
  dump), built-in SSH server on :2222, HTTP on 127.0.0.1:3000.
- modules/website.nix adds the git.tyrolize.ch vhost reverse-proxying to
  localhost. Caddy gets a Let's Encrypt cert automatically.
- terraform/infomaniak/watcher.tf opens :2222 v4+v6 in the security group.
- Admin user `tyro` (role admin) created out-of-band via the gitea CLI.

Both services live on the watcher.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-16 23:59:55 +02:00


{
  description = "Personal infra on Infomaniak Public Cloud (OpenStack)";

  # Flake inputs. The `follows` lines make both helper inputs reuse this
  # flake's nixpkgs instead of pulling their own. The branch names below are
  # only a hint for `nix flake update`; the revisions actually built come from
  # flake.lock (not part of this file).
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, sops-nix, nixos-generators, ... }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};

      # Modules shared by the deployable system and the disk image: the
      # sops-nix module plus the watcher host definition.
      watcherModules = [
        sops-nix.nixosModules.sops
        ./hosts/watcher
      ];

      # Guest-side OpenStack integration from nixpkgs; only the live system
      # adds it explicitly, the image build goes through the "openstack"
      # generator format instead.
      openstackGuest = { modulesPath, ... }: {
        imports = [ "${modulesPath}/virtualisation/openstack-config.nix" ];
      };
    in
    {
      # `nix develop` — a shell with every tool this repo needs.
      devShells.${system}.default = pkgs.mkShell {
        packages = [
          pkgs.openstackclient # `openstack` CLI
          pkgs.opentofu        # `tofu` — drop-in for terraform, OSS license
          pkgs.jq
          pkgs.age
          pkgs.sops            # encrypted secrets, paired with sops-nix
          pkgs.ssh-to-age      # convert an SSH host key to an age recipient
        ];
        # Both paths below hang off $PWD, i.e. the directory `nix develop`
        # is started from, not the flake's own location.
        # - terraform/infomaniak/.env is sourced under `set -a`, so every
        #   variable it defines (presumably the OpenStack/tofu credentials)
        #   is exported to all child processes of the shell.
        # - SOPS_AGE_KEY_FILE names the local age private key. It must stay
        #   untracked: NOTE(review) — if this directory is not a git
        #   checkout, flake commands copy the whole tree into the
        #   world-readable /nix/store regardless of .gitignore; confirm the
        #   repo layout keeps that from happening.
        shellHook = ''
          if [ -f "$PWD/terraform/infomaniak/.env" ]; then
            set -a; . "$PWD/terraform/infomaniak/.env"; set +a
            echo "loaded terraform/infomaniak/.env"
          fi
          export SOPS_AGE_KEY_FILE="$PWD/.sops-age-key.txt"
        '';
      };

      # Runtime config — what the watcher box actually IS.
      # Push updates with:
      #   nixos-rebuild switch --flake .#watcher --target-host tyro@<ip> --use-remote-sudo
      nixosConfigurations.watcher = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [ openstackGuest ] ++ watcherModules;
      };

      # Build a QCOW2 image of the watcher to upload to Infomaniak Glance:
      #   nix build .#watcher-image
      #   ls -lh result/nixos.qcow2
      # NOTE(review): the watcher's sops recipient is derived from its SSH
      # host key, which a fresh image only generates on first boot — so the
      # recipient in .sops.yaml can only be filled in (and secrets.yaml
      # re-encrypted) after that first boot; confirm against the deploy steps.
      packages.${system}.watcher-image = nixos-generators.nixosGenerate {
        inherit system pkgs;
        format = "openstack";
        modules = watcherModules;
      };
    };
}