From acdf68195be0d2f2ae770c47ebf5d2689041dfed Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Thu, 23 Feb 2023 01:31:11 +0000
Subject: [PATCH] Add weinturm pretix host
---
 .sops.yaml | 7 ++++
 hosts/default.nix | 4 +++
 hosts/weinturm-pretix-prod/configuration.nix | 31 ++++++++++++++++++
 .../hardware-configuration.nix | 8 +++++
 hosts/weinturm-pretix-prod/secrets.yaml | 32 +++++++++++++++++++
 .../weinturm-pretix-prod/services/default.nix | 5 +++
 .../weinturm-pretix-prod/services/pretix.nix | 19 +++++++++++
 7 files changed, 106 insertions(+)
 create mode 100644 hosts/weinturm-pretix-prod/configuration.nix
 create mode 100644 hosts/weinturm-pretix-prod/hardware-configuration.nix
 create mode 100644 hosts/weinturm-pretix-prod/secrets.yaml
 create mode 100644 hosts/weinturm-pretix-prod/services/default.nix
 create mode 100644 hosts/weinturm-pretix-prod/services/pretix.nix
diff --git a/.sops.yaml b/.sops.yaml
index 39f6e15..c0ff79d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
 - &admin_jalr_tb FE170812543DF81393EA56BA5042B8317A10617E
 - &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
 - &host_aluminium age1ne08hny30vrkejqhh7dcx4ql6dmkx6jw9dqkf3cz7mzvt53njy0qh59w44
+ - &host_weinturm_pretix_prod age1w42q9qg7l6gea36erhw0u7jvlpenvtrjm38q4ux0aasa929hes6s2ecj6m
 creation_rules:
 - path_regex: hosts/hafnium/secrets\.yaml$
 key_groups:
@@ -16,6 +17,12 @@ creation_rules:
 - *admin_jalr
 age:
 - *host_aluminium
+ - path_regex: hosts/weinturm-pretix-prod/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_jalr
+ age:
+ - *host_weinturm_pretix_prod
 - path_regex: secrets\.yaml$
 key_groups:
 - pgp:
diff --git a/hosts/default.nix b/hosts/default.nix
index 7a46c63..f3b7436 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -13,4 +13,8 @@
 hafnium = {
 system = "x86_64-linux";
 };
+ weinturm-pretix-prod = {
+ system = "x86_64-linux";
+ targetHost = "91.107.235.15";
+ };
 }
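Review bot: The new `hosts/weinturm-pretix-prod/secrets\.yaml$` creation rule only takes effect because it is listed above the generic `path_regex: secrets\.yaml$` rule that follows it; sops applies the first creation_rule whose regex matches, and nothing in the file records that ordering requirement. A later reorder or an alphabetical sort would silently re-encrypt this host's secrets to whatever recipients the generic rule lists. Add a comment on the new rule, `# host-specific rules must stay above the generic secrets\.yaml$ catch-all (sops uses the first matching rule)`, so the constraint survives future edits.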
diff --git a/hosts/weinturm-pretix-prod/configuration.nix b/hosts/weinturm-pretix-prod/configuration.nix
new file mode 100644
index 0000000..5f8a565
--- /dev/null
+++ b/hosts/weinturm-pretix-prod/configuration.nix
@@ -0,0 +1,31 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ../../home-manager/users/jalr.nix
+ ./services
+ ];
+
+ networking = {
+ hostName = "weinturm-pretix-prod";
+ interfaces.ens3.ipv6.addresses = [{
+ address = "2a01:4f8:1c1e:ed47::";
+ prefixLength = 64;
+ }];
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "ens3";
+ };
+ };
+
+ zramSwap = {
+ enable = true;
+ algorithm = "zstd";
+ memoryPercent = 60;
+ numDevices = 1;
+ priority = 1;
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ system.stateVersion = "22.11";
+}
diff --git a/hosts/weinturm-pretix-prod/hardware-configuration.nix b/hosts/weinturm-pretix-prod/hardware-configuration.nix
new file mode 100644
index 0000000..6679bdf
--- /dev/null
+++ b/hosts/weinturm-pretix-prod/hardware-configuration.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
diff --git a/hosts/weinturm-pretix-prod/secrets.yaml b/hosts/weinturm-pretix-prod/secrets.yaml
new file mode 100644
index 0000000..8c9cc34
--- /dev/null
+++ b/hosts/weinturm-pretix-prod/secrets.yaml
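Review bot: `security.sudo.wheelNeedsPassword = false;` in configuration.nix gives every wheel member passwordless root on a production ticketing host, so a compromised user session or a leaked SSH key escalates to root with no further check. Unless the deployment tooling behind `targetHost` depends on it, drop the line (NixOS defaults this option to true) or limit a NOPASSWD rule to the specific deploy command, and record the reason in a comment if it has to stay. Separately, `address = "2a01:4f8:1c1e:ed47::"` with `prefixLength = 64` assigns the all-zeros host address of the /64, which RFC 4291 reserves as the subnet-router anycast address; if the provider delegated the whole /64, `2a01:4f8:1c1e:ed47::1` is the conventional host address and avoids anycast handling on the upstream router.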
@@ -0,0 +1,32 @@ +pretix-cfg: ENC[AES256_GCM,data:Cy9GDL+9VpVquV1MyQSzRoTK/20lSeFkXf91cb+zApf3wp/rQPpqc3e+/ZspSUELYTqtlitL8uECejO7/GShsItaMptDs6vfWnc/V0y2d2Aae5Fv/J0qkRFYZbgGK+/i9MH261W5DoylTbUDkssgJ23tJuiEYPnkwkQpmJ3VToEvyGHLScQNHeMtkheAf52QfyG5cpmQqw==,iv:gbvRj70A+dHNHNkz3mbEtL3JwAvOrMB9q3f5iJMtPHo=,tag:C47SUiAw9ilOMVs07CFCpA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1w42q9qg7l6gea36erhw0u7jvlpenvtrjm38q4ux0aasa929hes6s2ecj6m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeTl6WjVObjAxMTU2QWUz + VzNFYkg0VEd0WkZhL21zYjJCaHZ3emU5UmdrCnZaTmpleC9BNEpFYkl0RnRrNDdP + d2FpMWo4amxsa1RTVEJJSXh6RzJxbkUKLS0tIHl1YjlQaUtEbzNVcll1eHEzK2dL + N2VMRTNjR1RQVm00YnlpbVBzSmZPRkUKv7LCrjyKb4z0e4yBdzwRR5+ErQYHzZCv + +j8j4EuhA6NwsTydgIjueuORbrX/c6VxcgQwRd9En+vQVYhWhlu5Xw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-02-23T00:33:46Z" + mac: ENC[AES256_GCM,data:dD7qZ0EwfpV0GvlzJseZLJyg0rB2hccyf+QaSDc7yeDBuEm5ERDUq/o/JB6gUnnkBlBEfLsZie6xxUFxv8tv8oVWcsWOSNUWORl3hQ/LzSHxQf4AUXH/lWmA4fHaxheNiFeUbgB40JJbNKZ+/f5Br5uRj5c5ydmZlOKkcHawo4w=,iv:BE2nNyDx1Tn24LSy4MvNRv+gaq0K8usyHBo+vZhxlBs=,tag:KOMLNKcrNj2YisVrV9SOwg==,type:str] + pgp: + - created_at: "2023-02-23T00:30:25Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4D3ylLYNOsO+0SAQdA2SmHfeFrNINSLf2aLONZeidpLaCScS7zmWq0YaeM/SUw + 66MK2BqgIxX81M9lIexCXdQ9EVS1p0KGQ2dw0CpAN07qdDqqOnJeedgv9zZ3trwU + 0l4BwoXSnuKxaLDs7vq6y9xrzyKZS5Mx8H7BxVRg0o1mAvSwFez23DmDQWnJyUgO + otTg9fp217ldr3VNwKIYtoO+1floZtbfmoH2EhZhpml36mz1oRCUUJvjQO++EpJW + =N9AT + -----END PGP MESSAGE----- + fp: 66FB54F6081375106EEBF651A222365EB448F934 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/hosts/weinturm-pretix-prod/services/default.nix b/hosts/weinturm-pretix-prod/services/default.nix new file mode 100644 index 0000000..731194c --- /dev/null +++ b/hosts/weinturm-pretix-prod/services/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./pretix.nix + ]; +} 
diff --git a/hosts/weinturm-pretix-prod/services/pretix.nix b/hosts/weinturm-pretix-prod/services/pretix.nix
new file mode 100644
index 0000000..659b1ea
--- /dev/null
+++ b/hosts/weinturm-pretix-prod/services/pretix.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+{
+ services.pretix = {
+ enable = true;
+ instanceName = "Weinturm Open Air";
+ domain = "tickets.weinturm-open-air.de";
+ enableTls = true;
+ enableRegistration = false;
+ passwordReset = true;
+ locale = "de";
+ timezone = "Europe/Berlin";
+ secretsFile = ../secrets.yaml;
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "helfer@weinturm-open-air.de";
+ };
+}
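Review bot: `secretsFile = ../secrets.yaml;` is a Nix path literal, so the referenced file is copied into the world-readable Nix store at evaluation time; that is only safe because the file is sops ciphertext, and the services.pretix module that consumes the option is not part of this patch, so how and when it is decrypted cannot be confirmed here. Document the contract next to the option, e.g. `# sops-encrypted; must stay ciphertext, since a path literal is copied into /nix/store`, so nobody later points it at a plaintext environment file. As a style point, `config` and `pkgs` in the module arguments are unused in this file; `{ ... }:` would match configuration.nix.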