From c2f820b85dea3bf95ea8a2350e4cd220f9afb5f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
 <nicolas.jeannerod@moduscreate.com>
Date: Mon, 18 Nov 2024 12:11:32 +0100
Subject: [PATCH 1/4] Add Forgejo machine to the `infra/` directory

---
 infra/README.org                              |  1 +
 {forgejo => infra/vm02116}/configuration.nix  | 61 +++++++++----------
 {forgejo => infra/vm02116}/forgejo.nix        | 11 ++--
 .../vm02116}/hardware-configuration.nix       | 25 +++++---
 4 files changed, 51 insertions(+), 47 deletions(-)
 rename {forgejo => infra/vm02116}/configuration.nix (93%)
 rename {forgejo => infra/vm02116}/forgejo.nix (97%)
 rename {forgejo => infra/vm02116}/hardware-configuration.nix (70%)

diff --git a/infra/README.org b/infra/README.org
index 29986825..d7c5ffcf 100644
--- a/infra/README.org
+++ b/infra/README.org
@@ -21,5 +21,6 @@ infrastructure.
 
 | Machine | Description            | Deployment      |
 |---------+------------------------+-----------------|
+| vm02116 | Forgejo                | /none/            |
 | vm02179 | Forgejo actions runner | actions-runners |
 | vm02186 | Forgejo actions runner | actions-runners |
diff --git a/forgejo/configuration.nix b/infra/vm02116/configuration.nix
similarity index 93%
rename from forgejo/configuration.nix
rename to infra/vm02116/configuration.nix
index 9158f3c9..061919ca 100644
--- a/forgejo/configuration.nix
+++ b/infra/vm02116/configuration.nix
@@ -2,15 +2,15 @@
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
-{ config, lib, pkgs, ... }:
+{ pkgs, ... }:
 
 {
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      # This will install and configure Forgejo
-      ./forgejo.nix
-    ];
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    # This will install and configure Forgejo
+    ./forgejo.nix
+  ];
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
@@ -22,7 +22,7 @@
   # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
 
   # Networking
-  networking = {  
+  networking = {
     hostName = "vm02116";
     domain = "procolix.com";
     interfaces = {
@@ -53,15 +53,18 @@
       address = "2a00:51c0:12:1201::1";
       interface = "eth0";
     };
-    nameservers = [ "2a00:51c0::5fd7:b906" "95.215.185.7" ];
+    nameservers = [
+      "2a00:51c0::5fd7:b906"
+      "95.215.185.7"
+    ];
     firewall.enable = false;
     nftables = {
       enable = true;
       ruleset = ''
         #!/usr/sbin/nft -f
-      
+
         flush ruleset
-      
+
         ########### define usefull variables here #####################
         define wan        = eth0
         define ssh_allow  = {
@@ -77,21 +80,21 @@
         define nrpe_allow = {
                     95.215.185.34/32,   # nagios2 ipv4
                 }
-      
+
         ########### here starts the automated bit #####################
         table inet filter {
             chain input {
                 type filter hook input priority 0; 
                 policy drop;
-      
+
                 # established/related connections
                 ct state established,related accept
                 ct state invalid drop
-      
+
                 # Limit ping requests.
                 ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
                 ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
-      
+
                 # loopback interface
                 iifname lo accept
                 
@@ -99,17 +102,17 @@
                 ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
                 # Without the nd-* ones ipv6 will not work.
                 ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
-      
+
                 # open tcp ports: sshd (22)
                 #ip saddr $ssh_allow tcp dport {ssh} accept
                 tcp dport {ssh} accept
-      
+
                 # open tcp ports: snmp (161)
                 ip saddr $snmp_allow udp dport {snmp} accept
-      
+
                 # open tcp ports: nrpe (5666)
                 ip saddr $nrpe_allow tcp dport {nrpe} accept
-      
+
                 # open tcp ports: http (80,443)
                 tcp dport {http,https} accept
             }
@@ -120,7 +123,7 @@
                 type filter hook output priority 0;
             }
         }
-      
+
         table ip nat {
             chain postrouting {
             }   
@@ -131,7 +134,6 @@
     };
   };
 
-
   # Set your time zone.
   time.timeZone = "Europe/Amsterdam";
 
@@ -150,9 +152,6 @@
   # Enable the X11 windowing system.
   # services.xserver.enable = true;
 
-
-  
-
   # Configure keymap in X11
   # services.xserver.xkb.layout = "us";
   # services.xserver.xkb.options = "eurosign:e,caps:escape";
@@ -175,7 +174,7 @@
       openssh.authorizedKeys.keys = [
         "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
         "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
-        ];
+      ];
     };
   };
 
@@ -183,9 +182,9 @@
   # $ nix search wget
   environment.systemPackages = with pkgs; [
     (pkgs.vim_configurable.customize {
-        name = "vim";
-        vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
-          start = [ vim-nix ]; # load plugin on startup
+      name = "vim";
+      vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
+        start = [ vim-nix ]; # load plugin on startup
       };
       vimrcConfig.customRC = ''
         " your custom vimrc
@@ -196,7 +195,8 @@
         " ...
       '';
     })
-    wget subversion
+    wget
+    subversion
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
@@ -244,7 +244,6 @@
   # and migrated your data accordingly.
   #
   # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
-  system.stateVersion = "24.05"; 
+  system.stateVersion = "24.05";
 
 }
-
diff --git a/forgejo/forgejo.nix b/infra/vm02116/forgejo.nix
similarity index 97%
rename from forgejo/forgejo.nix
rename to infra/vm02116/forgejo.nix
index 3b543016..32c33819 100644
--- a/forgejo/forgejo.nix
+++ b/infra/vm02116/forgejo.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ pkgs, ... }:
 let
   domain = "git.fediversity.eu";
 in
@@ -32,7 +32,7 @@ in
   };
 
   users.groups.keys.members = [ "forgejo" ];
-  
+
   services.mysql = {
     enable = true;
     package = pkgs.mariadb;
@@ -61,7 +61,7 @@ in
     clientMaxBodySize = "500m";
     appendHttpConfig = ''
 
- 
+
       map $uri $forgejo_access_log {
         default 1;
         /api/actions/runner.v1.RunnerService/FetchTask 0;
@@ -73,12 +73,12 @@ in
           https   "max-age=31536000; includeSubdomains; always";
       }
       add_header Strict-Transport-Security $hsts_header;
-      '';
+    '';
     virtualHosts.${domain} = {
       listenAddresses = [
         "185.206.232.34"
         "[2a00:51c0:12:1201::20]"
-      ]; 
+      ];
       enableACME = true;
       forceSSL = true;
       locations."/" = {
@@ -91,4 +91,3 @@ in
     };
   };
 }
-
diff --git a/forgejo/hardware-configuration.nix b/infra/vm02116/hardware-configuration.nix
similarity index 70%
rename from forgejo/hardware-configuration.nix
rename to infra/vm02116/hardware-configuration.nix
index b6f60e38..82d13564 100644
--- a/forgejo/hardware-configuration.nix
+++ b/infra/vm02116/hardware-configuration.nix
@@ -1,25 +1,30 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, ... }:
 
 {
   imports = [ ];
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "sr_mod" "xen_blkfront" ];
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "sr_mod"
+    "xen_blkfront"
+  ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
+    fsType = "ext4";
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/2CE2-1173";
-      fsType = "vfat";
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/2CE2-1173";
+    fsType = "vfat";
+  };
 
   swapDevices = [ ];
 

From 47bca471da6473dd3384f2a5166cc999eee328ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
 <nicolas.jeannerod@moduscreate.com>
Date: Mon, 18 Nov 2024 11:30:00 +0100
Subject: [PATCH 2/4] Add wiki machine to the `infra/` directory

---
 infra/README.org                              |  1 +
 {wiki => infra/vm02187}/configuration.nix     | 67 ++++++++++---------
 .../vm02187}/hardware-configuration.nix       | 36 ++++++----
 3 files changed, 57 insertions(+), 47 deletions(-)
 rename {wiki => infra/vm02187}/configuration.nix (85%)
 rename {wiki => infra/vm02187}/hardware-configuration.nix (63%)

diff --git a/infra/README.org b/infra/README.org
index d7c5ffcf..a03701bb 100644
--- a/infra/README.org
+++ b/infra/README.org
@@ -24,3 +24,4 @@ infrastructure.
 | vm02116 | Forgejo                | /none/            |
 | vm02179 | Forgejo actions runner | actions-runners |
 | vm02186 | Forgejo actions runner | actions-runners |
+| vm02187 | Wiki                   | /none/            |
diff --git a/wiki/configuration.nix b/infra/vm02187/configuration.nix
similarity index 85%
rename from wiki/configuration.nix
rename to infra/vm02187/configuration.nix
index ffdcce6c..0c5a6d29 100644
--- a/wiki/configuration.nix
+++ b/infra/vm02187/configuration.nix
@@ -1,15 +1,14 @@
-
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 
 {
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-    ];
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
@@ -22,7 +21,7 @@
 
   services.mediawiki = {
     enable = true;
-    name   = "Fediversity Wiki";
+    name = "Fediversity Wiki";
     webserver = "nginx";
     nginx.hostName = "wiki.fediversity.eu";
     passwordFile = pkgs.writeText "password" "eiM9etha8ohmo9Ohphahpesiux0ahda6";
@@ -35,7 +34,7 @@
       $wgMaxShellMemory = 524288;
       $wgSVGMetadataCutoff = 1024*1024;
       $wgAllowExternalImages = false; 
-      
+
       ## Permissions
       $wgGroupPermissions['*']['edit'] = false;
       $wgGroupPermissions['*']['createaccount'] = false;
@@ -48,21 +47,23 @@
       # 1 GB ought to be enough for everyone
       $wgUploadSizeWarning = 1024*1024*512;
       $wgMaxUploadSize = 1024*1024*1024;
-      
+
       $wgHeadScriptCode = <<<'END'
       <link rel=me href="https://mastodon.fediversity.eu/@fediversity">
       END;
-   '';
+    '';
 
-   extensions = {
-     VisualEditor = null;
-   };
+    extensions = {
+      VisualEditor = null;
+    };
   };
 
   services.nginx = {
     enable = true;
     virtualHosts."wiki.fediversity.eu" = {
-      basicAuth = { fediv = "SecretSauce123!"; };
+      basicAuth = {
+        fediv = "SecretSauce123!";
+      };
       forceSSL = true;
       enableACME = true;
     };
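Review bot: The reformatted `basicAuth` block still embeds the credential `fediv = "SecretSauce123!";` in the repository, and the NixOS nginx module turns the `basicAuth` attribute into a generated htpasswd file in the Nix store, which is readable by every local user on the host. The same applies to `passwordFile = pkgs.writeText "password" "...";` on the `services.mediawiki` block in the previous hunk: `writeText` puts the password in the store, so the file-based option gains nothing there. Prefer `basicAuthFile` and a `passwordFile` path outside the store (provisioned out of band or through a secrets tool), and treat both current values as exposed since they are already in history. The enclosing `services.nginx` attribute set continues outside the hunk.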
@@ -75,7 +76,7 @@
 
   users.users.nginx.extraGroups = [ "acme" ];
 
-  networking = {  
+  networking = {
     hostName = "vm02187";
     domain = "procolix.com";
     interfaces = {
@@ -106,15 +107,18 @@
       address = "2a00:51c0:12:1201::1";
       interface = "eth0";
     };
-    nameservers = [ "95.215.185.6" "95.215.185.7" ];
+    nameservers = [
+      "95.215.185.6"
+      "95.215.185.7"
+    ];
     firewall.enable = false;
     nftables = {
       enable = true;
       ruleset = ''
         #!/usr/sbin/nft -f
-      
+
         flush ruleset
-      
+
         ########### define usefull variables here #####################
         define wan        = eth0
         define ssh_allow  = {
@@ -131,21 +135,21 @@
         define nrpe_allow = {
                     95.215.185.34/32,   # nagios2 ipv4
                 }
-      
+
         ########### here starts the automated bit #####################
         table inet filter {
             chain input {
                 type filter hook input priority 0; 
                 policy drop;
-      
+
                 # established/related connections
                 ct state established,related accept
                 ct state invalid drop
-      
+
                 # Limit ping requests.
                 ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
                 ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
-      
+
                 # loopback interface
                 iifname lo accept
                 
@@ -153,16 +157,16 @@
                 ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
                 # Without the nd-* ones ipv6 will not work.
                 ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
-      
+
                 # open tcp ports: sshd (22)
                 ip saddr $ssh_allow tcp dport {ssh} accept
-      
+
                 # open tcp ports: snmp (161)
                 ip saddr $snmp_allow udp dport {snmp} accept
-      
+
                 # open tcp ports: nrpe (5666)
                 ip saddr $nrpe_allow tcp dport {nrpe} accept
-      
+
                 # open tcp ports: http (80,443)
                 tcp dport {http,https} accept
             }
@@ -173,7 +177,7 @@
                 type filter hook output priority 0;
             }
         }
-      
+
         table ip nat {
             chain postrouting {
             }   
@@ -184,7 +188,6 @@
     };
   };
 
-
   # Set your time zone.
   time.timeZone = "Europe/Amsterdam";
 
@@ -199,11 +202,10 @@
     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
     hashedPassword = "$y$j9T$UH8Dh/poTCCZ3PXk43au6/$iYen8VUEVvv7SIPqteNtTPKktLxny3TbqvjUwhvi.6B";
     openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
-    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
-    ];
-    packages = with pkgs; [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
     ];
+    packages = with pkgs; [ ];
   };
 
   # List packages installed in system profile. To search, run:
@@ -245,4 +247,3 @@
   system.stateVersion = "24.05"; # Did you read the comment?
 
 }
-
diff --git a/wiki/hardware-configuration.nix b/infra/vm02187/hardware-configuration.nix
similarity index 63%
rename from wiki/hardware-configuration.nix
rename to infra/vm02187/hardware-configuration.nix
index d18784ac..79f182ef 100644
--- a/wiki/hardware-configuration.nix
+++ b/infra/vm02187/hardware-configuration.nix
@@ -1,28 +1,36 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ lib, modulesPath, ... }:
 
 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
+    fsType = "ext4";
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/6AB5-4FA8";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/6AB5-4FA8";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
 
   swapDevices = [ ];
 

From 2ffab40687268585e5508191b293e6efa6f36ddf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
 <nicolas.jeannerod@moduscreate.com>
Date: Mon, 18 Nov 2024 11:44:35 +0100
Subject: [PATCH 3/4] Add Forgejo machine to `git` deployment

This deployment is the old `actions-runners` deployment, renamed.
---
 infra/README.org                | 17 +++++++++++------
 infra/flake-part.nix            | 20 +++++++++++++++++++-
 infra/vm02116/configuration.nix | 10 +++++-----
 3 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/infra/README.org b/infra/README.org
index a03701bb..8004f326 100644
--- a/infra/README.org
+++ b/infra/README.org
@@ -13,15 +13,20 @@ to see the available deployments. Given a deployment (eg. ~actions-runners~), ru
 nixops4 apply <deployment>
 #+end_src
 
+* Deployments
+
+- ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions
+  runners
+
 * Procolix machines
 
 These machines are hosted on the Procolix Proxmox instance, to which
 non-Procolix members of the project do not have access. They host our stable
 infrastructure.
 
-| Machine | Description            | Deployment      |
-|---------+------------------------+-----------------|
-| vm02116 | Forgejo                | /none/            |
-| vm02179 | Forgejo actions runner | actions-runners |
-| vm02186 | Forgejo actions runner | actions-runners |
-| vm02187 | Wiki                   | /none/            |
+| Machine | Description            | Deployment |
+|---------+------------------------+------------|
+| vm02116 | Forgejo                | ~git~        |
+| vm02179 | Forgejo actions runner | ~git~        |
+| vm02186 | Forgejo actions runner | ~git~        |
+| vm02187 | Wiki                   | /none/       |
diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 5a08844f..148f76f2 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -1,12 +1,30 @@
 { inputs, ... }:
 
 {
-  nixops4Deployments.actions-runners =
+  nixops4Deployments.git =
     { providers, ... }:
     {
       providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
 
       resources = {
+        vm02116 = {
+          type = providers.local.exec;
+          imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
+          ssh = {
+            host = "185.206.232.34";
+            opts = "";
+            hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr";
+          };
+          nixpkgs = inputs.nixpkgs;
+          nixos.module = {
+            imports = [
+              ./vm02116/configuration.nix
+              ./vm02116/forgejo.nix
+              ./vm02116/hardware-configuration.nix
+            ];
+          };
+        };
+
         vm02179 = {
           type = providers.local.exec;
           imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
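Review bot: The `nixos.module.imports` for vm02116 lists `./vm02116/forgejo.nix` and `./vm02116/hardware-configuration.nix` even though `./vm02116/configuration.nix` already imports both (patch 1: `./hardware-configuration.nix` and `./forgejo.nix`). The module system tolerates importing the same path twice, so this is harmless, but it leaves two lists to keep in sync whenever a file is added or renamed; importing only `./vm02116/configuration.nix` here would make the machine directory the single source of truth. The same duplication appears for vm02187 in the `web` deployment added in patch 4. The `resources` set, and the `git` deployment around it, continue outside the hunk.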
diff --git a/infra/vm02116/configuration.nix b/infra/vm02116/configuration.nix
index 061919ca..4ac97bc2 100644
--- a/infra/vm02116/configuration.nix
+++ b/infra/vm02116/configuration.nix
@@ -178,6 +178,11 @@
     };
   };
 
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
+  ];
+
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
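Review bot: The two root `openssh.authorizedKeys.keys` added here carry neither a key comment nor a Nix comment identifying their owners, unlike the procolix keys earlier in this file (`... procolix@sshnode1`), so the config does not say whose access is granted or which entry to drop when access should end; add a comment per key such as `# <OWNER-PLACEHOLDER>, used by nixops4 deployments` above each entry. This also enables key-based root login on a host whose nftables ruleset (patch 1, same file) accepts ssh from any source because the `ip saddr $ssh_allow tcp dport {ssh} accept` line is commented out, whereas vm02187 keeps that restriction; consider whether the `$ssh_allow` restriction should be re-enabled on vm02116 now that root access is configured. The same unlabelled keys are added to vm02187 in patch 4's `users.users.root` hunk. The enclosing module attribute set continues outside the hunk.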
@@ -223,11 +228,6 @@
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
 
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  system.copySystemConfiguration = true;
-
   # This option defines the first version of NixOS you have installed on this particular machine,
   # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
   #

From 62eea1bf8aad7dabf1a1d4db4f15f8f180e7f81e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
 <nicolas.jeannerod@moduscreate.com>
Date: Mon, 18 Nov 2024 11:55:50 +0100
Subject: [PATCH 4/4] Add Wiki machine to `web` deployment

---
 infra/README.org                |  5 +++--
 infra/flake-part.nix            | 25 +++++++++++++++++++++++++
 infra/vm02187/configuration.nix | 13 +++++++------
 3 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/infra/README.org b/infra/README.org
index 8004f326..c50af471 100644
--- a/infra/README.org
+++ b/infra/README.org
@@ -7,7 +7,7 @@ Their configuration can be updated via NixOps4. Run
 nixops4 deployments list
 #+end_src
 
-to see the available deployments. Given a deployment (eg. ~actions-runners~), run
+to see the available deployments. Given a deployment (eg. ~git~), run
 
 #+begin_src sh
 nixops4 apply <deployment>
@@ -17,6 +17,7 @@ nixops4 apply <deployment>
 
 - ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions
   runners
+- ~web~ :: Machines hosting our online content, eg. the website or the wiki
 
 * Procolix machines
 
@@ -29,4 +30,4 @@ infrastructure.
 | vm02116 | Forgejo                | ~git~        |
 | vm02179 | Forgejo actions runner | ~git~        |
 | vm02186 | Forgejo actions runner | ~git~        |
-| vm02187 | Wiki                   | /none/       |
+| vm02187 | Wiki                   | ~web~        |
diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 148f76f2..857848a2 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -62,4 +62,29 @@
         };
       };
     };
+
+  nixops4Deployments.web =
+    { providers, ... }:
+    {
+      providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
+
+      resources = {
+        vm02187 = {
+          type = providers.local.exec;
+          imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
+          ssh = {
+            host = "185.206.232.187";
+            opts = "";
+            hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN24ZfdQNklKkIqfMg/+0vqENuDcy6fhT6SfAq01ae83";
+          };
+          nixpkgs = inputs.nixpkgs;
+          nixos.module = {
+            imports = [
+              ./vm02187/configuration.nix
+              ./vm02187/hardware-configuration.nix
+            ];
+          };
+        };
+      };
+    };
 }
diff --git a/infra/vm02187/configuration.nix b/infra/vm02187/configuration.nix
index 0c5a6d29..1d73482c 100644
--- a/infra/vm02187/configuration.nix
+++ b/infra/vm02187/configuration.nix
@@ -195,7 +195,13 @@
   i18n.defaultLocale = "en_US.UTF-8";
 
   # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.root.hashedPassword = "$y$j9T$WXvLAUqArJJusuC017FCW0$.rfMOeyx/BsClkJFi5hLcynrSk.njWmfiB6Uy.9th3A";
+  users.users.root = {
+    hashedPassword = "$y$j9T$WXvLAUqArJJusuC017FCW0$.rfMOeyx/BsClkJFi5hLcynrSk.njWmfiB6Uy.9th3A";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
+    ];
+  };
 
   users.users.procolix = {
     isNormalUser = true;
@@ -233,11 +239,6 @@
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
 
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  system.copySystemConfiguration = true;
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave