feat: add new machine "sentinel", a Hetzner Cloud server

hosts/common/hardware/cloud.nix

@@ -1,4 +0,0 @@
-# Configuration for cloud-servers machines
-{
-  services.smartd.enable = true;
-}

hosts/common/hardware/intel.nix

@@ -1,3 +1,3 @@
-{pkgs, ...}: {
+{
   powerManagement.cpuFreqGovernor = "powersave";
 }

hosts/sentinel/default.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  imports = [
+    ../common/core
+    ../common/initrd-ssh.nix
+    ../common/zfs.nix
+
+    ./fs.nix
+    ./net.nix
+    ./nginx.nix
+  ];
+
+  boot.loader.timeout = lib.mkDefault 2;
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = false;
+    devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
+  };
+  console.earlySetup = true;
+}

hosts/sentinel/fs.nix

@@ -0,0 +1,55 @@
+{
+  config,
+  lib,
+  extraLib,
+  pkgs,
+  ...
+}: {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-id/${config.repo.secrets.local.disk.main}";
+        content = with extraLib.disko.gpt; {
+          type = "table";
+          format = "gpt";
+          partitions = [
+            (partEfi "efi" "0%" "512MiB")
+            (partLuksZfs "rpool" "512MiB" "100%")
+          ];
+        };
+      };
+    };
+    zpool = with extraLib.disko.zfs; {
+      rpool =
+        defaultZpoolOptions
+        // {
+          datasets = {
+            "local" = unmountable;
+            "local/root" =
+              filesystem "/"
+              // {
+                postCreateHook = "zfs snapshot rpool/local/root@blank";
+              };
+            "local/nix" = filesystem "/nix";
+            "safe" = unmountable;
+            "safe/persist" = filesystem "/persist";
+          };
+        };
+    };
+  };
+
+  fileSystems."/persist".neededForBoot = true;
+
+  # After importing the rpool, rollback the root system to be empty.
+  boot.initrd.systemd.services.impermanence-root = {
+    wantedBy = ["initrd.target"];
+    after = ["zfs-import-rpool.service"];
+    before = ["sysroot.mount"];
+    unitConfig.DefaultDependencies = "no";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
+    };
+  };
+}

hosts/sentinel/net.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  utils,
+  ...
+}: {
+  networking.hostId = config.repo.secrets.local.networking.hostId;
+
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks = {inherit (config.systemd.network.networks) "10-wan";};
+  };
+
+  systemd.network.networks = {
+    "10-wan" = let
+      icfg = config.repo.secrets.local.networking.interfaces.wan;
+    in {
+      address = [
+        icfg.hostCidrv4
+        icfg.hostCidrv6
+      ];
+      gateway = ["fe80::1"];
+      matchConfig.MACAddress = icfg.mac;
+      networkConfig.IPv6PrivacyExtensions = "yes";
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  # TODO mkForce nftables
+  networking.nftables.firewall = {
+    zones = lib.mkForce {
+      untrusted.interfaces = ["wan"];
+    };
+  };
+
+  extra.wireguard.proxy-sentinel.server = {
+    host = config.networking.fqdn;
+    port = 51443;
+    reservedAddresses = ["10.43.0.0/24" "fd00:43::/120"];
+    openFirewallRules = ["untrusted-to-local"];
+  };
+}

hosts/sentinel/nginx.nix

@@ -0,0 +1,51 @@
+{config, ...}: let
+  inherit (config.repo.secrets.local) acme personalDomain;
+in {
+  networking.domain = personalDomain;
+
+  rekey.secrets."dhparams.pem" = {
+    file = ./secrets/dhparams.pem.age;
+    mode = "440";
+    group = "nginx";
+  };
+
+  rekey.secrets.acme-credentials = {
+    file = ./secrets/acme-credentials.age;
+    mode = "440";
+    group = "acme";
+  };
+
+  #security.acme = {
+  #  acceptTerms = true;
+  #  defaults = {
+  #    inherit (acme) email;
+  #    credentialsFile = config.rekey.secrets.acme-credentials.path;
+  #    dnsProvider = "cloudflare";
+  #    dnsPropagationCheck = true;
+  #    reloadServices = ["nginx"];
+  #  };
+  #};
+  #extra.acme.wildcardDomains = acme.domains;
+  #users.groups.acme.members = ["nginx"];
+
+  #services.nginx = {
+  #  enable = true;
+  #  upstreams."kanidm" = {
+  #    servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {};
+  #    extraConfig = ''
+  #      zone kanidm 64k;
+  #      keepalive 2;
+  #    '';
+  #  };
+  #  virtualHosts.${authDomain} = {
+  #    forceSSL = true;
+  #    useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
+  #    locations."/".proxyPass = "https://kanidm";
+  #    # Allow using self-signed certs to satisfy kanidm's requirement
+  #    # for TLS connections. (This is over wireguard anyway)
+  #    extraConfig = ''
+  #      proxy_ssl_verify off;
+  #    '';
+  #  };
+  #};
+}

hosts/zackbiene/default.nix

@@ -49,6 +49,6 @@
   boot.kernelParams = ["console=ttyAML0,115200n8" "console=tty0"];
   console.earlySetup = true;
 
-  # Fails if there are not SMART devices
+  # Fails if there are no SMART devices
   services.smartd.enable = lib.mkForce false;
 }