NixOS · Mic92 · Feb 12, 2025 · Feb 12, 2025 · Feb 12, 2025 · Feb 12, 2025
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -48,6 +48,10 @@
         flake-utils.follows = "flake-utils";
       };
     };
+
+    hydra.url = "github:NixOS/hydra/hydra.nixos.org";
+    hydra.inputs.nixpkgs.follows = "nixpkgs";
+    nix.follows = "hydra/nix";
   };
   outputs =
     inputs@{ flake-parts, ... }:

diff --git a/non-critical-infra/.sops.yaml b/non-critical-infra/.sops.yaml
@@ -3,6 +3,10 @@ keys:
   - &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
   - &caliban age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq
   - &umbriel age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6
+  - &staging-hydra age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v
+  - &m1-s age1v5qpkvs3zpz65gvfr2gv3ln7x6yfexvpregdr02hyvxnunu63ujqgwevf8
+  - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+  - &shivaraj-bh age1rskg564672la06lqyla73je6e00hx92j9uhyycn3m3vtpw54avwqcn6wx9
 
 creation_rules:
   - path_regex: secrets/[^/]+.caliban
@@ -18,3 +22,19 @@ creation_rules:
           - *umbriel
           - *hexa
           - *zimbatm
+
+  # ssh keys used to bootstrap new machines
+  - path_regex: secrets/[^/]+-hostkeys.yaml
+    key_groups:
+      - age:
+          - *m1-s
+          - *shivaraj-bh
+          - *mic92
+
+  - path_regex: secrets/[^/]+.staging-hydra
+    key_groups:
+      - age:
+          - *staging-hydra
+          - *shivaraj-bh
+          - *m1-s
+          - *mic92
diff --git a/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh b/non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+# Use this script to deploy the initial keys when bootstrapping a new machine.
+
+set -euo pipefail
+tmpDir=$(mktemp -d)
+sshDir="$tmpDir/etc/ssh"
+mkdir -p "$sshDir"
+trap 'rm -rf "$tmpDir"' EXIT
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+for keyname in ssh_host_ed25519_key ssh_host_ed25519_key.pub; do
+  if [[ $keyname == *.pub ]]; then
+    umask 0133
+  else
+    umask 0177
+  fi
+  sops --extract '["'$keyname'"]' --decrypt "$SCRIPT_DIR/../../secrets/staging-hydra-hostkeys.yaml" >"$sshDir/$keyname"
+done
+nix run nixpkgs#nixos-anywhere -- --extra-files "$tmpDir" -f .#staging-hydra [email protected]
diff --git a/non-critical-infra/hosts/staging-hydra/default.nix b/non-critical-infra/hosts/staging-hydra/default.nix
@@ -0,0 +1,49 @@
+{ inputs, lib, ... }:
+{
+  imports = [
+    ./hardware.nix
+    inputs.srvos.nixosModules.server
+    inputs.srvos.nixosModules.hardware-hetzner-cloud-arm
+    ../../modules/common.nix
+    ./hydra-proxy.nix
+    ./hydra.nix
+    inputs.hydra.nixosModules.hydra
+  ];
+
+  nixpkgs.overlays = [
+    inputs.nix.overlays.default
+    inputs.hydra.overlays.default
+  ];
+
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      timeout = lib.mkForce 5;
+      efi.efiSysMountPoint = "/efi";
+    };
+    kernelParams = [ "console=tty" ];
+  };
+  networking = {
+    hostName = "staging-hydra";
+    domain = "nixos.org";
+  };
+
+  systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:c012:d5d3::1/128";
+
+  disko.devices = import ./disko.nix;
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+  networking.firewall.allowedUDPPorts = [ ];
+
+  system.stateVersion = "24.11";
+  users.users.root.openssh.authorizedKeys.keys = [
+    # m1-s
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaGspw6myJ5GKHHxN+7jaJWyU1SlVo4nCzDajyJdtvg"
+    # shivaraj-bh
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFN5Ov2zDIG59/DaYKjT0sMWIY15er1DZCT9SIak07vK"
+  ];
+}
diff --git a/non-critical-infra/hosts/staging-hydra/disko.nix b/non-critical-infra/hosts/staging-hydra/disko.nix
@@ -0,0 +1,61 @@
+{
+  disk = {
+    main = {
+      device = "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          esp = {
+            type = "EF00";
+            size = "1024M";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/efi";
+            };
+          };
+          root = {
+            size = "100%";
+            content = {
+              type = "zfs";
+              pool = "zroot";
+            };
+          };
+        };
+      };
+    };
+  };
+
+  zpool.zroot = {
+    type = "zpool";
+    options = {
+      # smartctl --all /dev/sda
+      # Logical block size:   512 bytes
+      ashift = "9";
+    };
+    rootFsOptions = {
+      acltype = "posixacl";
+      compression = "zstd";
+      mountpoint = "none";
+      xattr = "sa";
+    };
+    datasets = {
+      "root" = {
+        type = "zfs_fs";
+        mountpoint = "/";
+      };
+      "nix" = {
+        type = "zfs_fs";
+        mountpoint = "/nix";
+      };
+      "reserved" = {
+        type = "zfs_fs";
+        options = {
+          canmount = "off";
+          refreservation = "1G";
+        };
+      };
+    };
+  };
+}
diff --git a/non-critical-infra/hosts/staging-hydra/hardware.nix b/non-critical-infra/hosts/staging-hydra/hardware.nix
@@ -0,0 +1,15 @@
+{ lib, ... }:
+{
+
+  boot.initrd = {
+    availableKernelModules = [
+      "xhci_pci"
+      "virtio_pci"
+      "usbhid"
+      "sr_mod"
+    ];
+    kernelModules = [ "virtio_gpu" ];
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}