feat[server]: add dns server

2025-12-06 09:07:21 +01:00 · 2025-11-25 19:49:58 +01:00 · 2025-11-25 19:49:58 +01:00 · 00340a9c01
commit 00340a9c01
parent a8f29d26c6
22 changed files with 478 additions and 38 deletions
--- a/hosts/nixos/aarch64-linux/belchsfactory/default.nix
+++ b/hosts/nixos/aarch64-linux/belchsfactory/default.nix
@ -0,0 +1,35 @@
+{ lib, config, minimal, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+  ];
+
+  node.lockFromBootstrapping = lib.mkForce false;
+
+  topology.self = {
+    icon = "devices.cloud-server";
+  };
+  swarselmodules.server.nginx = false;
+
+  swarselsystems = {
+    flakePath = "/root/.dotfiles";
+    info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
+    isImpermanence = true;
+    isSecureBoot = false;
+    isCrypted = true;
+    isSwap = false;
+    rootDisk = "/dev/sda";
+    isBtrfs = true;
+    isNixos = true;
+    isLinux = true;
+    proxyHost = "belchsfactory";
+    server = {
+      inherit (config.repo.secrets.local.networking) localNetwork;
+    };
+  };
+} // lib.optionalAttrs (!minimal) {
+  swarselprofiles = {
+    server = true;
+  };
+}
--- a/hosts/nixos/aarch64-linux/belchsfactory/disk-config.nix
+++ b/hosts/nixos/aarch64-linux/belchsfactory/disk-config.nix
@ -0,0 +1,121 @@
+{ lib, pkgs, config, ... }:
+let
+  type = "btrfs";
+  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+  subvolumes = {
+    "/root" = {
+      mountpoint = "/";
+      mountOptions = [
+        "subvol=root"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/home";
+      mountOptions = [
+        "subvol=home"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/persist";
+      mountOptions = [
+        "subvol=persist"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/var/log";
+      mountOptions = [
+        "subvol=log"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/nix" = {
+      mountpoint = "/nix";
+      mountOptions = [
+        "subvol=nix"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/swap" = lib.mkIf config.swarselsystems.isSwap {
+      mountpoint = "/.swapvol";
+      swap.swapfile.size = config.swarselsystems.swapSize;
+    };
+  };
+in
+{
+  disko = {
+    imageBuilder.extraDependencies = [ pkgs.kmod ];
+    devices = {
+      disk = {
+        disk0 = {
+          type = "disk";
+          device = config.swarselsystems.rootDisk;
+          content = {
+            type = "gpt";
+            partitions = {
+              ESP = {
+                priority = 1;
+                name = "ESP";
+                size = "512M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [ "defaults" ];
+                };
+              };
+              root = lib.mkIf (!config.swarselsystems.isCrypted) {
+                size = "100%";
+                content = {
+                  inherit type subvolumes extraArgs;
+                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+                    MNTPOINT=$(mktemp -d)
+                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+                  '';
+                };
+              };
+              luks = lib.mkIf config.swarselsystems.isCrypted {
+                size = "100%";
+                content = {
+                  type = "luks";
+                  name = "cryptroot";
+                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+                  settings = {
+                    allowDiscards = true;
+                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+                    crypttabExtraOpts = [
+                      "fido2-device=auto"
+                      "token-timeout=10"
+                    ];
+                  };
+                  content = {
+                    inherit type subvolumes extraArgs;
+                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+                      MNTPOINT=$(mktemp -d)
+                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+                    '';
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+}
--- a/hosts/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix
+++ b/hosts/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix
@ -0,0 +1,15 @@
+{ lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}
--- a/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
+++ b/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:asdaPhz9nquyhCH8NuvAMdgEXW/RxPCEpqwFbyCYxfjMeWjvEe8yzWJDjVlTjP+73ql/CGSRajcahRNhOd1rgGoyMm71HJGxSWA2rbn7oNmll9lOquUJkDwXLHk5ApgIrTbvUX1C5rha/L/JSli5Hiy59WU/FB4WWDizhcN3XFSVdNYIKoA992JT0GjJ1dzHvzi+rw/8Mw+BJzm592t1CxhpS8qXRTpuyPSh09IWACNSJYBuEoEwA7aB9EVwG6SskUJKvU3bwyaI9nuc0iXHGbL5VLVJ95e2fcn7K3w2OEq1oigu4q5bpNUazX+mhLv7S8HN3c6/JJn69LaCkQeXhnNmrfy8J5+6i6fnXCdvXxHy00DI2p7fIeEM/MqaymhqoxoGxQs+vBcb2iY1OmvI6zrPRPKEghAo2zvzKHQF7ykRTi3ed6V6aVMSpu1rO1Z0UwwVbvEzSHtVnEU/gp4=,iv:lSRKdYmGE/XeGcalDIM0yuU+GaXMrxJrjqfVhHd7lIY=,tag:dD9LkrzuHLsoa2UcGfXHWA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbi9PZkRob2JkcjlEMUJu\nSG5TemplWkhWVXZNWStCVXhrUlFRSUtPeWk4CjZEQVN4b1lYVkxYQmU0SEJ0QnAv\nTE9IdHZUYmVjb0hxSno1QWxGN1ZMUFEKLS0tIEwrVU5uZmZPRGdZcjVsVk1IQ1Vv\nRXdMcW0xR2g5SCswKzF5RkIwUmtocDgKVI/EMQuvfKGeJH7wFm8VP5rKLhYKOlPt\nA+QIDAdrtFogW9Swwhzxu1tIOfMXzfyW9P+ec/b6/vU96PMqJQ6ZGg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-24T23:34:04Z",
+		"mac": "ENC[AES256_GCM,data:O7COFKQkK6aGkX8fp/ihHBxRVV8UM3khi549O6RWMFGDxgwMTh1qr3hNIJa3B4sTfhFuvOxpfxLjR4Yw02JH6wuwuuzANFzQ9uiVsVv5UDVDD0msYneTXVbSBo92gLFr4ZXcAoTtf9AKitkjwWjLK2sTJcZ608NjQSpOo+rSJ3o=,iv:s5wB+8B+igS7PhDTHL6XS17QBdhvobXFgCzHxHu52q4=,tag:ulySxIPinWRRRY8XbE8pWg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-11-25T18:32:49Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+Mi33CAnGK/475xmMlZn2P4aR2iFjWFms6XU540JZnfQi\nF6/bjq1otgxGlnR6x3zhPQU3whCQIv538UeiYWMoS8oPxj5b5eF33agihYaCq2wx\nHv4p0+hOJMl2SJPCHfmTkClqYGYMOzTPe1g6oiY0N3FWVoiWXdbWNkIGVNjgkedz\n5f9JPFWn6iB/Z07qUMwG2OOzh8ZPlh/PgNCBrCVMUYrD/FrAck389uMw4yHFz8AV\n3ETnx2gHFTwL5F8H7x3uVungoBVCJk+NpXiKS6nVKwH4jliydiU2ZClSzjHpCqCW\nd365MCahC67IkuCkWhwuPwDaKIk7Qw4rZaLybcad5/TQ0zT+XCm6/2DYIYTj2gip\nqrBDZxHZhkpYcArjckWDRchO9t9E/c3qJfD1Zxi6fBz0vu2WcCuTT8Qd6Zn+DlMb\nVr0D2LPlZGRJ+kM9xuZXaY1bGNAA2POvLn698prPuTkMNxidQEhPNuNy4PlYKXAP\nFfRzJ5zFUneW19j8SgL6BxfLoYDFWkoHIutNDH5H290MJqnFDUrQ5bQn8odM+1OL\noJ1AchHN3J0J5aa2Z8X0NSVN7N0TmU3xVZ1GmfdqbH+3V+OR3NMgJ/FKMQEutT56\nAsBc7tSHtJGaRS9plJ+RryuPRRnqGmRkS3vVmBkrD+pY/TwUbXUBKjEOWhq9uwiF\nAgwDC9FRLmchgYQBEACD1XnsK/sTsgtvt69H/aBHWVIWQNTmdhwJBUHmqkusFhPf\nXxfGN+bvapWulYI+Wb4LAQQbUhMmz8drPnWpCEobS3LSeU8CDD3wBrGAJubI7YLK\nttn4oB7XK5mrg9SIQ8M8kOElv19oCMudkX8dRs4gs0TBO6jbr7/lsiyL/sN3Ylk+\nnyORFeSgE9vVcvJ8QnIF+MQXF9Re61zJFqjXiDMEklzbHHVeLzS5IlYgJoDvV3Gg\n9lTtvdO/FV5JtjFeYI16rjPb7ip/KtljU5pBM8wp6VU4Dre0VsRBgztm279g+WaL\nDJuf6lmfwNSk66tiLpsaJoEu7A+UhLURI10cv92E7fydbGRZMgSjK6ZK4Ue6WH1U\nYQJenngZPXcRcqfCeTVTjzG6ikL3aCfvbuJ3/oT8Y8oBA5Ch2PG7fWAJMMUVIFAM\nLO8KqCSdRCoJrJ69s8iyBycOhPhMiwLZU2HLlMux/kLq5OB2JMGm8P4nxoXTp9Dz\n2TPoPigZritYHsIXZ3cM2iR3OL3AiotKlaIp74ElUeuc0K+Bcp1C//OtKTPuYGnc\n0ttC/dx3c9vv6W80JJ6i7bCRoDiuGrrdx783ly2br4VLDFSaS8rNbrM5ccSTVImw\nUFxZO9rLO0n7N6z4hlgrKw3G1SWKYqbgOVXxIog7st8JvmPLQZYjEuH9Xwq6WdJc\nAU2esxsAaDKyIPHg+DAXOPBagzU1tBKFYtwaiFVDqYk5gNE/2hAnKcuU7O3sua1q\ntsgL2kY8VSHcFFv8N6FhDYPdCrDgAwOtJSZGf7uV92q7/vbMWx+vGq/7FaQ=\n=m1sm\n-----END PGP MESSAGE-----",
+				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
--- a/hosts/nixos/aarch64-linux/moonside/default.nix
+++ b/hosts/nixos/aarch64-linux/moonside/default.nix
@ -11,7 +11,6 @@ in

  sops = {
    age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
-    # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";
    secrets = {
      wireguard-private-key = { inherit sopsFile; };
      wireguard-home-preshared-key = { inherit sopsFile; };
@ -138,9 +137,12 @@ in
    isBtrfs = true;
    isNixos = true;
    isLinux = true;
+    proxyHost = "moonside";
+    server = {
+      inherit (config.repo.secrets.local.networking) localNetwork;
+    };
    syncthing = {
      serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
-      serviceIP = "localhost";
    };
  };
 } // lib.optionalAttrs (!minimal) {
--- a/hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
+++ b/hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:RTj0FFJudZusWh2SuAPBHhpYEU20GmWbeZZSCG/vKCz83iUEJxpZ0lSDm71BN1Di7sz+VchcbWxkUjc+SV9paFOtuRKMPynW5n/HTyp/ub3y8oPUN4AjxiRnvfzh8Qxd/vnmxd6lSh2HxMlOqJURN0JY3D3g+tpHyTIvFUWef6HgzLNZCXDnP3HJzbIY53VPj9f+DsdxtFwU5OHkWd8gH2D4XuPPetN0Iv2HaR9+dvlVrbKEXgElgdENkU+ED78TFxvabk1hqPZqXhsfORF/5RpwF15ip5iSlVWPTwMdBREqCsHRiA+u5F9nwJ5C70U1wz39J40CJoa9oihIxyAmN3dktD0JuY0jiqyxwTRFZXYh7Ioe4CksaET0P7LbTa7+BpctgoBqvmnhM3ZDNcSZMNcCbtX98V30UqEPBoTn3kRYvg/1C1SycR96bVW/AiHMiIzD93dNw2gUWdyQX9xtHvgdxLo3U20pJhjMEcsk9V98H6lPiLp3lltrjAX35RsG5R629W8/WVOGoUQn9nX/y6m9VFKoUPf8/M7tvlxDT9A/QBQQvShdA4AM0K8mdNzb85ac5In+43gWDRXWQPPf72e5gL5nPIqPcZvAcoLHsYFH5ebr7VUaUbHm890jQDoNvtezZ1w9nRlZNGVTwdvwWB3rfzorzwCAKLhkFv6ATUYimP0tiHPOz0MxTQKXg12rtyPXbh8bwjhg0kdIlwljAYnYUKiX7SVSeYq7TQksQIiH83JwxCGrL4xjMWZhNkrg3KQUrEMHHaMbNCZvb5M2nMceBo6eA2zi5qYA9sLVnLTrlwx+3Wl7uFBv+9Z+8qvGg3adpGrtJTJjVf+cig01gzao5WrJtT9q4YD1tOHnWfBhwI9/3ny2A0WlyjlY/fS8WUiOmyhl/6N+ukdffzDZQOcTGf1QD0zO+9FYPqYhxr8eGKRHAB0R81Q5y+ORTLwXJ7EhRIK2f45FJisRIsiR+VTsI2cqy7n9HtubY8jQPxLMLnxuUqTu/OjtUMCcbJO8iqYDxWf6NlCZuTaLsQuUPWvO5uUelQpDmN6HhxSGKD9XG4M7/zCuCWNhKWoH0Z9xfw==,iv:Bs1fdmD4jbM/9hiPHxu+yENrVrwFsmhJ5J38W5+4PtM=,tag:UBpHq3ldgdVORaRxuswzVQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:2BVykBGxqpEx6OGG4//MRHDPfE9xJYatb96gn/NXlaYC5nI8zm/9etMRqX6VWEMLdc+4szrCzwNnJx07P6fvY7psER+kd0iuuJc3dLwpm708/fDMP1eOblL0SpIEOHuw8khxtB8KwwMFrwI+858vJvek0/EGN9owCotseJY0lPfX3Kz1StdEspwf0cNAEtck0sQ8MxyODMQggei1eBpr7R+8KRlMg2hBvKw+KbL4C+05twtno3Emar36aeYZurXplm6Z9o3mhvRbpjAkC4cdv9ffiiqQdRuqD0SIbmswjq2ntAVoike6Go0Gflld8POQvE3inZ0pQFC4khTdsheC7nwkI9eudQbNIPzoGq0tjlF4n+/PWgQwoxDiNFvKuKAMrVaAIjQlflt483ofq+TubC9P6FqyjW1gAI94976RIyoBKWWKvJBfr8WKDbwKErLFeTyCnNci96Uctvw4ivYohBj4bUfrZ2zyQk/Y0u7cJYl6qbb+lT1TwHw2Fe9kbn9dDA0wwck5vh0c+q9nhaSG1QNNWxr62w/UyQL/vDxYv1SF5/CwTRmTxDobjhJu+tkzSAfitJ4d41c4/vZ25fG3wehgdLJsdhrjL1JB8smDs/GOFetFO6vPkHZq8HYUc5JB4lg/v9WFXE+nACaFHcZlISrOV9Eh4dG/xu2hsd/rh1uldBVqEZq39PiTk1y94m6AyeQ+dtmGvgBbAFvIpQfUB4+4f7+qO2yQqbb2R/RuqKUuyt+Yy5DrcciFTivGXmlHvC3Cz/qmtpI19boXwiF1uNzKDUHebvK1+azOc2qxOsM15g+jZG9V23o/kP4sGTY9dXqeuMmfELvBBrPgBB8Nhgdi0DrDed4cpQEp2E+rSGCM7V1IdEFa4iMyC8jJ8xq9eBnluNMdmvC8iWanhO7R4AiMzd2JOQImJ11ZX0QAxgG4FwyvYxyX+QXgIHuJDqUVsMxba6HWqwEU0B4qjgVJUDuf0WZxLNBh8bbjH8pV0sa8c7fJBTdHg8X5MBbbaSsYDxQBhdTVKiUXoG5T/2npr1Efjlr09JDbtZlzWYkNfhJ9gLyQI54hXJ0DHWvtnydzHGLKwsPSXRjFcf/jGgCZr2FideArza5y53HBqz2NSOvzvYgZp/avhNumKRQroFZ930Rx2UJoSI+VNDQiPe1aZpOdFsmS923vxlCg/EC0dElKHt0Ou/RRZeonMAmrqak+JIF1+dWn9k2cNNQ=,iv:aP0jgnZRCiLE+BFimZk7k4ElQmPIeZPOvZnc/96j2zs=,tag:0UQF0LlWWGI9tF0UKf8eIA==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-10T23:16:52Z",
-		"mac": "ENC[AES256_GCM,data:CuwVt8/XKRMUHs1rh7Yf4Bk5tWXqTz0HXUiEEjuLhj1TRuMWs6aTC1h9uTMoybP+FmjKeRTar1E8dgUmoheFUGaBFqxd1Kx/FmNeJVLhUOPgmT9XOIjEjTNnzOoaMsYvfhP+AnLKgx+CfOsLnLMOqdKEggx1t5jNfiI2rXqOdfI=,iv:4Mc3WcgMg3z99dERJk+EF4hPpgGZo4mfMt6X45zgp5I=,tag:MP0YDtR1Wq3088WVzXS+8A==,type:str]",
+		"lastmodified": "2025-11-24T23:21:12Z",
+		"mac": "ENC[AES256_GCM,data:qf8XNu9bUnwXh/XDMR/2MKf2HKfpqA9GhKjOln97kU57jqqTLxQkdjIwazwoNxEkVkiXHwSd0J/0ZblqcJoCGgy90PC6nYktxRG5y8c462P6Xv259xfpLFTtxtV9Q/Wg18QOruZzULO6ENYTAXGsPZ46VEpf7HQng03PFe9WtlA=,iv:kI2HHNcMjCC5jzI2EAh1nh86HYj7fb11EPkclhIsHSY=,tag:zeWbqVq0c+GzUdJpvcJeEw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-13T20:12:55Z",