Define the initial NixOS configuration of webforge in a flake with CI support

.github/workflows/nix.yml

@@ -0,0 +1,93 @@
+name: Nix
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/nix.yml'
+      - 'nix/**'
+      - 'flake.*'
+  pull_request:
+    paths:
+      - '.github/workflows/nix.yml'
+      - 'nix/**'
+      - 'flake.*'
+
+jobs:
+  check:
+    name: Check
+    runs-on: ubuntu-24.04
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        id: install_nix
+        uses: nixbuild/nix-quick-install-action@v30
+
+      - name: Check Nix Flake
+        id: check
+        run: |
+          nix flake show
+          nix flake check
+
+      - name: Set matrix
+        id: set-matrix
+        run: |
+          # Create a "matrix" targeting the systems we want to check (and later deploy).
+          # It will be consumed by the next job(s) to fire one build per system in parallel.
+          # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow
+          echo "matrix<<end_of_matrix" >> $GITHUB_OUTPUT
+          cat >> $GITHUB_OUTPUT <<-EOF
+          {"include":[
+          {"target":"webforge","hostname":"webforge","domain":"tahoe-lafs.org"}
+          ]}
+          EOF
+          echo "end_of_matrix" >> $GITHUB_OUTPUT
+          # TODO: Find a simpe way to get the target list from the flake
+
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+    if: github.event_name == 'pull_request'
+    needs: check
+    strategy:
+      fail-fast: false
+      # Consuming the matrix created above
+      matrix: ${{fromJson(needs.check.outputs.matrix)}}
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        id: install_nix
+        uses: nixbuild/nix-quick-install-action@v30
+
+      - name: Restore and cache Nix store ${{ matrix.target }}
+        uses: nix-community/cache-nix-action@v6
+        with:
+          # restore and save a cache using this key
+          primary-key: ${{ runner.os }}-Nix-${{ matrix.target }}-${{ hashFiles('flake.*', 'nix/common/*.nix', 'nix/modules/**.nix', format('nix/hosts/{0}/*.nix', matrix.target)) }}
+          # if there's no cache hit, restore a cache by this prefix
+          restore-prefixes-first-match: ${{ runner.os }}-Nix-${{ matrix.target }}-
+          # collect garbage until Nix store size (in bytes) is at most this number
+          # before trying to save a new cache
+          gc-max-store-size-linux: 1073741824
+          # do purge caches
+          purge: true
+          # purge all versions of the cache
+          purge-prefixes: ${{ runner.os }}-Nix-${{ matrix.target }}-
+          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
+          purge-created: 0
+          # except the version with the `primary-key`, if it exists
+          purge-primary-key: never
+
+      - name: Build nixosConfiguration for ${{ matrix.target }}
+        id: check_target
+        run: |
+          nix build .#nixosConfigurations.${{ matrix.target }}.config.system.build.toplevel

flake.nix

@@ -0,0 +1,23 @@
+{
+  inputs = {
+    # The nixpkgs channels we want to consume
+    nixpkgs-24_11.url = "github:NixOS/nixpkgs/nixos-24.11-small";
+
+    # Some links to the above channels for consistent naming in outputs
+    nixpkgs.follows = "nixpkgs-24_11";
+  };
+  outputs = { self, nixpkgs, ... }@attrs: {
+    # Generate an attrset of nixosConfigurations based on their system name
+    nixosConfigurations = nixpkgs.lib.attrsets.genAttrs [
+      "webforge"
+    ] (sysname: nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = attrs;
+        modules = [
+          { system.name = sysname; }
+          ./nix/hosts/${sysname}/configuration.nix
+        ];
+      }
+    );
+  };
+}

nix/hosts/webforge/configuration.nix

@@ -0,0 +1,16 @@
+{ ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.nix # generated at runtime by nixos-infect
+  ];
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+  networking.hostName = "webforge";
+  networking.domain = "tahoe-lafs.org";
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlPneIaRT/mqu13N83ctEftub4O6zAfi6qgzZKerU5o florian@leastauthority.com"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZtWY7t8HVnaz6bluYsrAlzZC3MZtb8g0nO5L5fCQKR benoit@leastauthority.com" ];
+  system.stateVersion = "23.11";
+}

nix/hosts/webforge/hardware-configuration.nix

@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}

nix/hosts/webforge/networking.nix

@@ -0,0 +1,35 @@
+{ lib, ... }: {
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+    nameservers = [
+      "2a01:4ff:ff00::add:2"
+      "2a01:4ff:ff00::add:1"
+      "185.12.64.1"
+      "185.12.64.2"
+    ];
+    defaultGateway = "172.31.1.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          { address="135.181.155.146"; prefixLength=32; }
+        ];
+        ipv6.addresses = [
+          { address="2a01:4f9:c011:b882::1"; prefixLength=64; }
+          { address="fe80::9400:4ff:fe03:57eb"; prefixLength=64; }
+        ];
+        ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
+        ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
+      };
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="96:00:04:03:57:eb", NAME="eth0"
+  '';
+}

secrets/.public_keys/adm_btlogy.asc

@@ -0,0 +1,47 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: benoit@leastauthority.com
+
+mDMEY7A6HxYJKwYBBAHaRw8BAQdAYzot0Vh4hn7DI79htP+xfeFzm6sQkbVHCM2T
+TMWQLoW0JEJlbm9pdCBEb25uZWF1eCA8YmVub2l0QGRvbm5lYXV4LmV1PoiRBBMW
+CgA5AhsBBAsJCAcEFQoJCAUWAgMBAAIeAQIXgBYhBEEesW0TtCJJD+uhFVp6CfDC
+efzWBQJjsutGAhkBAAoJEFp6CfDCefzWpvsBAPRU1V6VrObBZkKJdzOMGmPL1oNA
+Bz7xRJaGknA/9MfiAP9kick2Xe6736AHTGEkBF5QPbu3ZFdiINNY1Pjah/y6DIkB
+MwQQAQoAHRYhBISDYWVkaSHK7A3kGI6P8kyyawozBQJjsDviAAoJEI6P8kyyawoz
+uPgIAIFYup3yx+1W7DegwdkK3/DW3r8bknx3w27my5CUk/pmKeWhPtKp2R7RptaF
+b/9vBCcaSyAvSC+Zqa80YIPjupahtdGaHt1IwpVhGG5+U0gh5pG4Q+/V3tVMPclm
+HLSCaCpRK2XaSVWmAmhxn1x4e0i7Np8kbOVU1taNxd/8pImg6+HbO3NSt0LvsxwU
+8hGFukYu/LNesa5YzzmdYPKIcx8Vow4PgLOWnXypeF4+HHYIPXzOj7Z42k63QFZc
+8QwgftgY8ZNsx/1SwyWh6SNbXydXFgSRDUC/Csv1q04wEz4AM6nQIJpzo1YlNPpV
+M9tsZzbTwtGi7lWvbroOvnKYGFm0MEJlbm9pdCBEb25uZWF1eCAoYjNuL2J0bG9n
+eSkgPGJlbkB0ZXJnb2xvZ3kuY29tPoiOBBMWCgA2FiEEQR6xbRO0IkkP66EVWnoJ
+8MJ5/NYFAmOy6lYCGwEECwkIBwQVCgkIBRYCAwEAAh4BAheAAAoJEFp6CfDCefzW
+z5kA/0xexO8In1Mh+jWWT2Ph5hYBkmk8bIlNxNXpO4LQ/tFhAP9G8OIXe3zxtVat
+hLY6l0yXRCmANOOzxPRmnqfgH+D2B7Q7QmVub2l0IERvbm5lYXV4IChiRW4vYmRv
+bm5lYXV4KSA8YmVub2l0QGxlYXN0YXV0aG9yaXR5LmNvbT6IjgQTFgoANhYhBEEe
+sW0TtCJJD+uhFVp6CfDCefzWBQJjsurOAhsBBAsJCAcEFQoJCAUWAgMBAAIeAQIX
+gAAKCRBaegnwwnn81s5WAP9/uRO0t/yUMamYw1eu80+WnYuK8JRECkAOFpEmkvZS
+uAEAuEjz8Yo0TykIS4J3w4Z3UopF/ZA+NaeohUi9EzNI+gK0M0Jlbm9pdCBEb25u
+ZWF1eCAoYjNuL2Jkb25uZWF1eCkgPGJlbm9pdEBkYXBwcmUuY29tPoiOBBMWCgA2
+FiEEQR6xbRO0IkkP66EVWnoJ8MJ5/NYFAmOy6vkCGwEECwkIBwQVCgkIBRYCAwEA
+Ah4BAheAAAoJEFp6CfDCefzW370BAPpO3aGS0l+vQ03XuTht1eyeQs7SxLBWT+JR
+VWkY5yaPAP9CPZrY6V9QB/337Jk2whXmhTyc3cXtnN6ASXV10SpDDbQgQmVub2l0
+IERvbm5lYXV4IDxiZW5AdGVybG9nLm5ldD6IjgQTFgoANhYhBEEesW0TtCJJD+uh
+FVp6CfDCefzWBQJmgVSBAhsBBAsJCAcEFQoJCAUWAgMBAAIeAQIXgAAKCRBaegnw
+wnn81kOtAQCQ3iD0LMEzrLSFRsti34UhKPmfLoT2SdSCWEn2LFwB7AD9En0pdMNO
+uSxp879i/Kpi162msYgNot3QopsEH+hCiQu4MwRjstwVFgkrBgEEAdpHDwEBB0CM
+ZnyWJJVeD6NF/+pqgj18MbSKY/miwY2T37PMpHFUjoj1BBgWCgAmAhsCFiEEQR6x
+bRO0IkkP66EVWnoJ8MJ5/NYFAmfQM/0FCQX+i2gAgXYgBBkWCgAdFiEEmxtQLqkR
+A7s7vsJFNpllLMQ0JkYFAmOy3BUACgkQNpllLMQ0JkYNWQD6A7Nmi4aEATFNkD15
+8iJ10wyAlB4gHQ1SSo0Es4ui6UwA/iYLUPLTov9QTDCtbaAMo1T58dQYxeVOTGPJ
+PSKaO/IECRBaegnwwnn81vJ/AP4hL5pCzsJVeeYC62Gcyu0aRlfDsJT8KpPt3Y4/
+Vibg7QEA16TOMncyuvgjGOuIjZeiZENGtHHQsyGh9I3jCd5czAu4OARjstzeEgor
+BgEEAZdVAQUBAQdAnOyinFQ5g+2Fh5/nlXQ5RFM1Y38Y7awRikqfFpHDVjQDAQgH
+iH4EGBYKACYCGwwWIQRBHrFtE7QiSQ/roRVaegnwwnn81gUCZ9Az/QUJBf6KnwAK
+CRBaegnwwnn81hK6AQCvsLYKn/83IqFluqZTdTobKIuR5HkrWHJmHFI4uz52fgEA
+9XlX6sv8aRLqRsbZS5TSpebMw7+jFOq7t49sy+RdDAq4MwRjst7sFgkrBgEEAdpH
+DwEBB0CGbVmO7fB1Z2s+m5bmLKwJc2QtzGbW/INJzuS+XwkCkYh+BBgWCgAmAhsg
+FiEEQR6xbRO0IkkP66EVWnoJ8MJ5/NYFAmfQM/0FCQX+iJEACgkQWnoJ8MJ5/Nbz
+MgD9Fn9qeWcR+qv7ICRpGb+fEMl5cmAp45Gpcgpq/CQIMrAA/ReW0qZOmdfWCRKw
+8te5p7SeMzBNTRwURckwsxZcLsAI
+=GNi/
+-----END PGP PUBLIC KEY BLOCK-----

secrets/.public_keys/adm_hacklschorsch.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: florian@leastauthority.com
+
+mDMEZbvonxYJKwYBBAHaRw8BAQdAYq4atW7YnzVqKzml6zH6sejCZFnkRfk6Ggf9
+ShG9z7K0K0Zsb3JpYW4gU2Vzc2VyIDxmbG9yaWFuQGxlYXN0YXV0aG9yaXR5LmNv
+bT6IkQQTFgoAOQIbAQQLCQgHBBUKCQgFFgIDAQACHgUCF4AWIQRSRJcPvsiqZmWO
+xLbX1KRBQxpz8QUCZbvrkAIZAQAKCRDX1KRBQxpz8ctGAP4r+mAERl1G8JuWHJkF
+iDyuRO46fY6xinPg9rhtFQZ7XAD8CHLXXW9vVxvjnhwKPTUQqOp8EEUX3cfgxbzP
+HPuKswC0KEZsb3JpYW4gU2Vzc2VyIDxmbG9yaWFuQHByaXZhdGUuc3RvcmFnZT6I
+jgQTFgoANhYhBFJElw++yKpmZY7EttfUpEFDGnPxBQJlu+sDAhsBBAsJCAcEFQoJ
+CAUWAgMBAAIeBQIXgAAKCRDX1KRBQxpz8WfAAQD6xMklFil++JRSk0opypWpa4tK
+NUoGm9RojWdLijpc/wEA5DSlP/peWY/xVe5rzLOtCM+tr7ItNFS6b5nEVRKPTAW4
+MwRlu+lJFgkrBgEEAdpHDwEBB0CY+PZUMqXN5ryhwPRQxn7cg6cpmjG2G9UtlyBR
+eB5iNYj1BBgWCgAmAhsCFiEEUkSXD77IqmZljsS219SkQUMac/EFAme/b5IFCQen
+IMkAgXYgBBkWCgAdFiEEQ945aRlVC4PWaiIKesxZRaeTP48FAmW76UkACgkQesxZ
+RaeTP48+VQEA51FL/VXAMpuVaq/qnTbKf1QWax27SvBYfySAsNtJfQkBAJ2VStpT
+O3qd3jOMoOw9nYBquw6ofJkXZ/b0M6LTu5ADCRDX1KRBQxpz8ejvAP42iJghPR6K
+NivoK5gr9bgrf1nbEzpD0EsvrtgV8wvAsgEAvMHUaqLg5LluQVJapc+zuvbfHHLk
+Qe8cFpH9dgI5WQW4OARlu+m5EgorBgEEAZdVAQUBAQdAdRuu++bnGOe9AYLt2+dl
+3wfdQqVSNZf1NJ2moI5/cnADAQgHiH4EGBYKACYCGwwWIQRSRJcPvsiqZmWOxLbX
+1KRBQxpz8QUCZ79vkgUJB6cgWQAKCRDX1KRBQxpz8b+3AQCTBN34TZ3AdnqEtWu8
+omL7YOmE8hg1Y9XNgU1CJDsBkgEAywCKENG1rQFbcaz2UDIXPf6nUGgtxmFNddgA
+AJoAtQi4MwRlu+pvFgkrBgEEAdpHDwEBB0CZT53iGkU/5qrtdzfN3LRH7bm+Dusw
+H4uqoM2Snq1OaIh+BBgWCgAmAhsgFiEEUkSXD77IqmZljsS219SkQUMac/EFAme/
+b5IFCQenH6MACgkQ19SkQUMac/HDEQD/cxjwkrMYt3mkBccrBlm3uIShMYd9SLzR
+IL5Bv2iBx5sA/0XK+dEn1fRmEdTjXqJQ/b7+nTx0Oik2y81mAm6XRy0G
+=O96Q
+-----END PGP PUBLIC KEY BLOCK-----