From 9c1709c03987631a4904c9e000892ac9522259ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sat, 14 Oct 2023 16:30:51 -0300 Subject: [PATCH] hosts: add ghost --- flake.nix | 4 ++ hosts/ghost.nix | 86 +++++++++++++++++++++++++++++++++++++ secrets/ghost-nextcloud.age | 15 +++++++ secrets/secrets.nix | 1 + system/secrets.nix | 8 +++- 5 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 hosts/ghost.nix create mode 100644 secrets/ghost-nextcloud.age diff --git a/flake.nix b/flake.nix index 99464ce..d4b27eb 100644 --- a/flake.nix +++ b/flake.nix @@ -138,6 +138,10 @@ services.flatpak.enable = lib.mkOverride 0 false; }]; }; + ghost = lib.nixosSystem { + inherit system specialArgs; + modules = [ ./hosts/ghost.nix ]; + }; }; homeConfigurations.lelgenio = home-manager.lib.homeManagerConfiguration { diff --git a/hosts/ghost.nix b/hosts/ghost.nix new file mode 100644 index 0000000..e6595cf --- /dev/null +++ b/hosts/ghost.nix 
@@ -0,0 +1,86 @@
+{ config, pkgs, inputs, ... }: {
+ imports = [
+ "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix"
+ inputs.agenix.nixosModules.default
+ ../system/nix.nix
+ ../system/secrets.nix
+ ];
+
+ # Use more aggressive compression then the default.
+ virtualisation.digitalOceanImage.compressionMethod = "bzip2";
+
+ # Headless - don't start a tty on the serial consoles.
+ systemd.services."serial-getty@ttyS0".enable = false;
+ systemd.services."serial-getty@hvc0".enable = false;
+ systemd.services."getty@tty1".enable = false;
+ systemd.services."autovt@".enable = false;
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "America/Sao_Paulo";
+ # Select internationalisation properties.
+ i18n.defaultLocale = "pt_BR.utf8";
+
+ security.rtkit.enable = true;
+ services.openssh = {
+ enable = true;
+ ports = [ 9022 ];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.mutableUsers = false;
+ users.users.lelgenio = {
+ isNormalUser = true;
+ description = "Leonardo Eugênio";
+ hashedPassword = "$y$j9T$0e/rczjOVCy7PuwC3pG0V/$gTHZhfO4wQSlFvbDyfghbCnGI2uDI0a52zSrQ/yOA5A";
+ extraGroups = [ "networkmanager" "wheel" "docker" "adbusers" "bluetooth" "corectrl" "vboxusers" ];
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15"
+ ];
+ };
+ users.users.root = {
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 lelgenio@i15"
+ ];
+ initialHashedPassword = "$y$j9T$E3aBBSSq0Gma8hZD9L7ov0$iCGDW4fqrXWfHO0qodBYYgMFA9CpIraoklHcPbJJrM3";
+ };
+ security.sudo.wheelNeedsPassword = false;
+
+ programs.fish.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ git
+ ];
+
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud27;
+ hostName = "cloud.lelgenio.xyz";
+ https = true;
+ config = {
+ adminpassFile = config.age.secrets.ghost-nextcloud.path;
+ };
+ };
+
+ services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "lelgenio@disroot.org";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ system.stateVersion = "23.05"; # Never change this
+}
+
diff --git a/secrets/ghost-nextcloud.age b/secrets/ghost-nextcloud.age
new file mode 100644
index 0000000..37e726b
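Review bot: `users.users.root.openssh.authorizedKeys.keys` enables direct key-based root login over SSH (the NixOS openssh module's default `PermitRootLogin` is `prohibit-password`, which allows it) while `lelgenio` is already in `wheel` with `security.sudo.wheelNeedsPassword = false;`, so the root key is a second root-equivalent entry point with no added capability; drop it and add `PermitRootLogin = "no";` next to `PasswordAuthentication = false;` in `services.openssh.settings`. Both `hashedPassword` values are committed in the repository even though this same commit wires up agenix for the Nextcloud admin password; consider `hashedPasswordFile = config.age.secrets.<name>.path;` (`passwordFile` on older nixpkgs) so the yescrypt hashes are not exposed to offline cracking if the repo is public. The `extraGroups` list (`"docker" "adbusers" "bluetooth" "corectrl" "vboxusers"`) looks copied from a desktop host: `docker` membership is root-equivalent and none of the others serve a headless droplet, so trim it to `[ "networkmanager" "wheel" ]`. The comment `# Define a user account. Don't forget to set a password with ‘passwd’.` is stale given `users.mutableUsers = false;`, under which `passwd` changes do not persist across rebuilds.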
--- /dev/null +++ b/secrets/ghost-nextcloud.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-rsa BwwxHg +CgOkaIy+ZuqNHzRX/OnUZbtHeSevslgVz71cBSqSsaTxuB74D+hSoIsUZW50/x0n +jKz9XF/3Fp+WwTtBNGwhI6VpYrbOFSyLzNGtyO+SyUVQKjST9Cw0QbPCko9DTAEK +pfSjP+Ie3A2gq6mUFJxTjQG4t+kmNPCxHeAVvKepgEkOxkQdirKec+ckjGXh91yK +IvEOthD4NR5OQF8QqHffzFQtSrFISF5eKHvJJZADydnr54g8+vPJgOy90isRzVPz +cp3pAnyNgPu4Ia6yOuM6/GmGlJUtSqV/22JQJBgz0DmgmHVlzJEjhQ6b9RIeBz/5 +M6AugEJlGsLpUccqeJcfihLOzDrOeT8wei/CLea4U0jJMGtWEitVWF+dSt7YkrJr +wWnHMqhl7lFjxN44zbGznQqnSDRcfO7vxmnaUwFAebid0P+v0NNonweYdro0YEF/ +hfTUqQfW82+4GYOsFEDCt0Z3lcifr5b9rgHDGDyycFtwBDKW3SbOmTFkKQJ+vwQ0 + +-> CL,"/i5.-grease \2_ R|j[#4B Mx5'9 /, +jX9wt0kuGZ89xhA/ +--- iSlatZrp3jzlFY4VXx5CPNk521dJwM4L3rEDL4mO9GM +S 7?p+0ep0\ހMj0ZɁ]|zKڳ"$E