Add jupiter vps

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

hosts/jupiter-vps/README.md

@@ -0,0 +1,12 @@
+# jupiter-vps
+
+## Installation Instructions
+
+1. Provision an OVHcloud VPS on Ubuntu 22.04
+2. Add personal public key
+3. Add a CNAME entry for `vps.karaolidis.com` pointing to the VPS IP/host
+4. Run `hosts/jupiter-vps/install.sh`
+
+## Update Instructions
+
+1. Run `nixos-rebuild switch --flake .#jupiter-vps --target-host root@vps.karaolidis.com`

hosts/jupiter-vps/configs/boot/default.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+  boot = {
+    loader.grub = {
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+      timeoutStyle = "hidden";
+    };
+
+    kernelPackages = pkgs.linuxPackages_latest;
+  };
+}

hosts/jupiter-vps/configs/sshd/default.nix

@@ -0,0 +1,8 @@
+{ lib, ... }:
+{
+  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
+  ];
+}

hosts/jupiter-vps/configs/wireguard/default.nix

@@ -0,0 +1,50 @@
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
+{
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+  networking.firewall = {
+    allowedTCPPorts =
+      inputs.self.nixosConfigurations.jupiter.config.networking.firewall.allowedTCPPorts;
+
+    allowedUDPPorts = [
+      51820
+    ] ++ inputs.self.nixosConfigurations.jupiter.config.networking.firewall.allowedUDPPorts;
+  };
+
+  sops.secrets."wireguard" = { };
+
+  networking.wireguard.interfaces.wg0 =
+    let
+      iptables = "${pkgs.iptables}/bin/iptables";
+    in
+    {
+      ips = [ "10.100.0.1/24" ];
+      listenPort = 51820;
+      privateKeyFile = config.sops.secrets."wireguard".path;
+
+      postSetup = [
+        "${iptables} -t nat -A PREROUTING -i ens3 -p tcp --dport 22 -j RETURN"
+        "${iptables} -t nat -A PREROUTING -i ens3 -j DNAT --to-destination 10.100.0.2"
+        "${iptables} -t nat -A POSTROUTING -o wg0 -j MASQUERADE"
+      ];
+
+      postShutdown = [
+        "${iptables} -t nat -D PREROUTING -i ens3 -p tcp --dport 22 -j RETURN"
+        "${iptables} -t nat -D PREROUTING -i ens3 -j DNAT --to-destination 10.100.0.2"
+        "${iptables} -t nat -D POSTROUTING -o wg0 -j MASQUERADE"
+      ];
+
+      peers = [
+        {
+          name = "jupiter";
+          allowedIPs = [ "10.100.0.2/32" ];
+          publicKey = "Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU=";
+        }
+      ];
+    };
+}

hosts/jupiter-vps/default.nix

@@ -0,0 +1,26 @@
+{ inputs, lib, ... }:
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+    ./format.nix
+
+    ./hardware
+
+    ../common/configs/system/impermanence
+    ../common/configs/system/nix
+    ../common/configs/system/nixpkgs
+    ../common/configs/system/sops
+    ../common/configs/system/sshd
+    ../common/configs/system/system
+    ../common/configs/system/users
+    ../common/configs/system/zsh
+
+    ./configs/boot
+    ./configs/sshd
+    ./configs/wireguard
+  ];
+
+  networking.hostName = "jupiter-vps";
+
+  environment.impermanence.enable = lib.mkForce false;
+}

hosts/jupiter-vps/format.nix

@@ -0,0 +1,39 @@
+{
+  disko.devices = {
+    disk.main = {
+      device = "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "esp";
+            size = "512M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [ "umask=0077" ];
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [ "defaults" ];
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/jupiter-vps/hardware/default.nix

@@ -0,0 +1,28 @@
+{ ... }:
+{
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "virtio_pci"
+        "virtio_scsi"
+        "virtio_net"
+        "virtio_mmio"
+        "virtio_blk"
+        "9p"
+        "9pnet_virtio"
+        "sd_mod"
+      ];
+
+      kernelModules = [
+        "virtio_balloon"
+        "virtio_console"
+        "virtio_rng"
+        "virtio_gpu"
+      ];
+    };
+
+    kernelModules = [ "kvm-amd" ];
+  };
+}

hosts/jupiter-vps/install.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+temp=$(mktemp -d)
+
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+install -d -m 755 "$temp/etc/ssh"
+cp ./hosts/jupiter-vps/secrets/ssh_host_ed25519_key "$temp/etc/ssh/ssh_host_ed25519_key"
+
+nix run github:nix-community/nixos-anywhere -- --flake .#jupiter-vps --extra-files "$temp" --target-host ubuntu@vps.karaolidis.com -i ~/.ssh/ssh_personal_ed25519_key

hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIEQGAjeS+Q5aB8uTmy//XyFRFihtUBeWJbFhIi8YEa3 root@jupiter-vps