From 7ffe2d71d63b1d5f9952f89c35d5edb70e587b4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 8 Mar 2026 13:56:55 +0100
Subject: [PATCH 1/2] openstack-template: add minimal NixOS image for OpenStack

Adds a new host configuration for building qcow2 images targeting OpenStack (NREC). Uses a nixos user with SSH key and sudo instead of root login, firewall enabled, and no internal services.

Co-Authored-By: Claude Opus 4.6
---
 flake.nix | 9 +++
 hosts/openstack-template/configuration.nix | 72 ++++++++++++++++++++++
 hosts/openstack-template/default.nix | 7 +++
 3 files changed, 88 insertions(+)
 create mode 100644 hosts/openstack-template/configuration.nix
 create mode 100644 hosts/openstack-template/default.nix

diff --git a/flake.nix b/flake.nix
index 65a7382..aafc279 100644
--- a/flake.nix
+++ b/flake.nix
@@ -218,6 +218,15 @@
 ./hosts/pn02
 ];
 };
+ openstack-template = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit inputs self;
+ };
+ modules = commonModules ++ [
+ ./hosts/openstack-template
+ ];
+ };
 };
 packages = forAllSystems (
 { pkgs }:
diff --git a/hosts/openstack-template/configuration.nix b/hosts/openstack-template/configuration.nix
new file mode 100644
index 0000000..036b2dd
--- /dev/null
+++ b/hosts/openstack-template/configuration.nix
@@ -0,0 +1,72 @@
+{
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = lib.mkForce "no";
+ PasswordAuthentication = false;
+ };
+ };
+
+ users.users.nixos = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
+ ];
+ };
+ security.sudo.wheelNeedsPassword = false;
+ programs.zsh.enable = true;
+
+ homelab.dns.enable = false;
+ homelab.monitoring.enable = false;
+ homelab.host.labels.ansible = "false";
+
+ # Minimal fileSystems for evaluation; openstack-config.nix overrides this at image build time
+ fileSystems."/" = {
+ device = lib.mkDefault "/dev/vda1";
+ fsType = lib.mkDefault "ext4";
+ };
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/vda";
+ networking.hostName = "nixos-openstack-template";
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+ services.resolved.enable = true;
+
+ systemd.network.enable = true;
+ systemd.network.networks."ens3" = {
+ matchConfig.Name = "ens3";
+ networkConfig.DHCP = "ipv4";
+ linkConfig.RequiredForOnline = "routable";
+ };
+ time.timeZone = "Europe/Oslo";
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ nix.settings.substituters = [
+ "https://cache.nixos.org"
+ ];
+ nix.settings.trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ ];
+
+ environment.systemPackages = with pkgs; [
+ age
+ vim
+ wget
+ git
+ ];
+
+ zramSwap.enable = true;
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/openstack-template/default.nix b/hosts/openstack-template/default.nix
new file mode 100644
index 0000000..0047439
--- /dev/null
+++ b/hosts/openstack-template/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ../../system/packages.nix
+ ];
+}
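Review bot: The `openssh.authorizedKeys.keys` entry near the top of the new configuration.nix bakes one personal key into every instance built from this template, and `security.sudo.wheelNeedsPassword = false` a few lines below makes possession of that key equivalent to root on all of them, which the file should state next to the key: `# Template image: this key lands in every instance built from it and wheel sudo is passwordless, so the key alone grants root; rotate it here and rebuild when it changes.` If the openstack-config.nix referred to in the fileSystems comment enables cloud-init for the image, metadata-injected keys and the static networkd profile for ens3 may overlap with what cloud-init configures at boot, so that interaction is worth confirming rather than assuming. Separately, `networking.firewall.allowedTCPPorts = [ 22 ]` repeats what `services.openssh.openFirewall` (default true) already opens, so it can be dropped or kept with a comment marking the redundancy as intentional.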
From adc267bd950cd53c872e3100bb07180c905bfb73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 8 Mar 2026 14:10:05 +0100
Subject: [PATCH 2/2] nrec-nixos01: add host configuration with Caddy web server

Co-Authored-By: Claude Opus 4.6
---
 flake.nix | 9 ++++
 hosts/nrec-nixos01/configuration.nix | 76 ++++++++++++++++++++++++++++
 hosts/nrec-nixos01/default.nix | 7 +++
 3 files changed, 92 insertions(+)
 create mode 100644 hosts/nrec-nixos01/configuration.nix
 create mode 100644 hosts/nrec-nixos01/default.nix

diff --git a/flake.nix b/flake.nix
index aafc279..2cbf154 100644
--- a/flake.nix
+++ b/flake.nix
@@ -218,6 +218,15 @@
 ./hosts/pn02
 ];
 };
+ nrec-nixos01 = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit inputs self;
+ };
+ modules = commonModules ++ [
+ ./hosts/nrec-nixos01
+ ];
+ };
 openstack-template = nixpkgs.lib.nixosSystem {
 inherit system;
 specialArgs = {
diff --git a/hosts/nrec-nixos01/configuration.nix b/hosts/nrec-nixos01/configuration.nix
new file mode 100644
index 0000000..91ec2a0
--- /dev/null
+++ b/hosts/nrec-nixos01/configuration.nix
@@ -0,0 +1,76 @@
+{
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = lib.mkForce "no";
+ PasswordAuthentication = false;
+ };
+ };
+
+ users.users.nixos = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
+ ];
+ };
+ security.sudo.wheelNeedsPassword = false;
+ programs.zsh.enable = true;
+
+ homelab.dns.enable = false;
+ homelab.monitoring.enable = false;
+ homelab.host.labels.ansible = "false";
+
+ fileSystems."/" = {
+ device = lib.mkDefault "/dev/vda1";
+ fsType = lib.mkDefault "ext4";
+ };
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/vda";
+ networking.hostName = "nrec-nixos01";
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+ services.resolved.enable = true;
+
+ systemd.network.enable = true;
+ systemd.network.networks."ens3" = {
+ matchConfig.Name = "ens3";
+ networkConfig.DHCP = "ipv4";
+ linkConfig.RequiredForOnline = "routable";
+ };
+ time.timeZone = "Europe/Oslo";
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [
+ 22
+ 80
+ ];
+
+ nix.settings.substituters = [
+ "https://cache.nixos.org"
+ ];
+ nix.settings.trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ ];
+
+ services.caddy = {
+ enable = true;
+ virtualHosts.":80" = {
+ extraConfig = ''
+ respond "Hello from nrec-nixos01"
+ '';
+ };
+ };
+
+ zramSwap.enable = true;
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/nrec-nixos01/default.nix b/hosts/nrec-nixos01/default.nix
new file mode 100644
index 0000000..0047439
--- /dev/null
+++ b/hosts/nrec-nixos01/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ../../system/packages.nix
+ ];
+}
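Review bot: Apart from `networking.hostName`, the extra port 80 in `allowedTCPPorts` and the `services.caddy` block, this configuration.nix repeats hosts/openstack-template/configuration.nix line for line (sshd settings, the nixos user and its key, passwordless sudo, homelab labels, fileSystems, grub, networkd, timezone, substituters, zram, stateVersion), so any later fix to the template — rotating the key, tightening sudo — has to be made in two places and is easy to miss in one. Extract the shared settings into one module and import it from both hosts, setting `networking.hostName` there with `lib.mkDefault` so each host can override it; Nix merges list options, so this file then only needs `80` on top of the shared `22`. The reduced host file would look roughly like the following (the module path is a constructed placeholder):
```nix
{ ... }:
{
  imports = [ ../../<shared-openstack-base>.nix ]; # constructed path: settings shared with the template

  networking.hostName = "nrec-nixos01";
  networking.firewall.allowedTCPPorts = [ 80 ];

  # … unchanged: services.caddy block …
}
```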