2026-02-07 19:07:33 +00:00
27 changed files with 311 additions and 187 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -74,15 +74,6 @@
            ./hosts/ns1
          ];
        };
        ns2 = nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = {
            inherit inputs self;
          };
          modules = commonModules ++ [
            ./hosts/ns2
          ];
        };
        ha1 = nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = {
@@ -92,15 +83,6 @@
            ./hosts/ha1
          ];
        };
        template1 = nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = {
            inherit inputs self;
          };
          modules = commonModules ++ [
            ./hosts/template
          ];
        };
        template2 = nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = {
@@ -200,6 +182,15 @@
            ./hosts/testvm03
          ];
        };
        ns2 = nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = {
            inherit inputs self;
          };
          modules = commonModules ++ [
            ./hosts/ns2
          ];
        };
      };
      packages = forAllSystems (
        { pkgs }:
--- a/hosts/ha1/configuration.nix
+++ b/hosts/ha1/configuration.nix
@@ -7,7 +7,7 @@
 {
  imports = [
-    ../template/hardware-configuration.nix
+    ./hardware-configuration.nix
    ../../system
    ../../common/vm
--- a/hosts/template/hardware-configuration.nix
+++ b/hosts/template/hardware-configuration.nix
--- a/hosts/http-proxy/configuration.nix
+++ b/hosts/http-proxy/configuration.nix
@@ -5,7 +5,7 @@
 {
  imports = [
-    ../template/hardware-configuration.nix
+    ./hardware-configuration.nix
    ../../system
    ../../common/vm
--- a/hosts/http-proxy/hardware-configuration.nix
+++ b/hosts/http-proxy/hardware-configuration.nix
@@ -0,0 +1,42 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [
    "ptp_kvm"
  ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-label/root";
    fsType = "xfs";
  };
  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/jelly01/configuration.nix
+++ b/hosts/jelly01/configuration.nix
@@ -5,7 +5,7 @@
 {
  imports = [
-    ../template/hardware-configuration.nix
+    ./hardware-configuration.nix
    ../../system
    ../../common/vm
--- a/hosts/jelly01/hardware-configuration.nix
+++ b/hosts/jelly01/hardware-configuration.nix
@@ -0,0 +1,42 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [
    "ptp_kvm"
  ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-label/root";
    fsType = "xfs";
  };
  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/jump/configuration.nix
+++ b/hosts/jump/configuration.nix
@@ -3,7 +3,7 @@
 {
  imports =
    [
-      ../template/hardware-configuration.nix
+      ./hardware-configuration.nix
      ../../system
    ];
--- a/hosts/monitoring01/configuration.nix
+++ b/hosts/monitoring01/configuration.nix
@@ -5,7 +5,7 @@
 {
  imports = [
-    ../template/hardware-configuration.nix
+    ./hardware-configuration.nix
    ../../system
    ../../common/vm
--- a/hosts/monitoring01/hardware-configuration.nix
+++ b/hosts/monitoring01/hardware-configuration.nix
@@ -0,0 +1,42 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [
    "ptp_kvm"
  ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-label/root";
    fsType = "xfs";
  };
  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/nats1/configuration.nix
+++ b/hosts/nats1/configuration.nix
@@ -5,7 +5,7 @@
 {
  imports = [
-    ../template/hardware-configuration.nix
+    ./hardware-configuration.nix
    ../../system
    ../../common/vm
--- a/hosts/nats1/hardware-configuration.nix
+++ b/hosts/nats1/hardware-configuration.nix
@@ -0,0 +1,42 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [
    "ptp_kvm"
  ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-label/root";
    fsType = "xfs";
  };
  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/nix-cache01/configuration.nix
+++ b/hosts/nix-cache01/configuration.nix
@@ -5,7 +5,7 @@
 {
  imports = [
-    ../template/hardware-configuration.nix
+    ./hardware-configuration.nix
    ../../system
    ../../common/vm
--- a/hosts/nix-cache01/hardware-configuration.nix
+++ b/hosts/nix-cache01/hardware-configuration.nix
@@ -0,0 +1,42 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [
    "ptp_kvm"
  ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-label/root";
    fsType = "xfs";
  };
  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/ns1/configuration.nix
+++ b/hosts/ns1/configuration.nix
@@ -7,7 +7,7 @@
 {
  imports = [
-    ../template/hardware-configuration.nix
+    ./hardware-configuration.nix
    ../../system
    ../../services/ns/master-authorative.nix
--- a/hosts/ns2/configuration.nix
+++ b/hosts/ns2/configuration.nix
@@ -7,23 +7,38 @@
 {
  imports = [
-    ../template/hardware-configuration.nix
+    ../template2/hardware-configuration.nix
    ../../system
    ../../common/vm
    # DNS services
    ../../services/ns/secondary-authorative.nix
    ../../services/ns/resolver.nix
    ../../common/vm
  ];
  # Host metadata
  homelab.host = {
    tier = "prod";
    role = "dns";
    labels.dns_role = "secondary";
  };
  # Enable Vault integration
  vault.enable = true;
  # Enable remote deployment via NATS
  homelab.deploy.enable = true;
  nixpkgs.config.allowUnfree = true;
  # Use the systemd-boot EFI boot loader.
  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.device = "/dev/vda";
  networking.hostName = "ns2";
  networking.domain = "home.2rjus.net";
  networking.useNetworkd = true;
  networking.useDHCP = false;
  # Disable resolved - conflicts with Unbound resolver
  services.resolved.enable = false;
  networking.nameservers = [
    "10.69.13.5"
@@ -47,14 +62,7 @@
    "nix-command"
    "flakes"
  ];
-  vault.enable = true;
+  nix.settings.tarball-ttl = 0;
  homelab.deploy.enable = true;
  homelab.host = {
    role = "dns";
    labels.dns_role = "secondary";
  };
  environment.systemPackages = with pkgs; [
    vim
    wget
@@ -67,5 +75,5 @@
  # Or disable the firewall altogether.
  networking.firewall.enable = false;
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "25.11"; # Did you read the comment?
-}
+}
--- a/hosts/ns2/default.nix
+++ b/hosts/ns2/default.nix
@@ -2,4 +2,4 @@
  imports = [
    ./configuration.nix
  ];
-}
+}
--- a/hosts/ns2/hardware-configuration.nix
+++ b/hosts/ns2/hardware-configuration.nix
@@ -1,36 +0,0 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  # boot.kernelModules = [ ];
  # boot.extraModulePackages = [ ];
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/6889aba9-61ed-4687-ab10-e5cf4017ac8d";
      fsType = "xfs";
    };
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/BC07-3B7A";
      fsType = "vfat";
    };
  swapDevices =
    [{ device = "/dev/disk/by-uuid/64e5757b-6625-4dd2-aa2a-66ca93444d23"; }];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/pgdb1/configuration.nix
+++ b/hosts/pgdb1/configuration.nix
@@ -5,7 +5,7 @@
 {
  imports = [
-    ../template/hardware-configuration.nix
+    ./hardware-configuration.nix
    ../../system
    ../../common/vm
--- a/hosts/pgdb1/hardware-configuration.nix
+++ b/hosts/pgdb1/hardware-configuration.nix
@@ -0,0 +1,42 @@
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [
    "ptp_kvm"
  ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-label/root";
    fsType = "xfs";
  };
  swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/template/configuration.nix
+++ b/hosts/template/configuration.nix
@@ -1,62 +0,0 @@
 { config, lib, pkgs, ... }:
 {
  imports =
    [
      ./hardware-configuration.nix
      ../../system
    ];
  # Template host - exclude from DNS zone generation
  homelab.dns.enable = false;
  homelab.host = {
    tier = "test";
    priority = "low";
  };
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  networking.hostName = "nixos-template";
  networking.domain = "home.2rjus.net";
  networking.useNetworkd = true;
  networking.useDHCP = false;
  services.resolved.enable = true;
  networking.nameservers = [
    "10.69.13.5"
    "10.69.13.6"
  ];
  systemd.network.enable = true;
  systemd.network.networks."ens18" = {
    matchConfig.Name = "ens18";
    address = [
      "10.69.8.250/24"
    ];
    routes = [
      { Gateway = "10.69.8.1"; }
    ];
    linkConfig.RequiredForOnline = "routable";
  };
  time.timeZone = "Europe/Oslo";
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  nix.settings.tarball-ttl = 0;
  environment.systemPackages = with pkgs; [
    age
    vim
    wget
    git
  ];
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  networking.firewall.enable = false;
  system.stateVersion = "23.11"; # Did you read the comment?
 }
--- a/hosts/template/default.nix
+++ b/hosts/template/default.nix
@@ -1,7 +0,0 @@
 { ... }: {
  imports = [
    ./hardware-configuration.nix
    ./configuration.nix
    ./scripts.nix
  ];
 }
--- a/hosts/template/scripts.nix
+++ b/hosts/template/scripts.nix
@@ -1,30 +0,0 @@
 { pkgs, ... }:
 let
  prepare-host-script = pkgs.writeShellApplication {
    name = "prepare-host.sh";
    text = ''
      echo "Removing machine-id"
      rm -f /etc/machine-id || true
      echo "Removing SSH host keys"
      rm -f /etc/ssh/ssh_host_* || true
      echo "Restarting SSH"
      systemctl restart sshd
      echo "Removing temporary files"
      rm -rf /tmp/* || true
      echo "Removing logs"
      journalctl --rotate || true
      journalctl --vacuum-time=1s || true
      echo "Removing cache"
      rm -rf /var/cache/* || true
    '';
  };
 in
 {
  environment.systemPackages = [ prepare-host-script ];
  users.motd = "Prepare host by running 'prepare-host.sh'.";
 }
--- a/scripts/create-host/validators.py
+++ b/scripts/create-host/validators.py
@@ -140,20 +140,22 @@ def validate_ip_unique(ip: Optional[str], repo_root: Path) -> None:
    ip_part = ip.split("/")[0]
    # Check all hosts/*/configuration.nix files
    # Search for IP with CIDR notation to match static IP assignments
    # (e.g., "10.69.13.5/24") but not DNS resolver entries (e.g., "10.69.13.5")
    hosts_dir = repo_root / "hosts"
    if hosts_dir.exists():
        for config_file in hosts_dir.glob("*/configuration.nix"):
            content = config_file.read_text()
-            if ip_part in content:
+            if ip in content:
                raise ValueError(
                    f"IP address {ip_part} already in use in {config_file}"
                )
-    # Check terraform/vms.tf
+    # Check terraform/vms.tf - search for full IP with CIDR
    terraform_file = repo_root / "terraform" / "vms.tf"
    if terraform_file.exists():
        content = terraform_file.read_text()
-        if ip_part in content:
+        if ip in content:
            raise ValueError(
                f"IP address {ip_part} already in use in {terraform_file}"
            )
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -80,13 +80,6 @@ locals {
      ]
    }
    "ns2" = {
      paths = [
        "secret/data/hosts/ns2/*",
        "secret/data/shared/dns/*",
      ]
    }
    # Wave 4: http-proxy
    "http-proxy" = {
      paths = [
--- a/terraform/vault/hosts-generated.tf
+++ b/terraform/vault/hosts-generated.tf
@@ -20,6 +20,12 @@ locals {
        "secret/data/hosts/testvm03/*",
      ]
    }
    "ns2" = {
      paths = [
        "secret/data/hosts/ns2/*",
        "secret/data/shared/dns/*",
      ]
    }
  }
--- a/terraform/vms.tf
+++ b/terraform/vms.tf
@@ -58,6 +58,13 @@ locals {
      memory    = 2048
      disk_size = "20G"
    }
    "ns2" = {
      ip        = "10.69.13.6/24"
      cpu_cores = 2
      memory    = 2048
      disk_size = "20G"
      vault_wrapped_token = "s.3nran1e1Uim4B1OomIWCoS4T"
    }
  }
  # Compute VM configurations with defaults applied