create radicle node on genepi

hosts/crocus/default.nix

@@ -7,8 +7,10 @@
 {
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
+    inputs.agenix.nixosModules.default
     inputs.disko.nixosModules.disko
     ./disk.nix
+    ./radicle.nix
   ];
 
   networking.hostName = "crocus";
@@ -53,4 +55,20 @@
       }
     ];
   };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@rpqt.fr";
+  };
 }

hosts/crocus/radicle.nix

@@ -0,0 +1,21 @@
+{ config, keys, ... }:
+{
+  services.radicle = {
+    enable = true;
+    privateKeyFile = config.age.secrets.radicle-private-key.path;
+    publicKey = keys.services.radicle;
+    node = {
+      openFirewall = true;
+    };
+    httpd = {
+      enable = true;
+      nginx = {
+        serverName = "radicle.rpqt.fr";
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+  };
+
+  age.secrets.radicle-private-key.file = ../../secrets/radicle-private-key.age;
+}

infra/crocus.tf

@@ -41,4 +41,12 @@ resource "hcloud_firewall" "crocus_firewall" {
     port       = "443"
     source_ips = ["0.0.0.0/0", "::/0"]
   }
+
+  # radicle-node
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "8776"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
 }

parts/keys.nix

@@ -4,7 +4,12 @@
   hosts = {
     haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKga5V0H602RsBESBXf5kwRCnI1yfBPOHmjGsM4Rxf5r root@haze";
     genepi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQUzjid5mfMYginIUCVWTF7rWvWz0mUZBZsl5EhDIDl root@genepi";
+    crocus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAiz3nzuJGO5tRka2Y/kzqKa68wF7wwHr4hAympLNb9F root@crocus";
     storagebox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
     storagebox-rsa = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
   };
+
+  services = {
+    radicle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuoHC4P0h88OAL5PJmiqkbkvQR1cwfkjaevWbwdKOU7 radicle@rpqt.fr";
+  };
 }

secrets/radicle-private-key.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 M/D1Cg YfbyictbASsHxNw6wLCn39IrkNtbpVM8QZNczMArVkw
+om2OLtWnWYLvUm7L4tSDDXHtUKd1O+wqwKO78QZ/6cg
+-> ssh-ed25519 8TpKTA vtuEudd4t+4kzeztRImB1QqGtH7QJiCppBzSngEzKm4
+qUgxtzght+zL/PVuBKbD3S+B4H3siZveg7n0mqJQqDQ
+--- 8xbzXxMfsk2mfLI25fp+xtzTfjJr2t6nSQWa69Ua9Mw
+!<21>n<1B><0F><><EFBFBD><EFBFBD>:<3A><><10>=<3D>`\i<><69><EFBFBD><EFBFBD><EFBFBD>Mti<04><><EFBFBD><1D><><EFBFBD><EFBFBD>:<3A>A'<27>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD>ww<77>^r<><72><EFBFBD><EFBFBD><EFBFBD>o<EFBFBD><6F>
+,NMC<4D><43>qژ<71>ڿz<DABF>Y<EFBFBD>\<<3C>ޕlS<6C>+<2B>d^Y<>Ϲ1r<31>}<05><><EFBFBD><1D><>Z<EFBFBD><5A><EFBFBD><EFBFBD>fm<66><6D><EFBFBD>@<40><><EFBFBD>Д<EFBFBD><D094>c<0C>3<EFBFBD>|M<><4D><EFBFBD><EFBFBD>V<>K<EFBFBD>a<EFBFBD><61><EFBFBD>?E<>A<EFBFBD>+<2B>s<EFBFBD>q,<2C><><02><1F>ÅV<C385>$|N<>I	T<>	<02>-xܐk<DC90><6B><EFBFBD>$<03><>A~<7E>W<EFBFBD>'<k<>|<7C><><EFBFBD>Sh+h<><68><1A><>,J<>W<EFBFBD>h<EFBFBD><68><EFBFBD>E<EFBFBD>&K<><4B>&<26>@<40>p<EFBFBD>P<EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD>A<EFBFBD><41>L<>b<0E><><EFBFBD>$<24>J<EFBFBD>2nk%|Y,!t ><3E><>nM	<09><><EFBFBD><1B><><EFBFBD><p<>{<7B>D<EFBFBD><44><0C>r<13>e<1E><><EFBFBD><1F>R<><19>7PyQ<06><>:<3A><><EFBFBD>;9X<39> nu6Si剞x <1A><>F<EFBFBD>5<EFBFBD><05>MҠb<D2A0><03><>HY<48>[<5B><>g<EFBFBD>Ӟmt<6D><74><EFBFBD>cj<63>Y<EFBFBD><DIQ<>|<7C>MF<4D>#<23>+<2B><><EFBFBD>#<23>+9bb<62><62>6ԅ<36>D3<02><>.<2E>]e<>m(<28><08>oW<6F><57>

secrets/secrets.nix

@@ -5,6 +5,11 @@ let
     keys.hosts.genepi
     keys.rpqt.haze
   ];
+
+  keysForCrocus = [
+    keys.hosts.crocus
+    keys.rpqt.haze
+  ];
 in
 {
   "gandi.age".publicKeys = keysForGenepi;
@@ -17,4 +22,6 @@ in
 
   # Password of the default user
   "freshrss.age".publicKeys = keysForGenepi;
+
+  "radicle-private-key.age".publicKeys = keysForCrocus;
 }