From 3f72ad6ac97d7b732ead44a4bfcafd77f6c2be71 Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Tue, 4 Feb 2025 22:30:11 +0100
Subject: [PATCH] create radicle node on genepi

---
 hosts/crocus/default.nix        | 18 ++++++++++++++++++
 hosts/crocus/radicle.nix        | 21 +++++++++++++++++++++
 infra/crocus.tf                 |  8 ++++++++
 parts/keys.nix                  |  5 +++++
 secrets/radicle-private-key.age |  8 ++++++++
 secrets/secrets.nix             |  7 +++++++
 6 files changed, 67 insertions(+)
 create mode 100644 hosts/crocus/radicle.nix
 create mode 100644 secrets/radicle-private-key.age

diff --git a/hosts/crocus/default.nix b/hosts/crocus/default.nix
index 6111baf..d8ad527 100644
--- a/hosts/crocus/default.nix
+++ b/hosts/crocus/default.nix
@@ -7,8 +7,10 @@
 {
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
+    inputs.agenix.nixosModules.default
     inputs.disko.nixosModules.disko
     ./disk.nix
+    ./radicle.nix
   ];
 
   networking.hostName = "crocus";
@@ -53,4 +55,20 @@
       }
     ];
   };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@rpqt.fr";
+  };
 }
diff --git a/hosts/crocus/radicle.nix b/hosts/crocus/radicle.nix
new file mode 100644
index 0000000..d7f60b5
--- /dev/null
+++ b/hosts/crocus/radicle.nix
@@ -0,0 +1,21 @@
+{ config, keys, ... }:
+{
+  services.radicle = {
+    enable = true;
+    privateKeyFile = config.age.secrets.radicle-private-key.path;
+    publicKey = keys.services.radicle;
+    node = {
+      openFirewall = true;
+    };
+    httpd = {
+      enable = true;
+      nginx = {
+        serverName = "radicle.rpqt.fr";
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+  };
+
+  age.secrets.radicle-private-key.file = ../../secrets/radicle-private-key.age;
+}
diff --git a/infra/crocus.tf b/infra/crocus.tf
index c937335..abd9bf8 100644
--- a/infra/crocus.tf
+++ b/infra/crocus.tf
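Review bot: `age.secrets.radicle-private-key` in hosts/crocus/radicle.nix sets only `file`, so agenix decrypts the key with its defaults (root-owned, read-only for root); that is sufficient only if the radicle module passes `privateKeyFile` to the service via systemd credentials rather than having the service user open the path itself — worth confirming against the module, and if it does not, the secret needs `owner`/`group` set to that user. Decryption at activation also depends on the secret being encrypted to the crocus host key added in parts/keys.nix; secrets/secrets.nix appears in the diffstat but its hunk is outside this excerpt, so the recipient list cannot be checked here. A short comment would help the next reader, e.g. `# Node identity key; private half of keys.services.radicle — re-encrypt whenever the recipient set changes`. Separately, the subject says the node is created on genepi while every file touched is under hosts/crocus.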
@@ -41,4 +41,12 @@ resource "hcloud_firewall" "crocus_firewall" {
     port       = "443"
     source_ips = ["0.0.0.0/0", "::/0"]
   }
+
+  # radicle-node
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "8776"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
 }
diff --git a/parts/keys.nix b/parts/keys.nix
index fcf6079..f6fce87 100644
--- a/parts/keys.nix
+++ b/parts/keys.nix
@@ -4,7 +4,12 @@
   hosts = {
     haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKga5V0H602RsBESBXf5kwRCnI1yfBPOHmjGsM4Rxf5r root@haze";
     genepi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQUzjid5mfMYginIUCVWTF7rWvWz0mUZBZsl5EhDIDl root@genepi";
+    crocus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAiz3nzuJGO5tRka2Y/kzqKa68wF7wwHr4hAympLNb9F root@crocus";
     storagebox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
     storagebox-rsa = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
   };
+
+  services = {
+    radicle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuoHC4P0h88OAL5PJmiqkbkvQR1cwfkjaevWbwdKOU7 radicle@rpqt.fr";
+  };
 }
diff --git a/secrets/radicle-private-key.age b/secrets/radicle-private-key.age
new file mode 100644
index 0000000..7ed9647
--- /dev/null
+++ b/secrets/radicle-private-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 M/D1Cg YfbyictbASsHxNw6wLCn39IrkNtbpVM8QZNczMArVkw
+om2OLtWnWYLvUm7L4tSDDXHtUKd1O+wqwKO78QZ/6cg
+-> ssh-ed25519 8TpKTA vtuEudd4t+4kzeztRImB1QqGtH7QJiCppBzSngEzKm4
+qUgxtzght+zL/PVuBKbD3S+B4H3siZveg7n0mqJQqDQ
+--- 8xbzXxMfsk2mfLI25fp+xtzTfjJr2t6nSQWa69Ua9Mw
+!n:=`\iMti:A'pww^ro ,NMCqژڿzY\<ޕlS+d^YϹ1r}Zfm@Дc 3|MVKa?EA+sq,ÅV$|NI T -xܐk$A~W'nM <p{D reR7PyQ:;9X nu6Si剞x F5MҠbHY[gӞmtcjY
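Review bot: The new hcloud rule in infra/crocus.tf hard-codes `port = "8776"` while the NixOS side in hosts/crocus/radicle.nix relies on `services.radicle.node.openFirewall = true` and the module's default listen port, so the cloud and host firewalls can silently diverge if the node port is ever changed in only one place. The `# radicle-node` comment should record the coupling, e.g. `# radicle-node p2p port; keep in sync with services.radicle.node in hosts/crocus/radicle.nix`. Opening it to `0.0.0.0/0` and `::/0` matches the existing 443 rule and is expected for a publicly reachable seed node. The enclosing `resource "hcloud_firewall" "crocus_firewall"` block begins before this hunk.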