authorVincent Ambo <mail@tazj.in>2022-02-16T23·02+0300
committertazjin <tazjin@tvl.su>2022-02-17T18·11+0000
commit9e9284fc8638b3750074177a8c1122ae59df0b55 (patch)
treef50e55098244ef47f4ece0ffe143b01d0c356269
parentdd5ce78dbdf88bcdafc46c7e77fc58b1973ba617 (diff)
feat(ops/machines): add configuration for sanduny.tvl.su r/3839
This will be an additional web host and a fallback git server to use during
whitby incidents.

Change-Id: Icd6f7ce574ffd520b5783a50ff317feed7b71fc6
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5297
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
-rw-r--r--ops/machines/all-systems.nix1
-rw-r--r--ops/machines/sanduny/default.nix100
-rw-r--r--ops/nixos.nix3
3 files changed, 103 insertions, 1 deletions
diff --git a/ops/machines/all-systems.nix b/ops/machines/all-systems.nix
index df1cfa6a48..2536958c38 100644
--- a/ops/machines/all-systems.nix
+++ b/ops/machines/all-systems.nix
@@ -1,6 +1,7 @@
 { depot, ... }:
 
 (with depot.ops.machines; [
+  sanduny
   whitby
 ]) ++
 
diff --git a/ops/machines/sanduny/default.nix b/ops/machines/sanduny/default.nix
new file mode 100644
index 0000000000..6746917769
--- /dev/null
+++ b/ops/machines/sanduny/default.nix
@@ -0,0 +1,100 @@
+# sanduny.tvl.su
+#
+# This is a VPS hosted with Bitfolk, intended to additionally serve
+# some of our public services like cgit, josh and the websites.
+#
+# In case of whitby going down, sanduny will keep depot available.
+
+_: # ignore readTree options
+
+{ config, depot, lib, pkgs, ... }:
+
+{
+  networking = {
+    hostName = "sanduny";
+    domain = "tvl.su";
+    useDHCP = false;
+
+    interfaces.eth0 = {
+      ipv4.addresses = lib.singleton {
+        address = "85.119.82.231";
+        prefixLength = 21;
+      };
+
+      ipv6.addresses = lib.singleton {
+        address = "2001:ba8:1f1:f109::feed:edef:beef";
+        prefixLength = 64;
+      };
+    };
+
+    defaultGateway = "85.119.80.1";
+    defaultGateway6.address = "2001:ba8:1f1:f109::1";
+
+    firewall.allowedTCPPorts = [ 22 80 443 ];
+  };
+
+  users.users.tazjin = {
+    isNormalUser = true;
+    extraGroups = [ "git" "wheel" ];
+    shell = pkgs.fish;
+    openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  environment.systemPackages = with pkgs; [
+    emacs-nox
+    vim
+    curl
+    unzip
+    htop
+  ];
+
+  programs.mtr.enable = true;
+
+  services.openssh.enable = true;
+  services.fail2ban.enable = true;
+
+  # Automatically collect garbage from the Nix store.
+  services.depot.automatic-gc = {
+    enable = true;
+    interval = "1 hour";
+    diskThreshold = 2; # GiB
+    maxFreed = 5; # GiB
+    preserveGenerations = "90d";
+  };
+
+  time.timeZone = "UTC";
+
+  # GRUB does not actually need to be installed on disk; Bitfolk have
+  # their own way of booting systems as long as config is in place.
+  boot.loader.grub.device = "nodev";
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.initrd.availableKernelModules = [ "xen_blkfront" ];
+
+  hardware.cpu.intel.updateMicrocode = true;
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/aabc3638-43ca-45f3-af89-c451e8448e92";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/75aa99d5-fed7-4c5c-8570-7745f6cff9f5";
+      fsType = "ext3";
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-uuid/d1721678-c294-482b-b72e-3b15f2c56c63";
+      fsType = "ext4";
+    };
+  };
+
+  swapDevices = lib.singleton {
+    device = "/dev/disk/by-uuid/df4ad9da-0a06-4c27-93e5-5d44e4750e55";
+  };
+
+  system.stateVersion = "22.05"; # Did you read the comment?
+}
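Review bot: The new host opens port 22 in the firewall and gives the wheel group passwordless sudo via `security.sudo.wheelNeedsPassword = false;`, but `services.openssh.enable = true;` leaves sshd's authentication settings at the module defaults, so whether password logins are accepted depends on the NixOS release rather than on this file. Since the only account is key-authenticated through `depot.users.tazjin.keys.all`, pinning the intended policy costs nothing: `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "no";` (option names as used by the 22.05-era module; adjust if the channel in use has renamed them). With that in place fail2ban is a backstop rather than the primary control against brute-force attempts. A one-line comment beside `wheelNeedsPassword = false`, such as `# relies on key-only SSH; no passwords are set on this host`, would make the trust assumption explicit for whoever adds the next account.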
diff --git a/ops/nixos.nix b/ops/nixos.nix
index 3a113ac4bb..291413c5b5 100644
--- a/ops/nixos.nix
+++ b/ops/nixos.nix
@@ -50,5 +50,6 @@ in rec {
 
   # Systems that should be built in CI
   whitbySystem = (nixosFor depot.ops.machines.whitby).system;
-  meta.ci.targets = [ "whitbySystem" ];
+  sandunySystem = (nixosFor depot.ops.machines.sanduny).system;
+  meta.ci.targets = [ "sandunySystem" "whitbySystem" ];
 }