infra: add infrastructure directory

we're having official demo instances & websites

infra/.envrc

@@ -0,0 +1,3 @@
+source_up
+
+use nix

infra/hive.nix

@@ -0,0 +1,24 @@
+# This file is used by Colmena to deploy trustix.dev and associated services
+
+{
+  meta = {
+    nixpkgs = import ../pkgs.nix { };
+  };
+
+  defaults = { pkgs, ... }: {
+    imports = [ ../nixos ];
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = "adisbladis@gmail.com";
+
+    services.nginx = {
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+    };
+  };
+
+  "trustix.dev" = { name, nodes, ... }: {
+    imports = [ ./trustix.dev ];
+  };
+}

infra/shell.nix

@@ -0,0 +1,7 @@
+{ pkgs ? import ../pkgs.nix { } }:
+
+pkgs.mkShell {
+  buildInputs = [
+    pkgs.colmena
+  ];
+}

infra/trustix.dev/default.nix

@@ -0,0 +1,70 @@
+{ config, pkgs, ... }:
+
+let
+  servedDomains = [
+    "trustix.dev"
+    "r13y.trustix.dev"
+  ];
+
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./trustix.dev.nix
+  ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+  networking.hostName = "trustixdotdev";
+
+  networking.usePredictableInterfaceNames = false;
+  networking.dhcpcd.enable = false;
+  systemd.network = {
+    enable = true;
+    networks."ethernet".extraConfig = ''
+      [Match]
+      Type = ether
+      [Network]
+      DHCP = ipv4
+      Address = 2a01:4f9:c012:7359::1/64
+      Gateway = fe80::1
+    '';
+  };
+
+  services.nginx = {
+    enable = true;
+    # Set sane TLS defaults for all vhosts
+    virtualHosts = builtins.listToAttrs (map
+      (n: {
+        name = n;
+        value = {
+          enableACME = true;
+          forceSSL = true;
+        };
+      })
+      servedDomains);
+  };
+
+
+  services.openssh = {
+    enable = true;
+    startWhenNeeded = true;
+  };
+
+  users.extraUsers.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtr+rcxCZBAAqt8ocvhEEdBWfnRBCljjQPtC6Np24Y3H/HMe3rugsu3OhPscRV1k5hT+UlA2bpN8clMFAfK085orYY7DMUrgKQzFB7GDnOvuS1CqE1PRw7/OHLcWxDwf3YLpa8+ZIwMHFxR2gxsldCLGZV/VukNwhEvWs50SbXwVrjNkwA9LHy3Or0i6sAzU711V3B2heB83BnbT8lr3CKytF3uyoTEJvDE7XMmRdbvZK+c48bj6wDaqSmBEDrdNncsqnReDjScdNzXgP1849kMfIUwzXdhEF8QRVfU8n2A2kB0WRXiGgiL4ba5M+N9v1zLdzSHcmB0veWGgRyX8tN cardno:FF7F00" # adisbladis
+  ];
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+  networking.firewall.allowedUDPPorts = [
+    80
+    443
+  ];
+
+  system.stateVersion = "22.11";
+}

infra/trustix.dev/hardware-configuration.nix

@@ -0,0 +1,34 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/c65785e2-af11-4497-bd8e-f5e1310a58c3";
+      fsType = "btrfs";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/5b669564-975d-4876-b3b9-1305aa58d00d"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

infra/trustix.dev/trustix.dev.nix

@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+  services.nginx.virtualHosts."trustix.dev" = {
+    root = pkgs.trustix-doc;
+  };
+}