-rw-r--r--flake.lock24
-rw-r--r--flake.nix5
-rw-r--r--hosts/default.nix31
-rw-r--r--hosts/p-body/default.nix139
-rw-r--r--modules/nixos/default.nix2
-rw-r--r--users/_secrets/pbodyPassword.agebin0 -> 433 bytes
-rw-r--r--users/_secrets/rootPassword.agebin365 -> 493 bytes
-rw-r--r--users/_secrets/secrets.nix10
-rw-r--r--users/_secrets/sethPassword.agebin471 -> 566 bytes
9 files changed, 207 insertions, 4 deletions
diff --git a/flake.lock b/flake.lock
index 7a545de..d018597 100644
--- a/flake.lock
+++ b/flake.lock
@@ -185,6 +185,29 @@
"type": "github"
}
},
+ "guzzle_api": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgsUnstable"
+ ],
+ "pre-commit-hooks": [
+ "pre-commit-hooks"
+ ]
+ },
+ "locked": {
+ "lastModified": 1682242317,
+ "narHash": "sha256-9lIEkAryZAPxij90Kt51zrN9+w9bq1Ws0pCqTl5ae80=",
+ "owner": "getchoo",
+ "repo": "guzzle_api",
+ "rev": "f90cc8fd86535169342a17acf14013529c25a0b8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "getchoo",
+ "repo": "guzzle_api",
+ "type": "github"
+ }
+ },
"haumea": {
"inputs": {
"nixpkgs": [
@@ -437,6 +460,7 @@
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"getchoo": "getchoo",
+ "guzzle_api": "guzzle_api",
"haumea": "haumea",
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
diff --git a/flake.nix b/flake.nix
index a1c84f5..4779da6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,6 +24,11 @@
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-compat.follows = "flake-compat";
};
+ guzzle_api = {
+ url = "github:getchoo/guzzle_api";
+ inputs.nixpkgs.follows = "nixpkgsUnstable";
+ inputs.pre-commit-hooks.follows = "pre-commit-hooks";
+ };
haumea = {
url = "github:nix-community/haumea";
inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/default.nix b/hosts/default.nix
index 1ad7953..97574c5 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -18,6 +18,7 @@ with inputs; let
secrets = {
rootPassword.file = "${self}/users/_secrets/rootPassword.age";
sethPassword.file = "${self}/users/_secrets/sethPassword.age";
+ pbodyPassword.file = "${self}/users/_secrets/pbodyPassword.age";
};
};
@@ -44,6 +45,7 @@ in {
nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
nixos-hardware.nixosModules.common-pc-ssd
lanzaboote.nixosModules.lanzaboote
+ (import "${self}/modules/nixos/virtualisation")
];
};
glados-wsl = {
@@ -54,4 +56,33 @@ in {
nixos-wsl.nixosModules.wsl
];
};
+ p-body = {
+ builder = nixpkgs.lib.nixosSystem;
+ inherit (common) system;
+
+ specialArgs = let
+ unstable = import nixpkgsUnstable {
+ inherit (common) system;
+ overlays = [guzzle_api.overlays.default];
+ };
+ in {inherit (unstable) guzzle-api-server;};
+
+ modules = [
+ agenix.nixosModules.default
+ guzzle_api.nixosModules.guzzle_api
+ (import "${self}/modules/base")
+ (import "${self}/modules/nixos")
+
+ {
+ age = {
+ identityPaths = ["/etc/age/key"];
+ secrets = {
+ rootPassword.file = "${self}/users/_secrets/rootPassword.age";
+ pbodyPassword.file = "${self}/users/_secrets/pbodyPassword.age";
+ };
+ };
+ nixos.enable = true;
+ }
+ ];
+ };
}
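Review bot: The p-body entry declares its own `age.secrets` block (L117-L120) that repeats `rootPassword.file` from the shared block touched by the first hunk (L79-L84), and the commit adds `pbodyPassword.file` to both; if that shared block is reachable from p-body the definitions are duplicated, and if it is not, the L82 addition is dead for this host. Whichever applies, a one-line comment on L82 such as `# also declared per-host in the p-body entry, which sets its own identityPaths` would keep the two in step. The shared block's owner and the `common` set used on L99 are outside the hunk, so this is inferred from the structure only.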
diff --git a/hosts/p-body/default.nix b/hosts/p-body/default.nix
new file mode 100644
index 0000000..385f5bd
--- /dev/null
+++ b/hosts/p-body/default.nix
@@ -0,0 +1,139 @@
+{
+ config,
+ modulesPath,
+ pkgs,
+ guzzle-api-server,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/virtualisation/digital-ocean-image.nix")
+ ];
+
+ base = {
+ documentation.enable = false;
+ defaultPackages.enable = false;
+ };
+
+ networking = {
+ hostName = "p-body";
+ firewall = let
+ ports = [80 420];
+ in {
+ allowedUDPPorts = ports;
+ allowedTCPPorts = ports;
+ };
+ };
+
+ programs = {
+ git.enable = true;
+ vim.defaultEditor = true;
+ };
+
+ security = {
+ pam.enableSSHAgentAuth = true;
+ };
+
+ services = {
+ caddy = {
+ enable = true;
+
+ email = "[email protected]";
+
+ logFormat = ''
+ output stdout
+ format json
+ '';
+
+ extraConfig = ''
+ (strip-www) {
+ redir https://{args.0}{uri}
+ }
+
+ (common_domain) {
+ encode gzip
+
+ handle {
+ try_files {path} {path}/
+ }
+
+ handle_errors {
+ @404 {
+ expression {http.error.status_code} == 404
+ }
+ rewrite @404 /404.html
+ file_server
+ }
+ }
+
+ (no_embeds) {
+ header /{args.0} X-Frame-Options DENY
+ }
+
+ (container_proxy) {
+ handle_path /{args.0}/* {
+ reverse_proxy {args.1}
+ }
+ }
+ '';
+
+ globalConfig = ''
+ auto_https off
+ '';
+
+ virtualHosts = {
+ guzzle = rec {
+ hostName = "198.199.68.30";
+ serverAliases = [
+ "www.${hostName}"
+ ];
+ extraConfig = ''
+ root * /var/www
+ import common_domain
+
+ file_server
+
+ import container_proxy api :8000
+ '';
+ };
+ };
+ };
+
+ endlessh = {
+ enable = true;
+ port = 22;
+ openFirewall = true;
+ };
+
+ guzzle-api = {
+ enable = true;
+ url = "http://198.199.68.30/api/api";
+ port = "8000";
+ package = guzzle-api-server;
+ };
+
+ hercules-ci-agent.enable = true;
+
+ openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ ports = [420];
+ };
+ };
+
+ system.stateVersion = "22.11";
+
+ users.users = let
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOeEbjzzzwf9Qyl0JorokhraNYG4M2hovyAAaA6jPpM7 seth@glados"
+ ];
+ in {
+ root = {inherit openssh;};
+ p-body = {
+ extraGroups = ["wheel"];
+ isNormalUser = true;
+ shell = pkgs.bash;
+ passwordFile = config.age.secrets.pbodyPassword.path;
+ inherit openssh;
+ };
+ };
+}
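Review bot: `allowedUDPPorts = ports;` on L154 opens UDP 80 and 420 although nothing in this file listens on UDP: Caddy runs with `auto_https off` so there is no HTTP/3, and sshd on 420 is TCP-only, so drop that line and keep `allowedTCPPorts = ports;`. `auto_https off` together with `url = "http://198.199.68.30/api/api"` (L241) serves the site and the proxied API in plaintext, which leaves the `email` setting on L172 unused; if that is deliberate while the host has only a raw IP, a comment next to globalConfig such as `# TODO: re-enable auto_https once a DNS name replaces the raw IP` would record it. `security.pam.enableSSHAgentAuth = true` (L165) with `p-body` in `wheel` means sudo can be satisfied by any key in that user's authorized_keys through a forwarded agent; a short comment stating that this is the intended admin path would make the trust boundary explicit. The `no_embeds` snippet defined on L200 is never imported by a virtual host, so either use it in the guzzle host or remove it.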
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 5767d6b..0c482ac 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -14,7 +14,7 @@ in {
./root.nix
./security.nix
./systemd.nix
- ./virtualisation.nix
+ #./virtualisation.nix
];
config = mkIf cfg.enable {
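Review bot: `#./virtualisation.nix` leaves a commented-out entry in the module list with no explanation; either delete the line or replace it with a comment stating where the module now lives, e.g. `# virtualisation is opted into per host via modules/nixos/virtualisation`. The same commit has hosts/default.nix import `${self}/modules/nixos/virtualisation` as a directory, while the path dropped here is the file `virtualisation.nix` and the diffstat shows no rename, so confirm a `modules/nixos/virtualisation/default.nix` exists or the glados host will fail to evaluate. The enclosing `imports` list starts outside the hunk.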
diff --git a/users/_secrets/pbodyPassword.age b/users/_secrets/pbodyPassword.age
new file mode 100644
index 0000000..6061cf7
--- /dev/null
+++ b/users/_secrets/pbodyPassword.age
Binary files differ
diff --git a/users/_secrets/rootPassword.age b/users/_secrets/rootPassword.age
index 7a2ede3..f2d0b73 100644
--- a/users/_secrets/rootPassword.age
+++ b/users/_secrets/rootPassword.age
Binary files differ
diff --git a/users/_secrets/secrets.nix b/users/_secrets/secrets.nix
index c85e64a..c8df22d 100644
--- a/users/_secrets/secrets.nix
+++ b/users/_secrets/secrets.nix
@@ -1,6 +1,10 @@
let
- key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5K+yLHuz4kyCkJDX2Gd/uGVNEJroIAU/h0f9E2Mapn getchoo-nix";
+ keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5K+yLHuz4kyCkJDX2Gd/uGVNEJroIAU/h0f9E2Mapn getchoo-nix"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVieG9wj00Cz0Co7QYNkoTgfO+B8EO5vlZdfMvCHD76 root@p-body"
+ ];
in {
- "rootPassword.age".publicKeys = [key];
- "sethPassword.age".publicKeys = [key];
+ "rootPassword.age".publicKeys = keys;
+ "sethPassword.age".publicKeys = keys;
+ "pbodyPassword.age".publicKeys = keys;
}
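Review bot: Every secret is now encrypted to both keys, including `sethPassword.age`, which the p-body host in hosts/default.nix never mounts; a compromise of the `root@p-body` host key would therefore also expose a secret that server has no use for. Bind the keys by name and grant per secret, e.g. `getchooKey = "ssh-ed25519 ... getchoo-nix"; pbodyKey = "ssh-ed25519 ... root@p-body";` with `"sethPassword.age".publicKeys = [getchooKey];` and only the root and pbody secrets listing both. `rootPassword.age` is likewise decryptable by the server now; if that file holds the same root password for the other hosts, a p-body compromise yields it for all of them, so confirm that is acceptable or split the secret per host.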
diff --git a/users/_secrets/sethPassword.age b/users/_secrets/sethPassword.age
index 43040ff..d9c82c9 100644
--- a/users/_secrets/sethPassword.age
+++ b/users/_secrets/sethPassword.age
Binary files differ