initial config

Grimmauld 2023-12-26 16:48:59 +00:00
commit 5cd83c813e
8 changed files with 353 additions and 0 deletions

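--- a/authorizedKeys.nix
+++ b/authorizedKeys.nix
@@ -0,0 +1,5 @@
+# these are public keys. Publishing them shouldn't be an issue until there is quantum computers breaking rsa.
+# todo: use post-quantum keys for ssh (not possible yet, yikes)
+[
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
+]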
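Review bot: The key in this list is an RSA key (the `AAAAB3NzaC1yc2EAAAADAQABAAABAQ` prefix encodes a 257-byte modulus, i.e. 2048-bit), which OpenSSH still accepts but is no longer the preferred type, and the header comment does not record the key size or the plan for replacing it. I would extend the comment, e.g. `# 2048-bit RSA key; new keys should be ssh-ed25519 (smaller, faster, no SHA-1 signature fallback)`. The quantum remark is accurate for authentication keys, but OpenSSH has defaulted to the hybrid sntrup761x25519 key exchange since 9.0, so the harvest-now-decrypt-later exposure of the session itself is already handled server-side; saying so in the comment would stop the todo from reading as if nothing can be done today.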

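--- a/configuration.nix
+++ b/configuration.nix
@@ -0,0 +1,166 @@
+{ lib, config, inputs, pkgs, ... }:
+let
+root_host = "grimmauld.de";
+# git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt
+root_email = (builtins.elemAt (lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt)) 0);
+puffer_port = 8080;
+puffer_sftp_port = 5657;
+puffer_host = "puffer.${root_host}";
+gitea_host = "git.${root_host}";
+gitea_port = 8081;
+in {
+imports = [
+./hardware-configuration.nix
+];
+services.gitea = {
+enable = true;
+settings = {
+service.DISABLE_REGISTRATION = true;
+server = {
+HTTP_PORT = gitea_port;
+DISABLE_SSH = true;
+};
+# log.LEVEL = "Debug";
+};
+lfs.enable = true;
+};
+age.secrets = {
+duckdns_token.file = ./secrets/duckdns_token.age;
+};
+users.users.grimmauld = {
+isNormalUser = true;
+description = "grimmauld";
+extraGroups = [ "wheel" "docker" ];
+shell = pkgs.xonsh;
+packages = with pkgs; [
+hyfetch
+];
+openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
+};
+programs.xonsh.enable = true;
+environment.systemPackages = with pkgs; [
+wget
+tree
+vim
+git
+file
+git-lfs
+util-linux
+btop
+cached-nix-shell
+cloud-utils
+parted
+visualvm
+linuxPackages.perf
+lshw
+pciutils
+gitea
+# ffmpeg-full
+pufferpanel
+(writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
+pypy3
+];
+systemd.services = {
+dynamic-dns-updater = {
+path = [
+pkgs.curl
+];
+script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="'';
+startAt = "hourly";
+};
+};
+security.acme = {
+acceptTerms = true;
+defaults.email = root_email;
+certs."${root_host}" = {
+webroot = "/var/lib/acme/acme-challenge/";
+extraDomainNames = [ puffer_host gitea_host];
+};
+};
+environment.sessionVariables = {
+NIXPKGS_ALLOW_UNFREE="1";
+OMP_NUM_THREADS = "4";
+};
+users.users.nginx.extraGroups = [ "acme" ];
+networking.firewall = {
+enable = true;
+allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 ];
+allowPing = true;
+allowedUDPPortRanges = [
+# { from = 4000; to = 4007; }
+];
+};
+services.pufferpanel = {
+enable = true;
+environment = {
+PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
+PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
+};
+extraPackages = with pkgs; [ jdk17_headless ];
+extraGroups = [ "podman" "docker" ];
+};
+virtualisation.podman.enable = true;
+virtualisation.docker.enable = true;
+services.nginx.package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+virtualHosts."${root_host}" = {
+forceSSL = true;
+useACMEHost = root_host;
+root = "/var/www/grimmauld.duckdns.org";
+};
+virtualHosts."${puffer_host}" = {
+serverName = puffer_host;
+forceSSL = true;
+useACMEHost = root_host;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
+};
+};
+virtualHosts."${gitea_host}" = {
+serverName = gitea_host;
+forceSSL = true;
+useACMEHost = root_host;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${builtins.toString gitea_port}";
+};
+};
+};
+nix.settings.experimental-features = [ "nix-command" "flakes" ];
+system.stateVersion = "unstable";
+nixpkgs.config.allowUnfree = true;
+boot.tmp.cleanOnBoot = true;
+zramSwap.enable = true;
+networking.hostName = "grimmauld-nixos-server";
+networking.domain = "";
+services.openssh.enable = true;
+# users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
+}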
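Review bot: The `dynamic-dns-updater` script expands the DuckDNS token into curl's command line via `token=$(<${config.age.secrets.duckdns_token.path})`, so for the duration of the request the secret is readable by every local user through the process list (`/proc/<pid>/cmdline`), which defeats the purpose of keeping it in an agenix secret. Passing the URL to curl as a config file on stdin keeps it out of argv: `script = ''curl --fail --silent --show-error -K - <<< "url = \"https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip=\""'';`. `--fail` also turns an HTTP error into a failed unit, so a rejected token shows up in the journal instead of the timer succeeding silently. Separately, `services.openssh.enable = true` near the end leaves `settings.PasswordAuthentication` at its default even though access is key-only through authorizedKeys.nix; `services.openssh.settings.PasswordAuthentication = false;` makes that explicit.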

123
flake.lock Normal file

@ -0,0 +1,123 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1703433843,
"narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
"owner": "ryantm",
"repo": "agenix",
"rev": "417caa847f9383e111d1397039c9d4337d024bf0",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1703255338,
"narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"nixpkgs": "nixpkgs_2"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

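--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,26 @@
+# /etc/nixos/flake.nix
+{
+description = "flake for grimmauld-nixos-server";
+inputs = {
+agenix.url = "github:ryantm/agenix";
+nixpkgs = {
+url = "github:NixOS/nixpkgs/nixos-unstable";
+};
+};
+outputs = { self, nixpkgs, agenix }: let
+system = "x86_64-linux";
+in {
+nixosConfigurations = {
+grimmauld-nixos-server = nixpkgs.lib.nixosSystem {
+inherit system;
+modules = [
+./configuration.nix
+agenix.nixosModules.default
+{ environment.systemPackages = [ agenix.packages.${system}.default ]; }
+];
+};
+};
+};
+}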


@ -0,0 +1,9 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
}

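--- a/result
+++ b/result
@@ -0,0 +1 @@
+/nix/store/xgpf9yaqayh48k3fa25dzck2xlnvcxdd-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc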

16
secrets/duckdns_token.age Normal file

@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg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--- dLuM11zSUY2zLMW30ftenkZdhD//0BW4YSJEDEb0XfA
<EFBFBD>Ü•ùa
Æÿ&Ú‡äÛ¢^vÝAf°V‰ãÁ;µ ½ìÿÑCαÝêÝ¢D`ÙÛÓ’'7ÜîðÖm<C396>Ø泶Á“

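--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+# obtained with `ssh-keyscan [ip]`
+contabo_nix_pub = "ssh-rsa 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";
+in
+{
+"duckdns_token.age".publicKeys = [ contabo_nix_pub ];
+}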
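Review bot: `contabo_nix_pub` is the sole recipient of `duckdns_token.age`, and the comment above it says the key came from `ssh-keyscan [ip]`, which records whatever key the network returned without verifying it; the comment should state that the fingerprint was checked out of band, e.g. `# obtained with ssh-keyscan [ip]; fingerprint verified against /etc/ssh/ssh_host_rsa_key.pub on the host console`. With a single recipient the secret can only be decrypted with the server's private host key, so editing or re-keying it with `agenix -e` from a workstation is not possible without copying that key around; the usual pattern is to add the administrator's public key from authorizedKeys.nix as a second recipient, `"duckdns_token.age".publicKeys = [ contabo_nix_pub admin_pub ];` with `admin_pub` bound in the `let`. Naming the host (`contabo_nix`) in the binding but not in the comment also leaves the reader guessing which machine's key this is when more hosts are added.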