commit 5cd83c813efec3b1c06b93b2dc91c2f9554a392a
Author: Grimmauld
Date: Tue Dec 26 16:48:59 2023 +0000
initial config
diff --git a/authorizedKeys.nix b/authorizedKeys.nix
new file mode 100644
index 0000000..3f57310
--- /dev/null
+++ b/authorizedKeys.nix
@@ -0,0 +1,5 @@
+# these are public keys. Publishing them shouldn't be an issue until there is quantum computers breaking rsa.
+# todo: use post-quantum keys for ssh (not possible yet, yikes)
+[
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
+]
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..f1c9c01
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,166 @@
+{ lib, config, inputs, pkgs, ... }:
+let
+ root_host = "grimmauld.de";
+
+ # git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt
+ root_email = (builtins.elemAt (lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt)) 0);
+
+ puffer_port = 8080;
+ puffer_sftp_port = 5657;
+ puffer_host = "puffer.${root_host}";
+
+ gitea_host = "git.${root_host}";
+ gitea_port = 8081;
+in {
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ services.gitea = {
+ enable = true;
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ server = {
+ HTTP_PORT = gitea_port;
+ DISABLE_SSH = true;
+ };
+# log.LEVEL = "Debug";
+ };
+ lfs.enable = true;
+ };
+
+ age.secrets = {
+ duckdns_token.file = ./secrets/duckdns_token.age;
+ };
+
+ users.users.grimmauld = {
+ isNormalUser = true;
+ description = "grimmauld";
+ extraGroups = [ "wheel" "docker" ];
+ shell = pkgs.xonsh;
+ packages = with pkgs; [
+ hyfetch
+ ];
+ openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
+ };
+
+ programs.xonsh.enable = true;
+ environment.systemPackages = with pkgs; [
+ wget
+ tree
+ vim
+ git
+ file
+ git-lfs
+ util-linux
+ btop
+ cached-nix-shell
+ cloud-utils
+ parted
+ visualvm
+ linuxPackages.perf
+ lshw
+ pciutils
+ gitea
+# ffmpeg-full
+
+ pufferpanel
+ (writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
+ pypy3
+ ];
+
+ systemd.services = {
+ dynamic-dns-updater = {
+ path = [
+ pkgs.curl
+ ];
+ script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="'';
+ startAt = "hourly";
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = root_email;
+ certs."${root_host}" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ extraDomainNames = [ puffer_host gitea_host];
+ };
+ };
+
+ environment.sessionVariables = {
+ NIXPKGS_ALLOW_UNFREE="1";
+ OMP_NUM_THREADS = "4";
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 ];
+ allowPing = true;
+ allowedUDPPortRanges = [
+# { from = 4000; to = 4007; }
+ ];
+ };
+
+ services.pufferpanel = {
+ enable = true;
+ environment = {
+ PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
+ PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
+ };
+ extraPackages = with pkgs; [ jdk17_headless ];
+ extraGroups = [ "podman" "docker" ];
+ };
+
+ virtualisation.podman.enable = true;
+ virtualisation.docker.enable = true;
+
+ services.nginx.package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ virtualHosts."${root_host}" = {
+ forceSSL = true;
+ useACMEHost = root_host;
+ root = "/var/www/grimmauld.duckdns.org";
+ };
+
+ virtualHosts."${puffer_host}" = {
+ serverName = puffer_host;
+ forceSSL = true;
+ useACMEHost = root_host;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
+ };
+ };
+
+ virtualHosts."${gitea_host}" = {
+ serverName = gitea_host;
+ forceSSL = true;
+ useACMEHost = root_host;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString gitea_port}";
+ };
+ };
+ };
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ system.stateVersion = "unstable";
+ nixpkgs.config.allowUnfree = true;
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+ networking.hostName = "grimmauld-nixos-server";
+ networking.domain = "";
+ services.openssh.enable = true;
+# users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..ac82061
--- /dev/null
+++ b/flake.lock
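Review bot: `services.openssh.enable = true;` at the end of the hunk starts sshd with the module defaults and nothing sets `settings.PasswordAuthentication = false`, so the key-only access that `authorizedKeys.nix` sets up for `grimmauld` coexists with password logins on a host that, as far as I recall, has port 22 opened automatically by the openssh module even though the firewall block does not list it. That user is in `wheel` and `docker` (the latter is root-equivalent), so a guessed password is a full compromise; I would write `services.openssh = { enable = true; settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "no"; }; };`. Two smaller points in the same hunk: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` replaces the list `recommendedTlsSettings` would install and still admits CBC/SHA-1 suites such as ECDHE-RSA-AES256-SHA, so dropping the override is the simpler fix; and the `dynamic-dns-updater` script expands the DuckDNS token into curl's argv, where any local process can read it from `/proc`, which `curl -fsS -K - <<< "url = \"https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip=\""` avoids by passing the URL on stdin.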
@@ -0,0 +1,123 @@
+{
+ "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": "nixpkgs",
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1703433843,
+ "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1700795494,
+ "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1703113217,
+ "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1703013332,
+ "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1703255338,
+ "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "agenix": "agenix",
+ "nixpkgs": "nixpkgs_2"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..9e05f41
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,26 @@
+# /etc/nixos/flake.nix
+{
+ description = "flake for grimmauld-nixos-server";
+
+ inputs = {
+ agenix.url = "github:ryantm/agenix";
+ nixpkgs = {
+ url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+ };
+
+ outputs = { self, nixpkgs, agenix }: let
+ system = "x86_64-linux";
+ in {
+ nixosConfigurations = {
+ grimmauld-nixos-server = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./configuration.nix
+ agenix.nixosModules.default
+ { environment.systemPackages = [ agenix.packages.${system}.default ]; }
+ ];
+ };
+ };
+ };
+}
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..08ea065
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
+
+}
diff --git a/result b/result
new file mode 120000
index 0000000..9b342d7
--- /dev/null
+++ b/result
@@ -0,0 +1 @@
+/nix/store/xgpf9yaqayh48k3fa25dzck2xlnvcxdd-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc
\ No newline at end of file
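Review bot: The `agenix` input under `inputs` in flake.nix is not told to follow this flake's own `nixpkgs`, which is why the lockfile in the same commit pins two separate nixpkgs trees (`nixpkgs` for agenix and `nixpkgs_2` for root); every extra pinned tree is one more supply-chain input to audit and keep updated. Adding `agenix.inputs.nixpkgs.follows = "nixpkgs";` directly below `agenix.url = "github:ryantm/agenix";` collapses it to a single pin on the next `nix flake update`. The `result` symlink added alongside is a build artifact that points into a local `/nix/store` path and should be ignored rather than committed.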
diff --git a/secrets/duckdns_token.age b/secrets/duckdns_token.age new file mode 100644 index 0000000..7b3aed1 --- /dev/null +++ b/secrets/duckdns_token.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa jWbwAg +qN28qDzdvyx8S8xv1P9nFb1TK14sDnJhF56LVY0G3h6Q8nB02kw3bSJxYBzBs1qO +US2Ci80+IvxKztMAVsI7Hd5u7nKNahxDRCDUZiszETXNZukCLFFWK9ouy7YBRgaI +is44FImbdlua7kq1a9Lpuro04DfWhuG7X0/0ZBiPikI5fWRNAMMoP1ZRQqqlBVPj +fWWSbKa7C0jdBvfzOXSImtU0uuNjCshxsOF4sF7YLY6qlxc8xZdZnyIFRgm6XO7Z +qyeKNkMe1ufssrmquQI9ZgC1LGc+k9VhRtHoSxq1sFNeBBNF1AL4Lh4CReUr0gC1 +NKSiCMq57hBlhLr8jlEG/p6MQe9vfgyxE9xKvknrdo2ou0N7zPQcWTOuL7EKY8w3 +ZC+1UolK5qzu0MvN77RBTPY72jIG9h6YSLOfDKduOsvWFG9kBJ/QEzuwhdXjd9jy +nyvGcNKQoWl7ASGB3W0jP3Iv5ED4Qxd2O8F3bgwndhU9tBkej+KL9uK6YEXJcsNz +5k+J72pdMVtMp4K+XHkdz9fQXedp6M91+gdbEWmvOWUZx67GRq+8aL07nVenJKM6 +ZyOI3F3fjLLC0DmhEyPVD+nq/W6Ljwx/O7fq1uJjQLPRJPNqYcRaokVmpjXiO23w +qT8yVaQxExD26Rn1CIHQQ4piprHVK25oUaJxkO0NYic +--- dLuM11zSUY2zLMW30ftenkZdhD//0BW4YSJEDEb0XfA +ܕa +&ڇ^vAfV;CݢD`Ӓ'7m泶 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..27c5331 --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,7 @@
+let
+ # obtained with `ssh-keyscan [ip]`
+ contabo_nix_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCCsCsjhJleQCBm0gwnUj5R7zewC0SoRvth1qhXtUCeWM3KHkX+CjiHvVaHs+ftYE9uCe5jwVMB+b4UPkNU8EfQeL99iOYtkcn+fEQqjUJe/x/Pn0NxfS1DCvFpI6s3485ysDmagi640XN9S+eIiiMZIqWTsIlUtkEwGF0wuv+xqzbBOlUtIkL2AMpMeFCFovOcpu2JwEAIpDUiW+FanAFImw6rvNmpAtaaFGheYOGJwnpVfdaIeRPqEN3fqtIRBIQVgxt25BGYX83vaIH3Y/OaEKMGUa/4Fe/PRpGJyhCtdae6kcVfx57hs0e7/HezjgfS90HTu2cy6BrJOvGUspCjCbdElddfboE9wtBeNYsgjUOdU926m2M1tTn7Ex6ZMOQRKRlVFac6Yo+CedRTe4u6lkrWcsDdmnajel7uxoW8VMEre/CBCtK+ZlGaDwJjIVNCn7J3KZBKeaB/t/1iSr7/buaXYh5VV1Q0gv0mtvx+D7YLngaTv3sLFpLV8Wk1mgXt9R2hHxcRBKGJYx5RWa8aMHK62RP1GRc5yCzREj2Mc5qUJyd8oirnQYms/BsaDybUJde9IL4REeMzIBYyi/MG/+OAIUSAtdYygABWco+Swv4jP52UODHikcmyejHdFhRngsb4IYzGZXbS5pobkCyqCMJ20v5BG3WNFmujAlXRw==";
+in
+{
+ "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
+}
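Review bot: `"duckdns_token.age".publicKeys = [ contabo_nix_pub ];` makes the server's RSA host key the sole recipient (the committed `.age` file shows a single `-> ssh-rsa` stanza), so a reinstall or host-key rotation leaves the token undecryptable by anyone, and the comment `obtained with ssh-keyscan [ip]` says the recipient key was fetched over the network with no fingerprint check against the host's own `/etc/ssh/ssh_host_rsa_key.pub`. I would add the admin key from `authorizedKeys.nix` as a second recipient and record how the host key was verified: `admin = "ssh-rsa AAAA… grimmauld@grimmauld-nixos";` and `"duckdns_token.age".publicKeys = [ contabo_nix_pub admin ];`, then re-encrypt with `agenix --rekey`. As far as I know agenix also accepts the host's ed25519 key, which would be a shorter recipient line to maintain than the 4096-bit RSA one pasted here.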