Initial commit
This commit is contained in:
commit
41d546e21d
42
config.nix
Normal file
42
config.nix
Normal file
|
@ -0,0 +1,42 @@
|
|||
{ config, lib, pkgs, rpi5-kernel, ... }:
|
||||
{
|
||||
imports = [ ./hardware-configuration.nix ./modules ];
|
||||
|
||||
# boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
|
||||
boot.kernelPackages = rpi5-kernel.legacyPackages.aarch64-linux.linuxPackages_rpi5;
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = false;
|
||||
|
||||
nix.package = pkgs.nixFlakes;
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
|
||||
time.timeZone = "America/New_York";
|
||||
|
||||
networking.hostName = "toki-rpi5";
|
||||
networking.wireless.iwd.enable = true;
|
||||
networking.wireless.iwd.settings = {
|
||||
Settings.AutoConnect = true;
|
||||
Network.EnableIPv6 = false;
|
||||
General.EnableNetworkConfiguration = true;
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.openssh.settings = {
|
||||
PasswordAuthentication = false;
|
||||
PermitRootLogin = "yes";
|
||||
};
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [ ./ssh/authorized_keys ];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
openssl
|
||||
rsync
|
||||
curl
|
||||
git
|
||||
wget
|
||||
];
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
|
||||
|
63
flake.lock
Normal file
63
flake.lock
Normal file
|
@ -0,0 +1,63 @@
|
|||
{
|
||||
"nodes": {
|
||||
"flake-compat": {
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"revCount": 57,
|
||||
"type": "tarball",
|
||||
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1720957393,
|
||||
"narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs",
|
||||
"rpi5-kernel": "rpi5-kernel"
|
||||
}
|
||||
},
|
||||
"rpi5-kernel": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1704485878,
|
||||
"narHash": "sha256-i7UH31IZyil99EUB5qnQJAiszFkea1B1yZf5pQEDIYg=",
|
||||
"owner": "vriska",
|
||||
"repo": "nix-rpi5",
|
||||
"rev": "ac9942532e1dc2f825ad2aa3a6d31bfbd3b42eed",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "vriska",
|
||||
"repo": "nix-rpi5",
|
||||
"type": "gitlab"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
22
flake.nix
Normal file
22
flake.nix
Normal file
|
@ -0,0 +1,22 @@
|
|||
{
|
||||
description = "Server system conf";
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
|
||||
rpi5-kernel.url = "gitlab:vriska/nix-rpi5";
|
||||
rpi5-kernel.inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, nixpkgs, rpi5-kernel, ... }:
|
||||
{
|
||||
nixosConfigurations."toki-rpi5" =
|
||||
nixpkgs.lib.nixosSystem {
|
||||
system = "aarch64-linux";
|
||||
modules = [
|
||||
{ _module.args = inputs; }
|
||||
./config.nix
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
40
hardware-configuration.nix
Normal file
40
hardware-configuration.nix
Normal file
|
@ -0,0 +1,40 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "usbhid" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/278088c7-1e81-4aec-ae7a-849bbfb4c8bc";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/56DC-DAA1";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/03af869a-1357-43ce-800d-4480f0fa28d1"; }
|
||||
];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
||||
}
|
9
modules/acme.nix
Normal file
9
modules/acme.nix
Normal file
|
@ -0,0 +1,9 @@
|
|||
{ ... }:
|
||||
{
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults = {
|
||||
email = "kiana.a.sheibani@gmail.com";
|
||||
dnsProvider = "namecheap";
|
||||
environmentFile = "/root/.namecheap_api";
|
||||
};
|
||||
}
|
9
modules/default.nix
Normal file
9
modules/default.nix
Normal file
|
@ -0,0 +1,9 @@
|
|||
{ ... }:
|
||||
{
|
||||
imports = [
|
||||
./acme.nix
|
||||
./fail2ban.nix
|
||||
./forgejo.nix
|
||||
./nginx.nix
|
||||
];
|
||||
}
|
4
modules/fail2ban.nix
Normal file
4
modules/fail2ban.nix
Normal file
|
@ -0,0 +1,4 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.fail2ban.enable = true;
|
||||
}
|
47
modules/forgejo.nix
Normal file
47
modules/forgejo.nix
Normal file
|
@ -0,0 +1,47 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
cfg = config.services.forgejo;
|
||||
srv = cfg.settings.server;
|
||||
in {
|
||||
services.nginx.virtualHosts.${srv.DOMAIN} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
client_max_body_size 512M;
|
||||
'';
|
||||
locations."/".proxyPass = "http://localhost:${builtins.toString srv.HTTP_PORT}";
|
||||
};
|
||||
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = "git.tokinanpa.dev";
|
||||
ROOT_URL = "https://${srv.DOMAIN}/";
|
||||
};
|
||||
|
||||
service = {
|
||||
DISABLE_REGISTRATION = true;
|
||||
};
|
||||
|
||||
repository = {
|
||||
DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues";
|
||||
DISABLE_STARS = true;
|
||||
|
||||
ENABLE_PUSH_CREATE_USER = true;
|
||||
DEFAULT_PUSH_CREATE_PRIVATE = false;
|
||||
|
||||
PREFERRED_LICENSES = "MIT";
|
||||
};
|
||||
|
||||
ui = {
|
||||
DEFAULT_THEME = "forgejo-dark";
|
||||
DEFAULT_SHOW_FULL_NAME = true;
|
||||
|
||||
};
|
||||
|
||||
mirror.DEFAULT_INTERVAL = "1h";
|
||||
};
|
||||
};
|
||||
}
|
4
modules/nginx.nix
Normal file
4
modules/nginx.nix
Normal file
|
@ -0,0 +1,4 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.nginx.enable = true;
|
||||
}
|
1
ssh/authorized_keys
Normal file
1
ssh/authorized_keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDemOeWGP40M495KAuylZfRHXKKr9av0QHYjQwuG5EKzoy+KH0EAtBM3MbDLX5+bCd4O4oB9H/ZWxDZFfaitTPf1nrBMA89GWAxiGwVT3U2kQL2KUIP9rXjH/KLwocqnqsljRka1McF0mijtpMhNR0jpXAOfZboHFWRE07kRacvXmhkltcJhXiCGMYmUfFT/HroxSgV+1BM9csYItzHlHFhoB2laEQOoTE5jLxkTkqZ55W0V9QUlM1N830fvhv9z/I6PQcIPXttB4nm+339r2qA3qncRkF7j0+JIXbUkIxK7nQhv25EyFUS8WplnI7mbb2T9JWVeLsAO24WrAApbPxmu+ItKq003Qi4a/0+v6D2PCXm+YoxJlM5aHh8FZdXoIhMv76j3lk0P0sN9Sr09gjoWkV+/rSN+3ZLCJBGS5a3LpBk3HC2ZP/mvfsd1LTDhYQBJSW0LiBZO5aRuKZrTbyY9+i75cTWjnJuvZyBDn3giSYMiVhIAcZg5dU0ySG4M28= kiana@kiana-laptop
|
Loading…
Reference in a new issue