commit 41d546e21d8e90d9472f62b9ed1cfa6daabfad1b
Author: Kiana Sheibani
Date: Sun Jul 21 01:44:38 2024 -0400
Initial commit
diff --git a/config.nix b/config.nix
new file mode 100644
index 0000000..7d8336b
--- /dev/null
+++ b/config.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, rpi5-kernel, ... }:
+{
+ imports = [ ./hardware-configuration.nix ./modules ];
+
+ # boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
+ boot.kernelPackages = rpi5-kernel.legacyPackages.aarch64-linux.linuxPackages_rpi5;
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = false;
+
+ nix.package = pkgs.nixFlakes;
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ time.timeZone = "America/New_York";
+
+ networking.hostName = "toki-rpi5";
+ networking.wireless.iwd.enable = true;
+ networking.wireless.iwd.settings = {
+ Settings.AutoConnect = true;
+ Network.EnableIPv6 = false;
+ General.EnableNetworkConfiguration = true;
+ };
+
+ services.openssh.enable = true;
+ services.openssh.settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "yes";
+ };
+ users.users.root.openssh.authorizedKeys.keyFiles = [ ./ssh/authorized_keys ];
+
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+
+ environment.systemPackages = with pkgs; [
+ openssl
+ rsync
+ curl
+ git
+ wget
+ ];
+
+ system.stateVersion = "24.05";
+}
+
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..5866bdf
--- /dev/null
+++ b/flake.lock
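Review bot: `PermitRootLogin = "yes"` in the openssh settings lets root authenticate by any method sshd still accepts, so the key-only posture rests entirely on `PasswordAuthentication = false`, and that option does not cover keyboard-interactive (PAM) authentication, which the NixOS module leaves enabled unless `KbdInteractiveAuthentication` is set explicitly. Since root's only intended credential is the key in `./ssh/authorized_keys` and port 22 is opened to the world in `networking.firewall.allowedTCPPorts`, the settings block should state that directly: `PermitRootLogin = "prohibit-password";` and `KbdInteractiveAuthentication = false;`. A dedicated non-root admin user with sudo would be the stronger change, but the two quoted lines keep the current workflow intact. `nix.package = pkgs.nixFlakes` is, I believe, a deprecated alias on this nixpkgs revision and can simply be dropped, since flakes ship in the default `nix`.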
@@ -0,0 +1,63 @@ +{ + "nodes": { + "flake-compat": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "revCount": 57, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1720957393, + "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs", + "rpi5-kernel": "rpi5-kernel" + } + }, + "rpi5-kernel": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1704485878, + "narHash": "sha256-i7UH31IZyil99EUB5qnQJAiszFkea1B1yZf5pQEDIYg=", + "owner": "vriska", + "repo": "nix-rpi5", + "rev": "ac9942532e1dc2f825ad2aa3a6d31bfbd3b42eed", + "type": "gitlab" + }, + "original": { + "owner": "vriska", + "repo": "nix-rpi5", + "type": "gitlab" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..88502e0 --- /dev/null +++ b/flake.nix @@ -0,0 +1,22 @@ +{ +description = "Server system conf"; + +inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + + rpi5-kernel.url = "gitlab:vriska/nix-rpi5"; + rpi5-kernel.inputs.nixpkgs.follows = "nixpkgs"; +}; + +outputs = inputs@{ self, nixpkgs, rpi5-kernel, ... }: + { + nixosConfigurations."toki-rpi5" = + nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + modules = [ + { _module.args = inputs; } + ./config.nix + ]; + }; + }; +} 
diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..66b07f6 --- /dev/null +++ b/hardware-configuration.nix @@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "usbhid" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/278088c7-1e81-4aec-ae7a-849bbfb4c8bc"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/56DC-DAA1"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/03af869a-1357-43ce-800d-4480f0fa28d1"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.end0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; +} diff --git a/modules/acme.nix b/modules/acme.nix new file mode 100644 index 0000000..cedb79e --- /dev/null +++ b/modules/acme.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + security.acme.acceptTerms = true; + security.acme.defaults = { + email = "kiana.a.sheibani@gmail.com"; + dnsProvider = "namecheap"; + environmentFile = "/root/.namecheap_api"; + }; +} 
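Review bot: `environmentFile = "/root/.namecheap_api"` in acme.nix points at a file this repository neither creates nor describes, so a fresh build activates cleanly and DNS-01 issuance then fails until someone recreates the file by hand, with nothing here saying what it must contain. A comment on that line would close the gap, e.g. `# Not managed by Nix: root-owned, mode 0600, holding the NAMECHEAP_API_USER= and NAMECHEAP_API_KEY= lines lego's namecheap provider reads; create before first switch.` — the variable names are from memory and should be checked against the lego documentation. Keeping the credential out of the Nix store is the right call, so this is documentation only.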
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..0c6d059
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ imports = [
+ ./acme.nix
+ ./fail2ban.nix
+ ./forgejo.nix
+ ./nginx.nix
+ ];
+}
diff --git a/modules/fail2ban.nix b/modules/fail2ban.nix
new file mode 100644
index 0000000..20befaf
--- /dev/null
+++ b/modules/fail2ban.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ services.fail2ban.enable = true;
+}
diff --git a/modules/forgejo.nix b/modules/forgejo.nix
new file mode 100644
index 0000000..9fce1fe
--- /dev/null
+++ b/modules/forgejo.nix
@@ -0,0 +1,47 @@
+{ config, ... }:
+let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
+in {
+ services.nginx.virtualHosts.${srv.DOMAIN} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/".proxyPass = "http://localhost:${builtins.toString srv.HTTP_PORT}";
+ };
+
+ services.forgejo = {
+ enable = true;
+
+ settings = {
+ server = {
+ DOMAIN = "git.tokinanpa.dev";
+ ROOT_URL = "https://${srv.DOMAIN}/";
+ };
+
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+
+ repository = {
+ DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues";
+ DISABLE_STARS = true;
+
+ ENABLE_PUSH_CREATE_USER = true;
+ DEFAULT_PUSH_CREATE_PRIVATE = false;
+
+ PREFERRED_LICENSES = "MIT";
+ };
+
+ ui = {
+ DEFAULT_THEME = "forgejo-dark";
+ DEFAULT_SHOW_FULL_NAME = true;
+
+ };
+
+ mirror.DEFAULT_INTERVAL = "1h";
+ };
+ };
+}
diff --git a/modules/nginx.nix b/modules/nginx.nix
new file mode 100644
index 0000000..41197d8
--- /dev/null
+++ b/modules/nginx.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ services.nginx.enable = true;
+}
diff --git a/ssh/authorized_keys b/ssh/authorized_keys
new file mode 100644
index 0000000..5c04d29
--- /dev/null
+++ b/ssh/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa 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 kiana@kiana-laptop
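Review bot: `services.fail2ban.enable = true;` in fail2ban.nix on its own activates only the module's default sshd jail, so the Forgejo login page and nginx, which this same commit exposes on 80/443, get no brute-force throttling from this file. With sshd already restricted to public keys in config.nix, the default jail is mostly log-noise reduction. If leaving the web side uncovered is intentional, a comment would stop the next reader from assuming otherwise: `# Default sshd jail only; Forgejo/nginx logins are not watched.` A Forgejo jail would need a filter matching its log format, which nothing in this commit sets up.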
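Review bot: The nginx location `locations."/".proxyPass = "http://localhost:${builtins.toString srv.HTTP_PORT}"` in forgejo.nix forwards to Forgejo with no proxy headers, because `recommendedProxySettings` is enabled neither here nor in nginx.nix, so Forgejo sees 127.0.0.1 as every client's address, which blanks the source IPs in its logs and audit trail and would defeat any future fail2ban jail on its login form. Setting `locations."/".recommendedProxySettings = true;` sends Host, X-Real-IP and X-Forwarded-For, which Forgejo accepts from loopback by default via REVERSE_PROXY_TRUSTED_PROXIES, as far as I recall. Separately, the module's default HTTP_ADDR binds to all interfaces, I believe; the firewall keeps port 3000 closed, but `HTTP_ADDR = "127.0.0.1";` under `server` would make the proxy-only intent explicit and survive a later firewall change. Note also that `ENABLE_PUSH_CREATE_USER = true` together with `DEFAULT_PUSH_CREATE_PRIVATE = false` means a repository created by an accidental push to an unknown name lands public immediately.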
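Review bot: `services.nginx.enable = true;` is the whole of nginx.nix, so the TLS termination that forgejo.nix sets up with `forceSSL = true` runs on nginx's stock protocol and cipher defaults rather than the module's curated ones. The hardening is one line each and belongs in this file: `recommendedTlsSettings = true;` and `recommendedProxySettings = true;`, with `recommendedOptimisation` and `recommendedGzipSettings` optional. A short comment noting that every virtual host is declared in the service module that owns it (`# vhosts live next to their services, e.g. forgejo.nix`) would also explain why this file looks empty.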