Initial commit

config.nix

@@ -0,0 +1,42 @@
+{ config, lib, pkgs, rpi5-kernel, ... }:
+{
+  imports = [ ./hardware-configuration.nix ./modules ];
+
+  # boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
+  boot.kernelPackages = rpi5-kernel.legacyPackages.aarch64-linux.linuxPackages_rpi5;
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = false;
+
+  nix.package = pkgs.nixFlakes;
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  time.timeZone = "America/New_York";
+
+  networking.hostName = "toki-rpi5";
+  networking.wireless.iwd.enable = true;
+  networking.wireless.iwd.settings = {
+    Settings.AutoConnect = true;
+    Network.EnableIPv6 = false;
+    General.EnableNetworkConfiguration = true;
+  };
+
+  services.openssh.enable = true;
+  services.openssh.settings = {
+    PasswordAuthentication = false;
+    PermitRootLogin = "yes";
+  };
+  users.users.root.openssh.authorizedKeys.keyFiles = [ ./ssh/authorized_keys ];
+
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+
+  environment.systemPackages = with pkgs; [
+    openssl
+    rsync
+    curl
+    git
+    wget
+  ];
+
+  system.stateVersion = "24.05";
+}
+

flake.lock

@@ -0,0 +1,63 @@
+{
+  "nodes": {
+    "flake-compat": {
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "revCount": 57,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1720957393,
+        "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "rpi5-kernel": "rpi5-kernel"
+      }
+    },
+    "rpi5-kernel": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1704485878,
+        "narHash": "sha256-i7UH31IZyil99EUB5qnQJAiszFkea1B1yZf5pQEDIYg=",
+        "owner": "vriska",
+        "repo": "nix-rpi5",
+        "rev": "ac9942532e1dc2f825ad2aa3a6d31bfbd3b42eed",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "vriska",
+        "repo": "nix-rpi5",
+        "type": "gitlab"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,22 @@
+{
+description = "Server system conf";
+
+inputs = {
+  nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  
+  rpi5-kernel.url = "gitlab:vriska/nix-rpi5";
+  rpi5-kernel.inputs.nixpkgs.follows = "nixpkgs";
+};
+
+outputs = inputs@{ self, nixpkgs, rpi5-kernel, ... }:
+  {
+    nixosConfigurations."toki-rpi5" =
+      nixpkgs.lib.nixosSystem {
+        system = "aarch64-linux";
+        modules = [
+          { _module.args = inputs; }
+          ./config.nix
+        ];
+      };
+  };
+}

hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/278088c7-1e81-4aec-ae7a-849bbfb4c8bc";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/56DC-DAA1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/03af869a-1357-43ce-800d-4480f0fa28d1"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

modules/acme.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  security.acme.acceptTerms = true;
+  security.acme.defaults = {
+    email = "kiana.a.sheibani@gmail.com";
+    dnsProvider = "namecheap";
+    environmentFile = "/root/.namecheap_api";
+  };
+}

modules/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./acme.nix
+    ./fail2ban.nix
+    ./forgejo.nix
+    ./nginx.nix
+  ];
+}

modules/fail2ban.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.fail2ban.enable = true;
+}

modules/forgejo.nix

@@ -0,0 +1,47 @@
+{ config, ... }:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in {
+  services.nginx.virtualHosts.${srv.DOMAIN} = {
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      client_max_body_size 512M;
+    '';
+    locations."/".proxyPass = "http://localhost:${builtins.toString srv.HTTP_PORT}";
+  };
+
+  services.forgejo = {
+    enable = true;
+    
+    settings = {
+      server = {
+        DOMAIN = "git.tokinanpa.dev";
+        ROOT_URL = "https://${srv.DOMAIN}/";
+      };
+
+      service = {
+        DISABLE_REGISTRATION = true;
+      };
+
+      repository = {
+        DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues";
+        DISABLE_STARS = true;
+
+        ENABLE_PUSH_CREATE_USER = true;
+        DEFAULT_PUSH_CREATE_PRIVATE = false;
+
+        PREFERRED_LICENSES = "MIT";
+      };
+
+      ui = {
+        DEFAULT_THEME = "forgejo-dark";
+        DEFAULT_SHOW_FULL_NAME = true;
+        
+      };
+
+      mirror.DEFAULT_INTERVAL = "1h";
+    };
+  };
+}

modules/nginx.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.nginx.enable = true;
+}

ssh/authorized_keys

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDemOeWGP40M495KAuylZfRHXKKr9av0QHYjQwuG5EKzoy+KH0EAtBM3MbDLX5+bCd4O4oB9H/ZWxDZFfaitTPf1nrBMA89GWAxiGwVT3U2kQL2KUIP9rXjH/KLwocqnqsljRka1McF0mijtpMhNR0jpXAOfZboHFWRE07kRacvXmhkltcJhXiCGMYmUfFT/HroxSgV+1BM9csYItzHlHFhoB2laEQOoTE5jLxkTkqZ55W0V9QUlM1N830fvhv9z/I6PQcIPXttB4nm+339r2qA3qncRkF7j0+JIXbUkIxK7nQhv25EyFUS8WplnI7mbb2T9JWVeLsAO24WrAApbPxmu+ItKq003Qi4a/0+v6D2PCXm+YoxJlM5aHh8FZdXoIhMv76j3lk0P0sN9Sr09gjoWkV+/rSN+3ZLCJBGS5a3LpBk3HC2ZP/mvfsd1LTDhYQBJSW0LiBZO5aRuKZrTbyY9+i75cTWjnJuvZyBDn3giSYMiVhIAcZg5dU0ySG4M28= kiana@kiana-laptop