squibid/flake-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial commit

Browse source
This commit is contained in:
Squibid 2025-11-09 23:51:40 -05:00
commit 4014d5e658
Signed by: squibid
GPG key ID: BECE5684D3C4005D
30 changed files with 911 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

12
hosts/crayon/default.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
imports = [
./hardware-configuration.nix # Include the results of the hardware scan.
./mailserver.nix
./nginx.nix
./git.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
}

32
hosts/crayon/git.nix Normal file
View file

@ -0,0 +1,32 @@
{ config, ... }:
let
cfg = config.services.forgejo;
srv = cfg.settings.server;
in {
services.nginx.virtualHosts.${srv.DOMAIN} = {
forceSSL = true;
enableACME = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
};
services.forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
settings = {
server = {
DOMAIN = "git.squi.bid";
ROOT_URL = "https://${srv.DOMAIN}/";
HTTP_PORT = 3000;
};
service = {
ENABLE_CAPTCHA = true;
REGISTER_MANUAL_CONFIRM = true; # all new users must be approved by me
};
ui.DEFAULT_THEME = "gitea-dark";
};
};
}

32
hosts/crayon/hardware-configuration.nix Normal file
View file

@ -0,0 +1,32 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4d47e9c5-a695-4c12-b44c-1c3c81de20d4";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/937d42d7-9d77-46fd-88fb-3d6d746635ed"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
virtualisation.hypervGuest.enable = true;
}

41
hosts/crayon/mailserver.nix Normal file
View file

@ -0,0 +1,41 @@
{ config, ... }:
{
# this should really be imported through a flake but I couldn't get that
# working :(
imports = [
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.05/nixos-mailserver-nixos-25.05.tar.gz";
sha256 = "1qn5fg0h62r82q7xw54ib9wcpflakix2db2mahbicx540562la1y";
})
];
mailserver = {
enable = true;
fqdn = "mail.zacharyscheiman.com";
domains = [ "zacharyscheiman.com" "squi.bid" ];
messageSizeLimit = 2500000000; # 2.5GB
loginAccounts = {
"me@zacharyscheiman.com" = {
hashedPasswordFile = config.sops.secrets."mail/me".path;
aliases = [
"zach@zacharyscheiman.com"
"zack@zacharyscheiman.com"
"zachary@zacharyscheiman.com"
# required aliases
"postmaster@zacharyscheiman.com"
"abuse@zacharyscheiman.com"
"security@zacharyscheiman.com"
];
};
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = "acme-nginx";
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "security@zacharyscheiman.com";
}

46
hosts/crayon/nginx.nix Normal file
View file

@ -0,0 +1,46 @@
{ pkgs, config, ... }:
let
mkVirtHosts = virtHosts:
builtins.listToAttrs (builtins.map (name: {
name = name;
value = (builtins.import ./www/${name}.nix {
# we have to explicitly pass in arguments because we're using import
phpsock = config.services.phpfpm.pools.nginx.socket;
inherit pkgs;
});
}) <| virtHosts);
in {
networking.firewall.allowedTCPPorts = [ 80 443 ];
# setup phpfpm pooler for sites using php
services.phpfpm.pools = {
nginx = {
user = config.services.nginx.user;
group = config.services.nginx.group;
phpPackage = pkgs.php;
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"listen.mode" = "0660";
"pm" = "dynamic";
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
};
};
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts = mkVirtHosts [
"squi.bid"
"5438.squi.bid"
"voidpkgs.squi.bid"
];
};
}

12
hosts/crayon/www/5438.squi.bid.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
root = "/var/www/5438"; # TODO: make declarative
locations."/" = {
index = "zacharys-guide.pdf";
};
# https
enableACME = true;
forceSSL = true;
}

31
hosts/crayon/www/squi.bid.nix Normal file
View file

@ -0,0 +1,31 @@
{ phpsock, pkgs, ... }:
{
serverAliases = ["www.squi.bid"];
root = "/var/www/squi.bid"; # TODO: make declarative
locations = {
"/" = {
tryFiles = "$uri $uri.html $uri/ @extensionless-php";
index = "index.html index.htm index.php";
};
"~ \\.php$" = {
extraConfig = ''
fastcgi_pass unix:${phpsock};
include ${pkgs.nginx}/conf/fastcgi.conf;
expires 3m;
add_header Cache-Control "max-age=180, public";
'';
};
"~* \\.(?:css|js|jpg|png)$" = {
extraConfig = ''
expires 1y;
access_log off;
add_header Cache-Control "max-age=31556952, public";
'';
};
};
# https
enableACME = true;
forceSSL = true;
}

17
hosts/crayon/www/voidpkgs.squi.bid.nix Normal file
View file

@ -0,0 +1,17 @@
{ ... }:
{
root = "/var/www/voidpkgs"; # TODO: make declarative
locations."/" = {
extraConfig = ''
try_files $uri $uri/ =404;
sendfile on;
sendfile_max_chunk 1m;
autoindex on;
'';
};
# https
enableACME = true;
forceSSL = true;
}