init

hosts/server/configuration.nix

@@ -0,0 +1,207 @@
+{ config, lib, pkgs, luaOlder, buildLuarocksPackage, lua, fetchgit, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+    ];
+
+  # Git
+  environment.systemPackages = [
+    pkgs.git
+  ];
+
+  # Bootloader
+  boot.loader.grub.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = true;
+ 
+  # Enable flakes
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # Networking
+  networking.hostName = "nixos-server-reid";
+  networking.wireless.environmentFile = "/run/secrets/wireless.env";
+  networking.wireless = {
+    enable = true;
+    userControlled.enable = true;
+    networks = {
+      Ryan = {
+        psk = "@password@";
+      };
+    };
+  };
+
+  # Set your time zone.
+  time.timeZone = "America/Los_Angeles";
+
+  # Users  
+  # Users - reidlab
+  users.users.reidlab = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "dotfiles" ];
+    packages = with pkgs; [
+      tree
+    ];
+  };
+
+  # Services
+  # Services - Openssh
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "no";
+  };
+
+  # Services - Nginx
+  services.nginx = {
+    package = pkgs.openresty;
+    enable = true;
+
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+  };
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 80 443 ];
+  };
+  services.nginx.commonHttpConfig = let
+    lua-resty-template = pkgs.fetchFromGitHub {
+      owner = "bungle";
+      repo = "lua-resty-template";
+      rev = "v2.0";
+      sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";      
+    };
+    lua-resty-redis = pkgs.fetchFromGitHub {
+      owner = "openresty";
+      repo = "lua-resty-redis";
+      rev = "v0.29";
+      sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
+    };
+  in ''
+    # Lua path
+    lua_package_path "/var/www/reidlab.online/lua/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;";
+
+    # Add HSTS header with preloading to HTTPS requests.
+    # Adding this header to HTTP requests is discouraged
+    map $scheme $hsts_header {
+        https   "max-age=31536000; includeSubdomains; preload";
+    }
+    add_header Strict-Transport-Security $hsts_header;
+
+    # Enable CSP for your services.
+    # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+    # ^ this above is breaking forgejo
+
+    # Minimize information leaked to other domains
+    add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+    # Disable embedding as a frame
+    add_header X-Frame-Options DENY;
+
+    # Prevent injection of code in other mime types (XSS Attacks)
+    add_header X-Content-Type-Options nosniff;
+
+    # Enable XSS protection of the browser.
+    # May be unnecessary when CSP is configured properly (see above)
+    add_header X-XSS-Protection "1; mode=block";
+
+    # This might create errors
+    proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+  '';
+  services.nginx.virtualHosts."reidlab.online" = {
+    forceSSL = true;
+    enableACME = true;
+    root = "/var/www/reidlab.online/public";
+    extraConfig = ''
+      error_page 404 /errors/404.html;
+      error_page 403 /errors/403.html;
+      error_page 500 /errors/500.html;
+      location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
+      location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
+      location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
+      location / {
+        try_files $uri @main;
+      }
+
+      location /chat {
+        access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
+      }
+
+      location @main {
+        content_by_lua '
+            require("main").handle_request()
+        ';
+      }
+    '';
+  };
+
+  # Services - Forgejo
+  services.gitea = {
+    enable = true;
+    package = pkgs.forgejo;
+    stateDir = "/var/lib/git.reidlab.online";
+    appName = "Forgejo: reidlab.online git";
+    database = {
+      type = "postgres";
+      name = "gitea";
+    };
+    settings = {
+      "security" = {
+        INSTALL_LOCK = true;
+        PASSWORD_HASH_ALGO = "argon2";	
+        PASSWORD_CHECK_PWN = true;
+      };
+      "ui.meta" = {
+        AUTHOR = "reidlab";
+        DESCRIPTION = "reidlab's git instance";
+      };
+      "server" = {
+        DOMAIN = "git.reidlab.online";
+        HTTP_PORT = 3000;
+        ROOT_URL = "https://git.reidlab.online/";
+      };
+      "repository" = {
+        DEFAULT_BRANCH = "main";
+      };
+      "picture" = {
+        DISABLE_GRAVATAR = false;
+        ENABLE_FEDERATED_AVATAR = true;
+      };
+      "service" = {
+        ENABLE_CAPTCHA = false;
+        REGISTER_EMAIL_CONFIRM = false;
+        DEFAULT_KEEP_EMAIL_PRIVATE = true;
+        DEFAULT_ENABLE_TIMETRACKING = true;
+        DISABLE_REGISTRATION = true;
+      };
+    };
+  };
+  services.nginx.virtualHosts."git.reidlab.online" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".extraConfig = ''
+      proxy_pass "http://127.0.0.1:3000";
+    '';
+  };
+
+  # Services - Postgres
+  services.postgresql.enable = true;
+
+  # Services - Redis
+  services.redis.enable = true;
+
+  # Security
+  security = {
+    protectKernelImage = true;
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    email = "reidlab325@gmail.com";
+  };
+
+  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+  system.stateVersion = "23.11"; # Did you read the comment?
+}
+

hosts/server/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}