init

2023-08-09 21:05:37 -07:00 · 2023-08-09 21:05:37 -07:00 · 834ba83f0b
commit 834ba83f0b
4 changed files with 294 additions and 0 deletions
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1691368598,
        "narHash": "sha256-ia7li22keBBbj02tEdqjVeLtc7ZlSBuhUk+7XTUFr14=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "5a8e9243812ba528000995b294292d3b5e120947",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,27 @@
 {
  description = "A very basic flake";
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
  };
  outputs = { self, nixpkgs }:
  let
    system = "aarch64-linux";
    pkgs = import nixpkgs {
      allowUnfree = true;
    };
  in
  {
    nixosConfigurations = {
      server = nixpkgs.lib.nixosSystem {
        specialArgs = { inherit system; };
        modules = [
          ./hosts/server/configuration.nix
        ];
      };
    };
  };
 }
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@ -0,0 +1,207 @@
 { config, lib, pkgs, luaOlder, buildLuarocksPackage, lua, fetchgit, ... }:
 {
  imports =
    [
      ./hardware-configuration.nix
    ];
  # Git
  environment.systemPackages = [
    pkgs.git
  ];
  # Bootloader
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  # Enable flakes
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  # Networking
  networking.hostName = "nixos-server-reid";
  networking.wireless.environmentFile = "/run/secrets/wireless.env";
  networking.wireless = {
    enable = true;
    userControlled.enable = true;
    networks = {
      Ryan = {
        psk = "@password@";
      };
    };
  };
  # Set your time zone.
  time.timeZone = "America/Los_Angeles";
  # Users  
  # Users - reidlab
  users.users.reidlab = {
    isNormalUser = true;
    extraGroups = [ "wheel" "dotfiles" ];
    packages = with pkgs; [
      tree
    ];
  };
  # Services
  # Services - Openssh
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
  };
  # Services - Nginx
  services.nginx = {
    package = pkgs.openresty;
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
  };
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
  };
  services.nginx.commonHttpConfig = let
    lua-resty-template = pkgs.fetchFromGitHub {
      owner = "bungle";
      repo = "lua-resty-template";
      rev = "v2.0";
      sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";      
    };
    lua-resty-redis = pkgs.fetchFromGitHub {
      owner = "openresty";
      repo = "lua-resty-redis";
      rev = "v0.29";
      sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
    };
  in ''
    # Lua path
    lua_package_path "/var/www/reidlab.online/lua/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;";
    # Add HSTS header with preloading to HTTPS requests.
    # Adding this header to HTTP requests is discouraged
    map $scheme $hsts_header {
        https   "max-age=31536000; includeSubdomains; preload";
    }
    add_header Strict-Transport-Security $hsts_header;
    # Enable CSP for your services.
    # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    # ^ this above is breaking forgejo
    # Minimize information leaked to other domains
    add_header 'Referrer-Policy' 'origin-when-cross-origin';
    # Disable embedding as a frame
    add_header X-Frame-Options DENY;
    # Prevent injection of code in other mime types (XSS Attacks)
    add_header X-Content-Type-Options nosniff;
    # Enable XSS protection of the browser.
    # May be unnecessary when CSP is configured properly (see above)
    add_header X-XSS-Protection "1; mode=block";
    # This might create errors
    proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
  '';
  services.nginx.virtualHosts."reidlab.online" = {
    forceSSL = true;
    enableACME = true;
    root = "/var/www/reidlab.online/public";
    extraConfig = ''
      error_page 404 /errors/404.html;
      error_page 403 /errors/403.html;
      error_page 500 /errors/500.html;
      location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
      location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
      location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
      location / {
        try_files $uri @main;
      }
      location /chat {
        access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
      }
      location @main {
        content_by_lua '
            require("main").handle_request()
        ';
      }
    '';
  };
  # Services - Forgejo
  services.gitea = {
    enable = true;
    package = pkgs.forgejo;
    stateDir = "/var/lib/git.reidlab.online";
    appName = "Forgejo: reidlab.online git";
    database = {
      type = "postgres";
      name = "gitea";
    };
    settings = {
      "security" = {
        INSTALL_LOCK = true;
        PASSWORD_HASH_ALGO = "argon2";	
        PASSWORD_CHECK_PWN = true;
      };
      "ui.meta" = {
        AUTHOR = "reidlab";
        DESCRIPTION = "reidlab's git instance";
      };
      "server" = {
        DOMAIN = "git.reidlab.online";
        HTTP_PORT = 3000;
        ROOT_URL = "https://git.reidlab.online/";
      };
      "repository" = {
        DEFAULT_BRANCH = "main";
      };
      "picture" = {
        DISABLE_GRAVATAR = false;
        ENABLE_FEDERATED_AVATAR = true;
      };
      "service" = {
        ENABLE_CAPTCHA = false;
        REGISTER_EMAIL_CONFIRM = false;
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        DEFAULT_ENABLE_TIMETRACKING = true;
        DISABLE_REGISTRATION = true;
      };
    };
  };
  services.nginx.virtualHosts."git.reidlab.online" = {
    forceSSL = true;
    enableACME = true;
    locations."/".extraConfig = ''
      proxy_pass "http://127.0.0.1:3000";
    '';
  };
  # Services - Postgres
  services.postgresql.enable = true;
  # Services - Redis
  services.redis.enable = true;
  # Security
  security = {
    protectKernelImage = true;
  };
  security.acme = {
    acceptTerms = true;
    email = "reidlab325@gmail.com";
  };
  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
  system.stateVersion = "23.11"; # Did you read the comment?
 }
--- a/hosts/server/hardware-configuration.nix
+++ b/hosts/server/hardware-configuration.nix
@ -0,0 +1,33 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
      fsType = "ext4";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }