default.nix

@@ -7,32 +7,13 @@ in {
     [ inputs.home-manager.nixosModules.home-manager ]
     ++ _.mapModulesRec' ./modules import;
 
-  nix = {
-  	settings = {
-      experimental-features = [ "nix-command" "flakes" ];
-      auto-optimise-store = true;
-      keep-outputs = true;
-      keep-derivations = true;
-      substituters = [ 
-        "https://nix-community.cachix.org" 
-      ];
-      trusted-public-keys = [
-      	"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      ];
-  	};
-  };
-
   environment.systemPackages = with pkgs; [
-    unrar unzip
+    curl git
-    curl wget
-    # hello! if you remove this, good luck
-    # ever rebuilding your system using flakes!
-    git
   ];
 
-  time.timeZone = lib.mkDefault "America/Los_Angeles";
+  i18n.defaultLocale = "en_US.UTF-8";
 
-  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
   
   system.stateVersion = lib.mkDefault "23.11";
 }

hosts/server/default.nix

@@ -10,6 +10,13 @@ in {
     ./webapps/default.nix
   ];
 
+  user = {
+    packages = with pkgs; [
+      git
+      curl
+    ];
+  };
+
   users.groups.dotfiles = {};
 
   normalUsers = {
@@ -50,7 +57,7 @@ in {
       mosh.enable = true;
     };
 
-    security.useDoas = true;
+    security.enable = true;
   };
 
   time.timeZone = "America/Los_Angeles";

hosts/server/webapps/default.nix

@@ -12,17 +12,10 @@ in {
           port = 3000;
         };
 
-        # you should probably keep this on
-        # configures acme, gzip, optimization, proxy, and ssl config
-        # opens ports and adds some Headers
         nginx-config = {
           enable = true;
           defaultLuaPackagePath = /var/www/reidlab.online/lua;
         };
-
-        staticSites = {
-          "v2.reidlab.online".dataDir = "/var/www/v2.reidlab.online";	
-        };
       };
     };
 

modules/security.nix

@@ -5,43 +5,33 @@ let
   cfg = config.modules.security;
 in {
   options.modules.security = {
-    useDoas = mkEnableOption "use doas instead of sudo";
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+    };
   };
 
   config = mkIf cfg.enable {
-	boot = {
+    security.rtkit.enable = true;
-		tmp.useTmpfs = lib.mkDefault true;
-		tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
 
-    	kernel.sysctl = {
+    boot.kernel.sysctl = {
-      	  "kernel.sysrq" = 0;
+      "kernel.sysrq" = 0;
 
-          "net.ipv4.conf.all.accept_source_code" = 0;
+      "net.ipv4.conf.all.accept_source_code" = 0;
-          "net.ipv6.conf.all.accept_source_code" = 0;
+      "net.ipv6.conf.all.accept_source_code" = 0;
-          "net.ipv4.conf.default.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
-          "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.all.send_redirects" = 0;
-          "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
-          "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.all.accept_redirects" = 0;
-          "net.ipv6.conf.default.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
-          "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
-          "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
-          "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
-          "net.ipv4.tcp_syncookies" = 1;
+      "net.ipv4.tcp_syncookies" = 1;
-          "net.ipv4.tcp_rfc1337" = 1;
+      "net.ipv4.tcp_rfc1337" = 1;
-          "net.ipv4.tcp_fastopen" = 3;
+      "net.ipv4.tcp_fastopen" = 3;
-          "net.ipv4.tcp_conjestion_control" = "bbr";
+      "net.ipv4.tcp_conjestion_control" = "bbr";
-          "net.core.default_qdisc" = "cake";
+      "net.core.default_qdisc" = "cake";
-        };
+    };
-      };
+  };
-
-      security = {
-      	protectKernelImage = true;
-      	polkit.enable = true;
-      	rtkit.enable = true;
-      };
-    } // (mkIf cfg.useDoas {
-    	security.sudo.enable = false;
-    	security.doas.enable = true;
-    	environment.systemPackages = with pkgs; [ doas-sudo-shim ];
-    });
 }

modules/services/staticSites.nix

@@ -1,88 +0,0 @@
-{ pkgs, lib, config, options, ... }:
-
-with lib;
-let
-  sites = config.modules.services.staticSites;
-  staticSiteModule.options = {
-    dataDir = mkOption {
-      type = types.oneOf [ types.str types.path ];
-      default = null;
-    };
-
-    auth = mkOption {
-      type = types.attrsOf types.str;
-      description = "Basic authentication options. Defines a set of user = password pairs.";
-      example = literalExpr ''
-        {
-          user = "password";
-          anotherUser = "anotherPassword";
-          /* ... */
-        }
-      '';
-      default = {};
-    };
-
-    disableLogsForMisc = mkOption {
-      type = types.bool;
-      description = "Disables access logs for /favicon.ico and /robots.txt";
-      default = true;
-    };
-
-    denySensitivePaths = mkOption {
-      type = types.bool;
-      description = "Disables access to paths starting with a . (except well-known) to prevent leaking potentially sensitive data";
-      default = true;
-    };
-
-    forceSSL = mkOption {
-      type = types.bool;
-      description = "Redirects HTTP requests to HTTPS.";
-      default = true;
-    };
-  };
-in {
-  options.modules.services.staticSites = mkOption {
-    type = types.attrsOf (types.submodule staticSiteModule);
-    example = literalExpression ''
-      {
-        "goop.network".dataDir = /var/www/goop.network;
-        "reidlab.online".dataDir = /etc/secret/private/reidlab-online;
-      }
-    '';
-    default = {};
-  };
-
-  config = {
-    assertions = mapAttrsToList (domain: _@{dataDir, ...}:
-      { assertion = dataDir != null;
-        description = "${domain} must specify a dataDir.";
-      }) sites;
-
-    services.nginx.virtualHosts = mkMerge (mapAttrsToList (domain: site: {
-      ${domain} = {
-        locations = mkMerge [
-          { "/".basicAuth = site.auth; }
-
-          ( mkIf site.disableLogsForMisc {
-            "= /favicon.ico".extraConfig = ''
-              access_log off;
-              log_not_found off;
-            '';
-            "= /robots.txt".extraConfig = ''
-              access_log off;
-              log_not_found off;
-            '';
-          })
-
-          ( mkIf site.denySensitivePaths {
-            "${''~ /\.(?!well-known).*''}".extraConfig = ''deny all;'';
-          })
-        ];
-        forceSSL = site.forceSSL;
-        addSSL = !site.forceSSL;
-        enableACME = true;
-        root = site.dataDir;
-      };
-    }) sites);
-  };
-}

readme.md

@@ -15,11 +15,3 @@ to build the system, run `sudo nixos-rebuild switch --flake ".#server"`
 please periodically run `nix flake update` to make sure we arent slacking on package versions
 
 before committing, please run `nix flake check` and make sure everything is ok
-
-## todo
-
-- analytics using matomo
-- php support in staticsites
-- no more luapackagepath. please stop.
-- not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error
-- this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz