change a Xomment

default.nix

@@ -2,7 +2,7 @@
 
 let
   inherit (builtins) toString;
-  inherit (lib.modules) mkDefault;
+  inherit (lib.modules) mkDefault mkIf;
   inherit (lib.my) mapModulesRec';
 in {
   imports =
@@ -15,6 +15,7 @@ in {
     package = pkgs.nix;
 
     # flake registry and nix path pinning
+    # might not be needed? see: https://github.com/NixOS/nixpkgs/commit/e456032addae76701eb17e6c03fc515fd78ad74f
     nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
     registry.nixpkgs.flake = inputs.nixpkgs;
   
@@ -32,6 +33,9 @@ in {
   	};
   };
 
+  # set our git revision inside `nixos-version`
+  system.configurationRevision = with inputs; mkIf (self ? rev) self.rev;
+
   time.timeZone = mkDefault "America/Los_Angeles";
   
   i18n.defaultLocale = mkDefault "en_US.UTF-8";

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709485962,
+        "lastModified": 1710164657,
-        "narHash": "sha256-rmFB4uE10+LJbcVE4ePgiuHOBlUIjQOeZt4VQVJTU8M=",
+        "narHash": "sha256-l64+ZjaQAVkHDVaK0VHwtXBdjcBD6nLBD+p7IfyBp/w=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d579633ff9915a8f4058d5c439281097e92380a8",
+        "rev": "017b12de5b899ef9b64e2c035ce257bfe95b8ae2",
         "type": "github"
       },
       "original": {
@@ -22,11 +22,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1709237383,
+        "lastModified": 1709961763,
-        "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=",
+        "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8",
+        "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,5 +1,5 @@
 {
-  description = "Flake-o-rama";
+  description = "a collection of personal nix configurations";
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

hosts/nixos-server-reid/default.nix

@@ -4,20 +4,16 @@ let
 
 in {
   imports = [
-    ./hardware-configuration.nix
+    ./hardware.nix
     ./webapps/default.nix
   ];
 
-  users.groups.dotfiles = {};
-
-  # HACK HACK HACK
-  services.logrotate.checkConfig = false;
-  # HACK HACK HACK
-
   normalUsers = {
     reidlab = {
       conf = {
-        packages = with pkgs; [ bat tree micro duf ];
+        packages = with pkgs; [
+          bat btop duf file micro nix-output-monitor tree which
+        ];
         extraGroups = [ "wheel" "dotfiles" ];
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc"
@@ -33,11 +29,6 @@ in {
     };
   };
 
-  keyboard = {
-    locale = "en_US.UTF-8";
-    variant = "qwerty";
-  };
-
   modules = {
     services = {
       ssh = {
@@ -55,8 +46,6 @@ in {
     security.useDoas = false;
   };
 
-  networking = {
+  # enable network manager - probably not the best on a single server but Oh Well
-    hostName = "nixos-server-reid";
+  networking.networkmanager.enable = true;
-    networkmanager.enable = true;
-  };
 }

hosts/nixos-server-reid/hardware.nix

@@ -7,10 +7,12 @@
     ];
 
   boot = {
-    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+    initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
 	initrd.kernelModules = [ ];
-    kernelPackages = pkgs.linuxPackages_latest;
 	kernelModules = [ ];
+	extraModulePackages = [ ];
+	# TODO: move bootloader, networking, boot speed to another file?
+    kernelPackages = pkgs.linuxPackages_latest;
     loader = {
       # use u-boot over grub
       grub.enable = lib.mkForce false;
@@ -18,14 +20,13 @@
     };
   };
 
-  fileSystems = {
+  fileSystems."/" = {
-  	"/" = {
   	  device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
       fsType = "ext4";
     };
-  };
 
-  swapDevices = [ ];
+  swapDevices = 
+    [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

hosts/nixos-server-reid/webapps/default.nix

@@ -12,15 +12,10 @@ in {
           port = 3000;
         };
 
-        metrics = {
-          enable = false;
-          domain = "metrics.reidlab.online";
-          port = 2342;
-        };
-
         # you should probably keep this on
-        # configures acme, gzip, optimization, proxy, and ssl config
+        # actually enables nginx, configures acme,
-        # opens ports and adds some Headers
+        # gzip, optimization, proxy, ssl config,
+        # opens ports, and adds some Headers
         nginx-config = {
           enable = true;
           defaultLuaPackagePath = /var/www/reidlab.online/lua;

modules/keyboard.nix

@@ -1,17 +0,0 @@
-{ config, lib, pkgs, options, ... }:
-
-with lib;
-let
-  cfg = config.keyboard;
-in {
-  options.keyboard = {
-    locale = mkOption {
-      type = types.str;
-      default = "en_US.UTF-8";
-    };
-    variant = mkOption {
-      type = types.str;
-      default = "";
-    };
-  };
-}

modules/security.nix

@@ -5,7 +5,7 @@ let
   cfg = config.modules.security;
 in {
   options.modules.security = {
-    useDoas = mkEnableOption "use doas instead of sudo";
+    useDoas = mkEnableOption "use opendoas instead of sudo";
   };
 
   config = mkIf cfg.enable {
@@ -23,7 +23,7 @@ in {
           # do not accept IP source packets (we are not a router)
           "net.ipv4.conf.all.accept_source_route" = 0;
           "net.ipv6.conf.all.accept_source_route" = 0;
-          # Don't send ICMP redirects (again, we're not a router)
+          # don't send ICMP redirects (again, we're not a router)
           "net.ipv4.conf.all.send_redirects" = 0;
           "net.ipv4.conf.default.send_redirects" = 0;
           # refuse ICMP redirects (MITM mitigations)
@@ -49,9 +49,16 @@ in {
       };
 
       security = {
+        # prevents replacing the kernel without a reboot
       	protectKernelImage = true;
+      	# rtkit allows unprivileged processes to use realtime scheduling
+        # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
       	rtkit.enable = true;
+        polkit.enable = true;
       };
+
+      # while this is on by default, i am going to explicitly specify this
+      networking.firewall.enable = true;
     } // (mkIf cfg.useDoas {
     	security.sudo.enable = false;
     	security.doas.enable = true;

modules/services/loki.yml

@@ -1,55 +0,0 @@
-auth_enabled: false
-
-server:
-  http_listen_port: 3100
-
-ingester:
-  lifecycler:
-    address: 0.0.0.0
-    ring:
-      kvstore:
-        store: inmemory
-      replication_factor: 1
-    final_sleep: 0s
-  chunk_idle_period: 1h       # Any chunk not receiving new logs in this time will be flushed
-  max_chunk_age: 1h           # All chunks will be flushed when they hit this age, default is 1h
-  chunk_target_size: 1048576  # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first
-  chunk_retain_period: 30s    # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
-  max_transfer_retries: 0     # Chunk transfers disabled
-
-schema_config:
-  configs:
-    - from: 2023-12-08
-      store: boltdb-shipper
-      object_store: filesystem
-      schema: v11
-      index:
-        prefix: index_
-        period: 24h
-
-storage_config:
-  boltdb_shipper:
-    active_index_directory: /var/lib/loki/boltdb-shipper-active
-    cache_location: /var/lib/loki/boltdb-shipper-cache
-    cache_ttl: 24h         # Can be increased for faster performance over longer query periods, uses more disk space
-    shared_store: filesystem
-  filesystem:
-    directory: /var/lib/loki/chunks
-
-limits_config:
-  reject_old_samples: true
-  reject_old_samples_max_age: 168h
-
-chunk_store_config:
-  max_look_back_period: 0s
-
-table_manager:
-  retention_deletes_enabled: false
-  retention_period: 0s
-
-compactor:
-  working_directory: /var/lib/loki
-  shared_store: filesystem
-  compactor_ring:
-    kvstore:
-      store: inmemory

modules/services/metrics.nix

@@ -1,95 +0,0 @@
-{ config, lib, pkgs, options, ... }:
-
-with lib;
-let
-  cfg = config.modules.services.metrics;
-in {
-  options.modules.services.metrics = {
-    enable = mkEnableOption "enable grafana with loki, prometheus, and promtail";
-    domain = mkOption {
-      type = types.str;
-      default = "grafana.reidlab.online";
-    };
-    port = mkOption {
-      type = types.int;
-      default = 2342;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    systemd.services.promtail = {
-      description = "promtail, an agent for loki";
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = {
-        ExecStart = ''
-          ${pkgs.grafana-loki}/bin/promtail --config.file ${./promtail.yml}
-        '';
-      };
-    };
-    services = {
-      grafana = {
-        enable = true;
-
-        settings = {
-          server = {
-            domain = cfg.domain;
-            http_port = cfg.port;
-            http_addr = "127.0.0.1";
-          };
-        };
-      };
-
-      prometheus = let
-        ports = {
-          base = 9001;
-          node = 9002;
-          nginx = 9003;
-        };
-      in {
-        enable = true;
-        port = ports.base;
-
-        exporters = {
-          node = {
-            enable = true;
-            enabledCollectors = [ "systemd" ];
-            port = ports.node;
-          };
-          nginx = {
-            enable = true;
-            port = ports.nginx;
-          };
-        };
-
-        scrapeConfigs = [
-          {
-            job_name = "nixos-server-reid";
-            static_configs = [{
-              targets = [
-                "127.0.0.1:${toString ports.node}"
-                "127.0.0.1:${toString ports.nginx}"
-              ];
-            }];
-          }
-        ];
-      };
-
-      loki = {
-        enable = true;
-        configFile = ./loki.yml;
-      };
-
-      nginx.statusPage = true;
-
-      nginx.virtualHosts."${cfg.domain}" = {
-        forceSSL = true;
-        enableACME = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString cfg.port}";
-          proxyWebsockets = true;
-        };
-      };
-    };
-  };
-}

modules/services/nginx-conf.nix

@@ -5,7 +5,7 @@ let
   cfg = config.modules.services.nginx-config;
 in {
   options.modules.services.nginx-config = {
-	enable = mkEnableOption "enable nginx, a high performance web server along with default configurations";
+	enable = mkEnableOption "enable and configure nginx. you know what nginx is.";
 
     package = mkOption {
       type = types.package;
@@ -28,6 +28,7 @@ in {
     security.acme = {
       acceptTerms = true;
       defaults.email = "reidlab325@gmail.com";
+      # uncomment me for staging!
       # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
     };
 
@@ -40,8 +41,6 @@ in {
       recommendedGzipSettings = true;
       recommendedProxySettings = true;
 
-      logError = "stderr warn";
-
       # TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this.
       commonHttpConfig = let
         # lua

modules/services/promtail.yml

@@ -1,20 +0,0 @@
-server:
-  http_listen_port: 28183
-  grpc_listen_port: 0
-
-positions:
-  filename: /tmp/positions.yaml
-
-clients:
-  - url: http://127.0.0.1:3100/loki/api/v1/push
-
-scrape_configs:
-  - job_name: journal
-    journal:
-      max_age: 12h
-      labels:
-        job: systemd-journal
-        host: nixos-server-reid
-    relabel_configs:
-      - source_labels: ["__journal__systemd_unit"]
-        target_label: "unit"

readme.md

@@ -1,27 +1,19 @@
-# flake-o-rama
+# nix-server
 
 nix flake config! this is just used on my personal server at the moment
 
-please do not use this as a learning resource for nix as i have essentially zero clue what i'm doing
-
 ## users
 
-this flake is built for a multi-user experience per host, enforced by `modules/user.nix`, and found in the `default.nix` file for each host.
+this flake is built for a multi-user experience per host, enforced by [`modules/users.nix`](./modules/users.nix), and found in the `default.nix` file for each host.
-
-as this is a multi-user setup, the `dotfiles` group will be used for read and write access to the flake
-
-## development
-
-to build the system, run `sudo nixos-rebuild switch --flake .#server`
-
-please periodically run `nix flake update` to make sure we arent slacking on package versions
-
-before committing, please run `nix flake check` and make sure everything is ok
 
 ## todo
 
-- remove the lua static stuff from nginx + maybe cloudflare ips too
+- remove the lua static stuff from nginx + maybe cloudflare ips too + redis
 - per-host architecture selection, atm it is hardcoded to `aarch64`
 - some weird perl error abt locales when building using doas - `keepEnv` might fix this
+- move common config such as bootloader and networking settings to [`default.nix`](./default.nix)
+- swap back to hardened kernel
 - leverage nixos-hardware
-- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup
+- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup - we can always give this up if needed
+- flake-parts
+- god im ruining everything for myself. maybe just make another repo for desktops