13 changed files with 247 additions and 47 deletions
--- a/default.nix
+++ b/default.nix
@ -2,7 +2,7 @@
 let
  inherit (builtins) toString;
-  inherit (lib.modules) mkDefault mkIf;
+  inherit (lib.modules) mkDefault;
  inherit (lib.my) mapModulesRec';
 in {
  imports =
@ -15,7 +15,6 @@ in {
    package = pkgs.nix;
    # flake registry and nix path pinning
    # might not be needed? see: https://github.com/NixOS/nixpkgs/commit/e456032addae76701eb17e6c03fc515fd78ad74f
    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
    registry.nixpkgs.flake = inputs.nixpkgs;
@ -33,9 +32,6 @@ in {
  	};
  };
  # set our git revision inside `nixos-version`
  system.configurationRevision = with inputs; mkIf (self ? rev) self.rev;
  time.timeZone = mkDefault "America/Los_Angeles";
  i18n.defaultLocale = mkDefault "en_US.UTF-8";
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1710164657,
+        "lastModified": 1709485962,
-        "narHash": "sha256-l64+ZjaQAVkHDVaK0VHwtXBdjcBD6nLBD+p7IfyBp/w=",
+        "narHash": "sha256-rmFB4uE10+LJbcVE4ePgiuHOBlUIjQOeZt4VQVJTU8M=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "017b12de5b899ef9b64e2c035ce257bfe95b8ae2",
+        "rev": "d579633ff9915a8f4058d5c439281097e92380a8",
        "type": "github"
      },
      "original": {
@ -22,11 +22,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1709961763,
+        "lastModified": 1709237383,
-        "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
+        "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34",
+        "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,5 +1,5 @@
 {
-  description = "a collection of personal nix configurations";
+  description = "Flake-o-rama";
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
--- a/hosts/nixos-server-reid/default.nix
+++ b/hosts/nixos-server-reid/default.nix
@ -4,16 +4,20 @@ let
 in {
  imports = [
-    ./hardware.nix
+    ./hardware-configuration.nix
    ./webapps/default.nix
  ];
  users.groups.dotfiles = {};
  # HACK HACK HACK
  services.logrotate.checkConfig = false;
  # HACK HACK HACK
  normalUsers = {
    reidlab = {
      conf = {
-        packages = with pkgs; [
+        packages = with pkgs; [ bat tree micro duf ];
          bat btop duf file micro nix-output-monitor tree which
        ];
        extraGroups = [ "wheel" "dotfiles" ];
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc"
@ -29,6 +33,11 @@ in {
    };
  };
  keyboard = {
    locale = "en_US.UTF-8";
    variant = "qwerty";
  };
  modules = {
    services = {
      ssh = {
@ -46,6 +55,8 @@ in {
    security.useDoas = false;
  };
-  # enable network manager - probably not the best on a single server but Oh Well
+  networking = {
-  networking.networkmanager.enable = true;
+    hostName = "nixos-server-reid";
    networkmanager.enable = true;
  };
 }
--- a/hosts/server/hardware-configuration.nix
+++ b/hosts/server/hardware-configuration.nix
@ -7,12 +7,10 @@
    ];
  boot = {
-    initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
+    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
 	initrd.kernelModules = [ ];
 	kernelModules = [ ];
 	extraModulePackages = [ ];
 	# TODO: move bootloader, networking, boot speed to another file?
    kernelPackages = pkgs.linuxPackages_latest;
 	kernelModules = [ ];
    loader = {
      # use u-boot over grub
      grub.enable = lib.mkForce false;
@ -20,13 +18,14 @@
    };
  };
-  fileSystems."/" = {
+  fileSystems = {
  	"/" = {
  	  device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
      fsType = "ext4";
    };
  };
-  swapDevices = 
+  swapDevices = [ ];
    [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/hosts/nixos-server-reid/webapps/default.nix
+++ b/hosts/nixos-server-reid/webapps/default.nix
@ -12,10 +12,15 @@ in {
          port = 3000;
        };
        metrics = {
          enable = false;
          domain = "metrics.reidlab.online";
          port = 2342;
        };
        # you should probably keep this on
-        # actually enables nginx, configures acme,
+        # configures acme, gzip, optimization, proxy, and ssl config
-        # gzip, optimization, proxy, ssl config,
+        # opens ports and adds some Headers
        # opens ports, and adds some Headers
        nginx-config = {
          enable = true;
          defaultLuaPackagePath = /var/www/reidlab.online/lua;
--- a/modules/keyboard.nix
+++ b/modules/keyboard.nix
@ -0,0 +1,17 @@
 { config, lib, pkgs, options, ... }:
 with lib;
 let
  cfg = config.keyboard;
 in {
  options.keyboard = {
    locale = mkOption {
      type = types.str;
      default = "en_US.UTF-8";
    };
    variant = mkOption {
      type = types.str;
      default = "";
    };
  };
 }
--- a/modules/security.nix
+++ b/modules/security.nix
@ -5,7 +5,7 @@ let
  cfg = config.modules.security;
 in {
  options.modules.security = {
-    useDoas = mkEnableOption "use opendoas instead of sudo";
+    useDoas = mkEnableOption "use doas instead of sudo";
  };
  config = mkIf cfg.enable {
@ -23,7 +23,7 @@ in {
          # do not accept IP source packets (we are not a router)
          "net.ipv4.conf.all.accept_source_route" = 0;
          "net.ipv6.conf.all.accept_source_route" = 0;
-          # don't send ICMP redirects (again, we're not a router)
+          # Don't send ICMP redirects (again, we're not a router)
          "net.ipv4.conf.all.send_redirects" = 0;
          "net.ipv4.conf.default.send_redirects" = 0;
          # refuse ICMP redirects (MITM mitigations)
@ -49,16 +49,9 @@ in {
      };
      security = {
        # prevents replacing the kernel without a reboot
      	protectKernelImage = true;
      	# rtkit allows unprivileged processes to use realtime scheduling
        # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
      	rtkit.enable = true;
        polkit.enable = true;
      };
      # while this is on by default, i am going to explicitly specify this
      networking.firewall.enable = true;
    } // (mkIf cfg.useDoas {
    	security.sudo.enable = false;
    	security.doas.enable = true;
--- a/modules/services/loki.yml
+++ b/modules/services/loki.yml
@ -0,0 +1,55 @@
 auth_enabled: false
 server:
  http_listen_port: 3100
 ingester:
  lifecycler:
    address: 0.0.0.0
    ring:
      kvstore:
        store: inmemory
      replication_factor: 1
    final_sleep: 0s
  chunk_idle_period: 1h       # Any chunk not receiving new logs in this time will be flushed
  max_chunk_age: 1h           # All chunks will be flushed when they hit this age, default is 1h
  chunk_target_size: 1048576  # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first
  chunk_retain_period: 30s    # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
  max_transfer_retries: 0     # Chunk transfers disabled
 schema_config:
  configs:
    - from: 2023-12-08
      store: boltdb-shipper
      object_store: filesystem
      schema: v11
      index:
        prefix: index_
        period: 24h
 storage_config:
  boltdb_shipper:
    active_index_directory: /var/lib/loki/boltdb-shipper-active
    cache_location: /var/lib/loki/boltdb-shipper-cache
    cache_ttl: 24h         # Can be increased for faster performance over longer query periods, uses more disk space
    shared_store: filesystem
  filesystem:
    directory: /var/lib/loki/chunks
 limits_config:
  reject_old_samples: true
  reject_old_samples_max_age: 168h
 chunk_store_config:
  max_look_back_period: 0s
 table_manager:
  retention_deletes_enabled: false
  retention_period: 0s
 compactor:
  working_directory: /var/lib/loki
  shared_store: filesystem
  compactor_ring:
    kvstore:
      store: inmemory
--- a/modules/services/metrics.nix
+++ b/modules/services/metrics.nix
@ -0,0 +1,95 @@
 { config, lib, pkgs, options, ... }:
 with lib;
 let
  cfg = config.modules.services.metrics;
 in {
  options.modules.services.metrics = {
    enable = mkEnableOption "enable grafana with loki, prometheus, and promtail";
    domain = mkOption {
      type = types.str;
      default = "grafana.reidlab.online";
    };
    port = mkOption {
      type = types.int;
      default = 2342;
    };
  };
  config = mkIf cfg.enable {
    systemd.services.promtail = {
      description = "promtail, an agent for loki";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = ''
          ${pkgs.grafana-loki}/bin/promtail --config.file ${./promtail.yml}
        '';
      };
    };
    services = {
      grafana = {
        enable = true;
        settings = {
          server = {
            domain = cfg.domain;
            http_port = cfg.port;
            http_addr = "127.0.0.1";
          };
        };
      };
      prometheus = let
        ports = {
          base = 9001;
          node = 9002;
          nginx = 9003;
        };
      in {
        enable = true;
        port = ports.base;
        exporters = {
          node = {
            enable = true;
            enabledCollectors = [ "systemd" ];
            port = ports.node;
          };
          nginx = {
            enable = true;
            port = ports.nginx;
          };
        };
        scrapeConfigs = [
          {
            job_name = "nixos-server-reid";
            static_configs = [{
              targets = [
                "127.0.0.1:${toString ports.node}"
                "127.0.0.1:${toString ports.nginx}"
              ];
            }];
          }
        ];
      };
      loki = {
        enable = true;
        configFile = ./loki.yml;
      };
      nginx.statusPage = true;
      nginx.virtualHosts."${cfg.domain}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString cfg.port}";
          proxyWebsockets = true;
        };
      };
    };
  };
 }
--- a/modules/services/nginx-conf.nix
+++ b/modules/services/nginx-conf.nix
@ -5,7 +5,7 @@ let
  cfg = config.modules.services.nginx-config;
 in {
  options.modules.services.nginx-config = {
-	enable = mkEnableOption "enable and configure nginx. you know what nginx is.";
+	enable = mkEnableOption "enable nginx, a high performance web server along with default configurations";
    package = mkOption {
      type = types.package;
@ -28,7 +28,6 @@ in {
    security.acme = {
      acceptTerms = true;
      defaults.email = "reidlab325@gmail.com";
      # uncomment me for staging!
      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };
@ -41,6 +40,8 @@ in {
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      logError = "stderr warn";
      # TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this.
      commonHttpConfig = let
        # lua
--- a/modules/services/promtail.yml
+++ b/modules/services/promtail.yml
@ -0,0 +1,20 @@
 server:
  http_listen_port: 28183
  grpc_listen_port: 0
 positions:
  filename: /tmp/positions.yaml
 clients:
  - url: http://127.0.0.1:3100/loki/api/v1/push
 scrape_configs:
  - job_name: journal
    journal:
      max_age: 12h
      labels:
        job: systemd-journal
        host: nixos-server-reid
    relabel_configs:
      - source_labels: ["__journal__systemd_unit"]
        target_label: "unit"
--- a/readme.md
+++ b/readme.md
@ -1,19 +1,27 @@
-# nix-server
+# flake-o-rama
 nix flake config! this is just used on my personal server at the moment
 please do not use this as a learning resource for nix as i have essentially zero clue what i'm doing
 ## users
-this flake is built for a multi-user experience per host, enforced by [`modules/users.nix`](./modules/users.nix), and found in the `default.nix` file for each host.
+this flake is built for a multi-user experience per host, enforced by `modules/user.nix`, and found in the `default.nix` file for each host.
 as this is a multi-user setup, the `dotfiles` group will be used for read and write access to the flake
 ## development
 to build the system, run `sudo nixos-rebuild switch --flake .#server`
 please periodically run `nix flake update` to make sure we arent slacking on package versions
 before committing, please run `nix flake check` and make sure everything is ok
 ## todo
- remove the lua static stuff from nginx + maybe cloudflare ips too + redis
+- remove the lua static stuff from nginx + maybe cloudflare ips too
 - per-host architecture selection, atm it is hardcoded to `aarch64`
 - some weird perl error abt locales when building using doas - `keepEnv` might fix this
 - move common config such as bootloader and networking settings to [`default.nix`](./default.nix)
 - swap back to hardened kernel
 - leverage nixos-hardware
- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup - we can always give this up if needed
+- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup
 - flake-parts
 - god im ruining everything for myself. maybe just make another repo for desktops