commit 480c4a556c2dcaee2dca6af56becd6b9b4ddf977 Author: Vinzenz Schroeter Date: Sat Jun 7 19:32:00 2025 +0200 initial commit
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..211e81d
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,65 @@
+{
+ networking.hostName = "nix-www";
+ users.users.root.openssh.authorizedKeys.keys = [
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2''
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2''
+ ];
+
+ nix = {
+ settings = {
+ substituters = [
+ "https://cache.nixos.org/"
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ gc = {
+ automatic = true;
+ dates = "daily";
+ options = "--delete-older-than 7d";
+ };
+ optimise.automatic = true;
+ };
+
+ system = {
+ stateVersion = "25.05";
+ # enable auto updates
+ autoUpgrade = {
+ enable = true;
+ allowReboot = true;
+ dates = "daily";
+ flake = "git+https://git.berlin.ccc.de/cccb-website-team/nix-config.git";
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ PermitRootLogin = "without-password";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ networking.firewall = {
+ enable = true;
+ # checkReversePath = "loose";
+ };
+
+ programs = {
+ zsh.enable = true;
+ htop.enable = true;
+ iotop.enable = true;
+ git.enable = true;
+ nano = {
+ enable = true;
+ syntaxHighlight = true;
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..1a7cc56
--- /dev/null
+++ b/flake.lock
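Review bot: `PermitRootLogin = "without-password"` together with keys placed only in `users.users.root.openssh.authorizedKeys.keys` makes root the sole login account on this host, so every interactive session runs as uid 0 and the per-key identity is lost once logged in. The usual hardening is a personal user in `wheel` holding those keys plus `PermitRootLogin = "no"`; if direct root login is intentional, `"prohibit-password"` is the current OpenSSH spelling and `"without-password"` only its deprecated alias. In the `autoUpgrade` block, `allowReboot = true` with `dates = "daily"` and no reboot window lets an upgrade restart the web server at any hour; `rebootWindow = { lower = "01:00"; upper = "05:00"; };` bounds that. The `flake` line also deserves a comment: whoever can push to the default branch of that repository reconfigures (and, via `allowReboot`, reboots) this machine daily, so access control on that branch is part of this host's trust boundary.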
@@ -0,0 +1,48 @@
+{
+ "nodes": {
+ "cccb-www": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1749316976,
+ "narHash": "sha256-L9xnHsdn+ejv7LEvdmnLPjdeVPpwjGDfoEBYa/B7gXU=",
+ "ref": "refs/heads/staging",
+ "rev": "9b0da1e267c160f2aa9ad14f2869b04bfd2467a4",
+ "revCount": 348,
+ "type": "git",
+ "url": "https://git.berlin.ccc.de/cccb-website-team/www.git"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://git.berlin.ccc.de/cccb-website-team/www.git"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1749086602,
+ "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "4792576cb003c994bd7cc1edada3129def20b27d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-25.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "cccb-www": "cccb-www",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..f2d2e0a
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,36 @@
+{
+ description = "A very basic flake";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.05";
+ cccb-www = {
+ url = "git+https://git.berlin.ccc.de/cccb-website-team/www.git";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs =
+ {
+ self,
+ nixpkgs,
+ cccb-www,
+ }:
+ {
+ nixosConfigurations.nix-www = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ specialArgs = {
+ mkWwwContent = cccb-www.lib.mkWwwContent;
+ };
+ modules = [
+ ./configuration.nix
+ ./hardware.nix
+ ./nginx.nix
+ ];
+ };
+
+ formatter = {
+ x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
+ aarch64-linux = nixpkgs.legacyPackages.aarch64-linux.nixfmt-rfc-style;
+ };
+ };
+}
diff --git a/hardware.nix b/hardware.nix
new file mode 100644
index 0000000..ffa8c2e
--- /dev/null
+++ b/hardware.nix
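Review bot: `description = "A very basic flake";` in flake.nix is the `nix flake init` template text and says nothing about this repository; `description = "NixOS configuration for the nix-www host";` would make `nix flake metadata` output meaningful. The `formatter` output is declared for both `x86_64-linux` and `aarch64-linux` while the only system built here is `aarch64-linux`, which reads as an inconsistency until one realises it is for running `nix fmt` from a workstation; a one-line comment such as `# formatter is also offered for x86_64 so `nix fmt` works from developer machines` would settle that for the next reader. The `cccb-www` input tracks the `staging` branch according to flake.lock, so a note on that input saying which branch the production site is expected to follow would help too.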
@@ -0,0 +1,63 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ config = {
+ nixpkgs = {
+ hostPlatform = "aarch64-linux";
+ system = "aarch64-linux";
+ };
+
+ boot = {
+ tmp.cleanOnBoot = true;
+ kernelParams = [ "console=tty" ];
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "virtio_scsi"
+ "sr_mod"
+ "virtio_gpu"
+ ];
+ kernelModules = [ ];
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/73dfcfd2-3a61-4b05-8440-d57072b89eda";
+ fsType = "ext4";
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/E9C2-D85B";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
+ ];
+ };
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/737140f2-c2fd-4af9-9974-f05642f8d90e"; }
+ ];
+
+ networking.useNetworkd = true;
+ systemd.network = {
+ enable = true;
+ networks."10-wan" = {
+ matchConfig.Name = "enp1s0";
+ networkConfig.DHCP = "ipv4";
+ address = [
+ "2a01:4f8:c013:cbdd::1/64"
+ ];
+ routes = [
+ { Gateway = "fe80::1"; }
+ ];
+ };
+ };
+ };
+}
diff --git a/nginx.nix b/nginx.nix
new file mode 100644
index 0000000..ed460ff
--- /dev/null
+++ b/nginx.nix
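Review bot: `nixpkgs.hostPlatform` and `nixpkgs.system` are both set to `"aarch64-linux"` in the `nixpkgs` block, and flake.nix additionally passes `system = "aarch64-linux"` to `nixosSystem`, so the platform is stated three times; `hostPlatform` is the current option and `nixpkgs.system` looks like the legacy spelling of the same thing — confirm against the 25.05 option docs and keep only `hostPlatform`, so the value can never drift between the files. The file also hard-codes values that belong to one specific VM (two disk UUIDs, the swap UUID, the `enp1s0` NIC name and the static `2a01:4f8:c013:cbdd::1/64` address) without saying so; a header comment such as `# Host-specific values for the nix-www VM (disk UUIDs, NIC name, static IPv6); regenerate if the machine is rebuilt.` would stop them being copied to another host. The empty `kernelModules = [ ];` is fine but a trailing `# none needed beyond the initrd defaults` would make the intent explicit.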
@@ -0,0 +1,38 @@
+{ pkgs, mkWwwContent, ... }:
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@zerforschen.plus";
+ };
+
+ security.pam.services.nginx.setEnvironment = false;
+ systemd.services.nginx.serviceConfig = {
+ SupplementaryGroups = [ "shadow" ];
+ };
+
+ services.nginx = {
+ enable = true;
+ additionalModules = [ pkgs.nginxModules.pam ];
+
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+
+ virtualHosts = {
+ "nix-www.cccb.zerforschen.plus" = {
+ addSSL = true;
+ enableACME = true;
+ root = mkWwwContent {
+ domain = "nix-www.cccb.zerforschen.plus";
+ inherit (pkgs) system;
+ };
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+}
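Review bot: `addSSL = true` on the `nix-www.cccb.zerforschen.plus` vhost serves the full site over plain HTTP on port 80 as well as over TLS, and port 80 is opened in `allowedTCPPorts`; `forceSSL = true;` keeps the ACME HTTP-01 challenge path working but redirects everything else to HTTPS. That matters more than usual here because the module loads `pkgs.nginxModules.pam`, declares `security.pam.services.nginx` and adds the `shadow` supplementary group to the nginx service — presumably so the PAM module can check HTTP basic-auth credentials against system accounts, which means the web server process can read the system password hashes and any such credentials sent over port 80 would travel in the clear. Nothing in this hunk actually uses `auth_pam`, so the group grant and PAM service are extra privilege with no consumer yet; either drop those three lines until a location needs them or add a comment naming the intended use, e.g. `# PAM + shadow group: needed for auth_pam basic-auth on <location, TODO>`. Minor: the host name is written twice (vhost key and `domain = …`); a `let domain = "nix-www.cccb.zerforschen.plus"; in` binding keeps the two from drifting apart.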