initial commit

configuration.nix

@@ -0,0 +1,65 @@
+{
+  networking.hostName = "nix-www";
+  users.users.root.openssh.authorizedKeys.keys = [
+    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2''
+    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2''
+  ];
+
+  nix = {
+    settings = {
+      substituters = [
+        "https://cache.nixos.org/"
+      ];
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      ];
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+    };
+    gc = {
+      automatic = true;
+      dates = "daily";
+      options = "--delete-older-than 7d";
+    };
+    optimise.automatic = true;
+  };
+
+  system = {
+    stateVersion = "25.05";
+    # enable auto updates
+    autoUpgrade = {
+      enable = true;
+      allowReboot = true;
+      dates = "daily";
+      flake = "git+https://git.berlin.ccc.de/cccb-website-team/nix-config.git";
+    };
+  };
+
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      PermitRootLogin = "without-password";
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+  };
+
+  networking.firewall = {
+    enable = true;
+    # checkReversePath = "loose";
+  };
+
+  programs = {
+    zsh.enable = true;
+    htop.enable = true;
+    iotop.enable = true;
+    git.enable = true;
+    nano = {
+      enable = true;
+      syntaxHighlight = true;
+    };
+  };
+}

flake.lock

@@ -0,0 +1,48 @@
+{
+  "nodes": {
+    "cccb-www": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1749316976,
+        "narHash": "sha256-L9xnHsdn+ejv7LEvdmnLPjdeVPpwjGDfoEBYa/B7gXU=",
+        "ref": "refs/heads/staging",
+        "rev": "9b0da1e267c160f2aa9ad14f2869b04bfd2467a4",
+        "revCount": 348,
+        "type": "git",
+        "url": "https://git.berlin.ccc.de/cccb-website-team/www.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.berlin.ccc.de/cccb-website-team/www.git"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1749086602,
+        "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "4792576cb003c994bd7cc1edada3129def20b27d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "cccb-www": "cccb-www",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,36 @@
+{
+  description = "A very basic flake";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.05";
+    cccb-www = {
+      url = "git+https://git.berlin.ccc.de/cccb-website-team/www.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      cccb-www,
+    }:
+    {
+      nixosConfigurations.nix-www = nixpkgs.lib.nixosSystem {
+        system = "aarch64-linux";
+        specialArgs = {
+          mkWwwContent = cccb-www.lib.mkWwwContent;
+        };
+        modules = [
+          ./configuration.nix
+          ./hardware.nix
+          ./nginx.nix
+        ];
+      };
+
+      formatter = {
+        x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
+        aarch64-linux = nixpkgs.legacyPackages.aarch64-linux.nixfmt-rfc-style;
+      };
+    };
+}

hardware.nix

@@ -0,0 +1,63 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  config = {
+    nixpkgs = {
+      hostPlatform = "aarch64-linux";
+      system = "aarch64-linux";
+    };
+
+    boot = {
+      tmp.cleanOnBoot = true;
+      kernelParams = [ "console=tty" ];
+      loader = {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+      };
+      initrd = {
+        availableKernelModules = [
+          "xhci_pci"
+          "virtio_scsi"
+          "sr_mod"
+          "virtio_gpu"
+        ];
+        kernelModules = [ ];
+      };
+    };
+
+    fileSystems = {
+      "/" = {
+        device = "/dev/disk/by-uuid/73dfcfd2-3a61-4b05-8440-d57072b89eda";
+        fsType = "ext4";
+      };
+      "/boot" = {
+        device = "/dev/disk/by-uuid/E9C2-D85B";
+        fsType = "vfat";
+        options = [
+          "fmask=0077"
+          "dmask=0077"
+        ];
+      };
+    };
+
+    swapDevices = [
+      { device = "/dev/disk/by-uuid/737140f2-c2fd-4af9-9974-f05642f8d90e"; }
+    ];
+
+    networking.useNetworkd = true;
+    systemd.network = {
+      enable = true;
+      networks."10-wan" = {
+        matchConfig.Name = "enp1s0";
+        networkConfig.DHCP = "ipv4";
+        address = [
+          "2a01:4f8:c013:cbdd::1/64"
+        ];
+        routes = [
+          { Gateway = "fe80::1"; }
+        ];
+      };
+    };
+  };
+}

nginx.nix

@@ -0,0 +1,38 @@
+{ pkgs, mkWwwContent, ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@zerforschen.plus";
+  };
+
+  security.pam.services.nginx.setEnvironment = false;
+  systemd.services.nginx.serviceConfig = {
+    SupplementaryGroups = [ "shadow" ];
+  };
+
+  services.nginx = {
+    enable = true;
+    additionalModules = [ pkgs.nginxModules.pam ];
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    virtualHosts = {
+      "nix-www.cccb.zerforschen.plus" = {
+        addSSL = true;
+        enableACME = true;
+        root = mkWwwContent {
+          domain = "nix-www.cccb.zerforschen.plus";
+          inherit (pkgs) system;
+        };
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}