yep, more dotfiles

feat: add basic server config

authored by

Milo Moisson and committed by wiro.world 3a2eccc3 b0b4d1c1

+196 -7
+6 -5
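--- a/configurations.nix
+++ b/configurations.nix
@@ -17,11 +17,12 @@
 (user "milomoisson" { description = "Milo Moisson"; profile = "desktop"; keys = keys.users; })
 ];
 
-# # Servers
-# "weird-row-server" = createSystem pkgs [
-# (system "weird-row-server" "server")
-# (user "milomoisson" { description = "Milo Moisson"; profile = "minimal"; keys = keys.users; })
-# ];
+# Servers
+"weird-row-server" = createSystem pkgs [
+(system "weird-row-server" "server")
+(managedDiskLayout "ext4-hetzner" { device = "sda"; swapSize = 2; })
+(user "milomoisson" { description = "Milo Moisson"; profile = "server"; keys = keys.users; })
+];
 };
 
 # I bundle my Home Manager config via the NixOS modules which create system generations and give free rollbacks.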
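Review bot: `device = "sda"` is a bare device name, but the `ext4-hetzner` layout hands `cfg.device` straight to `disko.devices.disk.primary.device`, which takes a path such as `/dev/sda`; unless `managedDiskLayout` (not in this commit) prepends `/dev/`, disko will not find the disk. Prefer a stable identifier where one is available, `device = "/dev/disk/by-id/..."`, since `sda` depends on SCSI enumeration order. The host is also declared with `profile = "server"` before its key exists in `keys.servers`, so any `deploy` secret cannot be decrypted on it until the host key is added and the secrets rekeyed.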
+16
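--- a/home-manager/profiles/server.nix
+++ b/home-manager/profiles/server.nix
@@ -0,0 +1,16 @@
+{ isDarwin
+, ...
+}:
+
+{
+config = {
+assertions = [
+{ assertion = !isDarwin; message = "this is a HM non-darwin config"; }
+];
+
+local.flags.onlyCached = true;
+
+local.fragment.shell.enable = true;
+};
+}
+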
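Review bot: `local.flags.onlyCached = true;` is the one setting that distinguishes this profile from a minimal one and it carries no explanation; the flag is defined outside this commit, so add a why-comment stating what it gates and why a server wants it, e.g. `# servers: restrict to what the binary cache provides (see local.flags.onlyCached)`, adjusted to the flag's real meaning. The assertion message could name the profile so the failure is self-explanatory: `message = "the server Home Manager profile is Linux-only";`.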
-1
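--- a/lib/flake/default.nix
+++ b/lib/flake/default.nix
@@ -45,7 +45,6 @@
 };
 user = import ./user.nix;
 managedDiskLayout = import ./managedDiskLayout.nix;
-
 };
 
 # Darwin related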
+24
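--- a/nixos/hardware/weird-row-server.nix
+++ b/nixos/hardware/weird-row-server.nix
@@ -0,0 +1,24 @@
+{ lib
+
+, modulesPath
+, ...
+}:
+
+{
+imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+
+config = {
+system.stateVersion = "24.11";
+
+# --- Generated by `nixos-generate-config` ---
+boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+
+networking.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+};
+}
+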
+63
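--- a/nixos/layout/ext4-hetzner.nix
+++ b/nixos/layout/ext4-hetzner.nix
@@ -0,0 +1,63 @@
+{ config
+, ...
+}:
+
+let
+cfg = config.local.disk;
+in
+{
+options = { };
+
+config.disko.devices.disk.primary = {
+device = cfg.device;
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+size = "512M";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+luks = {
+size = "100%";
+content = {
+type = "luks";
+# TODO: change to encrypted
+name = "crypted";
+settings = {
+allowDiscards = true;
+# yubiKey = I want a YubiKey
+};
+content = {
+type = "btrfs";
+extraArgs = [ "-f" ];
+subvolumes = {
+"/root" = {
+mountpoint = "/";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+"/home" = {
+mountpoint = "/home";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+"/nix" = {
+mountpoint = "/nix";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+"/swap" = {
+mountpoint = "/.swapvol";
+swap.swapfile.size = "${toString cfg.swapSize}G";
+};
+};
+};
+};
+};
+};
+};
+};
+}
+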
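Review bot: The LUKS container has no `passwordFile`/`keyFile` and nothing in this commit sets up an initrd unlock path (`boot.initrd.network` with SSH, or a key on another volume), so a remote Hetzner VM on this layout cannot reboot unattended and the `# TODO: change to encrypted` line does not record how the key is meant to be supplied; make the TODO concrete, e.g. `# TODO: supply the LUKS key (disko passwordFile at install, then remote initrd unlock) before this host is deployed`. `allowDiscards = true` deliberately reveals which blocks are free to the hypervisor; a one-line comment naming that trade-off keeps it from being "fixed" later. The module is named `ext4-hetzner` but formats btrfs subvolumes, which will mislead the next reader of `configurations.nix`; rename it or note the mismatch at the top. `options = { }` while `cfg = config.local.disk` is read suggests the option is declared elsewhere (presumably in `managedDiskLayout`); say so in a comment rather than leaving an empty declaration.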
+74
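--- a/nixos/profiles/server.nix
+++ b/nixos/profiles/server.nix
@@ -0,0 +1,74 @@
+{ config
+, pkgs
+, upkgs
+, ...
+}:
+
+let
+ext-if = "en0";
+
+external-ip6 = "2a01:4f8:c2c:76d2::/64";
+external-netmask6 = 64;
+external-gw6 = "fe80::1";
+in
+{
+imports = [ ];
+
+config = {
+boot.loader.grub.device = "/dev/nvme0n1";
+
+# Single network card is `eth0`
+networking.usePredictableInterfaceNames = false;
+
+networking = {
+interfaces.${ext-if} = {
+ipv6.addresses = [{
+address = external-ip6;
+prefixLength = external-netmask6;
+}];
+};
+defaultGateway6 = {
+interface = ext-if;
+address = external-gw6;
+};
+};
+
+services.qemuGuest.enable = true;
+
+services.fail2ban = {
+enable = true;
+
+maxretry = 5;
+ignoreIP = [ ];
+
+bantime = "24h";
+bantime-increment = {
+enable = true;
+multipliers = "1 2 4 8 16 32 64";
+maxtime = "168h";
+overalljails = true;
+};
+
+jails = { };
+};
+
+# TODO: switch to nightly channel
+# services.pds = {
+# enable = true;
+# pdsadmin.enable = true;
+
+
+# };
+
+services.caddy = {
+enable = true;
+
+virtualHosts."localhost".extraConfig = ''
+reverse_proxy https://wirolibre.xyz/
+'';
+};
+
+programs.fish.enable = true;
+};
+}
+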
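Review bot: `external-ip6` carries a `/64` suffix while `prefixLength` is set separately, so `ipv6.addresses` receives `2a01:4f8:c2c:76d2::/64` as the address, which is not a valid address value; it should be a host address in that prefix, `external-ip6 = "2a01:4f8:c2c:76d2::1";` (Hetzner usually documents `::1`, confirm in the panel). With `usePredictableInterfaceNames = false` the NIC is `eth0`, as the comment above it says, so `ext-if = "en0"` configures an interface that will not exist; `ext-if = "eth0";`. `boot.loader.grub.device = "/dev/nvme0n1"` does not match the `sda` / `virtio_scsi` disk described by the hardware file and the disko layout, and a GPT `EF00` ESP suggests a UEFI loader (`systemd-boot` or `grub.efiSupport`) was intended rather than BIOS GRUB on that device. Two smaller points: `ignoreIP = [ ]` means the admin's own address can be banned by the escalating `bantime-increment`, and `reverse_proxy https://wirolibre.xyz/` to an external TLS host typically also needs `header_up Host {upstream_hostport}` to be accepted upstream.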
+4
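--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -11,6 +11,10 @@
 api-wakatime.file = ./api-wakatime.age;
 };
 
+deploy = {
+pds-config.file = ./pds-env.age;
+};
+
 none = {
 pgp-ca5e.file = ./pgp-ca5e.age;
 ssh-uxgi.file = ./ssh-uxgi.age;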
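Review bot: The secret is registered as `pds-config` while the file is `pds-env.age`, and its only consumer (`services.pds` in the server profile) is still commented out, so neither the name nor the reader of this file is recorded; align them, `pds-env.file = ./pds-env.age;`, and add a comment naming the service. No `owner`/`mode` is given, so the file is installed with agenix's root-only default (0400 root, as far as I recall), which a service running under its own user cannot read; set `owner` when the consumer is enabled.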
+5
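--- a/secrets/keys.nix
+++ b/secrets/keys.nix
@@ -4,6 +4,11 @@
 neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINR1/9o1HLnSRkXt3xxAM5So1YCCNdJpBN1leSu7giuR";
 systems = [ archaic neo ];
 
+# weird-row = "...";
+servers = [
+# weird-row
+];
+
 # Sessions specific age key (~/.ssh/id_home_manager.pub)
 neo-milomoisson = "age1vz2zmduaqhaw5jrqh277pmp36plyth8rz5k9ccxeftfcl2nlhalqwvx5xz";
 sessions = [ neo-milomoisson ];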
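Review bot: `servers` is empty with `weird-row` commented out, so everything `secrets.nix` encrypts to the `deploy` group is readable only by the user keys and the server will fail to decrypt `pds-env.age` at activation until its key is added here and the files are rekeyed. Record where the key must come from so it is not a copied user key: `# weird-row = "ssh-ed25519 ..."; # host key from /etc/ssh/ssh_host_ed25519_key.pub on the machine; run agenix -r after adding`. Keep the entry out of `systems`, since that group already gates the workstation secrets.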
secrets/pds-env.age

This is a binary file and will not be displayed.

+4 -1
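--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,8 +1,9 @@
 let
-inherit (import ./keys.nix) users systems sessions;
+inherit (import ./keys.nix) servers sessions systems users;
 
 nixos = systems ++ users;
 home-manager = sessions ++ users;
+deploy = servers ++ users;
 in
 {
 # Used in NixOS config
@@ -14,6 +15,8 @@
 "api-digital-ocean.age".publicKeys = home-manager;
 "api-gitguardian.age".publicKeys = home-manager;
 "api-wakatime.age".publicKeys = home-manager;
+
+"pds-env.age".publicKeys = deploy;
 
 # Not used in config but useful
 "pgp-ca5e.age".publicKeys = users;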
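Review bot: `deploy = servers ++ users` encrypts the server's runtime secret to every user key as well as the host keys, so a compromised workstation key exposes the PDS environment, not just the owner's personal secrets; if that is the accepted trade-off for being able to edit the file from a workstation, state it next to the group, `# deploy: host keys plus users so the file can be edited off-box; users can read server secrets`. The second hunk files `pds-env.age` under the `# Used in NixOS config` heading although its consumer is not yet enabled; a short `# read by services.pds on weird-row-server` beside it would tie the secret to its service.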