Diffstat (limited to '')
-rw-r--r--configuration.nix93
-rw-r--r--flake.lock226
-rw-r--r--flake.nix16
-rw-r--r--gitolite.nix10
-rw-r--r--hardware-configuration.nix9
-rw-r--r--networking.nix35
6 files changed, 389 insertions, 0 deletions
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..0da4b09
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,93 @@
+{ pkgs, inputs, ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./networking.nix # generated at runtime by nixos-infect
+ ];
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ systemd.services.ann = {
+ enable = true;
+ description = "Ann";
+ script = ''
+ export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable"
+ ${inputs.ann.apps.${pkgs.system}."migrate-up".program}
+ exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
+ '';
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ services.freshrss = {
+ enable = true;
+ defaultUser = "freshrss";
+ passwordFile = "/run/secrets/freshrss";
+ dataDir = "/srv/freshrss/data";
+ virtualHost = "rssf.mccd.space";
+ baseUrl = "https://rssf.mccd.space";
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "ann" ];
+ settings = {
+ listen_addresses = pkgs.lib.mkForce "*";
+ };
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all trust
+ host all all ::1/128 trust
+ '';
+ };
+
+ services.nginx = {
+ enable = true;
+
+ gitweb = {
+ enable = false;
+ };
+
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."rssf.mccd.space" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+
+ virtualHosts."ann.sh" = {
+ enableACME = true;
+ addSSL = true;
+
+ locations."~" = {
+ proxyPass = "http://localhost:8080";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ # required when the target is also TLS server with multiple hosts
+ "proxy_ssl_server_name on;" +
+ # required when the server wants to use HTTP Authentication
+ "proxy_pass_header Authorization;"
+ ;
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443];
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "marcc@mccd.space";
+ };
+
+ environment.systemPackages = with pkgs; [ git vim ];
+
+ users.users.git = {
+ isNormalUser = true;
+ home = "/home/git";
+ description = "Git User";
+ extraGroups = [ "wheel" "networkmanager" "git" ];
+ openssh.authorizedKeys.keys = [ "ssh-rsa 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 marcc@mccd" ];
+ };
+
+ boot.cleanTmpDir = true;
+ zramSwap.enable = true;
+ networking.hostName = "nix";
+ networking.domain = "webgit.mccd.space";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [''ssh-rsa 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'' ];
+}
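Review bot: `systemd.services.ann` declares no ordering against PostgreSQL, so at boot the `migrate-up` step in `script` can run before the database accepts connections; add `after = [ "postgresql.service" ]; requires = [ "postgresql.service" ];` next to `wantedBy`. The same unit sets no `serviceConfig.User` or `DynamicUser`, so the application proxied on :8080 runs as root; `serviceConfig.DynamicUser = true;` is the cheapest fix, and it works here because the database authenticates with `trust` rather than OS identity. On the PostgreSQL side, `listen_addresses = "*"` together with `trust` for `local` and `::1/128` hands superuser access to any local process while nothing in this configuration connects from off-host, so the `listen_addresses` override should go; note also that the `host` line covers only `::1/128`, so if `localhost` resolves to 127.0.0.1 first the connection may be rejected — a `host all all 127.0.0.1/32` line, ideally with `scram-sha-256` and a dedicated `ensureUsers` role instead of the `postgres` superuser, would close that gap. Finally, `users.users.git` is placed in `wheel`, which makes a key-only repository account sudo-capable; that group looks unneeded for its stated purpose.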
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..f7a2ea8
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,226 @@
+{
+ "nodes": {
+ "ann": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "ann",
+ "opam-nix",
+ "nixpkgs"
+ ],
+ "opam-nix": "opam-nix"
+ },
+ "locked": {
+ "lastModified": 1705771845,
+ "narHash": "sha256-tGYRGhQqFspEcC444fCCimfSGx3dNHWdLRAyOg+jb58=",
+ "ref": "refs/heads/main",
+ "rev": "93272882f709fc15f5f893f856895f80f10f4378",
+ "revCount": 45,
+ "type": "git",
+ "url": "https://git.sr.ht/~marcc/ann_bloop"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://git.sr.ht/~marcc/ann_bloop"
+ }
+ },
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1627913399,
+ "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1701680307,
+ "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_2": {
+ "locked": {
+ "lastModified": 1638122382,
+ "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "mirage-opam-overlays": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1661959605,
+ "narHash": "sha256-CPTuhYML3F4J58flfp3ZbMNhkRkVFKmBEYBZY5tnQwA=",
+ "owner": "dune-universe",
+ "repo": "mirage-opam-overlays",
+ "rev": "05f1c1823d891ce4d8adab91f5db3ac51d86dc0b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "dune-universe",
+ "repo": "mirage-opam-overlays",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1682362401,
+ "narHash": "sha256-/UMUHtF2CyYNl4b60Z2y4wwTTdIWGKhj9H301EDcT9M=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "884ac294018409e0d1adc0cae185439a44bd6b0b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1705566941,
+ "narHash": "sha256-CLNtVRDA8eUPk+bxsCCZtRO0Cp+SpHdn1nNOLoFypLs=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "b06ff4bf8f4ad900fe0c2a61fc2946edc3a84be7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "opam-nix": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "flake-utils": "flake-utils_2",
+ "mirage-opam-overlays": "mirage-opam-overlays",
+ "nixpkgs": "nixpkgs",
+ "opam-overlays": "opam-overlays",
+ "opam-repository": "opam-repository",
+ "opam2json": "opam2json"
+ },
+ "locked": {
+ "lastModified": 1702988812,
+ "narHash": "sha256-XdGK59SJsZZU9eeulWxopzdS3PZSbRls7i53KEJZ60A=",
+ "owner": "tweag",
+ "repo": "opam-nix",
+ "rev": "a2c8f7d640f1dcb92f036044f13eb9135f6db474",
+ "type": "github"
+ },
+ "original": {
+ "owner": "tweag",
+ "repo": "opam-nix",
+ "type": "github"
+ }
+ },
+ "opam-overlays": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1654162756,
+ "narHash": "sha256-RV68fUK+O3zTx61iiHIoS0LvIk0E4voMp+0SwRg6G6c=",
+ "owner": "dune-universe",
+ "repo": "opam-overlays",
+ "rev": "c8f6ef0fc5272f254df4a971a47de7848cc1c8a4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "dune-universe",
+ "repo": "opam-overlays",
+ "type": "github"
+ }
+ },
+ "opam-repository": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1701363371,
+ "narHash": "sha256-DeiPIuWNDSOxvlF41YPae7UpVGZLf7/E3qp2JMerovg=",
+ "owner": "ocaml",
+ "repo": "opam-repository",
+ "rev": "bc52affc41b55ff00c0d3ac9a376538d79695aaf",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ocaml",
+ "repo": "opam-repository",
+ "type": "github"
+ }
+ },
+ "opam2json": {
+ "inputs": {
+ "nixpkgs": [
+ "ann",
+ "opam-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1671540003,
+ "narHash": "sha256-5pXfbUfpVABtKbii6aaI2EdAZTjHJ2QntEf0QD2O5AM=",
+ "owner": "tweag",
+ "repo": "opam2json",
+ "rev": "819d291ea95e271b0e6027679de6abb4d4f7f680",
+ "type": "github"
+ },
+ "original": {
+ "owner": "tweag",
+ "repo": "opam2json",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "ann": "ann",
+ "nixpkgs": "nixpkgs_2"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..82dc5b1
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,16 @@
+{
+ description = "Run Ann Server as a systemd service";
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs?ref=nixpkgs-unstable";
+ inputs.ann.url = "git+https://git.sr.ht/~marcc/ann_bloop";
+
+
+ outputs = {self,nixpkgs, ann, ...}@inputs: {
+ nixosConfigurations.nix = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs;};
+ system = "x86_64-linux";
+ modules = [
+ ./configuration.nix
+ ];
+ };
+ };
+}
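Review bot: The `ann` input URL carries no `ref` or `rev`, so what gets built is governed solely by flake.lock, and per that lock `ann` resolves its `nixpkgs` through `opam-nix` to a checkout with lastModified 1682362401 (April 2023) while the host itself uses `nixpkgs_2` from January 2024, so the application is compiled against a package set roughly nine months older than the system it runs on. Consider `inputs.ann.inputs.nixpkgs.follows = "nixpkgs";` so both sides share one nixpkgs, provided the ann flake tolerates it (opam-nix's own pin would remain separate). `self` is bound in `outputs` but never used; dropping it keeps the signature honest.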
diff --git a/gitolite.nix b/gitolite.nix
new file mode 100644
index 0000000..1811387
--- /dev/null
+++ b/gitolite.nix
@@ -0,0 +1,10 @@
+{
+ services.gitolite = {
+ user = "git";
+ extraGitoliteRc = ''
+ $RC{UMASK} = 0027;
+ '';
+ enable = true;
+ adminPubkey = "ssh-rsa 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 marcc@mccd";
+ };
+}
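Review bot: `gitolite.nix` is not imported anywhere in this commit — configuration.nix's `imports` lists only hardware-configuration.nix and networking.nix — so this `services.gitolite` block is inert and `enable = true` has no effect. If it is wired in later, `user = "git"` will collide with `users.users.git` from configuration.nix, which is declared there as an interactive normal user in `wheel`; the gitolite module manages that account itself, so the two definitions need reconciling before the import is added, and a repository-hosting user should not carry `wheel`. Either add `./gitolite.nix` to `imports` or leave a comment such as `# not yet imported; see configuration.nix` so the intent is explicit.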
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..5e7b44e
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/networking.nix b/networking.nix
new file mode 100644
index 0000000..2f1b2be
--- /dev/null
+++ b/networking.nix
@@ -0,0 +1,35 @@
+{ lib, ... }: {
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers = [ "2a01:4ff:ff00::add:2"
+ "2a01:4ff:ff00::add:1"
+ "185.12.64.1"
+ ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ { address="128.140.49.64"; prefixLength=32; }
+ ];
+ ipv6.addresses = [
+ { address="2a01:4f8:c17:ddd1::1"; prefixLength=64; }
+{ address="fe80::9400:2ff:feeb:f56c"; prefixLength=64; }
+ ];
+ ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
+ ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
+ };
+
+ };
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:02:eb:f5:6c", NAME="eth0"
+
+ '';
+}