diff --git a/hosts/magus.nix b/hosts/magus.nix index 99761d7..a957662 100644 --- a/hosts/magus.nix +++ b/hosts/magus.nix @@ -1,48 +1,56 @@ -# WIP { config, pkgs, lib, inputs, + modulesPath, ... }: { imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ./server/disk-config.nix ./server/hardware-configuration.nix ./server/networking.nix ./server/security.nix ./server/nginx.nix ./server/redis.nix + ./modules/timezone.nix + ./modules/docker.nix + ./modules/npm.nix + ./modules/nixos.nix ]; - system.stateVersion = "24.11"; - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - networking.hostName = "alteur"; - users.users.admin = { - isNormalUser = true; - extraGroups = ["wheel"]; - openssh.authorizedKeys.keyFiles = [ - ../.secrets/id_ed25519.pub - ]; + + system.stateVersion = "25.05"; + + boot = { + loader.grub.enable = true; + initrd.availableKernelModules = ["xen_blkfront" "virtio_blk"]; }; + environment.systemPackages = with pkgs; [ wget curl git htop btop - nodejs_20 ffmpeg yt-dlp + fastfetch ]; - nix.gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than 30d"; + + nix = { + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; + settings.auto-optimise-store = true; }; - nix.settings.auto-optimise-store = true; - services.fstrim.enable = true; - services.xserver.enable = false; + + services = { + fstrim.enable = true; + xserver.enable = false; + }; + sound.enable = false; } diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix new file mode 100644 index 0000000..6acf427 --- /dev/null +++ b/hosts/server/configuration.nix 
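Review bot: `sound.enable = false;` at the bottom of the new module probably no longer evaluates — the `sound.*` options were removed from NixOS (I believe in 24.11), so on the `nixpkgs-unstable` input the flake pins this would fail with an "option does not exist" error; the line can simply be dropped, there is no sound stack on a headless guest. `system.stateVersion` also moves from "24.11" to "25.05"; that value is meant to stay at the release the host was first installed with, so this is only right if the machine is being reinstalled from scratch with disko (which the new `./server/disk-config.nix` import suggests) — for an in-place upgrade keep "24.11". The `boot.initrd.availableKernelModules` list duplicates the one in the generated hardware-configuration.nix; list options merge, so it is harmless, but it could be left to the generated file.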
@@ -0,0 +1,57 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ./disk-config.nix + ]; + + boot.loader.grub = { + enable = true; + }; + + boot.initrd.availableKernelModules = ["xen_blkfront" "virtio_blk"]; + + networking = { + hostName = "alteur"; + useDHCP = false; + interfaces.enX0.ipv4.addresses = [ + { + address = "redacted"; + prefixLength = 24; + } + ]; + defaultGateway = "redacted"; + nameservers = ["8.8.8.8" "8.8.4.4"]; + }; + + services.openssh = { + enable = true; + ports = [8123]; + settings = { + PermitRootLogin = "prohibit-password"; + PasswordAuthentication = false; + }; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "redacted" + ]; + + environment.systemPackages = with pkgs; [ + curl + git + htop + ]; + + networking.firewall = { + enable = true; + allowedTCPPorts = [8123 80 443]; + }; + + system.stateVersion = "25.05"; +} diff --git a/hosts/server/disk-config.nix b/hosts/server/disk-config.nix new file mode 100644 index 0000000..047edcc --- /dev/null +++ b/hosts/server/disk-config.nix @@ -0,0 +1,28 @@ +{lib, ...}: { + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/xvda"; + content = { + type = "gpt"; + partitions = { + MBR = { + type = "EF02"; + size = "1M"; + priority = 1; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/server/flake.lock b/hosts/server/flake.lock new file mode 100644 index 0000000..c49dfbb --- /dev/null +++ b/hosts/server/flake.lock 
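Review bot: This module re-defines what `networking.nix` and `security.nix` already set — `networking.hostName`, the `interfaces.enX0` address block, `services.openssh`, the firewall ports — with a different hostname ("alteur" here, "magus" there) and placeholder values ("redacted", presumably scrubbed for publication) that cannot be deployed as committed; whichever tree is authoritative, the other will drift, and any module set that imports both fails evaluation on the conflicting `hostName` definitions. The sshd hardening is also incomplete here and in `security.nix`: `PasswordAuthentication = false` leaves keyboard-interactive (PAM) authentication at its default, so add `KbdInteractiveAuthentication = false;` to `settings` in both files. The firewall opens 80 and 443 although nothing in this configuration listens on them (nginx is only imported by magus.nix); keep the port list next to the service that needs it.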
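Review bot: `lib` in `{lib, ...}:` is never used; `{...}: {` is enough. The layout hard-codes `device = "/dev/xvda"` and defines no swap; disko will wipe that device on `nixos-anywhere`, and because the same disk-config is reused by the `generic` and `generic-nixos-facter` targets in flake.nix, a target whose root disk is not a Xen `xvda` would either fail or partition the wrong device. A comment such as `# Xen guest: root disk is /dev/xvda — override per host` above `device`, or making the device a module option, would make that dependency visible.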
@@ -0,0 +1,64 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1760701190, + "narHash": "sha256-y7UhnWlER8r776JsySqsbTUh2Txf7K30smfHlqdaIQw=", + "owner": "nix-community", + "repo": "disko", + "rev": "3a9450b26e69dcb6f8de6e2b07b3fc1c288d85f5", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "nixos-facter-modules": { + "locked": { + "lastModified": 1761137276, + "narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=", + "owner": "numtide", + "repo": "nixos-facter-modules", + "rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nixos-facter-modules", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1761440988, + "narHash": "sha256-2qsow3cQIgZB2g8Cy8cW+L9eXDHP6a1PsvOschk5y+E=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "de69d2ba6c70e747320df9c096523b623d3a4c35", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "nixos-facter-modules": "nixos-facter-modules", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/hosts/server/flake.nix b/hosts/server/flake.nix new file mode 100644 index 0000000..fcaf5f4 --- /dev/null +++ b/hosts/server/flake.nix 
@@ -0,0 +1,49 @@ +{ + inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + inputs.disko.url = "github:nix-community/disko"; + inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixos-facter-modules.url = "github:numtide/nixos-facter-modules"; + + outputs = { + nixpkgs, + disko, + nixos-facter-modules, + ... + }: { + nixosConfigurations.alteur = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + disko.nixosModules.disko + ./configuration.nix + ]; + }; + + # Use this for all other targets + # nixos-anywhere --flake .#generic --generate-hardware-config nixos-generate-config ./hardware-configuration.nix + nixosConfigurations.generic = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + disko.nixosModules.disko + ./configuration.nix + ./hardware-configuration.nix + ]; + }; + + # Slightly experimental: Like generic, but with nixos-facter (https://github.com/numtide/nixos-facter) + # nixos-anywhere --flake .#generic-nixos-facter --generate-hardware-config nixos-facter facter.json + nixosConfigurations.generic-nixos-facter = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + disko.nixosModules.disko + ./configuration.nix + nixos-facter-modules.nixosModules.facter + { + config.facter.reportPath = + if builtins.pathExists ./facter.json + then ./facter.json + else throw "Have you forgotten to run nixos-anywhere with `--generate-hardware-config nixos-facter ./facter.json`?"; + } + ]; + }; + }; +} diff --git a/hosts/server/hardware-configuration.nix b/hosts/server/hardware-configuration.nix new file mode 100644 index 0000000..a6ba248 --- /dev/null +++ b/hosts/server/hardware-configuration.nix 
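Review bot: The `generic` and `generic-nixos-facter` targets reuse `./configuration.nix`, which sets `networking.useDHCP = false` and a static address on `enX0` without `lib.mkDefault`; that overrides the `useDHCP = lib.mkDefault true` from the generated hardware-configuration.nix, so a "generic" machine without an `enX0` comes up with no connectivity. Either move the static addressing into a module that only `alteur` imports, or wrap it in `lib.mkDefault`. `builtins.pathExists ./facter.json` is evaluated against the flake's git-tracked source copy, so an untracked `facter.json` is invisible and the `throw` still fires after the report is generated — the file has to be `git add`ed first, which is worth saying in the comment above it. All inputs track `nixpkgs-unstable`; for a server, a release branch (e.g. `nixos-25.05`, matching `system.stateVersion`) gives a more predictable upgrade cadence.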
@@ -0,0 +1,22 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "platform_pci" "sr_mod" "xen_blkfront" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enX0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/server/networking.nix b/hosts/server/networking.nix new file mode 100644 index 0000000..48c50a9 --- /dev/null +++ b/hosts/server/networking.nix @@ -0,0 +1,22 @@ +{ + config, + lib, + ... +}: { + networking = { + hostName = "magus"; + useDHCP = false; + interfaces.enX0.ipv4.addresses = [ + { + address = "104.152.210.245"; + prefixLength = 24; + } + ]; + defaultGateway = "104.152.210.1"; + nameservers = ["8.8.8.8" "8.8.4.4"]; + firewall = { + enable = true; + allowedTCPPorts = [8123 80 443]; + }; + }; +} diff --git a/hosts/server/redis.nix b/hosts/server/redis.nix new file mode 100644 index 0000000..55a5cd4 --- /dev/null +++ b/hosts/server/redis.nix @@ -0,0 +1,15 @@ +{ + config, + pkgs, + ... +}: { + services.redis.servers."" = { + enable = true; + bind = "127.0.0.1"; + port = 6379; + settings = { + maxmemory = "256mb"; + maxmemory-policy = "allkeys-lru"; + }; + }; +} 
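Review bot: `config` and `lib` are declared in the module's argument set but never used; `{...}: {` would do. Listing `8123` in `allowedTCPPorts` is redundant with `services.openssh.openFirewall`, which defaults to `true` and opens whatever `services.openssh.ports` contains — harmless, but it means the SSH port must now be kept in sync between this file and `security.nix`. Only IPv4 is configured; if the provider assigns an IPv6 prefix, `interfaces.enX0.ipv6.addresses` and `defaultGateway6` are needed for the host to be reachable over v6.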
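Review bot: The instance is reachable by any local process without authentication — `bind = "127.0.0.1"` and `port = 6379` restate the module defaults for the unnamed server, but nothing sets `requirePassFile` (or `requirePass`), so every local user, and any container started with host networking by the docker module that magus.nix imports, can read and write it. Either set `requirePassFile` to a file kept outside the Nix store, or go socket-only with `port = 0;` and rely on the module's unix socket plus `unixSocketPerm` and group membership. `config` and `pkgs` in the argument set are unused and can be dropped.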
diff --git a/hosts/server/security.nix b/hosts/server/security.nix new file mode 100644 index 0000000..dcb55de --- /dev/null +++ b/hosts/server/security.nix @@ -0,0 +1,28 @@ +{ + config, + pkgs, + ... +}: { + services.openssh = { + enable = true; + ports = [8123]; + settings = { + PermitRootLogin = "prohibit-password"; + PasswordAuthentication = false; + }; + }; + + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../.secrets/id_ed25519.pub + ]; + + users.users.admin = { + isNormalUser = true; + extraGroups = ["wheel" "docker"]; + openssh.authorizedKeys.keyFiles = [ + ../../.secrets/id_ed25519.pub + ]; + }; + + security.sudo.wheelNeedsPassword = false; +}
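Review bot: Root SSH login stays open (`PermitRootLogin = "prohibit-password"` plus `users.users.root.openssh.authorizedKeys.keyFiles`) even though the same key is installed for `admin`, who already gets password-less sudo via `security.sudo.wheelNeedsPassword = false` and `docker` group membership (root-equivalent through the docker socket); that is three routes to root for one key, and the root one adds nothing. Set `PermitRootLogin = "no";` and drop the root `authorizedKeys.keyFiles` block so every privileged action goes through a named user and shows up in the sudo and journal trail. `../../.secrets/id_ed25519.pub` must be git-tracked for the flake to see it; if `.secrets/` is ignored, as the name suggests, evaluation fails with a missing-path error — a comment noting that the directory holds only public material and is tracked would help the next reader. `config` and `pkgs` in the argument set are unused.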