Initial commit
commit
3e4a52e6dd
16 changed files with 257 additions and 0 deletions
0
.gitignore
vendored
Normal file
0
.gitignore
vendored
Normal file
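--- a/README.md
+++ b/README.md
@@ -0,0 +1,5 @@
+# plinth slashfiles
+
+- repo root: `/srv`
+- symlink `flake` to `/etc/nixos`
+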
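--- a/flake/activate.sh
+++ b/flake/activate.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+sudo nixos-rebuild --verbose --flake path:/srv/flake switch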
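Review bot: The flake reference `path:/srv/flake` names no configuration, so `nixos-rebuild` falls back to the attribute matching the current hostname; on a machine not yet named `plinth` the switch would fail or pick a different attribute. Writing `--flake path:/srv/flake#plinth` makes the target explicit. Because this runs a root-level switch from `/srv`, a comment stating that `/srv/flake` must not be writable by unprivileged accounts would be worth adding.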
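--- a/flake/flake.lock
+++ b/flake/flake.lock
@@ -0,0 +1,44 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1731797254,
+"narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-24.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs-unstable": {
+"locked": {
+"lastModified": 1731676054,
+"narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs",
+"nixpkgs-unstable": "nixpkgs-unstable"
+}
+}
+},
+"root": "root",
+"version": 7
+}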
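--- a/flake/flake.nix
+++ b/flake/flake.nix
@@ -0,0 +1,28 @@
+{
+description = "plinth system flake";
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+};
+
+outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
+nixosConfigurations = {
+plinth = nixpkgs.lib.nixosSystem {
+system = "x86_64-linux";
+specialArgs = {
+unstable-pkgs = nixpkgs-unstable.legacyPackages."x86_64-linux";
+};
+
+modules = [
+# lix.nixosModules.default
+({...}: { system.stateVersion = "23.11"; })
+./system/hardware-configuration.nix
+./system/base.nix
+./system/software.nix
+./system/nginx.nix
+./system/borg.nix
+];
+};
+};
+};
+}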
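Review bot: `system.stateVersion = "23.11";` sits inline in `modules` next to a `nixos-24.05` input with no explanation, so a later reader may be tempted to "fix" the mismatch. A comment such as `# stateVersion records the release this host was installed with; do not bump it with the channel` would prevent that. The commented-out `# lix.nixosModules.default` entry could be dropped, since `base.nix` already selects `pkgs.lix` as the nix package.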
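--- a/flake/system/base.nix
+++ b/flake/system/base.nix
@@ -0,0 +1,29 @@
+{ pkgs, ... }: {
+nix = {
+settings.experimental-features = [
+"nix-command"
+"flakes"
+];
+package = pkgs.lix;
+};
+
+boot.tmp.cleanOnBoot = true;
+zramSwap.enable = true;
+
+networking.hostName = "plinth";
+time.timeZone = "UTC";
+networking.firewall.enable = false;
+
+services.openssh.enable = true;
+services.openssh.settings.PasswordAuthentication = false;
+users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiGDjT86bf2DNsVPOgtvT1SGCsI5EE5bLhxiJnMaDJQ charlotte@crystal'' ]; # failsafe
+
+programs.zsh.enable = true;
+users.users.charlotte = {
+isNormalUser = true;
+description = "charlotte";
+extraGroups = ["wheel"];
+shell = pkgs.zsh;
+};
+security.sudo.wheelNeedsPassword = false;
+}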
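Review bot: `networking.firewall.enable = false;` leaves every listening socket on this host reachable on all interfaces, which matters more here because the same file enables sshd with a root key and sets `security.sudo.wheelNeedsPassword = false;`. Keeping the firewall on and opening only what is served, e.g. `networking.firewall.allowedTCPPorts = [ 22 80 443 ];` plus `networking.firewall.trustedInterfaces = [ "tailscale0" ];` if the tailnet should stay unrestricted, limits exposure to the intended services. The `# failsafe` root key relies on the sshd default for root logins; stating `services.openssh.settings.PermitRootLogin = "prohibit-password";` explicitly would document that intent.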
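--- a/flake/system/borg.nix
+++ b/flake/system/borg.nix
@@ -0,0 +1,26 @@
+{ pkgs, ... }: {
+services.borgmatic = {
+enable = true;
+configurations = {
+default = {
+repositories = [
+{ label = "plinth"; path = "ssh://backup@100.66.18.84/./plinth"; }
+];
+source_directories = [
+"/srv/pds"
+];
+encryption_passcommand = "${pkgs.coreutils}/bin/cat /root/.borg_password";
+
+compression = "auto,zstd,10";
+relocated_repo_access_is_ok = true;
+
+keep_daily = 7;
+keep_weekly = 4;
+keep_monthly = 6;
+keep_yearly = 4;
+
+exclude_if_present = ["CACHEDIR.tag"];
+};
+};
+};
+}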
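Review bot: `relocated_repo_access_is_ok = true;` permanently silences borg's prompt when the repository behind `ssh://backup@100.66.18.84/./plinth` no longer matches the location it was first seen at, which is one of the few signals that backups are landing somewhere unexpected. Consider dropping it once the initial setup is done, or add a comment explaining why the repository is expected to move. `/root/.borg_password` is read with `cat` at backup time; a comment noting that the file must be root-owned with mode 0600 and is provisioned outside the flake would help whoever rebuilds this host.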
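--- a/flake/system/hardware-configuration.nix
+++ b/flake/system/hardware-configuration.nix
@@ -0,0 +1,14 @@
+{ modulesPath, ... }:
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+boot.loader.grub = {
+efiSupport = true;
+efiInstallAsRemovable = true;
+device = "nodev";
+};
+fileSystems."/boot" = { device = "/dev/disk/by-uuid/6623-8E77"; fsType = "vfat"; };
+boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+boot.initrd.kernelModules = [ "nvme" ];
+fileSystems."/" = { device = "/dev/vda2"; fsType = "ext4"; };
+
+}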
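--- a/flake/system/nginx.nix
+++ b/flake/system/nginx.nix
@@ -0,0 +1,46 @@
+{ pkgs, lib, ... }: {
+environment.systemPackages = with pkgs; [
+certbot
+];
+
+systemd.services.certbot-renew = {
+description = "certbot auto renew service";
+serviceConfig = {
+ExecStart = "${pkgs.certbot}/bin/certbot renew --quiet --post-hook 'systemctl reload nginx.service'";
+};
+};
+systemd.timers.certbot-renew = {
+description = "certbot auto renew timer";
+wantedBy = [ "timers.target" ];
+timerConfig = {
+OnCalendar = "daily";
+Persistent = true;
+};
+};
+
+services.nginx = {
+enable = true;
+user = "root";
+enableReload = true;
+
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+};
+services.nginx.appendHttpConfig = "include /srv/ngx/out/*.conf;";
+
+services.nginx.appendConfig = "user root;";
+
+systemd.services.nginx.serviceConfig = lib.mkForce {
+User = "root";
+Group = "root";
+ExecStart = "${pkgs.nginx}/bin/nginx -c /etc/nginx/nginx.conf";
+ExecReload = [
+"${pkgs.nginx}/bin/nginx -c /etc/nginx/nginx.conf -t"
+"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
+];
+LogsDirectory = "nginx";
+RuntimeDirectory = "nginx";
+};
+}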
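Review bot: nginx workers run as root here (`user = "root";` together with `appendConfig = "user root;"`), so a flaw in request handling, or in any file matched by `include /srv/ngx/out/*.conf;`, is exercised with full privileges. The `lib.mkForce` on the whole `serviceConfig` attrset also replaces everything the NixOS nginx module places there, which presumably includes its systemd sandboxing options. If root is only needed to read the certbot certificates, override single keys instead (`systemd.services.nginx.serviceConfig.User = lib.mkForce "root";`) and leave the worker `user` at the module default, or give the nginx account read access to the certificate directory. A comment explaining why root is required would help the next reviewer judge whether the override can be narrowed.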
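--- a/flake/system/software.nix
+++ b/flake/system/software.nix
@@ -0,0 +1,18 @@
+{ pkgs, unstable-pkgs, ... }: {
+environment.systemPackages = with pkgs; [
+vim
+tmux
+] ++ [ unstable-pkgs.deno ];
+
+programs.vim.defaultEditor = true;
+environment.variables = {
+EDITOR = "vim";
+VISUAL = "vim";
+SYSTEMD_EDITOR = "vim";
+};
+
+services.tailscale.enable = true;
+
+programs.git.enable = true;
+programs.nix-ld.enable = true; # for Deno :)
+}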
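--- a/ngx/.gitignore
+++ b/ngx/.gitignore
@@ -0,0 +1 @@
+/out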
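--- a/ngx/default.ts
+++ b/ngx/default.ts
@@ -0,0 +1,12 @@
+import ngx from "jsr:@char/ngx@0.1";
+
+export const config = ngx("server", [
+[
+"listen 80 default_server",
+"listen [::]:80 default_server"
+],
+ngx("location '/.well-known/acme-challenge'", ["root /srv/www/acme"]),
+ngx("location /", ["return 302 https://$host$request_uri"]),
+]);
+
+if (import.meta.main) console.log(config.build());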
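Review bot: `import ngx from "jsr:@char/ngx@0.1";` can resolve to whichever matching 0.1.x release is newest when the config is generated, and no `deno.lock` appears among the changed files, so the output nginx later includes from `/srv/ngx/out` depends on an unpinned dependency. Pin an exact version in the specifier and commit the lockfile; the same import appears in `ngx/pds.ts`. Separately, `return 302 https://$host$request_uri` on the `default_server` copies the client-supplied Host header into the Location; redirecting to a fixed name, or answering unknown hosts with `return 444`, avoids reflecting it.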
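--- a/ngx/pds.ts
+++ b/ngx/pds.ts
@@ -0,0 +1,28 @@
+import ngx from "jsr:@char/ngx@0.1";
+
+export const config = ngx("", [
+ngx("map $http_upgrade $connection_upgrade", [
+"default upgrade",
+"'' close"
+]),
+[],
+ngx("server", [
+[
+"server_name pds.bun.how",
+...ngx.listen(),
+...ngx.letsEncrypt("pds.bun.how"),
+],
+ngx("location /", [
+"client_max_body_size 1G",
+"proxy_pass http://127.0.0.7:2583",
+"proxy_http_version 1.1",
+"proxy_set_header Upgrade $http_upgrade",
+"proxy_set_header Connection $connection_upgrade",
+"proxy_set_header Host $host",
+]),
+ngx("location = /hi-res-bnuy.png", ["root /srv/www/pds.bun.how"]),
+ngx("location = /", ["root /srv/www/pds.bun.how", "index hi-res-bnuy.png"]),
+]),
+]);
+
+if (import.meta.main) console.log(config.build());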
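Review bot: The `location /` block sets its own `proxy_set_header` lines, and nginx inherits proxy headers from the outer level only when a location defines none, so the headers that `recommendedProxySettings` adds at http level (client address, scheme) likely never reach the backend on `127.0.0.7:2583`. If the PDS uses the client address for rate limiting or audit logs, add `"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for"` and `"proxy_set_header X-Forwarded-Proto $scheme"` to the list. `client_max_body_size 1G` applies to every proxied path; a comment naming the upload endpoint that needs it would make the limit easier to review.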
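--- a/pds/.gitignore
+++ b/pds/.gitignore
@@ -0,0 +1 @@
+/data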
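--- a/www/acme/.gitignore
+++ b/www/acme/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore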
BIN
www/pds.bun.how/hi-res-bnuy.png
Normal file
BIN
www/pds.bun.how/hi-res-bnuy.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 778 KiB |