Initial commit

This commit is contained in:
Charlotte Som 2024-11-19 05:15:20 +00:00
commit 3e4a52e6dd
16 changed files with 257 additions and 0 deletions

0
.gitignore vendored Normal file
View file

5
README.md Normal file
View file

@ -0,0 +1,5 @@
# plinth slashfiles
- repo root: `/srv`
- symlink `flake` to `/etc/nixos`

3
flake/activate.sh Executable file
View file

@ -0,0 +1,3 @@
#!/usr/bin/env bash
sudo nixos-rebuild --verbose --flake path:/srv/flake switch

44
flake/flake.lock Normal file
View file

@ -0,0 +1,44 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1731797254,
"narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1731676054,
"narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
}
}
},
"root": "root",
"version": 7
}

28
flake/flake.nix Normal file
View file

@ -0,0 +1,28 @@
{
description = "plinth system flake";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
nixosConfigurations = {
plinth = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
unstable-pkgs = nixpkgs-unstable.legacyPackages."x86_64-linux";
};
modules = [
# lix.nixosModules.default
({...}: { system.stateVersion = "23.11"; })
./system/hardware-configuration.nix
./system/base.nix
./system/software.nix
./system/nginx.nix
./system/borg.nix
];
};
};
};
}

29
flake/system/base.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, ... }: {
nix = {
settings.experimental-features = [
"nix-command"
"flakes"
];
package = pkgs.lix;
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "plinth";
time.timeZone = "UTC";
networking.firewall.enable = false;
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiGDjT86bf2DNsVPOgtvT1SGCsI5EE5bLhxiJnMaDJQ charlotte@crystal'' ]; # failsafe
programs.zsh.enable = true;
users.users.charlotte = {
isNormalUser = true;
description = "charlotte";
extraGroups = ["wheel"];
shell = pkgs.zsh;
};
security.sudo.wheelNeedsPassword = false;
}

26
flake/system/borg.nix Normal file
View file

@ -0,0 +1,26 @@
{ pkgs, ... }: {
services.borgmatic = {
enable = true;
configurations = {
default = {
repositories = [
{ label = "plinth"; path = "ssh://backup@100.66.18.84/./plinth"; }
];
source_directories = [
"/srv/pds"
];
encryption_passcommand = "${pkgs.coreutils}/bin/cat /root/.borg_password";
compression = "auto,zstd,10";
relocated_repo_access_is_ok = true;
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 6;
keep_yearly = 4;
exclude_if_present = ["CACHEDIR.tag"];
};
};
};
}

View file

@ -0,0 +1,14 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/6623-8E77"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/vda2"; fsType = "ext4"; };
}

46
flake/system/nginx.nix Normal file
View file

@ -0,0 +1,46 @@
{ pkgs, lib, ... }: {
environment.systemPackages = with pkgs; [
certbot
];
systemd.services.certbot-renew = {
description = "certbot auto renew service";
serviceConfig = {
ExecStart = "${pkgs.certbot}/bin/certbot renew --quiet --post-hook 'systemctl reload nginx.service'";
};
};
systemd.timers.certbot-renew = {
description = "certbot auto renew timer";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
};
services.nginx = {
enable = true;
user = "root";
enableReload = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
services.nginx.appendHttpConfig = "include /srv/ngx/out/*.conf;";
services.nginx.appendConfig = "user root;";
systemd.services.nginx.serviceConfig = lib.mkForce {
User = "root";
Group = "root";
ExecStart = "${pkgs.nginx}/bin/nginx -c /etc/nginx/nginx.conf";
ExecReload = [
"${pkgs.nginx}/bin/nginx -c /etc/nginx/nginx.conf -t"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
LogsDirectory = "nginx";
RuntimeDirectory = "nginx";
};
}

18
flake/system/software.nix Normal file
View file

@ -0,0 +1,18 @@
{ pkgs, unstable-pkgs, ... }: {
environment.systemPackages = with pkgs; [
vim
tmux
] ++ [ unstable-pkgs.deno ];
programs.vim.defaultEditor = true;
environment.variables = {
EDITOR = "vim";
VISUAL = "vim";
SYSTEMD_EDITOR = "vim";
};
services.tailscale.enable = true;
programs.git.enable = true;
programs.nix-ld.enable = true; # for Deno :)
}

1
ngx/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
/out

12
ngx/default.ts Normal file
View file

@ -0,0 +1,12 @@
import ngx from "jsr:@char/ngx@0.1";
export const config = ngx("server", [
[
"listen 80 default_server",
"listen [::]:80 default_server"
],
ngx("location '/.well-known/acme-challenge'", ["root /srv/www/acme"]),
ngx("location /", ["return 302 https://$host$request_uri"]),
]);
if (import.meta.main) console.log(config.build());

28
ngx/pds.ts Normal file
View file

@ -0,0 +1,28 @@
import ngx from "jsr:@char/ngx@0.1";
export const config = ngx("", [
ngx("map $http_upgrade $connection_upgrade", [
"default upgrade",
"'' close"
]),
[],
ngx("server", [
[
"server_name pds.bun.how",
...ngx.listen(),
...ngx.letsEncrypt("pds.bun.how"),
],
ngx("location /", [
"client_max_body_size 1G",
"proxy_pass http://127.0.0.7:2583",
"proxy_http_version 1.1",
"proxy_set_header Upgrade $http_upgrade",
"proxy_set_header Connection $connection_upgrade",
"proxy_set_header Host $host",
]),
ngx("location = /hi-res-bnuy.png", ["root /srv/www/pds.bun.how"]),
ngx("location = /", ["root /srv/www/pds.bun.how", "index hi-res-bnuy.png"]),
]),
]);
if (import.meta.main) console.log(config.build());

1
pds/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
/data

2
www/acme/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
*
!.gitignore

Binary file not shown.

After

Width:  |  Height:  |  Size: 778 KiB