Initial commit

README.md

@@ -0,0 +1,5 @@
+# plinth slashfiles
+
+- repo root: `/srv`
+- symlink `flake` to `/etc/nixos`
+

flake/activate.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+sudo nixos-rebuild --verbose --flake path:/srv/flake switch

flake/flake.lock

@@ -0,0 +1,44 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1731797254,
+        "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1731676054,
+        "narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-unstable": "nixpkgs-unstable"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake/flake.nix

@@ -0,0 +1,28 @@
+{
+  description = "plinth system flake";
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+
+  outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
+    nixosConfigurations = {
+      plinth = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = {
+          unstable-pkgs = nixpkgs-unstable.legacyPackages."x86_64-linux";
+        };
+
+        modules = [
+          # lix.nixosModules.default
+          ({...}: { system.stateVersion = "23.11"; })
+          ./system/hardware-configuration.nix
+          ./system/base.nix
+          ./system/software.nix
+          ./system/nginx.nix
+          ./system/borg.nix
+        ];
+      };
+    };
+  };
+}

flake/system/base.nix

@@ -0,0 +1,29 @@
+{ pkgs, ... }: {
+  nix = {
+    settings.experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+    package = pkgs.lix;
+  };
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+
+  networking.hostName = "plinth";
+  time.timeZone = "UTC";
+  networking.firewall.enable = false;
+
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+  users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiGDjT86bf2DNsVPOgtvT1SGCsI5EE5bLhxiJnMaDJQ charlotte@crystal'' ]; # failsafe
+
+  programs.zsh.enable = true;
+  users.users.charlotte = {
+    isNormalUser = true;
+    description = "charlotte";
+    extraGroups = ["wheel"];
+    shell = pkgs.zsh;
+  };
+  security.sudo.wheelNeedsPassword = false;
+}

flake/system/borg.nix

@@ -0,0 +1,26 @@
+{ pkgs, ... }: {
+  services.borgmatic = {
+    enable = true;
+    configurations = {
+      default = {
+        repositories = [
+          { label = "plinth"; path = "ssh://backup@100.66.18.84/./plinth"; }
+        ];
+        source_directories = [
+          "/srv/pds"
+        ];
+        encryption_passcommand = "${pkgs.coreutils}/bin/cat /root/.borg_password";
+
+        compression = "auto,zstd,10";
+        relocated_repo_access_is_ok = true;
+
+        keep_daily = 7;
+        keep_weekly = 4;
+        keep_monthly = 6;
+        keep_yearly = 4;
+
+        exclude_if_present = ["CACHEDIR.tag"];
+      };
+    };
+  };
+}

flake/system/hardware-configuration.nix

@@ -0,0 +1,14 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  fileSystems."/boot" = { device = "/dev/disk/by-uuid/6623-8E77"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/vda2"; fsType = "ext4"; };
+  
+}

flake/system/nginx.nix

@@ -0,0 +1,46 @@
+{ pkgs, lib, ... }: {
+  environment.systemPackages = with pkgs; [
+    certbot
+  ];
+
+  systemd.services.certbot-renew = {
+    description = "certbot auto renew service";
+    serviceConfig = {
+      ExecStart = "${pkgs.certbot}/bin/certbot renew --quiet --post-hook 'systemctl reload nginx.service'";
+    };
+  };
+  systemd.timers.certbot-renew = {
+    description = "certbot auto renew timer";
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = true;
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    user = "root";
+    enableReload = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+  services.nginx.appendHttpConfig = "include /srv/ngx/out/*.conf;";
+
+  services.nginx.appendConfig = "user root;"; 
+  
+  systemd.services.nginx.serviceConfig = lib.mkForce {
+    User = "root";
+    Group = "root";
+    ExecStart = "${pkgs.nginx}/bin/nginx -c /etc/nginx/nginx.conf";
+    ExecReload = [
+      "${pkgs.nginx}/bin/nginx -c /etc/nginx/nginx.conf -t"
+      "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
+    ];
+    LogsDirectory = "nginx";
+    RuntimeDirectory = "nginx";
+  };
+}

flake/system/software.nix

@@ -0,0 +1,18 @@
+{ pkgs, unstable-pkgs, ... }: { 
+  environment.systemPackages = with pkgs; [
+    vim
+    tmux
+  ] ++ [ unstable-pkgs.deno ];
+
+  programs.vim.defaultEditor = true;
+  environment.variables = {
+    EDITOR = "vim";
+    VISUAL = "vim";
+    SYSTEMD_EDITOR = "vim";
+  };
+
+  services.tailscale.enable = true;
+
+  programs.git.enable = true;
+  programs.nix-ld.enable = true; # for Deno :)
+}

ngx/.gitignore

@@ -0,0 +1 @@
+/out

ngx/default.ts

@@ -0,0 +1,12 @@
+import ngx from "jsr:@char/ngx@0.1";
+
+export const config = ngx("server", [
+  [
+    "listen 80 default_server",
+    "listen [::]:80 default_server"
+  ],
+  ngx("location '/.well-known/acme-challenge'", ["root /srv/www/acme"]),
+  ngx("location /", ["return 302 https://$host$request_uri"]),
+]);
+
+if (import.meta.main) console.log(config.build());

ngx/pds.ts

@@ -0,0 +1,28 @@
+import ngx from "jsr:@char/ngx@0.1";
+
+export const config = ngx("", [
+  ngx("map $http_upgrade $connection_upgrade", [
+    "default upgrade",
+    "'' close"
+  ]),
+  [],
+  ngx("server", [
+    [
+      "server_name pds.bun.how",
+      ...ngx.listen(),
+      ...ngx.letsEncrypt("pds.bun.how"),
+    ],
+    ngx("location /", [
+      "client_max_body_size 1G",
+      "proxy_pass http://127.0.0.7:2583",
+      "proxy_http_version 1.1",
+      "proxy_set_header Upgrade $http_upgrade",
+      "proxy_set_header Connection $connection_upgrade",
+      "proxy_set_header Host $host",
+    ]),
+    ngx("location = /hi-res-bnuy.png", ["root /srv/www/pds.bun.how"]),
+    ngx("location = /", ["root /srv/www/pds.bun.how", "index hi-res-bnuy.png"]),
+  ]),
+]);
+
+if (import.meta.main) console.log(config.build());

pds/.gitignore

@@ -0,0 +1 @@
+/data

www/acme/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore