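# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
#
# NOTE(review): every literal in this file is copied into the world-readable
# Nix store. That includes the two password hashes and the webhook secret
# below. Anything that must stay confidential should be loaded at runtime from
# a file outside the store instead of being written inline.

{ config, lib, pkgs, inputs, ... } @ args:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the systemd-boot EFI boot loader. The GRUB options below are kept
  # commented out for reference only.
  boot.loader.systemd-boot.enable = true;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
  # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  nix.settings.download-buffer-size = 500000000;
  nix.gc = {
    automatic = true;
    options = "--delete-older-than 30d";
  };
  nix.optimise.automatic = true;

  # NOTE(review): `flake` points at the store copy of this flake, and `flags`
  # contains nothing that refreshes the locked inputs. As far as this file
  # shows, the nightly run rebuilds the same pinned nixpkgs and so pulls in no
  # security updates. Confirm that the lock file is updated some other way.
  system.autoUpgrade = {
    enable = true;
    allowReboot = true;
    flake = inputs.self.outPath;
    flags = [ "-L" ];
    dates = "02:00";
    randomizedDelaySec = "45min";
  };

  networking.hostName = "netcup"; # Define your hostname.

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      80 443 # http(s)
      7777   # terraria
      9418   # git daemon (git:// protocol, see services.gitDaemon.port below)
      25565  # minecraft
    ];
  };

  # Set your time zone.
  time.timeZone = "Europe/Amsterdam";

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  i18n.defaultLocale = "de_DE.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "de-latin1-nodeadkeys";
    # useXkbConfig = true; # use xkb.options in tty.
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.ps = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    packages = with pkgs; [ ];
  };

  users.users.live = {
    isSystemUser = true;
    group = "live";
    home = "/srv/live";
    createHome = true;
    useDefaultShell = true;
  };
  users.groups.live = {};

  # NOTE(review): with wheelNeedsPassword = false, any session as `ps` (the
  # only wheel member defined here) is equivalent to root. The sshd block below
  # disables password logins for `git` only, so password authentication for
  # `ps` stays at the module default. Consider key-only SSH for every account
  # (services.openssh.settings.PasswordAuthentication = false) or keeping the
  # sudo password prompt.
  security = {
    polkit.enable = true;
    sudo.wheelNeedsPassword = false;
  };

  nixpkgs.config.allowUnfree = true;
  nixpkgs.overlays = [
    (inputs.ps-flakes.overlays.cgit)
    (inputs.ps-flakes.overlays.gitweb)
    (inputs.nix-minecraft.overlay)
  ];

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    vim
    wget
    file
    git
    fzf
    bat
    openssh
    helix
    gitui
    bintools
    btop
    htop
    systemctl-tui
    tmux
    md4c
    highlight
    multimarkdown
    python312Packages.pygments
    pkg-config
  ];

  environment.shellAliases = {
    snrs = "sudo nixos-rebuild switch --flake /etc/nixos#default";
    snrt = "sudo nixos-rebuild test --flake /etc/nixos#default";
    snrb = "sudo nixos-rebuild boot --flake /etc/nixos#default";
    senc = "sudo ${pkgs.helix}/bin/hx /etc/nixos/configuration.nix";
  };

  # git-hooks
  # The hook repository is fetched over plain git://, which offers neither
  # transport authentication nor encryption. Its integrity rests entirely on
  # the pinned `rev` and `hash`, so keep both pinned. The activation script
  # runs the post-receive hook as the `git` user on every system activation.
  system.activationScripts.githook = let
    githooksRepo = pkgs.fetchgit {
      url = "git://psch.dev/git-hooks";
      rev = "1a40e097c8854d5a0e65c070addaa7e3337635c0";
      hash = "sha256-KNKnP/3hhQQlildzRF+skYHtV+7Xg1MQMPi2DDEHGAI=";
    };
  in {
    text = ''
      PATH=$PATH:${lib.makeBinPath [ pkgs.git pkgs.sudo pkgs.python3 ]}
      sudo -u git ${githooksRepo}/git-hooks/post-receive
    '';
  };

  # git
  users.users.git = {
    isSystemUser = true;
    group = "git";
    home = "/srv/git";
    createHome = true;
    homeMode = "750";
    shell = "${pkgs.git}/bin/git-shell";
    packages = with pkgs; [
      python3 # for blog git-hook
    ];
  };
  users.groups.git = {};
  programs.git = {
    enable = true;
    config = {
      init.defaultBranch = "main";
      user.name = "Patrick";
      user.email = "patrick.schoenberger@posteo.de";
    };
  };

  # NOTE(review): exportAll serves every repository under /srv/git to
  # anonymous clients over unauthenticated, unencrypted git:// (port 9418 is
  # open in the firewall above). cgit and gitweb below scan the same tree.
  # Make sure nothing private is ever pushed there.
  services.gitDaemon = {
    enable = true;
    basePath = "/srv/git";
    repositories = [ "/srv/git" ];
    exportAll = true;
    port = 9418;
  };

  # Enable the OpenSSH daemon.
  # The Match block restricts only the `git` account: no forwarding, no TTY,
  # no password login. All other accounts keep the module defaults.
  services.openssh = {
    enable = true;
    extraConfig = ''
      Match user git
        AllowTcpForwarding no
        AllowAgentForwarding no
        PasswordAuthentication no
        PermitTTY no
        X11Forwarding no
    '';
  };

  services.qemuGuest.enable = true;
  # virtualisation.qemu.guestAgent.enable = true;

  programs.mosh.enable = true;

  # Mods are fetched by URL and pinned by sha256, so a changed upstream file
  # fails the build rather than being deployed silently.
  services.minecraft-servers = {
    enable = true;
    eula = true;

    servers.fabric = {
      enable = true;
      serverProperties = {
        difficulty = 2;
        motd = "A Place on Earth";
        white-list = true;
      };
      package = pkgs.fabricServers.fabric-1_20_1;
      # .override {
      #   loaderVersion = "";
      # }

      symlinks = {
        mods = pkgs.linkFarmFromDrvs "mods" (
          builtins.attrValues {
            Fabric-API = pkgs.fetchurl {
              url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/UapVHwiP/fabric-api-0.92.6%2B1.20.1.jar";
              sha256 = "sha256-Ds5QR22jaSERqwS3WUXFRY5w2YzQae78BEqz5Xl33us=";
            };
            GlitchCore = pkgs.fetchurl {
              url = "https://cdn.modrinth.com/data/s3dmwKy5/versions/25HLOiOl/GlitchCore-fabric-1.20.1-0.0.1.1.jar";
              sha256 = "sha256-+359QjXKv4OVR4vEKu9rv9u++JUd3x9w9zcZ4LJMmcw=";
            };
            TerraBlender = pkgs.fetchurl {
              url = "https://cdn.modrinth.com/data/kkmrDlKT/versions/J1S3aA8i/TerraBlender-fabric-1.20.1-3.0.1.10.jar";
              sha256 = "sha256-0C2aoszwkSZLD87wdkQSi4I7NCGgK/xAORoBqhzNCiQ=";
            };
            BiomesOPlenty = pkgs.fetchurl {
              url = "https://cdn.modrinth.com/data/HXF82T3G/versions/eZaag2ca/BiomesOPlenty-fabric-1.20.1-19.0.0.96.jar";
              sha256 = "sha256-A4Kp4TNMtzbE8Nhs8NACEG1qmEU6cJlQ678Ok5gx6nI=";
            };
          }
        );
      };
    };
  };

  # Main Caddy sites. /src is proxied to a service on localhost:3000, and
  # /git is served by cgit through the fcgiwrap socket declared further down.
  #
  # NOTE(review): the basic_auth hash for /julius_cam/* is inline, so it is
  # readable in the store and in any published copy of this file. If the
  # account is in use, rotate the password and load the hash from a file.
  # NOTE(review): the two `echo` arguments in the markdown filter consist of
  # a single newline each; presumably they carried HTML that was lost from this
  # copy. Confirm against the deployed file.
  services.caddy = {
    enable = true;
    extraConfig = ''
      psch.dev ps.run pasch.cc {
        rewrite /src /src/
        handle_path /src/* {
          reverse_proxy http://localhost:3000
        }

        rewrite /git /git/
        handle_path /git/* {
          encode gzip zstd
          @assets path /cgit.css /cgit.png /favicon.ico /robots.txt
          handle /cgithub/* {
            file_server {
              root /srv/cgithub
            }
          }
          handle @assets {
            file_server {
              root ${pkgs.cgit}/cgit
            }
          }
          handle {
            reverse_proxy unix//run/fcgiwrap-git.sock {
              transport fastcgi {
                env CGIT_CONFIG ${pkgs.writeText "cgitrc" ''
                  snapshots=tar tar.gz zip
                  enable-git-config=1
                  enable-index-owner=0
                  enable-log-filecount=1
                  enable-log-linecount=1
                  section-from-path=1
                  virtual-root=/git
                  css=/git/cgit.css
                  logo=/git/cgit.png
                  favicon=/git/favicon.ico
                  module-link=/%s/commit/?id=%s
                  clone-url=https://$HTTP_HOST/git/$CGIT_REPO_URL git://$HTTP_HOST/$CGIT_REPO_URL git@$HTTP_HOST:$CGIT_REPO_URL
                  noplainemail=1
                  repository-sort=age
                  about-filter=${pkgs.writeShellScript "markdown-filter" ''
                    echo '
                    '
                    ${pkgs.md4c}/bin/md2html --github --ftables
                    echo '
                    '
                  ''}
                  # source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
                  head-include=/srv/cgithub/head-include.html
                  footer=/srv/cgithub/footer.html
                  readme=:readme.md
                  readme=:Readme.md
                  readme=:ReadMe.md
                  readme=:README.md
                  scan-path=/srv/git
                ''}
                env SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi
              }
            }
          }
        }

        basic_auth /julius_cam/* {
          test $2a$14$iKv0GlwavCunG0zQbaf2fOl4r4/8k8gDKUVUouu9Q3o.MfSDkp6Te
        }

        root * /srv/www
        file_server
      }

      tnx.sh {
        respond "The Website is under Construction."
      }

      chirp.ps.run {
        reverse_proxy http://localhost:8080 {
          request_buffers 8192
        }
      }

      mail.psch.dev {
        respond mail
      }
    '';
  };

  # virtualHosts."git.psch.dev".extraConfig = ''
  #   reverse_proxy unix//run/anubis/anubis-cgit.sock
  # '';

  # gitweb front end over the same fcgiwrap socket and the same /srv/git tree.
  # NOTE(review): $site_html_head_string is empty in this copy; it may have
  # held markup originally. Confirm against the deployed file.
  services.caddy.virtualHosts."gitweb.ps.run".extraConfig = ''
    handle /static/* {
      file_server {
        root ${pkgs.gitweb}
      }
    }
    handle {
      reverse_proxy unix//run/fcgiwrap-git.sock {
        transport fastcgi {
          env GITWEB_CONFIG ${pkgs.writeText "gitweb.conf" ''
            $projectroot = "/srv/git";
            $base_url = "/";
            $feature{'pathinfo'}{'default'} = [1];
            $default_projects_order = "age";
            $omit_owner = true;
            $site_html_head_string = "";
          ''}
          env SCRIPT_FILENAME ${pkgs.gitweb}/gitweb.cgi
        }
      }
    }
  '';
  # virtualHosts."gitweb.psch.dev".extraConfig = ''
  #   reverse_proxy unix//run/anubis/anubis-gitweb.sock
  # '';

  services.anubis = {
    defaultOptions = {
      user = "caddy";
      group = "caddy";
    };
    # instances.cgit.settings.TARGET = "http://localhost:8082/cgit";
    # instances.gitweb.settings.TARGET = "http://localhost:8082";
  };

  # The CGI processes (cgit, gitweb) run as `git`. The socket is owned by
  # `caddy`, which restricts who may submit requests to them.
  services.fcgiwrap.instances."git" = {
    process.user = "git";
    process.group = "git";
    socket.user = "caddy";
    socket.group = "caddy";
  };

  services.forgejo = {
    enable = true;
    repositoryRoot = "/srv/git2";
    settings = {
      server = {
        DOMAIN = "ps.run";
        ROOT_URL = "https://ps.run/src";
      };
      repository = {
        REQUIRE_SIGNIN_VIEW = false;
      };
      service = {
        REQUIRE_SIGNIN_VIEW = false;
        DISABLE_REGISTRATION = true;
      };
    };
  };
  # Gives the forgejo account group access to /srv/git (homeMode 750 above).
  users.users.forgejo.extraGroups = [ "git" ];

  users.users.chirp = {
    isSystemUser = true;
    group = "chirp";
    home = "/var/lib/chirp";
    createHome = true;
  };
  users.groups.chirp = {};

  # NOTE(review): ExecStart runs a mutable script from the service account's
  # own home directory, so the code that runs is not pinned by this
  # configuration.
  systemd.services.poster-splitter = let
    poster-splitter-src = "/var/lib/postersplitter/repo";
  in {
    description = "Poster Splitter";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      Type = "simple";
      User = "poster";
      Group = "poster";
      WorkingDirectory = "${poster-splitter-src}";
      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=$PATH:${lib.makeBinPath [ pkgs.bash pkgs.python3 ]} LD_LIBRARY_PATH=${pkgs.stdenv.cc.cc.lib}/lib/ /var/lib/postersplitter/run.sh'";
      Restart = "on-failure";
    };
  };

  # NOTE(review): this hook is the most exposed privilege boundary in the file.
  #  - It runs as root and is reachable from the internet through the
  #    /hooks/* route on postersplitter.de below.
  #  - The only gate is an HMAC whose key is the literal "mysecret": it is
  #    guessable, world-readable in the store, and present in every copy of
  #    this file. Treat it as compromised. Generate a long random value and
  #    supply it at runtime from a file outside the store (the module's
  #    templated hooks may help; confirm against its options).
  #  - deploy.sh lives in /var/lib/postersplitter, the home directory of the
  #    `poster` account that also runs the web app. Presumably that account
  #    can replace the script, which would let a compromise of the app reach
  #    root. Keep the script root-owned outside that directory (or in the
  #    store) and run the hook as an unprivileged user with only the narrowly
  #    scoped right it needs.
  #  - SHA-1 HMAC works, but prefer payload-hmac-sha256 with the matching
  #    signature header if the sender provides one.
  #  - Only the local Caddy needs this port, so the listener should be bound
  #    to loopback rather than relying on the firewall alone.
  services.webhook = {
    enable = true;
    port = 8102;
    user = "root";
    group = "root";
    hooks = {
      "deploy-poster-splitter" = {
        id = "deploy-poster-splitter";
        response-message = "Deployed Poster Splitter";
        execute-command = "/var/lib/postersplitter/deploy.sh";
        command-working-directory = "/var/lib/postersplitter";
        pass-environment-to-command = [
          {
            source = "string";
            envname = "PATH";
            # pkgs.git was listed twice; one entry is enough.
            name = "${lib.makeBinPath [ pkgs.coreutils pkgs.sudo pkgs.systemd pkgs.openssh pkgs.git pkgs.bash pkgs.python3 ]}";
          }
        ];
        trigger-rule = {
          match = {
            type = "payload-hmac-sha1";
            secret = "mysecret";
            parameter = {
              source = "header";
              name = "X-Hub-Signature";
            };
          };
        };
      };
    };
  };

  # /hooks/* goes to the webhook service above; everything else goes to the
  # Flask app on 127.0.0.1:8101.
  services.caddy.virtualHosts."postersplitter.de".extraConfig = ''
    # Route 1: Der Webhook
    # Leitet Anfragen an /hooks/ an den Webhook-Dienst
    @webhook path /hooks/*
    handle @webhook {
      reverse_proxy 127.0.0.1:8102
    }

    # Route 2: Die Flask App (alles andere)
    # Muss NACH der Webhook-Route kommen
    @all not path /hooks/*
    handle @all {
      reverse_proxy 127.0.0.1:8101
    }
  '';

  users.users.poster = {
    isSystemUser = true;
    group = "poster";
    home = "/var/lib/postersplitter";
    createHome = true;
    useDefaultShell = true;
    packages = with pkgs; [
      python314
    ];
  };
  users.groups.poster = {};

  systemd.services.chirp = {
    description = "Chirp SystemD Service";
    wantedBy = ["multi-user.target"];
    after = ["network.target"];
    serviceConfig = {
      WorkingDirectory = "/var/lib/chirp";
      ExecStart = "${args.inputs.chirp.packages.${pkgs.system}.default}/bin/chirp";
      Restart = "always";
      Type = "simple";
      User = "chirp";
      Group = "chirp";
    };
  };

  # Mail Server
  # NOTE(review): the inline hash below uses bcrypt cost 05, which is cheap to
  # brute-force offline, and it is readable in the store and in any published
  # copy of this file. Rotate the password, re-hash it with a higher cost, and
  # load it through hashedPasswordFile from a root-only path.
  # NOTE(review): the certificate and key are read straight from Caddy's
  # storage directory. Confirm that the mail daemons can read the key and that
  # they are reloaded when Caddy renews it.
  mailserver = {
    enable = true;
    # stateVersion = 1;
    fqdn = "mail.psch.dev";
    domains = [ "psch.dev" ];

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "ps@psch.dev" = {
        hashedPassword = "$2b$05$dd65mMjWxZNc.MK4YUwLgeRMInJHvwNTazptImrw4paRqyX/p4TQG";
        aliases = ["p@psch.dev" "patrick@psch.dev"];
      };
    };

    certificateScheme = "manual";
    certificateFile = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.psch.dev/mail.psch.dev.crt";
    keyFile = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.psch.dev/mail.psch.dev.key";
  };
  # security.acme.acceptTerms = true;
  # security.acme.defaults.email = "patrick.schoenberger@posteo.de";

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.05"; # Did you read the comment?
}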