]> gitweb.ps.run Git - flake_server/blobdiff - configuration.nix
projects / flake_server / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
update
[flake_server] / configuration.nix
diff --git a/configuration.nix b/configuration.nix
index 3015dc83d33b0a43af4f4e0401675e1ddda9f4c2..3c0e603af71bcf8bb238f56a8ca266bff8184106 100644 (file)
--- a/configuration.nix
+++ b/configuration.nix
@@ -2,7 +2,7 @@
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... } @ args:
 
 {
   imports =
 
 {
   imports =
@@ -19,15 +19,32 @@
   # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
   # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.download-buffer-size = 500000000;
 
 
-  networking.hostName = "nixos"; # Define your hostname.
-  # Pick only one of the below networking options.
-  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+  nix.gc = {
+    automatic = true;
+    options = "--delete-older-than 30d";
+  };
+  nix.optimise.automatic = true;
+  system.autoUpgrade = {
+    enable = true;
+    allowReboot = true;
+    flake = inputs.self.outPath;
+    flags = [ "-L" ];
+    dates = "02:00";
+    randomizedDelaySec = "45min";
+  };
+
+  networking.hostName = "netcup"; # Define your hostname.
 
   networking.firewall = {
     enable = true;
 
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [ 80 443 ];
+    allowedTCPPorts = [
+      80 443 # http(s)
+      7777   # terraria
+      9418   # syncthing (?)
+      25565  # minecraft
+    ];
   };
 
   # Set your time zone.
   };
 
   # Set your time zone.
@@ -45,30 +62,6 @@
     # useXkbConfig = true; # use xkb.options in tty.
   };
 
     # useXkbConfig = true; # use xkb.options in tty.
   };
 
-  # Enable the X11 windowing system.
-  # services.xserver.enable = true;
-
-
-  
-
-  # Configure keymap in X11
-  # services.xserver.xkb.layout = "us";
-  # services.xserver.xkb.options = "eurosign:e,caps:escape";
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  # Enable sound.
-  # hardware.pulseaudio.enable = true;
-  # OR
-  # services.pipewire = {
-  #   enable = true;
-  #   pulse.enable = true;
-  # };
-
-  # Enable touchpad support (enabled default in most desktopManager).
-  # services.libinput.enable = true;
-
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.ps = {
     isNormalUser = true;
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.ps = {
     isNormalUser = true;
@@ -77,36 +70,79 @@
     ];
   };
 
     ];
   };
 
+  users.users.live = {
+    isSystemUser = true;
+    group = "live";
+    home = "/srv/live";
+    createHome = true;
+    useDefaultShell = true;
+  };
+  users.groups.live = {};
+
   security = {
     polkit.enable = true;
     sudo.wheelNeedsPassword = false;
   };
 
   security = {
     polkit.enable = true;
     sudo.wheelNeedsPassword = false;
   };
 
-  # nixpkgs.config.allowUnfree = true;
+  nixpkgs.config.allowUnfree = true;
+
+  nixpkgs.overlays = [
+    (inputs.ps-flakes.overlays.cgit)
+    (inputs.ps-flakes.overlays.gitweb)
+    (inputs.nix-minecraft.overlay)
+  ];
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
-    vim neovim wget file git
-    zig fzf bat
+    vim wget file git fzf bat
+    openssh
+    helix
+    gitui
     bintools
     bintools
-    htop
+    btop htop
+    systemctl-tui
     tmux
     tmux
+    md4c
+    highlight
+    multimarkdown
+    python312Packages.pygments
 
 
-    forgejo
-    mbedtls
     pkg-config
   ];
 
     pkg-config
   ];
 
+  environment.shellAliases = {
+    snrs = "sudo nixos-rebuild switch --flake /etc/nixos#default";
+    snrt = "sudo nixos-rebuild test --flake /etc/nixos#default";
+    snrb = "sudo nixos-rebuild boot --flake /etc/nixos#default";
+    senc = "sudo ${pkgs.helix}/bin/hx /etc/nixos/configuration.nix";
+  };
+
+  # git-hooks
+  system.activationScripts.githook =
+    let
+      githooksRepo = pkgs.fetchgit {
+        url = "git://psch.dev/git-hooks";
+        rev = "1a40e097c8854d5a0e65c070addaa7e3337635c0";
+        hash = "sha256-KNKnP/3hhQQlildzRF+skYHtV+7Xg1MQMPi2DDEHGAI=";
+      };
+    in
+    {
+    text = ''
+      PATH=$PATH:${lib.makeBinPath [ pkgs.git pkgs.sudo pkgs.python3 ]} sudo -u git ${githooksRepo}/git-hooks/post-receive
+    '';
+  };
+
   # git
   users.users.git = {
     isSystemUser = true;
     group = "git";
     home = "/srv/git";
     createHome = true;
   # git
   users.users.git = {
     isSystemUser = true;
     group = "git";
     home = "/srv/git";
     createHome = true;
+    homeMode = "750";
     shell = "${pkgs.git}/bin/git-shell";
     shell = "${pkgs.git}/bin/git-shell";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQOPefMnq0qvFjYxlrdlSmUgyCbvV85gkfRykVlTnrn ps@nixos"
+    packages = with pkgs; [
+      python3 # for blog git-hook
     ];
   };
   users.groups.git = {};
     ];
   };
   users.groups.git = {};
@@ -115,18 +151,18 @@
     enable = true;
     config = {
       init.defaultBranch = "main";
     enable = true;
     config = {
       init.defaultBranch = "main";
+      user.name = "Patrick";
+      user.email = "patrick.schoenberger@posteo.de";
     };
   };
 
     };
   };
 
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  # };
-
-  # List services that you want to enable:
+  services.gitDaemon = {
+    enable = true;
+    basePath = "/srv/git";
+    repositories = [ "/srv/git" ];
+    exportAll = true;
+    port = 9418;
+  };
 
   # Enable the OpenSSH daemon.
   services.openssh = {
 
   # Enable the OpenSSH daemon.
   services.openssh = {
@@ -142,25 +178,310 @@
   };
   services.qemuGuest.enable = true;
   # virtualisation.qemu.guestAgent.enable = true;
   };
   services.qemuGuest.enable = true;
   # virtualisation.qemu.guestAgent.enable = true;
+  programs.mosh.enable = true;
+
+  services.minecraft-servers = {
+    enable = true;
+    eula = true;
+    servers.fabric = {
+      enable = true;
+
+      serverProperties = {
+        difficulty = 2;
+        motd = "A Place on Earth";
+        white-list = true;
+      };
+      
+      package = pkgs.fabricServers.fabric-1_20_1;
+      # .override {
+      #   loaderVersion = "";
+      # }
+      symlinks = {
+        mods = pkgs.linkFarmFromDrvs "mods" (
+          builtins.attrValues {
+            Fabric-API = pkgs.fetchurl {
+              url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/UapVHwiP/fabric-api-0.92.6%2B1.20.1.jar";
+              sha256 = "sha256-Ds5QR22jaSERqwS3WUXFRY5w2YzQae78BEqz5Xl33us=";
+            };
+            GlitchCore = pkgs.fetchurl {
+              url = "https://cdn.modrinth.com/data/s3dmwKy5/versions/25HLOiOl/GlitchCore-fabric-1.20.1-0.0.1.1.jar";
+              sha256 = "sha256-+359QjXKv4OVR4vEKu9rv9u++JUd3x9w9zcZ4LJMmcw=";
+            };
+            TerraBlender = pkgs.fetchurl {
+              url = "https://cdn.modrinth.com/data/kkmrDlKT/versions/J1S3aA8i/TerraBlender-fabric-1.20.1-3.0.1.10.jar";
+              sha256 = "sha256-0C2aoszwkSZLD87wdkQSi4I7NCGgK/xAORoBqhzNCiQ=";
+            };
+            BiomesOPlenty = pkgs.fetchurl {
+              url = "https://cdn.modrinth.com/data/HXF82T3G/versions/eZaag2ca/BiomesOPlenty-fabric-1.20.1-19.0.0.96.jar";
+              sha256 = "sha256-A4Kp4TNMtzbE8Nhs8NACEG1qmEU6cJlQ678Ok5gx6nI=";
+            };
+          }
+        );
+      };
+    };
+  };
 
   services.caddy = {
     enable = true;
 
   services.caddy = {
     enable = true;
-    virtualHosts."chirp.psch.dev".extraConfig = ''
-      reverse_proxy http://127.0.0.1:8080
-      tls {
-        protocols tls1.3 tls1.3
+
+    extraConfig = ''
+    psch.dev ps.run pasch.cc {
+      rewrite /src /src/
+      handle_path /src/* {
+        reverse_proxy http://localhost:3000
       }
       }
+      rewrite /git /git/
+      handle_path /git/* {
+        encode gzip zstd
+
+        @assets path /cgit.css /cgit.png /favicon.ico /robots.txt
+        handle /cgithub/* {
+          file_server {
+            root /srv/cgithub
+          }
+        }
+        handle @assets {
+          file_server {
+            root ${pkgs.cgit}/cgit
+          }
+        }
+        handle {
+          reverse_proxy unix//run/fcgiwrap-git.sock {
+            transport fastcgi {
+              env CGIT_CONFIG ${pkgs.writeText "cgitrc" ''
+                snapshots=tar tar.gz zip
+                enable-git-config=1
+                enable-index-owner=0
+                enable-log-filecount=1
+                enable-log-linecount=1
+                section-from-path=1
+                virtual-root=/git
+                css=/git/cgit.css
+                logo=/git/cgit.png
+                favicon=/git/favicon.ico
+                module-link=/%s/commit/?id=%s
+                clone-url=https://$HTTP_HOST/git/$CGIT_REPO_URL git://$HTTP_HOST/$CGIT_REPO_URL git@$HTTP_HOST:$CGIT_REPO_URL
+                noplainemail=1
+                repository-sort=age
+                about-filter=${pkgs.writeShellScript "markdown-filter" ''
+                  echo '<div class="markdown-body">'
+                  ${pkgs.md4c}/bin/md2html --github --ftables
+                  echo '</div>'
+                ''}
+                # source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+                head-include=/srv/cgithub/head-include.html
+                footer=/srv/cgithub/footer.html
+                readme=:readme.md
+                readme=:Readme.md
+                readme=:ReadMe.md
+                readme=:README.md
+                scan-path=/srv/git
+              ''}
+              env SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi
+            }
+          }
+        }
+      }
+
+      basic_auth /julius_cam/* { test $2a$14$iKv0GlwavCunG0zQbaf2fOl4r4/8k8gDKUVUouu9Q3o.MfSDkp6Te }
+      root * /srv/www
+      file_server
+    }
+    tnx.sh {
+      respond "The Website is under Construction."
+    }
+    chirp.ps.run {
+      reverse_proxy http://localhost:8080 {
+        request_buffers 8192
+      }
+    }
+    mail.psch.dev {
+      respond mail
+    }
     '';
     '';
-    virtualHosts."git.psch.dev".extraConfig = ''
-      reverse_proxy http://127.0.0.1:3000
-    '';
+  };
+  # virtualHosts."git.psch.dev".extraConfig = ''
+  #   reverse_proxy unix//run/anubis/anubis-cgit.sock
+  # '';
+  services.caddy.virtualHosts."gitweb.ps.run".extraConfig = ''
+    handle /static/* {
+      file_server {
+        root ${pkgs.gitweb}
+      }
+    }
+    handle {
+      reverse_proxy unix//run/fcgiwrap-git.sock {
+        transport fastcgi {
+          env GITWEB_CONFIG ${pkgs.writeText "gitweb.conf" ''
+            $projectroot = "/srv/git";
+            $base_url = "/";
+            $feature{'pathinfo'}{'default'} = [1];
+            $default_projects_order = "age";
+            $omit_owner = true;
+            $site_html_head_string = "<meta xmlns=\"http://www.w3.org/1999/xhtml\" name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />";
+          ''}
+          env SCRIPT_FILENAME ${pkgs.gitweb}/gitweb.cgi
+        }
+      }
+    }
+  '';
+  # virtualHosts."gitweb.psch.dev".extraConfig = ''
+  #   reverse_proxy unix//run/anubis/anubis-gitweb.sock
+  # '';
+
+  services.anubis = {
+    defaultOptions = {
+      user = "caddy";
+      group = "caddy";
+    };
+    
+    # instances.cgit.settings.TARGET = "http://localhost:8082/cgit";
+    # instances.gitweb.settings.TARGET = "http://localhost:8082";
+  };
+
+  services.fcgiwrap.instances."git" = {
+    process.user = "git";
+    process.group = "git";
+    socket.user = "caddy";
+    socket.group = "caddy";
+  };
+
+  services.forgejo = {
+    enable = true;
+    repositoryRoot = "/srv/git2";
+    settings = {
+      server = {
+        DOMAIN = "ps.run";
+        ROOT_URL = "https://ps.run/src";
+      };
+      repository = {
+        REQUIRE_SIGNIN_VIEW = false; 
+      };
+      service = {
+        REQUIRE_SIGNIN_VIEW = false; 
+        DISABLE_REGISTRATION = true;
+      };
+    };
+  };
+  users.users.forgejo.extraGroups = [ "git" ];
+
+  users.users.chirp = {
+    isSystemUser = true;
+    group = "chirp";
+    home = "/var/lib/chirp";
+    createHome = true;
+  };
+  users.groups.chirp = {};
+
+  systemd.services.poster-splitter =
+    let
+      poster-splitter-src = "/var/lib/postersplitter/repo";
+    in
+    {
+      description = "Poster Splitter";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = "poster";
+        Group = "poster";
+        WorkingDirectory = "${poster-splitter-src}";
+      
+        ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=$PATH:${lib.makeBinPath [ pkgs.bash pkgs.python3 ]} LD_LIBRARY_PATH=${pkgs.stdenv.cc.cc.lib}/lib/ /var/lib/postersplitter/run.sh'";
+        Restart = "on-failure";
+      };
+    };
+  services.webhook = {
+    enable = true;
+    port = 8102;
+    user = "root";
+    group = "root";
+    hooks = {
+      "deploy-poster-splitter" = {
+        id = "deploy-poster-splitter";
+        response-message = "Deployed Poster Splitter";
+        execute-command = "/var/lib/postersplitter/deploy.sh";
+        command-working-directory = "/var/lib/postersplitter";
+        pass-environment-to-command = [
+          { source = "string"; envname = "PATH"; name = "${lib.makeBinPath [ pkgs.coreutils pkgs.sudo pkgs.systemd pkgs.openssh pkgs.git pkgs.bash pkgs.python3 pkgs.git ]}"; }
+        ];
+        trigger-rule = {
+          match = {
+            type = "payload-hmac-sha1";
+            secret = "mysecret";
+            parameter = {
+              source = "header";
+              name = "X-Hub-Signature";
+            };
+          };
+        };
+      };
+    };
+  };
+  services.caddy.virtualHosts."postersplitter.de".extraConfig = ''
+    # Route 1: Der Webhook
+    # Leitet Anfragen an /hooks/ an den Webhook-Dienst
+    @webhook path /hooks/*
+    handle @webhook {
+      reverse_proxy 127.0.0.1:8102
+    }
+
+    # Route 2: Die Flask App (alles andere)
+    # Muss NACH der Webhook-Route kommen
+    @all not path /hooks/*
+    handle @all {
+      reverse_proxy 127.0.0.1:8101
+    }
+  '';
+  users.users.poster = {
+    isSystemUser = true;
+    group = "poster";
+    home = "/var/lib/postersplitter";
+    createHome = true;
+    useDefaultShell = true;
+    packages = with pkgs; [
+      python314
+    ];
+  };
+  users.groups.poster = {};
+  
+  systemd.services.chirp = {
+    description = "Chirp SystemD Service";
+    wantedBy = ["multi-user.target"];
+    after = ["network.target"];
+    serviceConfig = {
+      WorkingDirectory = "/var/lib/chirp";
+      ExecStart = "${args.inputs.chirp.packages.${pkgs.system}.default}/bin/chirp";
+      Restart = "always";
+      Type = "simple";
+      User = "chirp";
+      Group = "chirp";
+    };
   };
 
   };
 
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
+  # Mail Server
+  mailserver = {
+    enable = true;
+    # stateVersion = 1;
+    fqdn = "mail.psch.dev";
+    domains = [ "psch.dev" ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+    loginAccounts = {
+      "ps@psch.dev" = {
+        hashedPassword = "$2b$05$dd65mMjWxZNc.MK4YUwLgeRMInJHvwNTazptImrw4paRqyX/p4TQG";
+        aliases = ["p@psch.dev" "patrick@psch.dev"];
+      };
+    };
+
+    certificateScheme = "manual";
+    certificateFile = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.psch.dev/mail.psch.dev.crt";
+    keyFile = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.psch.dev/mail.psch.dev.key";
+  };
+  # security.acme.acceptTerms = true;
+  # security.acme.defaults.email = "patrick.schoenberger@posteo.de";
 
   # Copy the NixOS configuration file and link it from the resulting system
   # (/run/current-system/configuration.nix). This is useful in case you
 
   # Copy the NixOS configuration file and link it from the resulting system
   # (/run/current-system/configuration.nix). This is useful in case you
NixOS Config