X-Git-Url: https://gitweb.ps.run/flake_server/blobdiff_plain/eacd07da1b91fc1dc317b6da7fe8d22179e20d89..refs/heads/main:/configuration.nix diff --git a/configuration.nix b/configuration.nix index 5017789..3c0e603 100644 --- a/configuration.nix +++ b/configuration.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ config, lib, pkgs, chirp, ... }: +{ config, lib, pkgs, inputs, ... } @ args: { imports = @@ -19,16 +19,32 @@ # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only nix.settings.experimental-features = [ "nix-command" "flakes" ]; - nix.package = pkgs.nixVersions.nix_2_28; + nix.settings.download-buffer-size = 500000000; - networking.hostName = "nixos"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + nix.gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + nix.optimise.automatic = true; + system.autoUpgrade = { + enable = true; + allowReboot = true; + flake = inputs.self.outPath; + flags = [ "-L" ]; + dates = "02:00"; + randomizedDelaySec = "45min"; + }; + + networking.hostName = "netcup"; # Define your hostname. networking.firewall = { enable = true; - allowedTCPPorts = [ 80 443 9418 ]; + allowedTCPPorts = [ + 80 443 # http(s) + 7777 # terraria + 9418 # syncthing (?) + 25565 # minecraft + ]; }; # Set your time zone. 
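Review bot: `system.autoUpgrade.flake = inputs.self.outPath` points the nightly rebuild at the immutable store copy of the flake that built the running system, so its flake.lock never changes and, with only `-L` in `flags`, the timer presumably rebuilds the same closure every night instead of pulling newer nixpkgs — `allowReboot = true` then brings no patches with it. If unattended updates are the intent, point `flake` at a mutable checkout (the aliases later in this diff rebuild from `/etc/nixos#default`) or add a flag that refreshes the inputs, and state the choice in a comment next to the option. Unrelated, in `allowedTCPPorts` the comment `9418 # syncthing (?)` is wrong: 9418 is the git protocol port that `services.gitDaemon.port = 9418` in this same diff listens on, so it should read `9418 # git daemon (services.gitDaemon)`. The enclosing attribute set continues outside the hunk.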
@@ -46,27 +62,6 @@ # useXkbConfig = true; # use xkb.options in tty. }; - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # hardware.pulseaudio.enable = true; - # OR - # services.pipewire = { - # enable = true; - # pulse.enable = true; - # }; - - # Enable touchpad support (enabled default in most desktopManager). - # services.libinput.enable = true; - # Define a user account. Don't forget to set a password with ‘passwd’. users.users.ps = { isNormalUser = true; 
@@ -75,36 +70,79 @@ ]; }; + users.users.live = { + isSystemUser = true; + group = "live"; + home = "/srv/live"; + createHome = true; + useDefaultShell = true; + }; + users.groups.live = {}; + security = { polkit.enable = true; sudo.wheelNeedsPassword = false; }; - # nixpkgs.config.allowUnfree = true; + nixpkgs.config.allowUnfree = true; + + nixpkgs.overlays = [ + (inputs.ps-flakes.overlays.cgit) + (inputs.ps-flakes.overlays.gitweb) + (inputs.nix-minecraft.overlay) + ]; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - vim neovim wget file git - zig fzf bat + vim wget file git fzf bat + openssh + helix + gitui bintools - htop + btop htop + systemctl-tui tmux + md4c + highlight + multimarkdown + python312Packages.pygments - forgejo - mbedtls pkg-config ]; + environment.shellAliases = { + snrs = "sudo nixos-rebuild switch --flake /etc/nixos#default"; + snrt = "sudo nixos-rebuild test --flake /etc/nixos#default"; + snrb = "sudo nixos-rebuild boot --flake /etc/nixos#default"; + senc = "sudo ${pkgs.helix}/bin/hx /etc/nixos/configuration.nix"; + }; + + # git-hooks + system.activationScripts.githook = + let + githooksRepo = pkgs.fetchgit { + url = "git://psch.dev/git-hooks"; + rev = "1a40e097c8854d5a0e65c070addaa7e3337635c0"; + hash = "sha256-KNKnP/3hhQQlildzRF+skYHtV+7Xg1MQMPi2DDEHGAI="; + }; + in + { + text = '' + PATH=$PATH:${lib.makeBinPath [ pkgs.git pkgs.sudo pkgs.python3 ]} sudo -u git ${githooksRepo}/git-hooks/post-receive + ''; + }; + # git users.users.git = { isSystemUser = true; group = "git"; home = "/srv/git"; createHome = true; + homeMode = "750"; shell = "${pkgs.git}/bin/git-shell"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQOPefMnq0qvFjYxlrdlSmUgyCbvV85gkfRykVlTnrn ps@nixos" + packages = with pkgs; [ + python3 # for blog git-hook ]; }; users.groups.git = {}; 
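Review bot: `system.activationScripts.githook` re-runs `${githooksRepo}/git-hooks/post-receive` as user `git` on every activation — every `nixos-rebuild switch/test/boot`, including the nightly `system.autoUpgrade` added earlier in this diff — with no working directory set and, presumably, none of the ref-update lines a post-receive hook normally reads from stdin, and nothing in the hunk says why. Please add a comment above it, e.g. `# Re-run the pinned blog post-receive hook at activation so the rendered site is regenerated as user git; the hook must cope with an empty stdin and no repo cwd`, or move the call into a oneshot systemd unit where user, cwd and failure handling are explicit. The `sudo` used there is the non-setuid `pkgs.sudo` from the store, which presumably only works because activation already runs as root; that is worth a note too. Separately, the hunk drops `openssh.authorizedKeys.keys` from `users.users.git` while keeping `git-shell` as its shell, so SSH pushes to the git user now rely on keys kept outside this file — a one-line comment saying where would help the next reader.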
@@ -118,15 +156,13 @@ }; }; - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: + services.gitDaemon = { + enable = true; + basePath = "/srv/git"; + repositories = [ "/srv/git" ]; + exportAll = true; + port = 9418; + }; # Enable the OpenSSH daemon. services.openssh = { 
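Review bot: `services.gitDaemon.exportAll = true` disables git-daemon's per-repository `git-daemon-export-ok` opt-in, so every repository placed under `/srv/git` is anonymously cloneable over the unauthenticated, unencrypted git:// protocol, which the firewall hunk earlier in this diff opens on 9418. The block is only moved here from further down the file (the last hunk removes the identical lines), so this is existing behaviour, but it deserves a comment stating the intent, e.g. `# every repo under /srv/git is public: exported over git:// without an export-ok marker and listed by cgit/gitweb (scan-path / projectroot below)`. If some repositories under `/srv/git` are not meant to be public, drop `exportAll` and mark the public ones with `git-daemon-export-ok` instead.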
@@ -142,27 +178,193 @@ }; services.qemuGuest.enable = true; # virtualisation.qemu.guestAgent.enable = true; + programs.mosh.enable = true; + + services.minecraft-servers = { + enable = true; + eula = true; + servers.fabric = { + enable = true; + + serverProperties = { + difficulty = 2; + motd = "A Place on Earth"; + white-list = true; + }; + + package = pkgs.fabricServers.fabric-1_20_1; + # .override { + # loaderVersion = ""; + # } + symlinks = { + mods = pkgs.linkFarmFromDrvs "mods" ( + builtins.attrValues { + Fabric-API = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/UapVHwiP/fabric-api-0.92.6%2B1.20.1.jar"; + sha256 = "sha256-Ds5QR22jaSERqwS3WUXFRY5w2YzQae78BEqz5Xl33us="; + }; + GlitchCore = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/s3dmwKy5/versions/25HLOiOl/GlitchCore-fabric-1.20.1-0.0.1.1.jar"; + sha256 = "sha256-+359QjXKv4OVR4vEKu9rv9u++JUd3x9w9zcZ4LJMmcw="; + }; + TerraBlender = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/kkmrDlKT/versions/J1S3aA8i/TerraBlender-fabric-1.20.1-3.0.1.10.jar"; + sha256 = "sha256-0C2aoszwkSZLD87wdkQSi4I7NCGgK/xAORoBqhzNCiQ="; + }; + BiomesOPlenty = pkgs.fetchurl { + url = "https://cdn.modrinth.com/data/HXF82T3G/versions/eZaag2ca/BiomesOPlenty-fabric-1.20.1-19.0.0.96.jar"; + sha256 = "sha256-A4Kp4TNMtzbE8Nhs8NACEG1qmEU6cJlQ678Ok5gx6nI="; + }; + } + ); + }; + }; + }; services.caddy = { enable = true; - virtualHosts."psch.dev".extraConfig = '' - respond "hello :D" - ''; - virtualHosts."chirp.psch.dev".extraConfig = '' + + extraConfig = '' + psch.dev ps.run pasch.cc { + rewrite /src /src/ + handle_path /src/* { + reverse_proxy http://localhost:3000 + } + rewrite /git /git/ + handle_path /git/* { + encode gzip zstd + + @assets path /cgit.css /cgit.png /favicon.ico /robots.txt + handle /cgithub/* { + file_server { + root /srv/cgithub + } + } + handle @assets { + file_server { + root ${pkgs.cgit}/cgit + } + } + handle { + reverse_proxy unix//run/fcgiwrap-git.sock { + transport fastcgi 
{ + env CGIT_CONFIG ${pkgs.writeText "cgitrc" '' + snapshots=tar tar.gz zip + enable-git-config=1 + enable-index-owner=0 + enable-log-filecount=1 + enable-log-linecount=1 + section-from-path=1 + virtual-root=/git + css=/git/cgit.css + logo=/git/cgit.png + favicon=/git/favicon.ico + module-link=/%s/commit/?id=%s + clone-url=https://$HTTP_HOST/git/$CGIT_REPO_URL git://$HTTP_HOST/$CGIT_REPO_URL git@$HTTP_HOST:$CGIT_REPO_URL + noplainemail=1 + repository-sort=age + about-filter=${pkgs.writeShellScript "markdown-filter" '' + echo '
' + ${pkgs.md4c}/bin/md2html --github --ftables + echo '
' + ''} + # source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py + head-include=/srv/cgithub/head-include.html + footer=/srv/cgithub/footer.html + readme=:readme.md + readme=:Readme.md + readme=:ReadMe.md + readme=:README.md + scan-path=/srv/git + ''} + env SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi + } + } + } + } + + basic_auth /julius_cam/* { test $2a$14$iKv0GlwavCunG0zQbaf2fOl4r4/8k8gDKUVUouu9Q3o.MfSDkp6Te } + root * /srv/www + file_server + } + tnx.sh { + respond "The Website is under Construction." + } + chirp.ps.run { reverse_proxy http://localhost:8080 { request_buffers 8192 } - tls { - protocols tls1.3 tls1.3 - } - ''; - virtualHosts."git.psch.dev".extraConfig = '' + } + mail.psch.dev { + respond mail + } ''; }; + # virtualHosts."git.psch.dev".extraConfig = '' + # reverse_proxy unix//run/anubis/anubis-cgit.sock + # ''; + services.caddy.virtualHosts."gitweb.ps.run".extraConfig = '' + handle /static/* { + file_server { + root ${pkgs.gitweb} + } + } + handle { + reverse_proxy unix//run/fcgiwrap-git.sock { + transport fastcgi { + env GITWEB_CONFIG ${pkgs.writeText "gitweb.conf" '' + $projectroot = "/srv/git"; + $base_url = "/"; + $feature{'pathinfo'}{'default'} = [1]; + $default_projects_order = "age"; + $omit_owner = true; + $site_html_head_string = ""; + ''} + env SCRIPT_FILENAME ${pkgs.gitweb}/gitweb.cgi + } + } + } + ''; + # virtualHosts."gitweb.psch.dev".extraConfig = '' + # reverse_proxy unix//run/anubis/anubis-gitweb.sock + # ''; + + services.anubis = { + defaultOptions = { + user = "caddy"; + group = "caddy"; + }; + + # instances.cgit.settings.TARGET = "http://localhost:8082/cgit"; + # instances.gitweb.settings.TARGET = "http://localhost:8082"; + }; + + services.fcgiwrap.instances."git" = { + process.user = "git"; + process.group = "git"; + socket.user = "caddy"; + socket.group = "caddy"; + }; + + services.forgejo = { + enable = true; + repositoryRoot = "/srv/git2"; + settings = { + server = { + DOMAIN = "ps.run"; + ROOT_URL = 
"https://ps.run/src"; + }; + repository = { + REQUIRE_SIGNIN_VIEW = false; + }; + service = { + REQUIRE_SIGNIN_VIEW = false; + DISABLE_REGISTRATION = true; + }; + }; + }; + users.users.forgejo.extraGroups = [ "git" ]; - # services.chirp = { - # enable = true; - # }; users.users.chirp = { isSystemUser = true; group = "chirp"; 
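Review bot: In `services.forgejo.settings`, `REQUIRE_SIGNIN_VIEW` is set under both `repository` and `service`; as far as I know that key only exists in Forgejo's `[service]` section, so the `repository` copy is dead config and should be dropped rather than left looking effective. `ROOT_URL = "https://ps.run/src"` is paired with Caddy's `handle_path /src/*`, which strips the `/src` prefix before `reverse_proxy http://localhost:3000`; Forgejo derives its sub-path from `ROOT_URL` and, in the reverse-proxy setups I know of, expects requests to arrive with that prefix intact, so confirm that page links and static assets resolve and record the outcome in a comment. The `services.anubis` block defines only `defaultOptions` while both `instances` lines are commented out, so it is inert until an instance exists; a comment such as `# anubis: no instances yet, kept for the commented cgit/gitweb vhosts above` would make that explicit.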
@@ -170,6 +372,79 @@ createHome = true; }; users.groups.chirp = {}; + + systemd.services.poster-splitter = + let + poster-splitter-src = "/var/lib/postersplitter/repo"; + in + { + description = "Poster Splitter"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + Type = "simple"; + User = "poster"; + Group = "poster"; + WorkingDirectory = "${poster-splitter-src}"; + + ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=$PATH:${lib.makeBinPath [ pkgs.bash pkgs.python3 ]} LD_LIBRARY_PATH=${pkgs.stdenv.cc.cc.lib}/lib/ /var/lib/postersplitter/run.sh'"; + Restart = "on-failure"; + }; + }; + services.webhook = { + enable = true; + port = 8102; + user = "root"; + group = "root"; + hooks = { + "deploy-poster-splitter" = { + id = "deploy-poster-splitter"; + response-message = "Deployed Poster Splitter"; + execute-command = "/var/lib/postersplitter/deploy.sh"; + command-working-directory = "/var/lib/postersplitter"; + pass-environment-to-command = [ + { source = "string"; envname = "PATH"; name = "${lib.makeBinPath [ pkgs.coreutils pkgs.sudo pkgs.systemd pkgs.openssh pkgs.git pkgs.bash pkgs.python3 pkgs.git ]}"; } + ]; + trigger-rule = { + match = { + type = "payload-hmac-sha1"; + secret = "mysecret"; + parameter = { + source = "header"; + name = "X-Hub-Signature"; + }; + }; + }; + }; + }; + }; + services.caddy.virtualHosts."postersplitter.de".extraConfig = '' + # Route 1: Der Webhook + # Leitet Anfragen an /hooks/ an den Webhook-Dienst + @webhook path /hooks/* + handle @webhook { + reverse_proxy 127.0.0.1:8102 + } + + # Route 2: Die Flask App (alles andere) + # Muss NACH der Webhook-Route kommen + @all not path /hooks/* + handle @all { + reverse_proxy 127.0.0.1:8101 + } + ''; + users.users.poster = { + isSystemUser = true; + group = "poster"; + home = "/var/lib/postersplitter"; + createHome = true; + useDefaultShell = true; + packages = with pkgs; [ + python314 + ]; + }; + users.groups.poster = {}; systemd.services.chirp = { description = 
"Chirp SystemD Service"; @@ -177,7 +452,7 @@ after = ["network.target"]; serviceConfig = { WorkingDirectory = "/var/lib/chirp"; - ExecStart = "${chirp.packages.${pkgs.system}.default}/bin/chirp"; + ExecStart = "${args.inputs.chirp.packages.${pkgs.system}.default}/bin/chirp"; Restart = "always"; Type = "simple"; User = "chirp"; @@ -185,19 +460,28 @@ }; }; - services.gitDaemon = { + # Mail Server + mailserver = { enable = true; - basePath = "/srv/git"; - repositories = [ "/srv/git" ]; - exportAll = true; - port = 9418; - }; + # stateVersion = 1; + fqdn = "mail.psch.dev"; + domains = [ "psch.dev" ]; + + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + loginAccounts = { + "ps@psch.dev" = { + hashedPassword = "$2b$05$dd65mMjWxZNc.MK4YUwLgeRMInJHvwNTazptImrw4paRqyX/p4TQG"; + aliases = ["p@psch.dev" "patrick@psch.dev"]; + }; + }; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; + certificateScheme = "manual"; + certificateFile = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.psch.dev/mail.psch.dev.crt"; + keyFile = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.psch.dev/mail.psch.dev.key"; + }; + # security.acme.acceptTerms = true; + # security.acme.defaults.email = "patrick.schoenberger@posteo.de"; # Copy the NixOS configuration file and link it from the resulting system # (/run/current-system/configuration.nix). This is useful in case you
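Review bot: `services.webhook` runs with `user = "root"` and a `trigger-rule` whose `secret` is the literal `"mysecret"`, so the HMAC check protecting `/var/lib/postersplitter/deploy.sh` — reachable from the internet through the `postersplitter.de` vhost's `handle @webhook` — can be satisfied by anyone who knows that placeholder, and the value is also written into the world-readable Nix store and this public repository. Run the hook as the `poster` user this hunk creates (`user = "poster"; group = "poster";`), load the secret at runtime from a root-only file instead of inlining it (I believe the module supports templated hook definitions for exactly this), and add a comment on the rule naming which sender is expected to sign with `X-Hub-Signature`. The `poster-splitter` unit's `ExecStart` wraps the script in `bash -c` only to set `PATH` and `LD_LIBRARY_PATH`; the unit's `path` attribute and `environment` would do that without the extra shell layer.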
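Review bot: `loginAccounts."ps@psch.dev".hashedPassword` embeds the bcrypt hash in the configuration, which puts it in the world-readable Nix store and in this public gitweb repository; the module's file-based alternative (I believe `hashedPasswordFile`, pointing at a root-owned file) keeps it out of both. The `certificateFile`/`keyFile` paths reach into Caddy's private ACME storage under `/var/lib/caddy/.local/share/caddy/...`, so this relies on the mail daemons being able to read a directory Caddy keeps private and on them being reloaded when Caddy renews the certificate — neither is handled here, so a renewed certificate would presumably be served stale until the next restart. A comment stating that dependency, e.g. `# TLS material is borrowed from caddy's ACME storage for the mail.psch.dev vhost; the mail daemons need read access and a reload after each renewal`, would save the next reader the hunt.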