From 44c900810d902454870963181f9ac1cca356517d Mon Sep 17 00:00:00 2001 
From: winston Date: Sat, 6 May 2023 06:49:46 +0200 Subject: [PATCH] feat: init --- .gitignore | 2 + config/acme.nix | 13 + config/default.nix | 11 + config/games/default.nix | 5 + config/games/valheim.nix | 20 ++ config/network.nix | 11 + config/nix.nix | 3 + config/secrets/.identities/yubikey5ci.txt | 9 + config/secrets/containers/faerber.env.age | Bin 0 -> 564 bytes config/secrets/containers/ghcr-token.age | 10 + config/secrets/containers/pepperjack.env.age | Bin 0 -> 483 bytes config/secrets/default.nix | 7 + config/secrets/lego/porkbun-credentials.age | 11 + config/secrets/secrets.nix | 13 + .../services/invidious/config.json.age | 9 + .../services/invidious/password-database.age | 9 + config/services/containers.nix | 45 +++ config/services/default.nix | 7 + config/services/invidious.nix | 35 +++ config/services/nginx.nix | 38 +++ config/users.nix | 18 ++ flake.lock | 290 ++++++++++++++++++ flake.nix | 77 +++++ hosts/main-node/default.nix | 39 +++ hosts/main-node/hardware-configuration.nix | 47 +++ 25 files changed, 729 insertions(+) create mode 100644 .gitignore create mode 100644 config/acme.nix create mode 100644 config/default.nix create mode 100644 config/games/default.nix create mode 100644 config/games/valheim.nix create mode 100644 config/network.nix create mode 100644 config/nix.nix create mode 100644 config/secrets/.identities/yubikey5ci.txt create mode 100644 config/secrets/containers/faerber.env.age create mode 100644 config/secrets/containers/ghcr-token.age create mode 100644 config/secrets/containers/pepperjack.env.age create mode 100644 config/secrets/default.nix create mode 100644 config/secrets/lego/porkbun-credentials.age create mode 100644 config/secrets/secrets.nix create mode 100644 config/secrets/services/invidious/config.json.age create mode 100644 config/secrets/services/invidious/password-database.age create mode 100644 config/services/containers.nix create mode 100644 config/services/default.nix create mode 100644 
config/services/invidious.nix
create mode 100644 config/services/nginx.nix
create mode 100644 config/users.nix
create mode 100644 flake.lock
create mode 100644 flake.nix
create mode 100644 hosts/main-node/default.nix
create mode 100644 hosts/main-node/hardware-configuration.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9c7a426
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/.pre-commit-config.yaml
+/result
diff --git a/config/acme.nix b/config/acme.nix
new file mode 100644
index 0000000..8cf3576
--- /dev/null
+++ b/config/acme.nix
@@ -0,0 +1,13 @@
+{config, ...}: {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "hey@winston.sh";
+ certs."winston.sh" = {
+ extraDomainNames = [
+ "*.winston.sh"
+ ];
+ dnsProvider = "porkbun";
+ credentialsFile = config.age.secrets."lego/porkbun-credentials".path;
+ };
+ };
+}
diff --git a/config/default.nix b/config/default.nix
new file mode 100644
index 0000000..975edcc
--- /dev/null
+++ b/config/default.nix
@@ -0,0 +1,11 @@
+{
+ imports = [
+ ./games
+ ./secrets
+ ./services
+ ./acme.nix
+ ./network.nix
+ ./nix.nix
+ ./users.nix
+ ];
+}
diff --git a/config/games/default.nix b/config/games/default.nix
new file mode 100644
index 0000000..920e354
--- /dev/null
+++ b/config/games/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./valheim.nix
+ ];
+}
diff --git a/config/games/valheim.nix b/config/games/valheim.nix
new file mode 100644
index 0000000..634e01d
--- /dev/null
+++ b/config/games/valheim.nix
@@ -0,0 +1,20 @@
+{lib, ...}: {
+ nixpkgs.config.allowUnfreePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ "valheim-server"
+ "steamworks-sdk-redist"
+ ];
+
+ services.valheim = {
+ enable = true;
+ crossplay = true;
+ openFirewall = true;
+ password = "hunter2";
+ serverName = "Nixheim";
+ worldName = "Owoheim";
+ };
+
+ users.users.valheim = {
+ createHome = true;
+ };
+}
diff --git a/config/network.nix b/config/network.nix
new file mode 100644
index 0000000..1ea5310
--- /dev/null
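Review bot: `password = "hunter2";` in config/games/valheim.nix commits the server join password in plaintext, and because it is an ordinary module option the valheim-server module will presumably render it into a unit file or wrapper under /nix/store, which is readable by every local account as well as by anyone with access to this repository. With `openFirewall = true;` on the same block, that password is the only gate on a server reachable from the internet. Every other credential in this commit goes through agenix; if the valheim-server flake's module offers a file- or environment-file-based way to pass the password, register a new secret in config/secrets/secrets.nix and point that option at its `config.age.secrets.<name>.path` like the other services do, and rotate the password since it is already in history.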
+++ b/config/network.nix @@ -0,0 +1,11 @@ +{ + networking.firewall.enable = true; + services = { + fail2ban.enable = true; + openssh = { + enable = true; + ports = [1322]; + settings.PasswordAuthentication = false; + }; + }; +} diff --git a/config/nix.nix b/config/nix.nix new file mode 100644 index 0000000..5e60558 --- /dev/null +++ b/config/nix.nix @@ -0,0 +1,3 @@ +{ + nix.settings.experimental-features = ["nix-command" "flakes"]; +} diff --git a/config/secrets/.identities/yubikey5ci.txt b/config/secrets/.identities/yubikey5ci.txt new file mode 100644 index 0000000..3ddb7a1 --- /dev/null +++ b/config/secrets/.identities/yubikey5ci.txt @@ -0,0 +1,9 @@ +# Serial: 17700673, Slot: 1 +# Name: age identity 30be8d70 +# Created: Sun, 02 Jul 2023 11:06:17 +0000 +# PIN policy: Once (A PIN is required once per session, if set) +# Touch policy: Always (A physical touch is required for every decryption) +# Recipient: age1yubikey1qfkn095xth4ukxjye98ew4ul6xdkyz7sek0hd67yfjs5z6tv7q9jgnfchls +AGE-PLUGIN-YUBIKEY-1GYTSUQVZXZLG6UQYHVHNU + + diff --git a/config/secrets/containers/faerber.env.age b/config/secrets/containers/faerber.env.age new file mode 100644 index 0000000000000000000000000000000000000000..0234a9e954d2e424392476e04e147ddc07013049 GIT binary patch literal 564 zcmWm7OKZ~r007`oaA45m<^zPtbg-4!q)pQnhAwNHwQ18fO}eB}#I#A8SMzR~27EB| zB6t*!iU=MZ;z{%{a2`}fMN!Zp>^wc|K~VPnflnOBkZkq6i4$nHb;0%qsSp96i=gkT zkSwLMS)>5QdKypTU}mJCWhM-`q(0nG2An}`aB&8&MtrA6Ql{x<>KrWCgEbBXBA+4F zi#e7}Yq(KLssvkB-J~BejvHD+4)a;JolO!AJ%$fAM++e*oy9<^jy3u?i0e#As*x>3 zWIMXAl@P%o$y%V1nKt9O-J;}4k)4w3Wv{{jXij5OIGm^Yg$~tYc#C9d(~sRXMMYE- zS0jrXs${_l(Ej0-S`H^274gZw3ooev&%gYuf#yrW%1NVlMJ3k>#aQ9vUQ4S zRB0w@(d`yNjVoOQQ~Fwj@}*{TO}DfpEKy31@CdI=nJiF3hG-X)^tDgYV!OrKcZ=Kqu(22L@zXG0D>TJJYY>!XuHL76o`|S<0%sB za%rSqgM(7FLm|0!b*ziNfE&Ql@XzNTGpD}Hy*!xzOKjen4S%lgUA}R3XKP`OdUf;3 z;~8mEPt5;Itf>2UXWo9?-I{%B9GEBW{d#un{_B(H-(NfOVsraSd3yBw>Crjw&i>*z m?o<3``+>wvzkYxdtHJZzXQrFN-tR{b=iXgfSlQu^U;hvAhsZAg literal 0 HcmV?d00001 
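Review bot: `settings.PasswordAuthentication = false;` in config/network.nix does not by itself close the password path on NixOS, because sshd's keyboard-interactive (PAM) authentication is left at its default and can still prompt for a password; add `settings.KbdInteractiveAuthentication = false;` next to it. `PermitRootLogin` is also left at its default while config/users.nix in this same commit installs a key on root, so the intended root policy should be stated explicitly here, e.g. `settings.PermitRootLogin = "no";` (or `"prohibit-password"` if key-based root login is deliberate). Moving sshd to port 1322 only reduces noise; the key-only policy is what actually carries the security here.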
diff --git a/config/secrets/containers/ghcr-token.age b/config/secrets/containers/ghcr-token.age new file mode 100644 index 0000000..1229655 --- /dev/null +++ b/config/secrets/containers/ghcr-token.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 zj2A2A 1dnkWG8Ic+DVFRirpo9Hz8J1CbLW78igaa67ftcEEmw +9QI26X2BtxrUVio0D4PmV1BiR5GhF2lmGbFWFghUbgo +-> piv-p256 ML6NcA AoEmMFTu3hck1RApBe9jgTWYxM+U6Icum3P/cYjxtDHF +gbn+RbHuvjVnowcj2ut0/u7qU4t9fwu2bOnY3zzdeaM +-> %}]%Q(-grease 3 t^3 VxG \V{K%:pS +XVFJBwehSiw +--- zjRwouGqjn//jgr4Glva3Jx8jQo+TAGt2nMacZvT8Aw +k T6W۠oV-{&s4a\th#VJ +}}{?5Z+/ԙ \ No newline at end of file diff --git a/config/secrets/containers/pepperjack.env.age b/config/secrets/containers/pepperjack.env.age new file mode 100644 index 0000000000000000000000000000000000000000..1a3430781f445a48bf22234f110f257c95144918 GIT binary patch literal 483 zcmWm8J&V&|003YQPLPNv>VboTIXG~LF>TThvlPX?~sDqQ@Bxv2l4!XLCiUk)J!Re5@TXhq>`vuR_8$uGAvK=B3|sJ3o&50g@n+QSs+r*7^4EsE|=S0hpWqgjuBS2qw&%P{Ux%Mt;|ITQ@9(PK&$WvyyP0q6pPpxC2W#hoNAl$-ua^Ei zmM$fhzv_oiFT7ivpWb`%_wK`1X8Xo=du9G{@B5V{FyFba&Ymr1gH!4%dO2G^`VlA2 V?p$3xdaIm%J>R?bPk3|Y;6M1@t^EK1 literal 0 HcmV?d00001 diff --git a/config/secrets/default.nix b/config/secrets/default.nix new file mode 100644 index 0000000..f583c7b --- /dev/null +++ b/config/secrets/default.nix @@ -0,0 +1,7 @@ +{ + age.secrets = with builtins; + listToAttrs (map (k: { + name = substring 0 (stringLength k - 4) k; + value = {file = ./. + "/${k}";}; + }) (attrNames (import ./secrets.nix))); +} diff --git a/config/secrets/lego/porkbun-credentials.age b/config/secrets/lego/porkbun-credentials.age new file mode 100644 index 0000000..bda5fae --- /dev/null +++ b/config/secrets/lego/porkbun-credentials.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 zj2A2A F7giWWpkO4uib8YrTUUzjsiHBVEDF7Zr+l0r3PfXNWU +VRryBJU5hX8YJ9G2qadqwac5rQAsCOi2+zk/ZQC8AB4 +-> piv-p256 ML6NcA A9kB33XAGcnv5fE4DU8t80COVFcj1F52+/yqnKrhp6zb +CBN7fYeRzpV1mkSyySZ6yXcI0/TDmL0kW6f9i6G4+i0 +-> f5eV-grease 7a'rDO> `"f !a2 +98yuvIuXcXNbBHRIp+AqecZz0X0rjgTCerkwJR7VcnxtTwr66MTAwoeIv3LpVYT/ +8okBLxhmhhh57GJwMSJDI04UHubtl3dNQsZGDXVYp/xqK7GlhYob +--- hzqeb35v+5Go+1CqJU9yk+VfsZriQUKcswVqXF+Cxhw +ր 0f +G?$g3lZ%g PA<_w4T!q)B37V1G_s)sbG -wDMv%&ڿoGGί?Φ;B؆"Jp[]mC2@ېY@I1(3x=K)h/H8'z@b˫ \ No newline at end of file diff --git a/config/secrets/secrets.nix b/config/secrets/secrets.nix new file mode 100644 index 0000000..0d00d2f --- /dev/null +++ b/config/secrets/secrets.nix @@ -0,0 +1,13 @@ +let + users.winston = "age1yubikey1qfkn095xth4ukxjye98ew4ul6xdkyz7sek0hd67yfjs5z6tv7q9jgnfchls"; + systems.main-node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcY5fuyxK8rs3eocLuLnvSPDL6qcvq7oUdYrE+wLj0y"; + + default = [users.winston systems.main-node]; +in { + "containers/faerber.env.age".publicKeys = default; + "containers/pepperjack.env.age".publicKeys = default; + "containers/ghcr-token.age".publicKeys = default; + "lego/porkbun-credentials.age".publicKeys = default; + "services/invidious/config.json.age".publicKeys = default; + "services/invidious/password-database.age".publicKeys = default; +} diff --git a/config/secrets/services/invidious/config.json.age b/config/secrets/services/invidious/config.json.age new file mode 100644 index 0000000..abc122d --- /dev/null +++ b/config/secrets/services/invidious/config.json.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 zj2A2A uy090JTFBmjPc0j2Em0zNPcCHe9Seei2srS4Ee/SxA8 +PwovctZhzN5/qz/CBsbhZM24hR96nXBJP+kVgqTpU+A +-> piv-p256 ML6NcA AtNqkaYFpMfoN1rERuJ70sMvdYmJnE/Aaf+NYBzeIQ9M +FmDGncGbmWKx72XslOUvZEShtYoM4iuUhlHQqcD7hIc +-> pP3QG-grease |8 4 h gp4`[ +SUMev8xAjCCR/rqf +--- deAzSOQkmifm4lVq1rI4aFX6aizyIk1zeczOZ70NQB4 +ZL{| =vJKԊNHѺ>g y7]$o$apNBs7 \ No newline at end of file diff --git a/config/secrets/services/invidious/password-database.age b/config/secrets/services/invidious/password-database.age new file mode 100644 index 0000000..76d5d73 --- /dev/null +++ b/config/secrets/services/invidious/password-database.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 zj2A2A xD77WFTcXcFVc0eYiUO23mM6eUyzAq89Fqj6ZbnysC8 +dsf0iHniJD81xO1/5QyrMrbBTVA5Pp+EnzbRJnqNijQ +-> piv-p256 ML6NcA AqgOiVHO21MZ2VAmRhYZO7Kuwuv2RVT2MyGj2JTNZ4Ub +nvybVN766NUkoEgpfLlJdoMOIVsOY94tIhF+wHMESf0 +-> n-grease v5D,E1 Xs1 ; )apR +ZMbnYAWO9fyMXeZMChugD+kTbKcU+j3kyT+5lPfizhwc9LAn4Ql50Afc +--- 1HswhlIJWOU/Lj5jBUu8tNfw68a3MUgPb2pGy5dn0rI +,gҷȧ(}"tߓc[+W:gSWlƇ1a* !(6$ \ No newline at end of file diff --git a/config/services/containers.nix b/config/services/containers.nix new file mode 100644 index 0000000..116f261 --- /dev/null +++ b/config/services/containers.nix 
@@ -0,0 +1,45 @@
+{config, ...}: let
+ ghcrLogin = {
+ registry = "ghcr.io";
+ username = "nekowinston";
+ passwordFile = config.age.secrets."containers/ghcr-token".path;
+ };
+ websitePort = "14139";
+in {
+ virtualisation.oci-containers.containers = {
+ faerber-bot = {
+ image = "ghcr.io/nekowinston/faerber/faerber-discord-bot:latest";
+ environmentFiles = [
+ config.age.secrets."containers/faerber.env".path
+ ];
+ };
+
+ pepperjack = {
+ image = "docker.io/phasecorex/red-discordbot:latest";
+ environment = {
+ TOKEN = "~";
+ OWNER = "505490445468696576";
+ };
+ environmentFiles = [
+ config.age.secrets."containers/pepperjack.env".path
+ ];
+ volumes = [
+ "/srv/data-pepperjack:/data"
+ ];
+ };
+
+ website = {
+ image = "ghcr.io/nekowinston/winston.sh/winston-sh:latest";
+ login = ghcrLogin;
+ ports = ["127.0.0.1:${websitePort}:3000"];
+ };
+ };
+
+ services.nginx.virtualHosts."winston.sh" = {
+ locations."/".proxyPass = "http://127.0.0.1:${websitePort}";
+ forceSSL = true;
+
+ enableACME = false;
+ useACMEHost = "winston.sh";
+ };
+}
diff --git a/config/services/default.nix b/config/services/default.nix
new file mode 100644
index 0000000..edc90c8
--- /dev/null
+++ b/config/services/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./containers.nix
+ ./invidious.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/services/invidious.nix b/config/services/invidious.nix
new file mode 100644
index 0000000..cde014e
--- /dev/null
+++ b/config/services/invidious.nix
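Review bot: All three containers in config/services/containers.nix are pulled by the mutable `:latest` tag, so what actually runs on the host is whatever the registry serves at activation time and cannot be reproduced or audited from this commit; since faerber-bot and pepperjack receive bot tokens from the agenix environment files, a bad or malicious push to either image would run with those credentials. Pin each image by digest, e.g. `image = "docker.io/phasecorex/red-discordbot@sha256:<digest>";`, and bump deliberately, or at minimum pin a versioned tag. `TOKEN = "~";` on pepperjack reads like a placeholder; whether it or the value in the env file wins depends on the runtime's precedence between `-e` and `--env-file`, so either drop it or add a comment explaining why it is there.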
@@ -0,0 +1,35 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ services.invidious = {
+ enable = true;
+ package = pkgs.unstable.invidious;
+
+ database.passwordFile = config.age.secrets."services/invidious/password-database".path;
+ domain = "iv.winston.sh";
+ port = 3030;
+ nginx.enable = true;
+
+ settings = {
+ external_port = lib.mkForce 443;
+ popular_enabled = false;
+ statistics_enabled = false;
+ use_pubsub_feeds = true;
+ default_user_preferences = {
+ region = "US";
+ };
+ };
+ extraSettingsFile = config.age.secrets."services/invidious/config.json".path;
+ };
+
+ services.nginx.virtualHosts.${config.services.invidious.domain} = {
+ forceSSL = true;
+ enableACME = false;
+ useACMEHost = "winston.sh";
+ };
+
+ age.secrets."services/invidious/config.json".mode = "777";
+}
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
new file mode 100644
index 0000000..3f11d56
--- /dev/null
+++ b/config/services/nginx.nix
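Review bot: `age.secrets."services/invidious/config.json".mode = "777";` makes the decrypted Invidious settings file world-readable, world-writable and executable, so any local account or any other compromised service on the host can read or replace whatever secrets that JSON carries, which undoes the point of encrypting it with agenix. If this was chosen because the invidious unit runs under a dynamic user that cannot be named as `owner`, give the secret a dedicated group and read-only bits instead: `group = "invidious-secrets"; mode = "0440";` together with `users.groups.invidious-secrets = {};` and `systemd.services.invidious.serviceConfig.SupplementaryGroups = ["invidious-secrets"];`. Alternatively hand the file to the unit through systemd `LoadCredential` and point `extraSettingsFile` at the credential path, which needs no shared permissions at all; `database.passwordFile` a few lines above is left at agenix's default 0400 and is the pattern to copy.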
@@ -0,0 +1,38 @@
+{pkgs, ...}: {
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginxMainline;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
+ virtualHosts = {
+ "defaultDummy404" = {
+ default = true;
+ serverName = "_";
+ locations."/".extraConfig = "return 404;";
+ locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
+ };
+ "defaultDummy404ssl" = let
+ snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
+ mkdir "$out"
+ openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
+ '';
+ in {
+ default = true;
+ serverName = "_";
+ locations."/".extraConfig = "return 404;";
+ locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
+ # Dummy SSL config
+ onlySSL = true;
+ sslCertificate = "${snakeoilCert}/cert.pem";
+ sslCertificateKey = "${snakeoilCert}/cert.key";
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+ users.users.nginx.extraGroups = ["acme"];
+}
diff --git a/config/users.nix b/config/users.nix
new file mode 100644
index 0000000..52e3ca4
--- /dev/null
+++ b/config/users.nix
@@ -0,0 +1,18 @@
+{pkgs, ...}: {
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ users.users.winston = {
+ isNormalUser = true;
+ extraGroups = ["wheel"];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILm0O46zW/XfVOSwz0okRWYeOAg+wCVkCtCAoVTpZsOh"
+ ];
+ shell = pkgs.bashInteractive;
+ };
+ users.users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILm0O46zW/XfVOSwz0okRWYeOAg+wCVkCtCAoVTpZsOh"
+ ];
+ shell = pkgs.bashInteractive;
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..662841f
--- /dev/null
+++ b/flake.lock
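Review bot: `users.users.root.openssh.authorizedKeys.keys` in config/users.nix installs the very same key that `winston` (already in `wheel`) has, so every session can skip the named account and sudo, leaving no per-user trail and turning any leak of that one key straight into root. Remove the root entry and pair it with `services.openssh.settings.PermitRootLogin = "no";` in config/network.nix, keeping root reachable through `sudo` from wheel. If the root key exists because `winston` has no password to satisfy sudo (none is declared here and `users.mutableUsers` is left at its default), set a `hashedPassword` or `security.sudo.wheelNeedsPassword = false;` rather than exposing root over SSH.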
@@ -0,0 +1,290 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "home-manager": [], + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1684153753, + "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "db5637d10f797bb251b94ef9040b237f4702cde3", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "nixinate": { + 
"inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688141737, + "narHash": "sha256-qHrNMYWukOKmKVf6wXOGKj1xxUnOGjvTRbt/PLLXuBE=", + "owner": "matthewcroughan", + "repo": "nixinate", + "rev": "7902ae845e6cc5bd450e510cdf5e009a6e4a44d9", + "type": "github" + }, + "original": { + "owner": "matthewcroughan", + "repo": "nixinate", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1677676435, + "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1688188316, + "narHash": "sha256-CXuQllDKCxtZaB/umnZOvoJ/d4kJguYgffeTA9l1B3o=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "8277b539d371bf4308fc5097911aa58bfac1794f", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1688109178, + "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1681303793, + "narHash": "sha256-JEdQHsYuCfRL2PICHlOiH/2ue3DwoxUX7DJ6zZxZXFk=", + "owner": "NixOS", + "repo": "nixpkgs", + 
"rev": "fe2ecaf706a5907b5e54d979fbde4924d84b65fc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "gitignore": "gitignore", + "nixpkgs": "nixpkgs_3", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1682596858, + "narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "fb58866e20af98779017134319b5663b8215d912", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "nixinate": "nixinate", + "nixpkgs": "nixpkgs_2", + "nixpkgs-unstable": "nixpkgs-unstable", + "pre-commit-hooks": "pre-commit-hooks", + "valheim-server": "valheim-server" + } + }, + "steam-fetcher": { + "inputs": { + "flake-utils": [ + "valheim-server", + "flake-utils" + ], + "nixpkgs": [ + "valheim-server", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1686720327, + "narHash": "sha256-tXr09buKDKv81pnmcIwJ7eq2MaaU+4qfYrp6Mvb8buw=", + "owner": "nix-community", + "repo": "steam-fetcher", + "rev": "30964171f7c1711dc6edbe98f0839a40477a6f54", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "steam-fetcher", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "valheim-server": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "steam-fetcher": "steam-fetcher" + }, + "locked": { + "lastModified": 1686971068, + "narHash": 
"sha256-0EePXsNXJf+Ipt4AdWRbHbK2gSgLO9f6oeKUaugbUIk=", + "owner": "aidalgol", + "repo": "valheim-server-flake", + "rev": "8934c7fd73bf7cec262cc05fba92bb5e79ec195c", + "type": "github" + }, + "original": { + "owner": "aidalgol", + "repo": "valheim-server-flake", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..0a7d1aa --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,77 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.darwin.follows = "";
+ inputs.home-manager.follows = "";
+ };
+ valheim-server = {
+ url = "github:aidalgol/valheim-server-flake";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ nixinate = {
+ url = "github:matthewcroughan/nixinate";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
+ };
+
+ outputs = {
+ self,
+ nixpkgs,
+ ...
+ } @ inputs: let
+ system = "x86_64-linux";
+ overlays = final: prev: {
+ unstable = inputs.nixpkgs-unstable.legacyPackages.${prev.system};
+ };
+ in {
+ apps = inputs.nixinate.nixinate.${system} self;
+
+ nixosConfigurations.main-node = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ {
+ _module.args.nixinate = {
+ host = "main-node";
+ buildOn = "remote";
+ hermetic = false;
+ };
+ nixpkgs.overlays = [overlays];
+ }
+ ./hosts/main-node
+ ./config
+ inputs.agenix.nixosModules.default
+ inputs.valheim-server.nixosModules.default
+ ];
+ };
+
+ checks.${system}.pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
+ src = ./.;
+ hooks = {
+ alejandra.enable = true;
+ deadnix.enable = true;
+ shellcheck.enable = true;
+ stylua.enable = true;
+ };
+ settings.deadnix = {
+ noLambdaPatternNames = true;
+ noLambdaArg = true;
+ };
+ };
+
+ devShells.${system}.default = let
+ pkgs = nixpkgs.legacyPackages.${system};
+ in
+ pkgs.mkShell {
+ inherit (self.checks.${system}.pre-commit-check) shellHook;
+ buildInputs = [
+ inputs.agenix.packages.${system}.agenix
+ ];
+ };
+ };
+}
diff --git a/hosts/main-node/default.nix b/hosts/main-node/default.nix
new file mode 100644
index 0000000..34f0f67
--- /dev/null
+++ b/hosts/main-node/default.nix
@@ -0,0 +1,39 @@
+{pkgs, ...}: {
+ imports = [./hardware-configuration.nix];
+
+ boot = {
+ loader = {
+ grub.enable = true;
+ grub.device = "/dev/sda";
+ };
+ kernelPackages = pkgs.linuxPackages_latest;
+ };
+
+ networking = {
+ hostName = "main-node";
+ nameservers = [
+ "46.38.225.230"
+ "46.38.252.230"
+ "2a03:4000:0:1::e1e6"
+ "2a03:4000:8000::fce6"
+ ];
+ interfaces.ens3 = {
+ useDHCP = true;
+ ipv4.addresses = [
+ {
+ address = "188.68.44.196";
+ prefixLength = 32;
+ }
+ ];
+ };
+ };
+ time.timeZone = "Europe/Vienna";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/main-node/hardware-configuration.nix b/hosts/main-node/hardware-configuration.nix
new file mode 100644
index 0000000..cb9bfc1
--- /dev/null
+++ b/hosts/main-node/hardware-configuration.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
+ fsType = "btrfs";
+ options = ["subvol=root"];
+ };
+
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
+ fsType = "btrfs";
+ options = ["subvol=home"];
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ swapDevices = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ services.qemuGuest.enable = true;
+}