commit db321b49448867823a172a827820a2b16223eaac · ptr.pet/ark

+18 -10

flake.lock

···

       46
        
               ]

     

       47
        
             },

     

       48
        
             "locked": {

     

       49
       -
               "narHash": "sha256-s54wF24xA0vSjoEJ5/duD5XGr55JUtH4R71WiWgPyBk=",

     

       50
       -
               "type": "tarball",

     

       51
       -
               "url": "https://git.gaze.systems/dusk/website/archive/master.zip"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       52
        
             },

     

       53
        
             "original": {

     

       54
       -
               "type": "tarball",

     

       55
       -
               "url": "https://git.gaze.systems/dusk/website/archive/master.zip"

     

       56
        
             }

     

       57
        
           },

     

       58
        
           "crane": {

     
···

       761
        
               ]

     

       762
        
             },

     

       763
        
             "locked": {

     

       764
       -
               "narHash": "sha256-3PHw4aioOmhAPAL7PGbf/At0E+1rrENtRbLVkjLctxA=",

     

       765
       -
               "type": "tarball",

     

       766
       -
               "url": "https://git.gaze.systems/dusk/html.nix/archive/master.zip"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       767
        
             },

     

       768
        
             "original": {

     

       769
       -
               "type": "tarball",

     

       770
       -
               "url": "https://git.gaze.systems/dusk/html.nix/archive/master.zip"

     

       771
        
             }

     

       772
        
           },

     

       773
        
           "hyprland": {

···

       46
        
               ]

     

       47
        
             },

     

       48
        
             "locked": {

     

       49
       +
               "lastModified": 1660175414,

     

       50
       +
               "narHash": "sha256-x/Biv9kkFq4qHaxi9hU0Nl7E/3IlEVBJnxIge/ltgvA=",

     

       51
       +
               "ref": "refs/heads/master",

     

       52
       +
               "rev": "dc1b24e7521b1329f8f5ac93703e18649716cc70",

     

       53
       +
               "revCount": 58,

     

       54
       +
               "type": "git",

     

       55
       +
               "url": "https://git.gaze.systems/dusk/website.git"

     

       56
        
             },

     

       57
        
             "original": {

     

       58
       +
               "type": "git",

     

       59
       +
               "url": "https://git.gaze.systems/dusk/website.git"

     

       60
        
             }

     

       61
        
           },

     

       62
        
           "crane": {

     
···

       765
        
               ]

     

       766
        
             },

     

       767
        
             "locked": {

     

       768
       +
               "lastModified": 1659251276,

     

       769
       +
               "narHash": "sha256-rHhaPtyH1hBcZxd6nXxyg59wL6ilqJqsfuHh8Ebd+rA=",

     

       770
       +
               "ref": "refs/heads/master",

     

       771
       +
               "rev": "d30b07841100278a1d7901001ecec038c5448be2",

     

       772
       +
               "revCount": 50,

     

       773
       +
               "type": "git",

     

       774
       +
               "url": "https://git.gaze.systems/dusk/html.nix.git"

     

       775
        
             },

     

       776
        
             "original": {

     

       777
       +
               "type": "git",

     

       778
       +
               "url": "https://git.gaze.systems/dusk/html.nix.git"

     

       779
        
             }

     

       780
        
           },

     

       781
        
           "hyprland": {

+1 -1

flake.nix

···

       19
        
           hyprland.url = "github:hyprwm/Hyprland";

     

       20
        
           hyprland.inputs.nixpkgs.follows = "nixpkgs";

     

       21
        
           fufexan.url = "github:fufexan/dotfiles";

     

       22
       -
           blog.url = "https://git.gaze.systems/dusk/website/archive/master.zip";

     

       23
        
           blog.inputs.nixpkgs.follows = "nixpkgs";

     

       24
        
           bernbot.url = "github:yusdacra/bernbot";

     

       25
        
           bernbot.inputs.nixpkgs.follows = "nixpkgs";

···

       19
        
           hyprland.url = "github:hyprwm/Hyprland";

     

       20
        
           hyprland.inputs.nixpkgs.follows = "nixpkgs";

     

       21
        
           fufexan.url = "github:fufexan/dotfiles";

     

       22
       +
           blog.url = "git+https://git.gaze.systems/dusk/website.git";

     

       23
        
           blog.inputs.nixpkgs.follows = "nixpkgs";

     

       24
        
           bernbot.url = "github:yusdacra/bernbot";

     

       25
        
           bernbot.inputs.nixpkgs.follows = "nixpkgs";

+14

hosts/wolumonde/blog.nix

···

       1
       +
       {

     

       2
       +
         pkgs,

     

       3
       +
         inputs,

     

       4
       +
         ...

     

       5
       +
       }: {

     

       6
       +
         services.nginx.virtualHosts."gaze.systems" = {

     

       7
       +
           enableACME = true;

     

       8
       +
           forceSSL = true;

     

       9
       +
           root = "${inputs.blog.packages.${pkgs.system}.website}";

     

       10
       +
           locations."/".extraConfig = ''

     

       11
       +
             add_header cache-control max-age=1800;

     

       12
       +
           '';

     

       13
       +
         };

     

       14
       +
       }

+19 -74

hosts/wolumonde/default.nix

···

       4
        
         config,

     

       5
        
         lib,

     

       6
        
         ...

     

       7
       -
       }: let

     

       8
       -
         personal = import "${inputs.self}/personal.nix";

     

       9
       -
         email = personal.emails.short;

     

       10
       -
       in {

     

       11
       -
         imports = [

     

       12
       -
           ./hardware-configuration.nix

     

       13
       -
           ./bernbot.nix

     

       14
       -
         ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
       

     

       16
        
         boot.cleanTmpDir = true;

     

       17
        
         zramSwap.enable = true;

     

       18
        
       

     

       19
       -
         # ssh config

     

       20
       -
         services.fail2ban.enable = true;

     

       21
       -
         services.openssh = {

     

       22
       -
           enable = true;

     

       23
       -
           passwordAuthentication = false;

     

       24
       -
         };

     

       25
       -
         users.users.root.openssh.authorizedKeys.keys = [

     

       26
       -
           (builtins.readFile "${inputs.self}/secrets/ssh-key.pub")

     

       27
       -
         ];

     

       28
       -
       

     

       29
       -
         # nginx

     

       30
       -
         services.nginx = {

     

       31
       -
           enable = true;

     

       32
       -
           recommendedTlsSettings = true;

     

       33
       -
           recommendedOptimisation = true;

     

       34
       -
           recommendedGzipSettings = true;

     

       35
       -
           recommendedProxySettings = true;

     

       36
       -
           virtualHosts."gaze.systems" = {

     

       37
       -
             enableACME = true;

     

       38
       -
             forceSSL = true;

     

       39
       -
             root = "${inputs.blog.packages.${pkgs.system}.website}";

     

       40
       -
             locations."/".extraConfig = ''

     

       41
       -
               add_header cache-control max-age=1800;

     

       42
       -
             '';

     

       43
       -
           };

     

       44
       -
           virtualHosts."git.gaze.systems" = {

     

       45
       -
             enableACME = true;

     

       46
       -
             forceSSL = true;

     

       47
       -
             locations."/".proxyPass = "http://localhost:3001";

     

       48
       -
           };

     

       49
       -
         };

     

       50
       -
         security.acme = {

     

       51
       -
           acceptTerms = true;

     

       52
       -
           certs = {

     

       53
       -
             "gaze.systems".email = email;

     

       54
       -
             "git.gaze.systems".email = email;

     

       55
       -
           };

     

       56
       -
         };

     

       57
       -
       

     

       58
       -
         # gitea

     

       59
       -
         services.gitea = {

     

       60
       -
           enable = true;

     

       61
       -
           cookieSecure = true;

     

       62
       -
           disableRegistration = true;

     

       63
       -
           domain = "git.gaze.systems";

     

       64
       -
           rootUrl = "https://git.gaze.systems/";

     

       65
       -
           httpPort = 3001;

     

       66
       -
         };

     

       67
       -
       

     

       68
        
         # firewall stuffs

     

       69
        
         networking.firewall = {

     

       70
        
           enable = true;

     

       71
       -
           allowedTCPPorts = lib.flatten [

     

       72
       -
             [22 80 443]

     

       73
       -
             (

     

       74
       -
               lib.optional

     

       75
       -
               config.services.gitea.enable

     

       76
       -
               config.services.gitea.httpPort

     

       77
       -
             )

     

       78
       -
           ];

     

       79
        
           allowedUDPPortRanges = [];

     

       80
       -
         };

     

       81
       -
       

     

       82
       -
         # nixinate for deployment

     

       83
       -
         _module.args.nixinate = {

     

       84
       -
           host = "gaze.systems";

     

       85
       -
           sshUser = "root";

     

       86
       -
           buildOn = "local"; # valid args are "local" or "remote"

     

       87
       -
           substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"

     

       88
       -
           hermetic = true;

     

       89
        
         };

     

       90
        
       

     

       91
        
         system.stateVersion = "22.05";

···

       4
        
         config,

     

       5
        
         lib,

     

       6
        
         ...

     

       7
       +
       }: {

     

       8
       +
         imports = let

     

       9
       +
           files =

     

       10
       +
             lib.filterAttrs

     

       11
       +
             (name: type: type == "regular" && name != "default.nix")

     

       12
       +
             (builtins.readDir (toString ./.));

     

       13
       +
           filesToImport =

     

       14
       +
             builtins.map

     

       15
       +
             (

     

       16
       +
               name:

     

       17
       +
                 builtins.path {

     

       18
       +
                   inherit name;

     

       19
       +
                   path = "${toString ./.}/${name}";

     

       20
       +
                 }

     

       21
       +
             )

     

       22
       +
             (builtins.attrNames files);

     

       23
       +
         in

     

       24
       +
           filesToImport;

     

       25
        
       

     

       26
        
         boot.cleanTmpDir = true;

     

       27
        
         zramSwap.enable = true;

     

       28
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       29
        
         # firewall stuffs

     

       30
        
         networking.firewall = {

     

       31
        
           enable = true;

     

       32
       +
           allowedTCPPorts = [22 80 443];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       33
        
           allowedUDPPortRanges = [];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       34
        
         };

     

       35
        
       

     

       36
        
         system.stateVersion = "22.05";

+20

hosts/wolumonde/gitea.nix

···

       1
       +
       {config, ...}: {

     

       2
       +
         services.gitea = {

     

       3
       +
           enable = true;

     

       4
       +
           cookieSecure = true;

     

       5
       +
           disableRegistration = true;

     

       6
       +
           domain = "git.gaze.systems";

     

       7
       +
           rootUrl = "https://git.gaze.systems/";

     

       8
       +
           httpPort = 3001;

     

       9
       +
         };

     

       10
       +
       

     

       11
       +
         services.nginx.virtualHosts."git.gaze.systems" = {

     

       12
       +
           enableACME = true;

     

       13
       +
           forceSSL = true;

     

       14
       +
           locations."/".proxyPass = "http://localhost:3001";

     

       15
       +
         };

     

       16
       +
       

     

       17
       +
         networking.firewall.allowedTCPPorts = [

     

       18
       +
           config.services.gitea.httpPort

     

       19
       +
         ];

     

       20
       +
       }

+13

hosts/wolumonde/nginx.nix

···

       1
       +
       {inputs, ...}: {

     

       2
       +
         services.nginx = {

     

       3
       +
           enable = true;

     

       4
       +
           recommendedTlsSettings = true;

     

       5
       +
           recommendedOptimisation = true;

     

       6
       +
           recommendedGzipSettings = true;

     

       7
       +
           recommendedProxySettings = true;

     

       8
       +
         };

     

       9
       +
         security.acme = {

     

       10
       +
           acceptTerms = true;

     

       11
       +
           defaults.email = (import "${inputs.self}/personal.nix").emails.primary;

     

       12
       +
         };

     

       13
       +
       }

+9

hosts/wolumonde/nixinate.nix

···

       1
       +
       {...}: {

     

       2
       +
         _module.args.nixinate = {

     

       3
       +
           host = "gaze.systems";

     

       4
       +
           sshUser = "root";

     

       5
       +
           buildOn = "local"; # valid args are "local" or "remote"

     

       6
       +
           substituteOnTarget = true; # if buildOn is "local" then it will substitute on the target, "-s"

     

       7
       +
           hermetic = true;

     

       8
       +
         };

     

       9
       +
       }

+10

hosts/wolumonde/ssh.nix

···

       1
       +
       {inputs, ...}: {

     

       2
       +
         services.fail2ban.enable = true;

     

       3
       +
         services.openssh = {

     

       4
       +
           enable = true;

     

       5
       +
           passwordAuthentication = false;

     

       6
       +
         };

     

       7
       +
         users.users.root.openssh.authorizedKeys.keys = [

     

       8
       +
           (builtins.readFile "${inputs.self}/secrets/ssh-key.pub")

     

       9
       +
         ];

     

       10
       +
       }