From 61537d472206f5cc92e0039bde924deb33bd19ac Mon Sep 17 00:00:00 2001
From: Anthony Rodriguez
Date: Wed, 23 Oct 2024 18:04:37 +0200
Subject: [PATCH] hosts/anastacia: add VPS host, searx and forgejo
commit b761f7218b697da8f58e57faa5ffa90ccd72d35d
Author: Anthony Rodriguez
Date: Wed Oct 23 18:03:43 2024 +0200
system/services/searx: setup default search settings
commit c58816d17a2c26bcfe223fedb7fefc797c04e74a
Author: Anthony Rodriguez
Date: Wed Oct 23 17:38:06 2024 +0200
browsers/firefox: switch to my own searx
commit 006daa6ebc4c7d7ebe7a3f38397800518a2a1f90
Author: Anthony Rodriguez
Date: Wed Oct 23 17:35:17 2024 +0200
system/services/forgejo: enable on ipv4
commit 6c75a3644fdfc9815849d24214d71049b37b56ba
Author: Anthony Rodriguez
Date: Wed Oct 23 17:35:05 2024 +0200
system/services: add searx
commit d472424a4ea063db0655bf507c2e45937c6cfb60
Author: Anthony Rodriguez
Date: Wed Oct 23 13:22:36 2024 +0200
system/services: add forgejo
commit 43e754db72ce552be256a24463ab77056337429c
Author: Anthony Rodriguez
Date: Wed Oct 23 11:25:01 2024 +0200
hosts/anastacia: init with generated configuration
---
 flake.lock | 124 +++++++++++++++++----
 flake.nix | 2 +
 home/programs/browsers/firefox.nix | 6 +-
 hosts/anastacia/default.nix | 19 ++++
 hosts/anastacia/hardware-configuration.nix | 10 ++
 hosts/anastacia/networking.nix | 52 +++++++++
 hosts/default.nix | 8 ++
 nodes/default.nix | 14 +++
 system/services/forgejo.nix | 54 +++++++++
 system/services/searx.nix | 55 +++++++++
 10 files changed, 322 insertions(+), 22 deletions(-)
 create mode 100644 hosts/anastacia/default.nix
 create mode 100644 hosts/anastacia/hardware-configuration.nix
 create mode 100644 hosts/anastacia/networking.nix
 create mode 100644 nodes/default.nix
 create mode 100644 system/services/forgejo.nix
 create mode 100644 system/services/searx.nix
diff --git a/flake.lock b/flake.lock
index 55329f8..57ebe2b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -60,6 +60,26 @@ "type": "github" } }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat_2", + "nixpkgs": "nixpkgs_3", + "utils": "utils" + }, + "locked": { + "lastModified": 1727447169, + "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, "firefox-addons": { "inputs": { "flake-utils": "flake-utils", @@ -115,6 +135,22 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -207,7 +243,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1710146030, @@ -225,7 +261,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1710146030, @@ -243,7 +279,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_6" + "systems": "systems_7" }, "locked": { "lastModified": 1710146030, @@ -338,7 +374,7 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "flake-parts": "flake-parts_2", "flake-utils": "flake-utils_2", "nixpkgs": [ @@ -447,7 +483,7 @@ "flake-parts": "flake-parts_3", "niri-stable": "niri-stable", "niri-unstable": "niri-unstable", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixpkgs-stable": "nixpkgs-stable_2", "xwayland-satellite-stable": "xwayland-satellite-stable", "xwayland-satellite-unstable": "xwayland-satellite-unstable" 
@@ -636,16 +672,16 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1729256560, - "narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=", + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } @@ -667,6 +703,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1729256560, + "narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1726871744, "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=", @@ -682,7 +734,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1656753965, "narHash": "sha256-BCrB3l0qpJokOnIVc3g2lHiGhnjUi0MoXiw6t1o8H1E=", @@ -698,7 +750,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1726871744, "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=", @@ -736,7 +788,7 @@ "flake-utils": "flake-utils_3", "mnw": "mnw", "nil": "nil", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "nmd": "nmd", "plugin-alpha-nvim": "plugin-alpha-nvim", "plugin-bufdelete-nvim": "plugin-bufdelete-nvim", @@ -840,7 +892,7 @@ "plugin-vim-vsnip": "plugin-vim-vsnip", "plugin-which-key": "plugin-which-key", "rnix-lsp": "rnix-lsp", - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1728378979, 
@@ -2526,8 +2578,8 @@ "rnix-lsp": { "inputs": { "naersk": "naersk", - "nixpkgs": "nixpkgs_6", - "utils": "utils" + "nixpkgs": "nixpkgs_7", + "utils": "utils_2" }, "locked": { "lastModified": 1669555118, @@ -2547,16 +2599,17 @@ "inputs": { "ags": "ags", "basix": "basix", + "deploy-rs": "deploy-rs", "firefox-addons": "firefox-addons", "home-manager": "home-manager", "lanzaboote": "lanzaboote", "niri": "niri", "nix-index-db": "nix-index-db", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "nvf": "nvf", "plasma-manager": "plasma-manager", - "systems": "systems_5", + "systems": "systems_6", "treefmt-nix": "treefmt-nix", "wezterm": "wezterm" } @@ -2695,6 +2748,21 @@ } }, "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_6": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -2709,7 +2777,7 @@ "type": "github" } }, - "systems_6": { + "systems_7": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -2726,7 +2794,7 @@ }, "treefmt-nix": { "inputs": { - "nixpkgs": "nixpkgs_7" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1729242555, 
@@ -2743,6 +2811,24 @@
 }
 },
 "utils": {
+ "inputs": {
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1701680307,
+ "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "utils_2": {
 "locked": {
 "lastModified": 1656928814,
 "narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=",
diff --git a/flake.nix b/flake.nix
index 4a92ffc..7b73681 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,6 +22,7 @@
 formatter = eachSystem (pkgs: treefmtEval.${pkgs.system}.config.build.wrapper);
 nixosModules = import ./modules;
 nixosConfigurations = import ./hosts {inherit self inputs;};
+ deploy.nodes = import ./nodes {inherit self inputs;};
 };
 inputs = {
 # nix related
@@ -44,6 +45,7 @@
 # other
 ags.url = "github:Aylur/ags";
 basix.url = "github:notashelf/basix";
+ deploy-rs.url = "github:serokell/deploy-rs";
 firefox-addons = {
 url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/home/programs/browsers/firefox.nix b/home/programs/browsers/firefox.nix
index f4eaa5b..885a3f0 100644
--- a/home/programs/browsers/firefox.nix
+++ b/home/programs/browsers/firefox.nix
@@ -82,7 +82,7 @@ in {
 urls = [
 {
 rels = ["results"];
- template = "https://searx.tiekoetter.com/search";
+ template = "https://search.nezia.dev/search";
 params = [
 {
 name = "q";
@@ -92,7 +92,7 @@ in {
 }
 {
 rels = ["suggestions"];
- template = "https://searx.tiekoetter.com/autocompleter";
+ template = "https://search.nezia.dev/autocompleter";
 params = [
 {
 name = "q";
@@ -102,7 +102,7 @@ in {
 "type" = "application/x-suggestions+json";
 }
 ];
- iconUpdateURL = "https://searx.tiekoetter.com/favicon.ico";
+ iconUpdateURL = "https://search.nezia.dev/favicon.ico";
 updateInterval = 24 * 60 * 60 * 1000;
 definedAliases = ["@s"];
 };
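Review bot: `deploy-rs.url = "github:serokell/deploy-rs";` is added without an `inputs.nixpkgs.follows = "nixpkgs";`, unlike the `firefox-addons` entry three lines below it, so the lock file in this same patch now carries a separate `nixpkgs_3` for deploy-rs (pinned to December 2023, ref `nixpkgs-unstable`) plus a second `flake-compat` and a `utils` flake-utils used only by it. That second nixpkgs never moves when the main input is updated, so the deploy tooling is built from a tree the rest of the flake does not track. Write it in the same form as its neighbour, `deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; };`, and re-lock; the lock diff should then shrink to the deploy-rs node itself.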
diff --git a/hosts/anastacia/default.nix b/hosts/anastacia/default.nix
new file mode 100644
index 0000000..53778ef
--- /dev/null
+++ b/hosts/anastacia/default.nix
@@ -0,0 +1,19 @@
+{self, ...}: let
+ mod = "${self}/system";
+in {
+ imports = [
+ ./hardware-configuration.nix
+ ./networking.nix # generated at runtime by nixos-infect
+
+ "${mod}/services/forgejo.nix"
+ "${mod}/services/searx.nix"
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+ networking.hostName = "anastacia";
+ networking.domain = "";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzs7SQH0Vjt9JHoXXmWy9fPU1I3rrRWV5magZFrI5al''];
+ system.stateVersion = "23.11";
+}
diff --git a/hosts/anastacia/hardware-configuration.nix b/hosts/anastacia/hardware-configuration.nix
new file mode 100644
index 0000000..329ed8a
--- /dev/null
+++ b/hosts/anastacia/hardware-configuration.nix
@@ -0,0 +1,10 @@
+{modulesPath, ...}: {
+ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
+ boot.initrd.kernelModules = ["nvme"];
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+}
diff --git a/hosts/anastacia/networking.nix b/hosts/anastacia/networking.nix
new file mode 100644
index 0000000..6dcffe8
--- /dev/null
+++ b/hosts/anastacia/networking.nix
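Review bot: `services.openssh.enable = true;` together with the root `authorizedKeys.keys` entry makes a single key the intended way into this internet-facing host, but the hunk never pins the authentication methods, so password and keyboard-interactive authentication stay at the NixOS module defaults (enabled) on the exposed sshd. Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line so the listed key is the only accepted credential. `networking.domain = "";` is a leftover placeholder from the generator; give it a real value or drop the line so the option keeps its default rather than an empty string.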
@@ -0,0 +1,52 @@
+{lib, ...}: {
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers = [
+ "8.8.8.8"
+ ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ {
+ address = "78.47.146.254";
+ prefixLength = 32;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2a01:4f8:1c1c:8495::1";
+ prefixLength = 64;
+ }
+ {
+ address = "fe80::9400:3ff:fecb:6deb";
+ prefixLength = 64;
+ }
+ ];
+ ipv4.routes = [
+ {
+ address = "172.31.1.1";
+ prefixLength = 32;
+ }
+ ];
+ ipv6.routes = [
+ {
+ address = "fe80::1";
+ prefixLength = 128;
+ }
+ ];
+ };
+ };
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:03:cb:6d:eb", NAME="eth0"
+
+ '';
+}
diff --git a/hosts/default.nix b/hosts/default.nix
index e2b4ddd..6433749 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -28,4 +28,12 @@ in {
 self.nixosModules.theme
 ];
 };
+
+ anastacia = nixosSystem {
+ system = "x86_64-linux";
+ inherit specialArgs;
+ modules = [
+ ./anastacia
+ ];
+ };
 }
diff --git a/nodes/default.nix b/nodes/default.nix
new file mode 100644
index 0000000..8ed1e95
--- /dev/null
+++ b/nodes/default.nix
@@ -0,0 +1,14 @@
+{
+ self,
+ inputs,
+ ...
+}: {
+ anastacia = {
+ hostname = "2a01:4f8:1c1c:8495::1";
+ profiles.system = {
+ sshUser = "root";
+ user = "root";
+ path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.anastacia;
+ };
+ };
+}
diff --git a/system/services/forgejo.nix b/system/services/forgejo.nix
new file mode 100644
index 0000000..fca61b0
--- /dev/null
+++ b/system/services/forgejo.nix
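Review bot: In nodes/default.nix, `hostname = "2a01:4f8:1c1c:8495::1";` repeats the address that networking.nix in this same patch already declares under `ipv6.addresses`, so a re-addressed VPS has to be fixed in two places and a stale deploy target silently points at whatever now holds that address. Since the node already evaluates `self.nixosConfigurations.anastacia`, the address can be read from it, e.g. `hostname = (builtins.head self.nixosConfigurations.anastacia.config.networking.interfaces.eth0.ipv6.addresses).address;`, or the node can target a DNS name that the host's configuration owns. A short comment above the node saying that deploys go to root over SSH with the key from hosts/anastacia/default.nix would also help, because `sshUser = "root"` is the only hint of that here.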
@@ -0,0 +1,54 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ srv = config.services.forgejo.settings.server;
+in {
+ services = {
+ forgejo = {
+ enable = true;
+ package = pkgs.forgejo;
+ lfs.enable = true;
+ database.type = "postgres";
+ dump = {
+ enable = true;
+ type = "tar.xz";
+ };
+ settings = {
+ server = {
+ DOMAIN = "git.nezia.dev";
+ HTTP_PORT = 1849;
+ ROOT_URL = "https://${srv.DOMAIN}/";
+ HTTP_ADDR = "localhost";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ federation = {
+ ENABLED = true;
+ };
+ };
+ };
+
+ caddy = {
+ enable = true;
+ virtualHosts."git.nezia.dev".extraConfig = ''
+ reverse_proxy * localhost:${toString srv.HTTP_PORT}
+ '';
+ };
+ };
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [80 443];
+
+ # If you're using nftables (default in newer NixOS)
+ extraForwardRules = ''
+ ip6 saddr { ::/0 } accept
+ '';
+ };
+
+ # Ensure IPv6 is enabled
+ networking.enableIPv6 = true;
+}
diff --git a/system/services/searx.nix b/system/services/searx.nix
new file mode 100644
index 0000000..19ef833
--- /dev/null
+++ b/system/services/searx.nix
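Review bot: `extraForwardRules = '' ip6 saddr { ::/0 } accept '';` adds an unconditional accept for every IPv6 source to the nftables forward chain, which is unrelated to reaching Forgejo: inbound traffic to Caddy is already admitted by `allowedTCPPorts = [80 443];`, and the forward chain only matters once this host routes for something else (containers, a VPN), at which point this rule would pass all IPv6 through unfiltered. Drop the `extraForwardRules` block together with its "If you're using nftables" comment; `networking.firewall.enable = true;` and `networking.enableIPv6 = true;` restate NixOS defaults and can go as well. The commit subject "enable on ipv4" does not describe what the rule does, which suggests it was copied in while debugging reachability rather than chosen deliberately.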
@@ -0,0 +1,55 @@
+{pkgs, ...}: {
+ services = {
+ searx = {
+ enable = true;
+ package = pkgs.searxng;
+ settings = {
+ search = {
+ safe_search = 1; # 0 = None, 1 = Moderate, 2 = Strict
+ autocomplete = "google"; # Existing autocomplete backends: "dbpedia", "duckduckgo", "google", "startpage", "swisscows", "qwant", "wikipedia" - leave blank to turn it off by default
+ default_lang = "en";
+ };
+ server = {
+ secret_key = "TODO_USE_SOPS_INSTEAD";
+ port = 8888; # Internal port
+ bind_address = "localhost"; # Only listen locally
+ base_url = "https://search.nezia.dev/";
+ image_proxy = true;
+ default_http_headers = {
+ X-Content-Type-Options = "nosniff";
+ X-XSS-Protection = "1; mode=block";
+ X-Download-Options = "noopen";
+ X-Robots-Tag = "noindex, nofollow";
+ Referrer-Policy = "no-referrer";
+ };
+ };
+ engines = [
+ {
+ name = "qwant";
+ disabled = true;
+ }
+ ];
+ };
+ };
+
+ caddy = {
+ enable = true;
+ virtualHosts."search.nezia.dev" = {
+ extraConfig = ''
+ encode gzip
+ reverse_proxy localhost:8888 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_addr}
+ header_up X-Forwarded-For {remote_addr}
+ header_up X-Forwarded-Proto {scheme}
+ }
+ '';
+ };
+ };
+ };
+
+ # Open required ports
+ networking.firewall = {
+ allowedTCPPorts = [80 443]; # For Caddy
+ };
+}
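Review bot: `secret_key = "TODO_USE_SOPS_INSTEAD";` commits a fixed, guessable SearXNG secret to the repository, and because `services.searx.settings` is rendered to a file in the Nix store, any literal placed here is also world-readable on the host. The module provides `services.searx.environmentFile` and substitutes `@VARIABLE@` references in settings from it, so the line can become `secret_key = "@SEARXNG_SECRET_KEY@";` with that variable defined in an environment file kept out of the store (sops-nix, as the placeholder already suggests, or a root-only file). The `X-XSS-Protection` header is deprecated and ignored by current browsers, so it can be dropped in favour of the other headers already set; `port = 8888` is also duplicated in the Caddy `reverse_proxy localhost:8888` line and would be safer referenced from `config.services.searx.settings.server.port` as forgejo.nix does for its port.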