From 592faafe86ae4c780f4c3f1cef9ec5a858aa9bc0 Mon Sep 17 00:00:00 2001
From: Christoph Hollizeck
Date: Tue, 28 Oct 2025 11:26:01 +0100
Subject: [PATCH] loptland: babysteps
---
 modules/desktop/niri.nix | 3 +-
 modules/hosts/loptland/default.nix | 66 ++++++++++++++++++++++++-
 modules/hosts/loptland/hardware.nix | 55 +++++++++++++++++++++
 modules/hosts/loptland/nginx.nix | 76 +++++++++++++++++++++++++++++
 modules/server/acme.nix | 8 +-
 modules/users/cholli/default.nix | 1 +
 6 files changed, 202 insertions(+), 7 deletions(-)
 create mode 100644 modules/hosts/loptland/hardware.nix
 create mode 100644 modules/hosts/loptland/nginx.nix
diff --git a/modules/desktop/niri.nix b/modules/desktop/niri.nix
index d6efbbe..c7fec4b 100644
--- a/modules/desktop/niri.nix
+++ b/modules/desktop/niri.nix
@@ -28,7 +28,8 @@
 ...
 }:
 {
- config = lib.mkIf osConfig.programs.niri.enable {
+
+ config = lib.mkIf (osConfig.networking.hostName == "yggdrasil") {
 programs.niri.settings = {
 input = {
 keyboard = {
diff --git a/modules/hosts/loptland/default.nix b/modules/hosts/loptland/default.nix
index 1ef31a6..48a97e8 100644
--- a/modules/hosts/loptland/default.nix
+++ b/modules/hosts/loptland/default.nix
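Review bot: Switching the guard from `osConfig.programs.niri.enable` to `osConfig.networking.hostName == "yggdrasil"` ties this home-manager module to one host name: the settings are still evaluated on yggdrasil when niri is turned off there and never on another host that enables niri. Presumably the aim is to keep it from applying on the new loptland host, which the program flag already does as long as loptland does not enable niri; if the host pin is wanted anyway, keeping both conditions preserves the original meaning: `config = lib.mkIf (osConfig.programs.niri.enable && osConfig.networking.hostName == "yggdrasil") {`. The added empty line above `config` looks unintentional. The settings attribute set continues outside the hunk.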
@@ -5,7 +5,69 @@
 let
 in
 {
- flake.modules.nixos."hosts/loptland" = {
+ flake.modules.nixos."hosts/loptland" =
+ {
+ inputs,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+ }:
+ let
+ sopsFile = ../../../secrets/secrets-loptland.yaml;
- };
+ in
+ {
+ nixpkgs.config.allowUnfree = true;
+ services.qemuGuest.enable = true;
+
+ imports =
+ with config.flake.modules.nixos;
+ [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ inputs.catppuccin.nixosModules.catppuccin
+
+ # System modules
+ base
+ server
+ dev
+
+ # apps
+
+ # Users
+ cholli
+ ]
+ ++ [
+ {
+ home-manager.users.cholli = {
+ imports = with config.flake.modules.homeManager; [
+ inputs.catppuccin.homeModules.catppuccin
+
+ # components
+ base
+ dev
+
+ # Activate all user based config
+ cholli
+ ];
+ };
+ }
+
+ ];
+
+ sops = {
+ secrets = {
+ "forgejo/db/password" = {
+ inherit sopsFile;
+ };
+ "forgejo/mail/password" = {
+ inherit sopsFile;
+ };
+ "forgejo/mail/passwordHash" = {
+ inherit sopsFile;
+ };
+ };
+ };
+
+ };
 }
diff --git a/modules/hosts/loptland/hardware.nix b/modules/hosts/loptland/hardware.nix
new file mode 100644
index 0000000..fa5e7d1
--- /dev/null
+++ b/modules/hosts/loptland/hardware.nix
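Review bot: The three `sops.secrets."forgejo/…"` entries set only `sopsFile`, so sops-nix will install them with its defaults (root-owned, mode 0400 as far as I recall), while nothing in this hunk consumes their `.path` yet; whichever Forgejo configuration picks them up later must either read them as root or these declarations need an `owner`, and since the inner module deliberately leaves `config` unbound (binding it would shadow the flake-parts `config` used by `with config.flake.modules.nixos`), setting `owner = config.services.forgejo.user` would need the `topLevel:` capture that acme.nix uses. A comment on the `imports` line, e.g. `# config here is the flake-parts config, not the NixOS one`, would make that shadowing hazard visible. The empty `# apps` section reads as a placeholder and could be dropped until something fills it.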
@@ -0,0 +1,55 @@
+{
+ config,
+ ...
+}:
+let
+in
+{
+ flake.modules.nixos."hosts/loptland" =
+ {
+ inputs,
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "sr_mod"
+ "virtio_blk"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/26b098dd-0a15-49c5-9998-75f43d17eb26";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/30AB-7309";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
+ ];
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-uuid/b9bcb425-cb1c-40a1-89bb-d7fe6b421834"; } ];
+
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ };
+
+}
diff --git a/modules/hosts/loptland/nginx.nix b/modules/hosts/loptland/nginx.nix
new file mode 100644
index 0000000..9f374ed
--- /dev/null
+++ b/modules/hosts/loptland/nginx.nix
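Review bot: The `let in` below the file header binds nothing and the `{ config, ... }:` argument above it is unused, so both are leftover scaffolding; the file can open with `{ flake.modules.nixos."hosts/loptland" = …` as nginx.nix does. The `boot.initrd.availableKernelModules` list looks like `nixos-generate-config` output and presumably overlaps with `profiles/qemu-guest.nix`, which default.nix imports; list options merge, so this is harmless, but the duplicate entries could be trimmed. `kernelPackages = pkgs.linuxPackages_latest` on a server deserves a one-line comment on why the default kernel is not used.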
@@ -0,0 +1,76 @@
+{
+ flake.modules.nixos."hosts/loptland" =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ let
+ domainName = "christophhollizeck.dev";
+ forgejoPort = 3000;
+ hydraPort = 2000;
+ in
+ {
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ "git.${domainName}" = {
+ forceSSL = true;
+ useACMEHost = domainName;
+
+ locations."/" = {
+ extraConfig = ''
+ client_max_body_size 200M;
+ '';
+ proxyPass = "http://localhost:${toString forgejoPort}/";
+ };
+ };
+
+ "hydra.${domainName}" = lib.mkIf config.services.hydra.enable {
+ forceSSL = true;
+ useACMEHost = domainName;
+
+ locations."/" = {
+ proxyPass = "http://localhost:${toString hydraPort}/";
+ };
+ };
+
+ "ha.${domainName}" = {
+ forceSSL = true;
+ useACMEHost = domainName;
+
+ locations."/" = {
+ # tailscale ip
+ extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ '';
+ proxyPass = "http://100.86.23.74:8123";
+ };
+ };
+
+ "nixcache.${domainName}" = lib.mkIf config.services.nix-serve.enable {
+ forceSSL = true;
+ useACMEHost = domainName;
+
+ locations."/" = {
+ proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+ };
+ };
+
+ "_" = {
+ forceSSL = true;
+ useACMEHost = domainName;
+
+ locations."/" = {
+ proxyPass = "https://${domainName}";
+ };
+ };
+ };
+ };
+
+ };
+}
diff --git a/modules/server/acme.nix b/modules/server/acme.nix
index 23b47fa..2c63600 100644
--- a/modules/server/acme.nix
+++ b/modules/server/acme.nix
@@ -1,4 +1,4 @@
-{
+topLevel: {
 flake.modules.nixos.server =
 {
 config,
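Review bot: The `"_"` virtual host is written as a catch-all but has no `default = true`, and `server_name _` never matches a real Host header, so requests for unknown or missing hosts are served by whichever `server` block nginx emits first rather than by this one. Once it is the default server, proxying those requests to `https://${domainName}` forwards an arbitrary client-chosen Host header upstream (`recommendedProxySettings` passes `Host $host`) and, if the bare domain resolves to this machine and no other module defines a vhost for it, the request loops back into `_`. A redirect is the safer catch-all: `"_" = { default = true; forceSSL = true; useACMEHost = domainName; globalRedirect = domainName; };`. The hand-written `Upgrade`/`Connection` headers on `ha.${domainName}` are what `locations."/".proxyWebsockets = true;` sets, which also avoids repeating nginx boilerplate; the `# tailscale ip` comment would be more useful naming the peer than the fact.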
@@ -41,10 +41,10 @@
 security.acme = {
 acceptTerms = true;
 defaults = {
- inherit (config.flake.meta.users.cholli) email;
+ inherit (topLevel.config.flake.meta.users.cholli) email;
- group = lib.optional config.services.nginx.enable "nginx";
- reloadServices = lib.optional config.services.nginx.enable "nginx.service";
+ group = lib.mkIf config.services.nginx.enable "nginx";
+ reloadServices = lib.mkIf config.services.nginx.enable "nginx.service";
 dnsProvider = "netcup";
 environmentFile = config.sops.templates."netcup.env".path;
diff --git a/modules/users/cholli/default.nix b/modules/users/cholli/default.nix
index 5e3a14d..2299d9e 100644
--- a/modules/users/cholli/default.nix
+++ b/modules/users/cholli/default.nix
@@ -14,6 +14,7 @@
 authorizedKeys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFrDiO5+vMfD5MimkzN32iw3MnSMLZ0mHvOrHVVmLD0"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4Pr7p0jizrvIl0UhcvrmL5SHRQQQWIcHLAnRFyUZS6"
 ];
 };
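Review bot: Two different `config` values now meet in this module — `topLevel.config.flake.meta.users.cholli` is the flake-parts config, while `config.services.nginx.enable` and `config.sops.templates` are the NixOS config — and nothing says so; a comment next to the `topLevel:` capture at the top of the file, e.g. `# topLevel.config is the flake-parts config; the inner config is the NixOS one`, would keep the next reader from folding the two together. The switch from `lib.optional` to `lib.mkIf` is the right fix for `group`, which is a string option and was being handed a one-element list, and is equivalent for `reloadServices`. The `defaults` block continues outside the hunk.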