From d07ba813bfb69423a6d3e57470abfa36a6e3c7b3 Mon Sep 17 00:00:00 2001
From: foehammer127
Date: Sun, 26 Jan 2025 18:49:45 -0600
Subject: [PATCH] Initial Commit
---
 .gitignore | 5 +++
 LICENSE | 21 ++++++++++
 nixos/common/caddy.nix | 17 ++++++++
 nixos/common/nix.nix | 26 ++++++++++++
 nixos/common/nixos.nix | 32 +++++++++++++++
 nixos/common/services/vaultwarden.nix | 48 ++++++++++++++++++++++
 nixos/flake.lock | 58 +++++++++++++++++++++++++++
 nixos/flake.nix | 41 +++++++++++++++++++
 nixos/keys/foehammer.nix | 5 +++
 nixos/lib/default.nix | 4 ++
 nixos/lib/keys.nix | 28 +++++++++++++
 nixos/lib/packages.nix | 28 +++++++++++++
 nixos/lib/utils.nix | 26 ++++++++++++
 nixos/packages/gpodder/default.nix | 21 ++++++++++
 14 files changed, 360 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 LICENSE
 create mode 100644 nixos/common/caddy.nix
 create mode 100644 nixos/common/nix.nix
 create mode 100644 nixos/common/nixos.nix
 create mode 100644 nixos/common/services/vaultwarden.nix
 create mode 100644 nixos/flake.lock
 create mode 100644 nixos/flake.nix
 create mode 100644 nixos/keys/foehammer.nix
 create mode 100644 nixos/lib/default.nix
 create mode 100644 nixos/lib/keys.nix
 create mode 100644 nixos/lib/packages.nix
 create mode 100644 nixos/lib/utils.nix
 create mode 100644 nixos/packages/gpodder/default.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..09bd556
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+# direnv:
+.direnv/
+
+# result:
+result/
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..62ddedb
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Lorenzo Good
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/nixos/common/caddy.nix b/nixos/common/caddy.nix
new file mode 100644
index 0000000..1e7130b
--- /dev/null
+++ b/nixos/common/caddy.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ lib,
+}: let
+ inherit (lib) mkIf mkEnableOption;
+ cfg = config.foehammer.caddy;
+in {
+ options.foehammer.caddy.enable = mkEnableOption "Enable caddy with default configuration.";
+ config = mkIf cfg.enable {
+ services.caddy = {
+ enable = true;
+ email = "foehammer127+acme@gmail.com";
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+ };
+}
diff --git a/nixos/common/nix.nix b/nixos/common/nix.nix
new file mode 100644
index 0000000..d1e5a04
--- /dev/null
+++ b/nixos/common/nix.nix
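Review bot: `mkEnableOption "Enable caddy with default configuration."` produces the option description "Whether to enable Enable caddy with default configuration..", because mkEnableOption already prefixes "Whether to enable" and appends its own period; the argument should be a noun phrase, `mkEnableOption "caddy with the default configuration"`. The same applies to `mkEnableOption "Enable Vaultwarden Server"` in nixos/common/services/vaultwarden.nix further down in this patch. A one-line comment on the `allowedTCPPorts` line noting that it opens 80/443 on every interface whenever the option is enabled would also help readers of the host configs that import this module.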
@@ -0,0 +1,26 @@
+{...}: {
+ nix = {
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+
+ settings = {
+ experimental-features = [
+ "auto-allocate-uids"
+ "flakes"
+ "nix-command"
+ ];
+
+ trusted-users = ["root" "@wheel"];
+
+ substituters = ["https://cache.nixos.org" "https://cache.garnix.io"];
+ trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="];
+ };
+ };
+}
diff --git a/nixos/common/nixos.nix b/nixos/common/nixos.nix
new file mode 100644
index 0000000..6ee5147
--- /dev/null
+++ b/nixos/common/nixos.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ lib,
+ pkgs,
+}: let
+ inherit (lib) mkIf;
+in {
+ config = {
+ users.mutableUsers = false;
+
+ environment.systemPackages = with pkgs; [neovim git];
+
+ networking = {
+ firewall = {
+ enable = true;
+ };
+
+ nameservers = ["1.1.1.1" "8.8.8.8"];
+ # If using dhcpcd:
+ dhcpcd.extraConfig = mkIf config.networking.dhcpcd.enable "nohook resolv.conf";
+ # If using NetworkManager:
+ networkmanager.dns = mkIf config.networking.networkmanager.enable "none";
+ };
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ };
+ };
+ };
+}
diff --git a/nixos/common/services/vaultwarden.nix b/nixos/common/services/vaultwarden.nix
new file mode 100644
index 0000000..1c0d5b4
--- /dev/null
+++ b/nixos/common/services/vaultwarden.nix
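Review bot: `trusted-users = ["root" "@wheel"]` lets every wheel member hand the nix daemon arbitrary settings (extra substituters, trusted public keys, sandbox paths), which is effectively root on the host, so it deserves either a deliberate per-host opt-in or a comment stating that wheel is trusted on purpose; if the goal is only to let wheel users consume the two configured caches, the daemon already serves them without trusted-users. Separately, `experimental-features` is set twice in this hunk, once through `extraOptions` and once through `settings.experimental-features`; the `extraOptions` block can be dropped since the settings list already contains nix-command and flakes.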
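Review bot: `PasswordAuthentication = false` does not by itself close password logins in nixos/common/nixos.nix, because NixOS leaves `KbdInteractiveAuthentication` enabled by default and PAM keyboard-interactive still prompts for the account password; add `KbdInteractiveAuthentication = false;` beside it so only public keys are accepted. With `users.mutableUsers = false` also set, key material must be provisioned declaratively before the first deploy or the host is unreachable, which is worth a comment on that line such as `# passwords/keys come only from the config; set authorizedKeys before deploying`.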
@@ -0,0 +1,48 @@
+{
+ config,
+ lib,
+ pkgs,
+}: let
+ inherit (lib) mkEnableOption mkIf mkOption;
+
+ cfg = config.foehammer.services.vaultwarden;
+in {
+ options.foehammer.services.vaultwarden = {
+ enable = mkEnableOption "Enable Vaultwarden Server";
+
+ port = mkOption {
+ type = lib.types.port;
+ default = 8222;
+ description = ''
+ What external port to serve over.
+ '';
+ };
+
+ signups = mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ envPath = mkOption {
+ type = lib.types.port;
+ };
+
+ domain = mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config.services.vaultwarden = mkIf cfg.enable {
+ enable = true;
+
+ config = {
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = cfg.port;
+ DOMAIN = cfg.domain;
+ ROCKET_LOG = "critical";
+ SIGNUPS_ALLOWED = cfg.signups;
+ };
+
+ environmentFile = cfg.envPath;
+ };
+}
diff --git a/nixos/flake.lock b/nixos/flake.lock
new file mode 100644
index 0000000..7cd45d6
--- /dev/null
+++ b/nixos/flake.lock
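Review bot: `envPath` is declared with `type = lib.types.port;` but its value is handed to `environmentFile = cfg.envPath;`, so any real path fails the option type check and the module cannot be used as written; declare it as `type = lib.types.nullOr lib.types.path; default = null;` (which is what the upstream environmentFile option accepts, as far as I recall) and document that callers should pass an absolute string outside the Nix store, since the file is where secrets such as the admin token belong and a `./` path literal would be copied into the world-readable store. `signups`, `envPath` and `domain` carry no `description`, and the `port` description says "external" although `ROCKET_ADDRESS = "127.0.0.1"` binds loopback only, so something like `Local port Vaultwarden listens on; expose it through a reverse proxy.` is more accurate.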
@@ -0,0 +1,58 @@ +{ + "nodes": { + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1737672001, + "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1735774519, + "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + } + }, + "root": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nixos/flake.nix b/nixos/flake.nix new file mode 100644 index 0000000..a8c6397 --- /dev/null +++ b/nixos/flake.nix 
@@ -0,0 +1,41 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+
+ flake-parts.url = "github:hercules-ci/flake-parts";
+ };
+
+ outputs = inputs @ {self, ...}:
+ inputs.flake-parts.lib.mkFlake {inherit inputs;} (toplevel @ {withSystem, ...}: {
+ systems = ["aarch64-darwin" "aarch64-linux" "x86_64-linux"];
+
+ perSystem = {
+ config,
+ self',
+ inputs',
+ pkgs,
+ system,
+ ...
+ }: {
+ _module.args.pkgs = import inputs.nixpkgs {
+ localSystem = system;
+ config = {
+ allowUnfree = true;
+ allowAliases = true;
+ };
+ overlays = [self.overlays.default];
+ };
+
+ packages = import ./lib/packages.nix pkgs;
+ };
+
+ flake = {
+ lib = import ./lib;
+ overlays.default = final: prev: (import ./lib/packages.nix prev);
+
+ nixosModules.default = {...}: {
+ imports = self.lib.utils.findNixFiles ./nixos;
+ };
+ };
+ });
+}
diff --git a/nixos/keys/foehammer.nix b/nixos/keys/foehammer.nix
new file mode 100644
index 0000000..56f42e2
--- /dev/null
+++ b/nixos/keys/foehammer.nix
@@ -0,0 +1,5 @@
+{
+ leni = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8KV91FpgTjTySEvM1Wj3eDrM8PpVZ6qoOHyAvDOdIj foehammer@euclid";
+
+ yubikey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtCcKS1jN/WSb4Ggvpz11pkUdE4kMgrN0xwptXLgSBX openpgp:0x79EFAC41";
+}
diff --git a/nixos/lib/default.nix b/nixos/lib/default.nix
new file mode 100644
index 0000000..b7360c1
--- /dev/null
+++ b/nixos/lib/default.nix
@@ -0,0 +1,4 @@
+{
+ utils = import ./utils.nix;
+ getSSHKeys = (import ./keys.nix).getSSHKeys;
+}
diff --git a/nixos/lib/keys.nix b/nixos/lib/keys.nix
new file mode 100644
index 0000000..35df1f1
--- /dev/null
+++ b/nixos/lib/keys.nix
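Review bot: `imports = self.lib.utils.findNixFiles ./nixos;` resolves relative to nixos/flake.nix, i.e. to nixos/nixos, and no such directory appears in this commit's diffstat, so evaluating nixosModules.default should fail inside readDir; the modules added here live under ./common, so this presumably wants `imports = self.lib.utils.findNixFiles ./common;`. Keeping it narrowed to ./common also matters because findNixFiles recurses into every subdirectory: pointing it at the flake root would pull nixos/keys, nixos/lib and nixos/packages into the module list, none of which are NixOS modules.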
@@ -0,0 +1,28 @@
+rec {
+ getSSHKeys = name: (getKeySets ../keys)."${name}";
+
+ getKeySets = dir: let
+ entries = builtins.readDir dir;
+
+ procEntry = name: type: let
+ path = dir + "/${name}";
+ in
+ if type == "regular"
+ then [
+ {
+ name = getName name;
+ value = builtins.attrValues (import path);
+ }
+ ]
+ else [];
+ in
+ builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs procEntry entries)));
+
+ getName = filename: let
+ parts = builtins.split "\\." filename;
+ base = builtins.head (builtins.split "\\." filename);
+ in
+ if builtins.length parts == 1
+ then filename
+ else base;
+}
diff --git a/nixos/lib/packages.nix b/nixos/lib/packages.nix
new file mode 100644
index 0000000..1aee83b
--- /dev/null
+++ b/nixos/lib/packages.nix
@@ -0,0 +1,28 @@
+pkgs: let
+ getPackages = dir: let
+ entries = builtins.readDir dir;
+
+ procEntry = name: type: let
+ path = dir + "/${name}";
+ in
+ if type == "directory"
+ then
+ (
+ if builtins.pathExists (path + "/default.nix")
+ then [path]
+ else []
+ )
+ else [];
+ in
+ builtins.concatLists (
+ builtins.attrValues (
+ builtins.mapAttrs procEntry entries
+ )
+ );
+
+ buildPackage = path: {
+ name = builtins.baseNameOf (toString path);
+ value = pkgs.callPackage (path + "/default.nix") {};
+ };
+in
+ builtins.listToAttrs (builtins.map buildPackage (getPackages ../packages))
diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix
new file mode 100644
index 0000000..100701e
--- /dev/null
+++ b/nixos/lib/utils.nix
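Review bot: `getName` runs `builtins.split "\\." filename` twice and takes the head, so a file named `alice.backup.nix` maps to `alice` rather than `alice.backup`, and `getKeySets` imports every regular file in nixos/keys regardless of extension, so a stray editor backup or README would break evaluation; reuse the parsed list with `base = builtins.head parts;` and consider restricting `procEntry` to names ending in `.nix`. The key list comes from `builtins.attrValues`, which orders by attribute name, so a comment on getSSHKeys such as `# key strings from <name>.nix, in attribute-name order` would save the next reader from checking.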
@@ -0,0 +1,26 @@
+rec {
+ findNixFiles = dir: let
+ inherit (builtins) attrNames readDir pathExists concatMap hasSuffix;
+
+ # Helper function to build full paths
+ fullPath = name: dir + "/${name}";
+
+ # Get directory contents
+ contents = readDir dir;
+
+ # Convert contents attrset to list of names
+ names = attrNames contents;
+
+ # Filter and process each item
+ processItem = name: let
+ path = fullPath name;
+ type = contents.${name};
+ in
+ if type == "regular" && hasSuffix ".nix" name
+ then [path]
+ else if type == "directory" && pathExists path
+ then findNixFiles path
+ else [];
+ in
+ concatMap processItem names;
+}
diff --git a/nixos/packages/gpodder/default.nix b/nixos/packages/gpodder/default.nix
new file mode 100644
index 0000000..6803ffe
--- /dev/null
+++ b/nixos/packages/gpodder/default.nix
@@ -0,0 +1,21 @@
+{
+ buildGoModule,
+ fetchFromGitHub,
+}:
+buildGoModule rec {
+ pname = "gpodder2go";
+ version = "0.2.0";
+
+ src = fetchFromGitHub {
+ owner = "oxtyped";
+ repo = "gpodder2go";
+ rev = "v${version}";
+ hash = "sha256-DLUVANrePlnzEGmyjmrtQbus8zjPytBJUIg2MSqD8go=";
+ };
+
+ checkPhase = false;
+
+ vendorHash = "sha256-7VkpRyoqWFfZODrNq5YjgHFKM3/7u/4G5b/930aoqyA=";
+
+ CGO_ENABLED = 0;
+}
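Review bot: `inherit (builtins) attrNames readDir pathExists concatMap hasSuffix;` names `hasSuffix`, which as far as I know is not a Nix builtin (it is `lib.strings.hasSuffix` in nixpkgs), so processItem should fail with a missing-attribute error on the first regular file it meets; since this file is imported without lib, a local test such as `isNixFile = name: builtins.match ".*\\.nix" name != null;` used as `type == "regular" && isNixFile name` avoids the dependency. The `pathExists path` test on the directory branch is redundant because readDir already reported the entry as a directory, so `else if type == "directory"` is enough.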
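Review bot: `checkPhase = false;` in nixos/packages/gpodder/default.nix does not skip the tests: checkPhase is the phase script, a boolean false is exported to the builder as an empty string, and I believe stdenv then falls back to the default checkPhase function, so the Go tests still run. The idiom is `doCheck = false;`, ideally with a comment saying why upstream's tests are skipped so the exception is revisited when the version is bumped.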