Initial Commit

.gitignore

@@ -0,0 +1,5 @@
+# direnv:
+.direnv/
+
+# result:
+result/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Lorenzo Good
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

nixos/common/caddy.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  lib,
+}: let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.foehammer.caddy;
+in {
+  options.foehammer.caddy.enable = mkEnableOption "Enable caddy with default configuration.";
+  config = mkIf cfg.enable {
+    services.caddy = {
+      enable = true;
+      email = "foehammer127+acme@gmail.com";
+    };
+
+    networking.firewall.allowedTCPPorts = [80 443];
+  };
+}

nixos/common/nix.nix

@@ -0,0 +1,26 @@
+{...}: {
+  nix = {
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+
+    settings = {
+      experimental-features = [
+        "auto-allocate-uids"
+        "flakes"
+        "nix-command"
+      ];
+
+      trusted-users = ["root" "@wheel"];
+
+      substituters = ["https://cache.nixos.org" "https://cache.garnix.io"];
+      trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="];
+    };
+  };
+}

nixos/common/nixos.nix

@@ -0,0 +1,32 @@
+{
+  config,
+  lib,
+  pkgs,
+}: let
+  inherit (lib) mkIf;
+in {
+  config = {
+    users.mutableUsers = false;
+
+    environment.systemPackages = with pkgs; [neovim git];
+
+    networking = {
+      firewall = {
+        enable = true;
+      };
+
+      nameservers = ["1.1.1.1" "8.8.8.8"];
+      # If using dhcpcd:
+      dhcpcd.extraConfig = mkIf config.networking.dhcpcd.enable "nohook resolv.conf";
+      # If using NetworkManager:
+      networkmanager.dns = mkIf config.networking.networkmanager.enable "none";
+    };
+
+    services.openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+      };
+    };
+  };
+}

nixos/common/services/vaultwarden.nix

@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+}: let
+  inherit (lib) mkEnableOption mkIf mkOption;
+
+  cfg = config.foehammer.services.vaultwarden;
+in {
+  options.foehammer.services.vaultwarden = {
+    enable = mkEnableOption "Enable Vaultwarden Server";
+
+    port = mkOption {
+      type = lib.types.port;
+      default = 8222;
+      description = ''
+        What external port to serve over.
+      '';
+    };
+
+    signups = mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+
+    envPath = mkOption {
+      type = lib.types.port;
+    };
+
+    domain = mkOption {
+      type = lib.types.str;
+    };
+  };
+
+  config.services.vaultwarden = mkIf cfg.enable {
+    enable = true;
+
+    config = {
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = cfg.port;
+      DOMAIN = cfg.domain;
+      ROCKET_LOG = "critical";
+      SIGNUPS_ALLOWED = cfg.signups;
+    };
+
+    environmentFile = cfg.envPath;
+  };
+}

nixos/flake.lock

@@ -0,0 +1,58 @@
+{
+  "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1736143030,
+        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1737672001,
+        "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1735774519,
+        "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nixos/flake.nix

@@ -0,0 +1,41 @@
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+
+    flake-parts.url = "github:hercules-ci/flake-parts";
+  };
+
+  outputs = inputs @ {self, ...}:
+    inputs.flake-parts.lib.mkFlake {inherit inputs;} (toplevel @ {withSystem, ...}: {
+      systems = ["aarch64-darwin" "aarch64-linux" "x86_64-linux"];
+
+      perSystem = {
+        config,
+        self',
+        inputs',
+        pkgs,
+        system,
+        ...
+      }: {
+        _module.args.pkgs = import inputs.nixpkgs {
+          localSystem = system;
+          config = {
+            allowUnfree = true;
+            allowAliases = true;
+          };
+          overlays = [self.overlays.default];
+        };
+
+        packages = import ./lib/packages.nix pkgs;
+      };
+
+      flake = {
+        lib = import ./lib;
+        overlays.default = final: prev: (import ./lib/packages.nix prev);
+
+        nixosModules.default = {...}: {
+          imports = self.lib.utils.findNixFiles ./nixos;
+        };
+      };
+    });
+}

nixos/keys/foehammer.nix

@@ -0,0 +1,5 @@
+{
+  leni = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8KV91FpgTjTySEvM1Wj3eDrM8PpVZ6qoOHyAvDOdIj foehammer@euclid";
+
+  yubikey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtCcKS1jN/WSb4Ggvpz11pkUdE4kMgrN0xwptXLgSBX openpgp:0x79EFAC41";
+}

nixos/lib/default.nix

@@ -0,0 +1,4 @@
+{
+  utils = import ./utils.nix;
+  getSSHKeys = (import ./keys.nix).getSSHKeys;
+}

nixos/lib/keys.nix

@@ -0,0 +1,28 @@
+rec {
+  getSSHKeys = name: (getKeySets ../keys)."${name}";
+
+  getKeySets = dir: let
+    entries = builtins.readDir dir;
+
+    procEntry = name: type: let
+      path = dir + "/${name}";
+    in
+      if type == "regular"
+      then [
+        {
+          name = getName name;
+          value = builtins.attrValues (import path);
+        }
+      ]
+      else [];
+  in
+    builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs procEntry entries)));
+
+  getName = filename: let
+    parts = builtins.split "\\." filename;
+    base = builtins.head (builtins.split "\\." filename);
+  in
+    if builtins.length parts == 1
+    then filename
+    else base;
+}

nixos/lib/packages.nix

@@ -0,0 +1,28 @@
+pkgs: let
+  getPackages = dir: let
+    entries = builtins.readDir dir;
+
+    procEntry = name: type: let
+      path = dir + "/${name}";
+    in
+      if type == "directory"
+      then
+        (
+          if builtins.pathExists (path + "/default.nix")
+          then [path]
+          else []
+        )
+      else [];
+  in
+    builtins.concatLists (
+      builtins.attrValues (
+        builtins.mapAttrs procEntry entries
+      )
+    );
+
+  buildPackage = path: {
+    name = builtins.baseNameOf (toString path);
+    value = pkgs.callPackage (path + "/default.nix") {};
+  };
+in
+  builtins.listToAttrs (builtins.map buildPackage (getPackages ../packages))

nixos/lib/utils.nix

@@ -0,0 +1,26 @@
+rec {
+  findNixFiles = dir: let
+    inherit (builtins) attrNames readDir pathExists concatMap hasSuffix;
+
+    # Helper function to build full paths
+    fullPath = name: dir + "/${name}";
+
+    # Get directory contents
+    contents = readDir dir;
+
+    # Convert contents attrset to list of names
+    names = attrNames contents;
+
+    # Filter and process each item
+    processItem = name: let
+      path = fullPath name;
+      type = contents.${name};
+    in
+      if type == "regular" && hasSuffix ".nix" name
+      then [path]
+      else if type == "directory" && pathExists path
+      then findNixFiles path
+      else [];
+  in
+    concatMap processItem names;
+}

nixos/packages/gpodder/default.nix

@@ -0,0 +1,21 @@
+{
+  buildGoModule,
+  fetchFromGitHub,
+}:
+buildGoModule rec {
+  pname = "gpodder2go";
+  version = "0.2.0";
+
+  src = fetchFromGitHub {
+    owner = "oxtyped";
+    repo = "gpodder2go";
+    rev = "v${version}";
+    hash = "sha256-DLUVANrePlnzEGmyjmrtQbus8zjPytBJUIg2MSqD8go=";
+  };
+
+  checkPhase = false;
+
+  vendorHash = "sha256-7VkpRyoqWFfZODrNq5YjgHFKM3/7u/4G5b/930aoqyA=";
+
+  CGO_ENABLED = 0;
+}