init mikan

2024-12-25 17:51:47 -05:00 · 2024-12-25 17:51:47 -05:00 · a413aa02e5
parent 23dbd54950
commit a413aa02e5
9 changed files with 223 additions and 18 deletions
--- a/bin/mkhost
+++ b/bin/mkhost
@ -12,7 +12,7 @@ if [ -e "$HOST" ]; then
  exit 2
 fi
 mkdir "$HOST"
-nixos-generate-config --show-hardware-config > "$HOST/hardware-configuration.nix"
+nixos-generate-config --show-hardware-config --no-filesystems > "$HOST/hardware-configuration.nix"
 cat << EOF > "$HOST/default.nix"
 {...}: {
  imports = [
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,26 @@
 {
  "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734088167,
+        "narHash": "sha256-snPBgTqwn3FPZVdFC5yt7Bnk3squim1vZOZ8CObWykk=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "65a441502c9382d41ada1adbc9bd31d6c9b00fe2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "latest",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
@ -26,11 +47,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1734395804,
-        "narHash": "sha256-m75doN+grfAo8pO2s2wwnsUwSxZGElY/Fcpo3RZ80D4=",
+        "lastModified": 1735066341,
+        "narHash": "sha256-CWWyjOgIMv08M/WScUL1Dvd3cFTSMLJEXyHlArsJ2ZI=",
        "owner": "wamserma",
        "repo": "flake-programs-sqlite",
-        "rev": "42f6a8859142dc7dcb05502015913106fc77251f",
+        "rev": "832b4e206b87761d5e46fb0ff4df8c13dac93fde",
        "type": "github"
      },
      "original": {
@ -46,11 +67,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734344598,
-        "narHash": "sha256-wNX3hsScqDdqKWOO87wETUEi7a/QlPVgpC/Lh5rFOuA=",
+        "lastModified": 1735053786,
+        "narHash": "sha256-Gm+0DcbUS338vvkwyYWms5jsWlx8z8MeQBzcnIDuIkw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "83ecd50915a09dca928971139d3a102377a8d242",
+        "rev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84",
        "type": "github"
      },
      "original": {
@ -68,11 +89,11 @@
        "umu": "umu"
      },
      "locked": {
-        "lastModified": 1734313951,
-        "narHash": "sha256-DCjhmX5dVn11J8Ss+5Py4yMh8k7a63HakMENccGZBr4=",
+        "lastModified": 1735090720,
+        "narHash": "sha256-Abx/6obaYLgFio8g06pcmMaRPwjKo/bOn1P+gsDMVg0=",
        "owner": "fufexan",
        "repo": "nix-gaming",
-        "rev": "a5f8dee3f7e6864da0d69a227bc8a90a3cbf9d0f",
+        "rev": "95f1cc7ebe63b5a5af6c2d206ffd422739c5959e",
        "type": "github"
      },
      "original": {
@ -83,11 +104,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1734119587,
-        "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
+        "lastModified": 1734649271,
+        "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5",
+        "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507",
        "type": "github"
      },
      "original": {
@ -111,11 +132,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1734083684,
-        "narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=",
+        "lastModified": 1734875076,
+        "narHash": "sha256-Pzyb+YNG5u3zP79zoi8HXYMs15Q5dfjDgwCdUI5B0nY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84",
+        "rev": "1807c2b91223227ad5599d7067a61665c52d1295",
        "type": "github"
      },
      "original": {
@ -127,6 +148,7 @@
    },
    "root": {
      "inputs": {
+        "disko": "disko",
        "flake-programs-sqlite": "flake-programs-sqlite",
        "home-manager": "home-manager",
        "nix-gaming": "nix-gaming",
--- a/flake.nix
+++ b/flake.nix
@ -16,6 +16,10 @@
      url = "github:fufexan/nix-gaming";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    disko = {
+      url = "github:nix-community/disko/latest";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = {
@ -38,6 +42,7 @@
          specialArgs = {
            inherit pkgs-stable;
            inherit flake-programs-sqlite;
+            inherit inputs;
          };
          modules = [(./hosts + "/${host}")];
        };
--- a/hosts/mikan/config.nix
+++ b/hosts/mikan/config.nix
@ -0,0 +1,92 @@
+{...}: {
+  services.openssh = {
+    enable = true;
+    ports = [2291];
+    extraConfig = "AuthorizedKeysFile %h/.local/ssh/authorized_keys";
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+  networking.firewall.allowedTCPPorts = [2291 80 443];
+  services.qemuGuest.enable = true;
+  services.forgejo = {
+    enable = true;
+    database.type = "sqlite3";
+    settings = {
+      DEFAULT.APP_NAME = "g.twoha.cc";
+      server = {
+        DOMAIN = "g.twoha.cc";
+        ROOT_URL = "https://g.twoha.cc";
+        HTTP_PORT = 3333;
+        LANDING_PAGE = "explore";
+      };
+      service.DISABLE_REGISTRATION = true;
+    };
+  };
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin+acme@twoha.cc";
+    certs."twoha.cc" = {
+      dnsProvider = "porkbun";
+      environmentFile = "/root/porkbun-creds";
+      extraDomainNames = ["*.twoha.cc"];
+    };
+  };
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts."twoha.cc" = {
+      useACMEHost = "twoha.cc";
+      forceSSL = true;
+      serverName = "twoha.cc";
+      locations."/".return = 502;
+    };
+    virtualHosts."u.twoha.cc" = {
+      useACMEHost = "twoha.cc";
+      forceSSL = true;
+      serverName = "u.twoha.cc";
+      root = "/var/www/u";
+      locations."/".extraConfig = ''
+        disable_symlinks off;
+        if ($request_uri ~ ^/(.*)\.html) {
+          return 302 /$1;
+        }
+        try_files $uri $uri.html $uri/ =404;
+      '';
+      locations."/_/".proxyPass = "http://127.0.0.1:5000";
+    };
+    virtualHosts."mu.twoha.cc" = {
+      useACMEHost = "twoha.cc";
+      forceSSL = true;
+      serverName = "mu.twoha.cc";
+      root = "/var/www/mu";
+      locations."/".extraConfig = ''
+        disable_symlinks off;
+        if ($request_uri ~ ^/(.*)\.html) {
+          return 302 /$1;
+        }
+        try_files $uri $uri.html $uri/ =404;
+      '';
+    };
+    virtualHosts."*.twoha.cc" = {
+      useACMEHost = "twoha.cc";
+      serverName = "*.twoha.cc";
+      forceSSL = true;
+      locations."/".return = 502;
+    };
+    virtualHosts."g.twoha.cc" = {
+      forceSSL = true;
+      useACMEHost = "twoha.cc";
+      serverName = "g.twoha.cc";
+      extraConfig = ''
+        client_max_body_size 512M;
+      '';
+      locations."/".proxyPass = "http://localhost:3333";
+    };
+  };
+  users.users.nginx.extraGroups = ["acme"];
+}
--- a/hosts/mikan/default.nix
+++ b/hosts/mikan/default.nix
@ -0,0 +1,27 @@
+{inputs, ...}: {
+  imports = [
+    ../../system
+    ./hardware-configuration.nix
+    ./disk.nix
+    ./config.nix
+    inputs.disko.nixosModules.disko
+  ];
+
+  networking.hostName = "mikan";
+  time.timeZone = "America/New_York";
+  users.users.ahnwuoa = {
+    isNormalUser = true;
+    extraGroups = ["wheel"];
+  };
+  u.has = {
+    graphical = false;
+    wine = false;
+    virt = false;
+    container = false;
+  };
+  boot.loader.grub = {
+    useOSProber = false;
+    efiSupport = false;
+  };
+  boot.loader.efi.canTouchEfiVariables = false;
+}
--- a/hosts/mikan/disk.nix
+++ b/hosts/mikan/disk.nix
@ -0,0 +1,23 @@
+{...}: {
+  disko.devices.disk.main = {
+    device = "/dev/sda";
+    type = "disk";
+    content = {
+      type = "gpt";
+      partitions = {
+        boot = {
+          size = "1M";
+          type = "EF02"; # for grub MBR
+        };
+        root = {
+          size = "100%";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/";
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/mikan/hardware-configuration.nix
+++ b/hosts/mikan/hardware-configuration.nix
@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/hosts/mikan/users/ahnwuoa/default.nix
+++ b/hosts/mikan/users/ahnwuoa/default.nix
@ -0,0 +1,12 @@
+{...}: {
+  imports = [
+    ../../../../user
+  ];
+
+  home.username = "ahnwuoa";
+  u.has = {
+    graphical = false;
+    wine = false;
+    prog = false;
+  };
+}
--- a/system/boot.nix
+++ b/system/boot.nix
@ -1,5 +1,5 @@
-{...}: {
-  boot.loader = {
+{lib, ...}: {
+  boot.loader = lib.mkDefault {
    grub.enable = true;
    grub.device = "nodev";
    grub.efiSupport = true;