tuxcord/tuxcord.nix
8
2
Fork 1
Code Issues 13 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: tuxcord/tuxcord.nix:931ee4f8624c709966c159f3248f8a3591a48fa8
Branches Tags
tuxcord/tuxcord.nix:main tuxcord/tuxcord.nix:staging tuxcord/tuxcord.nix:styling/forgejo tuxcord/tuxcord.nix:auth/authelia tuxcord/tuxcord.nix:auth/authentik
..
compare: tuxcord/tuxcord.nix:styling/forgejo
Branches Tags
tuxcord/tuxcord.nix:staging tuxcord/tuxcord.nix:styling/forgejo tuxcord/tuxcord.nix:auth/authelia tuxcord/tuxcord.nix:auth/authentik tuxcord/tuxcord.nix:main

34 Commits
931ee4f862 .. styling/forgejo

Author SHA1 Message Date
javalsai 22ec729583 nixos/services: swap gitea with forgejo
Check / Nix flake (push) Failing after 10s
Details
Lint / Nix expressions (push) Failing after 11s
Details
2026-05-06 14:34:55 +02:00
javalsai c5579fbd9c nixos/services: lay ground for gitea branding
Check / Nix flake (push) Failing after 9s
Details
Lint / Nix expressions (push) Failing after 10s
Details 
also makes adds gitea persistence
 2026-05-06 03:59:58 +02:00
javalsai c830cc1f96 treewide: upgrade npins to support lfs
Check / Nix flake (push) Failing after 8s
Details
Lint / Nix expressions (push) Failing after 9s
Details 
this has the side effect of making the root site's favicon work
 2026-05-06 03:57:25 +02:00
ErrorNoInternet 00e815c003 treewide: use flake with direnv
Check / Nix flake (push) Failing after 9s
Details
Lint / Nix expressions (push) Failing after 12s
Details
2026-05-05 13:18:25 -04:00
ErrorNoInternet 3910f14eef nixos/openssh: dynamically use openssh port for firewall 2026-05-05 13:18:25 -04:00
javalsai 82c76dc390 nixos/users: port tuxcord.net motd
Check / Nix flake (push) Failing after 8s
Details
Lint / Nix expressions (push) Failing after 11s
Details
2026-05-04 20:50:25 +02:00
javalsai edf7aab2f0 nixos/services: serve a strict robots.txt everywhere
Check / Nix flake (push) Failing after 8s
Details
Lint / Nix expressions (push) Failing after 9s
Details
2026-05-04 12:36:34 -04:00
ErrorNoInternet 760c5c8284 nixos/hardware: add kvm-amd module
Check / Nix flake (push) Failing after 10s
Details
Lint / Nix expressions (push) Failing after 10s
Details 
From running the virtual machine on an AMD system.
 2026-05-04 01:36:59 -04:00
ErrorNoInternet 3a5d5d27f4 nixos/networking: fix extraHosts generation 2026-05-04 01:31:27 -04:00
ErrorNoInternet 015bbc3d66 npins: update website 2026-05-04 01:31:27 -04:00
ErrorNoInternet dc374e8c04 nixos/hosts: declare fileSystems for testing hosts 2026-05-04 01:31:27 -04:00
ErrorNoInternet a708c04a9a nixos/services/openssh: enable X11 forwarding 2026-05-04 01:31:27 -04:00
javalsai a2534a3dab nixos/hosts: enable autologin for testing hosts 2026-05-04 01:31:15 -04:00
javalsai b78c41a5f7 nixos/services: add default website on nginx 2026-05-04 01:27:11 -04:00
javalsai e1f2dc3161 nixos/services: disable nginx proxy buffering 2026-05-04 01:27:11 -04:00
ErrorNoInternet f1c5f038ec nixos/impermanence: remove ssh host key persistence 
The SSH host key files are already defined in the OpenSSH module, so
there is no need to persist them with impermanence.nix.
 2026-05-04 01:27:10 -04:00
ErrorNoInternet ae0d4f5958 shells: remove neovim 
Some users may be using self-contained Neovim executables.
 2026-05-04 01:27:10 -04:00
ErrorNoInternet ded0374c57 agenix: import initial user dns keys 2026-05-04 01:27:10 -04:00
ErrorNoInternet ab0f9a2ff2 treewide: create global user list 2026-05-04 01:27:10 -04:00
javalsai fb9526fec2 docs: add sections and fix typos/errors 2026-05-04 00:45:22 -04:00
ErrorNoInternet 0692e680b8 treewide: initialize npins 2026-05-04 00:45:22 -04:00
ErrorNoInternet 3a940586d5 treewide: refactor code 2026-05-04 00:45:21 -04:00
javalsai 7e7097f457 nixos/security: add acme through dns challenge 
few side refactors of this:
- no more `dns.domain`, it all must rely on `fqdn`, prevents
  inconsistencies.
- also added an specific host `tuxcord-acmetest` that uses the key zone
  for `nix.tuxcord.net` to test certificate pulling.
 2026-05-04 00:45:21 -04:00
javalsai 22b3a95bf8 docs: document installation, secrets, and setup steps 2026-05-04 00:45:21 -04:00
javalsai de4b8833bd nixos/services: make dns configuration easier 2026-05-04 00:45:21 -04:00
javalsai ac9b80573f nixos/service: add dns (bind named server) 2026-05-04 00:45:21 -04:00
javalsai 66a15a5d19 nixos/programs: add bind utils 2026-05-04 00:45:21 -04:00
javalsai 7e331f5e1a nixos/services: add gitea server 2026-05-04 00:45:21 -04:00
javalsai a8374e231f nixos/services: add nginx base configuration 2026-05-04 00:45:21 -04:00
javalsai 27b861d5a5 nixos/networking: add own fqdn to extraHosts 2026-05-04 00:45:21 -04:00
javalsai 6a29ac005c nixos/hosts: add tuxcord-vm host configuration 2026-05-04 00:45:21 -04:00
ErrorNoInternet 0b9f76dcb4 nixos: separate openssh firewall port 2026-05-04 00:45:21 -04:00
javalsai cc52b0e6cb lib/ssh: add more ssh keys 2026-05-04 00:41:23 -04:00
javalsai d4d560c30f nixos/vm: enable qemu network bridge 2026-05-04 01:55:29 +02:00
36 changed files with 705 additions and 210 deletions
Expand all files Collapse all files
.envrc
+1
View File
@@ -0,0 +1 @@
use flake
.gitignore
+2 -1
View File
@@ -1,3 +1,4 @@
# Nix
/result
/*.qcow2
/.direnv
/result
agenix/dns/nix.tuxcord.net/nix.tuxcord.net.key.age
BIN
View File
Binary file not shown.
agenix/dns/tuxcord.net/error.tuxcord.net.key.age
BIN
View File
Binary file not shown.
agenix/dns/tuxcord.net/javalsai.tuxcord.net.key.age
+7
View File
@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 3CWPYLgoTMGb9gBbDzZIQxYJ9Gfm49g6lqQyqlegUDQ
ryhsPP5+Byus2e5GSXDJlKYX1o3HfQ87CLRv2htU4n4
-> ssh-ed25519 EiAAKw B2uGdkeC3OZISN2iH2DR1J7L3/mbuFvebzqaTdAURCw
ze0X/MmHP78rRqAn0O3VBtnMJsiOXPk8RIe82tdQMeg
--- kLBxPuJdbPmJ1Lz3iBu8EPItdZtpNHIyV6pz1QzhcUY
ä3ÛÿÉèŸP>gòh@­ö•AZ’üz-í6R€¸zèÚ¢[ÇÝÍòã¿y?•ÉŽUSNÝ©&ú#}ÝR+o?.B¶&´5]ÇW€OΉPuh‹½ŽÞ=t¶5|¿×“s×€ú&!­‰Î-æTÝSÆfÕ™-j"#žwzºš›ãjö¯“HŒí
agenix/dns/tuxcord.net/tuxcord.net.key.age
BIN
View File
Binary file not shown.
agenix/dns/tuxcord.test/sub.tuxcord.test.key.age
BIN
View File
Binary file not shown.
agenix/dns/tuxcord.test/tuxcord.test.key.age
BIN
View File
Binary file not shown.
agenix/ntfy.age
+17 -31
View File
@@ -1,34 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 Wl2fDA dM0TgKtswZcbEV9tGGY26YCksV2xadHWXv7D/KksAWk
1vCcuHmVP2xiHd/7hh0z2Hiq/EeA8uvdsRtQReC5hNY
-> ssh-ed25519 zNC8SA uTO/3ePjgiKqk3jeRGZX5D3LjzhSBlp2rD2ZakKmfX0
tVkEEcP/KfD9x52l7iz5F3hKK0LSckjXWK5YP2aeBt4
-> ssh-ed25519 EiAAKw Etu0I4IzJ3BB2SzCeiexx+dhcLUO5d2Ws+WiJyLk/Sw
9GBcZPsIXO3mXbri3lFYjtBBu0wFYul6hKsCvBKVLFs
-> ssh-ed25519 Wl2fDA 8rfiRx7+Gr9BtiSXsVEs2W+pXoms6ynODC1TL90+Wi4
/uMnYMJovbaPjwX1qCAtIokov40RYIAm2Mup5XKBJvw
-> ssh-ed25519 zNC8SA FlxMK7kMYnKHY9MBJ+HYDI4GNS0nSgZxVuRe4yTWBgg
HPOV31k8Ueb1W5usG7iLXDQxyAlISrgHThddHpGY2+s
-> ssh-ed25519 EiAAKw Bu7+NJXivoRA07glNWUlBGu03J0ueth7XDU7SWQYT30
r/DBmf4TRDJBgFF0KdeHuKL5hLdU1z6HtfAAVbc6Y0I
-> ssh-rsa eFi+Zw
uOZsBC+IMHdX2h9Jq/CF/L3BsxDW+dULk04JQbDeM85Mrxxdrv2X3w7AW8YU2KS+
Xg8LnzH01z4Nfs89uysM/lsWptc9qMeaK9o0oHC+tSJH4Ch43MejbmFYjFibHaCm
krQM7dAGIJwc/o0+ykaCrbXSvXAyfd6Nw1izou2ZcDRI7mTipOZO8F949SIk//Rc
UJgPLqpGwScEfrHf4f6tySC4LmD0bPIV1xDpmmXcS7c83E9+iVOtb5Y1In6CQrF1
XZQCb9MkPySbuicwR022CySb+lc7Ru44RdqBgV1e+wphyZCoqCk09i18egV3hNs6
iEul3M8dqV27yRKrWIUD5jT2tUszTNJfreiuZl9eDmLkcVWExkWzqWPUFJ48hQiZ
89Z4Evn04vZGoeL67K5q93lSRHz109zT/KIJSQMZpbaecGAoiZDM8Mdq3KzawGSG
ENQazx6lnGoMccvxFhjrVqfYj3U4S/pnCow5fatvkBQSyysL63UxE5ivcFUHHppB
Nu4gAM/vbh0kpEUIaT4P6iTe9qFFM/9IVxiiKPYHdPnCmPJHrug1afLLFrrrpqkd
o1NrfYIM9gW6jl5QMCcP5DpzMTppokX0P1Tz1ZeOEtZUVtGeZ7Q2wmL4zftwmG9J
qoDjsCd0z6MPDUdU46qc7kjQBhOwGLfHXTfGLXGNZxqj0oLvEoEKpdvFNBvMSyxK
oGZRwGsHQcUXKhCPtf6PVtSkHMABzpUAhgS8oqjp4RVurD0lcrPgsx8pSRRarfyE
ll1QbFCjftuJfeIEshgRkaLGjIQpZDFA3w2XMqDddFz5H/9Ak+F8/rkNnUrN2x4M
amca8s4Sbls6RjyysarIytilCtpaKEI2sgkD2fERao6ayTSnWF45qqh635OLaP5A
b7qcru9gO0C3Ik+UuiZMgovxo/+yBYe3+8x8q/uKR4apPAkt/2q28Uilw1WboIEB
rIjBr0BN1JeHvkiyljJGcvGf5jHdmOrpQu/L1xuSDjsTnh+U6BshQC8bbkJNsVoL
-> ssh-ed25519 QovoLQ wgg0cFlYEVafE3rXK4GrID3RTatZdKPYzsjT18WskFM
bgv+7an3xgdqf6WaiB1FFkXObcykUnvH6lJmX5gFJkQ
-> ssh-rsa OFkEIg
IIQbFB6VUwbB+ZtKR7Ayg9Im6vMU1AzqHT8CBagA5fwJ7Vp1GuX1X9SxL9hMPkd3
4osEbSu3JJDMwfC6AfFtcEjmxjmRYyiYlzmIjhVEsaTlwyeucAPd+fdj+TPjHidZ
dffizNEOiENY49jlmWTjMqYKnBsSP9GfH4ZsKpCaWMm2h9p687weuXFfbYfjYMII
a3C4iG8m+mZ4crYTKZu6WPbnHn9g0pMxZBs4v6MnBHk6eEJ0uiJvrzYApoFE5om7
9AknL27ra/+A1UQl+1kzLT+IivJa8FCfZ+zF1RYLRvSATlIzCqCiBiayAsVtQg5O
girBRnlAJTPisszyoAhsqbECvD6bJfwlTW0STg/M1u3ZPMTGL4V0gJgynANmjb7Y
TXd11zuhjRYgOBAj09trQFTmmwIgPvvu8+VXNDNPAp02ffBT8kMUvSEik98/35x1
Dwvm38t05O6nqyHUF957CRVTzPQPAnb5Cd+Rw/joID2YPyFN9IZwE4mi2Bf3zdZo
roxtqCupmWkpxMNN7GZJrmCE/Lh6YV4DgUd6VNQc7QlGsq5K4XRT7aa+s+17cC8e
HCxQfGM8sMe9T6IK+K4p6qTqluyI/X0r95kGfzhNmgzufc44i6X497i3fDSVoLpx
Uo7Ao3QRNPyaUXcqTTIg8Kx9YiLQC3tDblVJjIZU89o
--- Vb9o/bhuN6XXjfK04haEEUXnuIA02j4GH9PmAh0ayN8
óE¬dGs;’Ž°À± ü
ñ,OHˆÿœˆ{²¶>ú*wAÃLÌÄ\©0SQöÖ*{6fô‰+Xš¨.
--- GCTLfa/BICL9AWTaqGC13M101Z8sqSqPP4ysJVv5zvg
]
ý­¢Ôÿi¹‡7c·f`b@%X”¿J )û[<+;x-ÇKmTõ@ãÌ„ýŸK]7sc*ë­Ÿ‡¼2Ý®5
agenix/secrets.nix
+17 -9
View File
@@ -1,17 +1,25 @@
let
users = import ../lib/ssh/keys.nix;
inherit (import ../lib)
users
adminSSHKeys
attrsToList
getSSHKeys
;
tuxcord-ca = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxiko5Csyq9UODglYzLBvRfxkhQu9GXP7SH2BpC8G/7";
in
{
"ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
"ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
# tsig-keygen etc.sub.domain.tld.
"dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ];
# "dns/tuxcord.net/XXX.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.XXX ];
"dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
"dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
"dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
"dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
"dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
"dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
"dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
}
// builtins.listToAttrs (
map (user: {
name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
}) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
)
assets/branding/logo-head.svg
+112
View File
File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

assets/branding/logo.svg
+109
View File
File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

assets/forgejo/templates/home.tmpl
+12
View File
@@ -0,0 +1,12 @@
{{template "base/head" .}}
<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}"
class="page-content home tw-mb-8 tw-px-8 center" style="height: 100%; flex-direction: column; display: flex; align-items: center; justify-content: space-around;">
<img width="500" height="500" src="{{AssetUrlPrefix}}/images/full-logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
<div class="hero">
<h1 class="ui icon header title">
{{AppName}}
</h1>
<!-- <h2>My own gitea server 😎</h2> -->
</div>
</div>
{{template "base/footer" .}}
assets/forgejo/theme.css
+51
View File
@@ -0,0 +1,51 @@
@import "/assets/css/theme-forgejo-dark.css";
/* :root { */
/* --is-dark-theme: true; */
/* --accent-color: 221, 85, 85; */
/* /1* #d55 *1/ */
/* --gitea-color-primary-dark-4: 221, 85, 85; */
/* --accent-color-secondary: 96, 72, 10; */
/* --accent-color-hover: 170, 68, 68; */
/* --color-primary: rgb(var(--accent-color)); */
/* --color-secondary: rgb(var(--accent-color-secondary)); */
/* --button-color: rgb(var(--accent-color)); */
/* --button-color-hover: rgb(var(--accent-color-hover)); */
/* } */
:root {
--is-dark-theme: true;
--color-primary: #d162a4;
--color-primary-contrast: #fff;
--color-primary-dark-1: #ba3283;
--color-primary-dark-2: #b55690;
--color-primary-dark-3: #ac2c79;
--color-primary-dark-4: #a30262;
--color-primary-dark-5: #8a0253;
--color-primary-dark-6: #710144;
--color-primary-dark-7: #570135;
--color-primary-light-1: #d776af;
--color-primary-light-2: #dd89bb;
--color-primary-light-3: #e29dc6;
--color-primary-light-4: #e8b1d2;
--color-primary-light-5: #eec5dd;
--color-primary-light-6: #f4d8e9;
--color-primary-light-7: #f9ecf4;
--color-primary-alpha-10: #d162a419;
--color-primary-alpha-20: #d162a433;
--color-primary-alpha-30: #d162a44b;
--color-primary-alpha-40: #d162a466;
--color-primary-alpha-50: #d162a480;
--color-primary-alpha-60: #d162a499;
--color-primary-alpha-70: #d162a4b3;
--color-primary-alpha-80: #d162a4cc;
--color-primary-alpha-90: #d162a4e1;
}
.navbar-left > #navbar-logo.item,
.navbar-right > #navbar-logo.item,
.navbar-mobile-right > #navbar-logo.item {
padding: 3px;
}
flake.nix
+5
View File
@@ -52,6 +52,11 @@
formatter = pkgs.nixfmt;
};
flake = {
lib = import ./lib;
pins = import ./npins;
};
systems = [
"x86_64-linux"
"aarch64-linux"
lib/default.nix
+24
View File
@@ -0,0 +1,24 @@
rec {
toList = x: if builtins.isList x then x else [ x ];
nameValuePair = name: value: { inherit name value; };
mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
attrsToList = mapAttrsToList nameValuePair;
getSSHKeys =
username:
if (builtins.hasAttr "ssh" users.${username}) then
toList users.${username}.ssh
else
builtins.warn "user ${username} declared without ssh keys" [ ];
users = import ./users.nix;
adminSSHKeys = builtins.concatLists (
map (user: getSSHKeys user.name) (
builtins.filter (user: user.value.admin or false) (attrsToList users)
)
);
}
lib/ssh/keys.nix
-8
View File
@@ -1,8 +0,0 @@
{
error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
javalsai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
max = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
vectorum = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
pickzelle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
}
lib/users.nix
+26
View File
@@ -0,0 +1,26 @@
{
error = {
ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
admin = true;
ddns = true;
};
javalsai = {
ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
admin = true;
ddns = true;
};
max = {
ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
admin = true;
};
vectorum = {
ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
};
pickzelle = {
ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
};
}
nixos/common.nix
+8 -15
View File
@@ -99,22 +99,15 @@ in
extraHosts =
let
subdomains = [
""
".git"
];
subdomains = [ "git" ];
inherit (config.networking) fqdn;
hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
in
builtins.foldl' (
hosts-acc: domain-prefix:
let
host = "${domain-prefix}${config.networking.fqdn}";
in
hosts-acc
+ ''
127.0.0.1 ${host}
::1 ${host}
''
) "" subdomains;
lib.concatMapStrings (host: ''
127.0.0.1 ${host}
::1 ${host}
'') hosts;
};
virtualisation.podman.enable = true;
nixos/hardware.nix
+4 -1
View File
@@ -15,7 +15,10 @@
"xhci_pci"
];
kernelModules = [ "kvm-intel" ];
kernelModules = [
"kvm-amd"
"kvm-intel"
];
};
hardware = {
nixos/hosts/tuxcord-acmetest/default.nix
+8 -5
View File
@@ -1,11 +1,14 @@
{
acme = {
enable = true;
rfc2136.nameserver = "tuxcord.net";
};
imports = [
./storage.nix
];
dns.enable = true;
networking.fqdn = "nix.tuxcord.net";
acme.rfc2136.nameserver = "tuxcord.net";
dns.enable = true;
services.getty.autologinUser = "root";
time.timeZone = "Europe/Madrid";
}
nixos/hosts/tuxcord-acmetest/storage.nix
+6
View File
@@ -0,0 +1,6 @@
{
fileSystems."/" = {
device = "/dev/vda";
fsType = "ext4";
};
}
nixos/hosts/tuxcord-ca/storage.nix
+1
View File
@@ -32,6 +32,7 @@
device = "/dev/xvda2";
fsType = "btrfs";
options = [ "subvol=@persist" ] ++ defaultOptions;
neededForBoot = true;
};
};
}
nixos/hosts/tuxcord-test/default.nix
+7 -1
View File
@@ -1,6 +1,12 @@
{
imports = [
./storage.nix
];
networking.fqdn = "tuxcord.test";
acme.enable = false;
dns.enable = true;
networking.fqdn = "tuxcord.test";
services.getty.autologinUser = "root";
}
nixos/hosts/tuxcord-test/storage.nix
+6
View File
@@ -0,0 +1,6 @@
{
fileSystems."/" = {
device = "/dev/vda";
fsType = "ext4";
};
}
nixos/impermanence.nix
-6
View File
@@ -55,8 +55,6 @@
};
};
fileSystems."/persist".neededForBoot = true;
environment.persistence."/persist" = {
enable = true;
hideMounts = true;
@@ -72,10 +70,6 @@
];
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
nixos/modules/default.nix
+1 -1
View File
@@ -3,7 +3,7 @@
./acme.nix
./dns.nix
./fail2ban.nix
./gitea.nix
./forgejo.nix
./host.nix
./nginx.nix
./snapper.nix
nixos/modules/forgejo.nix
+125
View File
@@ -0,0 +1,125 @@
{ config, pkgs, ... }:
let
inherit (config.networking) fqdn;
acmeEnabled = config.acme.enable;
themeName = "tuxcord";
forgejoPublic = pkgs.linkFarm "forgejo-public" [
{
name = "assets/css/theme-${themeName}.css";
path = ../../assets/forgejo/theme.css;
}
{
name = "assets/img";
path = makeForgejoImages {
big = ../../assets/branding/logo.svg;
small = ../../assets/branding/logo-head.svg;
rasterWidth = 1024;
};
}
{
name = "assets/images/full-logo.svg";
path = ../../assets/branding/logo.svg;
}
];
forgejoTemplates = ../../assets/forgejo/templates;
makeForgejoImages =
{
big,
small,
rasterWidth,
}:
pkgs.stdenv.mkDerivation rec {
name = "forgejo-images";
srcs = [
big
small
];
unpackPhase = "true";
buildInputs = with pkgs; [
inkscape
];
# https://forgejo.org/docs/next/contributor/customization/#changing-the-logo
buildPhase = ''
mkdir -p $out
cp "${big}" $out/logo.svg
inkscape -w ${toString rasterWidth} ${big} -o $out/logo.png
cp "${small}" $out/favicon.svg
inkscape -w ${toString rasterWidth} ${small} -o $out/favicon.png
'';
};
in
{
services.forgejo = {
enable = true;
database.type = "mysql";
lfs.enable = true;
settings = {
DEFAULT = {
APP_NAME = "TuxCord Code Forge";
};
server = {
DOMAIN = fqdn;
ROOT_URL = "${if acmeEnabled then "https" else "http"}://${fqdn}/";
HTTP_PORT = 3000;
};
service = {
DISABLE_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = false;
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
DEFAULT_BRANCH = "main";
};
ui = {
DEFAULT_THEME = themeName;
};
# TODO: once we have email setup this would be nice
mailer.ENABLED = true;
actions = {
ENABLED = true;
# DEFAULT_ACTIONS_URL = "github";
};
};
};
systemd.services.forgejo-branding = {
enable = true;
wantedBy = [ "forgejo.service" ];
before = [ "forgejo.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "forgejo-branding.oneshot" ''
${pkgs.rsync}/bin/rsync -rl --chown forgejo:forgejo --delete ${forgejoPublic}/ ${config.services.forgejo.customDir}/public
${pkgs.rsync}/bin/rsync -rl --chown forgejo:forgejo --delete ${forgejoTemplates}/ ${config.services.forgejo.customDir}/templates
'';
};
};
environment.persistence."/persist".directories = [
{
directory = config.services.forgejo.stateDir;
group = "forgejo";
user = "forgejo";
}
];
}
nixos/modules/gitea.nix
-40
View File
@@ -1,40 +0,0 @@
{ config, ... }:
let
inherit (config.networking) fqdn;
acmeEnabled = config.acme.enable;
in
{
services.gitea = {
enable = true;
appName = "TuxCord Gitea";
database.type = "mysql";
lfs.enable = true;
settings = {
server = {
DOMAIN = fqdn;
ROOT_URL = "${if acmeEnabled then "https" else "http"}://${fqdn}/";
HTTP_PORT = 3000;
};
service = {
DISABLE_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = false;
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
DEFAULT_BRANCH = "main";
};
# ui.DEFAULT_THEME = "...";
# TODO: once we have email setup this would be nice
mailer.ENABLED = true;
};
};
}
nixos/modules/nginx.nix
+34 -9
View File
@@ -1,21 +1,46 @@
{ config, ... }:
{ config, self, ... }:
let
inherit (config.networking) fqdn;
mkVhost =
attrs:
attrs: locations:
let
acmeEnabled = config.acme.enable;
in
{
forceSSL = acmeEnabled;
useACMEHost = if acmeEnabled then fqdn else null;
locations = {
"= /robots.txt" = {
alias = disallowedRobotsTxt;
};
}
// locations;
}
// attrs;
mkProxy = port: {
proxyPass = "http://127.0.0.1:${toString port}/";
extraConfig = ''
proxy_buffering off;
proxy_request_buffering off;
'';
};
mkSsi = webRoot: {
root = webRoot;
extraConfig = ''
ssi on;
'';
};
disallowedRobotsTxt = builtins.toFile "robots.txt" ''
User-agent: *
Disallow: /
'';
in
{
services.nginx = {
@@ -27,14 +52,14 @@ in
recommendedGzipSettings = true;
recommendedOptimisation = true;
# services.nginx.virtualHosts."${fqdn}" = {
# addSSL = true;
# root = "/var/www/myhost.org";
# default = true;
# };
virtualHosts = {
"${fqdn}" = mkVhost { default = true; } {
"/" = mkSsi "${self.pins.website}/web-root";
};
virtualHosts."git.${fqdn}" = mkVhost {
locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
"git.${fqdn}" = mkVhost { } {
"/" = mkProxy config.services.forgejo.settings.server.HTTP_PORT;
};
};
};
nixos/openssh.nix
+3 -1
View File
@@ -1,9 +1,11 @@
{ config, ... }:
{
services.openssh = {
enable = true;
settings = {
ClientAliveInterval = 300;
X11Forwarding = true;
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
@@ -11,5 +13,5 @@
};
};
networking.firewall.allowedTCPPorts = [ 22 ];
networking.firewall.allowedTCPPorts = config.services.openssh.ports;
}
nixos/users.nix
+37 -61
View File
@@ -1,25 +1,6 @@
{ lib, self, ... }:
let
users = [
{
name = "error";
options.admin = true;
}
{
name = "javalsai";
options.admin = true;
}
{
name = "max";
options.admin = true;
}
{
name = "vectorum";
}
{
name = "pickzelle";
}
];
inherit (self.lib) users;
adminGroups = [
"adm"
@@ -30,60 +11,55 @@ let
"wheel"
];
getSSHKeys =
username:
let
sshKeys = import "${self}/lib/ssh/keys.nix";
in
if (builtins.hasAttr username sshKeys) then
lib.lists.toList sshKeys.${username}
else
lib.warn "user ${username} declared without ssh key" [ ];
mkUser =
name: uid: options:
let
admin = options.admin or false;
in
{
users.users.${name} = {
isNormalUser = true;
extraGroups = lib.optionals admin adminGroups;
inherit uid;
openssh.authorizedKeys.keys = getSSHKeys name;
};
systemd.slices."user-${builtins.toString uid}".sliceConfig = {
CPUQuota = "50%";
CPUWeight = "10";
IOAccounting = true;
IOWeight = "10";
MemoryMax = "2G";
MemorySwapMax = "1G";
TasksMax = "100";
};
mkUser = name: uid: admin: {
users.users.${name} = {
inherit uid;
isNormalUser = true;
extraGroups = lib.optionals admin adminGroups;
openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
};
systemd.slices."user-${builtins.toString uid}".sliceConfig = {
CPUQuota = "50%";
CPUWeight = "10";
IOAccounting = true;
IOWeight = "10";
MemoryMax = "2G";
MemorySwapMax = "1G";
TasksMax = "100";
};
};
in
lib.recursiveUpdate
(builtins.foldl'
(attrs: user: {
options = lib.recursiveUpdate attrs.options (mkUser user.name attrs.uid (user.options or { }));
options = lib.recursiveUpdate attrs.options (
mkUser user.name attrs.uid (user.value.admin or false)
);
uid = attrs.uid + 1;
})
{
options = { };
uid = 1000;
}
users
(lib.attrsToList users)
).options
{
users.users.root = {
initialPassword = "tuxcord";
users = {
motd = ''
__ __ __
---------/\ \__ /\ \ /\ \__
---------\ \ ,_\ __ __ __ _ ___ ___ _ __ \_\ \ ___ __\ \ ,_\
----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \ /'_ `\ /'__`\ \ \/
-----------\ \ \_\ \ \_\ \/> <//\ \__//\ \L\ \ \ \//\ \L\ \ __/\ \/\ \/\ __/\ \ \_
------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-------------\/__/ \/___/ \//\/_/\/____/\/___/ \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
A friendly Linux community - est. July 2023
'';
openssh.authorizedKeys.keys = lib.lists.concatLists (
map (user: getSSHKeys user.name) (builtins.filter (user: user.options.admin or false) users)
);
users.root = {
initialPassword = "tuxcord";
openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
};
};
}
nixos/vm.nix
+2 -2
View File
@@ -7,8 +7,8 @@
memorySize = 4096;
qemu.networkingOptions = lib.mkForce [
"-net nic,netdev=user.0,model=virtio"
"-netdev user,id=user.0,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
"-nic bridge,br=virbr0,id=hn0,model=virt-net-pci,helper=\${QEMU_BRIDGE_HELPER_PATH}"
"-device virtio-net-pci,netdev=hn0,id=nic1,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
];
};
}
npins/default.nix
+25 -15
View File
@@ -65,7 +65,9 @@ let
if pkgs == null then
{
inherit (builtins) fetchTarball fetchurl;
# For some fucking reason, fetchGit has a different signature than the other builtin fetchers …
# Frustratingly, due to flakes and `fetchTree`, `fetchGit`
# has a different signature than the other builtin
# fetchers
fetchGit = args: (builtins.fetchGit args).outPath;
}
else
@@ -86,16 +88,16 @@ let
submodules,
rev,
name,
lfs,
narHash,
}:
pkgs.fetchgit {
inherit url rev name;
inherit url rev name lfs;
fetchSubmodules = submodules;
hash = narHash;
};
};
# Dispatch to the correct code path based on the type
path =
if spec.type == "Git" then
mkGitSource fetchers spec
@@ -105,8 +107,8 @@ let
mkPyPiSource fetchers spec
else if spec.type == "Channel" then
mkChannelSource fetchers spec
else if spec.type == "Tarball" then
mkTarballSource fetchers spec
else if spec.type == "Url" || spec.type == "MutableUrl" then
mkUrlSource fetchers spec
else if spec.type == "Container" then
mkContainerSource pkgs spec
else
@@ -126,6 +128,7 @@ let
url ? null,
submodules,
hash,
lfs,
...
}:
assert repository ? type;
@@ -165,7 +168,7 @@ let
rev = revision;
narHash = hash;
inherit name submodules url;
inherit name submodules url lfs;
};
mkPyPiSource =
@@ -192,16 +195,20 @@ let
sha256 = hash;
};
mkTarballSource =
{ fetchTarball, ... }:
mkUrlSource =
{
url,
locked_url ? url,
hash,
fetchTarball,
fetchurl,
...
}:
fetchTarball {
url = locked_url;
{
url,
hash,
unpack,
...
}:
(if unpack then fetchTarball else fetchurl) {
inherit url;
sha256 = hash;
};
@@ -211,6 +218,7 @@ let
image_name,
image_tag,
image_digest,
hash,
...
}:
if pkgs == null then
@@ -220,7 +228,9 @@ let
imageName = image_name;
imageDigest = image_digest;
finalImageTag = image_tag;
hash = hash;
};
in
mkFunctor (
{
@@ -231,7 +241,7 @@ mkFunctor (
if builtins.isPath input then
# while `readFile` will throw an error anyways if the path doesn't exist,
# we still need to check beforehand because *our* error can be caught but not the one from the builtin
# *piegames sighs*
# See: <https://git.lix.systems/lix-project/lix/issues/1098>
if builtins.pathExists input then
builtins.fromJSON (builtins.readFile input)
else
@@ -242,7 +252,7 @@ mkFunctor (
throw "Unsupported input type ${builtins.typeOf input}, must be a path or an attrset";
version = data.version;
in
if version == 7 then
if version == 8 then
builtins.mapAttrs (name: spec: mkFunctor (mkSource name spec)) data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
npins/sources.json
+16 -2
View File
@@ -1,4 +1,18 @@
{
"pins": {},
"version": 7
"pins": {
"website": {
"type": "Git",
"repository": {
"type": "Git",
"url": "https://git.javalsai.tuxcord.net/tuxcord/website.git"
},
"branch": "main",
"submodules": false,
"lfs": true,
"revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
"url": null,
"hash": "sha256-xYH9RXYZDVotUW8fKIEC9u0GJeEg2nV/23aQlEyeQso="
}
},
"version": 8
}
shells/default.nix
+39 -2
View File
@@ -2,9 +2,47 @@
{
perSystem =
{ pkgs, ... }:
let
npins' = pkgs.npins.overrideAttrs (
final: old: {
src = pkgs.fetchFromGitHub {
owner = "javalsai";
repo = "npins";
rev = "f3def7dfeecc16884cb0601f6c904d5142f47383";
hash = "sha256-ejeOGmDw+D4KddFJ5OAPradqoS+p2eAhhS4fOLQOWOk=";
};
cargoHash = null;
cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
src = final.src;
hash = "sha256-mG4UClFBgiWBraWQ12N3CSyapaIpuXI9F8wQGwh/ooQ=";
};
cargoBuildFeatures = [ ];
}
);
in
{
devShells.default = pkgs.mkShell {
name = "configuration.nix";
shellHook = ''
for path in \
/usr/lib/qemu/qemu-bridge-helper \
/run/wrappers/bin/qemu-bridge-helper
do
if [ -x "$path" ]; then
export QEMU_BRIDGE_HELPER_PATH="$path"
break
fi
done
if [ -z "$QEMU_BRIDGE_HELPER_PATH" ]; then
printf "\033[1;33m%s\033[0m\n" \
"WARN: 'qemu-bridge-helper' not found, make sure it is installed and the nix shell hook is looking for it" >&2
fi
'';
packages = with pkgs; [
bat
cachix
@@ -13,10 +51,9 @@
git
inputs.agenix.packages.${stdenv.hostPlatform.system}.default
jujutsu
neovim
nix-output-monitor
nixfmt
npins
npins'
parted
smartmontools
statix