npins: update website

nixos/hosts: declare fileSystems for testing hosts
nixos/services/openssh: enable X11 forwarding
2026-05-04 00:45:23 -04:00 · 2026-05-04 00:45:23 -04:00 · 2026-05-04 00:45:22 -04:00 · 2026-05-04 00:45:22 -04:00 · 2026-05-04 00:45:22 -04:00 · 2026-05-04 00:45:22 -04:00
7 changed files with 41 additions and 211 deletions
@@ -1,19 +1,4 @@
 rec {
  toList = x: if builtins.isList x then x else [ x ];
  nameValuePair = name: value: { inherit name value; };
  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
  attrsToList = mapAttrsToList nameValuePair;
  getSSHKeys =
    username:
    if (builtins.hasAttr "ssh" users.${username}) then
      toList users.${username}.ssh
    else
      builtins.warn "user ${username} declared without ssh keys" [ ];
  users = import ./users.nix;
  adminSSHKeys = builtins.concatLists (
@@ -21,4 +6,16 @@ rec {
      builtins.filter (user: user.value.admin or false) (attrsToList users)
    )
  );
  attrsToList = mapAttrsToList nameValuePair;
  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
  nameValuePair = name: value: { inherit name value; };
  toList = x: if builtins.isList x then x else [ x ];
  getSSHKeys =
    username:
    if (builtins.hasAttr "ssh" users.${username}) then
      toList users.${username}.ssh
    else
      builtins.warn "user ${username} declared without ssh key" [ ];
 }
@@ -100,17 +100,21 @@ in
    extraHosts =
      let
        subdomains = [
-          "git"
+          ""
-          "auth"
+          ".git"
        ];
        inherit (config.networking) fqdn;
        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
      in
-      lib.concatMapStrings (host: ''
+      builtins.foldl' (
        hosts-acc: domain-prefix:
        let
          host = "${domain-prefix}${config.networking.fqdn}";
        in
        hosts-acc
        + ''
          127.0.0.1 ${host}
          ::1 ${host}
-      '') hosts;
+        ''
      ) "" subdomains;
  };
  virtualisation.podman.enable = true;
@@ -15,10 +15,7 @@
      "xhci_pci"
    ];
-    kernelModules = [
+    kernelModules = [ "kvm-intel" ];
      "kvm-amd"
      "kvm-intel"
    ];
  };
  hardware = {
@@ -1,136 +0,0 @@
 { config, ... }:
 let
  inherit (config.networking) fqdn;
  acmeEnabled = config.acme.enable;
 in
 {
  services.authelia.instances.main = {
    enable = true;
    secrets = {
      jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
      storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
      sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
    };
    settings = {
      theme = "dark";
      default_redirection_url = "https://${fqdn}"; # HAS to be httpS
      server.address = "127.0.0.1:3001";
      log = {
        level = "debug";
        format = "text";
      };
      authentication_backend = {
        file = {
          path = "/var/lib/authelia-main/users_database.yml";
        };
      };
      access_control = {
        default_policy = "deny";
        rules = [
          {
            domain = [ "auth.${fqdn}" ];
            policy = "bypass";
          }
          {
            domain = [ "*.${fqdn}" ];
            policy = "one_factor";
          }
        ];
      };
      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me = "1M";
        domain = "${fqdn}";
        redis.host = "/run/redis-authelia-main/redis.sock";
      };
      regulation = {
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };
      storage = {
        local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };
      notifier = {
        disable_startup_check = false;
        filesystem = {
          filename = "/var/lib/authelia-main/notification.txt";
        };
      };
    };
  };
  services.redis.servers.authelia-main = {
    enable = true;
    user = "authelia-main";
    port = 0;
    unixSocket = "/run/redis-authelia-main/redis.sock";
    unixSocketPerm = 600;
  };
  # services.openldap = {
  #   enable = true;
  #   # enable plain connections only
  #   urlList = [ "ldap:///" ];
  #   settings = {
  #     attrs = {
  #       olcLogLevel = "conns config";
  #     };
  #     children = {
  #       # "cn=schema".includes = [
  #       #   "${pkgs.openldap}/etc/schema/core.ldif"
  #       #   "${pkgs.openldap}/etc/schema/cosine.ldif"
  #       #   "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
  #       # ];
  #       "olcDatabase={1}mdb".attrs = {
  #         objectClass = [
  #           "olcDatabaseConfig"
  #           "olcMdbConfig"
  #         ];
  #         olcDatabase = "{1}mdb";
  #         olcDbDirectory = "/var/lib/openldap/data";
  #         olcSuffix = "dc=example,dc=com";
  #         # your admin account, do not use writeText on a production system
  #         olcRootDN = "cn=admin,dc=example,dc=com";
  #         olcRootPW.path = builtins.roFile "olcRootPW" "pass";
  #         olcAccess = [
  #           # custom access rules for userPassword attributes
  #           ''
  #             {0}to attrs=userPassword
  #                           by self write
  #                           by anonymous auth
  #                           by * none''
  #           # allow read on anything else
  #           ''
  #             {1}to *
  #                           by * read''
  #         ];
  #       };
  #     };
  #   };
  # };
 }
@@ -1,7 +1,6 @@
 {
  imports = [
    ./acme.nix
    ./authelia.nix
    ./dns.nix
    ./fail2ban.nix
    ./gitea.nix
@@ -3,20 +3,13 @@ let
  inherit (config.networking) fqdn;
  mkVhost =
-    attrs: locations:
+    attrs:
    let
      acmeEnabled = config.acme.enable;
    in
    {
      forceSSL = acmeEnabled;
      useACMEHost = if acmeEnabled then fqdn else null;
      locations = {
        "= /robots.txt" = {
          alias = disallowedRobotsTxt;
        };
      }
      // locations;
    }
    // attrs;
@@ -28,19 +21,6 @@ let
      proxy_request_buffering off;
    '';
  };
  mkSsi = webRoot: {
    root = webRoot;
    extraConfig = ''
      ssi on;
    '';
  };
  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
    User-agent: *
    Disallow: /
  '';
 in
 {
  services.nginx = {
@@ -52,18 +32,20 @@ in
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
-    virtualHosts = {
+    virtualHosts."${fqdn}" = mkVhost {
-      "${fqdn}" = mkVhost { default = true; } {
+      default = true;
-        "/" = mkSsi "${self.pins.website}/web-root";
+
      locations."/" = {
        root = "${self.pins.website}/web-root";
        extraConfig = ''
          ssi on;
        '';
      };
    };
-      "git.${fqdn}" = mkVhost { } {
+    virtualHosts."git.${fqdn}" = mkVhost {
-        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
      };
      "auth.${fqdn}" = mkVhost { } {
        "/" = mkProxy 3001;
      };
    };
  };
@@ -45,21 +45,8 @@ lib.recursiveUpdate
    (lib.attrsToList users)
  ).options
  {
-    users = {
+    users.users.root = {
      motd = ''
                  __                                          __                      __
        ---------/\ \__                                      /\ \                    /\ \__
        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
                                                    A friendly Linux community - est. July 2023
      '';
      users.root = {
      initialPassword = "tuxcord";
      openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
    };
    };
  }
Author	SHA1	Message	Date
ErrorNoInternet	b32e506f54	npins: update website Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 11s Details	2026-05-04 00:45:23 -04:00
ErrorNoInternet	91733ce19f	nixos/hosts: declare fileSystems for testing hosts	2026-05-04 00:45:23 -04:00
ErrorNoInternet	bb97397e6b	nixos/services/openssh: enable X11 forwarding	2026-05-04 00:45:22 -04:00
javalsai	a02d935fd0	nixos/hosts: add autologin for testing hosts	2026-05-04 00:45:22 -04:00
javalsai	62b9a39599	nixos/services: add default website on nginx	2026-05-04 00:45:22 -04:00
javalsai	ee17ef91ed	nixos/services: disable nginx proxy buffering	2026-05-04 00:45:22 -04:00
ErrorNoInternet	a2065702a4	nixos/impermanence: remove ssh host key persistence The SSH host key files are already defined in the OpenSSH module, so there is no need to persist them with impermanence.nix.	2026-05-04 00:45:22 -04:00
ErrorNoInternet	869fc59c6f	shells: remove neovim Some users may be using self-contained Neovim executables.	2026-05-04 00:45:22 -04:00
ErrorNoInternet	8824b565ba	agenix: import initial user dns keys	2026-05-04 00:45:22 -04:00
ErrorNoInternet	9b7453b0b4	treewide: create global user list	2026-05-04 00:45:22 -04:00