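# Host "sv1": disko-managed disk (GPT, BIOS boot partition + LUKS1 containing btrfs),
# impermanence (the root subvolume is reset to a read-only "blank" snapshot on every boot),
# and Gitea behind nginx with ACME certificates.
#
# Changes from the previous revision of this file:
#  - the install-time LUKS key file on /boot is now root-readable only (it was created with
#    the default umask, i.e. readable by every local user of the installed system);
#  - the initrd rollback script unmounts explicitly instead of via an EXIT trap that
#    referred to an undefined $btrfs_root (so the umount never happened and the following
#    rm -rf would have run against the still-mounted filesystem);
#  - SSH host keys, /etc/machine-id and ACME state are persisted; they lived on the root
#    subvolume and were therefore regenerated on every boot (new host key fingerprint each
#    reboot, new ACME account/certificates each reboot);
#  - Gitea listens on loopback only and nginx proxies to 127.0.0.1 explicitly.
{ lib, pkgs, ... }:
{
  imports = with lib.nixosModules; [ disko impermanence ];

  disko.devices.disk.NixOS = {
    device = "/dev/sda";
    type = "disk";
    content = {
      type = "gpt";
      partitions = {
        # EF02 = BIOS boot partition; holds GRUB's core image, carries no filesystem.
        BSP = {
          type = "EF02";
          size = "1M";
        };
        Crypt = {
          size = "100%";
          content = {
            type = "luks";
            name = "crypt";
            # LUKS1 so that GRUB (enableCryptodisk below) can unlock the container that holds /boot.
            extraFormatArgs = [ "--type luks1" ];
            content = {
              type = "btrfs";
              # Runs once at install time, after the filesystem and its subvolumes exist:
              #  1. snapshot the fresh root subvolume as the read-only "blank" that every boot
              #     rolls back to (see boot.initrd.postDeviceCommands);
              #  2. create a random key file on the /boot subvolume and enrol it as an
              #     additional LUKS key (luksAddKey prompts for the existing passphrase).
              # /boot is itself inside the LUKS container, so GRUB still asks for the passphrase;
              # the key file only spares a second prompt from the initrd. It is restricted to
              # root because /boot is mounted in the installed system and readable by local users.
              # Temporary mount points are removed with rmdir so that a failed umount cannot turn
              # the cleanup into a recursive delete of the mounted filesystem.
              postCreateHook = ''
                btrfs="$(mktemp -d)"
                mount -o subvol=/ /dev/mapper/crypt "$btrfs"
                btrfs subvolume snapshot -r "$btrfs/root" "$btrfs/blank"
                umount "$btrfs"
                rmdir "$btrfs"

                boot="$(mktemp -d)"
                mount -o subvol=/boot /dev/mapper/crypt "$boot"
                dd if=/dev/urandom "of=$boot/luks.bin" bs=1024 count=4
                chmod 0400 "$boot/luks.bin"
                cryptsetup luksAddKey \
                  /dev/disk/by-partlabel/disk-NixOS-Crypt \
                  "$boot/luks.bin"
                umount "$boot"
                rmdir "$boot"
              '';
              subvolumes =
                let
                  # Shared mount options for every regular subvolume; the swap subvolume
                  # deliberately gets none (disko configures the swapfile itself).
                  opts = [ "compress=zstd" "noatime" ];
                in
                {
                  "/root" = { mountpoint = "/"; mountOptions = opts; };
                  "/boot" = { mountpoint = "/boot"; mountOptions = opts; };
                  "/home" = { mountpoint = "/home"; mountOptions = opts; };
                  "/nix" = { mountpoint = "/nix"; mountOptions = opts; };
                  "/persist" = { mountpoint = "/persist"; mountOptions = opts; };
                  "/log" = { mountpoint = "/var/log"; mountOptions = opts; };
                  "/swap" = { mountpoint = "/.swap"; swap.swapfile.size = "4G"; };
                };
            };
          };
        };
      };
    };
  };

  fileSystems = {
    # Both must be available in stage 1: impermanence bind-mounts out of /persist before
    # the system comes up, and /var/log is where early logging lands.
    "/persist".neededForBoot = true;
    "/var/log".neededForBoot = true;
  };

  boot = {
    loader.grub = {
      enable = true;
      # Lets GRUB unlock the LUKS1 container to read /boot.
      enableCryptodisk = true;
    };
    initrd = {
      # Duplicates of virtio_pci / virtio_scsi from the previous list removed; the set is unchanged.
      availableKernelModules = [
        "virtio_net"
        "virtio_pci"
        "virtio_mmio"
        "virtio_blk"
        "virtio_scsi"
        "9p"
        "9pnet_virtio"
        "ahci"
        "xhci_pci"
        "sd_mod"
        "sr_mod"
      ];
      kernelModules = [
        "virtio_balloon"
        "virtio_console"
        "virtio_rng"
        "virtio_gpu"
      ];
      # The key file is appended to the initrd when boot entries are generated. The initrd
      # lives on /boot, which is inside the LUKS container, so the key is not exposed to an
      # offline attacker; it is exposed to root of the running system, which already holds it.
      secrets."/luks.bin" = "/boot/luks.bin";
      luks.devices.crypt = {
        device = "/dev/disk/by-partlabel/disk-NixOS-Crypt";
        keyFile = "/luks.bin";
      };
      # Impermanence: delete the subvolumes nested under root (btrfs refuses to delete a
      # subvolume that still contains subvolumes), then root itself, and re-create root from
      # the read-only "blank" snapshot taken at install time. The temporary mount is released
      # explicitly before the directory is removed.
      postDeviceCommands = lib.mkBefore ''
        btrfs="$(mktemp -d)"
        mount -o subvol=/ /dev/mapper/crypt "$btrfs"
        btrfs subvolume list -o "$btrfs/root" \
          | cut -f9 -d' ' \
          | while read subvolume; do
              btrfs subvolume delete "$btrfs/$subvolume"
            done \
          && btrfs subvolume delete "$btrfs/root"
        btrfs subvolume snapshot "$btrfs/blank" "$btrfs/root"
        umount "$btrfs"
        rmdir "$btrfs"
      '';
    };
  };

  networking = {
    hostName = "sv1";
    networkmanager.enable = true;
    # Only HTTP/HTTPS are opened here; the openssh module opens its own port by default,
    # and Gitea's port 3000 is reachable only through nginx on this host.
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme.evict519@simplelogin.com";
    # One certificate covers both vhosts; the gitea vhost reuses it via useACMEHost.
    certs."dylanblades.com".extraDomainNames = [ "gitea.dylanblades.com" ];
  };

  time.timeZone = "Europe/London";
  i18n.defaultLocale = "en_GB.UTF-8";
  console.keyMap = "uk";

  users = {
    # Accounts are fully declarative; nothing from `passwd`/`useradd` survives.
    mutableUsers = false;
    users = {
      root = {
        isSystemUser = true;
        openssh.authorizedKeys.keys = with lib.sshKeys; [ lp1.user lp2.user ];
      };
      # NOTE(review): no password is declared for this account. With mutableUsers = false,
      # sudo from "user" will only work if a hashedPassword is supplied elsewhere (or
      # security.sudo.wheelNeedsPassword is disabled) — confirm against the rest of the flake.
      user = {
        isNormalUser = true;
        extraGroups = [ "wheel" ];
        openssh.authorizedKeys.keys = with lib.sshKeys; [ lp1.user lp2.user ];
      };
    };
  };

  services = {
    openssh = {
      enable = true;
      # Key-only root login. "prohibit-password" is the current OpenSSH name for the
      # deprecated alias "without-password"; the behaviour is identical.
      settings.PermitRootLogin = "prohibit-password";
    };
    gitea = {
      enable = true;
      appName = "Gitea";
      settings = {
        server = {
          DOMAIN = "gitea.dylanblades.com";
          ROOT_URL = "https://gitea.dylanblades.com/";
          # Only nginx on this host talks to Gitea; do not listen on external interfaces
          # (defence in depth on top of the firewall, which does not open port 3000).
          HTTP_ADDR = "127.0.0.1";
        };
        ui.DEFAULT_THEME = "gitea-dark";
      };
    };
    nginx = {
      enable = true;
      virtualHosts = {
        "dylanblades.com" = {
          forceSSL = true;
          enableACME = true;
          root = pkgs.my-site;
        };
        "gitea.dylanblades.com" = {
          forceSSL = true;
          useACMEHost = "dylanblades.com";
          locations."/" = {
            # Explicit loopback address so it matches Gitea's HTTP_ADDR above regardless of
            # how "localhost" resolves.
            proxyPass = "http://127.0.0.1:3000";
            # Connection/Upgrade headers keep websocket connections working through the proxy;
            # X-Forwarded-* let Gitea see the real client address and scheme.
            extraConfig = ''
              client_max_body_size 512M;
              proxy_set_header Connection $http_connection;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          };
        };
      };
    };
  };

  nixpkgs.overlays = [ lib.overlays.pkgs ];

  environment = {
    # Everything not listed here lives on the root subvolume and is discarded at the next boot.
    persistence."/persist" = {
      hideMounts = true;
      directories = [
        "/var/lib/nixos"
        "/var/lib/gitea"
        # ACME account key and issued certificates; without this they were re-issued every boot.
        "/var/lib/acme"
      ];
      files = [
        # Stable identity across reboots: journald keys its storage on the machine id, and a
        # host key that changes on every boot teaches clients to accept changed fingerprints.
        "/etc/machine-id"
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
      ];
    };
    systemPackages = with pkgs; [ git my-vim ];
  };

  nix.settings = {
    trusted-users = [ "root" ];
    experimental-features = [ "nix-command" "flakes" ];
  };

  system.stateVersion = "24.11";
}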