
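# Host configuration for "sv1": a BIOS-booted VM with a single LUKS-encrypted
# disk, btrfs subvolumes and an impermanent root (rolled back to an empty
# snapshot on every boot). Serves a static site and a Gitea instance behind
# nginx with ACME certificates.
{
  lib,
  pkgs,
  ...
}: let
  # Mount options shared by every persistent-data subvolume.
  commonMountOptions = [
    "compress=zstd"
    "noatime"
  ];

  # Disko subvolume definition for a plain btrfs subvolume at `mountpoint`.
  btrfsSubvolume = mountpoint: {
    inherit mountpoint;
    mountOptions = commonMountOptions;
  };

  # Public keys allowed to log in over SSH (same set for root and `user`).
  adminKeys = with lib.sshKeys; [
    lp1.user
    lp2.user
  ];
in {
  imports = with lib.nixosModules; [
    disko
    impermanence
  ];

  # Disk layout, applied by disko at install time.
  disko.devices.disk.NixOS = {
    device = "/dev/sda";
    type = "disk";
    content = {
      type = "gpt";
      partitions = {
        # BIOS boot partition for GRUB's core image (GPT + legacy BIOS boot).
        BSP = {
          type = "EF02";
          size = "1M";
        };
        Crypt = {
          size = "100%";
          content = {
            type = "luks";
            name = "crypt";
            # LUKS1 because GRUB has to open this volume itself (see
            # boot.loader.grub.enableCryptodisk). LUKS1 derives the key with
            # PBKDF2 rather than Argon2id, so the passphrase carries more of
            # the brute-force resistance than it would on a LUKS2 volume.
            extraFormatArgs = ["--type luks1"];
            content = {
              type = "btrfs";
              # Runs once after the filesystem is created:
              #  1. snapshot the (still empty) root subvolume as "blank" so the
              #     initrd can roll back to it on every boot;
              #  2. generate a random key file on the encrypted /boot subvolume
              #     and enrol it in a second LUKS key slot, so the initrd can
              #     unlock the volume without a second passphrase prompt.
              postCreateHook = ''
                btrfs="$(mktemp -d)"
                mount -o subvol=/ /dev/mapper/crypt "$btrfs"
                btrfs subvolume snapshot -r "$btrfs/root" "$btrfs/blank"
                umount "$btrfs"
                rmdir "$btrfs"

                boot="$(mktemp -d)"
                mount -o subvol=/boot /dev/mapper/crypt "$boot"
                # Create the key file root-only (0600) before it holds key
                # material; a bare dd would honour the default umask (0644).
                (
                  umask 077
                  dd if=/dev/urandom "of=$boot/luks.bin" bs=1024 count=4
                )
                cryptsetup luksAddKey \
                  /dev/disk/by-partlabel/disk-NixOS-Crypt \
                  "$boot/luks.bin"
                umount "$boot"
                rmdir "$boot"
              '';
              # "/root" is the only subvolume wiped at boot; the others are
              # siblings at the top level, not nested under it, so they survive.
              subvolumes = {
                "/root" = btrfsSubvolume "/";
                "/boot" = btrfsSubvolume "/boot";
                "/home" = btrfsSubvolume "/home";
                "/nix" = btrfsSubvolume "/nix";
                "/persist" = btrfsSubvolume "/persist";
                "/log" = btrfsSubvolume "/var/log";
                "/swap" = {
                  mountpoint = "/.swap";
                  swap.swapfile.size = "4G";
                };
              };
            };
          };
        };
      };
    };
  };

  # Both must be mounted in the initrd: impermanence bind-mounts out of
  # /persist, and /var/log must exist before early boot logging.
  fileSystems = {
    "/persist".neededForBoot = true;
    "/var/log".neededForBoot = true;
  };

  boot = {
    loader.grub = {
      enable = true;
      # GRUB sits on the BSP partition and opens the LUKS1 volume itself to
      # read /boot; this is the interactive (passphrase) unlock.
      enableCryptodisk = true;
    };
    initrd = {
      availableKernelModules = [
        "virtio_net"
        "virtio_pci"
        "virtio_mmio"
        "virtio_blk"
        "virtio_scsi"
        "9p"
        "9pnet_virtio"
        "ahci"
        "xhci_pci"
        "sd_mod"
        "sr_mod"
      ];
      kernelModules = [
        "virtio_balloon"
        "virtio_console"
        "virtio_rng"
        "virtio_gpu"
      ];
      # Second unlock: the key file enrolled in postCreateHook is embedded in
      # the initrd (which itself lives on the encrypted /boot) so stage 1 can
      # open the volume without prompting again.
      # NOTE(review): the initrd that embeds this key is a regular file under
      # /boot; if /boot is readable by unprivileged users once the system is
      # up, so is the key — confirm /boot's permissions on the running host.
      secrets."/luks.bin" = "/boot/luks.bin";
      luks.devices.crypt = {
        device = "/dev/disk/by-partlabel/disk-NixOS-Crypt";
        keyFile = "/luks.bin";
      };
      # Impermanence: before the root filesystem is mounted, delete the current
      # root subvolume (and any subvolumes nested under it), then recreate it
      # from the read-only "blank" snapshot. Sibling subvolumes are untouched.
      postDeviceCommands = lib.mkBefore ''
        btrfs="$(mktemp -d)"
        mount -o subvol=/ /dev/mapper/crypt "$btrfs"
        btrfs subvolume list -o "$btrfs/root" \
          | cut -f9 -d' ' \
          | while read subvolume; do
              btrfs subvolume delete "$btrfs/$subvolume"
            done \
          && btrfs subvolume delete "$btrfs/root"
        btrfs subvolume snapshot "$btrfs/blank" "$btrfs/root"
        # Explicit cleanup, and rmdir rather than rm -rf: if the umount fails
        # for any reason, rmdir refuses the non-empty mount point instead of
        # recursing into the still-mounted filesystem.
        umount "$btrfs"
        rmdir "$btrfs"
      '';
    };
  };

  networking = {
    hostName = "sv1";
    networkmanager.enable = true;
    # Only HTTP/HTTPS are exposed; Gitea's own port (3000) stays local and is
    # reached via the nginx reverse proxy below.
    firewall.allowedTCPPorts = [
      80
      443
    ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme.evict519@simplelogin.com";
    # One certificate covering both hosts; the gitea vhost reuses it via
    # useACMEHost.
    certs."dylanblades.com".extraDomainNames = ["gitea.dylanblades.com"];
  };

  time.timeZone = "Europe/London";
  i18n.defaultLocale = "en_GB.UTF-8";
  console.keyMap = "uk";

  users = {
    # Accounts are fully declarative; no passwords are set here, so SSH key
    # login is the only way in.
    mutableUsers = false;
    users = {
      root = {
        isSystemUser = true;
        openssh.authorizedKeys.keys = adminKeys;
      };
      user = {
        isNormalUser = true;
        extraGroups = ["wheel"];
        openssh.authorizedKeys.keys = adminKeys;
      };
    };
  };

  services = {
    openssh = {
      enable = true;
      # Root may log in with a key only, never with a password.
      settings.PermitRootLogin = "without-password";
    };

    gitea = {
      enable = true;
      appName = "Gitea";
      settings = {
        server.DOMAIN = "gitea.dylanblades.com";
        # Public-facing URL: generated links, clone URLs and origin checks use
        # this rather than the local listen address behind the proxy.
        server.ROOT_URL = "https://gitea.dylanblades.com/";
        # Internet-facing instance: no self-service sign-up; accounts are
        # created by an admin. Set to false if open registration is intended.
        service.DISABLE_REGISTRATION = true;
        ui.DEFAULT_THEME = "gitea-dark";
      };
    };

    nginx = {
      enable = true;
      virtualHosts = {
        "dylanblades.com" = {
          forceSSL = true;
          enableACME = true;
          root = pkgs.my-site;
        };
        "gitea.dylanblades.com" = {
          forceSSL = true;
          useACMEHost = "dylanblades.com";
          locations."/" = {
            proxyPass = "http://localhost:3000";
            # Forward the client's identity and the WebSocket upgrade headers;
            # the body limit accommodates large pushes/uploads.
            extraConfig = ''
              client_max_body_size 512M;
              proxy_set_header Connection $http_connection;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          };
        };
      };
    };
  };

  # Provides pkgs.my-site and pkgs.my-vim used above.
  nixpkgs.overlays = [lib.overlays.pkgs];

  environment = {
    # State that must outlive the root wipe. Everything else under / is lost
    # at reboot by design.
    persistence."/persist" = {
      hideMounts = true;
      directories = [
        "/var/lib/nixos" # NixOS uid/gid bookkeeping for declarative users
        "/etc/ssh" # host keys: a stable SSH identity across reboots
        "/var/lib/gitea" # repositories and Gitea's database
        "/var/lib/acme" # ACME account and issued certificates
      ];
      files = ["/etc/machine-id"];
    };
    systemPackages = with pkgs; [
      git
      my-vim
    ];
  };

  nix.settings = {
    trusted-users = ["root"];
    experimental-features = [
      "nix-command"
      "flakes"
    ];
  };

  system.stateVersion = "24.11";
}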