commit c062f35d86385227880b07a6ab813a540da09d9c
Author: Stefan Kempinger
Date: Wed Jul 23 15:39:09 2025 +0200
le versionierung
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..2fb1753
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,117 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, specialArgs, ... }:
+
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./services.nix
+ specialArgs.inputs.vscode-server.nixosModules.default
+ ];
+
+ # System basics
+ time.timeZone = "Europe/Vienna";
+
+ # Bootloader and kernel
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.kernelParams = [ "vga=791" "nomodeset" ];
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ # "net.bridge.bridge-nf-call-iptables" = 1;
+ # "net.bridge.bridge-nf-call-ip6tables" = 1;
+ };
+
+ # Console and locale
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "de";
+ # useXkbConfig = true; # use xkb.options in tty.
+ };
+ # i18n.defaultLocale = "en_US.UTF-8";
+
+ # Networking
+ networking.hostName = "nixos-server";
+ networking.useDHCP = false;
+ networking.interfaces.eth0.ipv4.addresses = [{
+ address = "192.168.69.69";
+ prefixLength = 24;
+ }];
+ networking.defaultGateway = "192.168.69.1";
+ networking.nameservers = [ "1.1.1.1" ];
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 22 80 443 9000 ];
+
+ # Users
+ users.users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at"
+ ];
+ };
+ # Service users for containers
+ users.users.docker-user = {
+ isSystemUser = true;
+ group = "docker-user";
+ extraGroups = [ "docker" ];
+ };
+ users.groups.docker-user = { };
+
+ # Security
+ # security.sudo.wheelNeedsPassword = false;
+
+ # Enable SSH for root
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "prohibit-password"; # Allow root with SSH keys only
+ };
+ };
+
+ # Packages
+ environment.systemPackages = with pkgs; [
+ vim
+ nano
+ wget
+ curl
+ git
+ htop
+ docker-compose
+ nixd
+ nixfmt
+ ];
+
+ # Nix settings
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+
+ # Documentation for stateVersion
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
+
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..da34cdc
--- /dev/null
+++ b/flake.lock
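Review bot: `networking.firewall.allowedTCPPorts = [ 22 80 443 9000 ]` opens 9000 although nothing in this commit binds it — the only listeners visible across the new files are sshd (22) and nginx (80/443); either drop it until a service needs it or annotate the entry, e.g. `networking.firewall.allowedTCPPorts = [ 22 80 443 9000 ]; # 9000: <service> — TODO name the consumer`. Separately, `extraGroups = [ "docker" ]` on docker-user grants access to the rootful daemon socket, which is root-equivalent on the host, while services.nix also enables `virtualisation.docker.rootless`; if the rootless daemon is the intended path the group membership is unnecessary and should go. The `"net.ipv4.ip_forward" = 1` sysctl is set host-wide with no explanation — a short comment such as `# forwarding needed for Docker container networking` would tell the next reader why it is there and when it can be removed.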
@@ -0,0 +1,94 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1681202837,
+ "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1752950548,
+ "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1682134069,
+ "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "fd901ef4bf93499374c5af385b2943f5801c0833",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "vscode-server": "vscode-server"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "vscode-server": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": "nixpkgs_2"
+ },
+ "locked": {
+ "lastModified": 1750353031,
+ "narHash": "sha256-Bx7DOPLhkr8Z60U9Qw4l0OidzHoqLDKQH5rDV5ef59A=",
+ "owner": "nix-community",
+ "repo": "nixos-vscode-server",
+ "rev": "4ec4859b12129c0436b0a471ed1ea6dd8a317993",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixos-vscode-server",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..38ad326
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,29 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ vscode-server.url = "github:nix-community/nixos-vscode-server";
+ };
+ outputs = { self, nixpkgs, vscode-server, ... }@inputs:
+ let
+ system = "x86_64-linux";
+
+ pkgs = import nixpkgs {
+ inherit system;
+ config.allowUnfree = false;
+ };
+ nixosSystem = { ... }@args:
+ (nixpkgs.lib.nixosSystem ({
+ inherit pkgs system;
+ # pass flake inputs to individual module files
+ specialArgs = { inherit inputs; };
+ } // args));
+ in {
+
+ packages."${system}".default =
+ self.nixosConfigurations.nixos-server.config.system.build.toplevel;
+ # NixOS configuration
+ nixosConfigurations.nixos-server =
+ nixosSystem { modules = [ ./configuration.nix ]; };
+ };
+}
+
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..8e22173
--- /dev/null
+++ b/hardware-configuration.nix
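Review bot: In the `nixosSystem` wrapper, `} // args` lets every attribute in `args` replace the defaults wholesale, so a caller that passes its own `specialArgs` would silently lose `inputs` — and with it the `specialArgs.inputs.vscode-server.nixosModules.default` import that configuration.nix relies on — instead of merging with it. The only caller today passes just `modules`, so nothing breaks yet. Either document the contract above the wrapper, `# NOTE: attributes in args replace these defaults; a caller-supplied specialArgs drops { inherit inputs; }`, or merge explicitly with `} // args // { specialArgs = { inherit inputs; } // (args.specialArgs or { }); }))`. `vscode-server` in the `outputs` pattern is never referenced by name (the module is reached through `inputs`), which is harmless but worth a word so nobody assumes it is wired up directly.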
@@ -0,0 +1,39 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/79665f95-3f79-499d-98f2-99077f2b8d52";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/467A-A4E4";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp39s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp41s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode =
+ lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/services.nix b/services.nix
new file mode 100644
index 0000000..2149f16
--- /dev/null
+++ b/services.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "mail@kempinger.xyz"; # Replace with your email
+ };
+
+ services.resolved.enable = true;
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts."192.168.69.69" = {
+ default = true;
+ root = "/srv/website/public_html";
+ locations."/" = { index = "index.html"; };
+ };
+ # Optional: Add a domain-based virtual host
+ virtualHosts."kempinger.at" = {
+ root = "/srv/website/public_html";
+ locations."/" = { index = "index.html"; };
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+
+ services.vscode-server.enable = true;
+
+ # Virtualisation
+ virtualisation.docker = {
+ enable = true;
+ enableOnBoot = true;
+ rootless = {
+ enable = true;
+ setSocketVariable = true;
+ };
+ };
+}
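Review bot: `virtualisation.docker.enable = true` starts the system-wide rootful daemon, and `rootless.enable = true` three lines later starts a second, per-user daemon with `setSocketVariable` pointing user sessions at the rootless socket; running both is rarely intended, and the rootful socket is exactly what the `docker` group membership in configuration.nix unlocks. Pick one mode and state the reason in the `# Virtualisation` comment, e.g. `# Virtualisation: rootless Docker only; the rootful daemon is not enabled on purpose`. The catch-all vhost `virtualHosts."192.168.69.69"` with `default = true` serves the same `/srv/website/public_html` over plain HTTP for any Host header, while the named vhost enforces TLS via `forceSSL` — if that plaintext path is deliberate for LAN access, a one-line comment makes the asymmetry explicit rather than looking like an oversight. The `# Replace with your email` remark sits next to an address that has already been filled in; drop the comment so it is not mistaken for a pending TODO.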