fix: inconsistent hostnames

fixes #2
2026-01-11 17:24:24 +00:00 · 2026-01-11 17:24:24 +00:00 · 2637817c9c
commit 2637817c9c
parent f037d1dd80
20 changed files with 8 additions and 12 deletions
--- a/hosts/cl-00-00/system/configuration/default.nix
+++ b/hosts/cl-00-00/system/configuration/default.nix
@ -0,0 +1,27 @@
+{ outputs
+, ...
+}:
+
+let
+  modules = outputs.nixosModules;
+in
+{
+  imports = [
+    modules.shells
+
+    ./sops.nix
+    ./forgejo.nix
+    ./gc.nix
+    ./postgres.nix
+    ./ssh.nix
+    ./traefik.nix
+    ./users.nix
+  ];
+
+  custom = {
+    shells.fish = {
+      enable = true;
+      defaultFor = [ "root" "kurisu" ];
+    };
+  };
+}
--- a/hosts/cl-00-00/system/configuration/forgejo.nix
+++ b/hosts/cl-00-00/system/configuration/forgejo.nix
@ -0,0 +1,90 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+
+{
+  networking.firewall.allowedTCPPorts = [ 22 ];
+  
+  services.traefik.dynamicConfigOptions.http = {
+    routers.forgejo = {
+      rule = "Host(`git.dokkae.com`)";
+      service = "forgejo";
+      entryPoints = [ "websecure" ];
+      tls = { certResolver = "letsencrypt"; };
+    };
+
+    services.forgejo = {
+      loadBalancer.servers = [
+        { url = "http://localhost:3000"; }
+      ];
+    };
+  };
+
+  services.forgejo = {
+    enable = true;
+    user = "forgejo";
+    group = "forgejo";
+    
+    database = {
+      type = "postgres";
+      host = "/run/postgresql";
+      name = "forgejo";
+      user = "forgejo";
+    };
+
+    lfs.enable = false;
+
+    settings = {
+      server = {
+        DOMAIN = "localhost";
+        PROTOCOL = "http";
+        HTTP_PORT = 3000;
+
+        # Used for web-displayed URL references.
+        ROOT_URL = "https://git.dokkae.com/";
+
+        # SSH Settings
+        SSH_DOMAIN = "ssh.dokkae.com";
+        SSH_PORT = 22;
+        START_SSH_SERVER = false;
+      };
+
+      services = {
+        # Can be temporarily disabled to allow registration of an admin user.
+        # Admin account can manually create new users via web interface.
+        DISABLE_REGISTRATION = true;
+      };
+
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
+
+      # Optional email server configuration.
+      # Test mails can be sent via: Profile Picture > Site Administration > Configuration >  Mailer Configuration
+      mailer = {
+        ENABLED = true;
+        SMTP_ADDR = "smtp.gmail.com";
+        FROM = "noreply@git.dokkae.com";
+        USER = "finnliry@gmail.com";
+        PROTOCOL = "smtps";
+        SMTP_PORT = 465;
+      };
+    };
+
+    secrets = {
+      mailer.PASSWD = config.sops.secrets."forgejo/mailer/password".path;
+    };
+  };
+
+  systemd.services.forgejo.preStart = let
+    adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
+    pwdPath = config.sops.secrets."forgejo/admin/dokkae.cat/password".path;
+    user = "dokkae.cat";
+  in ''
+    PASSWORD="$(cat "${pwdPath}" | tr -d '\n')"
+    ${adminCmd} create --admin --email "finnliry@gmail.com" --username ${user} --password "$PASSWORD" || true
+  '';
+}
--- a/hosts/cl-00-00/system/configuration/gc.nix
+++ b/hosts/cl-00-00/system/configuration/gc.nix
@ -0,0 +1,13 @@
+{ ...
+}:
+
+{
+  nix.gc = {
+    # Enable automatic garbage collection
+    automatic = true;
+    # Run daily at 03:00 AM
+    dates = "03:00";
+    # Keep only the latest generations (safety net for rollbacks)
+    options = "--delete-older-than 7d";
+  };
+}
--- a/hosts/cl-00-00/system/configuration/postgres.nix
+++ b/hosts/cl-00-00/system/configuration/postgres.nix
@ -0,0 +1,31 @@
+{ pkgs
+, ...
+}:
+
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_18;
+
+    ensureDatabases = [
+      "forgejo"
+    ];
+
+    ensureUsers = [
+      { name = "forgejo"; ensureDBOwnership = true; }
+    ];
+
+    authentication = ''
+      # Socket connections
+      local     forgejo     forgejo                       peer
+
+      # Localhost connections
+      host      forgejo     forgejo     127.0.0.1/32      trust
+      host      forgejo     forgejo     ::1/128           trust
+
+      # Deny everything else
+      host      all         all         0.0.0.0/0         reject
+      host      all         all         ::0/0             reject
+    '';
+  };
+}
--- a/hosts/cl-00-00/system/configuration/sops.nix
+++ b/hosts/cl-00-00/system/configuration/sops.nix
@ -0,0 +1,41 @@
+{ inputs
+, ...
+}:
+
+{
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = ../../secrets/default.yaml;
+    defaultSopsFormat = "yaml";
+
+    gnupg.sshKeyPaths = [ ];
+    age.sshKeyPaths = [
+      "/persist/etc/ssh/ssh_host_ed25519_key"
+    ];
+
+    secrets = {
+      "users/admin/password_hash" = {
+        owner = "admin";
+        neededForUsers =  true;
+      };
+      "users/kurisu/password_hash" = {
+        owner = "kurisu";
+        neededForUsers =  true;
+      };
+
+      "forgejo/admin/dokkae.cat/password" = {
+        owner = "forgejo";
+        group = "forgejo";
+        mode = "400";
+      };
+      "forgejo/mailer/password" = {
+        owner = "forgejo";
+        group = "forgejo";
+        mode = "400";
+      };
+    };
+  };
+}
--- a/hosts/cl-00-00/system/configuration/ssh.nix
+++ b/hosts/cl-00-00/system/configuration/ssh.nix
@ -0,0 +1,13 @@
+{ ...
+}:
+
+{
+  services.openssh = {
+    enable = true;
+
+    settings = {
+      PermitRootLogin = "prohibit-password";
+      PasswordAuthentication = false;
+    };
+  };
+}
--- a/hosts/cl-00-00/system/configuration/traefik.nix
+++ b/hosts/cl-00-00/system/configuration/traefik.nix
@ -0,0 +1,39 @@
+{ ...
+}:
+
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.traefik = {
+    enable = true;
+    dataDir = "/var/lib/traefik";
+
+    staticConfigOptions = {
+      global = {
+        checkNewVersion = false;
+        sendAnonymousUsage = false;
+      };
+      
+      entryPoints = {
+        web = {
+          address = ":80";
+          http.redirections.entrypoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+        websecure.address = ":443";
+      };
+
+      certificatesResolvers = {
+        letsencrypt = {
+          acme = {
+            email = "finnliry+acme-cl-00-00@gmail.com";
+            storage = "/var/lib/traefik/acme.json";
+            httpChallenge = { entryPoint = "web"; };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/cl-00-00/system/configuration/users.nix
+++ b/hosts/cl-00-00/system/configuration/users.nix
@ -0,0 +1,38 @@
+{ config
+, ...
+}:
+
+{
+  users = {
+    mutableUsers = false;
+
+    users = {
+      root = {
+        # Disables password based authentication
+        hashedPassword = "!";
+      };
+
+      admin = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+
+        hashedPasswordFile = config.sops.secrets."users/admin/password_hash".path;
+
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZa7mIXvsHouMb3I9gq2uQjNZKsMV43bpWc7yX/RH/X finnliry@gmail.com"
+        ];
+      };
+
+      kurisu = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+
+        hashedPasswordFile = config.sops.secrets."users/kurisu/password_hash".path;
+
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZa7mIXvsHouMb3I9gq2uQjNZKsMV43bpWc7yX/RH/X finnliry@gmail.com"
+        ];
+      };
+    };
+  };
+}
--- a/hosts/cl-00-00/system/disk-configuration.nix
+++ b/hosts/cl-00-00/system/disk-configuration.nix
@ -0,0 +1,124 @@
+{ inputs
+, lib
+, ...
+}:
+
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+  ];
+  
+  # !!! DANGER !!!
+  # You have to carefully configure your partitions here.
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    mkdir /btrfs_tmp
+    mount /dev/disk/by-label/nixos /btrfs_tmp
+    
+    if [[ -e /btrfs_tmp/root ]]; then
+        mkdir -p /btrfs_tmp/roots.old
+        timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+        mv /btrfs_tmp/root "/btrfs_tmp/roots.old/$timestamp"
+    fi
+
+    delete_subvolume_recursively() {
+        IFS=$'\n'
+        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+            delete_subvolume_recursively "/btrfs_tmp/$i"
+        done
+        btrfs subvolume delete "$1"
+    }
+
+    for i in $(find /btrfs_tmp/roots.old/ -maxdepth 1 -mtime +7); do
+        delete_subvolume_recursively "$i"
+    done
+
+    btrfs subvolume create /btrfs_tmp/root
+    umount /btrfs_tmp
+  '';
+
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/sda";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              name = "boot";
+              size = "1M";
+              type = "EF02";
+              priority = 1;
+            };
+            esp = {
+              name = "ESP";
+              end = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-L" "nixos" "-f" ]; # Override existing partition
+                # Subvolumes must set a mountpoint in order to be mounted,
+                # unless their parent is mounted
+                subvolumes = {
+                  "/root" = {
+                    mountpoint = "/";
+                    mountOptions = [ "subvol=root" "compress=zstd" "noatime" ];
+                  };
+                  "/home" = {
+                    mountpoint = "/home";
+                    mountOptions = [ "subvol=home" "compress=zstd" "noatime" ];
+                  };
+                  "/nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = [ "subvol=nix" "compress=zstd" "noatime" ];
+                  };
+                  "/persist" = {
+                    mountpoint = "/persist";
+                    mountOptions = [ "subvol=persist" "compress=zstd" "noatime" ];
+                  };
+                  "/var-lib" = {
+                    mountpoint = "/var/lib";
+                    mountOptions = [ "subvol=var-lib" "compress=zstd" "noatime" ];
+                  };
+                  "/var-log" = {
+                    mountpoint = "/var/log";
+                    mountOptions = [ "subvol=var-log" "compress=zstd" "noatime" ];
+                  };
+                  "/var-tmp" = {
+                    mountpoint = "/var/tmp";
+                    mountOptions = [ "subvol=var-tmp" "compress=zstd" "noatime" ];
+                  };
+                  "/swap" = {
+                    mountpoint = "/.swap";
+                    swap.swapfile.size = "4G";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  fileSystems = {
+    # /, /nix/, /nix/store, /var, /var/log, /var/lib, /var/lib/nixos, /etc, /usr
+    # are all automatically mounted marked as needed for boot.
+
+    "/boot".neededForBoot = true;
+    
+    "/persist".neededForBoot = true;
+
+    # Possibly not required
+    "/home".neededForBoot = true;
+  };
+}
--- a/hosts/cl-00-00/system/hardware-configuration.nix
+++ b/hosts/cl-00-00/system/hardware-configuration.nix
@ -0,0 +1,49 @@
+{ lib
+, modulesPath
+, ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    loader = {
+      grub = {
+        enable = true;
+        efiSupport = true;
+        efiInstallAsRemovable = true;
+      };
+      
+      limine = {
+        enable = false;
+        efiSupport = true;
+        efiInstallAsRemovable = true;
+      };
+    };
+
+    initrd = {
+      availableKernelModules = [
+        "ahci"
+        "xhci_pci"
+        "virtio_pci"
+        "virtio_scsi"
+        "sd_mod"
+        "sr_mod"
+      ];
+
+      kernelModules = [ ];
+    };
+    
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  swapDevices = [ ];
+
+  networking.useDHCP = lib.mkDefault true;
+  networking.hostName = "cl-00-00";
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/hosts/cl-00-00/system/impermanence-configuration.nix
+++ b/hosts/cl-00-00/system/impermanence-configuration.nix
@ -0,0 +1,24 @@
+{ inputs
+, ...
+}:
+
+{
+  imports = [
+    inputs.impermanence.nixosModules.impermanence
+  ];
+
+  environment.persistence."/persist" = {
+    enable = true;
+    hideMounts = true;
+
+    directories = [
+      "/root/.ssh"
+
+      "/etc/nixos"
+      "/etc/ssh"
+    ];
+    files = [
+      "/etc/machine-id"
+    ];
+  };
+}
--- a/hosts/cl-00-00/system/system.nix
+++ b/hosts/cl-00-00/system/system.nix
@ -0,0 +1,53 @@
+{ inputs
+, pkgs
+, lib
+, ...
+}:
+
+{
+  imports = [
+    ./disk-configuration.nix
+    ./hardware-configuration.nix
+    ./impermanence-configuration.nix
+
+    ./configuration
+  ];
+
+  nixpkgs = {
+    overlays = [ ];
+    
+    config = {
+      allowUnfree = true;
+    };
+  };
+
+  nix = let
+    flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+  in {
+    settings = {
+      # Enable flakes and new 'nix' command
+      experimental-features = "nix-command flakes";
+
+      # Disable global registry
+      flake-registry = "";
+
+      trusted-users = ["root" "@wheel"];
+    };
+
+    # Disable channels in favor of flakes
+    channel.enable = false;
+
+    # Make flake registry and nix path match flake inputs
+    registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+  };
+
+  # Relevant core programs
+  environment.systemPackages = with pkgs; [
+    home-manager
+    nix
+  ];
+
+  # !!! DO NOT TOUCH !!!
+  system.stateVersion = "26.05";
+}