author | Martin Fischer <martin@push-f.com> | 2024-12-27 08:27:03 +0100 |
committer | Martin Fischer <martin@push-f.com> | 2024-12-27 13:02:48 +0100 |
commit | edda7ef46bf2ae7fde9511005b4e7d40648c7e24 (patch) | |
tree | 69f22f3b10650db1e658c5ead0edd397371bf7b5 /nixos/hosts | |
parent | a38027b74258a984dd959d6558440bf3078e336e (diff) |
refactor: move host configs under hosts/
Diffstat (limited to 'nixos/hosts')
-rw-r--r-- | nixos/hosts/ev/default.nix | 50 | ||||
-rw-r--r-- | nixos/hosts/ev/hardware-configuration.nix | 42 | ||||
-rw-r--r-- | nixos/hosts/hamac/default.nix | 86 | ||||
-rw-r--r-- | nixos/hosts/hamac/hardware-configuration.nix | 40 | ||||
-rw-r--r-- | nixos/hosts/tente/default.nix | 239 | ||||
-rw-r--r-- | nixos/hosts/tente/hardware-configuration.nix | 31 |
6 files changed, 488 insertions, 0 deletions
diff --git a/nixos/hosts/ev/default.nix b/nixos/hosts/ev/default.nix
new file mode 100644
index 0000000..d8b4b24
--- /dev/null
+++ b/nixos/hosts/ev/default.nix
@@ -0,0 +1,50 @@
+# channel="nixos-small"
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../sanix.nix
+    ../../parts/server.nix
+    ../../parts/tailscale.nix
+    ../../parts/basics.nix
+    ../../parts/basics-physical.nix
+  ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "ev";
+
+  networking.networkmanager.enable = true;
+
+  time.timeZone = "Europe/Vienna";
+
+  users.users.martin = {
+    isNormalUser = true;
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+    ];
+  };
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [
+    # Enabling openssh automatically opens its port in the firewall.
+    # For all other services we need to manually list the ports here.
+  ];
+  networking.firewall.allowedUDPPorts = [];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.11"; # Did you read the comment?
+
+}
diff --git a/nixos/hosts/ev/hardware-configuration.nix b/nixos/hosts/ev/hardware-configuration.nix
new file mode 100644
index 0000000..65300c8
--- /dev/null
+++ b/nixos/hosts/ev/hardware-configuration.nix
@@ -0,0 +1,42 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/2c273b8a-7f40-41dd-ab63-2194d4bfd328";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."luks-d9d95f9b-5f7d-4193-859f-d36dae4ed814".device = "/dev/disk/by-uuid/d9d95f9b-5f7d-4193-859f-d36dae4ed814";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/83DB-4251";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s21f0u4.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos/hosts/hamac/default.nix b/nixos/hosts/hamac/default.nix
new file mode 100644
index 0000000..c8f40e1
--- /dev/null
+++ b/nixos/hosts/hamac/default.nix
@@ -0,0 +1,86 @@
+# channel="nixos"
+# See the configuration.nix(5) man page and the NixOS manual (accessible by running `nixos-help`).
+
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../sanix.nix
+    ../../parts/basics.nix
+    ../../parts/basics-physical.nix
+    ../../parts/graphical.nix
+    ../../parts/tailscale.nix
+    ../../parts/dev.nix
+    ../../parts/create.nix
+  ];
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "hamac";
+
+  networking.networkmanager.enable = true;
+
+  time.timeZone = "Europe/Vienna";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "en_US.UTF-8";
+    LC_IDENTIFICATION = "en_US.UTF-8";
+    LC_MEASUREMENT = "en_US.UTF-8";
+    LC_MONETARY = "en_US.UTF-8";
+    LC_NAME = "en_US.UTF-8";
+    LC_NUMERIC = "en_US.UTF-8";
+    LC_PAPER = "en_US.UTF-8";
+    LC_TELEPHONE = "en_US.UTF-8";
+    LC_TIME = "en_US.UTF-8";
+  };
+
+  users.users.martin = {
+    isNormalUser = true;
+    description = "Martin";
+    extraGroups = [ "networkmanager" "wheel" ];
+    packages = with pkgs; [];
+  };
+
+  services.getty = {
+    autologinUser = "martin";
+    autologinOnce = true; # only in the first tty once per boot
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  # services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+
+}
diff --git a/nixos/hosts/hamac/hardware-configuration.nix b/nixos/hosts/hamac/hardware-configuration.nix
new file mode 100644
index 0000000..54b9d60
--- /dev/null
+++ b/nixos/hosts/hamac/hardware-configuration.nix
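Review bot: The `services.getty` block turns on `autologinUser = "martin"` for a user in `wheel`, and nothing in this hunk records why that is acceptable; the trade-off should be stated next to the option so it survives the next copy-paste into another host. The companion hardware-configuration hunk for this host appears to set up a LUKS root, so the disk passphrase is the only credential between power-on and a shell as martin, and `autologinOnce = true` only limits this to the first tty once per boot. I would extend the existing comment to `autologinOnce = true; # only in the first tty once per boot; safe only because the root fs is LUKS-encrypted and this is a single-user machine`. If the LUKS assumption is wrong for this host, the setting deserves a second look rather than a comment.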
@@ -0,0 +1,40 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/7b33d046-ffd6-4baf-8bd8-a88e3c04d538";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."luks-cf2639e7-1f9c-4c2d-989a-ef2d9950f751".device = "/dev/disk/by-uuid/cf2639e7-1f9c-4c2d-989a-ef2d9950f751";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/3FA1-5306";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos/hosts/tente/default.nix b/nixos/hosts/tente/default.nix
new file mode 100644
index 0000000..b38d1ea
--- /dev/null
+++ b/nixos/hosts/tente/default.nix
@@ -0,0 +1,239 @@
+# channel="nixos-small"
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+let
+  domains =
+    let
+      domain = "push-f.com";
+    in
+    {
+      personalWebsite = domain;
+      tailscaleControlServer = "tailscale.${domain}";
+      gitWebsite = "git.${domain}";
+      matrixServer = "matrix.${domain}";
+    };
+  acmeEmail = "martin@push-f.com";
+in
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../sanix.nix
+    ../../parts/server.nix
+    ../../parts/basics.nix
+  ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+  networking.hostName = "tente"; # Define your hostname.
+  # Pick only one of the below networking options.
+  # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+  # Set your time zone.
+  time.timeZone = "Europe/Vienna";
+
+  # Select internationalisation properties.
+  # i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  #   useXkbConfig = true; # use xkb.options in tty.
+  # };
+
+  # Enable the X11 windowing system.
+  # services.xserver.enable = true;
+
+  users.users.martin = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel" # Enable ‘sudo’ for the user.
+      "www-data"
+    ];
+    packages = with pkgs; [
+    ];
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    wget
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [
+    # Enabling openssh automatically opens its port in the firewall.
+    # For all other services we need to manually list the ports here.
+    80 443
+  ];
+  networking.firewall.allowedUDPPorts = [];
+
+  users.groups.www-data = {};
+
+  systemd.tmpfiles.rules = [
+    "d /srv/www 2770 root www-data -"
+  ];
+
+  services = {
+    gitolite = {
+      enable = true;
+      adminPubkey = ""; # TODO: submit PR to nixpkgs to make this option optional
+      user = "git";
+      group = "git";
+      dataDir = "/srv/gitolite";
+      extraGitoliteRc = ''
+        $RC{UMASK} = 0027;
+        $RC{GIT_CONFIG_KEYS} = 'cgit.* gitweb.*';
+
+        # not working for some reason? still getting `FATAL: git config 'gitweb.description' not allowed` if gitweb.* is omitted in GIT_CONFIG_KEYS
+        # push( @{$RC{ENABLE}}, 'cgit' ); # update description files instead of gitweb.description config
+      '';
+    };
+
+    nginx = {
+      enable = true;
+      group = "www-data";
+    };
+
+    headscale = {
+      enable = true;
+      port = 8080;
+      # TODO: make dataDir configurable and set it to /srv/
+      settings = {
+        server_url = "https://${domains.tailscaleControlServer}";
+        dns = { base_domain = "tailnet"; };
+      };
+    };
+
+    nginx.virtualHosts.${domains.tailscaleControlServer} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.headscale.port}";
+        proxyWebsockets = true;
+      };
+    };
+
+    postgresql = {
+      enable = true;
+      authentication = pkgs.lib.mkOverride 10 ''
+        #type database DBuser auth-method
+        local sameuser all peer
+      '';
+    };
+
+    matrix-synapse = {
+      enable = true;
+      settings = {
+        server_name = domains.personalWebsite;
+      };
+    };
+
+    nginx.virtualHosts.${domains.matrixServer} = {
+      enableACME = true;
+      forceSSL = true;
+
+      # TODO: add locations."/" with some message
+
+      # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+      # *must not* be used here.
+      locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
+      # Forward requests for e.g. SSO and password-resets.
+      locations."/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+    };
+
+    nginx.virtualHosts.${domains.personalWebsite} =
+      let
+        mkWellKnown = data: ''
+          default_type application/json;
+          add_header Access-Control-Allow-Origin *;
+          return 200 '${builtins.toJSON data}';
+        '';
+      in
+      {
+        enableACME = true;
+        forceSSL = true;
+        root = "/srv/www/${domains.personalWebsite}";
+
+        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown {
+          "m.server" = "${domains.matrixServer}:443";
+        };
+        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown {
+          "m.homeserver" = { base_url = "https://${domains.matrixServer}"; };
+        };
+      };
+
+    nginx.virtualHosts.${domains.gitWebsite} = {
+      enableACME = true;
+      forceSSL = true;
+    };
+
+    cgit.main = {
+      enable = true;
+      # running as the gitolite user because otherwise cloning a repo via cgit fails with:
+      # fatal: detected dubious ownership in repository
+      user = config.services.gitolite.user;
+      group = config.services.gitolite.group;
+      nginx.virtualHost = domains.gitWebsite;
+      scanPath = "${config.services.gitolite.dataDir}/repositories";
+      settings = {
+        remove-suffix = 1;
+        enable-git-config = 1;
+        root-title = "push-f.com repositories";
+        root-desc = "My various repositories.";
+        enable-index-owner = 0;
+        source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+        clone-prefix = "https://${domains.gitWebsite}";
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true; # https://letsencrypt.org/repository/
+    defaults.email = acmeEmail;
+  };
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.11"; # Did you read the comment?
+
+}
+
diff --git a/nixos/hosts/tente/hardware-configuration.nix b/nixos/hosts/tente/hardware-configuration.nix
new file mode 100644
index 0000000..576ca76
--- /dev/null
+++ b/nixos/hosts/tente/hardware-configuration.nix
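Review bot: The matrix vhost's `locations."/_matrix".proxyPass` and `locations."/_synapse/client".proxyPass` hand requests to synapse with no proxy headers set in this hunk, so unless `services.nginx.recommendedProxySettings` (or an equivalent `extraConfig`) is enabled in an imported module such as `../../parts/server.nix`, synapse sees every client as 127.0.0.1, which blunts its per-IP rate limiting and leaves its logs without the real client address for incident response. Adding `recommendedProxySettings = true;` next to `group = "www-data";` in the `nginx` block would make that intent explicit in this file; the headscale vhost gets the same benefit. Separately, `adminPubkey = ""` is a workaround rather than a configuration, and the TODO should say how the gitolite-admin repository is actually administered (presumably directly on the host) so the next reader does not assume key-based admin access exists; something like `adminPubkey = ""; # no remote admin key: gitolite-admin is edited on the host; TODO: submit PR to nixpkgs to make this option optional`.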
@@ -0,0 +1,31 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/47b134dc-3b9a-4892-8fd5-eadef3d9e7b0";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}