From 50015669e10018b267ec36d9fa640fceb12d27f7 Mon Sep 17 00:00:00 2001
From: Oleksandr Smirnov
Date: Wed, 14 Jan 2026 21:45:55 +0200
Subject: [PATCH] nix: add vps setup
---
 nix/flake.lock | 130 +++++++++++++++++++
 nix/flake.nix | 33 +++++
 nix/hosts/thought/configuration.nix | 69 ++++++++++
 nix/hosts/thought/default.nix | 11 ++
 nix/hosts/thought/digitalocean.nix | 70 ++++++++++
 nix/hosts/thought/disko-config.nix | 55 ++++++++
 nix/hosts/thought/hardware-configuration.nix | 25 ++++
 nix/modules/forgejo.nix | 28 ++++
 nix/modules/soju.nix | 0
 nix/users/q.nix | 12 ++
 10 files changed, 433 insertions(+)
 create mode 100644 nix/flake.lock
 create mode 100644 nix/flake.nix
 create mode 100644 nix/hosts/thought/configuration.nix
 create mode 100644 nix/hosts/thought/default.nix
 create mode 100644 nix/hosts/thought/digitalocean.nix
 create mode 100644 nix/hosts/thought/disko-config.nix
 create mode 100644 nix/hosts/thought/hardware-configuration.nix
 create mode 100644 nix/modules/forgejo.nix
 create mode 100644 nix/modules/soju.nix
 create mode 100644 nix/users/q.nix
diff --git a/nix/flake.lock b/nix/flake.lock
new file mode 100644
index 0000000..ad123cf
--- /dev/null
+++ b/nix/flake.lock
@@ -0,0 +1,130 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1762618334, + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "owner": "ryantm", + "repo": "agenix", + "rev": "fcdea223397448d35d9b31f798479227e80183f6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1766150702, + "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", + "owner": "nix-community", + "repo": "disko", + "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1767313136, + "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", + "type": "github" + }, + "original": { + "owner": 
"NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "disko": "disko", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/flake.nix b/nix/flake.nix new file mode 100644 index 0000000..bfa944c --- /dev/null +++ b/nix/flake.nix @@ -0,0 +1,33 @@ +{ + description = "my nix"; + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + outputs = + { + self, + nixpkgs, + agenix, + disko, + ... + }@inputs: + { + nixosConfigurations."thought" = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./hosts/thought + agenix.nixosModules.default + disko.nixosModules.disko + ]; + }; + }; +} diff --git a/nix/hosts/thought/configuration.nix b/nix/hosts/thought/configuration.nix new file mode 100644 index 0000000..e6ad684 --- /dev/null +++ b/nix/hosts/thought/configuration.nix 
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ ./disko-config.nix
+ ./hardware-configuration.nix
+ ];
+
+ system.stateVersion = "24.05";
+
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 2048; # MB
+ }
+ ];
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ time.timeZone = "Europe/Kyiv";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ networking = {
+ hostName = "vps";
+ useDHCP = true;
+ # Interface names will be auto-detected in hardware-configuration.nix
+ # Using generic DHCP setting
+ interfaces = {};
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [80 443];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ neovim
+ git
+ htop
+ tmux
+ ];
+
+ services = {
+ caddy.enable = true;
+ openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+ };
+
+ nix = {
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+ settings = {
+ auto-optimise-store = true;
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+}
diff --git a/nix/hosts/thought/default.nix b/nix/hosts/thought/default.nix
new file mode 100644
index 0000000..656d02d
--- /dev/null
+++ b/nix/hosts/thought/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ imports = [
+ ./digitalocean.nix
+ ./configuration.nix
+ ./hardware-configuration.nix
+
+ ../../users/q.nix
+ ../../modules/forgejo.nix
+ ];
+}
diff --git a/nix/hosts/thought/digitalocean.nix b/nix/hosts/thought/digitalocean.nix
new file mode 100644
index 0000000..b2d5eef
--- /dev/null
+++ b/nix/hosts/thought/digitalocean.nix
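Review bot: `PasswordAuthentication = false` in the openssh settings block does not by itself rule out password logins on NixOS, because the module's `KbdInteractiveAuthentication` setting still defaults to true and lets PAM prompt for a password over the keyboard-interactive method; add `KbdInteractiveAuthentication = false;` next to it so only the authorized keys from q.nix are accepted. Separately, `useDHCP = true` in the networking block is overridden by the `lib.mkForce false` in digitalocean.nix, so that line and the two comments about interface auto-detection are misleading and should go, leaving the decision to digitalocean.nix. `hostName = "vps"` also differs from the flake's configuration name `thought`; worth reconciling before anything (Caddy, cloud-init's set_hostname) starts depending on it.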
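Review bot: `./hardware-configuration.nix` is imported here and again from configuration.nix's own `imports` list; path-imported modules are deduplicated by the module system so this is harmless, but one of the two should go so the host's module graph has a single owner. Since default.nix is the entry listed in flake.nix, keeping the import here and dropping it from configuration.nix reads most clearly.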
@@ -0,0 +1,70 @@
+{ lib, modulesPath, ... }:
+{
+ imports = [
+ "${modulesPath}/virtualisation/digital-ocean-config.nix"
+ ];
+
+ # do not use DHCP, as DigitalOcean provisions IPs using cloud-init
+ networking.useDHCP = lib.mkForce false;
+
+ # Disables all modules that do not work with NixOS
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ settings = {
+ datasource_list = [
+ "ConfigDrive"
+ "Digitalocean"
+ ];
+ datasource.ConfigDrive = { };
+ datasource.Digitalocean = { };
+ # Based on https://github.com/canonical/cloud-init/blob/main/config/cloud.cfg.tmpl
+ cloud_init_modules = [
+ "seed_random"
+ "bootcmd"
+ "write_files"
+ "growpart"
+ "resizefs"
+ "set_hostname"
+ "update_hostname"
+ # Not support on NixOS
+ #"update_etc_hosts"
+ # throws error
+ #"users-groups"
+ # tries to edit /etc/ssh/sshd_config
+ #"ssh"
+ "set_password"
+ ];
+ cloud_config_modules = [
+ "ssh-import-id"
+ "keyboard"
+ # doesn't work with nixos
+ #"locale"
+ "runcmd"
+ "disable_ec2_metadata"
+ ];
+ ## The modules that run in the 'final' stage
+ cloud_final_modules = [
+ "write_files_deferred"
+ "puppet"
+ "chef"
+ "ansible"
+ "mcollective"
+ "salt_minion"
+ "reset_rmc"
+ # install dotty agent fails
+ #"scripts_vendor"
+ "scripts_per_once"
+ "scripts_per_boot"
+ # /var/lib/cloud/scripts/per-instance/machine_id.sh has broken shebang
+ #"scripts_per_instance"
+ "scripts_user"
+ "ssh_authkey_fingerprints"
+ "keys_to_console"
+ "install_hotplug"
+ "phone_home"
+ "final_message"
+ ];
+ };
+ };
+}
diff --git a/nix/hosts/thought/disko-config.nix b/nix/hosts/thought/disko-config.nix
new file mode 100644
index 0000000..a51111a
--- /dev/null
+++ b/nix/hosts/thought/disko-config.nix
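Review bot: `"set_password"` is kept in `cloud_init_modules` while the `ssh` and `users-groups` modules are commented out as unsupported; if the datasource supplies a password (DigitalOcean's root-password provisioning can), cloud-init will apply it to the host, which contradicts the key-only sshd policy set in configuration.nix. If local passwords are not wanted on this host, comment it out like the others with a one-line reason, e.g. `# host is key-only, see sshd settings in configuration.nix`. The `# Disables all modules that do not work with NixOS` comment above `services.cloud-init` also overstates what the block does — it enables cloud-init with a hand-picked module list — so `# cloud-init with the module set known to work on NixOS; unsupported modules are commented out below` would be more accurate.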
@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nix/hosts/thought/hardware-configuration.nix b/nix/hosts/thought/hardware-configuration.nix
new file mode 100644
index 0000000..8c7f810
--- /dev/null
+++ b/nix/hosts/thought/hardware-configuration.nix
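Review bot: The ESP filesystem mounted at `/boot` (the `content` block of the `esp` partition) carries no mount options, so the vfat volume comes up with the kernel's default of world-readable files; the kernel, initrd and anything placed under /boot are then readable by every local account, which is why recent nixos-generate-config output restricts the ESP mount. Add `mountOptions = [ "fmask=0077" "dmask=0077" ];` to that filesystem block, mirroring the `mountOptions` already given for the root LV.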
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "virtio_blk" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens4.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nix/modules/forgejo.nix b/nix/modules/forgejo.nix
new file mode 100644
index 0000000..68779f1
--- /dev/null
+++ b/nix/modules/forgejo.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+let
+ domain = "git.olexsmir.xyz";
+in
+{
+ services.caddy.virtualHosts.${domain}.extraConfig = ''
+ reverse_proxy http://localhost:3001
+ '';
+
+ services.forgejo = {
+ enable = true;
+ database.type = "sqlite3";
+ settings = {
+ server = {
+ DOMAIN = domain;
+ ROOT_URL = "https://${domain}/";
+ HTTP_PORT = 3001;
+ # TODO: ? setup ssh
+ };
+ DEFAULT.APP_NAME = "my git";
+ repository.DISABLE_STARS = true;
+ service.DISABLE_REGISTRATION = true;
+ actions.ENABLED = false; # TODO:
+ };
+ };
+
+ # TODO: setup woodpecker
+}
diff --git a/nix/modules/soju.nix b/nix/modules/soju.nix
new file mode 100644
index 0000000..e69de29
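Review bot: `HTTP_PORT = 3001` in the forgejo `server` block sets the port but not the bind address, and as far as I recall the NixOS forgejo module's `settings.server.HTTP_ADDR` defaults to `0.0.0.0`, so Forgejo listens on every interface while Caddy only ever proxies to `http://localhost:3001`. The firewall in configuration.nix currently opens just 80/443, but binding to loopback keeps the plain-HTTP listener private even if that firewall is relaxed later: add `HTTP_ADDR = "127.0.0.1";` beside HTTP_PORT. The `# TODO: ? setup ssh` comment would be more useful if it named the open decision, e.g. `# TODO: decide whether git-over-SSH goes through the host sshd or Forgejo's built-in SSH server`.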
diff --git a/nix/users/q.nix b/nix/users/q.nix
new file mode 100644
index 0000000..5306244
--- /dev/null
+++ b/nix/users/q.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ users.users.q = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ # initialPassword = "qwerty123";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLLJdkVYKZgsayw+sHanKPKZbI0RMS2CakqBCEi5Trz" # laptop
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINeXccmMQ9jfLG2Z8CITaZZ+pUgYVNVYDFtmdkBHd3xk u0_a930@localhost" # phone
+ ];
+ };
+}
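Review bot: `extraGroups = [ "wheel" ]` grants sudo, but the user has no password (the `initialPassword` line is commented out) and NixOS's sudo module asks wheel members for their password by default (`security.sudo.wheelNeedsPassword`), so `sudo` will prompt for a password that cannot be entered unless that option is switched off somewhere outside this patch. Either source a password from a secret — the flake already pulls agenix, so take `config` in the module arguments and set something like `hashedPasswordFile = config.age.secrets.<secret-name>.path;` (placeholder name) — or deliberately set `security.sudo.wheelNeedsPassword = false;` and say so in a comment. The commented-out `# initialPassword = "qwerty123";` line is dead text that still records a guessable credential; delete it rather than leaving it in the repository.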