From 0a728445ab3651d7519417a074f0cd75f22467d1 Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Thu, 23 May 2024 16:59:18 +0100
Subject: [PATCH] [yevaud] Add current config to source control
---
 flake.nix | 18 ++-
 hosts/yevaud/configuration.nix | 150 ++++++++++++++++++++++++
 hosts/yevaud/hardware-configuration.nix | 54 +++++++++
 3 files changed, 217 insertions(+), 5 deletions(-)
 create mode 100644 hosts/yevaud/configuration.nix
 create mode 100644 hosts/yevaud/hardware-configuration.nix
diff --git a/flake.nix b/flake.nix
index 7c6769c..5c0c2d6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,11 +4,19 @@
   };
 
   outputs = { self, nixpkgs, ... }@inputs: {
-    nixosConfigurations.tohru = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      modules = [
-        ./hosts/tohru/configuration.nix
-      ];
+    nixosConfigurations = {
+      tohru = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./hosts/tohru/configuration.nix
+        ];
+      };
+      yevaud = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./hosts/yevaud/configuration.nix
+        ];
+      };
     };
   };
 }
diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix
new file mode 100644
index 0000000..bae4bde
--- /dev/null
+++ b/hosts/yevaud/configuration.nix
@@ -0,0 +1,150 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "yevaud";
+  networking.hostId = "09673d65";
+  # Pick only one of the below networking options.
+  # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+  # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+  time.timeZone = "Etc/UTC";
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Select internationalisation properties.
+  # i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  #   useXkbConfig = true; # use xkb.options in tty.
+  # };
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.bluebird = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on bluebird@tohru"
+    ];
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  # environment.systemPackages = with pkgs; [
+  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+  #   wget
+  # ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  services.fail2ban.enable = true;
+
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    appendHttpConfig = ''
+      map $scheme $hsts_header {
+        https "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+      add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+      add_header X-Frame-Options SAMEORIGIN;
+      add_header X-Content-Type-Options nosniff;
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+
+    virtualHosts = let
+      base = {
+        forceSSL = true;
+        enableACME = true;
+      };
+      proxy = port: {
+        locations."/".proxyPass = "http://[::1]:${toString(port)}/";
+      };
+    in {
+      "git.katherina.rocks" = base // proxy 3000;
+    };
+  };
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "accounts@katherina.rocks";
+  };
+
+  services.forgejo = {
+    enable = true;
+    stateDir = "/data/forgejo";
+    settings = {
+      DEFAULT.APP_NAME = "git.katherina.rocks";
+      cache = {
+        ADAPTER = "twoqueue";
+        HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
+      };
+      database = {
+        DB_TYPE = "sqlite3";
+        SQLITE_JOURNAL_MODE = "WAL";
+      };
+      security.LOGIN_REMEMBER_DAYS = 365;
+      server = {
+        DOMAIN = "git.katherina.rocks";
+        HTTP_PORT = 3000;
+        ROOT_URL = "https://git.katherina.rocks/";
+      };
+      service.DISABLE_REGISTRATION = true;
+    };
+  };
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+}
+
diff --git a/hosts/yevaud/hardware-configuration.nix b/hosts/yevaud/hardware-configuration.nix
new file mode 100644
index 0000000..c11d3fc
--- /dev/null
+++ b/hosts/yevaud/hardware-configuration.nix
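Review bot: The `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` line in `services.nginx` replaces the module's default TLS 1.2 list (ECDHE/DHE AES-256-GCM and ChaCha20-Poly1305 only) with an OpenSSL pattern that also admits the CBC/HMAC-SHA1 AES-256 suites and drops ChaCha20-Poly1305, so it weakens what `recommendedTlsSettings = true;` already configures; deleting the line restores the stronger default (the `EDH` half is likely inert anyway, since no `ssl_dhparam` is set). In `services.openssh.settings`, `PasswordAuthentication = false;` on its own still leaves keyboard-interactive (PAM) password prompts possible; add `KbdInteractiveAuthentication = false;` beside it. Forgejo is only meant to be reached through the nginx proxy at `http://[::1]:3000/`, but `server.HTTP_ADDR` is not set, so the listener presumably binds all interfaces and its exposure depends solely on 3000 being absent from `allowedTCPPorts`; pinning `HTTP_ADDR` to the loopback address nginx proxies to (`"::1"`) makes that intent explicit and survives a later firewall change.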
@@ -0,0 +1,54 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "rpool/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var" =
+    { device = "rpool/var";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/107D-5AB3";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  fileSystems."/data/forgejo" =
+    { device = "rpool/forgejo";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/f8b6eb35-33ad-4e19-bf3d-cac5ec38a8dc"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}