diff --git a/cachix.nix b/cachix.nix new file mode 100644 index 0000000..ecd2d39 --- /dev/null +++ b/cachix.nix @@ -0,0 +1,13 @@ + +# WARN: this file will get overwritten by $ cachix use +{ pkgs, lib, ... }: + +let + folder = ./cachix; + toImport = name: value: folder + ("/" + name); + filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; + imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); +in { + inherit imports; + nix.settings.substituters = ["https://cache.nixos.org/"]; +} diff --git a/cachix/rgit.nix b/cachix/rgit.nix new file mode 100644 index 0000000..0f37960 --- /dev/null +++ b/cachix/rgit.nix @@ -0,0 +1,13 @@ + +{ + nix = { + settings = { + substituters = [ + "https://rgit.cachix.org" + ]; + trusted-public-keys = [ + "rgit.cachix.org-1:3Wva/GHhrlhbYx+ObbEYQSYq1Yzk8x9OAvEvcYazgL0=" + ]; + }; + }; +} diff --git a/configuration.nix b/configuration.nix index 637bc8c..2a1abe6 100755 --- a/configuration.nix +++ b/configuration.nix @@ -12,7 +12,8 @@ networking.domain = ""; networking.firewall = { enable = true; - allowedTCPPorts = [80 443]; + allowedTCPPorts = [80 443 9418]; + allowedUDPPorts = [80 443 9418]; }; boot.loader.grub.devices = ["nodev"]; @@ -34,12 +35,6 @@ ''; }; - services.fail2ban = { - enable = true; - maxretry = 10; - bantime-increment.enable = true; - }; - users.users.mtgmonkey = { isNormalUser = true; description = "mtgmonkey"; diff --git a/flake.lock b/flake.lock index 6e720ed..5b7f556 100755 --- a/flake.lock +++ b/flake.lock 
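Review bot: Adding the rgit.cachix.org key to `trusted-public-keys` in cachix/rgit.nix makes it a trust root for the whole host, not only for rgit. Nix will accept any store path that this cache serves and that key signs, so whoever controls the cache's signing key can supply binaries for paths this system asks it for. The same commit comments `./services/rgit.nix` out of the module list in flake.nix, so the cache appears to have no remaining consumer; if that is right, drop cachix/rgit.nix instead of carrying the extra trust. If rgit returns, a comment above the substituter such as `# third-party cache, needed only for the rgit flake input; remove together with services/rgit.nix` would record why it is trusted.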
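Review bot: The new `allowedUDPPorts = [80 443 9418];` opens three UDP ports although nothing in this commit is shown listening on UDP. git:// on 9418 is TCP, and of the three only 443 has a common UDP use (QUIC), which is worth opening only if the front-end server really serves HTTP/3. 9418/tcp is also opened without a visible git daemon unit, and the git protocol is unauthenticated and unencrypted, so it should stay closed unless anonymous read-only cloning is intended. The next hunk in this file removes `services.fail2ban`, so the wider surface also loses the only ban mechanism visible here. I would keep `allowedTCPPorts = [80 443];`, drop the UDP line, and name the listener in a comment for every port that is opened; the enclosing attribute set starts outside the hunk.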
@@ -1,15 +1,46 @@ { "nodes": { + "advisory-db": { + "flake": false, + "locked": { + "lastModified": 1747937073, + "narHash": "sha256-52H8P6jAHEwRvg7rXr4Z7h1KHZivO8T1Z9tN6R0SWJg=", + "owner": "rustsec", + "repo": "advisory-db", + "rev": "bccf313a98c034573ac4170e6271749113343d97", + "type": "github" + }, + "original": { + "owner": "rustsec", + "repo": "advisory-db", + "type": "github" + } + }, + "crane": { + "locked": { + "lastModified": 1748047550, + "narHash": "sha256-t0qLLqb4C1rdtiY8IFRH5KIapTY/n3Lqt57AmxEv9mk=", + "owner": "ipetkov", + "repo": "crane", + "rev": "b718a78696060df6280196a6f992d04c87a16aef", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "elmskell-blog": { "inputs": { "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1749395936, - "narHash": "sha256-tEqZKBzQbENlyIDvVMWcnhifjEQkaEzK3eKDQWCbt58=", + "lastModified": 1749494299, + "narHash": "sha256-I6/TSz5ciJTEZNFCyrCXWRYqBkNIh3fZy67UErIw3fk=", "ref": "refs/heads/master", - "rev": "36fa8afd57449cacdc0535417c8d20fb6b702348", - "revCount": 9, + "rev": "596af4a7318d60816ee995526d571643e21744b5", + "revCount": 11, "type": "git", "url": "file:///var/lib/git-server/blog.git" }, @@ -20,7 +51,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, 
@@ -36,6 +67,79 @@ "type": "github" } }, + "helix": { + "flake": false, + "locked": { + "lastModified": 1727654850, + "narHash": "sha256-du6Vy5Yxy6aZFP7ad5guz5GOD/8uMY+Pgse1ZM+K2Jo=", + "owner": "JordanForks", + "repo": "helix", + "rev": "1603715cc91bf6fdffb4aedfb5b76fb69fd10e28", + "type": "github" + }, + "original": { + "owner": "JordanForks", + "repo": "helix", + "type": "github" + } + }, + "jank-client": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1749606892, + "narHash": "sha256-ZGUUWNORko3QFy9p/2mc4voJ65/11Joy6Au79+TwxPw=", + "ref": "refs/heads/main", + "rev": "0e59a339c813bcf1e9969344d8b50ed380231552", + "revCount": 1179, + "type": "git", + "url": "file:///var/lib/git-server/jank-client-fork.git" + }, + "original": { + "type": "git", + "url": "file:///var/lib/git-server/jank-client-fork.git" + } + }, + "math-project": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1750258769, + "narHash": "sha256-BazJgo04yFqFfp2AA0Tfba+nBAeaNddQJBdLghVJskk=", + "ref": "refs/heads/master", + "rev": "fa0e8ca47dd5341d24d8aae90a0bc28a689c3d46", + "revCount": 6, + "type": "git", + "url": "file:///var/lib/git-server/math-project.git" + }, + "original": { + "type": "git", + "url": "file:///var/lib/git-server/math-project.git" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "rgit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1737420293, + "narHash": "sha256-F1G5ifvqTpJq7fdkT34e/Jy9VCyzd5XfJ9TO8fHhJWE=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "f4158fa080ef4503c8f4c820967d946c2af31ec9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1749143949, 
@@ -53,21 +157,50 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1749373575, - "narHash": "sha256-/3nvhGaUMG1A6zG185QHyTFR2fMiyffxU7VdMYk5qj0=", - "owner": "nixos", + "lastModified": 1749285348, + "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "6a8d437617048567166f83b32d07ba73aeb2d125", + "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", "type": "github" }, "original": { - "owner": "nixos", - "ref": "release-25.05", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" } }, "nixpkgs_3": { + "locked": { + "lastModified": 1748889542, + "narHash": "sha256-Hb4iMhIbjX45GcrgOp3b8xnyli+ysRPqAgZ/LZgyT5k=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-25.05", + "type": "indirect" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1749794982, + "narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "nixpkgs_5": { "locked": { "lastModified": 1714253743, "narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=", 
@@ -83,7 +216,38 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_6": { + "locked": { + "lastModified": 1748159586, + "narHash": "sha256-xeCMAhKjhDjVFsfJcftv+CWcExYo+X8IBUW8L947ww4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7382d075365a977c4a9c8aa4c5e4abed15f00ee1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_7": { + "locked": { + "lastModified": 1745377448, + "narHash": "sha256-jhZDfXVKdD7TSEGgzFJQvEEZ2K65UMiqW5YJ2aIqxMA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "507b63021ada5fee621b6ca371c4fca9ca46f52c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_8": { "locked": { "lastModified": 1746141548, "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=", @@ -101,7 +265,7 @@ }, "noshell": { "inputs": { - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1717396029, 
@@ -117,18 +281,45 @@ "type": "github" } }, + "rgit": { + "inputs": { + "advisory-db": "advisory-db", + "crane": "crane", + "helix": "helix", + "nix-github-actions": "nix-github-actions", + "nixpkgs": "nixpkgs_6", + "treefmt-nix": "treefmt-nix", + "utils": "utils" + }, + "locked": { + "lastModified": 1748169485, + "narHash": "sha256-JxPNDrvpqgpz6MQp6LKT3cbK4bl7/E9+eST1cEhl/jA=", + "owner": "w4", + "repo": "rgit", + "rev": "9224aa1a006acb6af6da8cfbee82278612bd05d0", + "type": "github" + }, + "original": { + "owner": "w4", + "repo": "rgit", + "type": "github" + } + }, "root": { "inputs": { "elmskell-blog": "elmskell-blog", - "nixpkgs": "nixpkgs_2", + "jank-client": "jank-client", + "math-project": "math-project", + "nixpkgs": "nixpkgs_4", "noshell": "noshell", + "rgit": "rgit", "spacebar-server": "spacebar-server" } }, "spacebar-server": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1748414795, 
@@ -158,6 +349,57 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": "nixpkgs_7" + }, + "locked": { + "lastModified": 1747912973, + "narHash": "sha256-XgxghfND8TDypxsMTPU2GQdtBEsHTEc3qWE6RVEk8O0=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "020cb423808365fa3f10ff4cb8c0a25df35065a3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 06490e0..05c8e9d 100755 --- a/flake.nix +++ b/flake.nix @@ -1,9 +1,10 @@ { description = "server flake"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/release-25.05"; + nixpkgs.url = "nixpkgs/nixos-unstable"; noshell.url = "github:viperML/noshell"; spacebar-server.url = "github:spacebarchat/server"; + rgit.url = "github:w4/rgit"; elmskell-blog.url = "git+file:///var/lib/git-server/blog.git"; jank-client.url = "git+file:///var/lib/git-server/jank-client-fork.git"; @@ -18,6 +19,7 @@ spacebar-server, jank-client, math-project, + rgit, ... }: let system = "x86_64-linux"; @@ -29,6 +31,8 @@ inherit system; inherit elmskell-blog; inherit spacebar-server; + inherit math-project; + inherit rgit; ssh-pub-keys = import ./ssh-pub-keys.nix; }; modules = [ 
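Review bot: `nixpkgs.url = "nixpkgs/nixos-unstable";` in the first flake.nix hunk replaces an explicit GitHub reference with an indirect one resolved through the flake registry, and moves an internet-facing server from a release branch to unstable. flake.lock pins the result, but the next `nix flake update` resolves whatever the registry on that machine maps `nixpkgs` to. Writing `nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";` keeps the source visible in the file. The new `rgit` input also brings its own nixpkgs (`nixpkgs_6` in flake.lock); `rgit.inputs.nixpkgs.follows = "nixpkgs";` would keep it on the revision you track and patch.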
@@ -39,15 +43,16 @@ jank-client.nixosModules.x86_64-linux.default ./services/spacebar.nix - ./services/rgit.nix + # ./services/rgit.nix + ./services/gitea.nix ./services/translate.nix noshell.nixosModules.default {programs.noshell.enable = true;} - math-project.nixosModules.default - {programs.math-project.enable = true;} + math-project.nixosModules.x86_64-linux.default + {services.math-project.enable = true;} ./services/math-project.nix ./configuration.nix diff --git a/services/blog.nix b/services/blog.nix index cc303d7..aa85420 100755 --- a/services/blog.nix +++ b/services/blog.nix @@ -49,7 +49,12 @@ in { Type = "simple"; ExecStart = "${lib.getExe pkgs.ferron} --config=/etc/blog.ferron.yaml"; RemainAfterExit = true; + Restart = "always"; + RestartMaxDelaySec = "1m"; + RestartSec = "100ms"; + RestartSteps = 9; }; + wantedBy = ["multi-user.target"]; }; environment.etc."blog.ferron.yaml" = { source = (pkgs.formats.yaml {}).generate "" ferron-conf-nix; diff --git a/services/elmskell.nix b/services/elmskell.nix index 86d154b..da1bd4e 100755 --- a/services/elmskell.nix +++ b/services/elmskell.nix @@ -39,7 +39,12 @@ in { Type = "simple"; ExecStart = "/etc/nixos/services/elmskell/elmskell"; RemainAfterExit = true; + Restart = "always"; + RestartMaxDelaySec = "1m"; + RestartSec = "100ms"; + RestartSteps = 9; }; + wantedBy = ["multi-user.target"]; }; services.tor = { enable = true; diff --git a/services/ferron.nix b/services/ferron.nix index c694a57..d182d9d 100755 --- a/services/ferron.nix +++ b/services/ferron.nix @@ -50,6 +50,7 @@ in { ExecStart = "${lib.getExe pkgs.ferron} --config=/etc/ferron.yaml"; RemainAfterExit = true; }; + wantedBy = ["multi-user.target"]; }; environment.etc."ferron.yaml" = { diff --git a/services/gitea.nix b/services/gitea.nix new file mode 100755 index 0000000..6d2e135 --- /dev/null +++ b/services/gitea.nix 
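Review bot: `Restart = "always"` is added next to the existing `RemainAfterExit = true` on a `Type = "simple"` unit in services/blog.nix, and the two work against each other. With RemainAfterExit systemd keeps the unit active after the main process exits cleanly, so I would expect a clean exit not to be restarted at all; this is worth confirming on the host. Removing `RemainAfterExit = true;` makes the restart policy apply to every exit. The same pair appears in the elmskell, gitea, math-project, rgit, spacebar and translate units in this commit. `serviceConfig` opens above this hunk, so whether a `User=` is set cannot be seen here.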
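Review bot: With `wantedBy = ["multi-user.target"]` and `Restart = "always"` the elmskell unit now starts at every boot and is kept running, yet its `ExecStart` is `/etc/nixos/services/elmskell/elmskell`, a binary at a mutable path outside the Nix store. Whoever can write that file gets code run by systemd on boot and on each restart. No `User=` is visible in the hunk (serviceConfig begins above it), so this may be root. Building the binary as a derivation and referencing it by store path, plus `User`/`Group` as services/spacebar.nix already does, would remove that dependency on a writable path.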
@@ -0,0 +1,28 @@
+{
+ pkgs,
+ lib,
+ ...
+}: {
+ systemd.services.gitea = {
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${lib.getExe pkgs.forgejo} -c /etc/gitea/config.ini";
+ RemainAfterExit = true;
+ Restart = "always";
+ RestartMaxDelaySec = "1m";
+ RestartSec = "100ms";
+ RestartSteps = 9;
+ User = "git";
+ Group = "git";
+ };
+ wantedBy = ["multi-user.target"];
+ };
+ environment.etc."gitea/config.ini.default" = {
+ text = ''
+ WORK_PATH = /var/lib/git-server
+ [server]
+ HTTP_PORT = 8000
+ '';
+ mode = "644";
+ };
+}
diff --git a/services/math-project.nix b/services/math-project.nix
index af31585..c3e577d 100755
--- a/services/math-project.nix
+++ b/services/math-project.nix
@@ -29,7 +29,7 @@ in {
 METRICS_BIND = "[::1]:9283";
 METRICS_BIND_NETWORK = "tcp";
 POLICY_FNAME = "/etc/anubis/math-project.botPolicies.yaml";
- TARGET = "http://localhost:8080";
+ TARGET = "http://localhost:8081";
 };
 };
 };
@@ -42,8 +42,13 @@ in {
 systemd.services.math-project = {
 serviceConfig = {
 Type = "simple";
- ExecStart = "${lib.getExe math-project}";
+ ExecStart = "${lib.getExe math-project.packages.x86_64-linux.default}";
 RemainAfterExit = true;
+ Restart = "always";
+ RestartMaxDelaySec = "1m";
+ RestartSec = "100ms";
+ RestartSteps = 9;
 };
+ wantedBy = ["multi-user.target"];
 };
 }
diff --git a/services/rgit.nix b/services/rgit.nix
index 96c628e..faccc74 100755
--- a/services/rgit.nix
+++ b/services/rgit.nix
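Review bot: `ExecStart` in services/gitea.nix points Forgejo at `/etc/gitea/config.ini`, but the module only writes `gitea/config.ini.default`, so the file the service reads is created and edited outside this configuration and nothing guarantees the settings declared here apply. The `[server]` section sets `HTTP_PORT = 8000` without `HTTP_ADDR`, which leaves Forgejo listening on all interfaces; adding `HTTP_ADDR = 127.0.0.1` keeps it behind the reverse proxy instead of relying on the firewall alone. The unit has no sandboxing directives, and `WORK_PATH = /var/lib/git-server` is the directory this flake's `git+file://` inputs are read from, so the forge's writable state sits beside the repositories the system is built from. nixpkgs ships a `services.forgejo` module that manages the state directory, secrets and unit hardening; I would use it rather than a hand-written unit.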
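Review bot: `systemd.services.math-project` is now started at boot and restarted indefinitely, and its `serviceConfig`, fully visible in the second math-project.nix hunk, sets no `User=`, so the backend behind the Anubis proxy runs as root. services/spacebar.nix and services/gitea.nix already set `User`/`Group`; doing the same here, or `DynamicUser = true;` if the program keeps no persistent state, limits what a bug in the service can reach. services/translate.nix has the same gap: its unit gains `--port 8108`, `Restart` and `wantedBy` but still has no `User=`.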
@@ -1,23 +1,16 @@
-{
- virtualisation.docker = {
- enable = true;
- };
- virtualisation.oci-containers.backend = "docker";
- virtualisation.oci-containers.containers.rgit = {
- image = "ghcr.io/w4/rgit:main";
- ports = [
- "8000:8000"
- ];
- volumes = [
- "/var/lib/git-server:/git:ro"
- ];
- cmd = [
- "[::]:8000"
- "/git"
- "-d /tmp/rgit-cache.db"
- ];
- environment = {
- REFRESH_INTERVAL = "5m";
+{rgit, ...}: {
+ systemd.services.rgit = {
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${rgit.packages.x86_64-linux.default}/bin/rgit -d /var/lib/git-server/.db/rgit-cache.db [::1]:8000 /var/lib/git-server";
+ RemainAfterExit = true;
+ Restart = "always";
+ RestartMaxDelay = "1m";
+ RestartSec = "100ms";
+ RestartSteps = 9;
+ User = "git";
+ Group = "git";
 };
+ wantedBy = ["multi-user.target"];
 };
 }
diff --git a/services/rgit.nix.bak b/services/rgit.nix.bak
new file mode 100755
index 0000000..96c628e
--- /dev/null
+++ b/services/rgit.nix.bak
@@ -0,0 +1,23 @@
+{
+ virtualisation.docker = {
+ enable = true;
+ };
+ virtualisation.oci-containers.backend = "docker";
+ virtualisation.oci-containers.containers.rgit = {
+ image = "ghcr.io/w4/rgit:main";
+ ports = [
+ "8000:8000"
+ ];
+ volumes = [
+ "/var/lib/git-server:/git:ro"
+ ];
+ cmd = [
+ "[::]:8000"
+ "/git"
+ "-d /tmp/rgit-cache.db"
+ ];
+ environment = {
+ REFRESH_INTERVAL = "5m";
+ };
+ };
+}
diff --git a/services/spacebar.nix b/services/spacebar.nix
index 1a3cd0f..dea6f39 100644
--- a/services/spacebar.nix
+++ b/services/spacebar.nix
@@ -45,7 +45,12 @@ in {
 RemainAfterExit = true;
 User = "spacebar";
 Group = "spacebar";
+ Restart = "always";
+ RestartMaxDelaySec = "1m";
+ RestartSec = "100ms";
+ RestartSteps = 9;
 };
+ wantedBy = ["multi-user.target"];
 environment = {
 DATABASE = "/var/lib/spacebar-server/database.db";
 STORAGE_LOCATION = "/var/lib/spacebar-server/files/";
diff --git a/services/translate.nix b/services/translate.nix
index f9be6c0..2362e06 100755
--- a/services/translate.nix
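Review bot: `RestartMaxDelay = "1m";` in services/rgit.nix is not the key the other units in this commit use; they spell it `RestartMaxDelaySec`. systemd ignores an unknown key with a warning, which leaves `RestartSteps = 9` without a ceiling to step towards, so the line should read `RestartMaxDelaySec = "1m";`. The listener is `[::1]:8000`, the same port services/gitea.nix gives Forgejo, so the two modules cannot both be enabled as written. The cache database now lives under `/var/lib/git-server/.db/`, inside the directory rgit scans; a `StateDirectory` outside the repository root would keep service state apart from served content.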
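Review bot: services/rgit.nix.bak is the old module committed again under a new name; its blob id `96c628e` is the pre-image of services/rgit.nix in this same commit, so git history already preserves it. Keeping it in the tree, with mode 100755, leaves a second rgit definition that binds `[::]:8000` and pulls the mutable `ghcr.io/w4/rgit:main` tag, and a later import of the wrong file would bring it back. I would delete the .bak file and rely on history.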
+++ b/services/translate.nix
@@ -41,8 +41,13 @@ in {
 systemd.services.translate = {
 serviceConfig = {
 Type = "simple";
- ExecStart = "${lib.getExe pkgs.libretranslate}";
+ ExecStart = "${lib.getExe pkgs.libretranslate} --port 8108";
 RemainAfterExit = true;
+ Restart = "always";
+ RestartMaxDelaySec = "1m";
+ RestartSec = "100ms";
+ RestartSteps = 9;
 };
+ wantedBy = ["multi-user.target"];
 };
 }