admin: add group www

server: move caddy to seperate module

flake.lock

@@ -166,6 +166,24 @@
         "type": "github"
       }
     },
+    "flake-parts_3": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib_3"
+      },
+      "locked": {
+        "lastModified": 1726153070,
+        "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "locked": {
         "lastModified": 1629284811,
@@ -201,7 +219,7 @@
     },
     "flake-utils_3": {
       "inputs": {
-        "systems": "systems_6"
+        "systems": "systems_7"
       },
       "locked": {
         "lastModified": 1726560853,
@@ -679,6 +697,21 @@
         "type": "github"
       }
     },
+    "nix-filter": {
+      "locked": {
+        "lastModified": 1710156097,
+        "narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=",
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "rev": "3342559a24e85fc164b295c3444e8a139924675b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "type": "github"
+      }
+    },
     "nix-index-db": {
       "inputs": {
         "nixpkgs": [
@@ -739,6 +772,18 @@
         "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
       }
     },
+    "nixpkgs-lib_3": {
+      "locked": {
+        "lastModified": 1725233747,
+        "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1720386169,
@@ -985,6 +1030,29 @@
         "type": "github"
       }
     },
+    "ooknet-website": {
+      "inputs": {
+        "flake-parts": "flake-parts_3",
+        "nix-filter": "nix-filter",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1728305902,
+        "narHash": "sha256-761elKy4m30bx9+3QTlc2MGlRbESek/klbufIP75UqI=",
+        "ref": "refs/heads/master",
+        "rev": "b0ed4617e28b40e43cc286c9cd50d75d0e204668",
+        "revCount": 4,
+        "type": "git",
+        "url": "ssh://git@github.com/ooks-io/website"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://git@github.com/ooks-io/website"
+      }
+    },
     "ooks-scripts": {
       "inputs": {
         "nixpkgs": [
@@ -2793,8 +2861,9 @@
         "nix-index-db": "nix-index-db",
         "nixpkgs": "nixpkgs_3",
         "nvf": "nvf",
+        "ooknet-website": "ooknet-website",
         "ooks-scripts": "ooks-scripts",
-        "systems": "systems_5",
+        "systems": "systems_6",
         "zjstatus": "zjstatus"
       }
     },
@@ -2922,6 +2991,21 @@
       }
     },
     "systems_6": {
+      "locked": {
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "type": "github"
+      }
+    },
+    "systems_7": {
       "locked": {
         "lastModified": 1681028828,
         "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",

flake.nix

@@ -30,6 +30,10 @@
       url = "git+ssh://git@github.com/ooks-io/scripts";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    ooknet-website = {
+      url = "git+ssh://git@github.com/ooks-io/website";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     nvf.url = "github:notashelf/nvf/v0.7";
 

hosts/ooksdesk/hardware.nix

@@ -3,7 +3,7 @@
     cpu.type = "amd";
     cpu.amd.pstate.enable = true;
     gpu.type = "amd";
-    features = ["ssd" "audio" "video"];
+    features = ["printing" "ssd" "audio" "video"];
     monitors = [
       {
         name = "DP-3";

modules/home/console/tools/ssh.nix

@@ -17,6 +17,12 @@ in {
           hostname = "github.com";
           identityFile = "${osConfig.age.secrets.github_key.path}";
         };
+        "git.ooknet.org" = {
+          user = "forgejo";
+          port = 2222;
+          hostname = "git.ooknet.org";
+          identityFile = "${osConfig.age.secrets.ooknet_org.path}";
+        };
       };
     };
   };

modules/home/workstation/gaming/options.nix

@@ -0,0 +1,31 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib) mkIf mkEnableOption mkOption;
+  inherit (lib.types) str;
+  cfg = config.ooknet.gaming;
+in {
+  options.ooknet.gaming = {
+    enable = mkEnableOption;
+
+    gamesPath = mkOption {
+      type = str;
+      default = "${config.home.homeDirectory}/Games";
+      description = "Location where games will be stored.";
+    };
+
+    prefixPath = mkOption {
+      type = str;
+      default = "${cfg.gamesPath}/prefixes";
+    };
+    compatDataPath = mkOption {
+      type = str;
+      default = "${cfg.prefixPath}/compatdata";
+    };
+  };
+  config = mkIf cfg.enable {
+    xdg.userDirs.XDG_GAMES_DIR = cfg.gamesPath;
+  };
+}

modules/home/workstation/gaming/world-of-warcraft.nix

@@ -0,0 +1,55 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf mkEnableOption mkOption;
+  inherit (lib.types) str package;
+  inherit (config.ooknet) gaming;
+  gamesDir = config.xdg.userDirs.extraConfig.XDG_GAMES_DIR;
+  cfg = config.ooknet.gaming.world-of-warcraft;
+in {
+  options.ooknet.gaming.world-of-warcraft = {
+    enable = mkEnableOption "Enable the World of Warcraft module";
+
+    proton = {
+      package = mkOption {
+        type = package;
+        default = pkgs.proton-ge-custom;
+      };
+      prefix = {
+        path = mkOption {
+          type = str;
+          default = "${gaming.prefixPath}/WoW";
+        };
+      };
+      compatDataPath = mkOption {
+        type = str;
+        default = "${gaming.compatDataPath}/";
+      };
+    };
+
+    gamePrefixPath = mkOption {
+      type = str;
+      default = "${cfg.winePrefixesPath}/WoW";
+      description = "Location where the World of Warcraft prefix will be stored.";
+    };
+
+    gamePath = mkOption {
+      type = str;
+      default = "${cfg.world-of-warcraft.gamePrefixPath}/drive_c/Program Files (x86)/World of Warcraft";
+      description = "Location where the World of Warcraft installation will be symlinked.";
+    };
+
+    gameSharedPath = mkOption {
+      type = str;
+      default = "${cfg.wineProgramsPath}/World Of Warcraft";
+      description = "Location where World of Warcraft game files are stored.";
+    };
+  };
+  config =
+    mkIf cfg.enable {
+    };
+}
+

modules/home/workstation/gaming/wow.nix

@@ -2,6 +2,7 @@
   lib,
   osConfig,
   pkgs,
+  self',
   ...
 }: let
   inherit (lib) mkIf elem;

modules/nixos/base/admin.nix

@@ -30,6 +30,7 @@ in {
           "libvirtd"
           "streamer"
           "torrenter"
+          "www"
         ];
     };
   };

modules/nixos/base/builder.nix

@@ -0,0 +1,12 @@
+{
+  keys,
+  config,
+  ...
+}: let
+  inherit (config.ooknet.host) admin;
+in {
+  users = {
+    groups.builder = {};
+    users.builder = (key: ''command="nix-daemon --stdio",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}'') keys.users.${admin.name};
+  };
+}

modules/nixos/base/nix.nix

@@ -27,7 +27,7 @@ in {
     variables = paths;
   };
   nix = {
-    # package = pkgs.lix;
+    package = pkgs.lix;
 
     # collect garbage
     gc = {

modules/nixos/base/secrets.nix

@@ -25,6 +25,12 @@ in {
       owner = "${admin.name}";
       group = "users";
     };
+    ooknet_org = mkIf admin.homeManager {
+      file = "${self}/secrets/ooknet_org.age";
+      path = "/home/${admin.name}/.ssh/ooknet_org";
+      owner = "${admin.name}";
+      group = "users";
+    };
     spotify_key = mkIf admin.homeManager {
       file = "${self}/secrets/spotify_key.age";
       owner = "${admin.name}";

modules/nixos/server/database/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./postgresql.nix
+  ];
+}

modules/nixos/server/database/postgresql.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf elem optionals;
+  inherit (config.ooknet.server) services database;
+in {
+  config = mkIf database.postgresql.enable {
+    services.postgresql = {
+      enable = true;
+
+      checkConfig = true;
+
+      ensureDatabases = optionals (elem "forgejo" services) ["forgejo"];
+
+      ensureUsers =
+        [
+          {
+            name = "postgres";
+            ensureClauses = {
+              login = true;
+              superuser = true;
+              replication = true;
+              createdb = true;
+              createrole = true;
+            };
+          }
+        ]
+        ++ (optionals (elem "forgejo" services) [
+          {
+            name = "forgejo";
+            ensureDBOwnership = true;
+          }
+        ]);
+    };
+  };
+}

modules/nixos/server/debloat.nix

@@ -0,0 +1,16 @@
+{lib, ...}: let
+  inherit (lib) mkDefault;
+in {
+  # from github:nix-community/srvos
+
+  # disable fonts
+  fonts.fontconfig.enable = false;
+
+  # dont generate documentation
+  documentation = {
+    enable = mkDefault false;
+    info.enable = mkDefault false;
+    man.enable = mkDefault false;
+    nixos.enable = mkDefault false;
+  };
+}

modules/nixos/server/default.nix

@@ -1,7 +1,9 @@
 {
   imports = [
     ./options.nix
+    ./debloat.nix
     ./services
-    ./profiles
+    ./webserver
+    ./database
   ];
 }

modules/nixos/server/options.nix

@@ -1,6 +1,6 @@
 {lib, ...}: let
-  inherit (lib) mkOption;
+  inherit (lib) mkOption mkEnableOption;
-  inherit (lib.types) nullOr listOf enum bool;
+  inherit (lib.types) str nullOr listOf enum bool;
 in {
   options.ooknet.server = {
     exitNode = mkOption {
@@ -14,9 +14,20 @@ in {
       description = "The server profile the host will use as a base";
     };
     services = mkOption {
-      type = listOf (enum ["website"]);
+      type = listOf (enum ["website" "forgejo"]);
       default = [];
       description = "List of services the server will host";
     };
+    domain = mkOption {
+      type = str;
+      default = "";
+    };
+
+    webserver = {
+      caddy.enable = mkEnableOption "";
+    };
+    database = {
+      postgresql.enable = mkEnableOption "";
+    };
   };
 }

modules/nixos/server/profiles/linode.nix

@@ -1,94 +0,0 @@
-{
-  lib,
-  pkgs,
-  config,
-  ...
-}: let
-  inherit (builtins) attrValues;
-  inherit (lib) mkForce getExe' mkIf;
-  inherit (config.ooknet.server) profile;
-in {
-  config = mkIf (profile == "linode") {
-    services.qemuGuest.enable = true;
-
-    networking = {
-      tempAddresses = "disabled";
-      usePredictableInterfaceNames = mkForce false;
-      interfaces.eth0 = {
-        tempAddress = "disabled";
-        useDHCP = true;
-      };
-    };
-    fileSystems."/" = {
-      device = "/dev/sda";
-      fsType = "ext4";
-      autoResize = true;
-    };
-    swapDevices = [{device = "/dev/sdb";}];
-
-    boot = {
-      kernelPackages = pkgs.linuxPackages_latest;
-      kernelModules = [];
-      # LISH console support
-      kernelParams = ["console=ttyS0,19200n8"];
-      extraModulePackages = [];
-      growPartition = true;
-      initrd = {
-        availableKernelModules = [
-          # modules generated by nixos-generate-config
-          "virtio_pci"
-          "virtio_scsi"
-          "ahci"
-          "sd_mod"
-
-          # qemu guest modules
-          "virtio_net"
-          "virtio_mmio"
-          "virtio_blk"
-          "virtio_scsi"
-          "9p"
-          "9pnet_virtio"
-        ];
-        kernelModules = [
-          "virtio_balloon"
-          "virtio_console"
-          "virtio_rng"
-          "virtio_gpu"
-        ];
-      };
-      loader = {
-        grub = {
-          enable = true;
-          device = "nodev";
-          forceInstall = true;
-          copyKernels = true;
-          fsIdentifier = "label";
-          splashImage = null;
-          extraConfig = ''
-            serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
-            terminal_input serial;
-            terminal_output serial
-          '';
-
-          extraInstallCommands = "${getExe' pkgs.coreutils "ln"} -fs /boot/grub /boot/grub2";
-        };
-        timeout = mkForce 10;
-        # disable base settings
-        efi.canTouchEfiVariables = mkForce false;
-        systemd-boot.enable = mkForce false;
-      };
-    };
-
-    environment = {
-      systemPackages = attrValues {
-        inherit
-          (pkgs)
-          inetutils
-          mtr
-          sysstat
-          linode-cli
-          ;
-      };
-    };
-  };
-}

modules/nixos/server/profiles/linode/base/networking.nix

@@ -8,5 +8,6 @@ in {
       tempAddress = "disabled";
       useDHCP = true;
     };
+    firewall.allowedUDPPorts = [443];
   };
 }

modules/nixos/server/profiles/linode/postgresql.nix

@@ -0,0 +1,74 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (config.ooknet.server) database;
+in {
+  # hardware based postgresql configuration for: linode nano
+  # 4GB RAM 1 Core
+  # generated with: <http://pgconfigurator.cybertec.at>
+  config = mkIf database.postgresql {
+    services.postgresql = {
+      settings = {
+        # Connectivity
+        max_connections = 20;
+        superuser_reserved_connections = 3;
+
+        # Memory Settings
+        shared_buffers = "256 MB";
+        work_mem = "32 MB";
+        maintenance_work_mem = "320 MB";
+        huge_pages = "off";
+        effective_cache_size = "1 GB";
+        effective_io_concurrency = 100; # concurrent IO only really activated if OS supports posix_fadvise function
+        random_page_cost = 1.25; # speed of random disk access relative to sequential access (1.0)
+
+        # Monitoring
+        shared_preload_libraries = "pg_stat_statements"; # per statement resource usage stats
+        track_io_timing = "on"; # measure exact block IO times
+        track_functions = "pl"; # track execution times of pl-language procedures if any
+
+        # Replication
+        wal_level = "replica"; # consider using at least 'replica'
+        max_wal_senders = 0;
+        synchronous_commit = "on";
+
+        # Checkpointing:
+        checkpoint_timeout = "15 min";
+        checkpoint_completion_target = 0.9;
+        max_wal_size = "1024 MB";
+        min_wal_size = "512 MB";
+
+        # WAL writing
+        wal_compression = "on";
+        wal_buffers = -1; # auto-tuned by Postgres till maximum of segment size (16MB by default)
+        wal_writer_delay = "200ms";
+        wal_writer_flush_after = "1MB";
+
+        # Background writer
+        bgwriter_delay = "200ms";
+        bgwriter_lru_maxpages = 100;
+        bgwriter_lru_multiplier = 2.0;
+        bgwriter_flush_after = 0;
+
+        # Parallel queries:
+        max_worker_processes = 1;
+        max_parallel_workers_per_gather = 1;
+        max_parallel_maintenance_workers = 1;
+        max_parallel_workers = 1;
+        parallel_leader_participation = "on";
+
+        # Advanced features
+        enable_partitionwise_join = "on";
+        enable_partitionwise_aggregate = "on";
+        jit = "on";
+        max_slot_wal_keep_size = "1000 MB";
+        track_wal_io_timing = "on";
+        maintenance_io_concurrency = 100;
+        wal_recycle = "on";
+      };
+    };
+  };
+}

modules/nixos/server/services/default.nix

@@ -1,5 +1,6 @@
 {
   imports = [
     ./website
+    ./forgejo
   ];
 }

modules/nixos/server/services/forgejo/default.nix

@@ -0,0 +1,66 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (config.ooknet.server) services domain;
+  inherit (lib) mkIf elem;
+in {
+  config = mkIf (elem "forgejo" services) {
+    networking.firewall.allowedTCPPorts = [2222];
+
+    ooknet.server = {
+      webserver.caddy.enable = true;
+      database.postgresql.enable = true;
+    };
+    services = {
+      forgejo = {
+        enable = true;
+
+        settings = {
+          server = {
+            DOMAIN = "git.${domain}";
+            ROOT_URL = "https://git.${domain}";
+            HTTP_PORT = 3000;
+            LANDING_PAGE = "explore";
+
+            START_SSH_SERVER = true;
+            SSH_PORT = 2222;
+            SSH_LISTEN_PORT = 2222;
+          };
+          database = {
+            type = "postgres";
+            createDatabase = true;
+          };
+          service = {
+            DISABLE_REGISTRATION = true;
+          };
+          security = {
+            INSTALL_LOCK = true;
+          };
+        };
+      };
+      caddy.virtualHosts = {
+        "git.${domain}".extraConfig = ''
+          header {
+            Strict-Transport-Security "max-age=31536000;"
+            X-XSS-Protection "1; mode=block"
+            X-Frame-Options "DENY"
+            X-Content-Type-Options "nosniff"
+            -Server
+            Referrer-Policy "no-referrer"
+          }
+
+          # Handle proxying
+          handle_path /* {
+            reverse_proxy localhost:3000 {
+              header_up X-Real-IP {remote_host}
+              header_up X-Forwarded-For {remote_host}
+              header_up X-Forwarded-Proto {scheme}
+            }
+          }
+        '';
+      };
+    };
+  };
+}

modules/nixos/server/services/website/default.nix

@@ -9,8 +9,7 @@
   inherit (self'.packages) website;
 in {
   config = mkIf (elem "website" services) {
-    users.groups.www = {};
+    ooknet.server.webserver.caddy.enable = true;
-
     systemd.tmpfiles.rules = [
       "d /var/www 0775 caddy www"
       "d /var/www/ooknet.org 0775 caddy www"
@@ -40,11 +39,7 @@ in {
     };
 
     # using caddy because it makes my life easy
-    services.caddy = {
+    services.caddy.virtualHosts = {
-      enable = true;
-      group = "www";
-
-      virtualHosts = {
       "ooknet.org".extraConfig =
         # sh
         ''
@@ -69,5 +64,4 @@ in {
       '';
     };
   };
-  };
 }

modules/nixos/server/webserver/caddy.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (config.ooknet.server.webserver) caddy;
+in {
+  config = mkIf caddy.enable {
+    users.groups.www = {};
+    services.caddy = {
+      enable = true;
+      group = "www";
+    };
+  };
+}

modules/nixos/server/webserver/default.nix

@@ -1,5 +1,5 @@
 {
   imports = [
-    ./linode.nix
+    ./caddy.nix
   ];
 }

outputs/hosts/servers.nix

@@ -10,9 +10,10 @@ in {
       inherit withSystem;
       system = "x86_64-linux";
       hostname = "ooknode";
+      domain = "ooknet.org";
       type = "vm";
       profile = "linode";
-      services = ["website"];
+      services = ["website" "forgejo"];
     };
   };
 }

outputs/lib/builders.nix

@@ -89,6 +89,7 @@
     type,
     profile,
     services,
+    domain ? "",
     additionalModules ? [],
     specialArgs ? {},
   }:
@@ -98,7 +99,7 @@
       additionalModules = concatLists [
         (singleton {
           ooknet.server = {
-            inherit services;
+            inherit domain services;
           };
         })
         core

secrets/secrets.nix

@@ -5,4 +5,5 @@ in {
   "tailscale-auth.age".publicKeys = [users.ooks] ++ workstations;
   "github_key.age".publicKeys = [users.ooks] ++ workstations;
   "spotify_key.age".publicKeys = [users.ooks] ++ workstations;
+  "ooknet_org.age".publicKeys = [users.ooks] ++ workstations;
 }