initial commit

modules/nixos/alditalk-extender/default.nix

@@ -0,0 +1,75 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.alditalk-extender;
+
+  inherit (lib)
+    getExe
+    mkEnableOption
+    mkIf
+    mkOption
+    mkPackageOption
+    types
+    ;
+in
+{
+  options.services.alditalk-extender = {
+    enable = mkEnableOption "AldiTalk True Unlimited Extender service";
+
+    package = mkPackageOption pkgs "alditalk-true-unlimited" { };
+
+    envFile = mkOption {
+      type = types.path;
+      example = "/run/architect/alditalk.env";
+      description = ''
+        Path to the environment file containing USERNAME and PASSWORD.
+        The file should look like:
+        USERNAME=0151...
+        PASSWORD=yourpassword
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users = {
+      users = {
+        alditalk = {
+          isSystemUser = true;
+          group = "alditalk";
+          home = "/var/lib/alditalk";
+          createHome = true;
+          description = "AldiTalk Extender Service User";
+        };
+      };
+      groups.alditalk = { };
+    };
+
+    systemd.services.alditalk-extender = {
+      description = "AldiTalk True Unlimited Extender";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        ExecStart = getExe cfg.package;
+        EnvironmentFile = cfg.envFile;
+        Environment = "HOME=/var/lib/alditalk";
+
+        Restart = "always";
+        RestartSec = "30s";
+        User = "alditalk";
+        Group = "alditalk";
+        WorkingDirectory = "/var/lib/alditalk";
+
+        RuntimeDirectory = "alditalk";
+        ProtectSystem = "full";
+        PrivateTmp = true;
+        NoNewPrivileges = false;
+      };
+    };
+  };
+}

modules/nixos/common/default.nix

@@ -0,0 +1,12 @@
+{ inputs, ... }:
+
+{
+  imports = [
+    ./nix.nix
+    ./overlays.nix
+
+    inputs.synix.nixosModules.device.server
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+}

modules/nixos/common/nix.nix

@@ -0,0 +1,31 @@
+{
+  nix = {
+    # TODO: add distributed build support for portuus.de
+    # distributedBuilds = true;
+    # buildMachines = [
+    #   {
+    #     hostName = "portuus.de";
+    #     supportedFeatures = [
+    #       "benchmark"
+    #       "big-parallel"
+    #       "kvm"
+    #       "nixos-test"
+    #     ];
+    #     maxJobs = 8;
+    #     system = "x86_64-linux";
+    #   }
+    # ];
+
+    settings = {
+      # binary caches
+      # substituters = [
+      #   "https://cache.portuus.de"
+      # ];
+      # trusted-public-keys = [
+      #   "cache.portuus.de:INZRjwImLIbPbIx8Qp38gTVmSNL0PYE4qlkRzQY2IAU="
+      # ];
+
+      trusted-users = [ "root" ];
+    };
+  };
+}

modules/nixos/common/overlays.nix

@@ -0,0 +1,11 @@
+{ outputs, ... }:
+
+{
+  nixpkgs.overlays = [
+    outputs.overlays.synix-packages
+    outputs.overlays.local-packages
+    outputs.overlays.modifications
+    outputs.overlays.old-stable-packages
+    outputs.overlays.unstable-packages
+  ];
+}

modules/nixos/default.nix

@@ -0,0 +1,11 @@
+{
+  alditalk-extender = import ./alditalk-extender;
+  common = import ./common;
+  deploy = import ./deploy;
+  forgejo = import ./forgejo;
+  forgejo-runner = import ./forgejo-runner;
+  gnome = import ./gnome;
+  monero = import ./monero;
+  tailscale = import ./tailscale;
+  xfce = import ./xfce;
+}

modules/nixos/deploy/default.nix

@@ -0,0 +1,12 @@
+{ lib, ... }:
+
+{
+  # ssh-keygen -t ed25519 -f ./deploy_key -N "" -C "forgejo-deploy-runner"
+  users.users.root.openssh.authorizedKeys.keyFiles = [
+    ./deploy_key.pub
+  ];
+
+  nix.settings.trusted-users = [ "root" ];
+
+  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
+}

modules/nixos/deploy/deploy_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICi5KG9LTU7gDWm4mkpkvvNYoQWD3/i0Yq26NYyAav3C forgejo-deploy-runner

modules/nixos/forgejo-runner/default.nix

@@ -0,0 +1,68 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.forgejo-runner;
+
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    types
+    ;
+in
+{
+  options.services.forgejo-runner = {
+    enable = mkEnableOption "Nix-based Forgejo Runner service";
+    url = mkOption {
+      type = types.str;
+      description = "Forgejo instance URL.";
+    };
+    tokenFile = mkOption {
+      type = types.path;
+      description = "Path to EnvironmentFile containing TOKEN=...";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    nix.settings.trusted-users = [ "gitea-runner" ];
+
+    services.gitea-actions-runner = {
+      package = pkgs.forgejo-runner;
+      instances.default = {
+        enable = true;
+        name = "${config.networking.hostName}-nix";
+        inherit (cfg) url tokenFile;
+
+        labels = [ "host:host" ];
+
+        hostPackages = with pkgs; [
+          bash
+          coreutils
+          curl
+          gitMinimal
+          gnused
+          nix
+          nodejs
+          openssh
+          deploy-rs
+        ];
+
+        settings = {
+          log.level = "info";
+          runner = {
+            capacity = 1;
+            envs = {
+              NIX_CONFIG = "extra-experimental-features = nix-command flakes";
+              NIX_REMOTE = "daemon";
+            };
+          };
+        };
+      };
+    };
+  };
+}

modules/nixos/forgejo/default.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.services.forgejo;
+
+  inherit (cfg) settings;
+  inherit (lib)
+    getExe
+    head
+    mkDefault
+    mkIf
+    ;
+in
+{
+  config = mkIf cfg.enable {
+    services.forgejo = {
+      database.type = "postgres";
+      lfs.enable = true;
+      settings = {
+        server = {
+          DOMAIN = "git.${config.networking.domain}";
+          PROTOCOL = "http";
+          ROOT_URL = "https://${settings.server.DOMAIN}/";
+          HTTP_ADDR = "0.0.0.0";
+          HTTP_PORT = 3456;
+          SSH_PORT = head config.services.openssh.ports;
+        };
+        service = {
+          DISABLE_REGISTRATION = true;
+        };
+        ui = {
+          DEFAULT_THEME = "forgejo-dark";
+        };
+        actions = {
+          ENABLED = true;
+        };
+        mailer = {
+          ENABLED = mkDefault false;
+          SMTP_ADDR = "mail.${config.networking.domain}";
+          FROM = "git@${settings.server.DOMAIN}";
+          USER = "git@${settings.server.DOMAIN}";
+        };
+      };
+      secrets = {
+        mailer.PASSWD = mkIf settings.mailer.ENABLED config.sops.secrets."forgejo/mail-pw".path;
+      };
+    };
+
+    environment.shellAliases = {
+      forgejo = "sudo -u ${cfg.user} ${getExe cfg.package} --config ${cfg.stateDir}/custom/conf/app.ini";
+    };
+
+    sops.secrets."forgejo/mail-pw" = mkIf settings.mailer.ENABLED {
+      owner = cfg.user;
+      group = cfg.group;
+      mode = "0400";
+    };
+  };
+}

modules/nixos/gnome/default.nix

@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+
+{
+  services.displayManager.gdm.enable = true;
+  services.desktopManager.gnome.enable = true;
+
+  services.gnome.core-apps.enable = false;
+  services.gnome.core-developer-tools.enable = false;
+  services.gnome.games.enable = false;
+  services.gnome.gnome-remote-desktop.enable = true;
+  environment.gnome.excludePackages = with pkgs; [
+    gnome-tour
+    gnome-user-docs
+  ];
+
+  # https://github.com/NixOS/nixpkgs/issues/266774#issuecomment-2525412206
+  systemd.services.gnome-remote-desktop.wantedBy = [ "graphical.target" ];
+  networking.firewall = {
+    allowedTCPPorts = [ 3389 ];
+    allowedUDPPorts = [ 3389 ];
+  };
+
+  programs.firefox.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    networkmanagerapplet
+  ];
+}

modules/nixos/monero/default.nix

@@ -0,0 +1,111 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.services.monero;
+  sops = config.sops;
+
+  inherit (lib) mkDefault mkIf getExe;
+in
+{
+  config = mkIf cfg.enable {
+    services.monero = {
+      environmentFile = sops.templates."monero/environment-file".path;
+      mining.enable = false; # use XMRig + P2Pool
+      rpc = {
+        address = mkDefault "127.0.0.1";
+        port = mkDefault 18081;
+        user = mkDefault "monero";
+        password = mkDefault "$MONERO_RPC_PASSWORD";
+      };
+      extraConfig = ''
+        zmq-pub=tcp://127.0.0.1:18083
+        out-peers=32
+        in-peers=64
+        prune-blockchain=1
+        sync-pruned-blocks=1
+        add-priority-node=p2pmd.xmrvsbeast.com:18080
+        add-priority-node=nodes.hashvault.pro:18080
+        enforce-dns-checkpointing=1
+        enable-dns-blocklist=1
+      '';
+    };
+
+    systemd.services.p2pool = {
+      description = "P2Pool Monero Sidechain Node";
+      after = [
+        "monero.service"
+        "network.target"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.p2pool ];
+
+      serviceConfig = {
+        User = "p2pool";
+        Group = "p2pool";
+        WorkingDirectory = "/var/lib/p2pool";
+        ExecStart = "${getExe pkgs.p2pool} --host 127.0.0.1 --wallet ${cfg.mining.address}";
+        Restart = "always";
+        RestartSec = 10;
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+      };
+    };
+
+    users.users.p2pool = {
+      isSystemUser = true;
+      group = "p2pool";
+      home = "/var/lib/p2pool";
+      createHome = true;
+    };
+    users.groups.p2pool = { };
+
+    services.xmrig = {
+      enable = true;
+      settings = {
+        autosave = true;
+        cpu = {
+          enabled = true;
+          huge-pages = true;
+          hw-aes = null;
+          asm = true;
+          yield = true;
+        };
+        opencl.enabled = false;
+        cuda.enabled = false;
+        pools = [
+          {
+            url = "127.0.0.1:3333";
+            user = "";
+            pass = "";
+          }
+        ];
+        api.enable = true;
+      };
+    };
+
+    sops =
+      let
+        owner = "monero";
+        group = "monero";
+        mode = "0440";
+      in
+      {
+        secrets."monero/rpc-password" = {
+          inherit owner group mode;
+        };
+        templates."monero/environment-file" = {
+          inherit owner group mode;
+          content = ''
+            MONERO_RPC_PASSWORD=${sops.placeholder."monero/rpc-password"}
+          '';
+        };
+      };
+  };
+}

modules/nixos/tailscale/default.nix

@@ -0,0 +1,11 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.tailscale ];
+
+  services.tailscale = {
+    enable = true;
+    enableSSH = true;
+    loginServer = "https://hs.sid.ovh";
+  };
+}

modules/nixos/xfce/default.nix

@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+{
+  services.xserver.enable = true;
+  services.xserver.desktopManager.xterm.enable = false;
+  services.xserver.desktopManager.xfce.enable = true;
+  services.xserver.displayManager.lightdm.enable = true;
+  services.displayManager.defaultSession = "xfce";
+
+  programs.firefox.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    networkmanagerapplet
+  ];
+
+  services.xrdp.enable = true;
+  services.xrdp.defaultWindowManager = "${pkgs.xfce.xfce4-session}/bin/xfce4-session";
+  services.xrdp.openFirewall = true;
+
+  systemd.targets.sleep.enable = false;
+  systemd.targets.suspend.enable = false;
+  systemd.targets.hibernate.enable = false;
+  systemd.targets.hybrid-sleep.enable = false;
+}