initial commit

2026-04-01 08:50:01 +03:00 · 2026-04-01 08:50:01 +03:00 · 30ce0dafc2
commit 30ce0dafc2
195 changed files with 8902 additions and 0 deletions
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -0,0 +1,75 @@
+{
+  pkgs,
+  modulesPath,
+  hostname,
+  lib,
+  config,
+  ...
+}:
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    ../../modules/direnv.nix
+    ../../modules/fonts.nix
+    ../../modules/motd.nix
+    ../../modules/nh.nix
+    ../../modules/nix.nix
+    ../../modules/nixos-update.nix
+    ../../modules/sops.nix
+    ../../modules/ssh.nix
+    ../../modules/remote-build.nix
+    ../../modules/security.nix
+    ../../modules/tmux.nix
+    ../../services
+  ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  system.stateVersion = "25.11";
+  environment.systemPackages = with pkgs; [
+    atool
+    curl
+    cmake
+    dig
+    eza
+    fastfetch
+    git
+    ripgrep
+    bat
+    rmtrash
+  ];
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_ADDRESS = "en_US.UTF-8";
+      LC_IDENTIFICATION = "en_US.UTF-8";
+      LC_MEASUREMENT = "en_US.UTF-8";
+      LC_MONETARY = "en_US.UTF-8";
+      LC_NAME = "en_US.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "en_US.UTF-8";
+      LC_TELEPHONE = "en_US.UTF-8";
+      LC_TIME = "en_US.UTF-8";
+    };
+  };
+
+  console = {
+    font = "cyr-sun16";
+    keyMap = "ruwin_alt_sh-UTF-8";
+  };
+
+  programs.nix-ld = {
+    enable = true;
+    libraries = [ ];
+  };
+
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "";
+  };
+
+  time.timeZone = lib.mkDefault "Europe/Moscow";
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/elaris/default.nix
+++ b/hosts/elaris/default.nix
@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./secrets.nix
+    ./machine.nix
+    ../../modules/audio.nix
+    ../../modules/throne.nix
+    ../../modules/opentablet.nix
+  ];
+
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sdc";
+    useOSProber = true;
+  };
+
+  programs.dconf.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    android-tools
+  ];
+}
--- a/hosts/elaris/hardware-configuration.nix
+++ b/hosts/elaris/hardware-configuration.nix
@ -0,0 +1,30 @@
+{
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ahci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/5a3b4297-3879-4adc-a8eb-6b7c13bfcb81";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/ba42c990-1896-4a4d-8a08-d5ada45c4b72"; }
+  ];
+
+  hardware = {
+    graphics.enable = true;
+    nvidia.modesetting.enable = true;
+  };
+}
--- a/hosts/elaris/machine.nix
+++ b/hosts/elaris/machine.nix
@ -0,0 +1,7 @@
+{
+  machine.xray-3x-ui = {
+    enable = true;
+    domain = "3x-ui.ruject.fun";
+    subscriptions.domain = "sub.3x-ui.ruject.fun";
+  };
+}
--- a/hosts/elaris/secrets.nix
+++ b/hosts/elaris/secrets.nix
@ -0,0 +1,16 @@
+{
+  sops.secrets = {
+    "elaris/publicKey" = {
+      sopsFile = ./../../secrets/elaris.yaml;
+      mode = "0644";
+      owner = "root";
+      group = "root";
+    };
+    "elaris/privateKey" = {
+      sopsFile = ./../../secrets/elaris.yaml;
+      mode = "0600";
+      owner = "root";
+      group = "root";
+    };
+  };
+}
--- a/hosts/velarion/default.nix
+++ b/hosts/velarion/default.nix
@ -0,0 +1,25 @@
+{ modulesPath, ... }:
+{
+  imports = [
+    ./disk.nix
+    ./machine.nix
+    ./secrets.nix
+    ../../modules/podman.nix
+    (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    useOSProber = true;
+  };
+
+  programs.dconf.enable = true;
+
+  # Setup DKIM key directory
+  systemd.tmpfiles.rules = [
+    "d /var/dkim 0755 root root - -"
+  ];
+}
--- a/hosts/velarion/disk.nix
+++ b/hosts/velarion/disk.nix
@ -0,0 +1,37 @@
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = "/dev/vda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/velarion/machine.nix
+++ b/hosts/velarion/machine.nix
@ -0,0 +1,161 @@
+{dns, ...}: let
+  domain = "ruject.fun";
+  database = {
+    host = "127.0.0.1";
+    port = 5432;
+  };
+  ipv4 = "94.156.112.0";
+in {
+  services.nginx.enable = true;
+  machine = {
+    gateway = "10.0.0.1";
+    inherit ipv4;
+    bind = {
+      enable = true;
+      inherit domain;
+      zones = with dns.lib.combinators; {
+        ${domain} = {
+          SOA = {
+            nameServer = "ns1";
+            adminEmail = "hostmaster";
+            serial = 2019030800;
+            refresh = 3 * 60 * 60; # 3 hours
+            retry = 1 * 60 * 60; # 1 hour
+            expire = 7 * 24 * 60 * 60; # 7 days
+          };
+          useOrigin = false;
+          NS = [
+            "ns1"
+            "ns2"
+          ];
+
+          A = [ipv4];
+
+          subdomains = rec {
+            ns1 = host ipv4 null;
+            ns2 = ns1;
+            "3x-ui" = ns1;
+            "sub.3x-ui" = ns1;
+            git = ns1;
+            music = ns1;
+            bitwarden = ns1;
+            roundcube = ns1;
+            status = ns1;
+            irc = ns1;
+            "upload.irc" = ns1;
+            nextcloud = ns1;
+            code = ns1;
+            mail = ns1;
+            matrix = ns1;
+            chat = ns1;
+            turn = ns1;
+          };
+
+          TXT = [
+            (with spf; strict ["a:mail.ruject.fun"])
+          ];
+
+          MX = with mx; [(mx 10 "mail.ruject.fun.")];
+
+          DMARC = [
+            {
+              p = "quarantine";
+              adkim = "strict";
+              aspf = "strict";
+            }
+          ];
+          DKIM = [
+            {
+              selector = "mail";
+              k = "rsa";
+              p = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0L14rM/ObA5WwVlPpCMiy3ESOhqo9Ye0edtc52sjt+YxJxpDgT1oo1yCdoXWbF38/f2RfqgmBCKg0+N9YQFsAL8FbBcAlkERXbt52T/5A5gBkfUnwB1I646WQdT43JsCWiSYgDc4IcVM/tG8Quj/oKois+b8W6dco6NWLET7bBcnBCEfJYL7TLnG+O83poB+gHef3g0WqwMMqXqbgvJutGb4uevJ327Ywa77fcUp7oYrMvgz6ESmetgmsizTwJadwuXC2k4E50ZmlM3tdjpisQgaUImJBqEa311SXfkhD9AbKjfp5tmOjinPMZwqVM09GFkIn89X7U6LDykh85zBNwIDAQAB";
+            }
+          ];
+        };
+      };
+    };
+    code-server = {
+      enable = true;
+      port = 4444;
+      domain = "code.${domain}";
+      user = "rus07tam";
+      hashedPassword = "$argon2i$v=19$m=4096,t=3,p=1$Z29zNjNOalFobUwyak1YY3pwYlYwL0IrN053PQ$hmRE46O8UM9zTgINjt5/xn35xypU+MMxNNq1r7xPXqo";
+    };
+    coturn = {
+      enable = true;
+      startPort = 49000;
+      endPort = 50000;
+      realm = "turn.${domain}";
+    };
+    forgejo = {
+      enable = true;
+      enableRunner = true;
+      domain = "git.${domain}";
+      port = 3000;
+      inherit database;
+    };
+    mail = {
+      enable = true;
+      inherit domain;
+      fqdn = "mail.${domain}";
+    };
+    minecraft-server = {
+      enable = false;
+      port = 25565;
+    };
+    mysql = {
+      enable = true;
+      port = 3306;
+    };
+    navidrome = {
+      enable = true;
+      domain = "music.${domain}";
+      port = 4533;
+      folder = "/mnt/music";
+    };
+    postgresql = {
+      enable = true;
+      port = 5432;
+    };
+    prosody = {
+      enable = true;
+      port = 5347;
+      domain = "irc.${domain}";
+    };
+    nextcloud = {
+      enable = true;
+      host = "nextcloud.${domain}";
+    };
+    redis = {
+      enable = true;
+      port = 6379;
+    };
+    roundcube = {
+      enable = true;
+      domain = "roundcube.${domain}";
+    };
+    synapse = {
+      enable = true;
+      element = {
+        enable = true;
+        domain = "chat.${domain}";
+      };
+      domain = "matrix.${domain}";
+      port = 8008;
+      metrics = {
+        enable = true;
+        port = 9000;
+      };
+    };
+    uptime-kuma = {
+      enable = true;
+      domain = "status.${domain}";
+      port = 4000;
+    };
+    vaultwarden = {
+      enable = true;
+      domain = "bitwarden.${domain}";
+      port = 4534;
+    };
+  };
+}
--- a/hosts/velarion/secrets.nix
+++ b/hosts/velarion/secrets.nix
@ -0,0 +1,25 @@
+{
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.bind;
+in
+with lib; mkIf cfg.enable {
+  sops.secrets = {
+    "velarion/publicKey" = {
+      sopsFile = ./../../secrets/velarion.yaml;
+      path = "/etc/ssh/ssh_host_ed25519_key.pub";
+      mode = "0644";
+      owner = "root";
+      group = "root";
+    };
+    "velarion/privateKey" = {
+      sopsFile = ./../../secrets/velarion.yaml;
+      path = "/etc/ssh/ssh_host_ed25519_key";
+      mode = "0600";
+      owner = "root";
+      group = "root";
+    };
+  };
+}