ivy: init
vt3e.cat
4 months ago
176cc542
efc5ac70
verified
This commit was signed with the committer's
known signature
.
vt3e.cat
SSH Key Fingerprint:
SHA256:bC12nO0d6wKnJ426YBbLO7LVxmZlwJ1l2X0eqOroDV0=
+280
7 changed files
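--- a/README.md
+++ b/README.md
@@ -2,6 +2,8 @@
 
 nix flake for my desktop and server (soon).
 
+todo: agenix
+
 ## copying
 
 this is licensed under the gnu gplv3. you can find the full license text in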
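--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -35,5 +35,23 @@
 }) inputs;
 };
 };
+
+ivy = inputs.nixpkgs.lib.nixosSystem {
+system = "x86_64-linux";
+modules = [
+./ivy
+./ivy/_hware-config.nix
+inputs.home-manager.nixosModules.home-manager
+];
+specialArgs = {
+inherit inputs;
+hostname = "ivy";
+inputs' = builtins.mapAttrs (_: flake: {
+legacyPackages = flake.legacyPackages."x86_64-linux" or { };
+packages = flake.packages."x86_64-linux" or { };
+}) inputs;
+};
+};
+
 };
 }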
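--- /dev/null
+++ b/hosts/ivy/_hware-config.nix
@@ -0,0 +1,64 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+config,
+lib,
+pkgs,
+modulesPath,
+...
+}:
+
+{
+imports = [
+(modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot.initrd.availableKernelModules = [
+"xhci_pci"
+"ehci_pci"
+"uhci_hcd"
+"hpsa"
+"usbhid"
+"usb_storage"
+"sd_mod"
+];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" = {
+device = "/dev/disk/by-uuid/36220e08-4a8d-4327-a9e2-3f0c29868ce6";
+fsType = "ext4";
+};
+
+fileSystems."/boot" = {
+device = "/dev/disk/by-uuid/C4C4-4141";
+fsType = "vfat";
+options = [
+"fmask=0077"
+"dmask=0077"
+];
+};
+
+swapDevices = [
+{ device = "/dev/disk/by-uuid/dceac273-3f1b-45d7-949f-c469eb5af518"; }
+];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+networking.useDHCP = lib.mkDefault true;
+# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
+# networking.interfaces.eno3.useDHCP = lib.mkDefault true;
+# networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+# networking.interfaces.eno49.useDHCP = lib.mkDefault true;
+# networking.interfaces.eno50.useDHCP = lib.mkDefault true;
+# networking.interfaces.eno51.useDHCP = lib.mkDefault true;
+# networking.interfaces.eno52.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}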
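--- /dev/null
+++ b/hosts/ivy/caddy.nix
@@ -0,0 +1,72 @@
+{ ... }:
+{
+services.caddy = {
+enable = true;
+email = "hai@wlo.moe";
+virtualHosts = {
+"pds.wlo.moe" = {
+serverAliases = [ "*.pds.wlo.moe" ];
+extraConfig = ''
+tls {
+on_demand
+}
+
+handle /xrpc/app.bsky.unspecced.getAgeAssuranceState {
+header content-type "application/json"
+header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy"
+header access-control-allow-origin "*"
+respond `{ "lastInitiatedAt": "2025-07-14T14:22:43.912Z", "status": "assured" }` 200
+}
+
+@backend {
+path /xrpc/* /.well-known/* /robots.txt /oauth/* /@*
+}
+
+handle @backend {
+reverse_proxy localhost:8090
+}
+
+handle {
+reverse_proxy localhost:8090
+}
+'';
+};
+"vaultwarden.wlo.moe" = {
+hostName = "vaultwarden.wlo.moe";
+extraConfig = ''
+encode zstd gzip
+reverse_proxy :8222 {
+header_up X-Real-IP {remote_host}
+}
+'';
+};
+"wlo.moe" = {
+extraConfig = ''
+encode zstd gzip
+root * /var/www/wlo.moe
+try_files {path} /index.html
+file_server
+'';
+};
+};
+
+globalConfig = ''
+on_demand_tls {
+ask http://localhost:8090/tls-check
+}
+'';
+
+extraConfig = ''
+(static-common) {
+encode gzip zstd
+try_files {path} /index.html
+file_server
+}
+'';
+};
+
+systemd.services.caddy.serviceConfig = {
+ReadWritePaths = [ "/home/willow/things/www/dist" ];
+};
+
+}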
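Review bot: The `ReadWritePaths = [ "/home/willow/things/www/dist" ]` override near the end of the file grants the caddy unit write access to a path under a user's home directory, yet nothing in the Caddyfile above writes there and the only static site served uses `root * /var/www/wlo.moe`, so the grant is both broader than needed and pointing at a directory the config never serves. A `file_server` only needs read access, so either drop the override or change it to `ReadOnlyPaths` on the directory that is actually the site root (the NixOS caddy unit's home-directory sandboxing may make the `/home/...` path unreachable anyway; worth confirming by checking the unit's `ProtectHome` setting). Two smaller points in the same file: the `(static-common)` snippet in `extraConfig` is never imported by any virtual host, and `handle @backend` and the fallback `handle` both proxy to `localhost:8090`, so the `@backend` matcher does nothing as written. The hardcoded `getAgeAssuranceState` stub answers every caller, unauthenticated and with `access-control-allow-origin "*"`, that the account is `"assured"`; if that is intentional, a one-line comment such as `# stub: reports age assurance as satisfied for all accounts on this PDS` would save the next reader from treating it as a bug.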
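--- /dev/null
+++ b/hosts/ivy/default.nix
@@ -0,0 +1,84 @@
+{
+pkgs,
+...
+}:
+{
+imports = [
+../../modules/shared
+../../user
+./caddy.nix
+./services/pds.nix
+./services/vaultwarden.nix
+];
+
+boot = {
+loader = {
+systemd-boot.enable = true;
+efi.canTouchEfiVariables = true;
+};
+kernelPackages = pkgs.linuxPackages_latest;
+};
+networking = {
+hostName = "ivy";
+networkmanager.enable = true;
+
+firewall = {
+allowedTCPPorts = [
+22
+80
+443
+];
+allowedUDPPorts = [ ];
+enable = true;
+};
+};
+security.sudo.wheelNeedsPassword = false;
+
+time.timeZone = "Europe/London";
+i18n = {
+defaultLocale = "en_GB.UTF-8";
+extraLocaleSettings = {
+LC_ADDRESS = "en_GB.UTF-8";
+LC_IDENTIFICATION = "en_GB.UTF-8";
+LC_MEASUREMENT = "en_GB.UTF-8";
+LC_MONETARY = "en_GB.UTF-8";
+LC_NAME = "en_GB.UTF-8";
+LC_NUMERIC = "en_GB.UTF-8";
+LC_PAPER = "en_GB.UTF-8";
+LC_TELEPHONE = "en_GB.UTF-8";
+LC_TIME = "en_GB.UTF-8";
+};
+};
+
+nixpkgs.config.allowUnfree = true;
+environment.systemPackages = with pkgs; [
+vim
+wget
+neofetch
+git
+home-manager
+];
+
+users = {
+mutableUsers = false;
+users."willow" = {
+isNormalUser = true;
+hashedPassword = null;
+extraGroups = [
+"wheel"
+"docker"
+];
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWD6wk95qNhk/36vEH34qIRp/TPCcQ+D+u5Xd9/N0m1 hai@wlo.moe"
+];
+};
+users.root.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWD6wk95qNhk/36vEH34qIRp/TPCcQ+D+u5Xd9/N0m1 hai@wlo.moe"
+];
+};
+
+services.openssh = {
+enable = true;
+ports = [ 22 ];
+};
+}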
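Review bot: The `services.openssh` block at the end of the file enables sshd on port 22, which the firewall above exposes, without pinning any authentication settings, so the NixOS defaults apply and, unless overridden elsewhere in `modules/shared`, `PasswordAuthentication` stays on even though every visible account is key-only (`hashedPassword = null`, `mutableUsers = false`). The same key is authorized for both `willow` and `root`, and `wheelNeedsPassword = false` already makes the `willow` key a root key, so the separate `users.root.openssh.authorizedKeys.keys` entry only adds a second root-login path; consider dropping it. The `"docker"` group on `willow` is root-equivalent on any host where the docker socket is enabled, though nothing in this file enables it. Turning password and keyboard-interactive auth off explicitly keeps sshd from answering password probes at all:

```nix
services.openssh = {
  enable = true;
  ports = [ 22 ];
  settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
    PermitRootLogin = "prohibit-password";
  };
};
```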
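--- /dev/null
+++ b/hosts/ivy/services/pds.nix
@@ -0,0 +1,15 @@
+{
+services.bluesky-pds = {
+enable = true;
+
+environmentFiles = [
+"/etc/pds/pds.env"
+];
+
+settings = {
+PDS_HOSTNAME = "pds.wlo.moe";
+PDS_PORT = 8090;
+PDS_DATA_DIRECTORY = "/var/lib/pds";
+};
+};
+}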
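Review bot: The `environmentFiles = [ "/etc/pds/pds.env" ]` entry is the only place the PDS secrets can live (the module's `settings` here hold no credentials), but nothing in the repo declares that file, its owner, or its mode, and the README's "todo: agenix" suggests it is currently hand-placed. Until it is managed, a comment next to the path stating the contract would help whoever rebuilds the host: `# hand-managed, root:root 0600; holds PDS_JWT_SECRET, PDS_ADMIN_PASSWORD and the PLC rotation key — never in the store`. Whether the PDS listens on loopback only is not visible from this file; it is reachable through Caddy on `localhost:8090` and the firewall opens only 22/80/443, so exposure is bounded by the firewall rather than by the bind address — worth confirming if the firewall is ever relaxed.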
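--- /dev/null
+++ b/hosts/ivy/services/vaultwarden.nix
@@ -0,0 +1,25 @@
+{ ... }:
+{
+services.vaultwarden = {
+enable = true;
+backupDir = "/var/backups/vaultwarden";
+environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+config = {
+DOMAIN = "https://vaultwarden.wlo.moe";
+SIGNUPS_ALLOWED = false;
+
+ROCKET_ADDRESS = "127.0.0.1";
+ROCKET_PORT = 8222;
+ROCKET_LOG = "critical";
+
+SMTP_HOST = "smtp.resend.com";
+SMTP_PORT = 2587;
+SMTP_SECURITY = "starttls";
+
+SMTP_FROM = "meow@mail.wlo.moe";
+SMTP_FROM_NAME = "vaultmeowden";
+SMTP_USER = "resend";
+SMTP_USERNAME = "resend";
+};
+};
+}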
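Review bot: `SMTP_USER = "resend";` and `SMTP_USERNAME = "resend";` set the same value under two keys; `SMTP_USERNAME` is the documented vaultwarden setting, and `SMTP_USER` looks like a holdover that should be dropped so the next edit does not update one and not the other. The `environmentFile` at `/var/lib/vaultwarden/vaultwarden.env` sits inside the service's state directory next to the database, so the secrets it presumably carries (`SMTP_PASSWORD`, and `ADMIN_TOKEN` if the admin panel is used) ride along with any copy of that directory; the file should be `0600` and, if `ADMIN_TOKEN` is set, stored as an argon2 PHC hash rather than plaintext, which a short comment on that line could record. `ROCKET_LOG = "critical"` silences Rocket's request logging; vaultwarden's own `LOG_LEVEL` and `EXTENDED_LOGGING` are separate and are what fail2ban-style tooling keys on, so check that failed-login events are still being written somewhere before relying on them. `SIGNUPS_ALLOWED = false` and the loopback `ROCKET_ADDRESS` are the right defaults for a single-user instance.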