commit 8f6d63909a8289c82f52bbf221539cee8af44ed1
Author: Daniel Kauss Serna
Date: Tue Feb 3 13:22:21 2026 +0100

initial server config

diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..9bc1a83
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./system.nix
+ ./services/caddy.nix
+ ./services/immich.nix
+ ./services/vaultwarden.nix
+ ./services/forgejo.nix
+ ];
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 80 443 ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/data 0775 daniel users -"
+ ];
+
+ environment.systemPackages = with pkgs; [
+ neovim
+ git
+ ];
+
+ environment.shellAliases = {
+ rebuild = "sudo nixos-rebuild switch --flake ~/server-config#server";
+ rebuild-test = "sudo nixos-rebuild test --flake ~/server-config#server";
+ rebuild-dry = "nixos-rebuild dry-run --flake ~/server-config#server";
+ };
+
+}
+
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..42349e7
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1769900590,
+ "narHash": "sha256-I7Lmgj3owOTBGuauy9FL6qdpeK2umDoe07lM4V+PnyA=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "41e216c0ca66c83b12ab7a98cc326b5db01db646",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-25.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..74ab420
--- /dev/null
+++ b/flake.nix
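Review bot: `services/backup.nix` is created by this commit but never imported — the `imports` list here names only hardware-configuration, system, caddy, immich, vaultwarden and forgejo, and flake.nix wires in configuration.nix alone — so the borg job and the postgres dump it defines are not part of the built system; add `./services/backup.nix` to the list. Separately, the tmpfiles rule `"d /var/lib/data 0775 daniel users -"` makes the data root group-writable by `users`, and services/caddy.nix puts the caddy service user into that group, so a compromised web server would have write access under the service data tree. Unless group writes are needed, `"d /var/lib/data 0755 daniel users -"` (or a dedicated group for the people who should write there) is the tighter default.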
@@ -0,0 +1,20 @@
+{
+ description = "Headless server NixOS configuration";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+ };
+
+ outputs = { self, nixpkgs, ... }:
+ let
+ system = "x86_64-linux";
+ in {
+ nixosConfigurations.server = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./configuration.nix
+ ];
+ };
+ };
+}
+
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..edde06b
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,36 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/8f34107e-94ce-4f6b-b054-c29b04ee6f4d";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/7A33-918A";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ fileSystems."/var/lib/data" =
+ { device = "/dev/disk/by-uuid/6ecf1d4e-b107-4b41-b5e9-e620278caffc";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/services/backup.nix b/services/backup.nix
new file mode 100644
index 0000000..a92eb24
--- /dev/null
+++ b/services/backup.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+
+{
+
+ services.postgresql.backup = {
+ enable = true;
+ location = "/var/lib/data/backups/postgres";
+ databases = [ "immich" "paperless" "nextcloud" "vaultwarden" ];
+ };
+
+ services.borgbackup.jobs."daily-backup" = {
+
+ paths = [
+ "/var/lib/data"
+ "/var/lib/vaultwarden"
+ "/etc/nixos"
+ ];
+
+ exclude = [
+ "**/cache"
+ "**/.cache"
+ "/var/lib/data/immich/thumbs"
+ ];
+
+ repo = "/var/lib/backup/borg-repo";
+
+ encryption.mode = "none";
+
+ compression = "zstd,1";
+ startAt = "daily";
+
+ prune.keep = {
+ within = "1d";
+ daily = 7;
+ weekly = 4;
+ monthly = 6;
+ };
+ };
+}
diff --git a/services/caddy.nix b/services/caddy.nix
new file mode 100644
index 0000000..9aba63f
--- /dev/null
+++ b/services/caddy.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+
+{
+ users.users.caddy.extraGroups = [ "users" ];
+ systemd.tmpfiles.rules = [
+ "d /var/www/website 0755 daniel users - -"
+ "d /var/www/website/public 0755 daniel users - -"
+ ];
+ services.caddy = {
+ enable = true;
+ virtualHosts."danielk.me" = {
+ extraConfig = ''
+ handle_path /graphs/* {
+ root * /var/www/danielk.me/betterGraphs
+ file_server
+ }
+
+ handle_path /tails/* {
+ root * /var/www/danielk.me/tails
+ file_server
+ }
+
+ handle_path /public/* {
+ root * /var/www/danielk.me/public
+ file_server browse
+ }
+
+ handle_path /git/* {
+ root * /var/www/danielk.me/git
+ file_server
+ }
+ reverse_proxy localhost:3333
+ '';
+ };
+ };
+}
diff --git a/services/forgejo.nix b/services/forgejo.nix
new file mode 100644
index 0000000..a4327d5
--- /dev/null
+++ b/services/forgejo.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ services.forgejo = {
+ enable = true;
+ database.type = "sqlite3";
+ settings = {
+ server = {
+ DOMAIN = "git.danielk.me";
+ ROOT_URL = "https://git.danielk.me/";
+ HTTP_PORT = 3723;
+ };
+ };
+ };
+
+ services.caddy.virtualHosts."git.danielk.me" = {
+ extraConfig = ''
+ reverse_proxy 127.0.0.1:3723
+ '';
+ };
+}
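Review bot: `encryption.mode = "none"` writes an unencrypted borg repository that, per `paths`, contains `/var/lib/vaultwarden` (the password-manager server's database and server keys), `/etc/nixos` and the postgres dumps, and the `repo` at `/var/lib/backup/borg-repo` lives on the root filesystem of the same machine according to hardware-configuration.nix — so the copy neither survives loss of that disk nor protects the data if the repo directory is ever synced elsewhere. Consider `encryption = { mode = "repokey-blake2"; passCommand = "cat <PATH_TO_SECRET_FILE>"; };` (placeholder path, secret kept outside the repo) and a repo on a second device or remote. The postgres block also looks mis-addressed: the NixOS dump module is exposed as `services.postgresqlBackup`, not `services.postgresql.backup`, so evaluation should fail on an undefined option as soon as this file is imported — please verify against the module list. Its `databases` entry names `paperless` and `nextcloud`, which nothing in this commit creates; if those databases do not exist on the host the dump job will error on them.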
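Review bot: The two tmpfiles rules create `/var/www/website` and `/var/www/website/public`, but every `root` directive in the `danielk.me` vhost serves from `/var/www/danielk.me/...`, so the directories being created are never served and the served ones are never created; align them, e.g. `"d /var/www/danielk.me 0755 daniel users - -"`. `users.users.caddy.extraGroups = [ "users" ]` widens the web server's reach to everything the `users` group can access, which in configuration.nix includes the group-writable `/var/lib/data`; giving the web roots a group caddy can read is the narrower way to get the same effect. `file_server browse` under `/public/*` publishes a directory listing — fine if intended, but worth a one-line comment saying so. The trailing `reverse_proxy localhost:3333` is the catch-all for every path not matched above, including `/`, and this commit defines no service on 3333; if nothing listens there the site root will answer 502.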
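Review bot: Forgejo's self-registration is left at its default in the `settings` block, so once `git.danielk.me` is published through Caddy anyone can create an account and repositories on this host; add `service.DISABLE_REGISTRATION = true;` alongside the `server` section, matching the stance services/vaultwarden.nix already takes with `SIGNUPS_ALLOWED = false`. `HTTP_PORT = 3723` is set but no bind address is; the firewall in configuration.nix only opens 22/80/443 so the port is not reachable from outside either way, but pinning `HTTP_ADDR = "127.0.0.1";` next to it documents that only the local Caddy `reverse_proxy 127.0.0.1:3723` is meant to talk to it.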
diff --git a/services/immich.nix b/services/immich.nix
new file mode 100644
index 0000000..ed0230a
--- /dev/null
+++ b/services/immich.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+{
+ services.immich = {
+ enable = true;
+ mediaLocation = "/var/lib/data/immich";
+ host = "127.0.0.1";
+ port = 2283;
+ machine-learning.environment.MACHINE_LEARNING_REQUEST_THREADS = "2";
+ };
+
+
+ services.caddy.virtualHosts."photos.danielk.me" = {
+ extraConfig = ''
+ reverse_proxy 127.0.0.1:2283
+ '';
+ };
+
+ # Thumbnails on ssd for faster loading
+ fileSystems."/var/lib/data/immich/thumbs" = {
+ device = "/var/lib/immich-thumbnails";
+ options = [ "bind" ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/data/immich 0750 immich immich -"
+ "d /var/lib/immich-thumbnails 0750 immich immich -"
+ ];
+}
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
new file mode 100644
index 0000000..eb7e52e
--- /dev/null
+++ b/services/vaultwarden.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+ services.vaultwarden = {
+ enable = true;
+ config = {
+ DOMAIN = "https://passwords.danielk.me";
+ SIGNUPS_ALLOWED = false;
+
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ };
+ };
+
+ services.caddy.virtualHosts."passwords.danielk.me" = {
+ extraConfig = ''
+ reverse_proxy 127.0.0.1:8222
+ '';
+ };
+
+ # environment.persistence."/persistent".directories = [ "/var/lib/bitwarden_rs" ];
+}
diff --git a/system.nix b/system.nix
new file mode 100644
index 0000000..87e9ca7
--- /dev/null
+++ b/system.nix
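Review bot: Nothing in this module produces a consistent copy of Vaultwarden's SQLite database, yet services/backup.nix files the live state directory `/var/lib/vaultwarden` with borg, and a database file captured mid-write can restore corrupt. Set `services.vaultwarden.backupDir = "<DIRECTORY_INSIDE_THE_BORG_PATHS>";` (placeholder) so the module's own sqlite backup job writes a consistent snapshot, and let borg pick that up instead of, or in addition to, the raw directory. `SIGNUPS_ALLOWED = false` and the loopback `ROCKET_ADDRESS` are the right defaults for an internet-facing instance. The commented-out `environment.persistence` line still referencing `/var/lib/bitwarden_rs` is dead config — drop it or replace it with a comment explaining why it is kept.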
@@ -0,0 +1,50 @@
+{ config, pkgs, ... }:
+
+{
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.tmp.cleanOnBoot = true;
+
+ networking.hostName = "server";
+ networking.networkmanager.enable = true;
+
+ services.openssh.enable = true;
+ services.journald.extraConfig = "SystemMaxUse=500M";
+
+ users.users.daniel = {
+ isNormalUser = true;
+ description = "Daniel Kauss Serna";
+ extraGroups = [ "networkmanager" "wheel" ];
+ packages = [];
+ };
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+ system.stateVersion = "25.11";
+
+ time.timeZone = "Europe/Madrid";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "es_ES.UTF-8";
+ LC_IDENTIFICATION = "es_ES.UTF-8";
+ LC_MEASUREMENT = "es_ES.UTF-8";
+ LC_MONETARY = "es_ES.UTF-8";
+ LC_NAME = "es_ES.UTF-8";
+ LC_NUMERIC = "es_ES.UTF-8";
+ LC_PAPER = "es_ES.UTF-8";
+ LC_TELEPHONE = "es_ES.UTF-8";
+ LC_TIME = "es_ES.UTF-8";
+ };
+
+ console.keyMap = "de";
+
+ services.xserver.xkb = {
+ layout = "de";
+ };
+}
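Review bot: `services.openssh.enable = true` takes the module defaults, which leave password authentication on, while configuration.nix opens port 22 to the world and the `daniel` account is declared with no `openssh.authorizedKeys.keys`; on an internet-facing host that leaves SSH exposed to credential guessing against a `wheel` member. Set `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };` and give `daniel` an authorized public key so logins are key-only. `services.xserver.xkb` has no effect without an X server on what flake.nix describes as a headless machine — either drop it or add a comment saying why it is retained.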