initial server config

configuration.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./system.nix
+    ./services/caddy.nix
+    ./services/immich.nix
+    ./services/vaultwarden.nix
+    ./services/forgejo.nix
+  ];
+
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 22 80 443 ];
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/data 0775 daniel users -"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    neovim
+    git
+  ];
+
+  environment.shellAliases = {
+    rebuild = "sudo nixos-rebuild switch --flake ~/server-config#server";
+    rebuild-test = "sudo nixos-rebuild test --flake ~/server-config#server";
+    rebuild-dry = "nixos-rebuild dry-run --flake ~/server-config#server";
+  };
+
+}
+

flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1769900590,
+        "narHash": "sha256-I7Lmgj3owOTBGuauy9FL6qdpeK2umDoe07lM4V+PnyA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "41e216c0ca66c83b12ab7a98cc326b5db01db646",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,20 @@
+{
+  description = "Headless server NixOS configuration";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+  };
+
+  outputs = { self, nixpkgs, ... }:
+    let
+      system = "x86_64-linux";
+    in {
+      nixosConfigurations.server = nixpkgs.lib.nixosSystem {
+        inherit system;
+        modules = [
+          ./configuration.nix
+        ];
+      };
+    };
+}
+

hardware-configuration.nix

@@ -0,0 +1,36 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/8f34107e-94ce-4f6b-b054-c29b04ee6f4d";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/7A33-918A";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  fileSystems."/var/lib/data" =
+    { device = "/dev/disk/by-uuid/6ecf1d4e-b107-4b41-b5e9-e620278caffc";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

services/backup.nix

@@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+
+{
+ 
+  services.postgresql.backup = {
+    enable = true;
+    location = "/var/lib/data/backups/postgres";
+    databases = [ "immich" "paperless" "nextcloud" "vaultwarden" ];
+  };
+ 
+  services.borgbackup.jobs."daily-backup" = {
+   
+    paths = [
+      "/var/lib/data"          
+      "/var/lib/vaultwarden"   
+      "/etc/nixos"             
+    ];
+    
+    exclude = [
+      "**/cache"
+      "**/.cache"
+      "/var/lib/data/immich/thumbs"
+    ];
+   
+    repo = "/var/lib/backup/borg-repo";
+   
+    encryption.mode = "none"; 
+
+    compression = "zstd,1";
+    startAt = "daily";
+
+    prune.keep = {
+      within = "1d";
+      daily = 7;
+      weekly = 4;
+      monthly = 6;
+    };
+  };
+}

services/caddy.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+
+{
+  users.users.caddy.extraGroups = [ "users" ];
+  systemd.tmpfiles.rules = [
+    "d /var/www/website 0755 daniel users - -"
+    "d /var/www/website/public 0755 daniel users - -"
+  ];
+  services.caddy = {
+    enable = true;
+    virtualHosts."danielk.me" = {
+      extraConfig = ''
+        handle_path /graphs/* {
+          root * /var/www/danielk.me/betterGraphs
+          file_server
+        }
+  
+        handle_path /tails/* {
+          root * /var/www/danielk.me/tails
+          file_server
+        }
+  
+        handle_path /public/* {
+          root * /var/www/danielk.me/public
+          file_server browse
+        }
+  
+        handle_path /git/* {
+          root * /var/www/danielk.me/git
+          file_server
+        }
+        reverse_proxy localhost:3333
+      '';
+    };
+  };
+}

services/forgejo.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+  services.forgejo = {
+    enable = true;
+    database.type = "sqlite3";    
+    settings = {
+      server = {
+        DOMAIN = "git.danielk.me";
+        ROOT_URL = "https://git.danielk.me/";
+        HTTP_PORT = 3723;
+      };
+    };
+  };
+
+  services.caddy.virtualHosts."git.danielk.me" = {
+    extraConfig = ''
+      reverse_proxy 127.0.0.1:3723
+    '';
+  };
+}

services/immich.nix

@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+{
+  services.immich = {
+    enable = true;
+    mediaLocation = "/var/lib/data/immich";
+    host = "127.0.0.1";
+    port = 2283;
+    machine-learning.environment.MACHINE_LEARNING_REQUEST_THREADS = "2";
+  };
+
+
+  services.caddy.virtualHosts."photos.danielk.me" = {
+    extraConfig = ''
+      reverse_proxy 127.0.0.1:2283
+    '';
+  };
+
+  # Thumbnails on ssd for faster loading
+  fileSystems."/var/lib/data/immich/thumbs" = {
+    device = "/var/lib/immich-thumbnails";
+    options = [ "bind" ];
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/data/immich 0750 immich immich -"
+    "d /var/lib/immich-thumbnails 0750 immich immich -"
+  ];
+}

services/vaultwarden.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://passwords.danielk.me";
+      SIGNUPS_ALLOWED = false;
+      
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+    };
+  };
+
+  services.caddy.virtualHosts."passwords.danielk.me" = {
+    extraConfig = ''
+      reverse_proxy 127.0.0.1:8222
+    '';
+  };
+
+  # environment.persistence."/persistent".directories = [ "/var/lib/bitwarden_rs" ];
+}

system.nix

@@ -0,0 +1,50 @@
+{ config, pkgs, ... }:
+
+{
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.tmp.cleanOnBoot = true;
+
+  networking.hostName = "server";
+  networking.networkmanager.enable = true;
+
+  services.openssh.enable = true;
+  services.journald.extraConfig = "SystemMaxUse=500M";
+
+  users.users.daniel = {
+    isNormalUser = true;
+    description = "Daniel Kauss Serna";
+    extraGroups = [ "networkmanager" "wheel" ];
+    packages = [];
+  };
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 7d";
+  };
+  system.stateVersion = "25.11";
+
+  time.timeZone = "Europe/Madrid";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "es_ES.UTF-8";
+    LC_IDENTIFICATION = "es_ES.UTF-8";
+    LC_MEASUREMENT = "es_ES.UTF-8";
+    LC_MONETARY = "es_ES.UTF-8";
+    LC_NAME = "es_ES.UTF-8";
+    LC_NUMERIC = "es_ES.UTF-8";
+    LC_PAPER = "es_ES.UTF-8";
+    LC_TELEPHONE = "es_ES.UTF-8";
+    LC_TIME = "es_ES.UTF-8";
+  };
+
+  console.keyMap = "de";
+
+  services.xserver.xkb = {
+    layout = "de";
+  };
+}