nixos-config/flake.nix

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
    home-manager.url = "github:nix-community/home-manager/release-22.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    private.url = "git+ssh://git@git.tempest.dev/ashe/nixos-config-private";
    tmpfiles.url = "git+http://git.tempest.dev/ashe/tmpfiles";
    tempestdev.url = "git+http://git.tempest.dev/ashe/tempest.dev";
    tempest-secret.url = "git+ssh://git@git.tempest.dev/ashe/tempest-skycord-secret";
    tempest-contact.url = "git+http://git.tempest.dev/ashe/contact-api";
    gotosocial.url = "git+http://git.tempest.dev/ashe/nixos-wrapper-gotosocial";
    ashen-earth.url = "git+ssh://git@git.tempest.dev/ashe/ashen-earth?ref=post/wasm-gol-2";
    drowning.url = "git+http://git.tempest.dev/ashe/drowning-among-stars";
  };

  outputs = { self, nixpkgs, home-manager, private, tmpfiles, tempestdev, tempest-secret, tempest-contact, gotosocial, ashen-earth, drowning }: {
    nixosConfigurations = {

      nyx = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./hosts/nyx/configuration.nix
          home-manager.nixosModules.home-manager
          private.nixosModules.nyx

          ashen-earth.nixosModule
          tmpfiles.nixosModule
          tempestdev.nixosModule
          tempest-secret.nixosModule
          tempest-contact.nixosModule
          gotosocial.nixosModule
          drowning.nixosModule

          ({ pkgs, ...}: {
            networking.firewall.allowedTCPPorts = [ 80 443 ];

            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;

            services.nginx.enable = true;
            services.nginx.recommendedProxySettings = true;
            services.nginx.appendHttpConfig = ''
              types {
                text/plain wat;
              }
            '';

            security.acme.acceptTerms = true;
            security.acme.defaults.email = "acme@tempest.dev";

            ashe.services."ashen.earth".enable = true;
            ashe.services."ashen.earth".domain = "ashen.earth";

            ashe.services.tmpfiles.enable = true;
            ashe.services.tmpfiles.domain = "files.tempest.dev";
            ashe.services.tmpfiles.port = 4441;

            ashe.services."tempest.dev".enable = true;
            ashe.services."tempest.dev".domain = "tempest.dev";
            ashe.services."tempest.dev".port = 4442;

            ashe.services.tempest-secret.enable = true;
            ashe.services.tempest-secret.domain = "tempest.dev";
            ashe.services.tempest-secret.path = "/secret";
            ashe.services.tempest-secret.port = 4443;

            ashe.services.tempest-api-contact.enable = true;
            ashe.services.tempest-api-contact.domain = "contact.tempest.dev";
            ashe.services.tempest-api-contact.configFile = "/etc/tempest/contact.json";
            ashe.services.tempest-api-contact.port = 4444;

            ashe.services.social.enable = true;
            ashe.services.social.appDomain = "social.tempest.dev";
            ashe.services.social.accountDomain = "tempest.dev";
            ashe.services.social.port = 4445;

            ashe.services.drowning.enable = true;
            ashe.services.drowning.domain = "drowning.ashen.earth";

            services.nginx.virtualHosts."static.tempest.dev" = {
              root = "/var/www/static";
              forceSSL = true;
              enableACME = true;

              locations."/" = {
                extraConfig = ''
                  if ($request_method = GET) {
                    add_header Access-Control-Allow-Origin *;
                    add_header Access-Control-Allow-Credentials true;
                    add_header Access-Control-Allow-Methods "GET, OPTIONS";
                    add_header Access-Control-Allow-Headers "origin, accept, range";
                  }

                  if ($request_method = OPTIONS ) {
                    add_header Access-Control-Allow-Origin *;
                    add_header Access-Control-Allow-Credentials true;
                    add_header Access-Control-Allow-Methods "GET, OPTIONS";
                    add_header Access-Control-Allow-Headers "origin, accept, range";
                    add_header Content-Length 0;
                    add_header Content-Type text/plain;
                    return 204;
                  }
                '';
              };
            };

            services.nginx.virtualHosts."phantomthieves.net" = {
              locations."/" = { proxyPass = "http://necronomicon.tempest.local:4000"; };
              forceSSL = true;
              enableACME = true;
            };

            services.nginx.virtualHosts."forum.phantomthieves.net" = {
              locations."/" = { proxyPass = "http://melete.tempest.local:8999"; };
              forceSSL = true;
              enableACME = true;
            };
          })
        ];
      };

      hemera = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./hosts/hemera/configuration.nix
          private.nixosModules.hemera

          ({ config, pkgs, ...}: {
            services.nix-serve = {
              enable = true;
              secretKeyFile = "/etc/tempest/bincache/key-priv.pem";
            };

            services.nginx = {
              enable = true;
              recommendedProxySettings = true;
              virtualHosts."hemera.tempest.local" = {
                locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
              };
            };
          })
        ];
      };
    };
  };
}
Add flake-based configuration 1 year ago			`{`
			`inputs = {`
			`nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";`
Home manager uses flake 1 year ago			`home-manager.url = "github:nix-community/home-manager/release-22.11";`
			`home-manager.inputs.nixpkgs.follows = "nixpkgs";`
Move password into private repository 1 year ago			`private.url = "git+ssh://git@git.tempest.dev/ashe/nixos-config-private";`
Add /secret service 1 year ago			`tmpfiles.url = "git+http://git.tempest.dev/ashe/tmpfiles";`
			`tempestdev.url = "git+http://git.tempest.dev/ashe/tempest.dev";`
			`tempest-secret.url = "git+ssh://git@git.tempest.dev/ashe/tempest-skycord-secret";`
Add contact api service 1 year ago			`tempest-contact.url = "git+http://git.tempest.dev/ashe/contact-api";`
Moved GTS to its own repo for better consistencty 1 year ago			`gotosocial.url = "git+http://git.tempest.dev/ashe/nixos-wrapper-gotosocial";`
Add branch for unlisted post 1 year ago			`ashen-earth.url = "git+ssh://git@git.tempest.dev/ashe/ashen-earth?ref=post/wasm-gol-2";`
Add config for drowning.tempest.dev 1 year ago			`drowning.url = "git+http://git.tempest.dev/ashe/drowning-among-stars";`
Add flake-based configuration 1 year ago			`};`

Add config for drowning.tempest.dev 1 year ago			`outputs = { self, nixpkgs, home-manager, private, tmpfiles, tempestdev, tempest-secret, tempest-contact, gotosocial, ashen-earth, drowning }: {`
Add flake-based configuration 1 year ago			`nixosConfigurations = {`

			`nyx = nixpkgs.lib.nixosSystem {`
			`system = "x86_64-linux";`
			`modules = [`
			`./hosts/nyx/configuration.nix`
Home manager uses flake 1 year ago			`home-manager.nixosModules.home-manager`
Move password into private repository 1 year ago			`private.nixosModules.nyx`
Add flake-based configuration 1 year ago
Add ashen.earth 1 year ago			`ashen-earth.nixosModule`
Add flake-based configuration 1 year ago			`tmpfiles.nixosModule`
Added tempest.dev service (currently at test domain) 1 year ago			`tempestdev.nixosModule`
Add /secret service 1 year ago			`tempest-secret.nixosModule`
Add contact api service 1 year ago			`tempest-contact.nixosModule`
Added config for GTS instance 1 year ago			`gotosocial.nixosModule`
Add config for drowning.tempest.dev 1 year ago			`drowning.nixosModule`
Add contact api service 1 year ago
Add flake-based configuration 1 year ago			`({ pkgs, ...}: {`
			`networking.firewall.allowedTCPPorts = [ 80 443 ];`

Home manager uses flake 1 year ago			`home-manager.useGlobalPkgs = true;`
			`home-manager.useUserPackages = true;`

Add flake-based configuration 1 year ago			`services.nginx.enable = true;`
Added config for GTS instance 1 year ago			`services.nginx.recommendedProxySettings = true;`
Nyx: Serve .wat files as plaintext 1 year ago			`services.nginx.appendHttpConfig = ''`
			`types {`
			`text/plain wat;`
			`}`
			`'';`

Add flake-based configuration 1 year ago			`security.acme.acceptTerms = true;`
			`security.acme.defaults.email = "acme@tempest.dev";`

Adjust spacing 1 year ago			`ashe.services."ashen.earth".enable = true;`
			`ashe.services."ashen.earth".domain = "ashen.earth";`
Add ashen.earth 1 year ago
Add flake-based configuration 1 year ago			`ashe.services.tmpfiles.enable = true;`
			`ashe.services.tmpfiles.domain = "files.tempest.dev";`
			`ashe.services.tmpfiles.port = 4441;`
Added tempest.dev service (currently at test domain) 1 year ago
			`ashe.services."tempest.dev".enable = true;`
Added config for GTS instance 1 year ago			`ashe.services."tempest.dev".domain = "tempest.dev";`
Added tempest.dev service (currently at test domain) 1 year ago			`ashe.services."tempest.dev".port = 4442;`
Add /secret service 1 year ago
			`ashe.services.tempest-secret.enable = true;`
Added config for GTS instance 1 year ago			`ashe.services.tempest-secret.domain = "tempest.dev";`
Add /secret service 1 year ago			`ashe.services.tempest-secret.path = "/secret";`
			`ashe.services.tempest-secret.port = 4443;`
Add contact api service 1 year ago
			`ashe.services.tempest-api-contact.enable = true;`
			`ashe.services.tempest-api-contact.domain = "contact.tempest.dev";`
			`ashe.services.tempest-api-contact.configFile = "/etc/tempest/contact.json";`
			`ashe.services.tempest-api-contact.port = 4444;`
Add static root 1 year ago
Added config for GTS instance 1 year ago			`ashe.services.social.enable = true;`
			`ashe.services.social.appDomain = "social.tempest.dev";`
			`ashe.services.social.accountDomain = "tempest.dev";`
			`ashe.services.social.port = 4445;`

Add config for drowning.tempest.dev 1 year ago			`ashe.services.drowning.enable = true;`
Move drowning among stars 1 year ago			`ashe.services.drowning.domain = "drowning.ashen.earth";`
Add config for drowning.tempest.dev 1 year ago
Add static root 1 year ago			`services.nginx.virtualHosts."static.tempest.dev" = {`
			`root = "/var/www/static";`
			`forceSSL = true;`
			`enableACME = true;`
Allow range headers and respond to option requests 1 year ago
			`locations."/" = {`
			`extraConfig = ''`
			`if ($request_method = GET) {`
			`add_header Access-Control-Allow-Origin *;`
			`add_header Access-Control-Allow-Credentials true;`
			`add_header Access-Control-Allow-Methods "GET, OPTIONS";`
			`add_header Access-Control-Allow-Headers "origin, accept, range";`
			`}`

			`if ($request_method = OPTIONS ) {`
			`add_header Access-Control-Allow-Origin *;`
			`add_header Access-Control-Allow-Credentials true;`
			`add_header Access-Control-Allow-Methods "GET, OPTIONS";`
			`add_header Access-Control-Allow-Headers "origin, accept, range";`
			`add_header Content-Length 0;`
			`add_header Content-Type text/plain;`
			`return 204;`
			`}`
			`'';`
			`};`
Add static root 1 year ago			`};`
Add phantomthieves forwarding for taba 1 year ago
Fix whitespace 1 year ago			`services.nginx.virtualHosts."phantomthieves.net" = {`
Add phantomthieves forwarding for taba 1 year ago			`locations."/" = { proxyPass = "http://necronomicon.tempest.local:4000"; };`
Fix whitespace 1 year ago			`forceSSL = true;`
			`enableACME = true;`
			`};`
Add preverse proxying for phantom thieves forum 1 year ago
			`services.nginx.virtualHosts."forum.phantomthieves.net" = {`
			`locations."/" = { proxyPass = "http://melete.tempest.local:8999"; };`
			`forceSSL = true;`
			`enableACME = true;`
			`};`
Add flake-based configuration 1 year ago			`})`
			`];`
			`};`

Add hemera configuration 1 year ago			`hemera = nixpkgs.lib.nixosSystem {`
			`system = "x86_64-linux";`
			`modules = [`
			`./hosts/hemera/configuration.nix`
			`private.nixosModules.hemera`

			`({ config, pkgs, ...}: {`
			`services.nix-serve = {`
			`enable = true;`
			`secretKeyFile = "/etc/tempest/bincache/key-priv.pem";`
			`};`

			`services.nginx = {`
			`enable = true;`
			`recommendedProxySettings = true;`
			`virtualHosts."hemera.tempest.local" = {`
			`locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";`
			`};`
			`};`
			`})`
			`];`
			`};`
Add flake-based configuration 1 year ago			`};`
			`};`
			`}`