Initial commit

2026-01-13 15:34:28 +03:00 · 2026-01-13 15:34:28 +03:00 · b79d352847
commit b79d352847
37 changed files with 2191 additions and 0 deletions
--- a/hosts/captain/configuration.nix
+++ b/hosts/captain/configuration.nix
@ -0,0 +1,23 @@
+{
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./disko-config.nix
+    ./hardware-configuration.nix
+  ];
+
+  custom.desktop.enable = true;
+
+  home-manager.users.flygrounder = {
+    custom = {
+      catppuccin.enable = true;
+      cli.enable = true;
+      gui.enable = true;
+      hyprland.enable = true;
+      neovim.enable = true;
+      waybar.enable = true;
+    };
+  };
+}
--- a/hosts/captain/disko-config.nix
+++ b/hosts/captain/disko-config.nix
@ -0,0 +1,33 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/nvme0n1";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/captain/hardware-configuration.nix
+++ b/hosts/captain/hardware-configuration.nix
@ -0,0 +1,18 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/home/configuration.nix
+++ b/hosts/home/configuration.nix
@ -0,0 +1,60 @@
+{
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./disko-config.nix
+    ./hardware-configuration.nix
+  ];
+
+  custom.desktop.enable = true;
+
+  services = {
+    desktopManager.plasma6.enable = true;
+    printing = {
+      enable = true;
+      drivers = with pkgs; [ hplipWithPlugin ];
+    };
+  };
+
+  home-manager.users.flygrounder = {
+    custom = {
+      catppuccin.enable = true;
+      cli.enable = true;
+      gui.enable = true;
+      hyprland.enable = true;
+      neovim.enable = true;
+      waybar.enable = true;
+    };
+    wayland.windowManager.hyprland.settings = {
+      monitor = [
+        "DP-1, 2560x1440@180.00Hz, 0x0, 1"
+      ];
+      exec-once = [
+        "${pkgs.kdePackages.kwallet-pam}/libexec/pam_kwallet_init"
+      ];
+    };
+  };
+
+  users.users = {
+    dmitry = {
+      isNormalUser = true;
+      description = "Дмитрий";
+      extraGroups = [ "networkmanager" ];
+      packages = with pkgs; [
+        brave
+        blender
+        libreoffice
+      ];
+    };
+  };
+
+  security.pam.services = {
+    greetd.kwallet = {
+      enable = true;
+      package = pkgs.kdePackages.kwallet-pam;
+      forceRun = true;
+    };
+  };
+}
--- a/hosts/home/disko-config.nix
+++ b/hosts/home/disko-config.nix
@ -0,0 +1,33 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/nvme0n1";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/home/hardware-configuration.nix
+++ b/hosts/home/hardware-configuration.nix
@ -0,0 +1,18 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/laptop/configuration.nix
+++ b/hosts/laptop/configuration.nix
@ -0,0 +1,23 @@
+{
+  ...
+}:
+{
+  imports = [
+    ./disko-config.nix
+    ./hardware-configuration.nix
+  ];
+
+  custom.desktop.enable = true;
+
+  home-manager.users.flygrounder = {
+    custom = {
+      catppuccin.enable = true;
+      cli.enable = true;
+      gui.enable = true;
+      hyprland.enable = true;
+      neovim.enable = true;
+      waybar.enable = true;
+      low-battery-notify.enable = true;
+    };
+  };
+}
--- a/hosts/laptop/disko-config.nix
+++ b/hosts/laptop/disko-config.nix
@ -0,0 +1,39 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                settings.allowDiscards = true;
+                askPassword = true;
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/laptop/hardware-configuration.nix
+++ b/hosts/laptop/hardware-configuration.nix
@ -0,0 +1,18 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@ -0,0 +1,195 @@
+{ ... }:
+let
+  myKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home";
+in
+{
+  age.secrets.stalwart-admin-password = {
+    file = ../../secrets/stalwart-admin-password.age;
+    owner = "stalwart-mail";
+  };
+
+  users.users = {
+    flygrounder = {
+      openssh.authorizedKeys.keys = [
+        myKey
+      ];
+    };
+    root = {
+      openssh.authorizedKeys.keys = [
+        myKey
+      ];
+    };
+  };
+
+  home-manager.users.flygrounder.custom = {
+    catppuccin.enable = true;
+    cli.enable = true;
+    neovim.enable = true;
+  };
+
+  services = {
+    caddy = {
+      enable = true;
+      virtualHosts = {
+        "flygrounder.ru" = {
+          extraConfig = ''
+            reverse_proxy localhost:1234
+          '';
+        };
+        "mtg-bot.flygrounder.ru" = {
+          extraConfig = ''
+            reverse_proxy localhost:3000
+          '';
+        };
+        "syncthing.flygrounder.ru" = {
+          extraConfig = ''
+            reverse_proxy localhost:8384 {
+              header_up Host localhost
+            }
+          '';
+        };
+        "vaultwarden.flygrounder.ru" = {
+          extraConfig = ''
+            encode zstd gzip
+
+            reverse_proxy localhost:8222 {
+              header_up X-Real-IP {remote_host}
+            }
+          '';
+        };
+        "mail.flygrounder.ru" = {
+          extraConfig = ''
+            reverse_proxy localhost:8080
+          '';
+        };
+      };
+    };
+    stalwart = {
+      enable = true;
+      openFirewall = true;
+      settings = {
+        server = {
+          hostname = "mail.flygrounder.ru";
+          tls = {
+            enable = true;
+            implicit = true;
+          };
+          listener = {
+            smtp = {
+              protocol = "smtp";
+              bind = "0.0.0.0:25";
+            };
+            submissions = {
+              bind = "0.0.0.0:465";
+              protocol = "smtp";
+              tls.implicit = true;
+            };
+            imaps = {
+              bind = "0.0.0.0:993";
+              protocol = "imap";
+              tls.implicit = true;
+            };
+            jmap = {
+              bind = "127.0.0.1:8080";
+              protocol = "http";
+            };
+          };
+        };
+        certificate."default" = {
+          cert = "%{file:/var/lib/stalwart-mail/certs/mail.flygrounder.ru.crt}%";
+          private-key = "%{file:/var/lib/stalwart-mail/certs/mail.flygrounder.ru.key}%";
+        };
+
+        authentication.fallback-admin = {
+          user = "admin";
+          secret = "%{file:/run/agenix/stalwart-admin-password}%";
+        };
+        tracer."log" = {
+          type = "log";
+          path = "/var/log/stalwart-mail";
+        };
+      };
+    };
+    openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+      };
+    };
+    vaultwarden = {
+      enable = true;
+      config = {
+        DOMAIN = "https://vaultwarden.flygrounder.ru";
+        SIGNUPS_ALLOWED = false;
+
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+        ROCKET_LOG = "critical";
+      };
+    };
+  };
+
+  systemd.paths.stalwart-certs = {
+    wantedBy = [ "multi-user.target" ];
+    pathConfig = {
+      PathModified = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.crt";
+    };
+  };
+
+  systemd.services.stalwart-certs = {
+    after = [ "caddy.service" ];
+    before = [ "stalwart.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+    };
+    script = ''
+      mkdir -p /var/lib/stalwart-mail/certs
+      cp -L /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.crt /var/lib/stalwart-mail/certs/
+      cp -L /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.key /var/lib/stalwart-mail/certs/
+      chown stalwart-mail:stalwart-mail /var/lib/stalwart-mail/certs/*
+      chmod 600 /var/lib/stalwart-mail/certs/*
+    '';
+    postStop = ''
+      if systemctl is-active --quiet stalwart.service; then
+        systemctl --no-block restart stalwart.service
+      fi
+    '';
+  };
+
+  systemd.services.stalwart.after = [ "stalwart-certs.service" ];
+  systemd.services.stalwart.requires = [ "stalwart-certs.service" ];
+
+  imports = [
+    ./hardware-configuration.nix
+    ./disko-config.nix
+  ];
+
+  nix.settings.trusted-users = [ "flygrounder" ];
+
+  networking = {
+    firewall = {
+      allowedTCPPorts = [
+        80
+        443
+        25
+        465
+        993
+      ];
+    };
+    nameservers = [
+      "1.1.1.1"
+      "8.8.8.8"
+    ];
+    interfaces.ens3.ipv4.addresses = [
+      {
+        address = "62.109.27.62";
+        prefixLength = 32;
+      }
+    ];
+    defaultGateway = {
+      address = "10.0.0.1";
+      interface = "ens3";
+    };
+  };
+}
--- a/hosts/server/disko-config.nix
+++ b/hosts/server/disko-config.nix
@ -0,0 +1,33 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/vda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/server/hardware-configuration.nix
+++ b/hosts/server/hardware-configuration.nix
@ -0,0 +1,17 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}