initial commit, after deletion :)

This commit is contained in:
toufic ar 2026-01-07 06:25:07 +02:00
commit 9ec37597b3
Signed by: toufic ar
SSH key fingerprint: SHA256:/NaO5I1nG3gYKzrzSiTYIdRyaIYxDWfr1U+d+yfJ/4k
20 changed files with 1006 additions and 0 deletions

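--- a/config/configuration.nix
+++ b/config/configuration.nix
@@ -0,0 +1,30 @@
+{config, ...}: {
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+nix.settings.experimental-features = ["nix-command" "flakes"];
+networking.hostName = "adonis";
+networking.firewall.logRefusedPackets = true;
+customOps.owner = "toufy";
+customOps.domain = "toufy.me";
+sops.secrets."ssh/authorizedKeys/owner" = {};
+users.users.root.openssh.authorizedKeys.keyFiles = [
+config.sops.secrets."ssh/authorizedKeys/owner".path
+];
+services.openssh = {
+enable = true;
+ports = [22];
+settings = {
+PasswordAuthentication = false;
+KbdInteractiveAuthentication = false;
+AllowUsers = null;
+UseDns = true;
+X11Forwarding = false;
+PermitRootLogin = "prohibit-password";
+};
+};
+}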
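Review bot: `AllowUsers = null;` in the sshd settings is a no-op — null is the module default and means "no user restriction" — yet it reads like a restriction was applied. Since root is the only account that receives keys in this commit, either drop the line or make the restriction real with `AllowUsers = ["root"];`. `UseDns = true;` also departs from the NixOS default of false and costs a reverse DNS lookup per connection attempt, so a one-line comment on why it is wanted would help the next reader.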

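--- a/config/default.nix
+++ b/config/default.nix
@@ -0,0 +1,23 @@
+{inputs, ...}: {
+imports = [
+./disks.nix
+./hardware-configuration.nix
+./configuration.nix
+./options.nix
+./devops
+./mail
+./nvim
+./http
+./search
+];
+system.stateVersion = "25.05";
+system.autoUpgrade = {
+enable = true;
+flake = inputs.self.outPath;
+flags = ["--print-build-logs"];
+dates = "00:00";
+runGarbageCollection = true;
+operation = "switch";
+};
+}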
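Review bot: `flake = inputs.self.outPath;` points autoUpgrade at an immutable store path, so as far as I can tell the nightly `switch` re-evaluates exactly the revision that was deployed and never picks up newer inputs or a newer revision of this repository. If the intent is to track the repository, the usual shape is a fetchable flake reference in `flake` (the repository's own URL), possibly with an explicit input update in `flags`. Either way a comment stating what the upgrade is expected to fetch would help, because `runGarbageCollection = true` next to a no-op upgrade reads like a working update pipeline.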


@ -0,0 +1,31 @@
{
config,
pkgs,
...
}: {
sops.secrets."actions_runner/token" = {};
virtualisation.docker.enable = true;
sops.secrets."ssh/authorizedKeys/nix-deploy" = {};
users.users.root.openssh.authorizedKeys.keyFiles = [
config.sops.secrets."ssh/authorizedKeys/nix-deploy".path
];
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.default = {
enable = true;
name = "monolith";
url = config.services.forgejo.settings.actions.DEFAULT_ACTIONS_URL;
tokenFile = config.sops.secrets."actions_runner/token".path;
labels = [
"debian-latest:docker://debian:latest"
"ubuntu-latest:docker://node:current-bullseye"
"alpine-latest:docker://node:current-alpine"
"nix-latest:docker://nixos/nix:latest"
];
};
};
}
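Review bot: The runner executes jobs in Docker on the same host that serves Forgejo and the mail server, and I believe act_runner's default container settings make the host Docker socket available to jobs (its `container.docker_host` option, where `"-"` disables the mount), which would make any repository allowed to run Actions root-equivalent on this box. If the runner must stay here, set `instances.default.settings.container.docker_host = "-";` — please confirm the option name against the runner's configuration reference — and keep Actions limited to trusted repositories; a separate VM for the runner is the safer shape. `users.users.root.openssh.authorizedKeys.keyFiles` is also defined in config/configuration.nix; list options merge so both keys end up authorized, but a short comment saying the two definitions combine would spare a reader the surprise.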


@ -0,0 +1,6 @@
{
imports = [
./forgejo.nix
./actions_runner.nix
];
}

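--- a/config/devops/forgejo.nix
+++ b/config/devops/forgejo.nix
@@ -0,0 +1,128 @@
+{
+config,
+lib,
+...
+}: let
+customDomain = config.customOps.domain;
+mail = "forgejo@${customDomain}";
+cfg = config.services.forgejo;
+srv = cfg.settings.server;
+in {
+sops.secrets = {
+"forgejo/mail".owner = "forgejo";
+"forgejo/admin".owner = "forgejo";
+"mailserver/forgejo".owner = "dovecot2";
+};
+mailserver.loginAccounts.${mail} = lib.mkIf config.mailserver.enable {
+hashedPasswordFile = config.sops.secrets."mailserver/forgejo".path;
+sendOnly = true;
+};
+services.nginx.virtualHosts.${srv.DOMAIN} = {
+forceSSL = true;
+enableACME = true;
+extraConfig = ''
+client_max_body_size 512M;
+'';
+locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+};
+services.forgejo = {
+enable = true;
+lfs.enable = true;
+settings = {
+DEFAULT = {
+APP_NAME = "git.${customDomain}";
+APP_SLOGAN = "the git repositories of ${config.customOps.owner}'s projects";
+APP_DISPLAY_NAME_FORMAT = "${config.customOps.owner}'s forge | {APP_NAME}";
+};
+server = {
+DOMAIN = "git.${customDomain}";
+ROOT_URL = "https://${srv.DOMAIN}/";
+HTTP_PORT = 3000;
+SSH_PORT = lib.head config.services.openssh.ports;
+LANDING_PAGE = "/${config.customOps.owner}";
+};
+actions = {
+ENABLED = true;
+DEFAULT_ACTIONS_URL = "https://${srv.DOMAIN}";
+};
+repository = {
+DISABLE_STARS = true;
+};
+ui = {
+DEFAULT_THEME = "forgejo-auto";
+THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
+DEFAULT_SHOW_FULL_NAME = true;
+PREFERRED_TIMESTAMP_TENSE = "absolute";
+};
+"ui.meta" = {
+AUTHOR = cfg.settings.DEFAULT.APP_NAME;
+DESCRIPTION = cfg.settings.DEFAULT.APP_SLOGAN;
+};
+admin = {
+DISABLE_REGULAR_ORG_CREATION = true;
+};
+security = {
+INSTALL_LOCK = true;
+GLOBAL_TWO_FACTOR_REQUIREMENT = "all";
+PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
+DISABLE_QUERY_AUTH_TOKEN = true;
+};
+service = {
+DISABLE_REGISTRATION = true;
+VALID_SITE_URL_SCHEMES = "https";
+};
+"service.explore" = {
+DISABLE_USERS_PAGE = true;
+};
+picture = {
+ENABLE_FEDERATED_AVATAR = true;
+AVATAR_MAX_FILE_SIZE = 10485760;
+REPOSITORY_AVATAR_FALLBACK = "random";
+};
+federation = {
+ENABLED = true;
+};
+mailer = lib.mkIf config.mailserver.enable {
+ENABLED = true;
+SMTP_ADDR = config.mailserver.fqdn;
+FROM = mail;
+USER = mail;
+};
+i18n = {
+LANGS =
+"en-US,zh-CN,zh-HK,zh-TW,da,de-DE,nds,fr-FR"
++ ",nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR"
++ ",pt-PT,pl-PL,bg,it-IT,fi-FI,fil,eo,tr-TR"
++ ",cs-CZ,sl,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,"
++ "id-ID,ar";
+NAMES =
+"English,,"
++ ",,Dansk,Deutsch,Plattdüütsch"
++ ",Français,Nederlands,Latviešu,Русский,Українська"
++ ",,Español,Português do Brasil"
++ ",Português de Portugal,Polski,Български,Italiano"
++ ",Suomi,Filipino,Esperanto,Türkçe,Čeština,Slovenščina"
++ ",Svenska,,Ελληνικά,فارسی,Magyar nyelv"
++ ",Bahasa Indonesia,العربية";
+};
+other = {
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
+};
+};
+secrets = lib.mkIf config.mailserver.enable {
+mailer.PASSWD = config.sops.secrets."forgejo/mail".path;
+};
+};
+systemd.services.forgejo.preStart = let
+adminCmd = "${lib.getExe cfg.package} admin user";
+passwd = config.sops.secrets."forgejo/admin".path;
+user = config.customOps.owner;
+email = "root@${config.mailserver.fqdn}";
+in ''
+${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${passwd})" || true
+'';
+}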
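Review bot: The preStart at the end of the hunk passes the admin password as a command-line argument (`--password "$(tr -d '\n' < ${passwd})"`), so for the lifetime of that process it is readable by every local process through the process argument list, and `|| true` masks every failure of the command, not only the "user already exists" case it is there to tolerate. Check whether the user exists first (the same `admin user` CLI has a listing subcommand) and only then run `create` without discarding its exit status; if the CLI can take the password from a file or the environment instead of argv, prefer that. The admin email `root@${config.mailserver.fqdn}` also assumes the mail module is enabled, which the rest of this file guards with `lib.mkIf config.mailserver.enable` but this block does not.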

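--- a/config/disks.nix
+++ b/config/disks.nix
@@ -0,0 +1,60 @@
+{
+disko.devices = {
+disk = {
+main = {
+type = "disk";
+device = "/dev/vda";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+priority = 1;
+name = "ESP";
+start = "1M";
+end = "1G";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = ["fmask=0022" "dmask=0022"];
+};
+};
+root = {
+size = "100%";
+content = {
+type = "btrfs";
+extraArgs = ["-f"];
+subvolumes = {
+"/root" = {
+mountOptions = ["compress=zstd"];
+mountpoint = "/";
+};
+"/home" = {
+mountOptions = ["compress=zstd"];
+mountpoint = "/home";
+};
+"/nix" = {
+mountOptions = [
+"compress=zstd"
+"noatime"
+];
+mountpoint = "/nix";
+};
+"/swap" = {
+mountpoint = "/swap";
+mountOptions = ["noatime"];
+swap.swapfile = {
+size = "8G";
+path = "swapfile";
+};
+};
+};
+};
+};
+};
+};
+};
+};
+};
+}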
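Review bot: The ESP is mounted with `mountOptions = ["fmask=0022" "dmask=0022"];`, which leaves /boot (kernels, initrds, loader entries) world-readable; systemd-boot's bootctl warns about a world-accessible ESP for that reason, and I believe current nixos-generate-config output uses the 0077 masks. Nothing on this host other than root needs to read /boot, so `mountOptions = ["fmask=0077" "dmask=0077"];` is a free tightening. The disk is otherwise unencrypted, so the 8G swapfile can receive pages of any process, including service processes holding decrypted secrets; if that is an accepted trade-off for this VM, a comment on the `/swap` subvolume saying so would be worthwhile.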


@ -0,0 +1,16 @@
{
lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

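--- a/config/http/default.nix
+++ b/config/http/default.nix
@@ -0,0 +1,29 @@
+{config, ...}: let
+customDomain = config.customOps.domain;
+in {
+networking.firewall.allowedTCPPorts = [80 443];
+services.nginx = {
+enable = true;
+recommendedTlsSettings = true;
+recommendedOptimisation = true;
+recommendedGzipSettings = true;
+recommendedUwsgiSettings = true;
+recommendedProxySettings = true;
+recommendedBrotliSettings = true;
+sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+virtualHosts.${customDomain} = {
+root = "/var/www/${customDomain}";
+forceSSL = true;
+enableACME = true;
+};
+};
+security.acme = {
+acceptTerms = true;
+defaults.email = "security@${config.mailserver.fqdn}";
+};
+}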
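Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` replaces the module's default TLS 1.2 cipher list with one that drops ChaCha20-Poly1305 and AES-128-GCM (TLS 1.3 suites are not governed by this string), which penalises clients without AES hardware for no security gain. Unless there is a compliance requirement behind the choice, remove the line and let the module default stand; if it stays, a comment naming the requirement belongs next to it. The static vhost also sends no HSTS header; `extraConfig = "add_header Strict-Transport-Security \"max-age=31536000\" always;";` on the virtual host is the usual companion to `forceSSL`.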

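--- a/config/mail/default.nix
+++ b/config/mail/default.nix
@@ -0,0 +1,60 @@
+{config, ...}: let
+mailDomain = config.customOps.domain;
+in {
+sops.secrets = {
+"mailserver/contact".owner = "dovecot2";
+};
+mailserver = {
+enable = true;
+stateVersion = 3;
+fqdn = mailDomain;
+domains = [mailDomain];
+systemDomain = mailDomain;
+systemName = mailDomain;
+dmarcReporting.enable = true;
+fullTextSearch.enable = true;
+mailboxes = {
+Archive = {
+auto = "subscribe";
+specialUse = "Archive";
+};
+Drafts = {
+auto = "subscribe";
+specialUse = "Drafts";
+};
+Junk = {
+auto = "subscribe";
+specialUse = "Junk";
+};
+Sent = {
+auto = "subscribe";
+specialUse = "Sent";
+};
+Trash = {
+auto = "subscribe";
+specialUse = "Trash";
+};
+};
+loginAccounts = {
+"contact@${mailDomain}" = {
+hashedPasswordFile = config.sops.secrets."mailserver/contact".path;
+aliases = [
+"root@${mailDomain}"
+"postmaster@${mailDomain}"
+"security@${mailDomain}"
+"abuse@${mailDomain}"
+"webmaster@${mailDomain}"
+"admin@${mailDomain}"
+"info@${mailDomain}"
+"support@${mailDomain}"
+];
+};
+};
+certificateScheme = "acme";
+};
+}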

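--- a/config/nvim/config.lua
+++ b/config/nvim/config.lua
@@ -0,0 +1,27 @@
+-- global
+vim.g.mapleader = " "
+vim.g.maplocalleader = "\\"
+-- opts
+vim.opt.nu = true
+vim.opt.relativenumber = true
+vim.opt.shiftwidth = 4
+vim.opt.tabstop = 4
+vim.opt.softtabstop = 4
+vim.opt.expandtab = false
+vim.opt.smartindent = true
+vim.opt.wrap = false
+vim.opt.hlsearch = false
+vim.opt.incsearch = true
+vim.opt.scrolloff = 6
+vim.opt.cursorline = true
+vim.opt.cursorcolumn = true
+vim.opt.mouse = nil
+vim.opt.clipboard = "unnamedplus"
+vim.opt.completeopt = { "menu", "menuone", "noselect" }
+vim.opt.winborder = "rounded"
+-- keymap
+vim.keymap.set("n", "<leader>cd", vim.cmd.Ex)
+vim.keymap.set("n", "<leader>|", vim.cmd.vsplit)
+vim.keymap.set("n", "<leader>_", vim.cmd.split)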
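Review bot: `vim.opt.mouse = nil` is not the documented way to disable the mouse; the option's documented "off" value is the empty string, so `vim.opt.mouse = ""` states the intent unambiguously, and I am not certain that assigning nil through `vim.opt` is accepted at all rather than raising. The section comments are helpful; a short note on why `expandtab = false` is paired with a 4-wide `shiftwidth`/`tabstop` would complete the `-- opts` block.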

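--- a/config/nvim/default.nix
+++ b/config/nvim/default.nix
@@ -0,0 +1,14 @@
+{
+programs.neovim = {
+enable = true;
+defaultEditor = true;
+viAlias = true;
+vimAlias = true;
+configure = {
+customRC = ''
+luafile ${./config.lua}
+'';
+};
+};
+}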

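--- a/config/options.nix
+++ b/config/options.nix
@@ -0,0 +1,21 @@
+{lib, ...}: {
+options = with lib; {
+customOps = mkOption {
+description = "custom options";
+type = types.submodule {
+options = {
+owner = mkOption {
+type = types.str;
+default = null;
+description = "machine owner username";
+};
+domain = mkOption {
+type = types.str;
+default = null;
+description = "machine domain name";
+};
+};
+};
+};
+};
+}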
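Review bot: Both `owner` and `domain` are declared `type = types.str;` with `default = null;`, so a host that forgets to set one fails with a type error ("null is not of type string") at the first use site instead of a clear "option must be set" message naming the option. Omit the `default` line to make the options mandatory with a good error, or, if absence is meaningful, declare `type = types.nullOr types.str;` and let the consumers handle null. The `description` strings would also benefit from saying what the values feed (hostnames, mail addresses and the Forgejo landing page in the rest of this commit), since they are interpolated into public-facing URLs.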

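--- a/config/search/default.nix
+++ b/config/search/default.nix
@@ -0,0 +1,95 @@
+{config, ...}: let
+searxDomain = "search.${config.customOps.domain}";
+in {
+imports = [./engines.nix];
+sops.secrets.searx.owner = "searx";
+services.searx = {
+enable = true;
+redisCreateLocally = true;
+limiterSettings = {
+real_ip = {
+x_for = 1;
+ipv4_prefix = 32;
+ipv6_prefix = 56;
+};
+botdetection = {
+ip_limit = {
+filter_link_local = true;
+link_token = true;
+};
+};
+};
+settings = {
+general = {
+debug = false;
+instance_name = "${config.customOps.owner}'s search";
+donation_url = false;
+contact_url = false;
+privacypolicy_url = false;
+enable_metrics = false;
+};
+ui = {
+static_use_hash = true;
+default_locale = "en";
+query_in_title = false;
+infinite_scroll = true;
+center_alignment = false;
+default_theme = "simple";
+theme_args.simple_style = "auto";
+search_on_category_select = true;
+hotkeys = "vim";
+url_formatting = "full";
+};
+search = {
+safe_search = 0;
+autocomplete_min = 2;
+autocomplete = "duckduckgo";
+favicon_resolver = "";
+ban_time_on_fail = 5;
+max_ban_time_on_fail = 120;
+};
+server = {
+base_url = "https://${searxDomain}";
+port = 8888;
+bind_address = "127.0.0.1";
+secret_key = config.sops.secrets.searx.path;
+limiter = true;
+public_instance = true;
+image_proxy = false;
+method = "POST";
+};
+outgoing = {
+request_timeout = 5.0;
+max_request_timeout = 15.0;
+pool_connections = 100;
+pool_maxsize = 15;
+enable_http2 = true;
+};
+enabled_plugins = [
+"Basic Calculator"
+"Hash plugin"
+"Tor check plugin"
+"Open Access DOI rewrite"
+"Hostnames plugin"
+"Unit converter plugin"
+"Tracker URL remover"
+];
+};
+};
+services.nginx.virtualHosts.${searxDomain} = {
+forceSSL = true;
+enableACME = true;
+locations."/".proxyPass = "http://localhost:8888";
+};
+}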
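Review bot: `secret_key = config.sops.secrets.searx.path;` sets SearXNG's signing key to the literal path string of the secret (the `path` attribute is a filesystem path, not the file's contents), so the key that protects sessions and the limiter tokens becomes a predictable constant on a `public_instance = true` deployment. As far as I can tell the NixOS searx module takes secrets through `environmentFile` and substitutes `@VAR@` placeholders inside `settings`; the fix is to store the secret as an env file line `SEARX_SECRET_KEY=<value>`, set `environmentFile = config.sops.secrets.searx.path;`, and write `secret_key = "@SEARX_SECRET_KEY@";` — please confirm the placeholder mechanism against the module's option documentation. A comment on `sops.secrets.searx` describing the expected file format would stop the same mistake being repeated for the next secret.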

163
config/search/engines.nix Normal file

@ -0,0 +1,163 @@
{lib, ...}: {
services.searx.settings.engines = lib.mapAttrsToList (name: value: {inherit name;} // value) {
# unnecessary
"dictzone".disabled = true;
"lingva".disabled = true;
"mymemory translated".disabled = true;
"mozhi".disabled = true;
"presearch".disabled = true;
"presearch images".disabled = true;
"presearch videos".disabled = true;
"presearch news".disabled = true;
"seznam".disabled = true;
"goo".disabled = true;
"naver".disabled = true;
"naver videos".disabled = true;
"naver images".disabled = true;
"naver news".disabled = true;
"alexandria".disabled = true;
"ask".disabled = true;
"crowdview".disabled = true;
"mwmbl".disabled = true;
"searchmysite".disabled = true;
"stract".disabled = true;
"bpb".disabled = true;
"tagesschau".disabled = true;
"wikimini".disabled = true;
"findthatmeme".disabled = true;
"frinkiac".disabled = true;
"livespace".disabled = true;
"sepiasearch".disabled = true;
"mediathekviewweb".disabled = true;
"ina".disabled = true;
"niconio".disabled = true;
"acfun".disabled = true;
"iqiyi".disabled = true;
"wolframalpha".disabled = true;
"ansa".disabled = true;
"il post".disabled = true;
"deezer".disabled = true;
"habrahabr".disabled = true;
"btdigg".disabled = true;
"duden".disabled = true;
"woxikon.de synonyme".disabled = true;
"jisho".disabled = true;
"moviepilot".disabled = true;
"senscritique".disabled = true;
"geizhals".disabled = true;
"duckduckgo weather".disabled = true;
"openmeteo".disabled = true;
"fyyd".disabled = true;
"yummly".disabled = true;
"chefkoch".disabled = true;
"destatis".disabled = true;
# big brother
"google".disabled = true;
"google play movies".disabled = true;
"google play apps".disabled = true;
"google news".disabled = true;
"google images".disabled = true;
"google videos".disabled = true;
"google scholar".disabled = true;
"youtube".disabled = true;
"bing".disabled = true;
"bing images".disabled = true;
"bing videos".disabled = true;
"bing news".disabled = true;
"microsoft learn".disabled = true;
"material icons".disabled = true;
"apple maps".disabled = true;
"apple app store".disabled = true;
"goodreads".disabled = true;
# captcha
"mojeek".disabled = true;
"mojeek images".disabled = true;
"mojeek news".disabled = true;
"qwant".disabled = true;
"qwant images".disabled = true;
"qwant videos".disabled = true;
"qwant news".disabled = true;
"cppreference".disabled = true;
"lib.rs".disabled = true;
"sourcehut".disabled = true;
"free software directory".disabled = true;
"searchcode code".disabled = true;
"pdbe".disabled = true;
"1337x".disabled = true;
"kickass".disabled = true;
"library genesis".disabled = true;
"openrepos".disabled = true;
"tokyotoshokan".disabled = true;
"startpage".disabled = true;
"mulvaddelta".disabled = true;
"mulvaddelta brave".disabled = true;
"brave".disabled = true;
# non-free
"tineye".disabled = true;
"1x".disabled = true;
"adobe stock".disabled = true;
"adobe stock video".disabled = true;
"adobe stock audio".disabled = true;
"deviantart".disabled = true;
"flickr".disabled = true;
"imgur".disabled = true;
"library of congress".disabled = true;
"pinterest".disabled = true;
"unsplash".disabled = true;
"bilibili".disabled = true;
"dailymotion".disabled = true;
"vimeo".disabled = true;
"yahoo".disabled = true;
"yahoo news".disabled = true;
"genius".disabled = true;
"mixcloud".disabled = true;
"soundcloud".disabled = true;
"huggingface".disabled = true;
"huggingface datasets".disabled = true;
"huggingface spaces".disabled = true;
"9gag".disabled = true;
"reddit".disabled = true;
"imdb".disabled = true;
"rottentomatoes".disabled = true;
# shady
"right dao".disabled = true;
"quark".disabled = true;
"quark images".disabled = true;
"sogou".disabled = true;
"sogou images".disabled = true;
"sogou wechat".disabled = true;
"sogou videos".disabled = true;
# LLM
"cloudflareai".disabled = true;
"yacy".disabled = true;
"yacy images".disabled = true;
"yep".disabled = true;
"yep images".disabled = true;
"yep news".disabled = true;
"360search".disabled = true;
"360search videos".disabled = true;
"baidu".disabled = true;
"baidu images".disabled = true;
"baidu kaifa".disabled = true;
"seekr images".disabled = true;
"seekr news".disabled = true;
"seekr videos".disabled = true;
"github".disabled = true;
# censorship
"reuters".disabled = true;
# far-right/disinformation/misinformation
"bitchute".disabled = true;
"rumble".disabled = true;
"bandcamp".disabled = true;
# slow
"crossref".disabled = true;
"wikidata".disabled = true;
# enabled
"wiby".disabled = false;
"duckduckgo".disabled = false;
"duckduckgo images".disabled = false;
"duckduckgo videos".disabled = false;
"duckduckgo news".disabled = false;
};
}