[rulkc] [PATCH] nix: introduce initial generic configuration
Maxim Moskalets
maximmosk4 at gmail.com
Sun May 24 02:47:21 MSK 2026
>From b79db7775ef24c75cd85becf98618d16344d2daf Mon Sep 17 00:00:00 2001
From: Maxim Moskalets <Maxim.Moskalets at kaspersky.com>
Date: Fri, 22 May 2026 23:55:35 +0300
Subject: [PATCH] nix: introduce initial generic configuration
Signed-off-by: Maxim Moskalets <Maxim.Moskalets at kaspersky.com>
---
config/default.nix | 8 +++++
config/disko.nix | 33 +++++++++++++++++
config/nix.nix | 8 +++++
config/programs/default.nix | 5 +++
config/programs/neovim.nix | 8 +++++
config/services/default.nix | 6 ++++
config/services/firewall.nix | 3 ++
config/services/ssh.nix | 21 +++++++++++
flake.lock | 48 +++++++++++++++++++++++++
flake.nix | 37 +++++++++++++++++++
modules/admins.nix | 39 ++++++++++++++++++++
modules/default.nix | 7 ++++
modules/hostings/beget.nix | 34 ++++++++++++++++++
modules/hostings/default.nix | 6 ++++
modules/hostings/selectel.nix | 29 +++++++++++++++
modules/services/default.nix | 3 ++
modules/services/landau-cgit.nix | 42 ++++++++++++++++++++++
servers/cgit-hardware-configuration.nix | 2 ++
servers/cgit.nix | 21 +++++++++++
19 files changed, 360 insertions(+)
create mode 100644 config/default.nix
create mode 100644 config/disko.nix
create mode 100644 config/nix.nix
create mode 100644 config/programs/default.nix
create mode 100644 config/programs/neovim.nix
create mode 100644 config/services/default.nix
create mode 100644 config/services/firewall.nix
create mode 100644 config/services/ssh.nix
create mode 100644 flake.lock
create mode 100644 flake.nix
create mode 100644 modules/admins.nix
create mode 100644 modules/default.nix
create mode 100644 modules/hostings/beget.nix
create mode 100644 modules/hostings/default.nix
create mode 100644 modules/hostings/selectel.nix
create mode 100644 modules/services/default.nix
create mode 100644 modules/services/landau-cgit.nix
create mode 100644 servers/cgit-hardware-configuration.nix
create mode 100644 servers/cgit.nix
diff --git a/config/default.nix b/config/default.nix
new file mode 100644
index 0000000..764f222
--- /dev/null
+++ b/config/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./disko.nix
+ ./nix.nix
+ ./programs
+ ./services
+ ];
+}
diff --git a/config/disko.nix b/config/disko.nix
new file mode 100644
index 0000000..7366aee
--- /dev/null
+++ b/config/disko.nix
@@ -0,0 +1,33 @@
+{
+ disko.devices.disk.main = {
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ size = "256M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/config/nix.nix b/config/nix.nix
new file mode 100644
index 0000000..5b8037c
--- /dev/null
+++ b/config/nix.nix
@@ -0,0 +1,8 @@
+{
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ system.stateVersion = "25.11";
+}
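Review bot: `system.stateVersion` is a per-host setting that must stay fixed for the lifetime of an installed system, and it has nothing to do with the Nix daemon settings it sits next to in config/nix.nix; keeping it here invites a global bump when someone updates the nixpkgs channel, which changes stateful defaults on already-deployed hosts. Move it to `config/default.nix` or to each `servers/*.nix` with a comment such as `# Do not change after first install; see nixos-help on system.stateVersion`.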
diff --git a/config/programs/default.nix b/config/programs/default.nix
new file mode 100644
index 0000000..73b5f39
--- /dev/null
+++ b/config/programs/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./neovim.nix
+ ];
+}
diff --git a/config/programs/neovim.nix b/config/programs/neovim.nix
new file mode 100644
index 0000000..d4abca3
--- /dev/null
+++ b/config/programs/neovim.nix
@@ -0,0 +1,8 @@
+{
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ viAlias = true;
+ vimAlias = true;
+ };
+}
diff --git a/config/services/default.nix b/config/services/default.nix
new file mode 100644
index 0000000..88c5d35
--- /dev/null
+++ b/config/services/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./firewall.nix
+ ./ssh.nix
+ ];
+}
diff --git a/config/services/firewall.nix b/config/services/firewall.nix
new file mode 100644
index 0000000..09045f4
--- /dev/null
+++ b/config/services/firewall.nix
@@ -0,0 +1,3 @@
+{
+ networking.firewall.enable = true;
+}
diff --git a/config/services/ssh.nix b/config/services/ssh.nix
new file mode 100644
index 0000000..edf5651
--- /dev/null
+++ b/config/services/ssh.nix
@@ -0,0 +1,21 @@
+let
+ ports = [
+ 22
+ 8822
+ ];
+in
+{
+ services.openssh = {
+ enable = true;
+ allowSFTP = false;
+ inherit ports;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ AllowGroups = [ "wheel" ];
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = ports;
+}
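Review bot: `networking.firewall.allowedTCPPorts = ports` duplicates what `services.openssh.openFirewall` (default `true`) already does for `services.openssh.ports`, and the duplicate means a later `openFirewall = false` would not actually close the ports; drop the line, or set `openFirewall = true;` explicitly and keep a single source of truth. The second port `8822` has no rationale recorded; a comment like `# 8822: <reason for the alternate port>` next to it would help the next maintainer. The hardening settings look right; consider pinning them further with `AuthenticationMethods = "publickey";` so that no other method can be re-enabled by a later override elsewhere.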
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..6414d27
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,48 @@
+{
+ "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1779226674,
+ "narHash": "sha256-wuOkjI6pRiN4sEn/EPBRnNW5cmcpvd7xtIM8y5LooAs=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "65fb947964bd44fc0008faf77d1fcb7a9f40bb32",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1779102034,
+ "narHash": "sha256-vZJZjLo513IeI8hjzHFc6TDezUd4uCE2Eq4SNO3DNNg=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "687f05a9184cad4eaf905c48b63649e3a86f5433",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-25.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "disko": "disko",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..cd8d8e1
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,37 @@
+{
+ description = "LANDAU infrastructure";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs =
+ {
+ nixpkgs,
+ disko,
+ ...
+ }:
+ let
+ makeServerSystem =
+ modules: extraConfig:
+ nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ disko.nixosModules.disko
+ ./config
+ ./modules
+ ]
+ ++ modules;
+ }
+ // extraConfig;
+ in
+ {
+ nixosConfigurations = {
+ cgit = makeServerSystem [ ./servers/cgit.nix ] { };
+ };
+ };
+}
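Review bot: `nixpkgs.lib.nixosSystem { ... } // extraConfig` parses as `(nixpkgs.lib.nixosSystem { ... }) // extraConfig` because function application binds tighter than `//`, so `extraConfig` is merged into the already-built system attrset rather than passed to `nixosSystem`; wrap the argument instead: `nixpkgs.lib.nixosSystem ({` ... `} // extraConfig);`. The only call site passes `{ }`, so the bug is latent here. The same shape in modules/admins.nix (`lib.mkIf (...) { ... } // extraAttrs`) has a real effect: the extra attributes land beside the mkIf wrapper's `_type`/`condition`/`content` fields, which, as far as I can tell, the module system does not read, so `initialHashedPassword` and `openssh.authorizedKeys.keys` for `moskalets` are silently dropped; write it as `lib.mkIf (config.admins.${user} || config.admins.all) ({ ... } // extraAttrs)`.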
diff --git a/modules/admins.nix b/modules/admins.nix
new file mode 100644
index 0000000..2d7e7e8
--- /dev/null
+++ b/modules/admins.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+{
+ options.admins = {
+ all = lib.mkEnableOption "All availiable admins";
+ moskalets = lib.mkEnableOption "Maxim Moskalets admin";
+ };
+
+ config.users.users =
+ let
+ makeAdmin =
+ user: description: extraAttrs:
+ lib.mkIf (config.admins.${user} || config.admins.all) {
+ isNormalUser = true;
+ inherit description;
+ extraGroups = [
+ "wheel"
+ ];
+ }
+ // extraAttrs;
+ in
+ {
+ moskalets = makeAdmin "moskalets" "Maxim Moskalets" {
+ # $ argon2 $(openssl rand -base64 18) -id -t 4 -m 18 -p 4
+ # <password>
+ initialHashedPassword = null;
+
+ # YubiKey
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 cardno:29_610_165
+"
+ ];
+ };
+ };
+}
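Review bot: The authorized key string for `moskalets` is closed on the following line, so the value carries a trailing newline after `cardno:29_610_165`; close the quote on the same line so `openssh.authorizedKeys.keys` holds the bare key. `initialHashedPassword = null` combined with the NixOS default `security.sudo.wheelNeedsPassword = true` means this wheel user can log in with the key but cannot elevate via sudo; either set a hash or deliberately set `security.sudo.wheelNeedsPassword = false;` with a comment explaining the key-only model. The comment recommends the `argon2` CLI, but I do not believe the system's libxcrypt accepts `$argon2id$`-encoded hashes — confirm, or point the comment at `mkpasswd -m yescrypt` instead. The option description `"All availiable admins"` is misspelled (`available`).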
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..a1f9a42
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./admins.nix
+ ./hostings
+ ./services
+ ];
+}
diff --git a/modules/hostings/beget.nix b/modules/hostings/beget.nix
new file mode 100644
index 0000000..4ee53ce
--- /dev/null
+++ b/modules/hostings/beget.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+{
+ options.hostings.beget.enable = lib.mkEnableOption "Server on Beget platform";
+
+ # See https://beget.com/ru/kb/faq/cloud/sozdanie-servera-iz-svoego-obraza
+ config = lib.mkIf config.hostings.beget.enable {
+ disko.devices.disk.main.device = "/dev/vda";
+
+ boot.loader.grub.efiSupport = false;
+
+ services.qemuGuest.enable = true;
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ settings = {
+ datasource_list = [
+ "NoCloud"
+ "ConfigDrive"
+ ];
+ };
+ };
+
+ networking = {
+ useDHCP = false;
+ useNetworkd = true;
+ networkmanager.enable = false;
+ };
+ };
+}
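Review bot: With `services.cloud-init.enable = true` and the `NoCloud`/`ConfigDrive` datasources, provider-supplied metadata and user-data can create users, install SSH keys and run scripts on every boot, outside the `admins.*` options this repository declares; if that is only wanted for first-boot provisioning, restrict the module lists in `settings` (e.g. `cloud_init_modules` / `cloud_config_modules`) to what the hosting actually needs and add a comment recording that decision. `boot.loader.grub.efiSupport = false` appears to rely on disko's EF02 partition to supply `boot.loader.grub.devices`; a one-line comment stating that would save the next reader a search. The same cloud-init point applies to modules/hostings/selectel.nix.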
diff --git a/modules/hostings/default.nix b/modules/hostings/default.nix
new file mode 100644
index 0000000..cab83b2
--- /dev/null
+++ b/modules/hostings/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./beget.nix
+ ./selectel.nix
+ ];
+}
diff --git a/modules/hostings/selectel.nix b/modules/hostings/selectel.nix
new file mode 100644
index 0000000..0880dbe
--- /dev/null
+++ b/modules/hostings/selectel.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+{
+ options.hostings.selectel.enable = lib.mkEnableOption "Server on Selectel platform";
+
+ # See https://docs.selectel.ru/en/cloud-servers/images/create-custom-image/
+ config = lib.mkIf config.hostings.selectel.enable {
+ disko.devices.disk.main.device = "/dev/sda";
+
+ boot.loader.grub.efiSupport = false;
+
+ services.qemuGuest.enable = true;
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ settings = {
+ datasource_list = [
+ "ConfigDrive"
+ "Ec2"
+ "None"
+ ];
+ };
+ };
+ };
+}
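Review bot: Unlike modules/hostings/beget.nix, this module sets no `networking.useDHCP`/`useNetworkd`/`networkmanager.enable` while enabling `services.cloud-init.network.enable = true`, so the two hostings end up with different network stacks managed by cloud-init. If the difference is deliberate, add a comment such as `# Selectel images use scripted networking; networkd is not needed here`; otherwise copy the `networking` stanza from beget.nix.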
diff --git a/modules/services/default.nix b/modules/services/default.nix
new file mode 100644
index 0000000..83797f7
--- /dev/null
+++ b/modules/services/default.nix
@@ -0,0 +1,3 @@
+{
+ imports = [ ./landau-cgit.nix ];
+}
diff --git a/modules/services/landau-cgit.nix b/modules/services/landau-cgit.nix
new file mode 100644
index 0000000..66412a9
--- /dev/null
+++ b/modules/services/landau-cgit.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ host = "git.rulkc.org";
+ mkAssetPath = file: toString (./. + "/../../git.rulkc.org/cgit/${file}");
+in
+{
+ options.services.landau-cgit.enable = lib.mkEnableOption "cgit configured for LANDAU";
+
+ config = lib.mkIf config.services.landau-cgit.enable {
+ services.nginx.virtualHosts.${host}.locations = {
+ "= /cgit.png".alias = mkAssetPath "cgit.png";
+ "= /cgit.css".alias = mkAssetPath "cgit.css";
+ "= /favicon.ico".alias = mkAssetPath "favicon.ico";
+ };
+
+ services.cgit.${host} = {
+ enable = true;
+ scanPath = "/var/lib/git";
+ gitHttpBackend.checkExportOkFiles = false;
+ settings = {
+ # Features
+ enable-git-config = true;
+ enable-http-clone = true;
+ enable-index-owner = true;
+ snapshots = "tar.gz zip";
+
+ # Appearance
+ root-title = "LANDAU git repositories";
+ root-desc = "Git repositories for Linux kernel Advanced for Next-gen Devices & Architectures";
+
+ clone-url = "https://${host}/$CGIT_REPO_URL git://git.rulkc.org/$CGIT_REPO_URL ssh://git@${host}/$CGIT_REPO_URL";
+ section-from-path = 3;
+ max-stats = "quarter";
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ };
+}
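Review bot: `clone-url` advertises `https://${host}/...`, but this module opens only TCP 80 and sets no `forceSSL`/`enableACME` on `services.nginx.virtualHosts.${host}`, so either TLS terminates elsewhere or the advertised HTTPS URL is unreachable; if this host terminates TLS, add `forceSSL = true; enableACME = true;` to the virtualHost and open 443. `gitHttpBackend.checkExportOkFiles = false` together with `enable-http-clone = true` makes every repository under `/var/lib/git` publicly cloneable regardless of a `git-daemon-export-ok` marker, which is fine for a public mirror but deserves a comment stating it is intentional. The files referenced by `mkAssetPath` (`cgit.png`, `cgit.css`, `favicon.ico` under `git.rulkc.org/cgit/`) are not in this patch's diffstat, so the aliases will 404 unless they are committed separately.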
diff --git a/servers/cgit-hardware-configuration.nix b/servers/cgit-hardware-configuration.nix
new file mode 100644
index 0000000..2cc9b40
--- /dev/null
+++ b/servers/cgit-hardware-configuration.nix
@@ -0,0 +1,2 @@
+{ }
+#throw "Run nixos-anywhere with `--generate-hardware-config nixos-generate-config ./servers/cgit-hardware-configuration.nix`"
diff --git a/servers/cgit.nix b/servers/cgit.nix
new file mode 100644
index 0000000..916dc33
--- /dev/null
+++ b/servers/cgit.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ pkgs,
+ lib,
+ modulesPath,
+ ...
+}:
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./cgit-hardware-configuration.nix
+ ];
+
+ networking.hostname = "cgit";
+
+ services.landau-cgit.enable = true;
+ hostings.beget.enable = true;
+
+ admins.moskalets = true;
+}
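Review bot: `networking.hostname` is not a NixOS option (the option is `networking.hostName`), so evaluating the `cgit` configuration fails with an undefined-option error; change the line to `networking.hostName = "cgit";`. `config`, `pkgs` and `lib` are bound but unused in this module; `{ modulesPath, ... }:` is sufficient.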
--
2.51.2