[rulkc] [PATCH] nix: introduce initial generic configuration
Viacheslav Dubeyko
slava at dubeyko.com
Mon May 25 19:46:43 MSK 2026
On Sun, 2026-05-24 at 02:47 +0300, Maxim Moskalets wrote:
> From b79db7775ef24c75cd85becf98618d16344d2daf Mon Sep 17 00:00:00
> 2001
> From: Maxim Moskalets <Maxim.Moskalets at kaspersky.com>
> Date: Fri, 22 May 2026 23:55:35 +0300
> Subject: [PATCH] nix: introduce initial generic configuration
>
Where is the commit message? It is completely unclear what this patch
is about and what its goal is. Every patch MUST HAVE a
clear and precise commit message.
Thanks,
Slava.
> Signed-off-by: Maxim Moskalets <Maxim.Moskalets at kaspersky.com>
> ---
> config/default.nix | 8 +++++
> config/disko.nix | 33 +++++++++++++++++
> config/nix.nix | 8 +++++
> config/programs/default.nix | 5 +++
> config/programs/neovim.nix | 8 +++++
> config/services/default.nix | 6 ++++
> config/services/firewall.nix | 3 ++
> config/services/ssh.nix | 21 +++++++++++
> flake.lock | 48
> +++++++++++++++++++++++++
> flake.nix | 37 +++++++++++++++++++
> modules/admins.nix | 39 ++++++++++++++++++++
> modules/default.nix | 7 ++++
> modules/hostings/beget.nix | 34 ++++++++++++++++++
> modules/hostings/default.nix | 6 ++++
> modules/hostings/selectel.nix | 29 +++++++++++++++
> modules/services/default.nix | 3 ++
> modules/services/landau-cgit.nix | 42 ++++++++++++++++++++++
> servers/cgit-hardware-configuration.nix | 2 ++
> servers/cgit.nix | 21 +++++++++++
> 19 files changed, 360 insertions(+)
> create mode 100644 config/default.nix
> create mode 100644 config/disko.nix
> create mode 100644 config/nix.nix
> create mode 100644 config/programs/default.nix
> create mode 100644 config/programs/neovim.nix
> create mode 100644 config/services/default.nix
> create mode 100644 config/services/firewall.nix
> create mode 100644 config/services/ssh.nix
> create mode 100644 flake.lock
> create mode 100644 flake.nix
> create mode 100644 modules/admins.nix
> create mode 100644 modules/default.nix
> create mode 100644 modules/hostings/beget.nix
> create mode 100644 modules/hostings/default.nix
> create mode 100644 modules/hostings/selectel.nix
> create mode 100644 modules/services/default.nix
> create mode 100644 modules/services/landau-cgit.nix
> create mode 100644 servers/cgit-hardware-configuration.nix
> create mode 100644 servers/cgit.nix
>
> diff --git a/config/default.nix b/config/default.nix
> new file mode 100644
> index 0000000..764f222
> --- /dev/null
> +++ b/config/default.nix
> @@ -0,0 +1,8 @@
> +{
> + imports = [
> + ./disko.nix
> + ./nix.nix
> + ./programs
> + ./services
> + ];
> +}
> diff --git a/config/disko.nix b/config/disko.nix
> new file mode 100644
> index 0000000..7366aee
> --- /dev/null
> +++ b/config/disko.nix
> @@ -0,0 +1,33 @@
> +{
> + disko.devices.disk.main = {
> + type = "disk";
> + content = {
> + type = "gpt";
> + partitions = {
> + boot = {
> + name = "boot";
> + size = "1M";
> + type = "EF02";
> + };
> + esp = {
> + size = "256M";
> + type = "EF00";
> + content = {
> + type = "filesystem";
> + format = "vfat";
> + mountpoint = "/boot";
> + };
> + };
> + root = {
> + name = "root";
> + size = "100%";
> + content = {
> + type = "filesystem";
> + format = "ext4";
> + mountpoint = "/";
> + };
> + };
> + };
> + };
> + };
> +}
> diff --git a/config/nix.nix b/config/nix.nix
> new file mode 100644
> index 0000000..5b8037c
> --- /dev/null
> +++ b/config/nix.nix
> @@ -0,0 +1,8 @@
> +{
> + nix.settings.experimental-features = [
> + "nix-command"
> + "flakes"
> + ];
> +
> + system.stateVersion = "25.11";
> +}
> diff --git a/config/programs/default.nix
> b/config/programs/default.nix
> new file mode 100644
> index 0000000..73b5f39
> --- /dev/null
> +++ b/config/programs/default.nix
> @@ -0,0 +1,5 @@
> +{
> + imports = [
> + ./neovim.nix
> + ];
> +}
> diff --git a/config/programs/neovim.nix b/config/programs/neovim.nix
> new file mode 100644
> index 0000000..d4abca3
> --- /dev/null
> +++ b/config/programs/neovim.nix
> @@ -0,0 +1,8 @@
> +{
> + programs.neovim = {
> + enable = true;
> + defaultEditor = true;
> + viAlias = true;
> + vimAlias = true;
> + };
> +}
> diff --git a/config/services/default.nix
> b/config/services/default.nix
> new file mode 100644
> index 0000000..88c5d35
> --- /dev/null
> +++ b/config/services/default.nix
> @@ -0,0 +1,6 @@
> +{
> + imports = [
> + ./firewall.nix
> + ./ssh.nix
> + ];
> +}
> diff --git a/config/services/firewall.nix
> b/config/services/firewall.nix
> new file mode 100644
> index 0000000..09045f4
> --- /dev/null
> +++ b/config/services/firewall.nix
> @@ -0,0 +1,3 @@
> +{
> + networking.firewall.enable = true;
> +}
> diff --git a/config/services/ssh.nix b/config/services/ssh.nix
> new file mode 100644
> index 0000000..edf5651
> --- /dev/null
> +++ b/config/services/ssh.nix
> @@ -0,0 +1,21 @@
> +let
> + ports = [
> + 22
> + 8822
> + ];
> +in
> +{
> + services.openssh = {
> + enable = true;
> + allowSFTP = false;
> + inherit ports;
> + settings = {
> + PasswordAuthentication = false;
> + PermitRootLogin = "no";
> + AllowGroups = [ "wheel" ];
> + KbdInteractiveAuthentication = false;
> + };
> + };
> +
> + networking.firewall.allowedTCPPorts = ports;
> +}
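Review bot: `AllowGroups = [ "wheel" ]` limits SSH logins to administrators, which conflicts with the `ssh://git@${host}/…` clone URL advertised in modules/services/landau-cgit.nix: a `git` account would either be refused by sshd or have to join the sudo-capable `wheel` group. If SSH access to repositories is planned, a dedicated group (`AllowGroups = [ "wheel" "git" ];`) keeps it apart from admin accounts; otherwise the SSH clone URL should be dropped. The second port `8822` is opened in the firewall alongside 22 with no explanation, so a one-line comment above `ports` saying why both are needed would help.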
> diff --git a/flake.lock b/flake.lock
> new file mode 100644
> index 0000000..6414d27
> --- /dev/null
> +++ b/flake.lock
> @@ -0,0 +1,48 @@
> +{
> + "nodes": {
> + "disko": {
> + "inputs": {
> + "nixpkgs": [
> + "nixpkgs"
> + ]
> + },
> + "locked": {
> + "lastModified": 1779226674,
> + "narHash": "sha256-
> wuOkjI6pRiN4sEn/EPBRnNW5cmcpvd7xtIM8y5LooAs=",
> + "owner": "nix-community",
> + "repo": "disko",
> + "rev": "65fb947964bd44fc0008faf77d1fcb7a9f40bb32",
> + "type": "github"
> + },
> + "original": {
> + "owner": "nix-community",
> + "repo": "disko",
> + "type": "github"
> + }
> + },
> + "nixpkgs": {
> + "locked": {
> + "lastModified": 1779102034,
> + "narHash": "sha256-
> vZJZjLo513IeI8hjzHFc6TDezUd4uCE2Eq4SNO3DNNg=",
> + "owner": "NixOS",
> + "repo": "nixpkgs",
> + "rev": "687f05a9184cad4eaf905c48b63649e3a86f5433",
> + "type": "github"
> + },
> + "original": {
> + "owner": "NixOS",
> + "ref": "nixos-25.11",
> + "repo": "nixpkgs",
> + "type": "github"
> + }
> + },
> + "root": {
> + "inputs": {
> + "disko": "disko",
> + "nixpkgs": "nixpkgs"
> + }
> + }
> + },
> + "root": "root",
> + "version": 7
> +}
> diff --git a/flake.nix b/flake.nix
> new file mode 100644
> index 0000000..cd8d8e1
> --- /dev/null
> +++ b/flake.nix
> @@ -0,0 +1,37 @@
> +{
> + description = "LANDAU infrastructure";
> +
> + inputs = {
> + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
> + disko = {
> + url = "github:nix-community/disko";
> + inputs.nixpkgs.follows = "nixpkgs";
> + };
> + };
> +
> + outputs =
> + {
> + nixpkgs,
> + disko,
> + ...
> + }:
> + let
> + makeServerSystem =
> + modules: extraConfig:
> + nixpkgs.lib.nixosSystem {
> + system = "x86_64-linux";
> + modules = [
> + disko.nixosModules.disko
> + ./config
> + ./modules
> + ]
> + ++ modules;
> + }
> + // extraConfig;
> + in
> + {
> + nixosConfigurations = {
> + cgit = makeServerSystem [ ./servers/cgit.nix ] { };
> + };
> + };
> +}
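Review bot: In `makeServerSystem`, function application binds tighter than `//`, so `nixpkgs.lib.nixosSystem { … } // extraConfig` merges `extraConfig` onto the evaluated system rather than into the arguments. It is harmless while the only caller passes `{ }`, but anything passed later (for example `specialArgs`) would be ignored. The same pattern in `makeAdmin` in modules/admins.nix has a real effect today: `lib.mkIf (…) { … } // extraAttrs` puts `initialHashedPassword` and `openssh.authorizedKeys.keys` next to the `mkIf` wrapper's `condition`/`content` fields. As far as I can tell the module system ignores them there, so the account would be created without its SSH key. I would parenthesise both: `nixpkgs.lib.nixosSystem ({ … } // extraConfig)` and `lib.mkIf (…) ({ … } // extraAttrs)`.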
> diff --git a/modules/admins.nix b/modules/admins.nix
> new file mode 100644
> index 0000000..2d7e7e8
> --- /dev/null
> +++ b/modules/admins.nix
> @@ -0,0 +1,39 @@
> +{
> + config,
> + lib,
> + ...
> +}:
> +
> +{
> + options.admins = {
> + all = lib.mkEnableOption "All availiable admins";
> + moskalets = lib.mkEnableOption "Maxim Moskalets admin";
> + };
> +
> + config.users.users =
> + let
> + makeAdmin =
> + user: description: extraAttrs:
> + lib.mkIf (config.admins.${user} || config.admins.all) {
> + isNormalUser = true;
> + inherit description;
> + extraGroups = [
> + "wheel"
> + ];
> + }
> + // extraAttrs;
> + in
> + {
> + moskalets = makeAdmin "moskalets" "Maxim Moskalets" {
> + # $ argon2 $(openssl rand -base64 18) -id -t 4 -m 18 -p 4
> + # <password>
> + initialHashedPassword = null;
> +
> + # YubiKey
> + openssh.authorizedKeys.keys = [
> + "ssh-rsa
> AAAAB3NzaC1yc2EAAAADAQABAAACAQDH+C8vzOOqDx7un96FhGewfE6UufLHys3Y3ke6W
> xoV05XPWc+d/1T9wCU7escUgdOUI90+Ps/0Os4PzfP0znOE08Xj+6nZsRSkhu+WEFyRu8
> e86NRoCEIk2u8WNxMhR112taT6bLf/TRWzDyai159sKz7PhuIW/uP/SwsIzpr+AWhBVzz
> T0Ytz3QVX4JCrRYXyuFwTLNIFRzziKBP69nkl/KKwRdULGIzlGXqHTOzLLL26sSWuGTaZ
> g3ao+DfLV5gmL3VkU9jEyF2OVodsxmQ3qeoRRsHlSy7FmQeCg4I3uhbi/v8bR1xyhfn7Y
> LaKfFkuTnK0EfFfbRTPLyWglwb3yeulkUg3oDc4AKSoks3Dzi53LBSEI//5Yw3nfFu3Hu
> 85UgZQ6A9lRolrkibjKil1s8yodU5vSGKtGkh98U//KzXDEHOLqZ7mfY+hvvY11oQ0KOL
> YzgYX9hwvMgYTa3dmzADRfs/PMfOqja1TDsVvnHNnIfmjNe8WojbBPzB8ytmTDpMERIAO
> NwyR2p0Bf6fon04hQu/yyc/iE+zbn/JDf9LYbj4+yr6RpRJXbbh5KsfXAJ6vf0XBEkdV5
> KymD1N6Ni44lGFwg5clDs3rj5K/liSZK4joyqUaUtzGi0DxwT1lypl87iJpw0cThCOr80
> fVl4FiyEkTjZjMc0UP/cA6BQ== cardno:29_610_165
> +"
> + ];
> + };
> + };
> +}
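Review bot: The `moskalets` account is put in `wheel` with `initialHashedPassword = null`, and nothing in this patch sets a password or changes the sudo policy. As far as I know, NixOS sudo asks wheel members for their password by default. With `PermitRootLogin = "no"` in config/services/ssh.nix, the only declared admin may therefore be able to log in but not become root. Either supply the hash the comment describes, or state the intended escalation path explicitly (e.g. `security.sudo.wheelNeedsPassword = false;` with a comment that key-only login is the sole authentication factor). Minor: "availiable" in the `all` option description should read "available".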
> diff --git a/modules/default.nix b/modules/default.nix
> new file mode 100644
> index 0000000..a1f9a42
> --- /dev/null
> +++ b/modules/default.nix
> @@ -0,0 +1,7 @@
> +{
> + imports = [
> + ./admins.nix
> + ./hostings
> + ./services
> + ];
> +}
> diff --git a/modules/hostings/beget.nix b/modules/hostings/beget.nix
> new file mode 100644
> index 0000000..4ee53ce
> --- /dev/null
> +++ b/modules/hostings/beget.nix
> @@ -0,0 +1,34 @@
> +{
> + config,
> + lib,
> + ...
> +}:
> +
> +{
> + options.hostings.beget.enable = lib.mkEnableOption "Server on
> Beget platform";
> +
> + # See
> https://beget.com/ru/kb/faq/cloud/sozdanie-servera-iz-svoego-obraza
> + config = lib.mkIf config.hostings.beget.enable {
> + disko.devices.disk.main.device = "/dev/vda";
> +
> + boot.loader.grub.efiSupport = false;
> +
> + services.qemuGuest.enable = true;
> + services.cloud-init = {
> + enable = true;
> + network.enable = true;
> + settings = {
> + datasource_list = [
> + "NoCloud"
> + "ConfigDrive"
> + ];
> + };
> + };
> +
> + networking = {
> + useDHCP = false;
> + useNetworkd = true;
> + networkmanager.enable = false;
> + };
> + };
> +}
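Review bot: `services.cloud-init.enable = true` here, and in modules/hostings/selectel.nix (which also lists the `Ec2` metadata datasource), carries no comment on what cloud-init is allowed to do on these hosts. In its usual configuration cloud-init can apply user-data from the provider, including creating users and installing SSH keys, which would sit outside the access declared in modules/admins.nix. If it is only meant to configure networking, as `network.enable = true` suggests, I would say so above the block, e.g. `# cloud-init is used for network configuration only; accounts and SSH keys come from modules/admins.nix`. Restricting its enabled modules through `settings` would then be a follow-up.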
> diff --git a/modules/hostings/default.nix
> b/modules/hostings/default.nix
> new file mode 100644
> index 0000000..cab83b2
> --- /dev/null
> +++ b/modules/hostings/default.nix
> @@ -0,0 +1,6 @@
> +{
> + imports = [
> + ./beget.nix
> + ./selectel.nix
> + ];
> +}
> diff --git a/modules/hostings/selectel.nix
> b/modules/hostings/selectel.nix
> new file mode 100644
> index 0000000..0880dbe
> --- /dev/null
> +++ b/modules/hostings/selectel.nix
> @@ -0,0 +1,29 @@
> +{
> + config,
> + lib,
> + ...
> +}:
> +
> +{
> + options.hostings.selectel.enable = lib.mkEnableOption "Server on
> Selectel platform";
> +
> + # See
> https://docs.selectel.ru/en/cloud-servers/images/create-custom-image/
> + config = lib.mkIf config.hostings.selectel.enable {
> + disko.devices.disk.main.device = "/dev/sda";
> +
> + boot.loader.grub.efiSupport = false;
> +
> + services.qemuGuest.enable = true;
> + services.cloud-init = {
> + enable = true;
> + network.enable = true;
> + settings = {
> + datasource_list = [
> + "ConfigDrive"
> + "Ec2"
> + "None"
> + ];
> + };
> + };
> + };
> +}
> diff --git a/modules/services/default.nix
> b/modules/services/default.nix
> new file mode 100644
> index 0000000..83797f7
> --- /dev/null
> +++ b/modules/services/default.nix
> @@ -0,0 +1,3 @@
> +{
> + imports = [ ./landau-cgit.nix ];
> +}
> diff --git a/modules/services/landau-cgit.nix
> b/modules/services/landau-cgit.nix
> new file mode 100644
> index 0000000..66412a9
> --- /dev/null
> +++ b/modules/services/landau-cgit.nix
> @@ -0,0 +1,42 @@
> +{
> + config,
> + lib,
> + ...
> +}:
> +let
> + host = "git.rulkc.org";
> + mkAssetPath = file: toString (./. +
> "/../../git.rulkc.org/cgit/${file}");
> +in
> +{
> + options.services.landau-cgit.enable = lib.mkEnableOption "cgit
> configured for LANDAU";
> +
> + config = lib.mkIf config.services.landau-cgit.enable {
> + services.nginx.virtualHosts.${host}.locations = {
> + "= /cgit.png".alias = mkAssetPath "cgit.png";
> + "= /cgit.css".alias = mkAssetPath "cgit.css";
> + "= /favicon.ico".alias = mkAssetPath "favicon.ico";
> + };
> +
> + services.cgit.${host} = {
> + enable = true;
> + scanPath = "/var/lib/git";
> + gitHttpBackend.checkExportOkFiles = false;
> + settings = {
> + # Features
> + enable-git-config = true;
> + enable-http-clone = true;
> + enable-index-owner = true;
> + snapshots = "tar.gz zip";
> +
> + # Appearance
> + root-title = "LANDAU git repositories";
> + root-desc = "Git repositories for Linux kernel Advanced for
> Next-gen Devices & Architectures";
> +
> + clone-url = "https://${host}/$CGIT_REPO_URL
> git://git.rulkc.org/$CGIT_REPO_URL ssh://git@${host}/$CGIT_REPO_URL";
> + section-from-path = 3;
> + max-stats = "quarter";
> + };
> + };
> + networking.firewall.allowedTCPPorts = [ 80 ];
> + };
> +}
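Review bot: The vhost is reachable only over plain HTTP: the hunk opens TCP 80 and sets no TLS options on `services.nginx.virtualHosts.${host}`. Yet `clone-url` advertises `https://`, `git://` and `ssh://git@` endpoints that nothing in this patch provides. Kernel sources fetched over unauthenticated HTTP can be modified in transit, so I would either enable TLS on the vhost (`forceSSL = true;` and `enableACME = true;`, plus 443 in `allowedTCPPorts`) or advertise only the URLs that actually work. `gitHttpBackend.checkExportOkFiles = false` also exports every repository under `/var/lib/git` without a per-repository opt-in. A comment such as `# every repository under scanPath is public by design` would record that this is deliberate.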
> diff --git a/servers/cgit-hardware-configuration.nix b/servers/cgit-
> hardware-configuration.nix
> new file mode 100644
> index 0000000..2cc9b40
> --- /dev/null
> +++ b/servers/cgit-hardware-configuration.nix
> @@ -0,0 +1,2 @@
> +{ }
> +#throw "Run nixos-anywhere with `--generate-hardware-config nixos-
> generate-config ./servers/cgit-hardware-configuration.nix`"
> diff --git a/servers/cgit.nix b/servers/cgit.nix
> new file mode 100644
> index 0000000..916dc33
> --- /dev/null
> +++ b/servers/cgit.nix
> @@ -0,0 +1,21 @@
> +{
> + config,
> + pkgs,
> + lib,
> + modulesPath,
> + ...
> +}:
> +{
> + imports = [
> + (modulesPath + "/installer/scan/not-detected.nix")
> + (modulesPath + "/profiles/qemu-guest.nix")
> + ./cgit-hardware-configuration.nix
> + ];
> +
> + networking.hostname = "cgit";
> +
> + services.landau-cgit.enable = true;
> + hostings.beget.enable = true;
> +
> + admins.moskalets = true;
> +}
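Review bot: `networking.hostname` is not the NixOS option name; the option is `networking.hostName`. As written, evaluation should fail with an "option does not exist" error, so the line should be `networking.hostName = "cgit";`. The `config`, `pkgs` and `lib` arguments are not used in this file and could be dropped from the argument set.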