[rulkc] [PATCH v2] nix: introduce initial generic configuration
Maxim Moskalets
maximmosk4 at gmail.com
Tue May 26 00:22:23 MSK 2026
>From 2a9a7022bdc0e01fac7f37dda7f324c52d2c69e0 Mon Sep 17 00:00:00 2001
From: Maxim Moskalets <Maxim.Moskalets at kaspersky.com>
Date: Fri, 22 May 2026 23:55:35 +0300
Subject: [PATCH] nix: introduce initial generic configuration
Add a NixOS configuration for cgit server as initial.
Services added:
- cgit (over HTTP)
- sshd
- fail2ban
- firewall (iptables as default backend)
Nix and NixOS used for versionability and reproducibility of the
system. As bonus, it also provides a way to easily deploy the system
on different machines.
Signed-off-by: Maxim Moskalets <Maxim.Moskalets at kaspersky.com>
---
v2:
- Add fail2ban service
- Add beget hardware-configuration
- Add build and deploy guide to README.md
- Switch to nixos-unstable branch
---
.gitignore | 2 ++
README.md | 30 ++++++++++++++++
config/default.nix | 8 +++++
config/disko.nix | 33 +++++++++++++++++
config/nix.nix | 8 +++++
config/programs/default.nix | 5 +++
config/programs/neovim.nix | 8 +++++
config/services/default.nix | 7 ++++
config/services/fail2ban.nix | 15 ++++++++
config/services/firewall.nix | 3 ++
config/services/ssh.nix | 21 +++++++++++
flake.lock | 48 +++++++++++++++++++++++++
flake.nix | 39 ++++++++++++++++++++
modules/admins.nix | 39 ++++++++++++++++++++
modules/default.nix | 7 ++++
modules/hostings/beget.nix | 34 ++++++++++++++++++
modules/hostings/default.nix | 6 ++++
modules/hostings/selectel.nix | 29 +++++++++++++++
modules/services/default.nix | 3 ++
modules/services/landau-cgit.nix | 42 ++++++++++++++++++++++
servers/cgit-hardware-configuration.nix | 36 +++++++++++++++++++
servers/cgit.nix | 21 +++++++++++
22 files changed, 444 insertions(+)
create mode 100644 .gitignore
create mode 100644 README.md
create mode 100644 config/default.nix
create mode 100644 config/disko.nix
create mode 100644 config/nix.nix
create mode 100644 config/programs/default.nix
create mode 100644 config/programs/neovim.nix
create mode 100644 config/services/default.nix
create mode 100644 config/services/fail2ban.nix
create mode 100644 config/services/firewall.nix
create mode 100644 config/services/ssh.nix
create mode 100644 flake.lock
create mode 100644 flake.nix
create mode 100644 modules/admins.nix
create mode 100644 modules/default.nix
create mode 100644 modules/hostings/beget.nix
create mode 100644 modules/hostings/default.nix
create mode 100644 modules/hostings/selectel.nix
create mode 100644 modules/services/default.nix
create mode 100644 modules/services/landau-cgit.nix
create mode 100644 servers/cgit-hardware-configuration.nix
create mode 100644 servers/cgit.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a4ee727
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.patch
+*.qcow2
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..577a8bb
--- /dev/null
+++ b/README.md
@@ -0,0 +1,30 @@
+# LANDAU servers configurations
+
+## Installation
+
+Run the following command to install NixOS to remote host:
+
+```bash
+nixos-anywhere --flake .#cgit root@<host ip>
+```
+
+After installation, run `nixos-rebuild switch` to apply changes. You can also use `--build-host` and `--remote-host` options to build on a different machine.
+
+For first-time setup on new hosting, hardware configuration is required. Use `--generate-hardware-config nixos-generate-config ./servers/cgit-hardware-configuration.nix` to generate it.
+
+## Run locally
+
+You can also run this configuration locally in a VM:
+
+```bash
+nixos-rebuild build-vm --flake .#cgit --image-variant qemu
+QEMU_NET_OPTS="hostfwd=tcp::8080-:80" ./result/bin/run-cgit-vm -nographic
+```
+
+Now you can access the [server](http://localhost:8080/) for debug purposes.
+
+## Nix-related checklist
+
+- [ ] Format all files with `nix run nixpkgs#nixfmt-tree`
+- [ ] Check for any warnings with `nix flake check`
+- [ ] Update lock file (if needed) with `nix flake update`
diff --git a/config/default.nix b/config/default.nix
new file mode 100644
index 0000000..764f222
--- /dev/null
+++ b/config/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./disko.nix
+ ./nix.nix
+ ./programs
+ ./services
+ ];
+}
diff --git a/config/disko.nix b/config/disko.nix
new file mode 100644
index 0000000..7366aee
--- /dev/null
+++ b/config/disko.nix
@@ -0,0 +1,33 @@
+{
+ disko.devices.disk.main = {
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ size = "256M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/config/nix.nix b/config/nix.nix
new file mode 100644
index 0000000..5b8037c
--- /dev/null
+++ b/config/nix.nix
@@ -0,0 +1,8 @@
+{
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ system.stateVersion = "25.11";
+}
diff --git a/config/programs/default.nix b/config/programs/default.nix
new file mode 100644
index 0000000..73b5f39
--- /dev/null
+++ b/config/programs/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./neovim.nix
+ ];
+}
diff --git a/config/programs/neovim.nix b/config/programs/neovim.nix
new file mode 100644
index 0000000..d4abca3
--- /dev/null
+++ b/config/programs/neovim.nix
@@ -0,0 +1,8 @@
+{
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ viAlias = true;
+ vimAlias = true;
+ };
+}
diff --git a/config/services/default.nix b/config/services/default.nix
new file mode 100644
index 0000000..67cc069
--- /dev/null
+++ b/config/services/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./fail2ban.nix
+ ./firewall.nix
+ ./ssh.nix
+ ];
+}
diff --git a/config/services/fail2ban.nix b/config/services/fail2ban.nix
new file mode 100644
index 0000000..050fb93
--- /dev/null
+++ b/config/services/fail2ban.nix
@@ -0,0 +1,15 @@
+{
+ services.fail2ban = {
+ enable = true;
+
+ bantime = "30m";
+ maxretry = 5;
+
+ bantime-increment = {
+ enable = true;
+ maxtime = "3d";
+ factor = "4";
+ rndtime = "10m";
+ };
+ };
+}
diff --git a/config/services/firewall.nix b/config/services/firewall.nix
new file mode 100644
index 0000000..09045f4
--- /dev/null
+++ b/config/services/firewall.nix
@@ -0,0 +1,3 @@
+{
+ networking.firewall.enable = true;
+}
diff --git a/config/services/ssh.nix b/config/services/ssh.nix
new file mode 100644
index 0000000..edf5651
--- /dev/null
+++ b/config/services/ssh.nix
@@ -0,0 +1,21 @@
+let
+ ports = [
+ 22
+ 8822
+ ];
+in
+{
+ services.openssh = {
+ enable = true;
+ allowSFTP = false;
+ inherit ports;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ AllowGroups = [ "wheel" ];
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = ports;
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..738d96f
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,48 @@
+{
+ "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1779699611,
+ "narHash": "sha256-EcCaSTKnmg2o4wLKaN1aqQFomwyhO7ik0bX9COdyCas=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "5ba0c9555c28685e57fa54c7a25e42c7efdbfc8d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1779560665,
+ "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "disko": "disko",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..06a6be2
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,39 @@
+{
+ description = "LANDAU infrastructure";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs =
+ {
+ nixpkgs,
+ disko,
+ ...
+ }:
+ let
+ makeServerSystem =
+ modules: extraConfig:
+ nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ disko.nixosModules.disko
+ ./config
+ ./modules
+ ]
+ ++ modules;
+ }
+ // extraConfig;
+ in
+ {
+ nixosConfigurations = {
+ cgit = makeServerSystem [ ./servers/cgit.nix ] { };
+ };
+
+ inherit (nixpkgs) formatter;
+ };
+}
diff --git a/modules/admins.nix b/modules/admins.nix
new file mode 100644
index 0000000..2d7e7e8
--- /dev/null
+++ b/modules/admins.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+{
+ options.admins = {
+ all = lib.mkEnableOption "All availiable admins";
+ moskalets = lib.mkEnableOption "Maxim Moskalets admin";
+ };
+
+ config.users.users =
+ let
+ makeAdmin =
+ user: description: extraAttrs:
+ lib.mkIf (config.admins.${user} || config.admins.all) {
+ isNormalUser = true;
+ inherit description;
+ extraGroups = [
+ "wheel"
+ ];
+ }
+ // extraAttrs;
+ in
+ {
+ moskalets = makeAdmin "moskalets" "Maxim Moskalets" {
+ # $ argon2 $(openssl rand -base64 18) -id -t 4 -m 18 -p 4
+ # <password>
+ initialHashedPassword = null;
+
+ # YubiKey
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDH+C8vzOOqDx7un96FhGewfE6UufLHys3Y3ke6WxoV05XPWc+d/1T9wCU7escUgdOUI90+Ps/0Os4PzfP0znOE08Xj+6nZsRSkhu+WEFyRu8e86NRoCEIk2u8WNxMhR112taT6bLf/TRWzDyai159sKz7PhuIW/uP/SwsIzpr+AWhBVzzT0Ytz3QVX4JCrRYXyuFwTLNIFRzziKBP69nkl/KKwRdULGIzlGXqHTOzLLL26sSWuGTaZg3ao+DfLV5gmL3VkU9jEyF2OVodsxmQ3qeoRRsHlSy7FmQeCg4I3uhbi/v8bR1xyhfn7YLaKfFkuTnK0EfFfbRTPLyWglwb3yeulkUg3oDc4AKSoks3Dzi53LBSEI//5Yw3nfFu3Hu85UgZQ6A9lRolrkibjKil1s8yodU5vSGKtGkh98U//KzXDEHOLqZ7mfY+hvvY11oQ0KOLYzgYX9hwvMgYTa3dmzADRfs/PMfOqja1TDsVvnHNnIfmjNe8WojbBPzB8ytmTDpMERIAONwyR2p0Bf6fon04hQu/yyc/iE+zbn/JDf9LYbj4+yr6RpRJXbbh5KsfXAJ6vf0XBEkdV5KymD1N6Ni44lGFwg5clDs3rj5K/liSZK4joyqUaUtzGi0DxwT1lypl87iJpw0cThCOr80fVl4FiyEkTjZjMc0UP/cA6BQ== cardno:29_610_165
+"
+ ];
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..a1f9a42
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./admins.nix
+ ./hostings
+ ./services
+ ];
+}
diff --git a/modules/hostings/beget.nix b/modules/hostings/beget.nix
new file mode 100644
index 0000000..4ee53ce
--- /dev/null
+++ b/modules/hostings/beget.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+{
+ options.hostings.beget.enable = lib.mkEnableOption "Server on Beget platform";
+
+ # See https://beget.com/ru/kb/faq/cloud/sozdanie-servera-iz-svoego-obraza
+ config = lib.mkIf config.hostings.beget.enable {
+ disko.devices.disk.main.device = "/dev/vda";
+
+ boot.loader.grub.efiSupport = false;
+
+ services.qemuGuest.enable = true;
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ settings = {
+ datasource_list = [
+ "NoCloud"
+ "ConfigDrive"
+ ];
+ };
+ };
+
+ networking = {
+ useDHCP = false;
+ useNetworkd = true;
+ networkmanager.enable = false;
+ };
+ };
+}
diff --git a/modules/hostings/default.nix b/modules/hostings/default.nix
new file mode 100644
index 0000000..cab83b2
--- /dev/null
+++ b/modules/hostings/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./beget.nix
+ ./selectel.nix
+ ];
+}
diff --git a/modules/hostings/selectel.nix b/modules/hostings/selectel.nix
new file mode 100644
index 0000000..0880dbe
--- /dev/null
+++ b/modules/hostings/selectel.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+{
+ options.hostings.selectel.enable = lib.mkEnableOption "Server on Selectel platform";
+
+ # See https://docs.selectel.ru/en/cloud-servers/images/create-custom-image/
+ config = lib.mkIf config.hostings.selectel.enable {
+ disko.devices.disk.main.device = "/dev/sda";
+
+ boot.loader.grub.efiSupport = false;
+
+ services.qemuGuest.enable = true;
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ settings = {
+ datasource_list = [
+ "ConfigDrive"
+ "Ec2"
+ "None"
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/services/default.nix b/modules/services/default.nix
new file mode 100644
index 0000000..83797f7
--- /dev/null
+++ b/modules/services/default.nix
@@ -0,0 +1,3 @@
+{
+ imports = [ ./landau-cgit.nix ];
+}
diff --git a/modules/services/landau-cgit.nix b/modules/services/landau-cgit.nix
new file mode 100644
index 0000000..66412a9
--- /dev/null
+++ b/modules/services/landau-cgit.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ host = "git.rulkc.org";
+ mkAssetPath = file: toString (./. + "/../../git.rulkc.org/cgit/${file}");
+in
+{
+ options.services.landau-cgit.enable = lib.mkEnableOption "cgit configured for LANDAU";
+
+ config = lib.mkIf config.services.landau-cgit.enable {
+ services.nginx.virtualHosts.${host}.locations = {
+ "= /cgit.png".alias = mkAssetPath "cgit.png";
+ "= /cgit.css".alias = mkAssetPath "cgit.css";
+ "= /favicon.ico".alias = mkAssetPath "favicon.ico";
+ };
+
+ services.cgit.${host} = {
+ enable = true;
+ scanPath = "/var/lib/git";
+ gitHttpBackend.checkExportOkFiles = false;
+ settings = {
+ # Features
+ enable-git-config = true;
+ enable-http-clone = true;
+ enable-index-owner = true;
+ snapshots = "tar.gz zip";
+
+ # Appearance
+ root-title = "LANDAU git repositories";
+ root-desc = "Git repositories for Linux kernel Advanced for Next-gen Devices & Architectures";
+
+ clone-url = "https://${host}/$CGIT_REPO_URL git://git.rulkc.org/$CGIT_REPO_URL ssh://git@${host}/$CGIT_REPO_URL";
+ section-from-path = 3;
+ max-stats = "quarter";
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ };
+}
diff --git a/servers/cgit-hardware-configuration.nix b/servers/cgit-hardware-configuration.nix
new file mode 100644
index 0000000..f5108e4
--- /dev/null
+++ b/servers/cgit-hardware-configuration.nix
@@ -0,0 +1,36 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "sr_mod"
+ "virtio_blk"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/servers/cgit.nix b/servers/cgit.nix
new file mode 100644
index 0000000..54cf2d0
--- /dev/null
+++ b/servers/cgit.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ pkgs,
+ lib,
+ modulesPath,
+ ...
+}:
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./cgit-hardware-configuration.nix
+ ];
+
+ networking.hostName = "cgit";
+
+ services.landau-cgit.enable = true;
+ hostings.beget.enable = true;
+
+ admins.moskalets = true;
+}
--
2.51.2
More information about the rulkc
mailing list