chore: resonite, storage and forgejo setup

2026-02-27 21:47:24 +01:00 · 2026-02-27 21:47:24 +01:00 · 279e95a1ec
commit 279e95a1ec
parent d79fe97b7e
18 changed files with 203 additions and 167 deletions
--- a/roles/device/default.nix
+++ b/roles/device/default.nix
@ -1,11 +1,42 @@
-{ inputs, ... }:
+{ inputs, lib, ... }:
 {
  imports = [
    inputs.disko.nixosModules.disko
    ./firewall.nix
+    ./network.nix
    ./secrets.nix
    ./sudo.nix
    ./users.nix
  ]
  ++ import ../../modules/top-level.nix;
+
+  nix =
+    let
+      flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+    in
+    {
+      registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
+      nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+
+      settings = {
+        warn-dirty = false;
+        trusted-users = [ "@wheel" ];
+
+        experimental-features = [
+          "nix-command"
+          "flakes"
+        ];
+
+        substituters = [
+          "https://cache.garnix.io"
+          "https://nix-community.cachix.org"
+        ];
+
+        trusted-public-keys = [
+          "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        ];
+      };
+    };
+
 }
--- a/roles/device/network.nix
+++ b/roles/device/network.nix
@ -0,0 +1,3 @@
+{
+  networking.useNetworkd = true;
+}
--- a/roles/device/secrets.nix
+++ b/roles/device/secrets.nix
@ -5,7 +5,7 @@
  ...
 }:
 let
-  hostSecretsFile = ../../systems + "${config.networking.hostName}/secrets.yaml";
+  hostSecretsFile = ../../systems + "/${config.networking.hostName}/secrets.yaml";
 in
 {
  imports = [ inputs.sops-nix.nixosModules.sops ];
--- a/roles/headless/bootloader.nix
+++ b/roles/headless/bootloader.nix
@ -1,3 +0,0 @@
-{
-  boot.loader.systemd-boot.enable = true;
-}
--- a/roles/headless/default.nix
+++ b/roles/headless/default.nix
@ -2,6 +2,5 @@
  imports = [
    ../device
    ./access.nix
-    ./bootloader.nix
  ];
 }
--- a/roles/webserver/default.nix
+++ b/roles/webserver/default.nix
@ -0,0 +1,21 @@
+{
+  services.nginx = {
+    enable = true;
+
+    recommendedBrotliSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "contact@bddvlpr.com";
+  };
+}