authorLinnnus <[email protected]>2023-10-03 19:24:59 +0200
committerLinnnus <[email protected]>2023-10-08 13:14:15 +0200
commitc475c0077764acea6f12b88b24d20b7b2720cd5c (patch)
tree6f0fb4d9a16dd792762d5884d99e8696617de6ce /modules/nixos
parentc868c8a61fd3b9a4b404001aba0c4c6b7318a4a3 (diff)
Move personal modules hosts/ahmed -> modules/nixos/
Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/default.nix3
-rw-r--r--modules/nixos/graphics/default.nix37
-rw-r--r--modules/nixos/linus.onl/default.nix100
-rw-r--r--modules/nixos/nofitications.linus.onl/default.nix44
4 files changed, 184 insertions, 0 deletions
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 3fcc34c..c1ab502 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -8,5 +8,8 @@
personal = {
duksebot = import ./duksebot;
+ graphics = import ./graphics;
+ "linus.onl" = import ./linus.onl;
+ "notifications.linus.onl" = import ./nofitications.linus.onl;
};
}
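Review bot: The import path on the last added line, `./nofitications.linus.onl`, is misspelled and resolves only because the directory added by this commit carries the same typo. Renaming the directory to `notifications.linus.onl` and importing `./notifications.linus.onl` would keep the attribute name and the path in sync. The enclosing attribute set starts above this hunk.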
diff --git a/modules/nixos/graphics/default.nix b/modules/nixos/graphics/default.nix
new file mode 100644
index 0000000..f54d043
--- /dev/null
+++ b/modules/nixos/graphics/default.nix
@@ -0,0 +1,37 @@
+# This module configures a basic graphical environment. I use this sometimes for
+# ahmed when muhammed is being repaired.
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkIf;
+
+ cfg = config.modules.graphics;
+in {
+ options.modules.graphics.enable = mkEnableOption "basic graphical environment";
+
+ config = mkIf cfg.enable {
+ services.xserver.enable = true;
+
+ # Match console keyboard layout but swap capslock and escape.
+ # TODO: Create a custom keymap with esc/capslock swap so console can use it.
+ services.xserver.layout = config.console.keyMap;
+ services.xserver.xkbOptions = "caps:swapescape";
+
+ # Enable touchpad support.
+ services.xserver.libinput.enable = true;
+
+ services.xserver.windowManager.dwm.enable = true;
+
+ # Enable sound.
+ sound.enable = true;
+ hardware.pulseaudio.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ st # suckless terminal - dwm is pretty sucky without this
+ dmenu # application launcher
+ ];
+ };
+}
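Review bot: `services.xserver.layout = config.console.keyMap;` assumes the console keymap name is also a valid XKB layout, but the two are separate name spaces and not every console keymap has an XKB layout of the same name. The value of `console.keyMap` is set outside this diff, so whether this breaks depends on the host. Setting the XKB layout explicitly and adding `console.useXkbConfig = true;` derives the console keymap from the X settings instead, which should also carry `caps:swapescape` to the console and close the TODO above that line.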
diff --git a/modules/nixos/linus.onl/default.nix b/modules/nixos/linus.onl/default.nix
new file mode 100644
index 0000000..52703fe
--- /dev/null
+++ b/modules/nixos/linus.onl/default.nix
@@ -0,0 +1,100 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkOption types mkIf optional;
+
+ domain = "linus.onl";
+
+ cfg = config.modules."${domain}";
+in {
+ options.modules."${domain}" = {
+ enable = mkEnableOption "${domain} static site";
+
+ useACME = mkEnableOption "built-in HTTPS stuff";
+ };
+
+ config = mkIf cfg.enable {
+ # Create a user to run the build script under.
+ users.users."${domain}-builder" = {
+ description = "builds ${domain}";
+ group = "${domain}-builder";
+ isSystemUser = true;
+ };
+ users.groups."${domain}-builder" = {};
+
+ # Create the output directory.
+ system.activationScripts."${domain}-create-www" = lib.stringAfter ["var"] ''
+ mkdir -p /var/www/${domain}
+ chown ${domain}-builder /var/www/${domain}
+ chgrp ${domain}-builder /var/www/${domain}
+ chmod 0755 /var/www/${domain}
+ '';
+
+ # Create a systemd service which rebuild the site regularly.
+ #
+ # This can't be done using Nix because the site relies on the git build and
+ # there are some inherent difficulties with including .git/ in the
+ # inputSource for derivations.
+ #
+ # See: https://github.com/NixOS/nix/issues/6900
+ # See: https://github.com/NixOS/nixpkgs/issues/8567
+ #
+ # TODO: Integrate rebuilding with GitHub webhooks to rebuild on push.
+ systemd.services."${domain}-source" = {
+ description = "generate https://${domain} source";
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "${domain}-builder";
+ Group = "${domain}-builder";
+ };
+ startAt = "*-*-* *:00/5:00";
+
+ path = with pkgs; [
+ git
+ rsync
+ coreutils-full
+ tcl-8_5
+ gnumake
+ ];
+ environment.TCLLIBPATH = "$TCLLIBPATH ${pkgs.tcl-cmark}/lib/tclcmark1.0";
+ script = ''
+ set -ex
+ tmpdir="$(mktemp -d -t linus.onl-source.XXXXXXXXXXXX)"
+ cd "$tmpdir"
+ trap 'rm -rf $tmpdir' EXIT
+ # TODO: Only do minimal possible cloning
+ git clone https://github.com/linnnus/${domain} .
+ make _build
+ rsync --archive --delete _build/ /var/www/${domain}
+ '';
+
+ # TODO: Harden service
+
+ # Network must be online for us to check.
+ after = ["network-online.target"];
+ requires = ["network-online.target"];
+
+ # We must generate some files for NGINX to serve, so this should be run
+ # before NGINX.
+ before = ["nginx.service"];
+ wantedBy = ["nginx.service"];
+ };
+
+ # Register domain name with ddns.
+ services.cloudflare-dyndns.domains = [domain];
+
+ # Register virtual host.
+ services.nginx = {
+ virtualHosts."${domain}" = {
+ # NOTE: 'forceSSL' will cause an infite loop, if the cloudflare proxy does NOT connect over HTTPS.
+ enableACME = cfg.useACME;
+ forceSSL = cfg.useACME;
+ root = "/var/www/${domain}";
+ };
+ };
+ };
+}
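Review bot: The `${domain}-source` unit clones the repository's current HEAD and runs its Makefile every five minutes with no sandboxing, so `# TODO: Harden service` is the part of this hunk most worth resolving before it ships. As written, whatever the build does runs as `${domain}-builder` with an unrestricted view of the filesystem. A `serviceConfig` along the lines below confines writes to the web root and a private /tmp; it needs a check on the host that the clone and build still succeed. Separately, `environment.TCLLIBPATH` begins with a literal `$TCLLIBPATH`, which systemd does not expand in `Environment=`, and the cleanup trap should quote its variable: `trap 'rm -rf "$tmpdir"' EXIT`.

```nix
serviceConfig = {
  Type = "oneshot";
  # … unchanged: User, Group …
  NoNewPrivileges = true;
  PrivateTmp = true;
  PrivateDevices = true;
  ProtectHome = true;
  ProtectSystem = "strict";
  ReadWritePaths = ["/var/www/${domain}"];
  ProtectKernelTunables = true;
  ProtectKernelModules = true;
  ProtectControlGroups = true;
};
```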
diff --git a/modules/nixos/nofitications.linus.onl/default.nix b/modules/nixos/nofitications.linus.onl/default.nix
new file mode 100644
index 0000000..d77a0e7
--- /dev/null
+++ b/modules/nixos/nofitications.linus.onl/default.nix
@@ -0,0 +1,44 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkOption types mkIf optional;
+
+ domain = "notifications.linus.onl";
+
+ # TODO: Make option internal-port.
+ internal-port = 13082;
+
+ cfg = config.modules."notifications.linus.onl";
+in {
+ options.modules."notifications.linus.onl" = {
+ enable = mkEnableOption "notifications.linus.onl static site";
+
+ useACME = mkEnableOption "built-in HTTPS stuff";
+ };
+
+ config = mkIf cfg.enable {
+ services.push-notification-api = {
+ enable = true;
+ # host = "notifications.linus.onl";
+ host = "0.0.0.0";
+ port = internal-port;
+ openFirewall = false; # We're using NGINX reverse proxy.
+ };
+
+ # Register domain name.
+ services.cloudflare-dyndns.domains = ["notifications.linus.onl"];
+
+ # Serve the generated page using NGINX.
+ services.nginx.virtualHosts."notifications.linus.onl" = {
+ enableACME = cfg.useACME;
+ forceSSL = cfg.useACME;
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://127.0.0.1:${toString internal-port}";
+ };
+ };
+ };
+}
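Review bot: `host = "0.0.0.0";` makes the API listen on every interface even though NGINX reaches it at `127.0.0.1`, so only `openFirewall = false` and whatever firewall the host runs keep port 13082 off the network. Assuming the module's `host` option is the bind address (its definition is not in this diff), `host = "127.0.0.1";` keeps the backend reachable only through the proxy. The `enable` description also still says "static site", and the `domain` binding is defined but the string is repeated literally further down.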