Add 'legacy/server-config/' from commit '4bc5d57fa69a393877e7019d7673ceb33c3ab4b4'

git-subtree-dir: legacy/server-config git-subtree-mainline: dc481c24b0 git-subtree-split: 4bc5d57fa6
2026-04-18 00:45:33 -04:00
parent dc481c24b0 4bc5d57fa6
commit 6448a0427f
136 changed files with 12893 additions and 0 deletions
--- a/legacy/server-config/flake.nix
+++ b/legacy/server-config/flake.nix
@@ -0,0 +1,281 @@
+{
+  description = "Flake for server muffin";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+
+    nix-minecraft = {
+      url = "github:Infinidoge/nix-minecraft";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";
+
+    home-manager = {
+      url = "github:nix-community/home-manager/release-25.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    llamacpp = {
+      url = "github:TheTom/llama-cpp-turboquant/feature/turboquant-kv-cache";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    srvos = {
+      url = "github:nix-community/srvos";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    deploy-rs = {
+      url = "github:serokell/deploy-rs";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    impermanence = {
+      url = "github:nix-community/impermanence";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+      inputs.darwin.follows = "";
+    };
+
+    senior_project-website = {
+      url = "github:Titaniumtown/senior-project-website";
+      flake = false;
+    };
+
+    website = {
+      url = "git+https://git.sigkill.computer/titaniumtown/website";
+      flake = false;
+    };
+
+    trackerlist = {
+      url = "github:ngosang/trackerslist";
+      flake = false;
+    };
+
+    ytbn-graphing-software = {
+      url = "git+https://git.sigkill.computer/titaniumtown/YTBN-Graphing-Software";
+    };
+
+    arr-init = {
+      url = "git+ssh://gitea@git.gardling.com/titaniumtown/arr-init";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nixpkgs-p2pool-module = {
+      url = "github:JacoMalan1/nixpkgs/create-p2pool-service";
+      flake = false;
+    };
+
+    qbittorrent-metrics-exporter = {
+      url = "git+https://codeberg.org/anriha/qbittorrent-metrics-exporter";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      nix-minecraft,
+      nixos-hardware,
+      vpn-confinement,
+      home-manager,
+      lanzaboote,
+      disko,
+      srvos,
+      deploy-rs,
+      impermanence,
+      arr-init,
+      nixpkgs-p2pool-module,
+      ...
+    }@inputs:
+    let
+      username = "primary";
+      hostname = "muffin";
+      eth_interface = "enp4s0";
+      system = "x86_64-linux";
+
+      service_configs = import ./service-configs.nix;
+
+      # Bootstrap pkgs used only to apply patches to nixpkgs source.
+      bootstrapPkgs = import nixpkgs { inherit system; };
+
+      # Patch nixpkgs to add PostgreSQL backend support for firefox-syncserver.
+      patchedNixpkgsSrc = bootstrapPkgs.applyPatches {
+        name = "nixpkgs-patched";
+        src = nixpkgs;
+        patches = [
+          ./patches/nixpkgs/0001-firefox-syncserver-add-postgresql-backend-support.patch
+        ];
+      };
+
+      pkgs = import patchedNixpkgsSrc {
+        inherit system;
+        targetPlatform = system;
+        buildPlatform = builtins.currentSystem;
+      };
+      lib = import ./modules/lib.nix { inherit inputs pkgs service_configs; };
+      testSuite = import ./tests/tests.nix {
+        inherit pkgs lib inputs;
+        config = self.nixosConfigurations.muffin.config;
+      };
+    in
+    {
+      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-tree;
+      nixosConfigurations.${hostname} = lib.nixosSystem {
+        inherit system;
+        specialArgs = {
+          inherit
+            username
+            hostname
+            eth_interface
+            service_configs
+            inputs
+            ;
+        };
+        modules = [
+          # SAFETY! port sanity checks
+          (
+            { config, lib, ... }:
+            let
+              publicPorts = lib.attrValues service_configs.ports.public;
+              privatePorts = lib.attrValues service_configs.ports.private;
+              allPortNumbers = map (p: p.port) (publicPorts ++ privatePorts);
+              uniquePortNumbers = lib.unique allPortNumbers;
+
+              # Which public ports must be in each firewall list
+              publicTcp = map (p: p.port) (lib.filter (p: p.proto == "tcp" || p.proto == "both") publicPorts);
+              publicUdp = map (p: p.port) (lib.filter (p: p.proto == "udp" || p.proto == "both") publicPorts);
+
+              privatePortNumbers = map (p: p.port) privatePorts;
+
+              fwTcp = config.networking.firewall.allowedTCPPorts;
+              fwUdp = config.networking.firewall.allowedUDPPorts;
+
+              missingTcp = lib.filter (p: !(builtins.elem p fwTcp)) publicTcp;
+              missingUdp = lib.filter (p: !(builtins.elem p fwUdp)) publicUdp;
+              leakedTcp = lib.filter (p: builtins.elem p fwTcp) privatePortNumbers;
+              leakedUdp = lib.filter (p: builtins.elem p fwUdp) privatePortNumbers;
+            in
+            {
+              config.assertions = [
+                {
+                  assertion = (lib.length allPortNumbers) == (lib.length uniquePortNumbers);
+                  message = "Duplicate port numbers detected in ports.public / ports.private";
+                }
+                {
+                  assertion = missingTcp == [ ];
+                  message = "Public ports missing from allowedTCPPorts: ${builtins.toString missingTcp}";
+                }
+                {
+                  assertion = missingUdp == [ ];
+                  message = "Public ports missing from allowedUDPPorts: ${builtins.toString missingUdp}";
+                }
+                {
+                  assertion = leakedTcp == [ ] && leakedUdp == [ ];
+                  message = "Private ports leaked into firewall allow-lists — TCP: ${builtins.toString leakedTcp}, UDP: ${builtins.toString leakedUdp}";
+                }
+              ];
+            }
+          )
+
+          # sets up things like the watchdog
+          srvos.nixosModules.server
+
+          # diff terminal support
+          srvos.nixosModules.mixins-terminfo
+
+          ./disk-config.nix
+          ./configuration.nix
+
+          # Replace upstream firefox-syncserver module + package with patched
+          # versions that add PostgreSQL backend support.
+          {
+            disabledModules = [ "services/networking/firefox-syncserver.nix" ];
+            imports = [
+              "${patchedNixpkgsSrc}/nixos/modules/services/networking/firefox-syncserver.nix"
+            ];
+            nixpkgs.overlays = [
+              nix-minecraft.overlay
+              (import ./modules/overlays.nix)
+              (_final: prev: {
+                syncstorage-rs =
+                  prev.callPackage "${patchedNixpkgsSrc}/pkgs/by-name/sy/syncstorage-rs/package.nix"
+                    { };
+              })
+            ];
+            nixpkgs.config.allowUnfreePredicate =
+              pkg:
+              builtins.elem (nixpkgs.lib.getName pkg) [
+                "minecraft-server"
+              ];
+          }
+
+          lanzaboote.nixosModules.lanzaboote
+
+          arr-init.nixosModules.default
+
+          (import "${nixpkgs-p2pool-module}/nixos/modules/services/networking/p2pool.nix")
+
+          home-manager.nixosModules.home-manager
+          (
+            {
+              home-manager,
+              ...
+            }:
+            {
+              home-manager.users.${username} = import ./modules/home.nix;
+            }
+          )
+        ]
+        ++ (with nixos-hardware.nixosModules; [
+          common-cpu-amd-pstate
+          common-cpu-amd-zenpower
+          common-pc-ssd
+          common-gpu-intel
+        ]);
+      };
+
+      deploy.nodes.muffin = {
+        hostname = "server-public";
+        profiles.system = {
+          sshUser = "root";
+          user = "root";
+          path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.muffin;
+        };
+      };
+
+      checks.${system} = testSuite;
+
+      packages.${system} = {
+        tests = pkgs.linkFarm "all-tests" (
+          pkgs.lib.mapAttrsToList (name: test: {
+            name = name;
+            path = test;
+          }) testSuite
+        );
+      }
+      // (pkgs.lib.mapAttrs' (name: test: {
+        name = "test-${name}";
+        value = test;
+      }) testSuite);
+    };
+}