# Flake for the "muffin" NixOS server: pins every external input, patches
# nixpkgs for the firefox-syncserver PostgreSQL backend, and exposes the
# system configuration, a deploy-rs node, the test suite and a formatter.
{
  description = "Flake for server muffin";

  inputs = {
    # Inputs that accept it follow this nixpkgs, so the whole closure is built
    # from a single nixpkgs revision (see the `inputs.nixpkgs.follows` lines).
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
    lanzaboote = {
      url = "github:nix-community/lanzaboote";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Tracks a branch, not a tag; the revision actually used is whatever
    # flake.lock pins.
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    nix-minecraft = {
      url = "github:Infinidoge/nix-minecraft";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";
    home-manager = {
      url = "github:nix-community/home-manager/release-25.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Feature branch of a personal llama.cpp fork; review the pinned revision
    # when updating flake.lock rather than relying on the branch name.
    llamacpp = {
      url = "github:TheTom/llama-cpp-turboquant/feature/turboquant-kv-cache";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    srvos = {
      url = "github:nix-community/srvos";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    impermanence = {
      url = "github:nix-community/impermanence";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
      # Empty follows: agenix's nix-darwin input is not fetched (Linux-only host).
      inputs.darwin.follows = "";
    };
    # Non-flake sources: fetched as plain source trees, no outputs evaluated.
    senior_project-website = {
      url = "github:Titaniumtown/senior-project-website";
      flake = false;
    };
    website = {
      url = "git+https://git.sigkill.computer/titaniumtown/website";
      flake = false;
    };
    trackerlist = {
      url = "github:ngosang/trackerslist";
      flake = false;
    };
    ytbn-graphing-software = {
      url = "git+https://git.sigkill.computer/titaniumtown/YTBN-Graphing-Software";
    };
    # SSH URL: fetching or updating this input needs SSH credentials for
    # git.gardling.com on the evaluating machine.
    arr-init = {
      url = "git+ssh://gitea@git.gardling.com/titaniumtown/arr-init";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # A nixpkgs fork used only for its p2pool NixOS module (imported below).
    # That module becomes part of this system's configuration, so its pinned
    # revision deserves the same review as a module from upstream nixpkgs.
    nixpkgs-p2pool-module = {
      url = "github:JacoMalan1/nixpkgs/create-p2pool-service";
      flake = false;
    };
    qbittorrent-metrics-exporter = {
      url = "git+https://codeberg.org/anriha/qbittorrent-metrics-exporter";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs =
    # Some destructured inputs (vpn-confinement, disko, impermanence) are not
    # referenced directly in this file; presumably they are consumed through
    # `inputs` (passed via specialArgs) inside the imported modules.
    {
      self,
      nixpkgs,
      nix-minecraft,
      nixos-hardware,
      vpn-confinement,
      home-manager,
      lanzaboote,
      disko,
      srvos,
      deploy-rs,
      impermanence,
      arr-init,
      nixpkgs-p2pool-module,
      ...
    }@inputs:
    let
      username = "primary";
      hostname = "muffin";
      eth_interface = "enp4s0";
      system = "x86_64-linux";
      # Shared service/port table; also handed to every module via specialArgs.
      service_configs = import ./service-configs.nix;
      # Bootstrap pkgs used only to apply patches to nixpkgs source.
      bootstrapPkgs = import nixpkgs { inherit system; };
      # Patch nixpkgs to add PostgreSQL backend support for firefox-syncserver.
      patchedNixpkgsSrc = bootstrapPkgs.applyPatches {
        name = "nixpkgs-patched";
        src = nixpkgs;
        patches = [ ./patches/0001-firefox-syncserver-add-postgresql-backend-support.patch ];
      };
      pkgs = import patchedNixpkgsSrc {
        inherit system;
        targetPlatform = system;
        # NOTE(review): builtins.currentSystem is not available under pure
        # flake evaluation, so this line appears to require `--impure`.
        # Confirm whether `buildPlatform = system` (matching targetPlatform
        # above) would do, and whether nixpkgs' top-level honours these two
        # argument names at all (it normally takes localSystem/crossSystem).
        buildPlatform = builtins.currentSystem;
      };
      # Project-local lib; provides the `nixosSystem` used below.
      lib = import ./modules/lib.nix { inherit inputs pkgs service_configs; };
      # Tests evaluate against the final muffin config (self-reference is lazy).
      testSuite = import ./tests/tests.nix {
        inherit pkgs lib inputs;
        config = self.nixosConfigurations.muffin.config;
      };
    in
    {
      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-tree;

      nixosConfigurations.${hostname} = lib.nixosSystem {
        inherit system;
        specialArgs = {
          inherit
            username
            hostname
            eth_interface
            service_configs
            inputs
            ;
        };
        modules = [
          # SAFETY! port sanity checks: fail evaluation when the firewall
          # allow-lists disagree with the service_configs.ports table.
          # (`lib` inside this module is the module-system lib, shadowing
          # the project lib bound above.)
          (
            { config, lib, ... }:
            let
              publicPorts = lib.attrValues service_configs.ports.public;
              privatePorts = lib.attrValues service_configs.ports.private;
              allPortNumbers = map (p: p.port) (publicPorts ++ privatePorts);
              uniquePortNumbers = lib.unique allPortNumbers;
              # Which public ports must be in each firewall list. Only the
              # proto values "tcp", "udp" and "both" are recognised; an entry
              # with any other proto is required in neither list.
              publicTcp = map (p: p.port) (lib.filter (p: p.proto == "tcp" || p.proto == "both") publicPorts);
              publicUdp = map (p: p.port) (lib.filter (p: p.proto == "udp" || p.proto == "both") publicPorts);
              privatePortNumbers = map (p: p.port) privatePorts;
              # Only the global allow-lists are inspected. Ports opened through
              # allowedTCPPortRanges/allowedUDPPortRanges or per-interface
              # `networking.firewall.interfaces.<name>.*` lists are not covered
              # by these checks — TODO confirm no module relies on those.
              fwTcp = config.networking.firewall.allowedTCPPorts;
              fwUdp = config.networking.firewall.allowedUDPPorts;
              missingTcp = lib.filter (p: !(builtins.elem p fwTcp)) publicTcp;
              missingUdp = lib.filter (p: !(builtins.elem p fwUdp)) publicUdp;
              leakedTcp = lib.filter (p: builtins.elem p fwTcp) privatePortNumbers;
              leakedUdp = lib.filter (p: builtins.elem p fwUdp) privatePortNumbers;
            in
            {
              config.assertions = [
                # Every port number may appear once across public + private.
                {
                  assertion = (lib.length allPortNumbers) == (lib.length uniquePortNumbers);
                  message = "Duplicate port numbers detected in ports.public / ports.private";
                }
                # Every public port must be opened on the matching protocol.
                {
                  assertion = missingTcp == [ ];
                  message = "Public ports missing from allowedTCPPorts: ${builtins.toString missingTcp}";
                }
                {
                  assertion = missingUdp == [ ];
                  message = "Public ports missing from allowedUDPPorts: ${builtins.toString missingUdp}";
                }
                # No private port may be reachable through the global allow-lists.
                {
                  assertion = leakedTcp == [ ] && leakedUdp == [ ];
                  message = "Private ports leaked into firewall allow-lists — TCP: ${builtins.toString leakedTcp}, UDP: ${builtins.toString leakedUdp}";
                }
              ];
            }
          )
          # sets up things like the watchdog
          srvos.nixosModules.server
          # diff terminal support
          srvos.nixosModules.mixins-terminfo
          ./disk-config.nix
          ./configuration.nix
          # Replace upstream firefox-syncserver module + package with patched
          # versions that add PostgreSQL backend support.
          {
            disabledModules = [ "services/networking/firefox-syncserver.nix" ];
            imports = [ "${patchedNixpkgsSrc}/nixos/modules/services/networking/firefox-syncserver.nix" ];
            nixpkgs.overlays = [
              nix-minecraft.overlay
              (import ./modules/overlays.nix)
              (_final: prev: {
                syncstorage-rs = prev.callPackage "${patchedNixpkgsSrc}/pkgs/by-name/sy/syncstorage-rs/package.nix" { };
              })
            ];
            # Unfree packages are permitted by exact package name only.
            nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (nixpkgs.lib.getName pkg) [ "minecraft-server" ];
          }
          lanzaboote.nixosModules.lanzaboote
          arr-init.nixosModules.default
          # p2pool service module from the third-party nixpkgs fork declared in
          # inputs, not from the patched nixpkgs used for everything else.
          (import "${nixpkgs-p2pool-module}/nixos/modules/services/networking/p2pool.nix")
          home-manager.nixosModules.home-manager
          # `home-manager` here is the module argument, shadowing the flake input.
          (
            { home-manager, ... }:
            {
              home-manager.users.${username} = import ./modules/home.nix;
            }
          )
        ]
        ++ (with nixos-hardware.nixosModules; [
          common-cpu-amd-pstate
          common-cpu-amd-zenpower
          common-pc-ssd
          common-gpu-intel
        ]);
      };

      # deploy-rs target. `hostname` here is the SSH destination
      # ("server-public", presumably an ssh_config alias), distinct from the
      # NixOS hostname bound above. Deployment connects and activates as root,
      # so the host must permit root SSH login for the deploying key.
      deploy.nodes.muffin = {
        hostname = "server-public";
        profiles.system = {
          sshUser = "root";
          user = "root";
          path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.muffin;
        };
      };

      # `nix flake check` runs the whole test suite.
      checks.${system} = testSuite;

      # `tests` builds every test into one link farm; each test is also
      # exposed individually as `test-<name>`.
      packages.${system} = {
        tests = pkgs.linkFarm "all-tests" (
          pkgs.lib.mapAttrsToList (name: test: {
            name = name;
            path = test;
          }) testSuite
        );
      }
      // (pkgs.lib.mapAttrs' (name: test: {
        name = "test-${name}";
        value = test;
      }) testSuite);
    };
}