From 4a6efc0c1a298dd59e75d2a39c62578900a79cc7 Mon Sep 17 00:00:00 2001
From: itamar
Date: Fri, 20 Mar 2026 21:00:38 +0000
Subject: [PATCH] nix server config
---
configuration.nix | 59 +++++++++++++++++++++++
fm.nix | 27 +++++++++++
forgejo.nix | 65 ++++++++++++++++++++++++++
matrix.nix | 117 ++++++++++++++++++++++++++++++++++++++++++++++
website.nix | 19 ++++++++
5 files changed, 287 insertions(+)
create mode 100644 configuration.nix
create mode 100644 fm.nix
create mode 100644 forgejo.nix
create mode 100644 matrix.nix
create mode 100644 website.nix
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..85c14a3
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,59 @@
+{ pkgs, modulesPath, ... }:
+
+{
+ system.stateVersion = "25.11";
+ nix.settings.experimental-features = "flakes nix-command";
+ virtualisation.docker.enable = true;
+ users.users.root.extraGroups = [ "docker" ];
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./matrix.nix
+ ./website.nix
+ ./fm.nix
+ ./gitea.nix
+ ];
+ fileSystems."/" = {
+ device = "/dev/vda1";
+ fsType = "ext4";
+ };
+ boot.loader.grub.device = "/dev/vda";
+ boot.loader.timeout = 30;
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ boot.tmp.cleanOnBoot = true;
+ swapDevices = [
+ { device = "/swap"; size = 2121; }
+ ];
+ zramSwap.enable = true;
+
+ networking = {
+ useNetworkd = true;
+ usePredictableInterfaceNames = true;
+ hostName = "peopleswar";
+ domain = "cc";
+ };
+
+ systemd.network = {
+ enable = true;
+ networks."40-wan" = {
+ matchConfig.Name = "enx5254597fe862";
+ address = [ "" ];
+ routes = [
+ { Gateway = ""; GatewayOnLink = true; }
+ ];
+ dns = [ "2020:fe::10" "9.9.9.10" ];
+ };
+ };
+
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHioVSkG7cILl5SQiGm3TaL641BGU00FLSgexBx6xtYy nixos@nixos"
+ ];
+ environment.systemPackages = with pkgs; [
+ vim
+ git
+ fcgiwrap
+ wget
+ ];
+}
+
diff --git a/fm.nix b/fm.nix
new file mode 100644
index 0000000..ef6d5ba
--- /dev/null
+++ b/fm.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "itamar@itamar.site";
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."fm.itamar.site" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:4110";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
+
+
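Review bot: The `imports` list references `./gitea.nix`, but this commit creates `forgejo.nix` and no `gitea.nix`, so evaluation fails on a missing path and the forge host is never built; change the entry to `./forgejo.nix`. The `address = [ "" ]` and `Gateway = ""` values look like redacted placeholders; if they are literal, networkd will reject the unit and the box comes up without its WAN route, so either fill them in or document where they are injected. Since this opens root SSH on the public interface with a key, it is worth pinning the defaults explicitly rather than relying on them: `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password"; };`. `users.users.root.extraGroups = [ "docker" ]` is a no-op for root and can be dropped.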
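Review bot: The `security.acme` block (`acceptTerms`, `defaults.email`) is repeated verbatim here and in `forgejo.nix` and `matrix.nix`; it is host-wide state and reads better declared once in `configuration.nix`, leaving each vhost module with only `enableACME = true`. Nothing in this patch defines what listens on `127.0.0.1:4110`, and this vhost publishes it on the internet with no access control at the nginx layer; if the backend does not authenticate on its own, add a `basicAuthFile` or an allow-list on `locations."/"`, and a one-line comment naming the service (`# proxies to the fm container on 4110 — started outside this config`) would help the next reader. The `config` and `lib` module arguments are unused and can be omitted.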
diff --git a/forgejo.nix b/forgejo.nix
new file mode 100644
index 0000000..a0bb486
--- /dev/null
+++ b/forgejo.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.forgejo;
+ domain = "code.itamar.site";
+in {
+ services.nginx = {
+ enable = true;
+ virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_read_timeout 3600s;
+ '';
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "itamar@itamar.site";
+ };
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ lfs.enable = true;
+
+ settings = {
+ server = {
+ DOMAIN = domain;
+ ROOT_URL = "https://${domain}/";
+ HTTP_PORT = 3000;
+ HTTP_ADDR = "127.0.0.1";
+ SSH_DOMAIN = domain;
+ SSH_PORT = 22;
+ START_SSH_SERVER = true;
+ };
+
+ service = {
+ DISABLE_REGISTRATION = true;
+ REQUIRE_SIGNIN_VIEW = false;
+ };
+
+ repository = {
+ DEFAULT_BRANCH = "main";
+ };
+
+ ui.DEFAULT_THEME = "forgejo-auto";
+
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+}
diff --git a/matrix.nix b/matrix.nix
new file mode 100644
index 0000000..630b3a9
--- /dev/null
+++ b/matrix.nix
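Review bot: `START_SSH_SERVER = true` together with `SSH_PORT = 22` makes Forgejo's built-in SSH daemon bind port 22, the same port the system OpenSSH enabled in `configuration.nix` listens on, so whichever unit starts second fails and either admin SSH or git-over-SSH is lost. Set `START_SSH_SERVER = false;` and let the system sshd handle git pushes through the Forgejo service user (keeping `SSH_PORT = 22` for the clone URLs; the NixOS module is expected to set up that user's shell, but confirm on a deploy), or give the built-in server its own port with `SSH_LISTEN_PORT = 2222;` and open that instead of 22 in `allowedTCPPorts`. `cfg` is bound but never used and can go. Note also that `configuration.nix` imports `./gitea.nix`, not this file, so none of this is applied until that import is fixed.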
@@ -0,0 +1,117 @@
+{ config, pkgs, lib, ... }:
+
+let
+ fqdn = "matrix.itamar.site";
+ domain = "itamar.site";
+in {
+
+ networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '';
+ CREATE DATABASE "matrix-synapse"
+ ENCODING 'UTF8'
+ LC_COLLATE='C'
+ LC_CTYPE='C'
+ TEMPLATE=template0
+ OWNER "matrix-synapse";
+ '';
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+
+ settings = {
+ server_name = domain;
+ public_baseurl = "https://${fqdn}";
+
+ listeners = [{
+ port = 8008;
+ bind_addresses = [ "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ { names = [ "client" "federation" ]; compress = false; }
+ ];
+ }];
+
+ database = {
+ name = "psycopg2";
+ args = {
+ user = "matrix-synapse";
+ password = "galoisoverGF2";
+ database = "matrix-synapse";
+ host = "localhost";
+ cp_min = 5;
+ cp_max = 10;
+ };
+ };
+
+ enable_registration = false;
+ registration_shared_secret = "";
+
+ media_store_path = "/var/lib/matrix-synapse/media";
+
+ log_config = "/var/lib/matrix-synapse/log.yaml";
+ };
+
+ extraConfigFiles = [ "/run/secrets/synapse.yaml" ];
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "itamar@itamar.site";
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+
+ "${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."= /.well-known/matrix/server".extraConfig = let
+ server = { "m.server" = "${fqdn}:443"; };
+ in ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON server}';
+ '';
+
+ locations."= /.well-known/matrix/client".extraConfig = let
+ client = {
+ "m.homeserver" = { "base_url" = "https://${fqdn}"; };
+ "m.identity_server" = { "base_url" = "https://vector.im"; };
+ };
+ in ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON client}';
+ '';
+ };
+
+ # matrix.itamar.site — reverse proxy to Synapse
+ "${fqdn}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8008";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ client_max_body_size 50M;
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/website.nix b/website.nix
new file mode 100644
index 0000000..fd2d985
--- /dev/null
+++ b/website.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."itamar.site" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/var/www/itamar.site";
+
+ locations."/" = {
+ tryFiles = "$uri $uri/ =404";
+ };
+ };
+ };
+}
+
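Review bot: `password = "galoisoverGF2"` in `settings.database.args` is rendered into the generated homeserver config in the world-readable Nix store, and this hunk already wires `extraConfigFiles = [ "/run/secrets/synapse.yaml" ]`, which is where the `database` block (or at least the password) belongs. Simpler still, since the role name matches the service user, connect over the local socket with peer auth and drop the password entirely: `host = "/run/postgresql";`. The `initialScript` creates the role `WITH LOGIN PASSWORD ''`, which does not match the password configured above, and inside a Nix `''`-string a bare `''` terminates the string (it would need `'''` to pass through), so as written the password-based TCP login cannot succeed whichever way it is read; with peer auth the `PASSWORD` clause can simply be removed. Port 8448 is opened in `allowedTCPPorts` but nothing binds it here — `.well-known/matrix/server` delegates federation to `${fqdn}:443` — so drop it from the list.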