From 53f5850a3dd5feae97ffe599a7d763feb62b39fe Mon Sep 17 00:00:00 2001
From: reym
Date: Wed, 29 Apr 2026 02:12:44 +0200
Subject: [PATCH] init

---
 .gitignore | 2 +
 configuration.nix | 138 ++++++++++++++++++++++++++++++++++++++++++++++
 disko.nix | 33 +++++++++++
 flake.lock | 48 ++++++++++++++++
 flake.nix | 24 ++++++++
 justfile | 11 ++++
 6 files changed, 256 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 configuration.nix
 create mode 100644 disko.nix
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 justfile
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b21ce41
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+result
+garp*
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..2430cf5
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,138 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ # CHANGE THESE
+ domain = "git.example.com";
+ acmeEmail = "you@example.com";
+ sshKeys = [
+ "ssh-ed25519 AAAA...replace-with-your-public-key... user@host"
+ ];
+in
+{
+ # ─── Boot ──────────────────────────────────────────────────────────
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # ─── Networking ────────────────────────────────────────────────────
+ networking.hostName = "garp";
+ networking.useDHCP = lib.mkDefault true;
+ networking.firewall.allowedTCPPorts = [
+ 22
+ 80
+ 443
+ ];
+
+ time.timeZone = "UTC";
+
+ nix = {
+ settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 14d";
+ };
+ };
+
+ services.xserver.xkb = {
+ layout = "de";
+ };
+ console.keyMap = "de";
+
+ # SSH (needed for nixos-anywhere and later rebuilds)
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "prohibit-password";
+ PasswordAuthentication = false;
+ };
+ };
+ users.users.root.openssh.authorizedKeys.keys = sshKeys;
+
+ virtualisation.docker = {
+ enable = true;
+ autoPrune.enable = true;
+ };
+
+ # Native module (not Docker) — gets proper systemd units, log
+ # integration, and works with services.forgejo.dump for backups.
+ services.forgejo = {
+ enable = true;
+ database.type = "sqlite3";
+ settings = {
+ server = {
+ DOMAIN = domain;
+ ROOT_URL = "https://${domain}/";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 3000;
+ };
+ service.DISABLE_REGISTRATION = true;
+ session.COOKIE_SECURE = true;
+ log.LEVEL = "Warn";
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+ email = acmeEmail;
+ virtualHosts.${domain}.extraConfig = ''
+ reverse_proxy 127.0.0.1:3000
+ '';
+ };
+
+ environment.systemPackages = with pkgs; [
+ git
+ neovim
+ btop
+ tmux
+ curl
+ ];
+
+ # VM-only overrides (applied by `nixos-rebuild build-vm`)
+ virtualisation.vmVariant = {
+ virtualisation = {
+ memorySize = 2048;
+ cores = 2;
+ forwardPorts = [
+ {
+ from = "host";
+ host.port = 2222;
+ guest.port = 22;
+ }
+ {
+ from = "host";
+ host.port = 3000;
+ guest.port = 3000;
+ }
+ {
+ from = "host";
+ host.port = 8080;
+ guest.port = 80;
+ }
+ ];
+ };
+
+ # Reach Forgejo from the host via the forwarded port
+ services.forgejo.settings.server.HTTP_ADDR = lib.mkForce "0.0.0.0";
+
+ # Caddy without TLS in the VM (no real DNS / ACME)
+ services.caddy.virtualHosts = lib.mkForce {
+ ":80".extraConfig = ''
+ reverse_proxy 127.0.0.1:3000
+ '';
+ };
+
+ # Easy SSH into the VM for poking around
+ services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
+ services.openssh.settings.PasswordAuthentication = lib.mkForce true;
+ users.users.root.password = lib.mkForce "test";
+ };
+
+ system.stateVersion = "25.11";
+}
diff --git a/disko.nix b/disko.nix
new file mode 100644
index 0000000..0005656
--- /dev/null
+++ b/disko.nix
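Review bot: `PasswordAuthentication = false` in the production `services.openssh.settings` block still leaves PAM keyboard-interactive logins enabled, since NixOS does not turn that off by default; add `KbdInteractiveAuthentication = false;` beside it so root is reachable only with the keys in `sshKeys`. The `forwardPorts` entries in `virtualisation.vmVariant` set no `host.address`, and if I read the qemu-vm module right an empty address binds the forwards on every host interface, so a running VM with `PermitRootLogin = "yes"` and root password `test` is reachable from the local network on port 2222 — pinning `host.address = "127.0.0.1";` on each entry keeps the deliberately weak VM credentials local to the developer machine. `virtualisation.docker.enable = true` is set although the comment above `services.forgejo` explains the native module is used instead of Docker; if no containers are planned, dropping it removes an unused daemon whose own iptables rules publish container ports independently of `networking.firewall.allowedTCPPorts`. Separately, `session.COOKIE_SECURE = true` is not overridden in the VM variant, where Caddy serves plain HTTP on `:80`, so browsers will withhold the session cookie there and logging in through the forwarded port is unlikely to work.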
@@ -0,0 +1,33 @@
+{
+ disko.devices.disk.main = {
+ # CHANGE THIS to match the target disk:
+ # /dev/sda — typical SATA / SCSI
+ # /dev/vda — KVM / QEMU virtio
+ # /dev/nvme0n1 — NVMe
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..aa5c40a
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,48 @@
+{
+ "nodes": {
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1776613567,
+ "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1777077449,
+ "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-25.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "disko": "disko",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..9ddfb12
--- /dev/null
+++ b/flake.nix
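Review bot: `device = "/dev/vda"` in `disko.devices.disk.main` names the install target by kernel enumeration, and disko formats whatever device carries that name when nixos-anywhere runs, so a stable `/dev/disk/by-id/...` path is the safer value once the real hardware is known; the `# CHANGE THIS` comment could say so, e.g. `# Prefer a /dev/disk/by-id/ path on real hardware: enumeration order can change between boots`. The layout also declares only ESP and root with no swap partition; if that is intentional for this host, a one-line comment such as `# No swap partition by design` above `partitions` would save the next reader from wondering whether it was forgotten.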
@@ -0,0 +1,24 @@
+{
+ description = "Minimal NixOS server: Docker + Caddy + Forgejo";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs =
+ { nixpkgs, disko, ... }:
+ {
+ nixosConfigurations.garp = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ disko.nixosModules.disko
+ ./disko.nix
+ ./configuration.nix
+ ];
+ };
+ };
+}
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..299399c
--- /dev/null
+++ b/justfile
@@ -0,0 +1,11 @@
+# https://just.systems
+
+default:
+ echo 'Hello, world!'
+
+vm:
+ nixos-rebuild build-vm --flake .#server
+ ./result/bin/run-garp-vm -nographic
+
+ rebuild-remote:
+ nixos-rebuild switch --flake .#garp --target-host root@{{ domain }}
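Review bot: `nixos-rebuild build-vm --flake .#server` in the `vm` recipe refers to a `server` configuration, but flake.nix in this same commit defines only `nixosConfigurations.garp` (and `rebuild-remote` already uses `.#garp`), so `just vm` will fail to evaluate; change it to `nixos-rebuild build-vm --flake .#garp`. `root@{{ domain }}` in `rebuild-remote` interpolates a `domain` variable that the justfile never defines, which just is likely to reject when loading the file rather than only when that recipe runs; declare it at the top, e.g. `domain := "git.example.com"`, or make it a recipe parameter with `rebuild-remote domain:`. The `rebuild-remote:` header also appears to be indented (its `+` marker is followed by whitespace, unlike `default:` and `vm:`), which just would read as a continuation of the `vm` body rather than a new recipe, so it should start at column 0.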