From 272fc2f2562908a72e7b2638368b5605e44508c0 Mon Sep 17 00:00:00 2001 From: thiloho <123883702+thiloho@users.noreply.github.com> Date: Fri, 24 Oct 2025 11:21:28 +0200 Subject: [PATCH] Initialize nixos server config --- flake.lock | 61 ++++++++++++++++++++++++++++++++++++++ flake.nix | 56 +++++++++++++++++++++++++++++++++++ server/default.nix | 73 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 190 insertions(+) create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 server/default.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..a81b05f --- /dev/null +++ b/flake.lock @@ -0,0 +1,61 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1761266473, + "narHash": "sha256-QxCyKWBmuzI+eMhYV1JmbZsiUnBNATRP1EW34OBt5Vg=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "5c71d4a730bd3c972befff343bb074421e345937", + "type": "github" + }, + "original": { + "id": "home-manager", + "type": "indirect" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1760878510, + "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1761114652, + "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": "nixpkgs_2" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..2c3938c --- /dev/null 
+++ b/flake.nix
@@ -0,0 +1,56 @@
+{
+ description = "NixOS configuration";
+
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ outputs =
+ inputs@{ nixpkgs, home-manager, ... }:
+ let
+ systems = [
+ "x86_64-linux"
+ "aarch64-linux"
+ ];
+
+ forAllSystems =
+ f:
+ builtins.listToAttrs (
+ map (system: {
+ name = system;
+ value = f system;
+ }) systems
+ );
+ in
+ {
+ devShells = forAllSystems (
+ system:
+ let
+ pkgs = nixpkgs.legacyPackages.${system};
+ in
+ {
+ default = pkgs.mkShell {
+ packages = with pkgs; [
+ nixd
+ nixfmt
+ ];
+ };
+ }
+ );
+
+ nixosConfigurations =
+ let
+ mkSystem =
+ entrypoint:
+ nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
+ modules = [
+ entrypoint
+ { nix.registry.nixpkgs.flake = nixpkgs; }
+ ];
+ };
+ in
+ {
+ server = mkSystem ./server;
+ };
+ };
+}
diff --git a/server/default.nix b/server/default.nix
new file mode 100644
index 0000000..2e59cbf
--- /dev/null
+++ b/server/default.nix
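Review bot: `home-manager` is destructured in the `outputs` arguments but never declared under `inputs`, so Nix resolves it through the flake registry (flake.lock records it as `"type": "indirect"`), and it brings its own nixpkgs, which is why the lock file carries both `nixpkgs` and `nixpkgs_2`. Declaring it explicitly keeps the source of a build input in the repository instead of in the registry of whichever machine next updates the lock: `inputs.home-manager.url = "github:nix-community/home-manager";` together with `inputs.home-manager.inputs.nixpkgs.follows = "nixpkgs";`. Nothing in the visible outputs uses home-manager yet, so dropping it from the argument list until it is needed is the simpler alternative.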
@@ -0,0 +1,73 @@
+{ pkgs }:
+{
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ kernelPackages = pkgs.linuxPackages_latest;
+ };
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ time.timeZone = "Europe/Amsterdam";
+
+ nixpkgs.config.allowUnfree = true;
+
+ networking = {
+ networkmanager.enable = true;
+ hostName = "nixos-server";
+ firewall = {
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ allowedUDPPorts = [
+ 80
+ 443
+ ];
+ };
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+ nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ virtualHosts = {
+ "redlib.thilohohlt.com" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ };
+ };
+
+ security = {
+ acme = {
+ acceptTerms = true;
+ defaults.email = "contact@thilohohlt.com";
+ };
+ };
+
+ users.users.thohlt = {
+ isNormalUser = true;
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ ];
+ openssh.authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDvf71FYha3PYUlOfc1rh+qZaGd6zzqYAIfecV2K6td thohlt@archlinux"
+ ];
+ };
+
+ system.stateVersion = "25.10";
+}
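Review bot: The user's SSH key is assigned to `openssh.authorizedKeys` as a bare list, but that option is an attribute set, so the key belongs under `openssh.authorizedKeys.keys = [ ... ];`; with `PasswordAuthentication = false` this key is the only login path, so it is worth getting right before the first deploy. The module header `{ pkgs }:` has no ellipsis, and the module system passes more arguments than `pkgs` (including `inputs` from `specialArgs`), so it most likely needs to be `{ pkgs, ... }:` to evaluate at all. The firewall opens UDP 80 and 443 although nothing in the nginx block enables HTTP/3, so `allowedUDPPorts` can be dropped to keep the exposed surface to what is actually served. `system.stateVersion = "25.10"` does not look like a NixOS release number (releases are numbered .05 and .11) and should be confirmed.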