From 6a6f4a68afcfc8216e1e5d60435095493316111a Mon Sep 17 00:00:00 2001
From: zedddie
Date: Tue, 24 Feb 2026 01:56:35 +0000
Subject: [PATCH] base working nginx forgejo prosody cert
---
configuration.nix | 178 +++++++++++++++++++++++++++++++++++++
hardware-configuration.nix | 31 +++++++
2 files changed, 209 insertions(+)
create mode 100644 configuration.nix
create mode 100644 hardware-configuration.nix
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..ead0521
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,178 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.initrd.luks.devices."cryptroot" = {
+ device = "/dev/vda3";
+ preLVM = true;
+ };
+
+ boot.loader.grub.device = "/dev/vda";
+
+ networking.hostName = "vps";
+
+ networking.networkmanager.enable = true;
+
+ users.users.vps = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIINXz5vcBi2+yGMhxlBXmb67/euntVyLI7BdTvuCZzax zedddiezxc@gmail.com"
+ ];
+ shell = pkgs.fish;
+ packages = with pkgs; [
+ tree
+ ];
+ };
+
+ programs.fish.enable = true;
+ programs.fish.interactiveShellInit = ''
+ set -g fish_greeting ""
+ fish_vi_key_bindings
+ set -g fish_cursor_default block
+ '';
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ git
+ ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "zedddie@protonmail.com";
+ };
+
+ services.nginx.enable = true;
+ security.acme.certs."zedddie.rs".group = "acme";
+ users.users.nginx.extraGroups = [ "acme" ];
+ services.nginx = {
+ virtualHosts = {
+ "zedddie.rs" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/main";
+ };
+ "git.zedddie.rs" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ proxyWebsockets = true;
+ };
+ };
+ "blog.zedddie.rs" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/blog";
+ };
+ "xmpp.zedddie.rs" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:5280";
+ };
+ };
+ };
+ };
+ services.nginx.virtualHosts."fs.zedddie.rs" = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ client_max_body_size 50M;
+ '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:5280";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto https;
+ '';
+ };
+ };
+ services.forgejo = {
+ package = pkgs.forgejo-lts;
+ enable = true;
+ database.type = "postgres";
+ settings = {
+ server = {
+ DOMAIN = "git.zedddie.rs";
+ ROOT_URL = "https://git.zedddie.rs/";
+ HTTP_ADDR = "127.0.0.1";
+ HTTP_PORT = 3000;
+ };
+ service.DISABLE_REGISTRATION = true;
+ };
+ };
+ services.prosody.xmppComplianceSuite = false;
+ users.users.prosody.extraGroups = [ "acme" ];
+ services.prosody = {
+ enable = true;
+ admins = [ "admin@zedddie.rs" ];
+
+ ssl = {
+ cert = "/var/lib/acme/zedddie.rs/fullchain.pem";
+ key = "/var/lib/acme/zedddie.rs/key.pem";
+ };
+
+ modules = {
+ pep = true;
+ };
+
+ httpFileShare = {
+ enable = true;
+ domain = "fs.zedddie.rs";
+ };
+
+ virtualHosts."zedddie.rs" = {
+ enabled = true;
+ domain = "zedddie.rs";
+ ssl = {
+ cert = "/var/lib/acme/zedddie.rs/fullchain.pem";
+ key = "/var/lib/acme/zedddie.rs/key.pem";
+ };
+ };
+
+ extraModules = [
+ "pubsub"
+ "adhoc"
+ ];
+
+ extraConfig = ''
+ http_external_url = "https://fs.zedddie.rs/"
+ trusted_proxies = { "127.0.0.1" }
+ '';
+
+ };
+ environment.shellAliases = {
+ zix = ''nix run "git+https://codeberg.org/zedddie/zix" --extra-experimental-features "nix-command flakes" --'';
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.KbdInteractiveAuthentication = false;
+ settings.PasswordAuthentication = false;
+ settings.PermitRootLogin = "no";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ 5222
+ 5269
+ ];
+
+ system.stateVersion = "25.11";
+
+}
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..3392d48
--- /dev/null
+++ b/hardware-configuration.nix
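Review bot: Prosody reads the ACME certificate straight from `/var/lib/acme/zedddie.rs/` in both its top-level `ssl` block and the `virtualHosts."zedddie.rs".ssl` block, but nothing in the hunk tells it to reload when that certificate is renewed, so after the first renewal the XMPP service is likely to keep presenting the old (and eventually expired) certificate until it is restarted by hand. Declaring the dependency on the cert, e.g. `security.acme.certs."zedddie.rs".reloadServices = [ "prosody.service" ];`, closes that gap (confirm the option name against the nixpkgs release in use, and the two identical `ssl` blocks could then collapse into one). Separately, `security.sudo.wheelNeedsPassword = false;` makes any compromise of the `vps` user's SSH key an immediate root compromise on an internet-facing host; if passwordless sudo is a deliberate convenience a comment saying so would help, otherwise drop the line. The nginx and prosody settings are also spread over several separate `services.nginx` / `services.prosody` assignments (`services.nginx.enable`, the `services.nginx = { ... }` set, `services.nginx.virtualHosts."fs.zedddie.rs"`, `services.prosody.xmppComplianceSuite`); merging each service into one attribute set would make the vhost and certificate wiring easier to audit.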
@@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/mapper/vg-root"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/7d964ac4-17b5-43ce-b363-b0d54b89aec7"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/mapper/vg-swap"; } + ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +}