Diffstat (limited to 'nix/machines')
-rw-r--r--nix/machines/vm-synology/default.nix71
-rw-r--r--nix/machines/vm-synology/disk.nix55
-rw-r--r--nix/machines/vm-synology/git.nix61
-rw-r--r--nix/machines/vm-synology/hardware.nix32
4 files changed, 219 insertions, 0 deletions
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/vm-synology/default.nix
new file mode 100644
index 0000000..8ced4e1
--- /dev/null
+++ b/nix/machines/vm-synology/default.nix
@@ -0,0 +1,71 @@
+{ pkgs, ... }:
+{
+ imports = [
+ ./hardware.nix
+ ./git.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ networking.hostName = "vm-synology";
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ nix = {
+ package = pkgs.nixVersions.latest;
+ settings = {
+ trusted-users = [
+ "@admin"
+ "fcuny"
+ ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+
+ time.timeZone = "America/Los_Angeles";
+
+ # Don't require password for sudo
+ security.sudo.wheelNeedsPassword = false;
+
+ # Virtualization settings
+ virtualisation.docker.enable = true;
+
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.mutableUsers = false;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ curl
+ git
+ vim
+ jq
+ ];
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ services.openssh.settings.PasswordAuthentication = true;
+ services.openssh.settings.PermitRootLogin = "no";
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+
+ networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
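Review bot: The `users.users.root.openssh.authorizedKeys.keys` entry near the end of the hunk can never be used for an SSH login, because `services.openssh.settings.PermitRootLogin = "no"` a few lines above rejects root logins outright; either drop the key or, if root-over-key is intended, set `services.openssh.settings.PermitRootLogin = "prohibit-password";`. With a key already provisioned, `services.openssh.settings.PasswordAuthentication = true;` combined with `networking.firewall.enable = false;` exposes a password-guessable sshd on every interface; `PasswordAuthentication = false` is the safer default and this config does not declare any user whose password it would need. The comment "Don't forget to set a password with ‘passwd’" is stale next to `users.mutableUsers = false;`, since passwords set with passwd are discarded on the next rebuild; replace it with `# users are immutable: declare them with hashedPasswordFile or rely on SSH keys`.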
diff --git a/nix/machines/vm-synology/disk.nix b/nix/machines/vm-synology/disk.nix
new file mode 100644
index 0000000..1641339
--- /dev/null
+++ b/nix/machines/vm-synology/disk.nix
@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
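Review bot: The ESP filesystem with `mountpoint = "/boot"` is mounted with default vfat options, which leaves the kernel and initrd under /boot world-readable; recent disko examples add `mountOptions = [ "umask=0077" ];` next to `mountpoint` for the ESP, and the NixOS systemd-boot module warns about a world-readable ESP in recent releases (worth confirming against the pinned nixpkgs). The 1M `EF02` BIOS boot partition is unused by the systemd-boot/EFI setup in default.nix; it is harmless, but a one-line `# BIOS boot stub, kept for hybrid-boot compatibility` comment (or dropping the partition) would pre-empt the question. The root LV is unencrypted, which is presumably a deliberate choice for a VM on a NAS; a short comment stating that would make it visibly intentional.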
diff --git a/nix/machines/vm-synology/git.nix b/nix/machines/vm-synology/git.nix
new file mode 100644
index 0000000..6ca6ec7
--- /dev/null
+++ b/nix/machines/vm-synology/git.nix
@@ -0,0 +1,61 @@
+{ pkgs, ... }:
+{
+
+ services.gitolite = {
+ enable = true;
+ adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ user = "git";
+ group = "git";
+ extraGitoliteRc = ''
+ # Make dirs/files group readable, needed for webserver/cgit. (Default
+ # setting is 0077.)
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
+ $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
+ push( @{$RC{ENABLE}}, 'symbolic-ref' );
+ '';
+ };
+
+ # let's make sure the default branch is `main'.
+ systemd.tmpfiles.rules = [
+ "C /var/lib/gitolite/.gitconfig - git git 0644 ${pkgs.writeText "gitolite-gitconfig" ''
+ [init]
+ defaultBranch = main
+ ''}"
+ ];
+
+ # # TODO also rsync the backups to the nas
+ # # TODO need the ssh key for the nas for rsync ?
+ # age.secrets.restic = {
+ # file = ../../../secrets/restic-backups.age;
+ # owner = "root";
+ # group = "root";
+ # path = "/etc/restic/secret";
+ # mode = "600";
+ # };
+
+ # # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix
+ # services.restic.backups.git = {
+ # passwordFile = "/etc/restic/secret";
+ # repository = "/srv/backups/git";
+ # initialize = true;
+ # paths = [ "/var/lib/gitolite" ];
+ # exclude = [
+ # "/var/lib/gitolite/.bash_history"
+ # "/var/lib/gitolite/.ssh"
+ # "/var/lib/gitolite/.viminfo"
+ # ];
+ # extraBackupArgs = [
+ # "--exclude-caches"
+ # "--compression=max"
+ # ];
+ # timerConfig = {
+ # OnCalendar = "daily";
+ # };
+ # pruneOpts = [
+ # "--keep-daily 7"
+ # "--keep-weekly 4"
+ # "--keep-monthly 3"
+ # ];
+ # };
+}
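Review bot: `$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"` places gitolite's local hooks and commands inside the gitolite-admin repository, so anyone who can push to gitolite-admin can run arbitrary code as the `git` user; gitolite's rc documentation calls this out, and here it is acceptable only because `adminPubkey` is the single admin identity, which a comment such as `# LOCAL_CODE lives in the admin repo: push access to gitolite-admin == code execution as git` should record before a second admin key is added. The `$RC{UMASK} = 0027` relaxation is justified by the cgit/webserver comment, but nothing in this commit configures cgit or a webserver, so consider keeping gitolite's default umask until a consumer exists, or naming the module that will read the group-readable repositories. The roughly 35 commented-out lines of `age.secrets.restic` / `services.restic.backups.git` are dead configuration that will drift from current option names; move the intent into the TODO and drop the block.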
diff --git a/nix/machines/vm-synology/hardware.nix b/nix/machines/vm-synology/hardware.nix
new file mode 100644
index 0000000..c894a80
--- /dev/null
+++ b/nix/machines/vm-synology/hardware.nix
@@ -0,0 +1,32 @@
+{ lib, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ./disk.nix
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}