From 98e94297af73c583c9636c99772b2c1c34f98743 Mon Sep 17 00:00:00 2001
From: Kj Tsanaktsidis
Date: Fri, 9 Jan 2026 11:58:31 +1100
Subject: some refactor
---
modules/alt-arrow-vt.nix | 29 +++++++++++++++++++
modules/cgit.nix | 74 ++++++++++++++++++++++++++++++++++++++++++++++++
modules/secureboot.nix | 66 +++++++++++++++++++++++++++++++++++++++++++
3 files changed, 169 insertions(+)
create mode 100644 modules/alt-arrow-vt.nix
create mode 100644 modules/cgit.nix
create mode 100644 modules/secureboot.nix
(limited to 'modules')
diff --git a/modules/alt-arrow-vt.nix b/modules/alt-arrow-vt.nix
new file mode 100644
index 0000000..d0dbb90
--- /dev/null
+++ b/modules/alt-arrow-vt.nix
@@ -0,0 +1,29 @@
+{
+ pkgs,
+ ...
+}:
+{
+ # Disable Alt+Left/Right virtual terminal switching
+ console.keyMap = "us";
+
+ # Create systemd service to disable only Alt+Arrow VT switching
+ systemd.services.disable-alt-arrow-vt = {
+ description = "Disable Alt+Arrow VT switching";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "systemd-vconsole-setup.service" ];
+ script = ''
+ # Define string sequences for Alt+Arrow that generate proper terminal escape sequences
+ cat << 'EOF' | ${pkgs.kbd}/bin/loadkeys
+ string F200 = "\033[1;3D"
+ string F201 = "\033[1;3C"
+ alt keycode 105 = F200
+ alt keycode 106 = F201
+ EOF
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ };
+
+}
diff --git a/modules/cgit.nix b/modules/cgit.nix
new file mode 100644
index 0000000..34fa377
--- /dev/null
+++ b/modules/cgit.nix
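Review bot: The comment `# Disable Alt+Left/Right virtual terminal switching` sits above `console.keyMap = "us";`, which only selects the base keymap; the override is actually applied by the disable-alt-arrow-vt unit below, so the comment misleads a reader into thinking the keyMap line does the work. Suggest `# Base console keymap; the Alt+Arrow VT-switch override is applied by disable-alt-arrow-vt below`. The oneshot unit is only ordered `after` systemd-vconsole-setup.service, so anything that reloads the console keymap later (a re-run of vconsole setup, a manual `loadkeys`) will presumably restore VT switching without any signal; if that matters, a comment on the unit stating the limitation would help whoever debugs it.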
@@ -0,0 +1,74 @@
+{
+ pkgs,
+ ...
+}:
+{
+ nixpkgs.overlays = [
+ (import ../overlays/git-fix)
+ ];
+
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ home = "/var/lib/git";
+ createHome = false; # tmpfiles creates it
+ shell = "${pkgs.git}/bin/git-shell";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAC/BtvW1c1RbBI8eeGo7oOH2y9byBaxWVDHsErgaE+s kjtsanaktsidis@KJMacbookGroq.local"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsyhMLrlNiffDrqz0s46hZF8IdR9/qX63TUyllK0LCA kj@KJ-PC"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS77sno1zVa6uO+2wCbBK489snNIp3uvymca2cHX/33 kjtsanaktsidis@labsrv01"
+ ];
+ };
+ users.groups.git = { };
+ systemd.tmpfiles.rules = [
+ "d /var/lib/git 0755 git git -"
+ ];
+
+ services.openssh.extraConfig = ''
+ Match User git
+ PasswordAuthentication no
+ PubkeyAuthentication yes
+ X11Forwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ '';
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.fcgiwrap.instances."git-http" = {
+ socket.user = "nginx";
+ socket.group = "nginx";
+ process.user = "nginx";
+ process.group = "nginx";
+ socket.type = "unix";
+ socket.address = "/run/fcgiwrap-git-http.sock";
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts."git.kjtsanaktsidis.id.au" = {
+ forceSSL = false;
+ enableACME = false;
+ locations = {
+ # Block HTTP pushes explicitly (receive-pack)
+ "~ ^/git/.+\\.git/git-receive-pack$" = {
+ return = "403";
+ };
+
+ # Smart HTTP for clone/fetch
+ "~ ^/git(/.+\\.git)(/.*)?$" = {
+ extraConfig = ''
+ client_max_body_size 0;
+
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${pkgs.git}/libexec/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /var/lib/git;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param PATH_INFO $1$2;
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/run/fcgiwrap-git-http.sock;
+ '';
+ };
+ };
+ };
+ };
+}
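Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens 443, but the vhost sets `forceSSL = false;` and `enableACME = false;` and configures no certificate, so this module serves clones only in plaintext on 80 and nothing in it listens on 443; either drop 443 from the list or enable TLS on the vhost, since the current mix invites the assumption that HTTPS is available. `fastcgi_param REMOTE_USER $remote_user;` is passed although no `auth_basic` (or other authentication) is set on the location, so `$remote_user` is always empty; if the intent is that git-http-backend treats every request as anonymous, a comment saying so would stop a later reader from assuming pushes are gated by nginx authentication. `fastcgi_param GIT_HTTP_EXPORT_ALL "";` makes every repository under `/var/lib/git` readable by anyone who can reach the host, not only those marked with `git-daemon-export-ok`; suggest `# Every repo under GIT_PROJECT_ROOT is anonymously readable over HTTP; no git-daemon-export-ok marker is needed`. The 403 location covers only the `git-receive-pack` POST endpoint; the `info/refs?service=git-receive-pack` advertisement still reaches the backend, so the push block presumably relies on git-http-backend's own default of refusing receive-pack for unauthenticated requests, which is worth stating in the `# Block HTTP pushes explicitly` comment.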
diff --git a/modules/secureboot.nix b/modules/secureboot.nix
new file mode 100644
index 0000000..29bff21
--- /dev/null
+++ b/modules/secureboot.nix
@@ -0,0 +1,66 @@
+{
+ inputs,
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+let
+ sb-do-enroll-keys = pkgs.writeShellApplication {
+ name = "sb-do-enroll-keys";
+ text = ''
+ set -ex;
+ ${pkgs.sbctl}/bin/sbctl enroll-keys
+ '';
+ };
+ sb-do-enroll-tpm = pkgs.writeShellApplication {
+ name = "sb-do-enroll-tpm";
+ runtimeInputs = [ pkgs.tpm2-tss ];
+ text = ''
+ set -ex;
+ LUKS_DEVICE="${config.disko.devices.disk.nvme0n1.content.partitions.luks.device}"
+ ${pkgs.systemd}/bin/systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7 "''${LUKS_DEVICE}"
+ '';
+ };
+in
+{
+ imports = [
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ];
+
+ environment.systemPackages = [
+ pkgs.sbctl
+ sb-do-enroll-keys
+ sb-do-enroll-tpm
+ ];
+
+ # Lanzaboote currently replaces the systemd-boot module.
+ # This setting is usually set to true in configuration.nix
+ # generated at installation time. So we force it to false
+ # for now.
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.initrd.systemd.enable = true;
+ boot.initrd.systemd.tpm2.enable = true;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+
+ # Create and enroll Secure Boot keys on first boot
+ systemd.services.sbctl-setup = {
+ description = "Create and enroll Secure Boot keys";
+ wantedBy = [ "multi-user.target" ];
+ unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ script = ''
+ echo "Creating Secure Boot keys..."
+ ${pkgs.sbctl}/bin/sbctl create-keys
+ '';
+ };
+}
--
cgit v1.2.3
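Review bot: The comment `# Create and enroll Secure Boot keys on first boot` and the unit's `description = "Create and enroll Secure Boot keys";` overstate what `sbctl-setup` does: its script only runs `sbctl create-keys`, and enrolling the keys into firmware is left to the manual `sb-do-enroll-keys` wrapper. Suggest `# Create Secure Boot keys on first boot; enrolling them into firmware is a manual step (sb-do-enroll-keys)` and `description = "Create Secure Boot keys";`. `sb-do-enroll-keys` runs `sbctl enroll-keys` without `--microsoft`, which on firmware that needs Microsoft-signed option ROMs (discrete GPUs, some NICs) can leave the machine unable to boot, something sbctl itself warns about; a comment at the wrapper saying the omission is deliberate for this hardware, or adding the flag, would make the choice explicit. `sb-do-enroll-tpm` binds the LUKS slot to PCRs 0+7 with no `--tpm2-with-pin`, so the disk unlocks unattended for anyone who can boot the signed system, and a firmware update that changes PCR 0 will invalidate the binding until the wrapper is re-run; both are defensible trade-offs but deserve a comment next to the `systemd-cryptenroll` line.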