{ config, pkgs, lib, modulesPath, flake-inputs, ... }:

let
  # Every TURN listener, opened for both TCP and UDP further down. Taken
  # from the coturn module's own options so the firewall follows the
  # service configuration instead of duplicating port numbers.
  coturnPorts = with config.services.coturn; [
    listening-port
    tls-listening-port
    alt-listening-port
    alt-tls-listening-port
  ];
in
{
  imports = [
    flake-inputs.disko.nixosModules.disko
    flake-inputs.sops-nix.nixosModules.sops
    flake-inputs.tlaternet-webserver.nixosModules.default
    "${modulesPath}/profiles/minimal.nix"
    (import ../modules)

    ./services/afvalcalendar.nix
    ./services/backups.nix
    ./services/battery-manager.nix
    ./services/conduit.nix
    ./services/fail2ban.nix
    ./services/foundryvtt.nix
    ./services/gitea.nix
    ./services/metrics
    ./services/minecraft.nix
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/wireguard.nix
    # ./services/starbound.nix -- Not currently used
    ./services/postgres.nix

    ./nginx.nix
    ./sops.nix
  ];

  # Expose the repository's own package set as `pkgs.local`.
  nixpkgs.overlays = [
    (final: prev: {
      local = import ../pkgs {
        pkgs = prev;
        lib = prev.lib;
      };
    })
  ];

  nix.package = pkgs.nixFlakes;
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
  # Enable remote builds from tlater. Trusted users may push arbitrary
  # unsigned store paths to the daemon, which is effectively root; that is
  # acceptable here only because wheel already holds sudo rights below.
  nix.settings.trusted-users = [ "@wheel" ];

  # Optimization for minecraft servers, see:
  # https://bugs.mojang.com/browse/MC-183518
  boot.kernelParams = [ "highres=off" "nohz=off" ];

  networking.usePredictableInterfaceNames = false;
  networking.useDHCP = false;
  systemd.network.enable = true;

  networking.firewall = {
    allowedTCPPorts = [
      # http
      80
      443
      # ssh
      2222
      # matrix
      8448
      # starbound
      # NOTE(review): the starbound module in `imports` is commented out;
      # confirm something still listens on this port, otherwise drop it to
      # avoid an open port with no service behind it.
      21025
    ] ++ coturnPorts;
    allowedUDPPorts = coturnPorts;
    # TURN relay range.
    allowedUDPPortRanges = [
      {
        from = config.services.coturn.min-port;
        to = config.services.coturn.max-port;
      }
    ];
  };

  time.timeZone = "Europe/London";

  users.users.tlater = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # NixOS installs these under /etc/ssh/authorized_keys.d/tlater, the
    # same root-owned location the sshAgentAuth PAM rule below reads from.
    openssh.authorizedKeys.keyFiles = [ ../keys/tlater.pub ];
  };

  services.openssh = {
    enable = true;
    allowSFTP = false;
    ports = [ 2222 ];
    startWhenNeeded = true;
    settings = {
      # Lets remote forwards bind non-loopback addresses, so a forwarded
      # port becomes reachable from the network as soon as the firewall
      # permits it; keep that in mind when adding allowedTCPPorts.
      GatewayPorts = "yes";
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };
  services.logrotate.enable = true;

  security.sudo.execWheelOnly = true;
  # sudo authenticates against a forwarded SSH agent instead of a password.
  # Keys are read from the root-owned /etc/ssh/authorized_keys.d/%u rather
  # than the user's writable ~/.ssh, so a user cannot enrol extra keys that
  # would grant themselves sudo.
  security.pam.sshAgentAuth = {
    enable = true;
    authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
  };
  security.pam.services.sudo.sshAgentAuth = true;

  # Remove some unneeded packages
  environment.defaultPackages = [ ];

  system.stateVersion = "20.09";
}