# NixOS host configuration for "tlaternet": a headless server that pulls in
# per-service modules (gitea, nextcloud, webserver, starbound, postgres) and
# sops-managed secrets, and hardens sshd / fronts everything with nginx + fail2ban.
{ pkgs, lib, modulesPath, ... }:
let
  # The only unfree packages this host is permitted to evaluate/install.
  unfreeAllowList = [ "steam-original" "steam-runtime" "steamcmd" ];

  # Loopback and RFC 1918 ranges that fail2ban must never ban.
  neverBanRanges = [
    "127.0.0.0/8"
    "10.0.0.0/8"
    "172.16.0.0/12"
    "192.168.0.0/16"
  ];
in
{
  imports = [
    "${modulesPath}/profiles/headless.nix"
    (import ../modules)
    ./services/gitea.nix
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/starbound.nix
    ./services/postgres.nix
    ./sops.nix
  ];

  nixpkgs = {
    # Expose the repo's own packages as `pkgs.local`.
    overlays = [
      (final: prev: { local = import ../pkgs { pkgs = prev; }; })
    ];
    # Deny unfree packages by default; only the explicit allow-list passes.
    config.allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) unfreeAllowList;
  };

  nix = {
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
    # Enable remote builds from tlater
    # Trusted users may change nix-daemon settings (e.g. substituters), so keep
    # this limited to the admin group.
    trustedUsers = [ "@wheel" ];
  };

  # Optimization for minecraft servers, see:
  # https://bugs.mojang.com/browse/MC-183518
  boot.kernelParams = [ "highres=off" "nohz=off" ];

  networking = {
    hostName = "tlaternet";
    usePredictableInterfaceNames = false;
    useDHCP = false;
    interfaces.eth0.useDHCP = true;
    # 80/443: nginx; 2222: sshd (matches services.openssh.ports below);
    # 21025: presumably the starbound service — verify against ./services/starbound.nix.
    firewall.allowedTCPPorts = [ 80 443 2222 21025 ];
  };

  time.timeZone = "Europe/London";

  # Single admin account: sudo via wheel, key-based login only.
  users.users.tlater = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keyFiles = [ ../keys/tlater.pub ];
  };

  services = {
    openssh = {
      enable = true;
      allowSFTP = false;
      passwordAuthentication = false;
      permitRootLogin = "no";
      ports = [ 2222 ];
      startWhenNeeded = true;
      # "yes" lets remote-forwarded ports (ssh -R) bind to non-loopback
      # addresses; reachability is then governed by the firewall list above.
      # Review: keep only if remotely forwarded services are meant to be public.
      gatewayPorts = "yes";
    };

    nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      # Large uploads (presumably for nextcloud) — applies to every vhost.
      clientMaxBodySize = "10G";
      domain = "tlater.net";
    };

    fail2ban = {
      enable = true;
      # Bans are applied through ipset; bantime grows with repeat offenders.
      extraPackages = [ pkgs.ipset ];
      banaction = "iptables-ipset-proto6-allports";
      bantime-increment.enable = true;
      jails = {
        nginx-botsearch = ''
          enabled = true
          logpath = /var/log/nginx/access.log
        '';
      };
      # Sources in these ranges are never banned.
      ignoreIP = neverBanRanges;
    };
  };

  security.acme = {
    defaults.email = "tm@tlater.net";
    acceptTerms = true;
  };

  # Do not bump on upgrades; this pins stateful service defaults.
  system.stateVersion = "20.09";
}