# NixOS host module for "tlaternet": pulls in the per-service modules and sets
# the host-wide nix, network, SSH, nginx/ACME and container settings.
{ config, pkgs, lib, ... }:
let
  # Unfree packages that may be evaluated on this host; any other unfree
  # package is still rejected by nixpkgs.
  permittedUnfree = [ "steam-runtime" "steamcmd" ];

  # Single domain every virtual host hangs off. It is read back through the
  # option system so this file and the service modules agree on one value
  # (the option itself is assumed to be declared elsewhere, e.g. in
  # ./services/webserver.nix -- confirm).
  domain = config.services.nginx.domain;

  # Build a TLS-terminating reverse-proxy vhost for a service that listens on
  # localhost:<port>. `extra` is merged on top recursively, so callers can add
  # aliases or override individual locations without losing the defaults.
  proxiedHost = port: extra:
    lib.recursiveUpdate {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://127.0.0.1:${toString port}";
      # HSTS on every response; `always` keeps the header on error pages too.
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      '';
    } extra;
in
{
  imports = [
    ./services/gitea.nix
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/starbound.nix
    ./ids.nix
  ];

  # Flake-enabled nix daemon.
  nix.package = pkgs.nixFlakes;
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
  # Needed so the deploying user can push closures to this host (remote
  # builds/deploys). Note that trusted users can set any daemon option,
  # including substituters, which is effectively root-equivalent on the
  # store -- keep the wheel group small.
  nix.trustedUsers = [ "@wheel" ];

  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) permittedUnfree;

  # Secrets are decrypted from the shared external.yaml; `steam` is the only
  # one declared at this level (the service modules may declare more).
  sops.defaultSopsFile = ../keys/external.yaml;
  sops.secrets.steam = { };

  boot.kernelParams = [ "highres=off" "nohz=off" ];

  networking = {
    hostName = "tlaternet";
    # Classic interface naming so the single NIC is always `eth0`.
    usePredictableInterfaceNames = false;
    useDHCP = false;
    interfaces.eth0.useDHCP = true;
    # 80/443: nginx; 2222: sshd (see services.openssh.ports below).
    # 2221 and 21025 are presumably the gitea SSH and starbound ports --
    # confirm against ./services/gitea.nix and ./services/starbound.nix.
    firewall.allowedTCPPorts = [ 80 443 2222 2221 21025 ];
  };

  time.timeZone = "Europe/London";

  # Sole interactive account; wheel membership also makes it a nix trusted
  # user (see nix.trustedUsers above). Login is by the committed public key.
  users.users.tlater = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keyFiles = [ ../keys/tlater.pub ];
  };

  services.openssh = {
    enable = true;
    allowSFTP = false;
    # Key-only authentication, root may not log in directly.
    passwordAuthentication = false;
    permitRootLogin = "no";
    # Non-default port; must stay in sync with the firewall list above.
    ports = [ 2222 ];
    # Socket-activated: sshd is only spawned when a connection arrives.
    startWhenNeeded = true;
    # Remote forwards (`ssh -R`) bind on all interfaces, not just loopback;
    # a forwarded port is only reachable from outside if it is also opened
    # in networking.firewall.allowedTCPPorts.
    gatewayPorts = "yes";
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # Large request bodies pass through the proxy; presumably for nextcloud
    # uploads -- confirm.
    clientMaxBodySize = "10G";
    domain = "tlater.net";
    # Each vhost fronts a localhost-only service on its own port.
    virtualHosts = {
      "${domain}" = proxiedHost 3002 { serverAliases = [ "www.${domain}" ]; };
      "gitea.${domain}" = proxiedHost 3000 { };
      "nextcloud.${domain}" = proxiedHost 3001 { };
    };
  };

  # Let's Encrypt contact/terms for the enableACME vhosts above.
  security.acme = {
    email = "tm@tlater.net";
    acceptTerms = true;
  };

  virtualisation.oci-containers.backend = "podman";

  # Pins stateful defaults to the release this host was first installed with;
  # do not bump on upgrades.
  system.stateVersion = "20.09";
}