tlaternet-server/configuration/default.nix

{
  config,
  pkgs,
  lib,
  modulesPath,
  flake-inputs,
  ...
}: {
  imports = [
    flake-inputs.disko.nixosModules.disko
    flake-inputs.sops-nix.nixosModules.sops
    flake-inputs.tlaternet-webserver.nixosModules.default

    "${modulesPath}/profiles/minimal.nix"
    (import ../modules)

    ./services/afvalcalendar.nix
    ./services/backups.nix
    ./services/battery-manager.nix
    ./services/conduit.nix
    ./services/fail2ban.nix
    ./services/foundryvtt.nix
    ./services/gitea.nix
    ./services/metrics
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/wireguard.nix
    ./services/starbound.nix
    ./services/postgres.nix
    ./nginx.nix
    ./sops.nix
  ];

  nixpkgs.overlays = [
    (final: prev: {
      local = import ../pkgs {
        pkgs = prev;
        lib = prev.lib;
      };
    })
  ];

  nix = {
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';

    # Enable remote builds from tlater
    settings.trusted-users = ["@wheel"];
  };

  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) ["steam-original" "steam-runtime" "steam-run" "steamcmd"];

  # Optimization for minecraft servers, see:
  # https://bugs.mojang.com/browse/MC-183518
  boot.kernelParams = ["highres=off" "nohz=off"];

  networking = {
    usePredictableInterfaceNames = false;
    useDHCP = false;

    firewall = {
      allowedTCPPorts = [
        # http
        80
        443
        # ssh
        2222
        # matrix
        8448
        # starbound
        21025
        # Minecraft
        25565

        config.services.coturn.listening-port
        config.services.coturn.tls-listening-port
        config.services.coturn.alt-listening-port
        config.services.coturn.alt-tls-listening-port
      ];

      allowedUDPPorts = [
        # More minecraft
        25565

        config.services.coturn.listening-port
        config.services.coturn.tls-listening-port
        config.services.coturn.alt-listening-port
        config.services.coturn.alt-tls-listening-port
      ];

      allowedUDPPortRanges = [
        {
          from = config.services.coturn.min-port;
          to = config.services.coturn.max-port;
        }
      ];
    };
  };

  systemd.network.enable = true;

  time.timeZone = "Europe/London";

  users.users.tlater = {
    isNormalUser = true;
    extraGroups = ["wheel"];
    openssh.authorizedKeys.keyFiles = [../keys/tlater.pub];
  };

  services = {
    openssh = {
      enable = true;
      allowSFTP = false;
      ports = [2222];
      startWhenNeeded = true;

      settings = {
        GatewayPorts = "yes";
        PermitRootLogin = "no";
        PasswordAuthentication = false;
      };
    };

    logrotate.enable = true;
  };

  security = {
    sudo.execWheelOnly = true;

    pam = {
      enableSSHAgentAuth = true;
      services.sudo.sshAgentAuth = true;
    };
  };

  # Remove some unneeded packages
  environment.defaultPackages = [];

  system.stateVersion = "20.09";
}