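{ pkgs, config, ... }:
let
  rootDomain = "lgmrszd.xyz";
  gtnhDomain = "gtnh.${rootDomain}";
  discDomain = "discourse.testdrive.${rootDomain}";
  akkoDomain = "akko.testdrive.${rootDomain}";
  iceDomain = "ice.testdrive.${rootDomain}";
in
{
  imports = [
    ./hardware-configuration.nix
    # The sha256 pins the branch tarball: if upstream changes, the fetch
    # fails instead of silently pulling new code into the system closure.
    (fetchTarball {
      url = "https://github.com/cariandrum22/nixos-vscode-server/tarball/support-for-new-dir-structure-of-vscode-server";
      sha256 = "1sp4h0nb7dh7mcm8vdflihv76yz8azf5zifkcbxhq7xz48c8k5pd";
    })
  ];

  # Shared workspace for openvscode-server; setgid bit (2770) makes new files
  # inherit the service group instead of the creator's primary group.
  systemd.tmpfiles.rules = [
    "d /shared/openvscode 2770 root ${config.services.openvscode-server.group}"
  ];

  programs.fish.enable = true;
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  networking.hostName = "lgm-vps1";
  networking.domain = "contaboserver.net";
  # Only HTTP/HTTPS are opened here; sshd and endlessh-go open their own
  # ports through their openFirewall options.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.openssh = {
    enable = true;
    ports = [ 37163 ];
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # PasswordAuthentication = false alone still leaves PAM
      # keyboard-interactive logins enabled (NixOS defaults it to true),
      # which accept passwords; disable that path too.
      KbdInteractiveAuthentication = false;
    };
  };

  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
  networking.nat.externalInterface = "eth0";

  # SSH tarpit on the default port; the real sshd listens on 37163.
  services.endlessh-go = {
    enable = true;
    openFirewall = true;
    port = 22;
  };

  services.vscode-server = {
    enable = true;
    nodejsPackage = pkgs.nodejs_18;
    installPath = "$HOME/.vscodium-server";
  };

  services.openvscode-server = {
    enable = true;
  };

  containers.akkotest =
    let
      secretpath = "${config.sops.secrets.example_key.path}";
    in
    {
      ephemeral = true;
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.11";
      # The host-side secret is mounted read-only; the container's akkoma
      # user shares uid/gid 1234 with the host placeholder user below so the
      # file ownership set by sops applies inside the container as well.
      bindMounts."${secretpath}".isReadOnly = true;
      specialArgs = { inherit secretpath; };
      config = { config, pkgs, secretpath, ... }: {
        users = {
          users."akkoma" = {
            description = "Akkoma user";
            group = "akkoma";
            isSystemUser = true;
            uid = 1234;
          };
          groups."akkoma" = { gid = 1234; };
        };
      };
    };

  # Host-side placeholder with the same uid/gid as the container user, so the
  # sops secret can be owned by it (see sops.secrets.example_key).
  users = {
    users."akkoma" = {
      description = "Fake Akkoma user to set up secrets permissions";
      group = "akkoma";
      isSystemUser = true;
      uid = 1234;
    };
    groups."akkoma" = { gid = 1234; };
  };

  sops = {
    defaultSopsFile = ../../secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    secrets.example_key = {
      owner = config.users.users.akkoma.name;
      group = config.users.users.akkoma.group;
    };
    # DNS provider credentials for the ACME DNS-01 challenge; handed to
    # security.acme as an environmentFile so they never enter the Nix store.
    secrets.porkbun = {
      sopsFile = ../../secrets/porkbun.env;
      format = "dotenv";
    };
  };

  users.users.nginx.extraGroups = [ "acme" ];

  services.nginx = {
    enable = true;
    # Use the nixpkgs-maintained TLS protocol/cipher/stapling defaults rather
    # than nginx's upstream defaults.
    recommendedTlsSettings = true;

    # Plain-HTTP catch-all: every request is redirected to HTTPS.
    virtualHosts."${rootDomain}80" = {
      serverName = rootDomain;
      rejectSSL = true;
      default = true;
      locations."/" = {
        return = "301 https://${rootDomain}$request_uri";
      };
    };
    virtualHosts.${rootDomain} = {
      onlySSL = true;
      useACMEHost = "${rootDomain}";
      root = "/var/www/todo";
    };
    virtualHosts.${gtnhDomain} = {
      forceSSL = true;
      useACMEHost = "${rootDomain}";
      root = "/var/www/gtnh";
    };
    virtualHosts.${discDomain} = {
      forceSSL = true;
      useACMEHost = "${rootDomain}";
      root = "/var/www/todo";
    };
    virtualHosts.${akkoDomain} = {
      forceSSL = true;
      useACMEHost = "${rootDomain}";
      root = "/var/www/todo";
    };
    virtualHosts.${iceDomain} = {
      forceSSL = true;
      useACMEHost = "${rootDomain}";
      root = "/var/www/todo";
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "lgmrszd@disroot.org";
    # One wildcard certificate obtained via DNS-01; every vhost above
    # references it through useACMEHost.
    certs.${rootDomain} = {
      # domain = "*.${rootDomain}";
      dnsProvider = "porkbun";
      environmentFile = config.sops.secrets.porkbun.path;
      extraDomainNames = [
        "*.${rootDomain}"
        # gtnhDomain
        # akkoDomain
        # iceDomain
        # discDomain
      ];
    };
  };

  programs.mosh.enable = true;
  environment.systemPackages = with pkgs; [ git vim tmux sops ];

  users.users.lgm = {
    isNormalUser = true;
    description = "lgm";
    # Note: membership in "docker" is root-equivalent via the daemon socket.
    extraGroups = [ "wheel" "docker" config.services.openvscode-server.group ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = [
      ''sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHFPA2RhqZIVCLwYuEUDQyOnJ4g1R6IfQyhGqZ2Cvvu+AAAABHNzaDo= lgm@lgm-nixos''
    ];
  };

  system.stateVersion = "23.11";
}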