{ pkgs, pkgs-unstable, ... }:
let
  # Pinned home-manager release for this host. The sha256 fixes the exact
  # tarball: a changed or tampered archive fails the fetch instead of
  # silently evaluating different modules.
  hmSource = builtins.fetchTarball {
    url = "https://github.com/nix-community/home-manager/archive/release-25.05.tar.gz";
    sha256 = "07pk5m6mxi666dclaxdwf7xrinifv01vvgxn49bjr8rsbh31syaq";
  };
in
{
  imports = [
    ./hardware-configuration.nix
    (import "${hmSource}/nixos")
    ./services/forgejo.nix
    ./services/vaultwarden.nix
    ./services/nginx.nix
    # ./mailserver.nix        # TEMP: location
    # ./minecraft-server.nix  # TEMP: location
    ../modules/bashistrans.nix
  ];

  nix.settings = {
    # Trusted users may pass arbitrary substituters and import unsigned
    # store paths, which is effectively root on the host. Listing @wheel
    # is what lets the "ae" user push locally built closures (remote
    # deploy), but it also means a wheel member does not need the sudo
    # password configured below to reach root.
    trusted-users = [ "root" "@wheel" ];
    experimental-features = [ "nix-command" "flakes" ];
  };

  time.timeZone = "Australia/Brisbane";
  i18n.defaultLocale = "en_US.UTF-8";

  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  # colmena deployment target
  deployment = {
    targetHost = "imbored.dev";
    targetUser = "ae";
    targetPort = 22;
    # "-A" forwards the local ssh-agent for the deploy session: while the
    # connection is open, anything running as root on the target can use
    # the agent's keys (the pam sshAgentAuth setup below relies on this).
    sshOptions = [ "-A" ];
    buildOnTarget = false;  # evaluate and build locally, then push the closure
  };

  # minimal grub2 setup: BIOS install onto the VM disk
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  networking = {
    hostName = "hyrule";
    networkmanager.enable = true;

    firewall = {
      enable = true;
      # Ports listed here are opened regardless of whether the matching
      # module is imported above; an entry for a disabled service stays
      # open with no listener behind it.
      allowedTCPPorts = [
        22      # sshd
        80      # nginx
        # 143   # IMAP4 (mailserver.nix disabled above)
        443     # nginx
        # 587   # SMTPS (mailserver.nix disabled above)
        2222    # forgejo ssh
        2035    # debug (for my job)
        # 3000  forgejo (INTERNAL, not opened)
        # 3306  forgejo sqlite3 database (INTERNAL, not opened)
        5000    # debug (for my job)
        # 8222  vaultwarden (INTERNAL, not opened)
        45000   # minecraft server (minecraft-server.nix is disabled above)
      ];
      allowedUDPPorts = [
        54231   # wireguard
      ];
    };

    wg-quick.interfaces.wg0 = {
      address = [ "10.10.10.4/24" ];
      dns = [ "10.10.10.1" ];
      # Key is read from a root-only path at runtime rather than being
      # embedded in the (world-readable) nix store.
      privateKeyFile = "/root/wg_agrivpn_hyrule";
      peers = [
        {
          # peer's public key
          publicKey = "iZ4aqYjbT8O8tfUHEuV+yWLtdoQbdBb6Nt0M4usMSiY=";
          # only these subnets are routed through the tunnel
          allowedIPs = [ "10.0.51.0/24" "10.10.10.0/24" ];
          endpoint = "150.242.34.33:54231";
        }
      ];
    };
  };

  users = {
    defaultUserShell = pkgs.bash;
    users = {
      # primary/admin user; wheel membership also makes it a nix trusted user
      ae = {
        isNormalUser = true;
        extraGroups = [ "wheel" ];
        shell = pkgs.bash;
        openssh.authorizedKeys.keys = [
          "ssh-rsa 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 ae@dobutterfliescry.net"
        ];
      };
      # TODO: reduce security implications of subspace
      # No authorized key is declared for this account here; with
      # PasswordAuthentication off, any ssh login for it depends on keys
      # configured elsewhere.
      subspace = {
        isNormalUser = true;
        shell = pkgs.bash;
        home = "/home/subspace";
        packages = [ pkgs.wishlist ];
      };
    };
  };

  # docker group membership is root-equivalent; no user is added to it here
  virtualisation.docker.enable = true;

  home-manager.users = {
    ae = import ../../homes/ae;
    subspace = import ../../homes/subspace;
  };

  services.openssh = {
    enable = true;
    ports = [ 22 ];
    settings = {
      PasswordAuthentication = false;
      PermitRootLogin = "no";
      AllowUsers = [ "ae" "subspace" ];  # DO NOT ALLOW ALL
      # Reverse-DNS check on each connection; it only matters for
      # host-name patterns, which none of the rules here use.
      UseDns = true;
      X11Forwarding = false;
    };
  };

  security = {
    acme = {
      # accept Let's Encrypt's terms (needed for the nginx vhosts)
      acceptTerms = true;
      # TODO: change this to me@imbored.dev
      defaults.email = "eclarkboman@gmail.com";
    };

    sudo = {
      enable = true;
      wheelNeedsPassword = true;
    };

    # pam_ssh_agent_auth lets sudo accept a key from the forwarded agent in
    # place of the password; this is how the non-interactive deploy above
    # gets root. In effect the forwarded agent, not only the password,
    # is what guards sudo on this host.
    # TODO: DO NOT USE THIS (create my own alternative to colmena)
    pam = {
      enableSSHAgentAuth = true;
      services.sudo.sshAgentAuth = true;
    };
  };

  environment.systemPackages = [ pkgs.eza pkgs.git pkgs.vim pkgs.helix ];

  system.stateVersion = "24.11";  # DO NOT MODIFY
}