dotfiles/hosts/hyrule/default.nix

{
  pkgs,
  pkgs-unstable,
  ...
}: let
  home-manager = builtins.fetchTarball {
    url = "https://github.com/nix-community/home-manager/archive/release-25.05.tar.gz";
    sha256 = "07pk5m6mxi666dclaxdwf7xrinifv01vvgxn49bjr8rsbh31syaq";
  };
in {
  imports = [
    ./hardware-configuration.nix
    (import "${home-manager}/nixos")

    ./services/forgejo.nix
    ./services/vaultwarden.nix
    ./services/nginx.nix
    # ./mailserver.nix # TEMP: location
    # ./minecraft-server.nix # TEMP: location

    ../modules/bashistrans.nix
  ];

  nix.settings = {
    # make wheel group trusted users allows my "ae" user
    # to import packages not signed by a trusted key
    # (aka super duper easier to remote deploy)
    trusted-users = ["root" "@wheel"];
    experimental-features = [
      "nix-command"
      "flakes"
    ];
  };

  time.timeZone = "Australia/Brisbane";

  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  # colmena deployment configuration
  deployment = {
    targetHost = "imbored.dev";
    targetUser = "ae";
    targetPort = 22;
    sshOptions = [
      "-A" # forward ssh-agent
    ];
    buildOnTarget = false; # build locally then deploy
  };

  # super duper minimum grub2 config
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  networking = {
    hostName = "hyrule";
    networkmanager.enable = true;

    firewall = {
      enable = true;
      allowedTCPPorts = [
        22 # sshd
        80 # nginx
        # 143 # IMAP4
        443 # nginx
        # 587 # SMTPS
        2222 # forgejo ssh
        2035 # debug (for my job)
        # 3000 (INTERNAL) forgejo
        # 3306 (INTERNAL) forgejo sqlite3 database
        5000 # debug (for my job)
        # 8222 (INTERNAL) vaultwarden
        45000 # minecaft server
      ];
      allowedUDPPorts = [
        54231 # Wireguard
      ];
    };

    wg-quick.interfaces = {
      wg0 = {
        address = [
          "10.10.10.4/24"
        ];
        dns = ["10.10.10.1"];
        privateKeyFile = "/root/wg_agrivpn_hyrule";
        peers = [
          {
            # peer's public key
            publicKey = "iZ4aqYjbT8O8tfUHEuV+yWLtdoQbdBb6Nt0M4usMSiY=";

            # choose which traffic to forward
            allowedIPs = [
              "10.0.51.0/24"
              "10.10.10.0/24"
            ];
            endpoint = "150.242.34.33:54231";
          }
        ];
      };
    };
  };

  users = {
    defaultUserShell = pkgs.bash;

    users = {
      # primary user
      ae = {
        isNormalUser = true;
        extraGroups = ["wheel"];
        shell = pkgs.bash;
        openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsUZY45rgezi+8iROdcR5vPeacJ2fbMjlDijfUrH9hRX2FzCsg/4e3aFKhi2seZMmyTfbstxmDrrH8paUS5TibFgLFBGNngaF3CTjg85i5pm25Hr4IVo31oziBnTWaG6j3buYKtz5e1qSPzXywinJR+5+FCUJU7Fxa+EWTZcOX4wYgArSj4q73rZmvk5N0X44Mudt4nvpD2chvxygsdTzD6ph92qCuaJ/AbfmOoC7b/xvOaOVydUfgDLpHi9VZbd3akvvKxRfW6ZklldgXEzPXKMuastN0mwcBxvIb5G1Vkj8jtSVtKPc5psZ9/NWA5l38xH4qZ6z7eib6thtEMdtcKmTZEEWDADjqTea5Gj61c1n18cr6f3Tff+0bn/cxsl4Y0esi+aDeuCXYiIYNmeKBx0ttDNIxpk4J5Fdh6Xs+AZif5lnJErtu8TPy2aC0bc9wehTjMyvilTHfyerOD1ZJXhN2XwRVDGN7t7leAJZISJlPjqTDcw3Vfvzte/5JqS+FR+hbpG4uz2ix8kUa20u5YF2oSdGl8+zsdozVsdQm10Iv9WSXBV7t4m+oyodgtfzydBpmXq7aBXudCiEKw+7TC7F+1a4YFrVrCNXKFgKUpd1MiVLl7DIbzm5U9MD2BB3Fy7BPCzr3tW6/ExOhhpBWY+HnzVGQfkNr7dRcqfipKw== ae@dobutterfliescry.net"
        ];
      };

      # TODO: reduce security implications of subspace
      subspace = {
        isNormalUser = true;
        shell = pkgs.bash;
        home = "/home/subspace";
        packages = with pkgs; [
          wishlist
        ];
      };
    };
  };

  virtualisation.docker.enable = true;

  home-manager = {
    users = {
      ae = import ../../homes/ae;
      subspace = import ../../homes/subspace;
    };
  };

  services = {
    openssh = {
      enable = true;
      ports = [22];
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
        AllowUsers = ["ae" "subspace"]; # DO NOT ALLOW ALL
        UseDns = true;
        X11Forwarding = false;
      };
    };
  };

  security = {
    # accept Lets Encrypt's security policy (for nginx)
    acme = {
      acceptTerms = true;
      # TODO: change this to me@imbored.dev
      defaults.email = "eclarkboman@gmail.com";
    };

    sudo = {
      enable = true;
      wheelNeedsPassword = true;
    };
    # allow SSH keys for passwordless auth
    # TODO: DO NOT USE THIS (create my own alternative to colmena)
    pam = {
      enableSSHAgentAuth = true;
      services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module
    };
  };

  environment.systemPackages = with pkgs; [
    eza
    git
    vim
    helix
  ];

  system.stateVersion = "24.11"; # DO NOT MODIFY
}