{ config, pkgs, modulesPath, ... }:

let
  # One admin key, authorised for both root and the wheel user below.
  adminKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu";
in
{
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    ./modules/caddy.nix
    ./modules/forgejo.nix
    ./modules/mail.nix
    ./modules/searx.nix
    ./modules/matrix.nix
    ./modules/monitoring.nix
    ./modules/ntfy.nix
    ./modules/blackbox-exporter.nix
    ./modules/noisebell.nix
    ./modules/noisepics.nix
  ];

  # Agenix-managed secrets. The decrypted copy is referenced via
  # config.age.secrets.<name>.path; `owner` restricts which service user
  # may read it.
  age.secrets = {
    forgejo-db.file = ./secrets/forgejo-db.age;
    stalwart-admin = {
      file = ./secrets/stalwart-admin.age;
      owner = "stalwart-mail";
    };
    searx-env.file = ./secrets/searx-env.age;
    tailscale-key.file = ./secrets/tailscale-key.age;
    grafana-secret = {
      file = ./secrets/grafana-secret.age;
      owner = "grafana";
    };
    matrix-macaroon = {
      file = ./secrets/matrix-macaroon.age;
      owner = "matrix-synapse";
    };
    ntfy-admin-hash.file = ./secrets/ntfy-admin-hash.age;
    # Only the owner is set here; the `file` attribute is not declared in
    # this module, so it is presumably provided by an imported module
    # (mail.nix?) — confirm, otherwise evaluation fails.
    webhook-secret.owner = "stalwart-mail";
  };

  # Bootloader: GRUB with EFI, installed to the removable-media path so no
  # firmware boot entry is required (typical for VM images).
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  networking = {
    hostName = "extremist-software";
    firewall = {
      # Publicly exposed: SSH, HTTP, HTTPS. Everything else is only reachable
      # through the tailnet interface trusted below.
      allowedTCPPorts = [ 22 80 443 ];
      # All traffic arriving on tailscale0 bypasses the port filter.
      trustedInterfaces = [ "tailscale0" ];
      # Relaxed reverse-path filtering; needed for Tailscale subnet routing
      # and exit nodes.
      checkReversePath = "loose";
    };
  };

  # Tailscale joins the tailnet non-interactively using the agenix auth key.
  services.tailscale = {
    enable = true;
    authKeyFile = config.age.secrets.tailscale-key.path;
  };

  users.users = {
    root.openssh.authorizedKeys.keys = [ adminKey ];
    jet = {
      isNormalUser = true;
      # wheel membership plus wheelNeedsPassword = false (below) makes this
      # key a passwordless root credential.
      extraGroups = [ "wheel" ];
      openssh.authorizedKeys.keys = [ adminKey ];
    };
  };

  # SSH: key-only authentication, root allowed with keys only, a single
  # ed25519 host key.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      PermitRootLogin = "prohibit-password";
    };
    hostKeys = [
      { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
    ];
  };

  # Fail2ban with escalating ban times; the CGNAT range used by Tailscale and
  # loopback are never banned.
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "1h";
    bantime-increment = {
      enable = true;
      maxtime = "168h";
      overalljails = true;
    };
    ignoreIP = [ "100.64.0.0/10" "127.0.0.0/8" ];
    # The sshd jail reads from the journal and is stricter than the global
    # maxretry.
    jails.sshd.settings = {
      backend = "systemd";
      maxretry = 3;
    };
  };

  # nh (nix helper) with automatic generation cleanup, keeping the last two.
  programs.nh = {
    enable = true;
    clean = {
      enable = true;
      extraArgs = "--keep 2";
    };
  };

  # Nightly unattended upgrades. With allowReboot off, a new kernel only
  # takes effect after a manual reboot.
  system.autoUpgrade = {
    enable = true;
    dates = "04:00";
    allowReboot = false;
  };

  system.stateVersion = "24.05";

  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    # trusted-users can override daemon settings and is effectively
    # root-equivalent on the Nix daemon.
    trusted-users = [ "root" "jet" ];
    max-jobs = "auto";
    cores = 0;
  };

  # wheel members (jet) get sudo without a password; possession of the SSH
  # key is the only gate.
  security.sudo.wheelNeedsPassword = false;

  services.postgresql.package = pkgs.postgresql_15;

  # Allow unfree packages (e.g. Minecraft).
  nixpkgs.config.allowUnfree = true;

  time.timeZone = "UTC";

  # Compressed swap in RAM, sized at half of physical memory, for a small host.
  zramSwap = {
    enable = true;
    memoryPercent = 50;
  };

  # Website
  services.jetpham-website = {
    enable = true;
    tor.enable = true;
    qaMailDomain = "jetpham.com";
    qaReplyDomain = "jetpham.com";
  };
}