62 lines
1.7 KiB
Nix
62 lines
1.7 KiB
Nix
{ config, pkgs, modulesPath, ... }:
|
|
|
|
{
|
|
imports = [
|
|
./modules/caddy.nix
|
|
./modules/forgejo.nix
|
|
./modules/mail.nix
|
|
./modules/searx.nix
|
|
./modules/matrix.nix
|
|
./modules/minecraft.nix
|
|
./modules/monitoring.nix
|
|
./modules/secrets-scheme.nix
|
|
# Impure Secrets
|
|
./secrets.nix
|
|
];
|
|
|
|
# ... (rest of imports block replaced by ./secrets/secrets.nix being added to imports)
|
|
|
|
|
|
# Bootloader
|
|
boot.loader.grub.enable = true;
|
|
boot.loader.grub.efiSupport = true;
|
|
boot.loader.grub.efiInstallAsRemovable = true;
|
|
|
|
# Networking
|
|
networking.hostName = "extremist-software";
|
|
networking.firewall.allowedTCPPorts = [ 80 443 25565 ]; # HTTP, HTTPS, Minecraft
|
|
networking.firewall.allowedUDPPorts = [ 25565 ]; # Minecraft
|
|
|
|
# Tailscale
|
|
services.tailscale.enable = true;
|
|
# We assume the user will authenticate manually or via a one-time key service
|
|
# For now, let's enable it and allow the user to run `tailscale up` or provision via key
|
|
|
|
# Users
|
|
users.users.root.openssh.authorizedKeys.keys = [
|
|
config.mySecrets.sshPublicKey
|
|
];
|
|
|
|
# SSH - Secure it
|
|
services.openssh = {
|
|
enable = true;
|
|
settings.PasswordAuthentication = false;
|
|
settings.PermitRootLogin = "prohibit-password";
|
|
};
|
|
|
|
# System
|
|
system.stateVersion = "24.05";
|
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
|
nixpkgs.config.allowUnfree = true; # Allow unfree packages (Minecraft, etc.)
|
|
|
|
# Time
|
|
time.timeZone = "UTC";
|
|
|
|
# ZRAM for limited RAM
|
|
zramSwap.enable = true;
|
|
zramSwap.memoryPercent = 50;
|
|
|
|
# Secrets handled via ./secrets.nix importing to config.mySecrets
|
|
environment.etc."secrets/tailscale-auth".text = config.mySecrets.tailscaleKey;
|
|
services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth";
|
|
}
|