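{ lib, pkgs, config, ... }:
# NixOS host "consensus": single-node k3s server, reachable over Tailscale,
# hardened sshd on a non-default port, fail2ban, docker, and an (at present
# disabled) immich instance meant to sit behind an nginx TLS front end.
{
  imports = [
    ./hardware-configuration.nix
    ./backups.nix
    ./forgejo-runner.nix
  ];

  # Cloudflare credentials for the ACME DNS-01 challenge. The only consumer is
  # the security.acme block near the bottom, which is currently commented out,
  # so this secret is decrypted at activation without anything reading it.
  sops = {
    secrets = {
      "env" = {
        sopsFile = ../../secrets/cf-acme.yaml;
      };
    };
  };

  # No documentation on the server; all four are mkDefault so a later module
  # can re-enable them.
  documentation = {
    enable = lib.mkDefault false;
    info.enable = lib.mkDefault false;
    man.enable = lib.mkDefault false;
    nixos.enable = lib.mkDefault false;
  };

  environment.systemPackages = with pkgs; [
    git
    vim
    docker-compose
    tmux
  ];

  services = {
    # zfs.autoScrub.enable = true;
    # zfs.autoSnapshot.enable = true;
    fstrim.enable = true;
    tailscale.enable = true;

    k3s = {
      enable = true;
      role = "server";
      # Bundled Traefik ingress is disabled; nothing in this file replaces it.
      extraFlags = toString [ "--disable=traefik" ];
    };

    fail2ban = {
      enable = true;
      maxretry = 5;
      bantime = "1h";
      # Sources that are never banned. The RFC 1918 ranges also cover the
      # docker bridge and k3s pod/service networks, so a compromised container
      # brute-forcing sshd on the host will not be banned -- acceptable on a
      # single-admin box, but it is a deliberate trade-off, not an oversight.
      ignoreIP = [
        "172.16.0.0/12"
        "192.168.0.0/16"
        "10.0.0.0/8"
        # Tailscale peers. fail2ban accepts IPs, CIDRs or resolvable host
        # names here; the earlier entry "tailc353f.ts.net" is the tailnet's
        # MagicDNS suffix rather than a host and most likely resolved to
        # nothing. Tailscale hands out node addresses from the CGNAT range.
        "100.64.0.0/10"
      ];
      # Repeat offenders get 1h, 2h, 4h, ... up to 24h, across all jails.
      bantime-increment = {
        enable = true;
        multipliers = "1 2 4 8 16 32 64 128 256";
        maxtime = "24h";
        overalljails = true;
      };
      # NOTE(review): sshd listens on 2022, not 22. The NixOS module is
      # expected to derive the sshd jail's port from services.openssh.ports;
      # confirm with `fail2ban-client status sshd` that the jail is actually
      # watching 2022, otherwise the jail bans nobody.
    };

    openssh = {
      enable = true;
      # Non-default port. The openssh module opens it in the firewall itself
      # (openFirewall defaults to true); the explicit 2022 in
      # networking.firewall below is therefore redundant but harmless.
      ports = [ 2022 ];
      settings = {
        # Key-only authentication, no interactive fallbacks.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitEmptyPasswords = false;
        # Root may log in with a key (root has an authorized key below). As
        # "e" carries the same key plus passwordless sudo, this is a second
        # path to uid 0 rather than extra capability; "no" would be tighter
        # unless ./backups.nix or deploy tooling depends on root SSH.
        PermitRootLogin = "prohibit-password";
        # No tunnels, forwarding or X11: this host is not a jump box.
        PermitTunnel = false;
        X11Forwarding = false;
        AllowTcpForwarding = false;
        AllowAgentForwarding = false;
        UseDns = false;
        MaxAuthTries = 3;
        MaxSessions = 2;
        # Dead-peer detection: probe every 300 s and drop the connection after
        # two unanswered probes. The previous ClientAliveCountMax = 0 did the
        # opposite of what it reads like -- per sshd_config(5) on current
        # OpenSSH a zero count *disables* connection termination entirely.
        ClientAliveInterval = 300;
        ClientAliveCountMax = 2;
        TCPKeepAlive = false;
        # VERBOSE logs the key fingerprint used for each login, which is what
        # fail2ban and post-incident review need.
        LogLevel = "VERBOSE";
      };
      # Single Ed25519 host key; no RSA/ECDSA host key is generated.
      hostKeys = [
        { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
      ];
    };

    immich = {
      enable = false;
      port = 2283;
      host = "localhost";
      # Immich is meant to be reached only through the nginx vhost below and
      # is bound to localhost; punching 2283 through the firewall would let
      # it bypass TLS the moment `host` is widened. This is a no-op while
      # enable = false (the module applies nothing when disabled), so it is
      # safe to flip now rather than later.
      openFirewall = false;
      machine-learning.enable = true;
      mediaLocation = "/srv/immich";
    };

    nginx = {
      enable = false;
      # Reverse proxy for immich; depends on the wildcard ACME cert from the
      # security.acme block below, which is also commented out -- enabling
      # nginx alone will fail on the missing useACMEHost certificate.
      virtualHosts."img.10110110.xyz" = {
        forceSSL = true;
        useACMEHost = "10110110.xyz";
        locations."/" = {
          proxyPass = "http://localhost:${toString config.services.immich.port}";
          proxyWebsockets = true;
          recommendedProxySettings = true;
          # Large uploads (photo/video import) and long-running requests.
          extraConfig = ''
            client_max_body_size 50000M;
            proxy_read_timeout 600s;
            proxy_send_timeout 600s;
            send_timeout 600s;
          '';
        };
      };
    };
  };

  boot = {
    tmp.cleanOnBoot = true;
    # supportedFilesystems = ["zfs"];
    # zfs.forceImportRoot = false;
    # zfs.extraPools = ["rice"];
  };
  # Kept for the commented-out ZFS configuration (ZFS requires a hostId);
  # unused otherwise.
  networking.hostId = "91238132";

  zramSwap.enable = false;
  # 16 GiB file-backed swap. NOTE(review): the swap file is not encrypted; if
  # the root filesystem is not encrypted either, pages holding sops-decrypted
  # secrets or SSH keys can be written to disk -- confirm, and consider
  # encrypted swap if that matters for this host.
  swapDevices = [
    { device = "/swapfile"; size = 16 * 1024; }
  ];

  virtualisation.docker.enable = true;

  networking = {
    hostName = "consensus";
    firewall = {
      enable = true;
      # All of these are open on every interface, not just tailscale0.
      # 2022 is sshd (already opened by the openssh module); 6443 is the k3s
      # API server; 443 is the (disabled) nginx vhost. Port 22 has nothing
      # listening -- sshd moved to 2022 -- so it is stale unless a k3s
      # hostPort/LoadBalancer service binds it; confirm and drop it if not.
      # NOTE(review): if kubectl is only used over Tailscale, 6443 belongs in
      # networking.firewall.interfaces.tailscale0.allowedTCPPorts instead.
      allowedTCPPorts = [ 22 443 2022 6443 25565 9001 30303 ];
      allowedUDPPorts = [ 9001 30303 ];
      logRefusedConnections = true;
    };
  };

  users.users = {
    # root and "e" share the e@t14 key: compromise of that one key is a
    # direct root login, not "just" a user login.
    root = {
      openssh.authorizedKeys.keys = [
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
      ];
    };
    e = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      home = "/home/e";
      openssh.authorizedKeys.keys = [
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJou+k8HtIWdlztpWog7fVfJgxJnRIo7c5xVPUBhBxhi'' # phone
      ];
    };
  };

  # Passwordless sudo for wheel, i.e. for "e". Combined with the key-only
  # sshd above this makes every key in e's authorized_keys -- including the
  # phone key -- root-equivalent; a lost phone means rotating that entry here.
  security.sudo-rs.wheelNeedsPassword = false;

  # security.acme = {
  #   acceptTerms = true;
  #   defaults.email = "acme@10110110.xyz";
  #   certs = {
  #     "10110110.xyz" = {
  #       domain = "*.10110110.xyz";
  #       group = config.services.nginx.group;
  #       dnsProvider = "cloudflare";
  #       environmentFile = config.sops.secrets."env".path;
  #     };
  #   };
  # };

  # Trusted Nix users may override daemon settings (substituters, sandboxing,
  # unsigned paths), which the Nix manual describes as effectively root.
  # Redundant with passwordless sudo but needed for remote builds/deploys as
  # "e" without going through sudo.
  nix.settings.trusted-users = [ "e" ];

  system.stateVersion = "23.11";
}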