{ self, ... }@inputs: { pkgs, modulesPath, lib, ... }: # let # pkgs = self.inputs.nixpkgs.legacyPackages.x86_64-linux; # in { imports = [ "${modulesPath}/profiles/qemu-guest.nix" ../../users/root ../../users/erwin ]; eboskma = { users.erwin = { enable = true; server = true; }; caddy-proxy = { enable = true; package = inputs.caddy-with-plugins.packages.${pkgs.system}.caddy-with-cloudflare; proxyHosts = [ { externalHostname = "git.datarift.nl"; proxyAddress = "gitea.barn-beaver.ts.net:3000"; external = true; } ]; }; headscale = { enable = false; baseDomain = "asgard.datarift.nl"; serverUrl = "https://heimdall.datarift.nl"; }; keycloak.enable = true; nix-common = { enable = true; }; }; networking = { hostName = "heimdall"; domain = "datarift.nl"; usePredictableInterfaceNames = lib.mkForce false; useDHCP = false; networkmanager.enable = false; useNetworkd = true; firewall.trustedInterfaces = [ "tailscale0" ]; }; systemd.network = { enable = true; networks = { "40-eth0" = { matchConfig = { Name = "eth0"; }; networkConfig = { Address = [ "159.69.211.175/32" "2a01:4f8:1c1e:5fb2::1/64" "fe80::9400:2ff:fe12:a2eb/64" ]; DHCP = "no"; Gateway = [ "172.31.1.1" "fe80::1" ]; }; routes = [ { routeConfig = { Destination = "172.31.1.1/32"; Scope = "link"; Protocol = "static"; }; } { routeConfig = { Destination = "fe80::1/128"; Scope = "link"; Protocol = "static"; }; } ]; }; }; }; ### Hetzner stuff boot = { tmp.cleanOnBoot = true; loader.grub.device = "/dev/sda"; initrd = { availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; kernelModules = [ "nvme" ]; }; }; fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; zramSwap.enable = true; ### END Hetzner stuff time.timeZone = "Europe/Amsterdam"; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; services = { udev.extraRules = '' ATTR{address}=="96:00:02:12:a2:eb", NAME="eth0" ''; openssh = { enable = true; settings = { PasswordAuthentication = false; }; }; tailscale = { enable = true; permitCertUid = "caddy"; }; caddy = { virtualHosts = { "datarift.nl" = { extraConfig = '' @webfinger-erwin { path /.well-known/webfinger query resource=acct:erwin@datarift.nl } respond @webfinger-erwin 200 { body `{"subject":"acct:erwin@datarift.nl","links":[{"rel":"http://openid.net/specs/connect/1.0/issuer","href":"https://id.datarift.nl/realms/datarift"}]}` close } ''; }; }; }; }; security = { sudo-rs = { enable = true; }; sudo.enable = false; apparmor = { enable = true; killUnconfinedConfinables = true; }; protectKernelImage = true; }; sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { keycloak-db-password = { }; caddy-env = { }; }; system.stateVersion = "23.05"; }