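# NixOS host module for "vps1": firewall, service accounts, Borg backups
# (borgmatic), coturn (TURN/STUN for Synapse), Gitea, Headscale, Synapse
# and Tailscale.  Secrets come from agenix via `inputs.secrets`; values
# written as "???" are placeholders still to be filled in.
{ config, lib, pkgs, inputs, ... }:

{
  imports = [
    ./hardware-configuration.nix
    ../server.nix
  ];

  networking = {
    hostId = "???"; # placeholder: must be an 8-character hex string
    hostName = "vps1";
    domain = "mesh.vimium.net";
    firewall = {
      enable = true;
      allowedTCPPorts = [
        22   # SSH
        8448 # Matrix federation
        80   # HTTP
        443  # HTTPS
        5349 # TURN/STUN over TLS (coturn)
        5350 # TURN/STUN over TLS, alternate port (coturn)
      ];
      # UDP 5349/5350 are opened in the second `networking.firewall` block below,
      # next to the Tailscale port.
      allowedUDPPortRanges = [
        { from = 49152; to = 49999; } # TURN relay range; matches coturn min-port/max-port
      ];
    };
  };

  users.users = {
    # Owner of the Gitea repositories; home is the Gitea state dir so that
    # SSH-based git access resolves there.
    git = {
      isSystemUser = true;
      useDefaultShell = true;
      group = "git";
      extraGroups = [ "gitea" ];
      home = config.services.gitea.stateDir;
    };
    jellyfin = {
      isSystemUser = true;
      group = "jellyfin";
      shell = "/bin/sh";
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaaS+KMAEAymZhIJGC4LK8aMhUzhpmloUgvP2cxeBH4 jellyfin"
      ];
    };
    # Authorized key for root; whether root may log in over SSH at all is
    # decided by the sshd settings outside this file (presumably ../server.nix).
    root = {
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
      ];
    };
  };

  users.groups = {
    git = { };
    jellyfin = { };
  };

  age.secrets."passwords/services/borg/vps1-passphrase" = {
    file = "${inputs.secrets}/passwords/services/borg/vps1-passphrase.age";
  };

  services.borgmatic = {
    enable = true;
    settings = {
      source_directories = [ "/home" "/var/lib" "/var/www" ];
      repositories = [
        { label = "borgbase"; path = "ssh://p91y8oh7@p91y8oh7.repo.borgbase.com/./repo"; }
      ];
      storage = {
        # The passphrase is read at run time from the agenix-decrypted file,
        # so it never ends up in the Nix store.
        encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/vps1-passphrase".path}";
        # The host's own SSH key doubles as the BorgBase identity.
        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
      };
      retention = {
        keep_daily = 7;
        keep_weekly = 4;
        keep_monthly = 6;
      };
    };
  };
  # Without this override, `cat` is unavailable for `encryption_passcommand`
  systemd.services.borgmatic.confinement.fullUnit = true;

  age.secrets."passwords/services/coturn/shared-secret" = {
    file = "${inputs.secrets}/passwords/services/coturn/shared-secret.age";
    # coturn runs as this user and has to be able to read the decrypted secret.
    owner = "turnserver";
  };

  services.coturn = {
    enable = true;
    lt-cred-mech = true;
    use-auth-secret = true;
    # Previously this was an inline `static-auth-secret` while the agenix
    # secret above went unused.  A literal value here is written into the
    # world-readable Nix store; reading it from the secret file at start-up
    # keeps it out.  The value must match Synapse's `turn_shared_secret`.
    static-auth-secret-file = config.age.secrets."passwords/services/coturn/shared-secret".path;
    realm = "turn.vimium.com";
    relay-ips = [ "198.244.190.160" ];
    no-tcp-relay = true;
    extraConfig = ''
      cipher-list="HIGH"
      no-loopback-peers
      no-multicast-peers
    '';
    secure-stun = true;
    cert = "/var/lib/acme/turn.vimium.com/fullchain.pem";
    pkey = "/var/lib/acme/turn.vimium.com/key.pem";
    # Relay port range; must stay in sync with allowedUDPPortRanges above.
    min-port = 49152;
    max-port = 49999;
  };

  services.gitea = rec {
    package = pkgs.gitea;
    enable = true;
    user = "git";
    appName = "Vimium Git";
    stateDir = "/var/lib/gitea";
    repositoryRoot = "${stateDir}/repositories";
    database = {
      type = "sqlite3";
      inherit user;
      path = "${stateDir}/gitea.db";
    };
    lfs = {
      enable = true;
      contentDir = "${stateDir}/lfs";
    };
    settings = {
      server = {
        SSH_USER = "git";
        SSH_DOMAIN = "git.vimium.com";
        # Advertise whichever port sshd actually listens on.
        SSH_PORT = lib.head config.services.openssh.ports;
        OFFLINE_MODE = true;
        # Served over a unix socket; given the https ROOT_URL, TLS is
        # presumably terminated by a reverse proxy defined elsewhere.
        PROTOCOL = "http+unix";
        # NOTE(review): this resolves to networking.domain (mesh.vimium.net),
        # not the git.vimium.com used by ROOT_URL/SSH_DOMAIN -- confirm intended.
        DOMAIN = config.networking.domain;
        ROOT_URL = "https://git.vimium.com/";
      };
      service.DISABLE_REGISTRATION = true;
      session.COOKIE_SECURE = true;
      log.ROOT_PATH = "${stateDir}/log";
      ui = {
        THEMES = "gitea,arc-green,github-dark,bthree-dark";
        DEFAULT_THEME = "github-dark";
      };
      actions.ENABLED = true;
      indexer = {
        REPO_INDEXER_ENABLED = true;
      };
      packages.CHUNKED_UPLOAD_PATH = lib.mkForce "${stateDir}/data/tmp/package-upload";
    };
  };

  services.headscale = {
    enable = true;
    port = 8080;
    settings = {
      server_url = "https://headscale.vimium.net";
      dns_config = {
        base_domain = "vimium.net";
      };
      logtail.enabled = false;
    };
  };

  services.matrix-synapse = {
    enable = true;
    settings = {
      database.name = "sqlite3";
      enable_registration = false;
      server_name = "vimium.com";
      # Must equal coturn's static auth secret.  Inlined here the value is
      # stored in the Nix store; NOTE(review): consider supplying it through
      # `services.matrix-synapse.extraConfigFiles` from an agenix-managed file.
      turn_shared_secret = "???";
      turn_uris = [
        "turn:turn.vimium.com:5349?transport=udp"
        "turn:turn.vimium.com:5350?transport=udp"
        "turn:turn.vimium.com:5349?transport=tcp"
        "turn:turn.vimium.com:5350?transport=tcp"
      ];
    };
  };

  services.tailscale.enable = true;
  networking.firewall = {
    # Tailscale needs loose reverse-path filtering; the tailnet interface is
    # trusted wholesale.
    checkReversePath = "loose";
    trustedInterfaces = [ "tailscale0" ];
    allowedUDPPorts = [
      config.services.tailscale.port
      # Synapse hands clients `transport=udp` TURN URIs on 5349/5350 (see
      # turn_uris above); previously only the TCP side of these ports was open,
      # so UDP TURN would have been silently unreachable.
      5349
      5350
    ];
  };

  # Headscale CLI on the host.
  environment.systemPackages = [ config.services.headscale.package ];

  system.stateVersion = "22.11";
}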