{ lib, config, inputs, pkgs, ... }: let root_host = "grimmauld.de"; # git add --intent-to-add email.txt ; git update-index --assume-unchanged email.txt root_email = (builtins.elemAt (lib.strings.match "[[:space:]]*([^[:space:]]+)[[:space:]]*" (builtins.readFile ./email.txt)) 0); in { imports = [ ./hardware-configuration.nix ]; boot.kernelPackages = pkgs.linuxPackages_latest; services.logrotate.checkConfig = false; # needed or this explodes users.users.grimmauld = { isNormalUser = true; description = "grimmauld"; extraGroups = [ "wheel" "docker" ]; shell = pkgs.xonsh; packages = with pkgs; [ hyfetch ]; openssh.authorizedKeys.keys = (import ./authorizedKeys.nix); }; programs.xonsh.enable = true; environment.systemPackages = with pkgs; [ wget vulnix tree git file git-lfs util-linux btop mkpasswd linuxPackages.perf gitea matrix-synapse-tools.synadm matrix-synapse # ffmpeg-full pufferpanel (writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@") (writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@") ]; environment.sessionVariables = { NIXPKGS_ALLOW_UNFREE="1"; OMP_NUM_THREADS = "4"; }; networking.firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; allowPing = true; allowedUDPPortRanges = []; }; # services.nginx.package = pkgs.nginxStable.override { openssl = pkgs.libressl; }; services.nginx = { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; virtualHosts."${root_host}" = { forceSSL = true; enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies useACMEHost = root_host; locations."/" = { root = "/var/www/grimmauld.duckdns.org"; }; }; }; nix.settings.experimental-features = [ "nix-command" "flakes" ]; nixpkgs.config.allowUnfree = true; boot.tmp.cleanOnBoot = true; system.stateVersion = "unstable"; zramSwap.enable = true; networking.hostName = "grimmauld-nixos-server"; networking.domain = ""; services.openssh.enable = true; # users.users.root.openssh.authorizedKeys.keys = (import ./authorizedKeys.nix); }