# NixOS host module for "fugitive": exposes gitea/headscale/observatory behind
# nginx, joins a WireGuard point-to-point link, and gets a wildcard ACME cert
# via DNS-01.  `agenix` is accepted in the argument set but not referenced here.
{ config, pkgs, agenix, ... }:

let
  # Port assignments for this host.  Only `ssh` and `wg0` are read below;
  # `gitea` and `headscale` are not referenced anywhere in this file.
  ports = {
    ssh = [ 2322 2323 2324 ];
    gitea = 10010;
    headscale = 10020;
    wg0 = 51820;
  };

  # Public keys only (WireGuard peer key and Nix binary-cache signing key for
  # the host "labyrinth"); no secret material lives in this file.
  pubkeys.labyrinth = {
    wg = "HY3MkwtX9Dundouv5leD35xM/TRLgbt/tA1QSrH2ihI=";
    nix = "labyrinth-1:GCR2h5k9WFvome2mrFRBtiWw7sAn+pYZwXRwAj9W0b0=";
  };
in
{
  imports = [
    ./hardware.nix
    ../../modules/gitea
    ../../modules/headscale
    ../../modules/observatory
    ../../users/christian
  ];

  # --- services -------------------------------------------------------------
  services.gitea.enable = true;
  services.headscale.enable = true;
  services.observatory.enable = true;

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
  };

  # sshd on non-default ports.  NOTE(review): NixOS' services.openssh.openFirewall
  # defaults to true, so these TCP ports are opened in addition to the explicit
  # allowedTCPPorts list below.  Authentication policy (password /
  # keyboard-interactive / root login) is not pinned here and falls back to the
  # module defaults unless one of the imported modules sets it — confirm.
  services.openssh = {
    enable = true;
    ports = ports.ssh;
  };

  programs.mosh.enable = true;

  # --- users ----------------------------------------------------------------
  # Declarative users only; credentials/authorized keys for `christian` are
  # presumably supplied by ../../users/christian — not visible here.
  users = {
    mutableUsers = false;
    users.christian = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
    };
  };

  # --- networking -----------------------------------------------------------
  networking = {
    hostName = "fugitive";

    # Explicitly opened: HTTP/HTTPS for nginx and the WireGuard listen port.
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 443 ];
      allowedUDPPorts = [ ports.wg0 ];
    };

    wireguard = {
      enable = true;
      interfaces.wg0 = {
        ips = [ "10.11.12.1/24" ];
        listenPort = ports.wg0;
        # The interface key is generated on first activation and kept on the
        # host filesystem at this path; it is not managed through agenix.
        privateKeyFile = "/srv/wireguard/wg0.private";
        generatePrivateKeyFile = true;
        # Single peer, restricted to one /32.
        peers = [
          {
            publicKey = pubkeys.labyrinth.wg;
            allowedIPs = [ "10.11.12.2/32" ];
          }
        ];
      };
    };
  };

  # --- secrets --------------------------------------------------------------
  age.secrets = {
    # DNS-provider credentials consumed by the ACME DNS-01 challenge below.
    namecheap.file = ../../../secrets/namecheap.age;
    grafana = {
      file = ../../../secrets/grafana.age;
      owner = "grafana";
    };
  };

  # --- security -------------------------------------------------------------
  security = {
    # Members of `wheel` get passwordless sudo.  Together with
    # nix.settings.trusted-users = [ "@wheel" ] below, wheel membership is
    # effectively root-equivalent on this host.
    sudo = {
      wheelNeedsPassword = false;
      extraConfig = ''
        Defaults lecture = never
      '';
    };

    acme = {
      acceptTerms = true;
      defaults.email = "monitor@ctsk.dev";
      # Wildcard cert issued via DNS-01 against namecheap; `group = "nginx"`
      # lets the nginx service read the resulting key material.
      certs."enclave.ctsk.dev" = {
        dnsProvider = "namecheap";
        environmentFile = config.age.secrets.namecheap.path;
        group = "nginx";
        extraDomainNames = [ "*.enclave.ctsk.dev" ];
      };
    };
  };

  # --- nix daemon -----------------------------------------------------------
  # Trusted users may override daemon settings (e.g. substituters), which the
  # Nix manual treats as root-equivalent.  The binary-cache key for
  # "labyrinth" is trusted for substitution.
  nix.settings = {
    trusted-users = [ "@wheel" ];
    trusted-public-keys = [ pubkeys.labyrinth.nix ];
  };

  # `config-archive` is not a package name in nixpkgs that I can confirm;
  # presumably provided by an overlay elsewhere in this repository.
  environment.systemPackages = [ pkgs.config-archive ];

  # --- boot -----------------------------------------------------------------
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  system.stateVersion = "24.05";
}