ingress/configuration.nix

{
  lib,
  config,
  pkgs,
  modulesPath,
  ...
}:
let
  ngx_http_geoip2_module = pkgs.stdenv.mkDerivation {
    name = "ngx_http_geoip2_module-a28ceff";
    src = pkgs.fetchgit {
      url = "https://github.com/leev/ngx_http_geoip2_module";
      rev = "445df24ef3781e488cee3dfe8a1e111997fc1dfe";
      sha256 = "1h2xkxpb2nk4r3pkbzgas5rbl95i59jpa59rh94x2hyzxmzrzvv8";
    };
    installPhase = ''
      mkdir $out
      cp *.c config $out/
    '';
    fixupPhase = "";
  };
  instance = builtins.fromJSON (builtins.readFile "/etc/tjo.cloud/meta.json");
in
{
  system.stateVersion = "24.05";

  ## FROM infrastructure/proxmox.tjo.cloud/configuration.nix
  # Couldn't figure out the import to work.
  imports = [
    "${toString modulesPath}/profiles/qemu-guest.nix"
  ];
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    autoResize = true;
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-label/ESP";
    fsType = "vfat";
  };
  boot.growPartition = true;
  boot.kernelParams = [ "console=ttyS0" ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.timeout = 0;
  services.qemuGuest.enable = true;
  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = lib.mkOptionDefault {
      datasource = {
        NoCloud = { };
        ConfigDrive = { };
      };
    };
  };
  networking.useNetworkd = true;
  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  environment.systemPackages = [ pkgs.nginx ];
  ## END FROM

  nix.nixPath = [ "nixos-config=/etc/tjo.cloud/configuration.nix" ];
  system.autoUpgrade = {
    enable = true;
    dates = "06:00";
    randomizedDelaySec = "45min";
  };

  # NETWORK
  networking.hostName = instance.name;
  networking.domain = instance.domain;

  # USER MANAGEMENT
  security.sudo.wheelNeedsPassword = false;
  nix.settings.trusted-users = [ "nixos" ];
  users.users.nixos = {
    isNormalUser = true;
    password = "hunter2";
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = instance.ssh_keys;
  };

  # SSH
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
    settings.PermitRootLogin = "no";
  };

  # TAILSCALE
  services.tailscale = {
    enable = true;
    authKeyFile = "/etc/tjo.cloud/secrets/tailscale.com/authkey";
    extraUpFlags = [
      "--ssh"
      "--accept-routes"
    ];
  };
  systemd.services.qemu-guest-agent.after = [ "tailscaled-autoconnect.service" ];
  systemd.services.qemu-guest-agent.requires = [ "tailscaled-autoconnect.service" ];

  # FIREWALL
  networking.firewall = {
    enable = true;

    trustedInterfaces = [ "tailscale0" ];

    allowedUDPPorts = [ config.services.tailscale.port ];
    allowedTCPPorts = [
      22
      80
      443
    ];
  };

  # NGINX
  services.nginx = {
    enable = true;
    package = pkgs.nginx.overrideAttrs (oldAttrs: {
      configureFlags = oldAttrs.configureFlags ++ [ "--add-module=${ngx_http_geoip2_module}" ];
      buildInputs = oldAttrs.buildInputs ++ [ pkgs.libmaxminddb ];
    });
  };

  # WEBHOOK
  # TODO: we will have multiple instances of these,
  #       should they somehow broadcast changes to eachother?
  # Should this be a GO service instead? With some raft mechanism?
  # At that point, we could also switch from nginx to envoy or something...
  services.webhook = {
    enable = true;
    port = 9000;
    hooks = {
      test = {
        execute-command = "echo 'test'";
      };
    };
  };
}