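# NixOS host module: a Proxmox guest (cloud-init + qemu-guest-agent) joined to a
# Tailscale tailnet, running nginx built with the MaxMind geoip2 module and a
# webhook receiver.
{ inputs, lib, config, pkgs, ... }:
let
  # Pinned by full commit hash plus content hash so the build is reproducible
  # and the fetched source cannot silently change upstream.
  geoip2Rev = "445df24ef3781e488cee3dfe8a1e111997fc1dfe";

  ngx_http_geoip2_module = pkgs.stdenv.mkDerivation {
    # The label is derived from the pinned revision so the store path name
    # always matches what is actually built (the old literal suffix did not).
    name = "ngx_http_geoip2_module-${builtins.substring 0 7 geoip2Rev}";
    src = pkgs.fetchgit {
      url = "https://github.com/leev/ngx_http_geoip2_module";
      rev = geoip2Rev;
      sha256 = "1h2xkxpb2nk4r3pkbzgas5rbl95i59jpa59rh94x2hyzxmzrzvv8";
    };
    # Source-only output: nginx's configure consumes the .c files and the
    # `config` file via --add-module (see services.nginx.package below).
    installPhase = ''
      mkdir $out
      cp *.c config $out/
    '';
    # Nothing to strip or patch in a source-only output.
    fixupPhase = "";
  };
in
{
  system.stateVersion = "23.11";

  # BOOT
  boot.loader.systemd-boot.enable = true;

  # PROXMOX
  services.qemuGuest.enable = true;
  services.cloud-init = {
    enable = true;
    network.enable = true;
    # mkOptionDefault keeps these as low-priority defaults so other modules
    # can override individual keys.
    settings = lib.mkOptionDefault {
      datasource = {
        NoCloud = { };
        ConfigDrive = { };
      };
      # "always" re-runs these on every boot, not only on first boot. runcmd
      # runs as root, so whoever can write the NoCloud/ConfigDrive data (the
      # hypervisor side) can run commands on each boot; that is the intended
      # trust boundary here, but keep it in mind when granting Proxmox access.
      cloud_init_modules = [ [ "write-files" "always" ] ];
      cloud_config_modules = [ [ "runcmd" "always" ] ];
      system_info = {
        default_user = {
          name = "nixos";
        };
      };
    };
  };

  # USER MANAGEMENT
  # Passwordless sudo plus trusted-users together make "nixos" effectively
  # root (trusted users can feed arbitrary derivations to the Nix daemon), so
  # access to this account is access to the host.
  security.sudo.wheelNeedsPassword = false;
  nix.settings.trusted-users = [ "nixos" ];
  users.users.nixos = {
    isNormalUser = true;
    # NOTE(review): cleartext literal; it is copied into the world-readable Nix
    # store and into this repository. SSH password auth is disabled below, so
    # this only gates console/VNC logins, but `hashedPasswordFile` pointing at
    # a secret outside the store is the safer option.
    password = "hunter2";
    extraGroups = [ "wheel" ];
  };

  # SSH
  # Key-only authentication, no root login.
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
    settings.PermitRootLogin = "no";
  };

  # TAILSCALE
  services.tailscale = {
    enable = true;
    # Auth key is read from a runtime path, not embedded in the store.
    authKeyFile = "/run/secrets/tailscale.com/authkey";
    # --ssh enables Tailscale SSH; --accept-routes trusts subnet routes
    # advertised by other nodes on the tailnet.
    extraUpFlags = [ "--ssh" "--accept-routes" ];
  };
  # Presumably so the hypervisor does not consider the guest ready before it
  # has joined the tailnet — TODO confirm that is the intent.
  systemd.services.qemu-guest-agent.after = [ "tailscaled-autoconnect.service" ];
  systemd.services.qemu-guest-agent.requires = [ "tailscaled-autoconnect.service" ];

  # FIREWALL
  networking.useNetworkd = true;
  networking.firewall = {
    enable = true;
    # Everything on the tailnet interface is allowed through unfiltered.
    trustedInterfaces = [ "tailscale0" ];
    allowedUDPPorts = [ config.services.tailscale.port ];
    # NOTE(review): 22 is open on every interface even though tailscale0 is
    # trusted and Tailscale SSH is enabled; drop it here if SSH is only needed
    # over the tailnet. 80/443 are the public nginx ports.
    allowedTCPPorts = [ 22 80 443 ];
  };

  # NGINX
  services.nginx = {
    enable = true;
    # Rebuild nginx with the geoip2 module compiled in (statically, via
    # --add-module) and link against libmaxminddb.
    package = pkgs.nginx.overrideAttrs (oldAttrs: {
      configureFlags = oldAttrs.configureFlags ++ [ "--add-module=${ngx_http_geoip2_module}" ];
      buildInputs = oldAttrs.buildInputs ++ [ pkgs.libmaxminddb ];
    });
  };

  # WEBHOOK
  # TODO: we will have multiple instances of these,
  # should they somehow broadcast changes to each other?
  # Should this be a GO service instead? With some raft mechanism?
  # At that point, we could also switch from nginx to envoy or something...
  #
  # Each hook runs a shell command on request. Port 9000 is not in
  # allowedTCPPorts, so with the firewall enabled it is reachable only locally
  # and on trusted interfaces (tailscale0). The "test" hook sets no
  # trigger-rule, so by webhook's defaults any request to it runs the command.
  services.webhook = {
    enable = true;
    port = 9000;
    hooks = {
      test = {
        execute-command = "echo 'test'";
      };
    };
  };

  # Put the same nginx binary the service uses on PATH (plain pkgs.nginx lacks
  # the geoip2 module, so `nginx -t` against this host's config would differ).
  environment.systemPackages = [ config.services.nginx.package ];
}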