# Host configuration for the public-facing VM: rustypaste behind nginx,
# Tailscale joined to the local Headscale, an SSH tarpit on port 22 and
# fail2ban.  Secrets are delivered through agenix (`age.secrets`), never
# inlined in this file.
{ modulesPath, lib, pkgs, config, inputs', ... }:

let
  # Helper from the flake's own lib.  Used with listToAttrs below, so it is
  # expected to return one { name; value; } virtualHost entry — presumably a
  # reverse proxy to the given local port; verify against lib.my.
  mkVHost = lib.my.mkVHost;
  rustypasteSecret = config.age.secrets.rustypaste;
in
{
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    ./disk-config.nix
    ./forgejo.nix
    ./headscale
    ./fail2ban.nix
  ];

  age = {
    # Identity used to decrypt the age secrets declared below.
    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
      couchdb.file = ../../secrets/couchdb.age;
      # Owned by the service user rather than root so only rustypaste can
      # read the decrypted token.
      rustypaste = {
        file = ../../secrets/rustypaste.age;
        owner = "rustypaste";
        group = "rustypaste";
      };
    };
  };

  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  # Options from the flake's own `modules.*` namespace, not from nixpkgs.
  modules = {
    server.rustypaste = {
      enable = true;
      package = inputs'.packages.packages.rustypaste;
      # The upload token is read at runtime from the agenix-managed file.
      authTokenFile = rustypasteSecret.path;
      settings = {
        server = {
          url = "https://rusty.ccnlc.eu";
          # Must agree with nginx's clientMaxBodySize further down.
          max_content_length = "50MB";
          timeout = "30s";
          # Do not reveal the version or let anonymous clients list pastes.
          expose_version = false;
          expose_list = false;
          handle_spaces = "replace";
        };
        paste = {
          random_url = {
            type = "petname";
            words = 3;
            separator = "-";
          };
          default_extension = "txt";
          # Rejects uploads declaring these MIME types.  This is a check on
          # the declared type only, so treat it as a nuisance filter rather
          # than a guarantee that executables cannot be hosted.
          mime_blacklist = [
            "application/x-dosexec"
            "application/java-archive"
            "application/java-vm"
          ];
          duplicate_files = false;
          default_expiry = "1h";
          delete_expired_files = {
            enabled = true;
            interval = "1h";
          };
        };
      };
    };

    services.tailscale = {
      enable = true;
      tags = [ "server" ];
      # DNS settings pushed by the control server are not accepted: the
      # *server* cannot reach the private DNS resolver, at least for now.
      extraFlags = [ "--accept-dns=false" ];
    };
  };

  networking = {
    nftables.enable = true;
    firewall = {
      enable = true;
      allowedTCPPorts = [
        80 # ACME HTTP-01 challenges
        443
        config.services.endlessh.port
      ];
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@ccnlc.eu";
  };

  services = {
    headscale.enable = true;

    nginx = {
      enable = true;
      package = pkgs.nginxQuic;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # Keep in sync with rustypaste's max_content_length above.
      clientMaxBodySize = "50M";
      virtualHosts = builtins.listToAttrs [
        (mkVHost "rusty.ccnlc.eu" 8000 true)
      ];
    };

    # SSH tarpit on the well-known port; the same port is opened in the
    # firewall above.
    endlessh = {
      enable = true;
      port = 22;
    };

    fail2ban.enable = true;
  };

  environment.systemPackages = builtins.map lib.lowPrio (with pkgs; [
    curl
    gitMinimal
  ]);

  system.stateVersion = "24.11";
}