{ config, lib, pkgs, modulesPath, ... }:

let
  # Every entry under `hosts.plover.services` is simply switched on. The two
  # lists are kept apart only to show which services are infrastructure and
  # which are user-facing applications.
  essentialServices = [
    "backup"
    "database"
    "firewall"
    "dns-server"
    "idm"
    "monitoring"
    "reverse-proxy"
    "fail2ban"
  ];

  selfHostedServices = [
    "atuin"
    "gitea"
    "grafana"
    "vaultwarden"
    "wireguard"
  ];

  # Map a list of service names to `{ <name>.enable = true; }`.
  enableAll = names: lib.genAttrs names (_: { enable = true; });
in
{
  imports = [
    # Hardware profile for the hosting provider/server. It is rarely changed,
    # so it is imported explicitly here rather than hidden in a generic module.
    ./modules/profiles/hetzner-cloud-cx21.nix

    # Users present on this host.
    (lib.getUser "nixos" "admin")
    (lib.getUser "nixos" "plover")

    # nixpkgs' hardened profile.
    "${modulesPath}/profiles/hardened.nix"

    ./modules
  ];

  # Service toggles for this host.
  hosts.plover.services = enableAll (essentialServices ++ selfHostedServices);

  # Disk layout (formatting and partitioning) is declared in ./disko.nix.
  disko.devices = import ./disko.nix { disks = [ "/dev/sda" ]; };

  # Mosh alongside SSH.
  programs.mosh.enable = true;

  sops = {
    # Secrets consumed by this host: the SSH host key and lego's environment.
    secrets = lib.getSecrets ./secrets/secrets.yaml {
      "ssh-key" = { };
      "lego/env" = { };
    };

    # Age key used to decrypt the secrets above on the host.
    age.keyFile = "/var/lib/sops-nix/key.txt";
  };

  profiles.server = {
    enable = true;
    headless.enable = true;
    hardened-config.enable = true;
    cleanup.enable = true;
  };

  security = {
    # ACME uses a DNS-based challenge via RFC 2136 updates against the
    # self-hosted DNS server; lego's credentials are supplied through sops.
    acme.defaults = {
      email = "admin+acme@foodogsquared.one";
      dnsProvider = "rfc2136";
      dnsResolver = "1.1.1.1";
      credentialsFile = config.sops.secrets."lego/env".path;
    };

    # Generate fresh DH parameters on the host.
    dhparams.enable = true;
  };

  # The SSH host key is provisioned from sops.
  # TODO: rotate this key on a schedule; nothing in this file does so yet.
  services.openssh.hostKeys = [
    {
      path = config.sops.secrets."ssh-key".path;
      type = "ed25519";
    }
  ];

  # Use the unstable Nix release.
  nix.package = pkgs.nixUnstable;

  system.stateVersion = "23.11";
}