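# NixOS configuration for the host "ks".
#
# Services declared here: OpenSSH (key-only), fail2ban, a mail server
# (simple-nixos-mailserver), qBittorrent behind an nginx reverse proxy,
# Syncthing as an encrypted receive-only peer, and Nextcloud.
#
# Secrets referenced by path (/var/mail_passwd, /nextcloud_root_pass) are
# provisioned outside this file. Anything written inline here is copied into
# the world-readable /nix/store and into whichever repository holds this file.
{ config, inputs, lib, pkgs, ... }:
let
  domain = "antoinevaure.fr";
  domainAlex = "pulsewidth.ovh";
  sshKeys = (import ../../sshKeys.nix);
in
{
  imports = [
    ./hardware-configuration.nix
    ../common.nix
    inputs.simple-nixos-mailserver.nixosModule
  ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";

  networking.domain = domain;
  networking.hostName = "ks";

  services.openssh = {
    enable = true;
    # Key-based logins only.
    # NOTE(review): consider also setting
    # settings.KbdInteractiveAuthentication = false so that no PAM password
    # prompt remains reachable over SSH.
    settings.PasswordAuthentication = false;
  };

  # Fixed: the key list belongs under `authorizedKeys.keys`. `authorizedKeys`
  # itself is an option set (keys / keyFiles), so assigning a list to it
  # directly does not type-check. This now matches the form used for "ant".
  users.users.root.openssh.authorizedKeys.keys = [ sshKeys.hs ];

  users.users.ant = {
    isNormalUser = true;
    description = "ant";
    extraGroups = [
      "networkmanager"
      "wheel"
      "jellyfin" # NOTE(review): no jellyfin service is declared in this file; presumably from ../common.nix, confirm
    ];
    openssh.authorizedKeys.keys = with sshKeys; [
      basado
      hs
      moon
    ];
  };

  # "ant" is in wheel, so each of the three SSH keys above grants root with
  # no further prompt. Losing any one of those keys is equivalent to losing
  # root on this host.
  security.sudo.wheelNeedsPassword = false;

  services.fail2ban = {
    enable = true;
    # The exemption is by DNS name, so it follows whatever address this name
    # resolves to when fail2ban looks it up. Brute-force protection for that
    # address is off, and the allow-list is only as trustworthy as the DNS
    # record behind it.
    ignoreIP = [ "antoinev.freeboxos.fr" ];
  };

  mailserver = {
    enable = true;
    fqdn = "mail.${domain}";
    domains = [
      domain
      domainAlex
    ];

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    #
    # All four accounts read the same hash file, so they share one password:
    # a leak of it on any mailbox exposes every mailbox.
    # NOTE(review): confirm /var/mail_passwd is root-owned and not
    # world-readable.
    loginAccounts = {
      "contact@${domain}" = {
        hashedPasswordFile = "/var/mail_passwd";
        # aliases = [ "me@${domain}" ];
      };
      "news@${domain}" = {
        hashedPasswordFile = "/var/mail_passwd";
      };
      "me@${domain}" = {
        hashedPasswordFile = "/var/mail_passwd";
      };
      "microsoft@${domain}" = {
        hashedPasswordFile = "/var/mail_passwd";
      };
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";
  };

  security.acme = {
    acceptTerms = true;
    # Same address as before, now derived from `domain` like the mail accounts.
    defaults.email = "contact@${domain}";
  };

  services.qbittorrent = {
    enable = true;
    serverConfig = {
      Preferences = {
        WebUI = {
          Username = "ant";
          # NOTE(review): this salted PBKDF2 hash is stored inline, so it is
          # readable by every local user via /nix/store and by anyone with
          # access to the repository. It is only as strong as the password
          # behind it against offline guessing. Prefer supplying it from a
          # file outside the store, and rotate the password if this file has
          # been published.
          Password_PBKDF2 = "HWKPqI96WHoQOR46XaKm6Q==:CybDN9tU8rH0aYcgo1X0m5R/6XiNtx9i5JBgLJlYlpv8oXejAYoJ7SqYjZInMbR2WJIQv76RlfAwJ/PepNtevg==";
        };
      };
    };
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts =
      let
        # TLS-terminating proxy to a service listening on localhost:<port>.
        # forceSSL redirects plain HTTP to HTTPS; the certificate comes from ACME.
        reverseProxy = port: {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:${builtins.toString port}";
            proxyWebsockets = true;
          };
        };
      in
      {
        # The qBittorrent WebUI is published to the internet here, protected
        # only by its own login.
        "qbittorrent.${domain}" = (reverseProxy config.services.qbittorrent.webuiPort);
        # Only the TLS settings are set here; the rest of this vhost is
        # presumably filled in by services.nextcloud (same hostName), confirm.
        "nextcloud.${domain}" = {
          enableACME = true;
          forceSSL = true;
        };
      };
  };

  nix.optimise.automatic = true;

  programs.git = {
    enable = true;
  };

  # The qBittorrent webuiPort is deliberately absent from this list, so the
  # firewall is what keeps the plain-HTTP WebUI reachable only through nginx.
  # NOTE(review): confirm the WebUI bind address if that matters to you.
  networking.firewall.allowedTCPPorts = [
    22 # ssh
    80 # http
    443 # ssl
    38774 # qbittorrent
  ];

  services = {
    syncthing = {
      enable = true;
      openDefaultPorts = true; # also opens Syncthing's default sync/discovery ports in the firewall
      group = "syncthing";
      user = "syncthing";
      dataDir = "/home/syncthing/shares";
      configDir = "/home/syncthing/config";
      overrideDevices = true; # overrides any devices added or deleted through the WebUI
      overrideFolders = true; # overrides any folders added or deleted through the WebUI
      settings = {
        devices = {
          "home" = {
            id = "FRCTEHB-WI3Q3CH-6MPKKRX-FTJMOCK-44K2D32-ORM52ZI-S2GTX2X-IRUSAQ5";
          };
          "android" = {
            id = "4Z7HDYB-C56BONH-JRBN5D7-LDFNHQJ-5BQDLVU-O3SMBPI-3VZTL7V-ERGU2Q5";
          };
          "allegro" = {
            id = "CLANFN6-Q26KKQL-S6OZ4JW-75CM2JC-R47DIWM-G7RBX7T-B4TJPTS-5U3ZRQH";
          };
        };
        # Both folders are "receiveencrypted": this host stores only the
        # ciphertext sent by the other devices and never holds the folder
        # password. A compromise of this server therefore exposes encrypted
        # blobs, not the notes or the password database in the clear.
        folders = {
          "notes" = {
            id = "njhxw-6wmte";
            type = "receiveencrypted";
            path = "/home/syncthing/shares/notes"; # Which folder to add to Syncthing
            devices = [
              "home"
              "android"
              "allegro"
            ]; # Which devices to share the folder with
          };
          "passdb" = {
            id = "eo3io-kbitv";
            type = "receiveencrypted";
            # "~/" is resolved against the home directory of the syncthing
            # service user, unlike the absolute path used for "notes".
            path = "~/passdb";
            devices = [
              "home"
              "android"
              "allegro"
            ]; # Which devices to share the folder with
          };
        };
      };
    };
  };

  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud31;
    # Same host name as before, derived from `domain` so it cannot drift from
    # the nginx virtual host declared above.
    hostName = "nextcloud.${domain}";
    https = true;
    config = {
      # Initial admin password, read from a file kept outside the Nix store.
      # NOTE(review): the file sits in the filesystem root; confirm it is not
      # world-readable.
      adminpassFile = "/nextcloud_root_pass";
      dbtype = "sqlite";
    };
    settings = {
      "filesystem_check_changes" = "1";
    };
    phpExtraExtensions = all: [ all.pdlib ];
    configureRedis = true; # caching
  };

  system.stateVersion = "23.11";
}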