nix-system/os/hs/configuration.nix

{ config, pkgs, ... }:
let
# Public keys of the hosts allowed to log in as `ant`; the same list is handed
# to the remote-disk-unlock module in `imports`. Every key here is effectively a
# root credential on this box (wheel + passwordless sudo below), so keep it short.
sshKeys =
  let keys = import ../../sshKeys.nix;
  in [ keys.basado keys.moon keys.allegro keys.hs ];
# ISP-side DNS name. Only feeds `networking.domain`; the public vhosts further
# down use antoinevaure.fr instead.
domain = "antoinev.freeboxos.fr";
in {
imports =
  let
    # Pieces specific to this machine.
    hostModules = [
      ./hardware-configuration.nix
      ./syncthing.nix
      ./disks.nix
      ./backup.nix
    ];
    # Initrd SSH for unlocking the disks remotely; receives the same key list
    # as the `ant` user (what it does with them is defined in that module).
    remoteUnlock = import ../remote-disk-unlock.nix sshKeys;
  in
  hostModules ++ [ ../common.nix remoteUnlock ];
# UEFI boot via systemd-boot; NixOS may write EFI variables on install/rebuild.
boot.loader = {
  systemd-boot.enable = true;
  efi.canTouchEfiVariables = true;
};
# NVIDIA GPU with VA-API; the driver is pinned to the 535 legacy branch
# (unfree, see nixpkgs.config.allowUnfree below). Why 535 is not recorded here.
hardware.graphics = {
  enable = true;
  enable32Bit = true;
  extraPackages = [ pkgs.nvidia-vaapi-driver ];
};
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_535;
services.xserver.videoDrivers = [ "nvidia" ];
networking = {
  hostName = "hs";
  inherit domain;
};
# The single interactive account. Logs in with the keys in `sshKeys` only
# (password auth is disabled in services.openssh).
users.users.ant = {
  isNormalUser = true;
  description = "ant";
  # wheel  -> sudo (see security.sudo below)
  # jellyfin -> access to the media library owned by the jellyfin service
  extraGroups = [ "networkmanager" "wheel" "jellyfin" ];
  openssh.authorizedKeys.keys = sshKeys;
};
# NOTE(review): wheel members get sudo without a password. Combined with
# key-only SSH this makes every key in `sshKeys` a root credential; acceptable
# for a single-admin box, but worth knowing when handing keys out.
security.sudo.wheelNeedsPassword = false;
# Needed for the NVIDIA driver above.
nixpkgs.config.allowUnfree = true;
environment.systemPackages = [
  pkgs.neovim
  pkgs.tmux
  pkgs.nh
  pkgs.git
  pkgs.curl
  pkgs.wget
  pkgs.htop
];
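# Key-only SSH. Turning off PasswordAuthentication alone is not sufficient on
# NixOS: sshd runs with PAM enabled by default, and keyboard-interactive
# authentication can still prompt for (and accept) the account password, so
# that method is disabled as well.
services.openssh = {
  enable = true;
  settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
  };
};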
# Inbound ports. 80/443 are nginx (ACME challenges + the TLS vhosts below).
# 25565 is presumably the game port for the ragnamod service; that unit is
# `enable = false` further down, so this rule currently opens a port nothing
# listens on — drop it, or tie it to the service when it is re-enabled.
networking.firewall =
  let gamePort = 25565;
  in {
    allowedTCPPorts = [ 80 443 gamePort ];
    allowedUDPPorts = [ gamePort ];
  };
# Allow waking this host over the LAN (it is the one unlocked via initrd SSH).
networking.interfaces.enp10s0.wakeOnLan.enable = true;
# Modded game server, currently switched off (`enable = false` leaves the unit
# defined but masked on the running system, as far as the NixOS option goes).
# It runs as `ant` from a script inside ant's home directory, so whoever can
# write there controls what this unit executes once it is turned back on.
systemd.services.ragnamod = {
  description = "Ragnamod server";
  enable = false;
  after = [ "network.target" ];
  wantedBy = [ "default.target" ];
  path = [ pkgs.jre ];
  serviceConfig = {
    Type = "simple";
    User = "ant";
    ExecStart = "/home/ant/ragnamod/startserver.sh";
  };
};
services = {
  # System monitor. NOTE(review): `openFirewall` exposes the Glances web
  # server to the whole LAN; the UI lists processes, mounts and network state
  # and, unless a password is configured, has no authentication — confirm that
  # is intended rather than fronting it through nginx like the other services.
  glances = {
    enable = true;
    openFirewall = true;
  };
  # Photo library; no GPU/VAAPI devices handed to the transcoder here
  # (the immich user is still put in the video/render groups below).
  immich = {
    enable = true;
    accelerationDevices = null;
  };
};
users.users.immich.extraGroups = [ "video" "render" ];
# Public TLS front door for the self-hosted services. Every vhost is
# ACME-issued and HTTPS-only; upstreams are reached over loopback and are not
# opened in the firewall themselves.
services.nginx = {
  enable = true;
  recommendedGzipSettings = true;
  recommendedOptimisation = true;
  recommendedProxySettings = true;
  recommendedTlsSettings = true;
  virtualHosts =
    let
      loopback = port: "http://127.0.0.1:${toString port}";
      # HTTPS-only vhost whose root proxies (websockets included) to `upstream`.
      tlsProxy = upstream: {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = upstream;
          proxyWebsockets = true;
        };
      };
    in {
      "immich.antoinevaure.fr" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          # Kept as "localhost" rather than 127.0.0.1; depending on resolver
          # configuration this may try ::1 first.
          proxyPass = "http://localhost:${toString config.services.immich.port}";
          proxyWebsockets = true;
          # Already enabled server-wide above; harmless duplicate.
          recommendedProxySettings = true;
          # Mobile backup uploads whole videos: allow ~50 GB bodies and long
          # transfers. Authentication is handled by Immich itself.
          extraConfig = ''
            client_max_body_size 50000M;
            proxy_read_timeout 600s;
            proxy_send_timeout 600s;
            send_timeout 600s;
          '';
        };
      };
      "jellyfin.antoinevaure.fr" = tlsProxy (loopback 8096);
      "git.antoinevaure.fr" = tlsProxy (loopback 3000);
      # Public, unauthenticated binary cache. Anything that lands in
      # /nix/store — including secrets mistakenly given as path literals —
      # becomes downloadable from here.
      "nixcache.antoinevaure.fr" = tlsProxy (loopback config.services.nix-serve.port);
      # Previously fronted services, kept for reference:
      # "sonarr.${domain}" = tlsProxy (loopback 8989);
      # "radarr.${domain}" = tlsProxy (loopback 7878);
      # "qbittorrent.${domain}" = tlsProxy (loopback qbittorrentPort);
      # "nextcloud.${domain}" = { enableACME = true; forceSSL = true; };
    };
};
# Git forge behind the git.antoinevaure.fr vhost.
services.forgejo = {
  enable = true;
  lfs.enable = true;
  settings = {
    server = {
      DOMAIN = "git.antoinevaure.fr";
      ROOT_URL = "https://git.antoinevaure.fr/";
      HTTP_PORT = 3000;
    };
    # Accounts are created by the admin only. Flip to false just long enough
    # to register the first admin user, then set it back.
    service.DISABLE_REGISTRATION = true;
    # CI via act-compatible workflows. Jobs land on the host runner declared
    # in services.gitea-actions-runner (label native:host), i.e. they execute
    # directly on this machine — every user who can push a workflow here can
    # run code on the host, which is why registration stays closed.
    actions.ENABLED = true;
    # actions.DEFAULT_ACTIONS_URL = "github";
    # `git push` to a non-existent repo creates it for users and orgs.
    repository = {
      ENABLE_PUSH_CREATE_USER = true;
      ENABLE_PUSH_CREATE_ORG = true;
    };
    # Outgoing mail is optional. A test mail can be sent from the web UI:
    # Profile Picture > Site Administration > Configuration > Mailer Configuration.
    # (`srv` in the sample below is not defined in this file; it stood for
    # `settings.server` in the upstream example.)
    # mailer = {
    #   ENABLED = true;
    #   SMTP_ADDR = "mail.example.com";
    #   FROM = "noreply@${srv.DOMAIN}";
    #   USER = "noreply@${srv.DOMAIN}";
    # };
  };
};
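# Forgejo Actions runner registered against the local forge.
services.gitea-actions-runner = {
  package = pkgs.forgejo-actions-runner;
  instances.default = {
    enable = true;
    name = "monolith";
    url = "https://git.antoinevaure.fr";
    # Registration token. The file is used as a systemd EnvironmentFile, so
    # its content must be `TOKEN=<secret>`. It is given as a quoted string
    # on purpose: a bare Nix path literal (`/root/...`) can be copied into
    # the world-readable Nix store when it is interpolated, which would leak
    # the token (and here the store is even served publicly via nix-serve).
    tokenFile = "/root/forgejo_runner_token";
    # native:host = jobs run directly on this machine, not in a container,
    # with the tools listed in hostPackages. Anyone able to push a workflow to
    # the forge therefore executes code on this host with the runner's
    # privileges; keep the forge's user set trusted.
    labels = [ "native:host" ];
    hostPackages = with pkgs; [ bash coreutils gitMinimal config.nix.package ];
  };
};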
# Let's Encrypt account used by every `enableACME` vhost above.
security.acme = {
  acceptTerms = true;
  defaults.email = "contact@antoinevaure.fr";
};
services.jellyfin.enable = true;
# Binary cache fronted by nixcache.antoinevaure.fr. The signing key is given
# as a string path, not a path literal, so it is never copied into the store;
# it should be readable by the nix-serve service only (verify owner/mode).
services.nix-serve = {
  enable = true;
  secretKeyFile = "/var/cache-priv-key.pem";
};
# Release the host was first installed with; governs stateful defaults,
# do not bump without reading the release notes.
system.stateVersion = "24.11";
}