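# NixOS host configuration for "brno" (domain loang.net).
#
# Serves HTTPS via nginx (ACME-issued certificate), Gemini via molly-brown
# (reusing the same ACME certificate), and key-only SSH on a non-default
# port. Further services come from the imported modules.
{ config, lib, pkgs, ... }:

let
  # The ACME certificate set for the host's domain; shared between nginx
  # (via enableACME) and molly-brown (via certPath/keyPath below).
  certs = config.security.acme.certs.${domain};
  domain = config.networking.domain;

  # Build `fileSystems` bind-mount entries exposing a directory from each
  # listed user's home at `target + user`.
  #   sources: attrset of user name -> directory relative to that user's home
  #   target:  path prefix the user name is appended to (".../~" -> ".../~cnx")
  # Each mount is a plain `bind` (read-write), so the user publishes simply by
  # writing into their own home directory.
  bindUserDirs = sources: target:
    lib.mapAttrs' (user: dir: {
      name = target + user;
      value = {
        device = "${config.users.users.${user}.home}/${dir}";
        options = [ "bind" ];
      };
    }) sources;
in {
  environment = {
    enableAllTerminfo = true;
    systemPackages = with pkgs; [ git rsync vim ];
  };

  # Expose ~cnx/www under the nginx document root as /~cnx.
  # NOTE(review): nginx must be able to traverse that user's home for the
  # mount source to be readable — confirm the home directory's mode allows it.
  fileSystems = bindUserDirs { cnx = "www"; }
    "${config.services.nginx.virtualHosts.${domain}.root}/~";

  imports = [ ./ipfs.nix ./matrix.nix ./vpsadminos.nix ];

  networking = {
    domain = "loang.net";
    firewall = {
      # Only the services configured here are reachable from outside; SSH
      # listens on 2211, so port 22 stays closed.
      allowedTCPPorts = [
        80 # HTTP
        443 # TLS
        1965 # Gemini
        2211 # SSH
        4001 # IPFS
      ];
      allowedUDPPorts = [
        4001 # IPFS
      ];
    };
    hostName = "brno";
  };

  security = {
    acme = {
      acceptTerms = true;
      defaults.email = "mcsinyx@disroot.org";
    };
    sudo = {
      enable = true;
      # Only members of `wheel` may invoke sudo at all.
      execWheelOnly = true;
      # Wheel members (currently only cnx) escalate without a password. With
      # SSH being key-only, an authorized key for such an account is
      # effectively root access; keep that in mind when adding users to wheel.
      wheelNeedsPassword = false;
    };
  };

  services = {
    molly-brown = {
      certPath = "${certs.directory}/cert.pem";
      docBase = "/var/lib/gemini/${domain}";
      enable = true;
      hostName = domain;
      keyPath = "${certs.directory}/key.pem";
    };
    nginx = {
      enable = true;
      # No proxy locations are declared in this file; presumably used by the
      # imported modules — harmless otherwise.
      recommendedProxySettings = true;
      virtualHosts.${domain} = {
        enableACME = true;
        forceSSL = true;
        root = "/var/lib/www/${domain}";
      };
    };
    openssh = {
      enable = true;
      # Key-based logins only. `passwordAuthentication = false` by itself
      # leaves the keyboard-interactive (PAM) method enabled, through which a
      # password can still be offered; disable it too so the intent holds.
      kbdInteractiveAuthentication = false;
      passwordAuthentication = false;
      ports = [ 2211 ];
    };
  };

  system.stateVersion = "22.05";

  systemd = {
    extraConfig = ''
      DefaultTimeoutStartSec=900s
    '';
    # Let molly-brown read the ACME private key through the certificate's group
    # instead of running it with broader privileges.
    services.molly-brown.serviceConfig.SupplementaryGroups = [ certs.group ];
  };

  time.timeZone = "UTC";

  # Each account authenticates only with the public key(s) in /etc/ssh/<user>.pub.
  users.users = {
    ckie = {
      isNormalUser = true;
      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/ckie.pub" ];
    };
    # The only administrative account (see security.sudo above).
    cnx = {
      extraGroups = [ "wheel" ];
      isNormalUser = true;
      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/cnx.pub" ];
      packages = with pkgs; [ stow ];
    };
    owocean = {
      isNormalUser = true;
      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/owocean.pub" ];
    };
    xarvos = {
      isNormalUser = true;
      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/xarvos.pub" ];
    };
  };
}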