{ pkgs, inputs, ... }: { imports = [ ./hardware-configuration.nix ./networking.nix # generated at runtime by nixos-infect ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; systemd.services.ann = { enable = true; description = "Ann"; script = '' export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable" ${inputs.ann.apps.${pkgs.system}."migrate-up".program} exec ${inputs.ann.apps.${pkgs.system}.ann.default.program} ''; wantedBy = [ "multi-user.target" ] }; services.freshrss = { enable = true; defaultUser = "freshrss"; passwordFile = "/run/secrets/freshrss"; dataDir = "/srv/freshrss/data"; virtualHost = "rssf.mccd.space"; baseUrl = "https://rssf.mccd.space"; }; services.postgresql = { enable = true; ensureDatabases = [ "ann" ]; settings = { listen_addresses = pkgs.lib.mkForce "*"; }; authentication = pkgs.lib.mkOverride 10 '' #type database DBuser auth-method local all all trust host all all ::1/128 trust ''; }; services.nginx = { enable = true; gitweb = { enable = false; }; recommendedProxySettings = true; recommendedTlsSettings = true; virtualHosts."rssf.mccd.space" = { forceSSL = true; enableACME = true; }; virtualHosts."ann.sh" = { enableACME = true; addSSL = true; locations."~" = { proxyPass = "http://localhost:8080"; proxyWebsockets = true; # needed if you need to use WebSocket extraConfig = # required when the target is also TLS server with multiple hosts "proxy_ssl_server_name on;" + # required when the server wants to use HTTP Authentication "proxy_pass_header Authorization;" ; }; }; }; networking.firewall.allowedTCPPorts = [ 80 443]; security.acme = { acceptTerms = true; defaults.email = "marcc@mccd.space"; }; environment.systemPackages = with pkgs; [ git vim ]; users.users.git = { isNormalUser = true; home = "/home/git"; description = "Git User"; extraGroups = [ "wheel" "networkmanager" "git" ]; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcVScuh69V2OoYvMvPPgg0V2rNOaaEBBKpfsflnb97u1XltWeO9GnjkSfnfkY73M67eWuMwf9VwSjcYuDAguUEtCBlFEiZydmqgA5efqHwTIoxAegXL4Imb/pWnvryFQ7bbpcbY6gCNIskGMsUOv67AVXL5zPcFPmh/gQEOQH+Zp7AaJ264HWkwBuM63OYxuQ4vB/6jxWGW8j6UF9dvqemtRyFytpXW8R7y3B7sbI+tO+vuB2+O5NNguv3KStT00ktfLxoZJ2koAIb0HBOoKlbeoFVR/K3S8NeWbsZQMHY1W519rQm3TN6rDBLjdRDYQS1Y5ECNAfgbdrz5Ed8R1P1AqqzBAfEp0ooFeitN8BDrwbntiMF+qpPWzNIzJkWOgpfU7YBr/JCsSdtnVAMJo4lKC3mu5PKGROUE/rfd0/rn03HD/rgyhPvREtwUrfQTc4VzQP2Ntdw3tsZRpaNk7FZPtXApKu9Wt6TwS74n6ma4Q33opfqyDV0UzpsUCYncx8= marcc@mccd" ]; }; boot.cleanTmpDir = true; zramSwap.enable = true; networking.hostName = "nix"; networking.domain = "ann"; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = [''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcVScuh69V2OoYvMvPPgg0V2rNOaaEBBKpfsflnb97u1XltWeO9GnjkSfnfkY73M67eWuMwf9VwSjcYuDAguUEtCBlFEiZydmqgA5efqHwTIoxAegXL4Imb/pWnvryFQ7bbpcbY6gCNIskGMsUOv67AVXL5zPcFPmh/gQEOQH+Zp7AaJ264HWkwBuM63OYxuQ4vB/6jxWGW8j6UF9dvqemtRyFytpXW8R7y3B7sbI+tO+vuB2+O5NNguv3KStT00ktfLxoZJ2koAIb0HBOoKlbeoFVR/K3S8NeWbsZQMHY1W519rQm3TN6rDBLjdRDYQS1Y5ECNAfgbdrz5Ed8R1P1AqqzBAfEp0ooFeitN8BDrwbntiMF+qpPWzNIzJkWOgpfU7YBr/JCsSdtnVAMJo4lKC3mu5PKGROUE/rfd0/rn03HD/rgyhPvREtwUrfQTc4VzQP2Ntdw3tsZRpaNk7FZPtXApKu9Wt6TwS74n6ma4Q33opfqyDV0UzpsUCYncx8='' ]; }