nix-config/nixos/primordial/configuration.nix

{
  config,
  pkgs,
  ...
}: let
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in {
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets."gitea.env" = {};
  sops.secrets."keycloak_db_pw" = {};

  imports = [
    ./mail.nix
    ./hardware-configuration.nix
  ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking = {
    hostName = "primordial";

    interfaces.enp1s0 = {
      ipv6.addresses = [
        {
          address = "2a01:4f8:c010:b448::";
          prefixLength = 64;
        }
      ];
    };

    defaultGateway6 = {
      address = "fe80::1";
      interface = "enp1s0";
    };

    firewall = {
      enable = true;
      allowedTCPPorts = [80 443];
    };
  };

  time.timeZone = "Europe/Berlin";

  i18n.defaultLocale = "en_US.UTF-8";

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "huanzodev@gmail.com";

  services = {
    openssh = {
      enable = true;
      ports = [22];
      openFirewall = true;
      settings = {
        PermitRootLogin = "yes";
        PasswordAuthentication = false;
      };
    };

    postgresql = {
      enable = true;
      ensureDatabases = ["matrix-synapse"];
      ensureUsers = [
        {
          name = "matrix-synapse";
          ensureDBOwnership = true;
        }
      ];
      authentication = pkgs.lib.mkOverride 10 ''
        #type database  DBuser  auth-method
        local all       all     trust
        host  all       all     127.0.0.1/32 md5
      '';
    };

    matrix-synapse = {
      enable = true;
      settings.server_name = "fuckwit.dev";
      # The public base URL value must match the `base_url` value set in `clientConfig` above.
      # The default value here is based on `server_name`, so if your `server_name` is different
      # from the value of `fqdn` above, you will likely run into some mismatched domain names
      # in client applications.
      settings.public_baseurl = "https://matrix.fuckwit.dev";
      settings.listeners = [
        {
          port = 8005;
          bind_addresses = ["127.0.0.1"];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = ["client" "federation"];
              compress = true;
            }
          ];
        }
      ];
    };

    nginx = {
      enable = true;

      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;

      virtualHosts."fuckwit.dev" = let
        serverConfig."m.server" = "matrix.fuckwit.dev:443";
        clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
      in {
        enableACME = true;
        forceSSL = true;
        # This section is not needed if the server_name of matrix-synapse is equal to
        # the domain (i.e. example.org from @foo:example.org) and the federation port
        # is 8448.
        # Further reference can be found in the docs about delegation under
        # https://element-hq.github.io/synapse/latest/delegate.html
        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
        # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
        # Further reference can be found in the upstream docs at
        # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
      };

      virtualHosts."matrix.fuckwit.dev" = {
        enableACME = true;
        forceSSL = true;
        # It's also possible to do a redirect here or something else, this vhost is not
        # needed for Matrix. It's recommended though to *not put* element
        # here, see also the section about Element.
        locations."/".extraConfig = ''
          return 404;
        '';
        # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
        # *must not* be used here.
        locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
        # Forward requests for e.g. SSO and password-resets.
        locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
      };

      virtualHosts."vault.fuckwit.dev" = {
        enableACME = true;
        forceSSL = true;

        locations."/" = {
          proxyPass = "http://127.0.0.1:8000";
        };
      };

      virtualHosts."git.fuckwit.dev" = {
        enableACME = true;
        forceSSL = true;

        locations."/" = {
          proxyPass = "http://127.0.0.1:8001";
        };
      };

      virtualHosts."grafana.fuckwit.dev" = {
        enableACME = true;
        forceSSL = true;

        locations."/" = {
          proxyPass = "http://127.0.0.1:8002";
          proxyWebsockets = true;
        };
      };

      virtualHosts."influx.fuckwit.dev" = {
        enableACME = true;
        addSSL = true;

        locations."/" = {
          proxyPass = "http://127.0.0.1:8003";
          proxyWebsockets = true;
        };
      };

      virtualHosts."sso.fuckwit.dev" = {
        enableACME = true;
        addSSL = true;

        locations."/" = {
          proxyPass = "http://127.0.0.1:8004";
          proxyWebsockets = true;
        };
      };

      # virtualHosts."drone.fuckwit.dev" = {
      #   enableACME = true;
      #   addSSL = true;

      #   locations."/" = {
      #     proxyPass = "http://127.0.0.1:8004";
      #     proxyWebsockets = true;
      #   };
      # };
    };

    vaultwarden = {
      enable = true;

      config = {
        DOMAIN = "https://vault.fuckwit.dev";
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8000;
        SIGNUPS_ALLOWED = false;
      };
    };

    gitea = {
      enable = true;

      settings.service.DISABLE_REGISTRATION = true;
      settings.actions.ENABLED = true;
      settings.server = {
        DOMAIN = "git.fuckwit.dev";
        ROOT_URL = "https://git.fuckwit.dev";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 8001;
      };
      lfs.enable = true;
    };

    grafana = {
      enable = true;

      settings.server = {
        domain = "grafana.fuckwit.dev";
        http_addr = "127.0.0.1";
        http_port = 8002;
      };
    };

    influxdb2 = {
      enable = true;

      settings = {
        http-bind-address = "127.0.0.1:8003";
      };
    };

    keycloak = {
      enable = true;

      database = {
        type = "postgresql";
        createLocally = true;
        passwordFile = config.sops.secrets."keycloak_db_pw".path;
      };

      settings = {
        hostname = "sso.fuckwit.dev";
        http-host = "127.0.0.1";
        http-port = 8004;
        proxy = "edge";
      };
    };

    # drone-server = {
    #   enable = true;
    #   config = {
    #     giteaServer = "https://git.fuckwit.dev";
    #     serverHost = "drone.fuckwit.dev";
    #     serverPort = ":8004";
    #     serverProto = "https";
    #   };
    #   environmentFile = config.sops.secrets."gitea.env".path;
    # };
  };

  users.users."root".openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6oGHBFD3wo16buPtdYDat911gydOw2oFj80fTXL1xo batzi@DESKTOP-8A2VTHL"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK3otGMe8umxxJX5BbbBQ/+PQg37Puh0qjH8IILL95T patrick@mi"
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDl3vLxNpinilTJp1rGsSYlVi+hIa+oECtge1i8bwz33AAAACHNzaDptYWlu"
  ];

  system.stateVersion = "23.05";
}