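# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).

{ config, lib, pkgs, ... }:

{
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "driftwood";
  time.timeZone = "America/Louisville";
  i18n.defaultLocale = "en_US.UTF-8";

  # Release this host was first installed with. It pins stateful defaults
  # to that release; do not bump it on upgrade without reading the release
  # notes for the option.
  system.stateVersion = "24.11";

  # NAT for container veth interfaces (ve-*) behind the physical uplink.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "enp5s0f0";
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
  };

  # Automated TLS acquisition/renewal.
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "admin@stranger.systems";
    };
    # Wildcard cert for the tailnet domain. Wildcards need the DNS-01
    # challenge, hence the Cloudflare DNS provider below.
    certs."tailnet.stranger.systems" = {
      domain = "tailnet.stranger.systems";
      extraDomainNames = [ "*.tailnet.stranger.systems" ];
      dnsProvider = "cloudflare";
      dnsPropagationCheck = true;
      # Credentials are read from files at runtime rather than being
      # written into the world-readable Nix store.
      # NOTE(review): CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY is the account-wide
      # Global API Key. A DNS-scoped API token (lego's CLOUDFLARE_DNS_API_TOKEN,
      # i.e. CLOUDFLARE_DNS_API_TOKEN_FILE here) limits the blast radius if
      # /run/secrets/cloudflare/key is ever exposed — confirm and migrate.
      credentialFiles = {
        "CLOUDFLARE_EMAIL_FILE" = "/run/secrets/cloudflare/email";
        "CLOUDFLARE_API_KEY_FILE" = "/run/secrets/cloudflare/key";
      };
    };
  };

  # ACME data must be readable by the NGINX user
  users.users.nginx.extraGroups = [ "acme" ];

  # Nginx: reverse proxy / TLS terminator.
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
  };

  # Open firewall ports for HTTP, HTTPS, and Matrix federation.
  # All three are TCP services and nothing in this file listens on UDP, so
  # no UDP ports are opened. If a virtualHost later enables QUIC/HTTP3, add
  # 443 to networking.firewall.allowedUDPPorts as well.
  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];

  # Syncthing host as an untrusted backup
  services.syncthing = {
    enable = true;
    user = "nathan";
    # GUI bound to a single address (presumably the tailnet address) rather
    # than 0.0.0.0; 8384 is not in allowedTCPPorts above, so it is only
    # reachable on interfaces the firewall trusts — TODO confirm.
    guiAddress = "100.64.0.3:8384";
  };

  # Allow reboot on autoupgrades
  # NOTE(review): allowReboot/rebootWindow only take effect when
  # system.autoUpgrade.enable = true, which is not set in this file — confirm
  # whether unattended upgrades are actually meant to be on.
  system.autoUpgrade = {
    allowReboot = true;
    rebootWindow = {
      lower = "03:00";
      upper = "05:00";
    };
  };

  # Weekly garbage collection of the Nix store, keeping the past month so a
  # bad upgrade can still be rolled back.
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };
}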