System/nixos/machines/driftwood/configuration.nix

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
  config,
  lib,
  pkgs,
  ...
}: {
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "driftwood";

  time.timeZone = "America/Louisville";
  i18n.defaultLocale = "en_US.UTF-8";

  system.stateVersion = "24.11"; # Did you read the comment?
  networking.nat = {
    enable = true;
    internalInterfaces = ["ve-+"];
    externalInterface = "enp5s0f0";
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
  };

  # Nginx configuration
  # Configure automated TLS acquisition/renewal
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "admin@stranger.systems";
    };
    # Get a wildcard cert
    certs."tailnet.stranger.systems" = {
      domain = "tailnet.stranger.systems";
      extraDomainNames = ["*.tailnet.stranger.systems"];
      dnsProvider = "cloudflare";
      dnsPropagationCheck = true;
      credentialFiles = {
        "CLOUDFLARE_EMAIL_FILE" = "/run/secrets/cloudflare/email";
        "CLOUDFLARE_API_KEY_FILE" = "/run/secrets/cloudflare/key";
      };
    };
  };

  # ACME data must be readable by the NGINX user
  users.users.nginx.extraGroups = [
    "acme"
  ];

  # Enable nginx
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
  };

  # Open firewall ports for HTTP, HTTPS, and Matrix federation
  networking.firewall.allowedTCPPorts = [80 443 8448];
  networking.firewall.allowedUDPPorts = [80 443 8448];

  # Syncthing host as an untrusted backup
  services.syncthing = {
    enable = true;
    user = "nathan";
    guiAddress = "100.64.0.3:8384";
  };
}