{ config, lib, pkgs, inputs, ... }: { # Sops setup for this machine sops.secrets = { "borg-ssh-key" = { sopsFile = ../../secrets/fusion/borg.yaml; format = "yaml"; }; "borg-password" = { sopsFile = ../../secrets/fusion/borg.yaml; format = "yaml"; }; }; # Setup system configuration nathan = { services = { nginx = { enable = true; acme = true; }; borg = { enable = true; extraExcludes = [ "/var/log" ]; passwordFile = config.sops.secrets."borg-password".path; sshKey = config.sops.secrets."borg-ssh-key".path; }; }; config = { setupGrub = false; nix = { autoUpdate = true; autoGC = true; }; harden = false; }; }; # Configure bootloader boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; boot.kernelParams = [ "net.ifnames=0" ]; # Configure networking networking = { domain = "mccarty.io"; useDHCP = true; nameservers = [ "1.1.1.1" ]; # Open ports in firewall firewall = { allowedTCPPorts = [ ]; allowedUDPPorts = [ ]; }; }; # Setup home manager home-manager.users.nathan = import ./home.nix; # Setup gitea services.gitea = { enable = true; domain = "git.stranger.systems"; rootUrl = "https://git.stranger.systems"; appName = "Stranger Systems Git Mirror"; settings = { service = { DISABLE_REGISTRATION = true; }; repository = { DEFAULT_BRANCH = "trunk"; DISABLE_STARS = true; ENABLE_PUSH_CREATE_ORG = true; }; }; }; services.nginx.virtualHosts."git.stranger.systems" = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://localhost:3000"; }; }; # Update later than everyone else, since this one hosts our updates system.autoUpgrade.dates = "6:00"; }