NixOS/hosts/server/configuration.nix

# NixOS configuration for the machine whose hostname is set to "server" below.
# `inputs` is presumably the flake's input set handed in by the caller
# (e.g. via specialArgs) -- confirm in the flake that builds this host.
{
  pkgs,
  config,
  lib,
  inputs,
  ...
}:
let
  # Single fixed number used for both the uid and the gid of the
  # lidarr-mb-gap account, so the numeric id is stable instead of being
  # auto-allocated.
  lidarrMbGapId = 968;
in
{
  imports = [
    inputs.lidarr-mb-gap.nixosModules.lidarr-mb-gap
    ./hardware-configuration.nix
    ./network.nix
    ../../config/base.nix
    ../../config/stylix.nix
  ];
  # `//` is a shallow merge: the `nix` and `users` attributes written here
  # replace any same-named top-level attributes returned by toggles.nix
  # rather than being merged into them.
  my = import ./toggles.nix { inherit config inputs; } // {
    nix.cores = 6;
    # NOTE(review): `my.users.nixremote` is an option defined outside this
    # file; it presumably creates the account other machines log in to for
    # remote builds. Whoever holds a key resolved here can act as that user
    # on this host, so keep the list to the machines that need it.
    users.nixremote = {
      enable = true;
      authorizedKeys = inputs.self.lib.getSshKeys [
        "nixworkstation"
        "nixminiserver"
      ];
    };
  };
  # This host offloads builds to "workstation" over SSH as `nixremote`.
  # Outputs produced by a remote builder are used on this machine, so the
  # builder is part of this host's trust base.
  # NOTE(review): neither `sshKey` nor `publicHostKey` is set in this entry,
  # so key selection and host-key checking fall back to the SSH setup of the
  # user the Nix daemon runs as -- confirm the workstation's host key is
  # pinned elsewhere (base.nix / network.nix are not visible here).
  nix.buildMachines = [
    {
      hostName = "workstation";
      system = "x86_64-linux";
      sshUser = "nixremote";
      maxJobs = 8;
      speedFactor = 2;
      supportedFeatures = config.my.nix.features;
    }
  ];
  # Lets evaluation proceed with a package nixpkgs has marked insecure.
  # The entry matches this exact name-version only, so a version bump makes
  # the check fire again.
  # TODO(review): record which package on this host pulls in mbedtls 2.28
  # (not visible in this file) and drop the exception once it is gone.
  nixpkgs.config.permittedInsecurePackages = [ "mbedtls-2.28.10" ];
  # Each secret is declared only when `config.my.secureHost` is true.
  sops.secrets = {
    "server/private" = lib.mkIf config.my.secureHost {
      sopsFile = ../../secrets/wireguard.yaml;
    };
    lidarr-mb-gap = lib.mkIf config.my.secureHost {
      sopsFile = ../../secrets/env.yaml;
    };
    # SSH private key for the lidarr-mb-gap service: additionally requires
    # the service to be enabled, is owned by the service account, and is
    # exposed under that account's ~/.ssh. No `mode` is set, so the sops-nix
    # default file mode applies.
    "private_keys/lidarr-mb-gap" =
      let
        cfg = config.services.lidarr-mb-gap;
        usr = config.users.users.lidarr-mb-gap;
      in
      lib.mkIf (config.my.secureHost && cfg.enable) {
        sopsFile = ../../secrets/keys.yaml;
        owner = usr.name;
        inherit (usr) group;
        path = "${usr.home}/.ssh/ed25519_lidarr-mb-gap";
      };
  };
  networking.hostName = "server";
  users = {
    groups.lidarr-mb-gap.gid = lidarrMbGapId;
    users = {
      # Extra per-user packages for `jawz`.
      jawz.packages = builtins.attrValues {
        inherit (pkgs) podman-compose attic-client;
      };
      # Dedicated system account for the service; its home matches
      # `services.lidarr-mb-gap.home` below.
      lidarr-mb-gap = {
        uid = lidarrMbGapId;
        isSystemUser = true;
        group = "lidarr-mb-gap";
        home = "/var/lib/lidarr-mb-gap";
      };
    };
  };
  services = {
    # Periodic btrfs scrub of the root filesystem and the /srv/pool mount.
    btrfs.autoScrub = {
      enable = true;
      fileSystems = [
        "/"
        "/srv/pool"
      ];
    };
    # Options below come from the module imported from inputs.lidarr-mb-gap;
    # their exact semantics are defined there, not in this file.
    lidarr-mb-gap = {
      enable = true;
      package = inputs.lidarr-mb-gap.packages.${pkgs.stdenv.hostPlatform.system}.lidarr-mb-gap;
      home = "/var/lib/lidarr-mb-gap";
      # NOTE(review): this and `sshKeyFile` read sops secret paths
      # unconditionally, while the secrets themselves are declared under
      # `lib.mkIf config.my.secureHost`. If secureHost were false here the
      # attributes would presumably be missing and evaluation would fail --
      # confirm the toggle is always true for this host.
      envFile = config.sops.secrets.lidarr-mb-gap.path;
      runInterval = "weekly";
      syncToVPS = true;
      vpsPort = 3456;
      vpsHost = "lidarr-reports@${config.my.ips.vps}";
      vpsPath = "/var/www/html/lidarr-mb-gap";
      sshKeyFile = config.sops.secrets."private_keys/lidarr-mb-gap".path;
      # Pins the VPS's ed25519 host key for both the bare address and the
      # "[addr]:port" known_hosts form used for non-default ports. The port
      # literal repeats `vpsPort`, so the two must be changed together, and
      # the key must be updated here when the VPS host key is rotated.
      sshKnownHosts.vps = {
        hostNames = [
          config.my.ips.vps
          "[${config.my.ips.vps}]:3456"
        ];
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPp0wAuZXk96OyA/+2YpQalokS9lZdacjJqY9zN8IScP";
      };
    };
  };
}