NixOS/hosts/vps/configuration.nix

# NixOS module for the host named "vps": imports the hardware, network and
# nginx/nextcloud modules plus the shared base config, then sets host-local
# users, sudo rules, web-root directories and sops-nix key locations.
{
  config,
  lib,
  pkgs,
  inputs,
  ...
}:
let
  # Toggle set shared across hosts, evaluated with this module's arguments.
  toggles = import ./toggles.nix { inherit config inputs lib; };

  # Host-specific values layered over the toggles.
  # NOTE(review): `//` is a shallow merge, so if toggles.nix also returns a
  # top-level `users` attribute it is replaced wholesale by the one below, not
  # merged with it. Confirm against toggles.nix.
  hostOverrides = {
    secureHost = true;
    users.nixremote = {
      enable = true;
      # Public keys accepted for nixremote; resolved by the flake's own helper
      # from these host names.
      authorizedKeys = inputs.self.lib.getSshKeys [
        "nixworkstation"
        "nixserver"
        "nixminiserver"
      ];
    };
  };
in
{
  imports = [
    ./hardware-configuration.nix
    ./network.nix
    ./nginx-nextcloud.nix
    ../../config/base.nix
  ];

  my = toggles // hostOverrides;

  networking.hostName = "vps";
  image.modules.linode = { };
  environment.systemPackages = [ ];

  # smartd is forced off, overriding any definition made elsewhere.
  services.smartd.enable = lib.mkForce false;
  # The SSH listen port comes from the `my.ports.ssh` option, defined outside this file.
  services.openssh.ports = [ config.my.ports.ssh ];

  # Passwordless sudo for the remote-deploy account, limited to one binary.
  # The rule lists no arguments, so every nixos-rebuild invocation matches.
  # Because nixos-rebuild builds and activates a complete system
  # configuration, this grant is equivalent to root for anyone holding one of
  # the nixremote keys above; treat those keys as root credentials.
  # NOTE(review): no `runAs` is set here, so the module default applies.
  security.sudo-rs.extraRules = [
    {
      users = [ "nixremote" ];
      commands = [
        {
          command = "/run/current-system/sw/bin/nixos-rebuild";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # Web roots created by systemd-tmpfiles. Mode 2775 is setgid plus
  # group-writable and world-readable: new files inherit the directory's
  # group, and every member of that group can write there.
  systemd.tmpfiles.rules = [
    "d /var/www/html 2775 deploy www-data -"
    "d /var/www/html/portfolio 2775 deploy www-data -"
    "d /var/www/html/blog 2775 deploy www-data -"
    "d /var/www/html/lidarr-mb-gap 2775 lidarr-reports lidarr-reports -"
  ];

  # sops-nix decryption identities: a dedicated age key (generated when it is
  # missing) and the host's ed25519 SSH key. Both files decrypt this host's
  # secrets, so they need the same protection as the secrets themselves.
  sops.age.generateKey = true;
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  users.groups = {
    deploy = { };
    lidarr-reports = { };
    www-data = { };
  };

  # nginx joins both content groups only when `my.secureHost` is set. The
  # directories above are group-writable, so this membership gives the nginx
  # user write access to them as well as read access.
  users.users.nginx = lib.mkIf config.my.secureHost {
    extraGroups = [
      "www-data"
      "lidarr-reports"
    ];
  };

  # Upload account for the site content under /var/www/html.
  # NOTE(review): system user with an interactive shell and an SSH key, so
  # the key holder gets a full shell. If only file transfer is needed,
  # consider restricting the key or the shell.
  users.users.deploy = {
    isSystemUser = true;
    group = "deploy";
    extraGroups = [ "www-data" ];
    home = "/var/lib/deploy";
    createHome = true;
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
  };

  # Upload account owning /var/www/html/lidarr-mb-gap. The shell and SSH-key
  # consideration noted for `deploy` applies here too.
  users.users.lidarr-reports = {
    isSystemUser = true;
    group = "lidarr-reports";
    home = "/var/lib/lidarr-reports";
    createHome = true;
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
  };
}