NixOS/hosts/server/configuration.nix

{ pkgs, config, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ../../config/base.nix
    ../../config/stylix.nix
  ];
  my = import ./toggles.nix { inherit config; };
  sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml;
  networking =
    let
      ports = [
        2049 # idk
        9999 # stash
        8384 # syncthing
        5201 # vps speed test
        3452 # sonarqube
        config.my.servers.audiobookshelf.port
        config.my.servers.bazarr.port
        config.my.servers.collabora.port
        config.my.servers.homepage.port
        config.my.servers.kavita.port
        config.my.servers.lidarr.port
        config.my.servers.maloja.port
        config.my.servers.microbin.port
        config.my.servers.multi-scrobbler.port
        config.my.servers.plex.port
        config.my.servers.prowlarr.port
        config.my.servers.radarr.port
        config.my.servers.readeck.port
        config.my.servers.ryot.port
        config.my.servers.sonarr.port
        config.my.servers.synapse.port
        config.my.servers.vaultwarden.port
        config.my.servers.jellyfin.port
        config.my.servers.mealie.port
        config.my.servers.gitea.port
        config.services.gitea.settings.server.SSH_PORT
      ];
    in
    {
      hostName = "server";
      firewall = {
        allowedTCPPorts = ports;
        allowedUDPPorts = ports;
        interfaces.wg0.allowedTCPPorts = [ 8081 ];
      };
      wireguard.interfaces.wg0 = {
        ips = [ "${config.my.wgServerIp}/32" ];
        privateKeyFile = config.sops.secrets."vps/home/private".path;
        peers = [
          {
            publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
            endpoint = "51.222.141.104:51820";
            allowedIPs = [ "${config.my.wgVpsIp}/32" ];
            persistentKeepalive = 25;
          }
        ];
      };
    };
  nix =
    let
      featuresList = [
        "nixos-test"
        "benchmark"
        "big-parallel"
        "kvm"
        "gccarch-znver3"
        "gccarch-skylake"
        "gccarch-alderlake"
      ];
    in
    {
      settings.cores = 6;
      buildMachines = [
        {
          hostName = "workstation";
          system = "x86_64-linux";
          sshUser = "nixremote";
          maxJobs = 12;
          speedFactor = 1;
          supportedFeatures = featuresList;
        }
      ];
    };
  users = {
    groups.nixremote.gid = 555;
    users = {
      jawz.packages = builtins.attrValues {
        inherit (pkgs) stash podman-compose;
      };
      nixremote = {
        isNormalUser = true;
        createHome = true;
        group = "nixremote";
        home = "/var/nixremote/";
        openssh.authorizedKeys.keyFiles = [
          ../../secrets/ssh/ed25519_nixworkstation.pub
          ../../secrets/ssh/ed25519_nixminiserver.pub
        ];
      };
    };
  };
  services.btrfs.autoScrub = {
    enable = true;
    fileSystems = [
      "/"
      "/srv/pool"
    ];
  };
}