NixOS/hosts/server/configuration.nix


{
pkgs,
config,
lib,
...
}:
{
imports = [
  # Disk/kernel/hardware settings specific to this machine.
  ./hardware-configuration.nix
  # Settings shared by every host in this tree.
  ../../config/base.nix
  # Shared theming module.
  ../../config/stylix.nix
];
# Per-host toggles; read below as config.my.servers and config.my.ips.
my = import ./toggles.nix { config = config; };
# WireGuard private key for this host. It stays encrypted in the repo and is
# decrypted by sops-nix; only the decrypted file's path is handed to
# wireguard.interfaces.wg0 below, so the key never enters the nix store.
# NOTE(review): sops-nix's default owner/mode (root, 0400) is relied on here;
# confirm nothing else needs to read this file.
sops.secrets."vps/home/private" = {
  sopsFile = ../../secrets/wireguard.yaml;
};
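networking =
  let
    # Ports declared by enabled entries in config.my.servers (toggles.nix).
    # An entry contributes only when it is enabled and actually sets `port`.
    enabledPorts =
      config.my.servers
      |> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port))
      |> lib.attrValues
      |> map (srv: srv.port);
    # Listeners that only ever speak TCP. The previous version opened these on
    # UDP as well, which only widened the exposed surface for no benefit.
    tcpOnlyPorts = [
      8384 # syncthing gui (HTTP)
      3452 # sonarqube (HTTP)
      config.services.gitea.settings.server.SSH_PORT # gitea built-in SSH
    ];
    # Ports that may legitimately need UDP in addition to TCP.
    dualProtocolPorts = [
      2049 # undocumented in the original ("idk"); conventional NFS port — confirm UDP is actually needed (NFSv4 is TCP-only)
      22000 # syncthing sync protocol (TCP, and QUIC over UDP)
    ];
  in
  {
    hostName = "server";
    firewall = {
      # NOTE: these lists apply on every interface, wg0 included, so the
      # WireGuard peers below can reach all of them, not just 8081.
      allowedTCPPorts = enabledPorts ++ tcpOnlyPorts ++ dualProtocolPorts;
      # enabledPorts stay on UDP because toggles.nix does not say which
      # protocol each service uses; narrow this once that is known.
      allowedUDPPorts = enabledPorts ++ dualProtocolPorts;
      # Only reachable through the tunnel.
      interfaces.wg0.allowedTCPPorts = [ 8081 ];
    };
    wireguard.interfaces.wg0 = {
      ips = [ "${config.my.ips.wg-server}/32" ];
      # Path of the sops-managed secret declared above; the key itself is
      # never written into this file or the nix store.
      privateKeyFile = config.sops.secrets."vps/home/private".path;
      peers = [
        {
          # The VPS acting as hub. A public key is not secret, so it is fine inline.
          publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
          endpoint = "${config.my.ips.vps}:51820";
          # Cryptokey routing: packets to/from these ranges are accepted from
          # this peer, so the whole friends /24 is trusted through the VPS.
          allowedIPs = [
            "${config.my.ips.wg-vps}/32"
            "${config.my.ips.wg-friends}/24" # all friends
          ];
          # Keeps the tunnel's NAT mapping alive (typical when this host sits behind a router).
          persistentKeepalive = 25;
        }
      ];
    };
  };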
nix =
  let
    # Capabilities advertised for the remote builder; a derivation whose
    # requiredSystemFeatures are all in this list may be scheduled there.
    builderFeatures = [
      "nixos-test"
      "benchmark"
      "big-parallel"
      "kvm"
      "gccarch-znver3"
      "gccarch-skylake"
      "gccarch-alderlake"
    ];
    workstation = {
      hostName = "workstation";
      system = "x86_64-linux";
      # Account the daemon logs in as over SSH. NOTE(review): no sshKey or
      # publicHostKey is pinned here, so host-key trust comes from root's
      # known_hosts; consider setting publicHostKey so a first connection
      # cannot be spoofed.
      sshUser = "nixremote";
      maxJobs = 12;
      speedFactor = 1;
      supportedFeatures = builderFeatures;
    };
  in
  {
    # Threads handed to each local build.
    settings.cores = 6;
    buildMachines = [ workstation ];
  };
users = {
  # Fixed gid so the group id is stable across rebuilds.
  groups.nixremote.gid = 555;
  # attrValues orders alphabetically, hence podman-compose before stash.
  users.jawz.packages = [
    pkgs.podman-compose
    pkgs.stash
  ];
  # Account other hosts log in as to use this machine as a remote builder.
  users.nixremote = {
    isNormalUser = true;
    createHome = true;
    group = "nixremote";
    home = "/var/nixremote/";
    # Public keys of the hosts allowed in; the private halves live on those
    # hosts. NOTE(review): the .pub files are used verbatim, so unless they
    # carry an options prefix these keys get an unrestricted shell — consider
    # `restrict`. Whether nixremote must also be in nix.settings.trusted-users
    # for remote builds is decided elsewhere (base.nix?) — verify.
    openssh.authorizedKeys.keyFiles = [
      ../../secrets/ssh/ed25519_nixworkstation.pub
      ../../secrets/ssh/ed25519_nixminiserver.pub
    ];
  };
};
# Periodic btrfs scrub (checksum verification) of both volumes.
services.btrfs.autoScrub.enable = true;
services.btrfs.autoScrub.fileSystems = [
  "/"
  "/srv/pool"
];
}