NixOS/hosts/vps/configuration.nix

{
  lib,
  inputs,
  pkgs,
  ...
}:
{
  imports = [
    ./hardware-configuration.nix
    ../../config/base.nix
  ];
  my = {
    secureHost = true;
    enableProxy = true;
    users.nixremote = {
      enable = true;
      authorizedKeys = inputs.self.lib.getSshKeys [
        "nixworkstation"
        "nixserver"
        "nixminiserver"
      ];
    };
    interfaces = lib.mkMerge [
      {
        vps = "eth0";
      }
    ];
    services = {
      network.enable = true;
      wireguard.enable = true;
    };
  };
  environment.etc."iptables.rules".source = ../../iptables;
  networking.firewall.enable = false;
  networking.nftables.enable = false;
  systemd.services.iptables-restore = {
    description = "Apply iptables ruleset";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-pre.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${pkgs.iptables}/bin/iptables-restore --wait /etc/iptables.rules";
    };
  };
  image.modules.linode = { };
  networking.hostName = "vps";
  security.sudo-rs.extraRules = [
    {
      users = [ "nixremote" ];
      commands = [
        {
          command = "/run/current-system/sw/bin/nixos-rebuild";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
  services.openssh.ports = [ 3456 ];
  sops.age = {
    generateKey = true;
    keyFile = "/var/lib/sops-nix/key.txt";
    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
  users = {
    groups = {
      deploy = { };
      lidarr-reports = { };
    };
    users = {
      deploy = {
        isSystemUser = true;
        group = "deploy";
        openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
      };
      lidarr-reports = {
        isSystemUser = true;
        group = "lidarr-reports";
        openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
      };
    };
  };
  environment.systemPackages = [ ];
}