NixOS/hosts/server/configuration.nix
Danilo Reyes f1d565225a Refactor Linode configuration and update WireGuard settings
- Renamed SSH match block from 'vps' to 'linode' in jawz.nix for clarity.
- Updated IP addresses in toggles.nix and other configuration files to reflect the new Linode setup.
- Removed deprecated fail2ban configuration from linode's configuration.nix.
- Adjusted WireGuard interface settings to use the correct IP for linode.
- Cleaned up hardware configuration by removing unnecessary GRUB loader settings.
- Updated secrets management in wireguard.yaml to streamline key handling.
2025-10-28 13:42:23 -06:00


# NixOS module for the host named "server": shared base imports, the
# project's `my.*` toggles, build offloading to "workstation", the WireGuard
# tunnel towards the linode peer, firewall openings and btrfs scrubbing.
{ pkgs, config, lib, inputs, ... }:
let
  # Values read from the project's own `my` option tree.
  inherit (config.my) ips secureHost;

  # sops secret name holding this host's WireGuard private key.
  wgSecret = "wireguard/server/private";
in
{
  imports = [
    ./hardware-configuration.nix
    ../../config/base.nix
    ../../config/stylix.nix
  ];

  # `//` is a shallow merge: every top-level attribute written on the right
  # (nix, users, network) replaces the attribute of the same name returned by
  # toggles.nix as a whole.
  # NOTE(review): if toggles.nix also sets anything under nix/users/network it
  # is silently dropped here; confirm, or merge with lib.recursiveUpdate.
  my = import ./toggles.nix { inherit config inputs; } // {
    nix.cores = 6;

    users.nixremote = {
      enable = true;
      # SSH keys resolved by the flake's own helper for these two hosts.
      # Presumably they are the keys allowed to log in as nixremote; verify
      # against the module that consumes this option.
      authorizedKeys = inputs.self.lib.getSshKeys [
        "nixworkstation"
        "nixminiserver"
      ];
    };

    network.firewall = {
      enabledServicePorts = true;
      # NOTE(review): presumably these end up in the global allowedTCPPorts
      # (all interfaces); confirm in the module that defines this option.
      additionalPorts = [
        # 2049 is the registered NFS port; the original note here was "idk".
        # Confirm an NFS export is really meant to be reachable, else drop it.
        2049
        # Syncthing web GUI. The GUI can reconfigure Syncthing, so consider
        # scoping it to wg0 the way 8081 is scoped below.
        8384
        # Syncthing's default sync-protocol listener (originally labelled
        # "syncthing relay").
        22000
        3452 # sonarqube
        8448 # synapse ssl
      ];
    };
  };

  # Remote builder reached over SSH as the nixremote user.
  nix.buildMachines = [
    {
      hostName = "workstation";
      system = "x86_64-linux";
      sshUser = "nixremote";
      maxJobs = 8;
      speedFactor = 2;
      supportedFeatures = config.my.nix.features;
    }
  ];

  # The private key is declared as a sops secret only on hosts flagged
  # secureHost; the encrypted source is the shared wireguard.yaml.
  sops.secrets.${wgSecret} = lib.mkIf secureHost {
    sopsFile = ../../secrets/wireguard.yaml;
  };

  networking.hostName = "server";

  networking.firewall = {
    # Every globally opened TCP port is opened for UDP as well.
    # NOTE(review): this widens the exposed surface to ports opened by other
    # modules too; verify which services need UDP and list those explicitly.
    allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
    # 8081 is accepted only on the WireGuard interface. This rule is not gated
    # on secureHost, unlike the interface definition below.
    interfaces.wg0.allowedTCPPorts = [ 8081 ];
  };

  networking.wireguard.interfaces.wg0 = lib.mkIf secureHost {
    ips = [ "${ips.wg-server}/32" ];
    # Path of the sops-managed secret, so the key itself is referenced by file
    # and never written into this configuration.
    privateKeyFile = config.sops.secrets.${wgSecret}.path;
    peers = [
      {
        # Peer's WireGuard public key (not a secret).
        publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
        endpoint = "${ips.linode}:51820";
        # Only the linode tunnel address and the friends /24 are accepted
        # from, and routed to, this peer.
        allowedIPs = [
          "${ips.wg-linode}/32"
          "${ips.wg-friends}/24"
        ];
        persistentKeepalive = 25;
      }
    ];
  };

  # Same two packages, in the name-sorted order builtins.attrValues yields.
  users.users.jawz.packages = [
    pkgs.attic-client
    pkgs.podman-compose
  ];

  services.btrfs.autoScrub = {
    enable = true;
    fileSystems = [
      "/"
      "/srv/pool"
    ];
  };
}