# NixOS system configuration for the host amzebs-01.cloonar.com:
# a web/database server with SSH access, sops-managed secrets, ACME
# certificates and a host firewall.
{ config, lib, pkgs, ... }:

{
  # Shared utility modules and host-specific modules. Their contents are
  # not visible from this file, so any option they set (SSH hardening,
  # MariaDB bind address, extra firewall rules) has to be checked there.
  imports = [
    ./utils/bento.nix
    ./utils/modules/sops.nix
    ./utils/modules/nginx.nix
    ./modules/mysql.nix
    ./modules/web/stack.nix
    ./modules/laravel-storage.nix
    ./utils/modules/autoupgrade.nix
    ./utils/modules/promtail
    ./utils/modules/victoriametrics
    ./utils/modules/borgbackup.nix
    ./hardware-configuration.nix
    ./sites
  ];

  # Tools available to every user on the host.
  environment.systemPackages = [
    pkgs.vim
    pkgs.screen
    pkgs.php82
  ];

  time.timeZone = "Europe/Vienna";

  # Secrets: sops-nix derives its age identity from the host's ed25519 SSH
  # key, so whoever can read that private key can decrypt secrets.yaml.
  sops = {
    defaultSopsFile = ./secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };

  # Periodic store clean-up; generations older than 60 days are dropped.
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 60d";

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  # SSH is reachable from anywhere (port 22 is opened in the firewall below).
  # NOTE(review): no services.openssh.settings are set in this file, so the
  # password-authentication and root-login policy come from NixOS defaults or
  # from an imported module. Confirm that PasswordAuthentication and
  # KbdInteractiveAuthentication are disabled somewhere, since root is meant
  # to log in with the keys listed below.
  services.openssh.enable = true;

  # Keys allowed to log in directly as root.
  # NOTE(review): the first two keys carry no comment field and the third one
  # only names the tool that generated it; labelling each key with its owner
  # makes later audits and revocation much easier.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFshMhXwS0FQFPlITipshvNKrV8sA52ZFlnaoHd1thKg"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
  ];

  # Pin the host key of the git server so outgoing SSH connections to it are
  # verified against this key instead of being trusted on first use.
  programs.ssh.knownHosts."git.cloonar.com".publicKey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDlUj7eEfS/4+z/3IhFhOTXAfpGEpNv6UWuYSL5OAhus";

  # backups - adjust repo for this host
  # (option presumably declared by ./utils/modules/borgbackup.nix)
  borgbackup.repo = "u149513-sub10@u149513-sub10.your-backup.de:borg";

  # Use HTTP-01 challenge for Let's Encrypt (not DNS); this relies on port 80
  # staying reachable, which the firewall below allows.
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin+acme@cloonar.com";
  };

  networking = {
    hostName = "amzebs-01";
    domain = "cloonar.com";

    firewall = {
      enable = true;

      # Publicly reachable services: SSH, HTTP, HTTPS.
      allowedTCPPorts = [ 22 80 443 ];

      # Allow MariaDB access only from specific IP.
      # The rule is IPv4-only and is written for the iptables firewall
      # backend; 3306 is not in allowedTCPPorts, so no other source is
      # opened by this file.
      # NOTE(review): a source-address allow-list is not authentication, and
      # MariaDB traffic is unencrypted unless TLS is enforced. Confirm in
      # ./modules/mysql.nix that remote accounts require TLS and are
      # restricted to this client.
      extraCommands = ''
        iptables -A nixos-fw -p tcp --dport 3306 -s 77.119.230.30 -j nixos-fw-accept
      '';
    };
  };

  # Release whose state-data defaults this host was installed with; it is
  # not meant to be bumped as part of routine upgrades.
  system.stateVersion = "23.11";
}