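{ self, lib, config, pkgs, ... }:
let
  # Host-specific values (hostname, domains, addresses, SSH keys) are kept
  # outside the Nix expression and read from nixos-vars.json at eval time.
  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
in
{
  imports = [ self.nixosModules.hcloud ];

  users.users.root = {
    openssh.authorizedKeys.keys = nixosVars.ssh_keys;
    # NOTE(review): a well-known plaintext password for root. SSH password
    # logins are disabled below, but this still works on the provider's
    # serial/VNC console and is applied verbatim on first boot. Prefer
    # hashedPassword / hashedPasswordFile (e.g. from sops), or drop it once
    # key-based access is confirmed.
    initialPassword = "nixos";
  };

  system.stateVersion = "23.11";

  networking = {
    hostName = nixosVars.hostname;
    domain = nixosVars.domain_netname;
    firewall = {
      # 3478/udp: headscale's embedded STUN. 80/443: Caddy (ACME + HTTPS).
      # headscale's own listener (8080) is deliberately not opened; it is
      # only reachable through the Caddy reverse proxy.
      allowedUDPPorts = [ 3478 ];
      allowedTCPPorts = [ 80 443 ];
      # Traffic arriving via the tailscale interface would otherwise be
      # dropped by strict reverse-path filtering.
      checkReversePath = "loose";
    };
  };

  sops = {
    # The template below references the placeholder for this secret, and a
    # placeholder only exists for a declared secret. Declaring it here keeps
    # this module self-contained instead of relying on the imported module;
    # a duplicate declaration elsewhere merges harmlessly.
    secrets.cloudflare-api-token = { };
    # Rendered at activation with the real token substituted; the rendered
    # file lives outside the Nix store.
    templates."caddy-env.conf".content = ''
      CLOUDFLARE_API_TOKEN=${config.sops.placeholder.cloudflare-api-token}
    '';
    defaultSopsFile = ./secrets/secrets.yaml;
    age = {
      # Host key for decrypting secrets.yaml; generated on first boot if absent.
      # The public half must be added as a recipient before secrets decrypt.
      keyFile = "/var/lib/secrets/age";
      generateKey = true;
    };
  };

  services = {
    openssh = {
      enable = true;
      settings = {
        # Key-only authentication: also disable PAM keyboard-interactive,
        # which can still accept passwords when only PasswordAuthentication
        # is turned off.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        # Same as the NixOS default; stated explicitly because root is the
        # only account defined here and carries an initialPassword.
        PermitRootLogin = "prohibit-password";
        AllowTcpForwarding = "yes";
        AllowAgentForwarding = "yes";
      };
    };

    # Network is configured statically via systemd-networkd below.
    cloud-init.enable = lib.mkForce false;

    headscale = {
      enable = true;
      # Binds on all interfaces; the firewall above keeps 8080 closed, so
      # external clients only reach it via Caddy on 443.
      address = "[::]";
      port = 8080;
      settings = {
        server_url = "https://${nixosVars.hostname}.${nixosVars.domain_netname}";
        logtail.enabled = false;
        dns = {
          base_domain = "ts.${nixosVars.domain_netname}";
          magic_dns = true;
          search_domains = [ "${nixosVars.domain_netname}" ];
          # Quad9 resolvers, IPv4 and IPv6.
          nameservers.global = [
            "9.9.9.9"
            "149.112.112.112"
            "2620:fe::fe"
            "2620:fe::9"
          ];
        };
        ip_prefixes = [
          "100.64.0.0/10"
          "fd7a:115c:a1e0::/48"
        ];
      };
    };

    tailscale = {
      enable = true;
    };

    caddy = {
      enable = true;
      # Cloudflare DNS plugin pinned by module revision and content hash so a
      # rebuild cannot silently pull a different upstream.
      package = pkgs.caddy.withPlugins {
        plugins = [ "github.com/caddy-dns/cloudflare@v0.0.0-20250214163716-188b4850c0f2" ];
        hash = "sha256-izuQXvxIq3ycxcUuMErz7MbP9RwLkj+bhliK9H6Heqc=";
      };
      # DNS-01 challenge via Cloudflare (needed for the wildcard hosts
      # below). The token is read from the environment, which systemd
      # populates from the sops-rendered EnvironmentFile.
      globalConfig = ''
        acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        cert_issuer acme {
          resolvers 1.1.1.1
        }
      '';
      virtualHosts = {
        # headscale control plane.
        "${nixosVars.hostname}.${nixosVars.domain_netname}".extraConfig = ''
          reverse_proxy localhost:8080
        '';
        # MagicDNS zone: names under ts.<domain> are tailnet-internal and are
        # refused on the public edge (more specific wildcard wins over the
        # catch-all *.<domain> below).
        "ts.${nixosVars.domain_netname}".extraConfig = ''
          respond "Access Denied" 403
        '';
        "*.ts.${nixosVars.domain_netname}".extraConfig = ''
          respond "Access Denied" 403
        '';
        # Everything else, including arbitrary subdomains, is forwarded to
        # the "docker" upstream over plain HTTP. That upstream therefore sees
        # untrusted Host headers for any name under these zones and must do
        # its own vhost matching.
        "${nixosVars.domain_realname}".extraConfig = ''
          reverse_proxy http://docker
        '';
        "${nixosVars.domain_netname}".extraConfig = ''
          reverse_proxy http://docker
        '';
        "*.${nixosVars.domain_realname}".extraConfig = ''
          reverse_proxy http://docker
        '';
        "*.${nixosVars.domain_netname}".extraConfig = ''
          reverse_proxy http://docker
        '';
      };
    };
  };

  systemd = {
    services.caddy = {
      # Order after secret installation so Caddy never starts with an empty
      # token. Assumes the sops-nix unit is named sops-nix.service in the
      # version in use; verify if certificate issuance fails at first boot.
      unitConfig.After = [ "sops-nix.service" ];
      serviceConfig = {
        # Replace (not extend) the module's EnvironmentFile so the rendered
        # sops template is the only environment source.
        EnvironmentFile = lib.mkForce [ config.sops.templates."caddy-env.conf".path ];
      };
    };
    network.networks."10-wan" = {
      matchConfig.MACAddress = "96:00:04:16:ed:c5";
      address = [
        "${nixosVars.ipv4_address}/32"
        "${nixosVars.ipv6_address}/64"
      ];
      routes = [
        { Gateway = "fe80::1"; }
        # Gateway is outside the /32, so it must be marked on-link.
        { Gateway = "172.31.1.1"; GatewayOnLink = true; }
      ];
      linkConfig.RequiredForOnline = "routable";
    };
  };

  boot.supportedFilesystems = [ "btrfs" ];

  environment.systemPackages = [
    pkgs.btrfs-progs
    pkgs.shadow
    pkgs.vim
    pkgs.speedtest-cli
    pkgs.git
    pkgs.hcloud
    pkgs.dhcpcd
    pkgs.age
  ];

  # IP forwarding on both families; together with checkReversePath = "loose"
  # this is what a tailscale node needs to route traffic for others
  # (subnet router / exit node). Presumably that is the intent here.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
  };
}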