Remove LAPI server config causing null coercion error. Detection-only mode for now; bouncer can be added later. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
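{ config, pkgs, lib, ... }: {
  # Host configuration for the "nixos" VPS: key-only SSH admin access behind a
  # default-deny firewall, sops-nix managed secrets, and a set of project
  # modules (myModules.*, defined outside this file) for the public services.
  # Option values are kept as given; comments explain the security-relevant
  # choices and what is not covered here.

  imports = [
    ./hardware-configuration.nix
  ];

  # Workaround for https://github.com/NixOS/nix/issues/8502
  services.logrotate.checkConfig = false;

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = "nixos";
  networking.domain = "";

  # === Firewall ===
  # Inbound is default-deny; only SSH is opened here.  HTTP/HTTPS are expected
  # to be opened by the nginx module (not visible in this file).
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 ]; # SSH (80/443 added by nginx module)
    allowPing = false;
  };

  # === SSH Hardening ===
  # Root login is refused and password authentication is off.  Keyboard-
  # interactive authentication is disabled as well: with it left at the
  # default, sshd can still present a PAM password prompt even though
  # PasswordAuthentication is "no", so password guessing against the
  # "ashie" account would remain possible.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # === User Account ===
  # Single admin user; the ed25519 public key below is the only credential
  # that grants access to this host.
  users.users.ashie = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII0OjmlFPbz/H0sv+Y7L+rHR7KCD9lL7HIevEnqy48qH ashisgreat22@github.com"
    ];
  };

  # === Sudo without password for wheel group ===
  # Combined with the key-only SSH login above, possession of the private key
  # is equivalent to root on this host.  Keep the key passphrase- or
  # hardware-protected, and revisit this if more users join "wheel".
  security.sudo.wheelNeedsPassword = false;

  # === SOPS (Secrets Management) ===
  # Secrets are decrypted at activation with the age key at age.keyFile; that
  # file lives outside the Nix store and must be provisioned on the host
  # before the first switch, or decryption fails.
  sops = {
    defaultSopsFile = ./secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    age.keyFile = "/var/lib/sops-nix/key.txt";
    # Generate with: nix-shell -p age --run "age-keygen -o key.txt"
    # Then add the public key to .sops.yaml
  };

  # === Automatic Updates ===
  # Unattended upgrades are applied but never reboot the machine, so a new
  # kernel or systemd from an upgrade only takes effect after a manual reboot.
  system.autoUpgrade = {
    enable = true;
    allowReboot = false;
  };

  # Do not bump on upgrade; this pins stateful defaults to the install release.
  system.stateVersion = "23.11";

  environment.systemPackages = with pkgs; [
    vim
    wget
    git
    nano
    kitty.terminfo
    htop
    tmux
  ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # === SearXNG ===
  # Listens on port 8888; presumably loopback-only and fronted by nginx below
  # (the port is not in allowedTCPPorts) — confirm in the searxng module.
  myModules.searxng = {
    enable = true;
    port = 8888;
    domain = "search.ashisgreat.xyz"; # Change to your domain
    instanceName = "Ashie Search";
  };

  # === Nginx Reverse Proxy ===
  # Only the SearXNG vhost is declared here; the openclaw-podman and
  # vaultwarden modules each take their own `domain` and presumably register
  # their vhosts themselves — verify against those modules.
  myModules.nginx = {
    enable = true;
    email = "info@ashisgreat.xyz";
    domains = {
      "search.ashisgreat.xyz" = {
        port = 8888;
      };
    };
  };

  # === OpenClaw ===
  myModules.openclaw-podman = {
    enable = true;
    port = 18789;
    domain = "openclaw.ashisgreat.xyz";
  };

  # OpenClaw secrets
  # Each secret is declared with defaults only (owner/group/mode come from
  # sops-nix), then rendered into a single env file below.
  sops.secrets.openclaw_discord_token = { };
  sops.secrets.openclaw_zai_api_key = { };
  sops.secrets.openclaw_brave_api_key = { };

  # The rendered file holds all three credentials in plaintext on disk; its
  # owner/mode are not set here, so sops-nix template defaults apply — confirm
  # they match what the openclaw-podman container runs as.
  sops.templates."openclaw.env" = {
    content = ''
      DISCORD_TOKEN=${config.sops.placeholder.openclaw_discord_token}
      ZAI_API_KEY=${config.sops.placeholder.openclaw_zai_api_key}
      BRAVE_API_KEY=${config.sops.placeholder.openclaw_brave_api_key}
    '';
  };

  # === Vaultwarden ===
  # Registration is closed; new accounts must be created out of band.
  myModules.vaultwarden = {
    enable = true;
    domain = "vault.ashisgreat.xyz";
    signupAllowed = false;
  };

  # === CrowdSec ===
  # Per the commit message this is detection-only for now: no LAPI server
  # config and no bouncer, so matched scenarios are reported but nothing is
  # actually blocked at the firewall or nginx.
  myModules.crowdsec.enable = true;
}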