nixos/hosts/stranox-strato/configuration.nix

{ pkgs, inputs, config, ... }: {
	imports = [
		./hardware-configuration.nix
		../../modules/rare/realmail.nix
		../../modules/misc/virt.nix
		#../../modules/server/collabora.nix

		inputs.sops-nix.nixosModules.sops
	];

	networking.hosts = {
		"127.0.0.1" = [
			"dash.hahn1.one"
			"sync.hahn1.one"
			"jagd.hahn1.one"
			"cloud.hahn1.one"
			"cool.hahn1.one"
			"hahn1.one"
		];
		"::1" = [
			"dash.hahn1.one"
			"sync.hahn1.one"
			"jagd.hahn1.one"
			"cloud.hahn1.one"
			"cool.hahn1.one"
			"hahn1.one"
		];
	};

	# Enable all the old services on gullfoss
	services.postgresql = {
		enable = true;

		# Ensure databases here
		ensureDatabases = [ "mydatabase" ];
		# TODO: integrate the old permission
		authentication = pkgs.lib.mkOverride 10 ''
	  #type database  DBuser  auth-method
	  local all       all     trust
		'';
	};

	#systemd.services.nixBuildTmuxSession = {
	#	description = "Start tmux nix build session if not already running";
	#	after = [ "network.target" ];
	#	path = with pkgs; [nix tmux ];

	#	serviceConfig = {
	#		Type = "oneshot";
	#		User = "jonas"; # Change this!
	#	};

	#	script = ''exec /home/jonas/projects/perdash/start_server.sh'';

	#};

	services.cron.enable = true;

	# Sops setup
	sops = {
		defaultSopsFile = ../../../secrets.yaml;
		defaultSopsFormat = "yaml";
		# hard code the username here
		age.keyFile =  "/home/jonas/.config/sops/age/keys.txt";
		secrets = {
			joncook = {};
			jondash = {};
			jondav = {};
			jondavpass = {};
			nextpass = {
				group = "nextcloud";
				owner = "nextcloud";
			};
		};
		templates = {
			"jontemp2" = {
				owner = "nginx";
				group = "nginx";
				content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
			};
			"jontemp" = {
				owner = "nginx";
				group = "nginx";
				content = ''"${config.sops.placeholder.joncook}" "yes";'';
			};
			"webdavconf" = {
				owner = "webdav";
				group = "webdav";
				content = ''
#permissions: CRUD
#debug: true
#behindProxy: true

address: 0.0.0.0
auth: true
modify: true
port: 6065
#scope: /var/lib/webdav/
directory: /var/lib/webdav/
#rules: []
#permissions: R

users:
- password: '${config.sops.placeholder.jondavpass}'
  username: ${config.sops.placeholder.jondav}
  permissions: CRUD

'';
				path = "/etc/webdav/config.yaml";
			};

		};
	};

	systemd.tmpfiles.rules = [
	  "d /var/lib/webdav 0750 webdav webdav -"
	];


	boot.tmp.cleanOnBoot = true;
	zramSwap.enable = true;
	swapDevices = [ { device = "/swapfile"; size = 8192; } ];

	networking.hostName = "stranox";

	# setup syncthing
	# This is not needed for now because one should only use syncthing when not having battery problems
	services = {
		syncthing = {
			enable = true;
			user = "jonas";
			#guiAddress = "0.0.0.0:8384";
			dataDir = "/home/jonas/syncthing";
			configDir = "/home/jonas/.config/syncthing";
			overrideDevices = true;     # overrides any devices added or deleted through the WebUI
			overrideFolders = true;     # overrides any folders added or deleted through the WebUI
			settings = {
				devices = {
					"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
					"androidp" = { id = "UIJS6LQ-CQY7UWH-3KTJ2VH-3N73VNK-V6NWTIE-L4ZUEWW-R625SV4-YKMVKQY"; };
				};
				folders = {
					# This is the mail folder to keep synced accross everything
					# Its nice to have this declarativery and just work with the respectively ids
					#		"syncthing" = {
					#		"synct	path = "/home/jonas/synced";
					#		"synct	devices = [ "thinix" ];
					#		"synct	ignorePerms = true;
					#		"synct	versioning = {
					#		"synct		type = "staggered";
					#		"synct	};
					#		"synct};

					"syncthingtest" = {
						path = "/home/jonas/phonebla";
						devices = [ "androidp" ];
						ignorePerms = true;
						versioning = {
							type = "staggered";
						};
					};
				};
			};
		};
	};

	services.radicale = {
	  enable = true;
	  settings.server.hosts = [ "127.0.0.1:5232" ];
		settings.auth.type = "none";
	};

	services.nextcloud = {
		enable = false;
		# Use the defualt home
		#home = "/mnt/nextcloudStorage";
		package = pkgs.nextcloud30;
		hostName = "cloud.hahn1.one";
		settings = {
			#trusted_domains = [""];
		};
		config = {
			adminpassFile = config.sops.secrets.nextpass.path;
			dbtype = "sqlite";
		};
		extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
		extraAppsEnable = true;
		https = true;
		configureRedis = true;
		maxUploadSize = "1G";
	};


	# configure users for small machine
	users = {
		defaultUserShell = pkgs.zsh;
		groups = {
			nginx = {};
			nextcloud = {};
			podman = {};
			docker = {};
			webdav = {};
		};
		users = {
			nginx = {
				isSystemUser = true;
				group = "nginx";
			};
			webdav = {
				isSystemUser = true;
				group = "webdav";
			};
			nextcloud = {
				isSystemUser = true;
				group = "nextcloud";
			};
			root = {
				openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
			};
			jonas = {
				isNormalUser = true;
				extraGroups = [ "wheel" "docker" "podman" "webdav" "davfs2" ];
				openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
				packages = with pkgs; [
					neovim
					pkgs.unstable.yazi
					zsh
					git
					starship
					eza
					bat
					lazygit
					btop
					gdu
					fastfetch
					sops
					w3m
					typst
					tmux
					wget
					curl
					pipx
					fd
					python3
					nodejs
					gcc
					gnumake
					findutils.locate
					gradle
					lua
					todo-txt-cli
				];
			};
		};
	};

	#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
	# source the local httppass for the nginx login

	environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;

	networking.firewall = {
		enable = true;
		allowedTCPPorts = [6065 6443 3478 80 443 8080 ];
		allowedUDPPorts = [3478   ];
	};

	# Services for the cloud
	services = {
		openssh.enable = true;
		nginx = {
			mapHashBucketSize = 128;
			enable = true;
			appendHttpConfig =  ''
		map $cookie_letmein $dash_hascookie {
			include ${config.sops.templates.jontemp.path};
		  default           "no";
		}

		map $dash_hascookie $dash_authentication {
		  "yes" "off";
		  default  "Your credentials please";
		}
			'';
			virtualHosts = {
				"dash.hahn1.one" = {
					forceSSL = true;
					enableACME = true;
					#basicAuth = { jonas = "1234"; };

					locations."/" = {
						proxyPass = "http://127.0.0.1:8000";
						proxyWebsockets = true;

						extraConfig = ''
		  auth_basic  $dash_authentication;
		  auth_basic_user_file /etc/nginx/htpasswd/jondash;
		  proxy_set_header Host $host;
		  proxy_set_header X-Forwarded-For $remote_addr;
		  include ${config.sops.templates.jontemp2.path};
						'';
					};

				};
				"rad.hahn1.one" = {
					forceSSL = true;
					enableACME = true;
					#basicAuth = { jonas = "1234"; };
					locations."/" = {
						root = "${pkgs.nginx}/html";
						index = "index.html";
					};
				};
				"dev.hahn1.one" = {
					forceSSL = true;
					enableACME = true;
					#basicAuth = { jonas = "1234"; };

					locations."/" = {
						proxyPass = "http://127.0.0.1:8384";
						proxyWebsockets = true;
					};

				};

				#	"qrank.hahn1.one" = {
				#	"qr	forceSSL = true;
				#	"qr	enableACME = true;
				#	"qr	#basicAuth = { jonas = "1234"; };

				#	"qr	locations."/" = {
				#	"qr		proxyPass = "http://127.0.0.1:18765";
				#	"qr		proxyWebsockets = true;
				#	"qr	};

				#	"qr};

				# Easter special for having a schintzeljagt that implements modern technology
				"jagd.hahn1.one" = {
					forceSSL = true;
					enableACME = true;
					#basicAuth = { jonas = "1234"; };

					locations."/" = {
						proxyPass = "http://127.0.0.1:2345";
						proxyWebsockets = true;
					};

				};
				#"dev.hahn1.one" = {
				#	forceSSL = true;
				#	forenableACME = true;
				#	for#basicAuth = { jonas = "1234"; };

				#	forlocations."/" = {
				#	for	proxyPass = "http://127.0.0.1:6065";
				#	for	proxyWebsockets = true;
				#	for};

				#};
				#"dev.hahn1.one" = {
				#	forceSSL = true;
				#	enableACME = true;

				#	# This is of course not secure but better than to have nothing
				#	# First one need to read this code to access
				#	basicAuth = { dev = "dev"; };

				#	# use a dev proxypass to test some applications
				#	locations."/" = {
				#		proxyPass = "http://127.0.0.1:8888";
				#		proxyWebsockets = true;
				#	};

				#};

				"cloud.hahn1.one" = {
					enableACME = true;
					addSSL = true;


					locations."/" = {
						proxyPass = "http://localhost:11000";
						proxyWebsockets = true;
					};
				};
				"sync.hahn1.one" = {
					enableACME = true;
					addSSL = true;

					locations."/" = {
						proxyPass = "http://127.0.0.1:6065";
						extraConfig = ''
						  proxy_set_header X-Real-IP $remote_addr;
						  proxy_set_header REMOTE-HOST $remote_addr;
						  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
						  proxy_set_header Host $host;
						  proxy_redirect off;

						  set $dest $http_destination;
						  if ($http_destination ~ "^https://dev.hahn1.one(?<path>(.+))") {
							set $dest /$path;
						  }
						  proxy_set_header Destination $dest;
						'';
						proxyWebsockets = true;
					};
				};
				"cool.hahn1.one" = {
					enableACME = true;
					addSSL = true;


					locations."/" = {
						proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
						proxyWebsockets = true;
					};
				};
				# Default nginx site to felx
				"hahn1.one" = {
					forceSSL = true;
					enableACME = true;
					default = true;

					locations."/" = {
						root = "${pkgs.nginx}/html";
						index = "index.html";
					};
					locations."/radicale/" = {
					  proxyPass = "http://127.0.0.1:5232/";
					  extraConfig = ''
						proxy_set_header X-Script-Name /radicale;
						proxy_pass_header Authorization;
					  '';
					};
				};
			};
		};
	};

	#networking.firewall.allowedTCPPorts = [
	#	6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
	#	# 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
	#	# 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
	#];
	#networking.firewall.allowedUDPPorts = [
	#	# 8472 # k3s, flannel: required if using multi-node for inter-node networking
	#];

	services.webdav.enable = true; # test turning off
	services.webdav.user = "webdav";

	services.webdav.group = "webdav";
	#services.webdav.settings =
	#  	{
    #         address = "0.0.0.0";
    #         port = 6065;
	#		#scope = "/var/lib/webdav/";
	#		directory = "/var/lib/webdav";
    #         modify = true;
    #         auth = true;
    #         users = [
    #           {
    #             username = "jonas";
    #             password = "jonasdav123";
    #           }
    #         ];
    #     };
	services.webdav.configFile = "/etc/webdav/config.yaml" ;

	# k3s testing
	services.k3s = {
		enable = true;
		role = "server";
		extraFlags = [
			"--disable=traefik"
			"--debug"
		];
	};

	security.acme = {
		acceptTerms = true;
		defaults.email = "security@hahn1.one";
	};

	nixpkgs.config.allowUnfree = true;
	nix.settings.experimental-features = ["flakes" "nix-command"];
	time.timeZone = "Europe/Berlin";

	environment = {
		sessionVariables = {
		};
		systemPackages = with pkgs; [
			git
			fastfetch
			ripgrep
			lazygit
			unzip
			fzf
			zathura

			# everywhere support
			starship
			zoxide

			# add sync support
			rsync
			flock
			unison

			# curl for scripting
			curl
		];
	};

	programs.zsh = {
		enable = true;
		autosuggestions.enable = true;
		ohMyZsh = {
			enable = true;
			plugins = [
				"history-substring-search"
				"git"
				"zoxide"
				"sudo"
				"vi-mode"
				"systemadmin"
			];
		};
	};

	# In case of gui usage
	programs = {
		nix-ld.enable = true;
	};

	# This was generated by the infect script I may just keep it this way for
	# Security reasons
	system.stateVersion = "23.11";
}