nixos-config/config/host-config/nutboy3.nix


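# NixOS host configuration for nutboy3.
#
# What is live on this host: the external interface extif0 with a static IPv4
# address, an ACME entry for the host FQDN, the fudo DNS client, auth (LDAP +
# Heimdal KDC), metrics (Prometheus + Grafana) and Loki logging, each keeping
# its state under /state. The commented-out blocks further down are earlier or
# planned service definitions left in place as a record; nothing in them is
# evaluated.
{ config, pkgs, ... }:

let
  hostname = "nutboy3";
  host-fqdn = config.instance.host-fqdn;
  # Static IPv4 address of extif0 (see networking below).
  host-ipv4 = "199.87.154.175";
  site-name = config.fudo.hosts.${hostname}.site;
  # Site record; supplies the IPv4 default gateway.
  site = config.fudo.sites.${site-name};
  # ldns.examples carries the ldns DNS debugging utilities (drill etc.).
  local-packages = [ pkgs.ldns.examples ];

  # The bindings below are referenced only by the commented-out service blocks.
  # They are kept here commented (as postgresql-user already was) so they can
  # be restored together with those blocks.
  # domain-name = config.fudo.hosts.${hostname}.domain;
  # domain = config.fudo.domains.${domain-name};
  # host-secrets = config.fudo.secrets.host-secrets.${hostname};
  # postgresql-user = config.systemd.services.postgresql.serviceConfig.User;
in {
  imports = [
    ./nutboy3/cashew.nix
    # ./nutboy3/forum_selby_ca.nix
  ];

  config = {
    # veth provides virtual ethernet pairs; presumably needed for NixOS
    # containers (the commented-out mail-server sets enableContainer) — confirm.
    boot.kernelModules = [ "veth" ];

    networking = {
      # Single upstream resolver: there is no fallback if 1.1.1.1 is unreachable.
      nameservers = [ "1.1.1.1" ];
      defaultGateway = {
        address = site.gateway-v4;
        interface = "extif0";
      };
      # /31 point-to-point link: only this host and the gateway share it.
      interfaces.extif0.ipv4.addresses = [{
        address = host-ipv4;
        prefixLength = 31;
      }];
    };

    systemd = {
      tmpfiles.rules = [
        # Keep the hwclock adjustment file on /state, which appears to be the
        # persistent volume on this host — confirm.
        "L /etc/adjtime - - - - /state/etc/adjtime"
        # Parent of the per-service state directories configured below. Mode
        # 0555 means no one but root can create entries here, so each
        # service's state directory must be created with the right ownership
        # rather than by the service itself.
        "d /state/services 0555 - - - -"
      ];
      # services.grafana = {
      #   bindsTo = [ "postgresql.service" ];
      #   requires = [ "postgresql.service" ];
      # };
    };

    environment = { systemPackages = local-packages; };

    # Contact address for the ACME account (expiry and policy notices).
    security.acme.defaults.email = "admin@fudo.org";

    fudo = {
      hosts.${hostname}.external-interfaces = [ "extif0" ];

      # Presumably requests an ACME certificate for the host FQDN (fudo module).
      # No local copies are configured at the moment; the commented entries
      # show the shape of one (a copy owned by the service user, tied to the
      # service's systemd units).
      acme.host-domains.${hostname} = {
        ${host-fqdn}.local-copies = {
          # openldap = {
          #   user = config.services.openldap.user;
          #   dependent-services = [ "openldap.service" ];
          #   part-of = [ config.fudo.auth.ldap-server.systemd-target ];
          # };
          # postgresql = {
          #   user = postgresql-user;
          #   dependent-services = [ "postgresql.service" ];
          #   part-of = [ config.fudo.postgresql.systemd-target ];
          # };
        };
      };

      # DNS client for both address families on the external interface,
      # running as its own dedicated user rather than root.
      client.dns = {
        ipv4 = true;
        ipv6 = true;
        user = "fudo-client";
        external-interface = "extif0";
      };

      services = {
        # jabber = {
        #   domain = "jabber.fudo.org";
        #   ldap.servers = [ "nutboy3.fudo.org" ];
        #   state-directory = "/state/ejabberd";
        # };

        # LDAP directory and Heimdal KDC, both with state under /state.
        auth = {
          ldap.state-directory = "/state/auth/ldap";
          kerberos = {
            state-directory = "/state/services/heimdal-kdc";
            # master-key-file = host-secrets.heimdal-master-key.target-file;
          };
        };

        # postgresql = {
        #   state-directory = "/state/services/postgresql";
        #   keytab = extractFudoKeytab {
        #     realm = domain.gssapi-realm;
        #     principals = [ "postgres/${host-fqdn}" ];
        #   };
        # };

        metrics = {
          prometheus.state-directory = "/state/services/prometheus";
          grafana.state-directory = "/state/services/grafana";
        };

        logging.loki.state-directory = "/state/services/loki";
      };

      # dns.state-directory = "/state/nsd";

      # mail-server = {
      #   enableContainer = true;
      #   debug = true;
      #   domain = domain-name;
      #   mail-hostname = "${host-fqdn}";
      #   monitoring = false;
      #   mail-user = "mailuser";
      #   mail-user-id = 525;
      #   mail-group = "mailgroup";
      #   clamav.enable = true;
      #   dkim.signing = true;
      #   dovecot = {
      #     ssl-certificate = acme-certificate "imap.${domain-name}";
      #     ssl-private-key = acme-private-key "imap.${domain-name}";
      #   };
      #   postfix = {
      #     ssl-certificate = acme-certificate "smtp.${domain-name}";
      #     ssl-private-key = acme-private-key "smtp.${domain-name}";
      #   };
      #   # This should NOT include the primary domain
      #   local-domains = [ host-fqdn "smtp.${domain-name}" ];
      #   mail-directory = "/srv/mailserver/mail";
      #   state-directory = "/srv/mailserver/state";
      #   # NOTE(review): loopback is 127.0.0.0/8; a /16 covers only part of it.
      #   trusted-networks = [ "172.86.179.16/29" "127.0.0.0/16" ];
      #   alias-users = {
      #     root = [ "niten" ];
      #     postmaster = [ "niten" ];
      #     hostmaster = [ "niten" ];
      #     webmaster = [ "niten" ];
      #     system = [ "niten" ];
      #     admin = [ "niten" ];
      #     dmarc-report = [ "niten" ];
      #   };
      # };

      # git = {
      #   enable = true;
      #   hostname = "git.informis.land";
      #   site-name = "informis git";
      #   user = "gituser";
      #   repository-dir = /srv/git/repo;
      #   state-dir = /srv/git/state;
      #   database = {
      #     user = "gituser";
      #     password-file =
      #       host-secrets.gitea-database-password.target-file;
      #     hostname = "127.0.0.1";
      #     name = "git";
      #   };
      #   ssh = {
      #     listen-ip = host-ipv4;
      #     listen-port = 2222;
      #   };
      # };
    };

    # services.factorio = {
    #   enable = true;
    #   public = false;
    #   port = 34197;
    #   lan = false;
    #   description = "Fudo Factorio Server";
    #   bind = host-ipv4;
    #   admins = [ "niten" ];
    #   openFirewall = true;
    #   autosave-interval = 10;
    #   loadLatestSave = true;
    #   package = pkgs.factorio-headless-experimental;
    # };
  };
}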