dotfiles/provision/hosts/torus/configuration.nix

{ config, pkgs, user, lib, ... }:
{
  imports = [ 
    ../../modules 
    ./wireguard-server.nix
    ./samba-server.nix
    ./syncthing.nix
    ./obsidian-vault.nix
    ./share.nix
    ./rss.nix
    ./home-assistant
  ];

  nix = {
    package = pkgs.nixFlakes;
    extraOptions = "experimental-features = nix-command flakes";

    settings.auto-optimise-store = true;
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
  };

  # Add non-free packages
  nixpkgs.config.allowUnfree = true;
  nixpkgs.overlays = import ../../lib/overlays.nix;

  # Use normal kernel
  boot.kernelPackages = pkgs.linuxPackages;

  # Set kernel modules
  boot.kernelModules = [ "sg" ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Set networking options
  networking.hostName = "torus"; 
  # Needed for wireguard-server
  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = true;
  };
  networking.firewall.enable = true;
  networking.firewall.checkReversePath = "loose";
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 80 443 ];

  # Set your time zone.
  time.timeZone = "America/Los_Angeles";
  i18n.defaultLocale = "en_US.UTF-8";

  # Enable virtualisation
  virtualisation.docker.enable = true;
  virtualisation.docker.storageDriver = "btrfs";
  virtualisation.docker.enableNvidia = true;
  services.xserver.videoDrivers = [ "nvidia" ];

  hardware.opengl = {
    enable = true;
    driSupport = true;
    driSupport32Bit = true;
    setLdLibraryPath = true;
  };

  # Define user account.
  users.users.${user} = {
    isNormalUser = true;
    extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user.
    shell = pkgs.bash;
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    docker-compose
    python3
    zk
    gollum
  ];

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.pcscd.enable = true;
  programs.gnupg.agent = {
     enable = true;
     pinentryFlavor = "curses";
     enableSSHSupport = true;
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "starrtyler88@gmail.com";
  };


  security.pam.services.nginx.setEnvironment = false;
  systemd.services.nginx.serviceConfig = {
    SupplementaryGroups = [ "shadow" ];
  };

  networking.nameservers = [ "8.8.8.8" "8.8.4.4" ];
  
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    additionalModules = [ pkgs.nginxModules.pam ];
    virtualHosts = let
    SSL = { 
      enableACME = true; 
      forceSSL = true;
    }; in {
      "rss.tstarr.us" = (SSL // {
        locations."/".proxyPass = "http://localhost:8081/"; 
      });
      "home.tstarr.us" = (SSL // {
        locations."/".proxyPass = "http://localhost:8123/"; 
      });
      "media.tstarr.us" = (SSL // {
        locations."/".proxyPass = "http://localhost:8096/"; 
      });
      "vault.tstarr.us" = (SSL // {
        locations."/".proxyPass = "http://localhost:5000/"; 
        extraConfig = ''
          auth_pam  "Password Required";
          auth_pam_service_name "nginx";        
        '';
      });
      "share.tstarr.us" = (SSL // {
        locations."/".proxyPass = "http://localhost:5001/"; 
        extraConfig = ''
          auth_pam  "Password Required";
          auth_pam_service_name "nginx";        
        '';
      });
    };
  };

  # Enable modules
  modules = {
    devel = {
      tooling.enable = true;
    };
    services = {
      jellyfin.enable = true;
    };
    system = {
      terminal.enable = true;
      ssh.enable = true;
      secrets.enable = true;
    };
  };
  # Did you read the comment?
  system.stateVersion = "23.11";
}