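# Host configuration for granodomus-lima: a netcup VPS that runs the nginx
# reverse proxy for *.tammena.me, radicale, fail2ban and a bind server for
# the internal "home." zone. VPN peers and services come from ../state.nix.
{
  pkgs,
  lib,
  config,
  ...
}: let
  # Inventory of VPN peers and services, imported once instead of at
  # every use site below.
  state = builtins.import ../state.nix;

  # Runtime path of a sops-managed secret.
  sopsPath = key: config.sops.secrets.${key}.path;

  # Base nginx virtual host for one certificate: HTTPS only, our own CA as
  # trust anchor, the public certificate from the repo and the private key
  # from sops. The caller's attrset is merged on top (recursiveUpdate, so
  # the caller wins on conflicts).
  mkVirtHost = certificateName:
    lib.attrsets.recursiveUpdate {
      forceSSL = true;
      # ca.crt and pub/*.crt are public material; readFile + writeText
      # copies them into the (world-readable) nix store, which is fine for
      # certificates but must never be done for keys.
      sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
      # The private key is referenced by its sops runtime path only.
      sslCertificateKey = sopsPath "certificate-key-${certificateName}";
      sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
    };

  # Only services flagged `external` get a public virtual host.
  isExposed = _name: svc: svc ? "external" && svc.external;
  exposedServices = lib.attrsets.filterAttrs isExposed state.services;
in {
  imports = [
    ../hardware/netcup-vps-200-g10.nix
    ../modules/nginx-reverse-proxy.nix
  ];

  config = {
    boot.loader.grub.enable = true;
    boot.loader.grub.device = "/dev/sda";

    networking.hostId = "94d74a20";
    networking.hostName = "granodomus-lima";
    networking.interfaces.ens3.useDHCP = true;

    # SSH is reachable from outside the VPN (option defined in a module
    # outside this file). Since root has a password hash below, confirm
    # that the ssh module keeps password authentication for root disabled
    # — not visible here.
    settings.ssh.openOutsideVPN = true;

    users.users = {
      root = {
        # sha512-crypt hash. It is committed to the repository, so treat it
        # as available for offline cracking; a sops-managed
        # hashedPasswordFile (passwordFile on older releases) would keep it
        # out of the repo and the nix store.
        hashedPassword = "$6$Yb1gdlKIpY1hRW1X$uUcNFuNnK2JFFN55Tkc.fPV.4I7RJvIfLEQayVP1utfkmjF0f/EHjtypxq11jR5NUUIJFQLW6ffajjduA2689.";
      };
    };

    sops.defaultSopsFile = ../secrets/hosts/granodomus-lima/secrets.yaml;
    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

    services.fail2ban = {
      enable = true;
      # Never ban VPN peers: every v4/v6 address from the inventory.
      ignoreIP = let
        addressesOf = _name: peer: [peer.v4 peer.v6];
      in
        lib.flatten (lib.attrsets.mapAttrsToList addressesOf state.vpn);
    };

    # Run radicale with infcloud interface for me and Marie
    services.radicaleWithInfcloud.enable = true;

    # One HTTPS vhost per exposed service, named <service>.tammena.me,
    # proxying to the service's host:port (generated from state.nix, which
    # replaced the former hand-written vhost list).
    services.nginx.virtualHosts = let
      createVirtHost = name: svc: {
        name = "${name}.tammena.me";
        value = mkVirtHost "${name}-tammena-me" {
          locations."/" = {
            # Plain HTTP to the backend; presumably svc.host is only
            # reachable over the VPN — confirm.
            proxyPass = "http://${svc.host}:${builtins.toString svc.port}";
            proxyWebsockets = true;
          };
        };
      };
    in
      lib.mapAttrs' createVirtHost exposedServices;

    # Private keys for the vhost certificates, readable by nginx only.
    # NOTE(review): declared for every service in state.nix, not just the
    # exposed ones that get a vhost above; presumably each key therefore
    # has to exist in secrets.yaml — verify, or filter with isExposed.
    sops.secrets =
      lib.mapAttrs' (name: _svc: {
        name = "certificate-key-${name}-tammena-me";
        value = {
          owner = "nginx";
          mode = "0400";
        };
      })
      state.services;

    services.qemuGuest.enable = true;

    # Authoritative DNS for the internal "home." zone; everything else is
    # forwarded upstream.
    services.bind = {
      enable = true;
      # NOTE(review): cacheNetworks "any" together with listenOn "any" and
      # port 53 opened on every interface (firewall rules below) makes this
      # VPS a recursive resolver for anyone who can reach it, i.e. usable
      # for DNS amplification, unless something outside this file filters
      # it. Restrict cacheNetworks to the VPN prefixes, or scope the port-53
      # rules to the VPN interface via
      # networking.firewall.interfaces.<iface>.allowed{TCP,UDP}Ports.
      cacheNetworks = ["any"];
      # presumably the VPN's own resolver (100.100.100.100 is the address
      # Tailscale MagicDNS answers on) — confirm.
      forwarders = ["100.100.100.100"];
      listenOn = ["any"];
      listenOnIpv6 = ["any"];
      zones."home" = let
        granodomus-lima = config.state.vpn.machine.granodomus-lima;
        faunus-ater = config.state.vpn.machine.faunus-ater;
        # AAAA and A records for `domain` pointing at one VPN machine.
        point = domain: host: ''
          ${domain} AAAA ${host.ipv6}
          ${domain} A ${host.ipv4}
        '';
      in {
        master = true;
        # TODO: Fix TTLs
        file = pkgs.writeText "home-zone" ''
          $TTL 1
          @ IN SOA home. malte.home. (
          5 ; Serial
          1 ; Refresh
          1 ; Retry
          1 ; Expire
          1) ; Negative Cache TTL
          @ NS home.
          ${point "home." granodomus-lima}
          ${point "cal" granodomus-lima}
          ${point "mc" granodomus-lima}
          ${point "foto" faunus-ater}
          ${point "doc" faunus-ater}
          ${point "sheet" faunus-ater}
          ${point "media" faunus-ater}
          ${point "file" faunus-ater}
          ${point "stats" faunus-ater}
          ${point "cache" faunus-ater}
          ${point "hydra" faunus-ater}
          ${point "git" faunus-ater}
          ${point "read" faunus-ater}
          ${point "note" faunus-ater}
          ${point "time" faunus-ater}
          ${point "todo" faunus-ater}
          ${point "support" faunus-ater}
          ${point "config" faunus-ater}
          ${point "listen" faunus-ater}
        '';
      };
    };

    # DNS is opened on every interface; see the services.bind note above
    # about limiting who may use recursion.
    networking.firewall.allowedTCPPorts = [53];
    networking.firewall.allowedUDPPorts = [53];

    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. Its perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "21.05"; # Did you read the comment?
  };
}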