{ lib, config, adminUser, ... }:

let
  # Public keys that may log in as `builder`.  Both keys end up on a Nix
  # trusted user (see nix.settings below), so each key holder can drive the
  # Nix daemon with arbitrary settings on this host — treat them as admin keys.
  builderKeys = [
    # my personal key
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
    # remote builder ssh key
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
  ];

  # One constant for both the WireGuard listener and the firewall hole, so the
  # two cannot drift apart.
  wgPort = 51871;

  # Tunnel peers.  Each peer gets exactly one /32 in allowedIPs, so WireGuard's
  # cryptokey routing only accepts packets from that peer whose inner source
  # address matches; this is what makes trusting wg0 in the firewall tolerable.
  wgPeers = [
    {
      # digital ocean droplet
      publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
      allowedIPs = [ "10.100.0.50/32" ];
      endpoint = "165.232.158.110:51871";
      persistentKeepalive = 25;
    }
    {
      # argonath
      publicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
      allowedIPs = [ "10.100.0.51/32" ];
      endpoint = "157.230.146.234:51871";
      persistentKeepalive = 25;
    }
  ];
in
{
  # Host "rivendell": a Framework-desktop-based server with LUKS-backed btrfs,
  # remote unlock, git/miniflux/website services and a WireGuard mesh link.
  imports = [
    ../../../profiles/authelia.nix
    ../../../profiles/cgroups.nix
    ../../../profiles/defaults.nix
    ../../../profiles/disk/btrfs-on-luks.nix
    ../../../profiles/git-server.nix
    ../../../profiles/hardware/framework-desktop.nix
    ../../../profiles/home-manager.nix
    ../../../profiles/miniflux.nix
    ../../../profiles/remote-unlock.nix
    ../../../profiles/restic-backup.nix
    ../../../profiles/server.nix
  ];

  # agenix-encrypted WireGuard private key; only its decrypted path is used below.
  age.secrets.wireguard.file = ../../../secrets/rivendell/wireguard.age;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  networking = {
    hostName = "rivendell";
    useDHCP = lib.mkDefault true;

    wireguard = {
      enable = true;
      interfaces.wg0 = {
        ips = [ "10.100.0.60/32" ];
        listenPort = wgPort;
        # Read from the agenix-managed file rather than embedded in the store.
        privateKeyFile = config.age.secrets.wireguard.path;
        peers = wgPeers;
      };
    };

    firewall = {
      # Everything arriving over the tunnel bypasses the firewall.  This is only
      # as safe as the peers above: any service listening on 0.0.0.0 is reachable
      # from 10.100.0.50 and 10.100.0.51 without a port being opened here.
      trustedInterfaces = [ "wg0" ];
      # Inbound WireGuard handshakes from the public side.
      allowedUDPPorts = [ wgPort ];
    };
  };

  # Only wait for "any" interface when addresses come from DHCP.
  systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;

  # Account used by remote builds / deployments.
  users.users.builder = {
    isNormalUser = true;
    # NOTE(review): `nogroup` as the primary group of an interactive user is
    # unusual — confirm this is intended rather than the default `users`.
    group = "nogroup";
    openssh.authorizedKeys.keys = builderKeys;
  };

  # A Nix trusted user can pass arbitrary daemon settings (substituters, sandbox
  # options, ...), which is effectively root-equivalent on this host.  Keep the
  # set of keys on `builder` as small as the admin set.
  nix.settings.trusted-users = [ "builder" ];

  # Ports opened by openFirewall are defined by the website module, not here.
  services.website = {
    enable = true;
    openFirewall = true;
  };

  home-manager.users.${adminUser.name} = {
    imports = [ ../../../home/profiles/minimal.nix ];
    inherit (adminUser) userinfo;
  };

  # Pins stateful defaults to the release this host was first installed with.
  # Do not bump it on upgrade unless you have read the option's documentation.
  system.stateVersion = "23.11"; # Did you read the comment?
}