nixos-config/modules/sv1.nix

{
  lib,
  pkgs,
  ...
}: {
  imports = with lib.nixosModules; [
    disko
    impermanence
  ];

  disko.devices.disk.NixOS = {
    device = "/dev/sda";
    type = "disk";
    content = {
      type = "gpt";
      partitions = {
        BSP = {
          type = "EF02";
          size = "1M";
        };
        Crypt = {
          size = "100%";
          content = {
            type = "luks";
            name = "crypt";
            extraFormatArgs = ["--type luks1"];
            content = {
              type = "btrfs";
              postCreateHook = ''
                btrfs="$(mktemp -d)"
                mount -o subvol=/ /dev/mapper/crypt "$btrfs"
                btrfs subvolume snapshot -r "$btrfs/root" "$btrfs/blank"
                umount "$btrfs"
                rm -rf "$btrfs"
                boot="$(mktemp -d)"
                mount -o subvol=/boot /dev/mapper/crypt "$boot"
                dd if=/dev/urandom "of=$boot/luks.bin" bs=1024 count=4
                cryptsetup luksAddKey                     \
                  /dev/disk/by-partlabel/disk-NixOS-Crypt \
                  "$boot/luks.bin"
                umount "$boot"
                rm -rf "$boot"
              '';
              subvolumes = {
                "/root" = {
                  mountpoint = "/";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                  ];
                };
                "/boot" = {
                  mountpoint = "/boot";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                  ];
                };
                "/home" = {
                  mountpoint = "/home";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                  ];
                };
                "/nix" = {
                  mountpoint = "/nix";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                  ];
                };
                "/persist" = {
                  mountpoint = "/persist";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                  ];
                };
                "/log" = {
                  mountpoint = "/var/log";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                  ];
                };
                "/swap" = {
                  mountpoint = "/.swap";
                  swap.swapfile.size = "4G";
                };
              };
            };
          };
        };
      };
    };
  };
  fileSystems = {
    "/persist".neededForBoot = true;
    "/var/log".neededForBoot = true;
  };

  boot = {
    loader = {
      grub = {
        enable = true;
        enableCryptodisk = true;
      };
    };
    initrd = {
      availableKernelModules = [
        "virtio_net"
        "virtio_pci"
        "virtio_mmio"
        "virtio_blk"
        "virtio_scsi"
        "9p"
        "9pnet_virtio"
        "ahci"
        "xhci_pci"
        "virtio_pci"
        "virtio_scsi"
        "sd_mod"
        "sr_mod"
      ];
      kernelModules = [
        "virtio_balloon"
        "virtio_console"
        "virtio_rng"
        "virtio_gpu"
      ];
      secrets."/luks.bin" = "/boot/luks.bin";
      luks.devices.crypt = {
        device = "/dev/disk/by-partlabel/disk-NixOS-Crypt";
        keyFile = "/luks.bin";
      };
      postDeviceCommands = lib.mkBefore ''
        btrfs="$(mktemp -d)"
        mount -o subvol=/ /dev/mapper/crypt "$btrfs"
        trap "umount $btrfs_root; rm -rf $btrfs" EXIT
        btrfs subvolume list -o "$btrfs/root"           \
          | cut -f9 -d' '                               \
          | while read subvolume; do                    \
            btrfs subvolume delete "$btrfs/$subvolume"
          done                                          \
          && btrfs subvolume delete "$btrfs/root"
        btrfs subvolume snapshot "$btrfs/blank" "$btrfs/root"
      '';
    };
  };

  networking = {
    hostName = "sv1";
    networkmanager.enable = true;
    firewall.allowedTCPPorts = [
      80
      443
    ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme.evict519@simplelogin.com";
    #certs."dylanblades.com".extraDomainNames = ["*.dylanblades.com"];
  };

  time.timeZone = "Europe/London";
  i18n.defaultLocale = "en_GB.UTF-8";
  console.keyMap = "uk";

  users = {
    mutableUsers = false;
    users = {
      root = {
        isSystemUser = true;
        openssh.authorizedKeys.keys = with lib.sshKeys; [
          lp1.user
          lp2.user
        ];
      };
      user = {
        isNormalUser = true;
        extraGroups = ["wheel"];
        openssh.authorizedKeys.keys = with lib.sshKeys; [
          lp1.user
          lp2.user
        ];
      };
    };
  };

  services = {
    openssh = {
      enable = true;
      settings.PermitRootLogin = "without-password";
    };
    gitea = {
      enable = true;
      settings = {
        server.DOMAIN = "gitea.dylanblades.com";
        ui.DEFAULT_THEME = "gitea-dark";
      };
    };
    nginx = {
      enable = true;
      virtualHosts = {
        "dylanblades.com" = {
          forceSSL = true;
          enableACME = true;
          #serverAliases = ["*.dylanblades.com"];
          root = pkgs.my-site;
        };
        "gitea.dylanblades.com" = {
          forceSSL = true;
          useACMEHost = "dylanblades.com";
          locations."/" = {
            proxyPass = "http://localhost:3000";
            extraConfig = ''
              client_max_body_size 512M;
              proxy_set_header Connection $http_connection;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          };
        };
      };
    };
  };

  nixpkgs.overlays = [lib.overlays.pkgs];
  environment = {
    persistence."/persist" = {
      hideMounts = true;
      directories = ["/var/lib/nixos"];
    };
    systemPackages = with pkgs; [
      git
      my-vim
    ];
  };

  nix.settings = {
    trusted-users = ["root"];
    experimental-features = [
      "nix-command"
      "flakes"
    ];
  };

  system.stateVersion = "24.11";
}