dotfiles/nix/systems/oci-nixos.nix
Magic_RB 2b0f7498c5
tweedledum&tweedledee: add Nginx and ssh user
Signed-off-by: Magic_RB <magic_rb@redalder.org>
2021-08-19 18:24:39 +02:00


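# Host definition for the OCI VM, as a two-stage function: first the host
# name (selects the hardware module and the nginx server_name), then the
# flake `inputs` (pinned nixpkgs/home-manager/nixng/fenix plus `self`).
{ hostName }:
inputs: {
  system = "x86_64-linux";
  modules = [
    ../nixos-modules/default.nix
    ({ pkgs, config, ... }:
      let
        # Directory the nix-cache user is chrooted into and nginx serves from;
        # the sshd and nginx halves below must keep agreeing on it.
        cacheRoot = "/var/nix-cache";
        # nixng's attrset -> nginx.conf generator for this platform.
        nixngLib = inputs.nixng.lib "${pkgs.stdenv.system}";
      in
      {
        magic_rb = {
          grub = {
            enable = true;
            efi.enable = true;
            devices = [ "nodev" ];
          };
          pins = {
            inherit (inputs)
              nixpkgs
              nixpkgs-unstable
              nixpkgs-master
              home-manager
              nixng
              fenix;
          };
          overlays = inputs.self.overlays;
          hardware.${hostName} = true;
          flakes.enable = true;
        };

        # Dedicated SFTP-only account used to upload store paths into the cache.
        users = {
          groups.nix-cache.gid = 1500;
          users.nix-cache = {
            uid = 1500;
            group = "nix-cache";
            isSystemUser = true;
            home = cacheRoot;
            description = "User for uploading things to the cache.";
            # coreutils does not ship a `nologin` binary; shadow does. The
            # account is pinned to internal-sftp below, so sshd never spawns
            # the shell, but pointing at a non-existent path is still wrong.
            shell = "${pkgs.shadow}/bin/nologin";
            openssh.authorizedKeys.keys = [
              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFVkFvalffJ/SMjJGG3WPiqCqFygnWzhGUaeALBIoCsJ (none)"
            ];
          };
        };

        environment.systemPackages = [ pkgs.git ];

        services.openssh = {
          enable = true;
          # NOTE(review): password authentication is enabled server-wide. The
          # nix-cache account sets no password here, so it is key-only in
          # practice, but any password-bearing account coming from
          # ../nixos-modules is reachable by online guessing; `false` is the
          # safer setting once every interactive user has a key.
          passwordAuthentication = true;
          permitRootLogin = "no";
          # Confine the uploader: chroot, sftp only, no port forwarding.
          # sshd requires the ChrootDirectory to be root-owned and not
          # group/world-writable; nothing in this module creates or sets
          # permissions on /var/nix-cache — confirm it is provisioned elsewhere.
          extraConfig = ''
            Match User nix-cache
            ChrootDirectory ${cacheRoot}
            ForceCommand internal-sftp -d /cache
            AllowTcpForwarding no
          '';
        };

        # The whole nginx.conf is generated by nixng (the NixOS module's own
        # config is replaced): a single plain-HTTP vhost exposing the cache.
        services.nginx = {
          enable = true;
          config = nixngLib.generators.toNginx [
            {
              daemon = "off";
              worker_processes = 2;
              events."" = {
                use = "epoll";
                worker_connections = 128;
              };
              error_log = [ "/dev/stderr" "warn" ];
              pid = "/run/nginx/nginx.pid";
              http."" = {
                server_tokens = "off";
                include = [ [ "${pkgs.nginx}/conf/mime.types" ] ];
                charset = "utf-8";
                access_log = [ "/dev/stdout" "combined" ];
                server."" = {
                  # No TLS listener is configured; only port 80 is opened below.
                  listen = [ "80" "default_server" ];
                  server_name = [ "${hostName}.redalder.org" ];
                  # Everything outside the cache prefix is a 404.
                  location."/" = { return = "404"; };
                  # `root` appends the URI, so /cache/<x> maps to
                  # /var/nix-cache/cache/<x> — the same directory the SFTP
                  # ForceCommand above starts in (-d /cache).
                  location."/cache" = { root = cacheRoot; };
                };
              };
            }
          ];
        };

        networking = {
          inherit hostName;
          interfaces.ens3.useDHCP = true;
          firewall = {
            enable = true;
            allowedTCPPorts = [ 22 80 ];
          };
        };

        time.timeZone = "Europe/Bratislava";
        system.stateVersion = "20.09";
        # Add the redalder.org certificate to the system trust store.
        security.pki.certificates = [ (builtins.readFile ../redalder.org.crt) ];
      })
  ];
}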