Modular server configs

nix.nix

@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+{
+  system = {
+    autoUpgrade = {
+      enable = true;
+      allowReboot = true;
+    };
+  };
+
+  nix = {
+    optimise.automatic = true;
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+  };
+
+  networking = {
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22
+        80
+        443
+        2222
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    vim
+    wget
+    neovim
+  ];
+}

ssh.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+{
+  users.users.kamov = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "www" ];
+    openssh.authorizedKeys.keyFiles = [ /root/.ssh/kamov.pub ];
+  };
+
+  services = {
+    endlessh = {
+      enable = true;
+      port = 22;
+    };
+    openssh = {
+      enable = true;
+      ports = [ 2222 ];
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+      };
+    };
+  };
+}

web.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+{
+  # Group for people who can edit the website
+  users.groups.www = {};
+
+  # Directory for web content
+  systemd.tmpfiles.rules = [
+    "d /var/www/kamoshi.org 775 root www"
+  ];
+
+  # Automatically renew certs
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "maciej@kamoshi.org";
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      virtualHosts = {
+        "kamoshi.org" = {
+          root = "/var/www/kamoshi.org";
+          forceSSL = true;
+          enableACME = true;
+        };
+      };
+    };
+  };
+}