{ self, moduleWithSystem, ... }:
{
  # NixOS module for the "code-server" host: a headless QEMU guest on Hetzner with an
  # ephemeral ZFS root (rolled back to a blank snapshot at every boot), Forgejo as
  # the git forge and Caddy as the TLS-terminating reverse proxy in front of it.
  flake.nixosModules.code-server = moduleWithSystem (
    # Outer function: flake-parts per-system scope. Only the explicitly named
    # parameters of the inner function are forwarded into the NixOS module.
    { ... }:
    { pkgs, modulesPath, lib, ... }:
    let
      # Root of the dataset that survives the boot-time rollback; anything that
      # must be durable (state dirs, SSH host key, cloud-init seed) lives below it.
      persisted = "/persisted";

      # Bind-mount a path on the ephemeral root onto its counterpart under `persisted`.
      bindPersisted = path: {
        device = "${persisted}${path}";
        options = [ "bind" ];
      };

      # Caddyfile body for the forge vhost. The commented-out lines (a disabled
      # basic-auth rule) are reproduced exactly as found.
      forgeSiteConfig = ''
        encode zstd gzip
        reverse_proxy http://127.0.0.1:3000
        # @exclude_lfs not path *.git/info/lfs*
        # basic_auth @exclude_lfs {
        #   boardgamers $2a$14$Tni1.M8JUU4EXyWlVTL2jetDlWPamXtXZlYZizm2DtU.cwyLetbCm
        # }
      '';
    in
    {
      imports = [
        self.inputs.disko.nixosModules.disko
        (modulesPath + "/installer/scan/not-detected.nix")
        (modulesPath + "/profiles/headless.nix")
        (modulesPath + "/profiles/minimal.nix")
        (modulesPath + "/profiles/qemu-guest.nix")
        ./code_server_disk.nix
      ];

      system.stateVersion = "24.11";

      boot = {
        kernelParams = [ "zfs.zfs_arc_max=536870912" ];
        zfs.extraPools = [ "zroot" ];
        # Discard every change to the root dataset on boot; mkAfter keeps this
        # behind whatever mounting the initrd already performs.
        initrd.postMountCommands = lib.mkAfter ''
          zfs rollback -r zroot/root@blank
        '';
        loader.grub = {
          enable = true;
          # `devices` is intentionally left unset: disko registers every disk
          # that carries an EF02 partition.
          efiSupport = true;
          efiInstallAsRemovable = true;
        };
      };

      services.zfs.autoScrub.enable = true;

      fileSystems = {
        "/var/lib/systemd" = bindPersisted "/var/lib/systemd";
        "/var/lib/forgejo" = bindPersisted "/var/lib/forgejo";
      };

      networking = {
        hostId = "9f1dfd86"; # Required by ZFS.
        useNetworkd = true;
        firewall = {
          logRefusedConnections = false;
          allowedTCPPorts = [ 80 443 ];
          allowedUDPPorts = [ 80 443 ]; # UDP is opened for HTTP/3.
        };
      };

      nix.gc = {
        automatic = true;
        dates = "02:15";
      };

      services.cloud-init = {
        enable = true;
        network.enable = true;
        settings = {
          datasource_list = [ "Hetzner" ];
          # The upstream NixOS cloud-init module sets the whole `system_info`
          # attribute with `lib.mkDefault`, so overriding one key means restating
          # the complete set; the defaults are copied here with our changes applied.
          system_info = {
            paths.cloud_dir = "${persisted}/var/lib/cloud";
            distro = "nixos";
            network = {
              renderers = [ "networkd" ];
              activators = [ "networkd" ];
            };
          };
          cloud_init_modules = [ "migrator" "seed_random" "bootcmd" ];
          cloud_config_modules = [ "ssh-import-id" "timezone" "runcmd" "ssh" ];
          cloud_final_modules = [ "keys-to-console" "final-message" "power-state-change" ];
        };
      };

      services.openssh = {
        enable = true;
        # The host key lives on the persisted dataset so clients see the same
        # key fingerprint after every root rollback.
        hostKeys = [
          {
            path = "${persisted}/etc/ssh/ssh_host_ed25519_key";
            type = "ed25519";
          }
        ];
        # Key-based authentication only.
        settings.PasswordAuthentication = false;
      };

      users.users.root.home = lib.mkForce "${persisted}/root";

      services.caddy = {
        enable = true;
        # `local_certs` + `skip_install_trust` make Caddy serve self-signed
        # certificates from its internal CA and not touch the trust store; as the
        # Caddyfile comment says, drop both when building the production image.
        globalConfig = ''
          # Comment this if building the prod image. The following is only useful for testing.
          local_certs
          skip_install_trust
        '';
        virtualHosts."code.akols.com".extraConfig = forgeSiteConfig;
      };

      services.forgejo = {
        enable = true;
        package = pkgs.forgejo;
        lfs.enable = true;
        settings = {
          # Closed instance: no self-service sign-up.
          service.DISABLE_REGISTRATION = true;
          database.SQLITE_JOURNAL_MODE = "WAL";
          cache = {
            ADAPTER = "twoqueue";
            HOST = "{\"size\":100,\"recent_ratio\":0.25,\"ghost_ratio\":0.5}";
          };
          # Forgejo listens on loopback only; Caddy is the sole public entry point.
          server = {
            HTTP_ADDR = "127.0.0.1";
            HTTP_PORT = 3000;
            DOMAIN = "code.akols.com";
            ROOT_URL = "https://code.akols.com";
          };
          # Session cookie carries the Secure flag, so it is only sent over HTTPS.
          session.COOKIE_SECURE = true;
          # "Remember me" logins stay valid for a full year.
          security.LOGIN_REMEMBER_DAYS = 365;
        };
      };
    }
  );
}