
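# NixOS configuration for the danilafe.com droplet: nginx terminates TLS for
# the blog (production + drafts), a static-asset host, a Gitea instance and
# the Scylla single-page app, with ACME certificates per virtual host.
#
# `blog`, `web-files` and `Scylla` are supplied by the caller (flake inputs /
# derivations). `blog.english` builds a blog site and `blog.virtualHostFor`
# turns one into an nginx virtualHosts attrset; their option sets are not
# visible from this file.
{ pkgs, system, blog, web-files, Scylla, ... }:
let
  # Public blog at the apex domain, TLS enabled.
  productionSite = blog.english {
    ssl = true;
    host = "danilafe.com";
  };

  # Draft posts on their own host. NOTE(review): unlike productionSite no
  # `ssl = true` is passed here; whether blog.english defaults to TLS is not
  # visible from this file — confirm drafts are not served over plain HTTP.
  draftSite = blog.english {
    drafts = true;
    host = "drafts.danilafe.com";
  };

  # Static assets that pages on other origins are allowed to fetch.
  webFiles = {
    "static.danilafe.com" = {
      root = web-files;
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        # A wildcard CORS origin is acceptable only because this host serves
        # public, unauthenticated files and sets no cookies. Keep in mind that
        # an `add_header` inside a location replaces, rather than extends, any
        # add_header inherited from the server level.
        extraConfig = ''
          add_header 'Access-Control-Allow-Origin' '*';
        '';
      };
    };
  };

  # Gitea is reachable from outside only through this TLS-terminating proxy.
  # The explicit loopback address (instead of `localhost`) avoids nginx ever
  # resolving to ::1, which the backend (bound to 127.0.0.1 below) does not
  # listen on.
  gitea = {
    "dev.danilafe.com" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://127.0.0.1:3000/";
    };
  };

  # Scylla: a static single-page app. `/static/` serves files as-is and 404s
  # on a miss; every other path falls back to index.html for client-side
  # routing. forceSSL (not addSSL) keeps this host consistent with the others:
  # plain-HTTP requests are redirected to HTTPS instead of being served.
  scylla = {
    "scylla.danilafe.com" = {
      root = Scylla;
      forceSSL = true;
      enableACME = true;
      locations."/static/" = {
        tryFiles = "$uri =404";
      };
      locations."/" = {
        tryFiles = "$uri $uri/ /index.html";
      };
    };
  };

  # All vhost attrsets; merged into services.nginx.virtualHosts below.
  allVirtualHosts =
    [ scylla gitea webFiles ] ++ map blog.virtualHostFor [ productionSite draftSite ];
in
{
  imports = [
    ./hardware-configuration.nix
    ./networking.nix # generated at runtime by nixos-infect
  ];

  system.stateVersion = "24.05";

  nix = {
    package = pkgs.nixVersions.latest;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };

  environment.systemPackages = with pkgs; [
    git
  ];

  boot.tmp.cleanOnBoot = true;

  networking.hostName = "nixos-droplet-v2";
  networking.firewall.allowPing = true;
  # Only SSH and HTTP(S) are exposed. Gitea's port 3000 is deliberately not
  # listed: it is reached through nginx only.
  networking.firewall.allowedTCPPorts = [ 22 80 443 ];

  services.openssh = {
    enable = true;
    settings = {
      # Login is key-only: root's authorized keys are listed below and no
      # other login user is defined, so password and keyboard-interactive
      # authentication are switched off to remove the brute-force surface.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # Root may log in with a key but never with a password.
      PermitRootLogin = "prohibit-password";
    };
  };
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJXYJZfEOgccfCa3uQV9z2rHvGn4AuVnXbIDXv27HgEk vanilla@arch-xps"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOzk0SnRBJhpfNpPBgkReQoDpul2Egl2yJhRw7ldYEzF NixOS"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAoyFSuik6XRU2b+O4v9C1bc7rKJyjKgzUeaBaVNQKN6 vanilla-pinebook"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjTgUFIwo/mtoB1kyj1zJ4QxAwLAgdvvePGXmLqjeY1 vanilla@Daniels-MBP.home"
  ];

  security.acme = {
    defaults.email = "danila.fedorin@gmail.com";
    acceptTerms = true;
  };

  # Not referenced anywhere in this file; presumably used by the vhosts that
  # blog.virtualHostFor produces — verify before removing.
  users.groups.www = {};

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # Apply the module's curated TLS protocol/cipher settings to every TLS
    # vhost instead of relying on nginx's own, looser defaults.
    recommendedTlsSettings = true;
    virtualHosts = pkgs.lib.mkMerge allVirtualHosts;
  };

  # NOTE(review): the NixOS gitea module is believed to create this user and
  # group itself; these declarations look redundant but are harmless.
  users.groups.gitea = {};
  users.users.gitea = {
    group = "gitea";
    isSystemUser = true;
  };

  services.gitea = {
    enable = true;
    appName = "Daniel's Tiny Cup Of Tea";
    stateDir = "/var/lib/gitea";
    # Default database settings (sqlite3, 127.0.0.1, path) are all what we want.
    database = {};
    # Default server settings are fine, except we need to customize domain etc.
    settings.server = {
      DOMAIN = "dev.danilafe.com";
      ROOT_URL = "https://dev.danilafe.com";
      # Listen on loopback only: nginx is the sole intended client, so the
      # backend stays unreachable even if the firewall rules change later.
      HTTP_ADDR = "127.0.0.1";
      # false = Gitea may fetch some assets/avatars from external services.
      OFFLINE_MODE = false;
      # STATIC_ROOT_PATH = "/var/lib/gitea/data";
    };
    # Default settings are fine.
    # NOTE(review): nothing here sets service.DISABLE_REGISTRATION, so public
    # self-registration is whatever the default gives (Gitea's own default is
    # open sign-up). Set `DISABLE_REGISTRATION = true;` unless that is wanted.
    settings.service = {};
    # NixOS service overrides cookies to insecure, but Gitea default is secure
    settings.session = {
      COOKIE_SECURE = true;
      PROVIDER = "file";
    };
    settings.security = {
      # Keeps the web installer from ever being exposed, e.g. on a fresh stateDir.
      INSTALL_LOCK = true;
    };
    settings.indexer = {
      REPO_INDEXER_ENABLED = true;
    };
  };

  users.defaultUserShell = pkgs.zsh;
  programs.zsh.enable = true;
  programs.zsh.ohMyZsh = {
    enable = true;
    plugins = [ "git" ];
  };
}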