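# NixOS host configuration: imports the shared modules, sets mount and swap
# options, and runs Caddy (TLS certificates obtained through Tailscale) in
# front of the locally hosted services (Vaultwarden, Zipline).
#
# `hostName` is supplied by the caller of this module; `config` is accepted
# but not referenced in this file.
{ hostName, config, lib, ... }:

{
  imports = [
    ./hardware-configuration.nix
    ../../common/boot.nix
    ../../common/locales.nix
    ../../common/nix.nix
    ../../common/users.nix
    ../../modules/nixos/bash.nix
    ../../modules/nixos/tailscale.nix
  ];

  # Only the mount options are set here; the filesystems themselves are
  # presumably declared in hardware-configuration.nix.
  fileSystems = {
    "/".options = [ "compress=zstd" ];
    "/home".options = [ "compress=zstd" ];
    "/nix".options = [ "compress=zstd" "noatime" ];
    "/swap".options = [ "noatime" ];
  };

  swapDevices = [
    {
      device = "/swap/swapfile";
      size = 8192;
    }
  ];

  networking.hostName = hostName;

  # Force the default package set to empty so that only explicitly requested
  # packages are installed.
  environment.defaultPackages = lib.mkForce [ ];

  programs.git = {
    enable = true;
    config = {
      user = {
        name = "wo2wz";
        email = "189177184+wo2wz@users.noreply.github.com";
      };
      # This is the system-wide git config, so git's repository ownership
      # check is skipped for /etc/nixos for every user on the machine.
      # NOTE(review): confirm /etc/nixos is writable only by trusted accounts.
      safe.directory = "/etc/nixos";
    };
  };

  services = {
    # mkForce overrides any scheduler value set by the imported modules.
    scx.scheduler = lib.mkForce "scx_rusty";

    # Enabled with no tunnels defined in this file.
    cloudflared = {
      enable = true;
      tunnels = { };
    };

    caddy = {
      enable = true;
      virtualHosts = {
        # The admin rule uses a named matcher listing both /admin and /admin/*.
        # Caddy's `/admin/*` pattern alone does not match the bare `/admin`
        # path, so the login page itself would still be proxied.
        "drone.taild5f7e6.ts.net".extraConfig = ''
          encode

          # most of this doesnt matter but why not
          header {
            Strict-Transport-Security "max-age=31536000;"
            X-Frame-Options "SAMEORIGIN"
            X-Content-Type-Options "nosniff"

            -Server
            -X-Powered-By
          }

          # block connections to admin login (bare /admin and everything under it)
          @admin path /admin /admin/*
          respond @admin 403

          reverse_proxy localhost:8000
        '';

        # "example.com".extraConfig = ''
        #   encode
        #
        #   header {
        #     Strict-Transport-Security "max-age=31536000;"
        #     X-Frame-Options "DENY"
        #     X-Content-Type-Options "nosniff"
        #
        #     # nobody is gonna find this site through a search engine anyway
        #     X-Robots-Tag "noindex, nofollow"
        #
        #     -Server
        #     -X-Powered-By
        #   }
        #
        #   reverse_proxy localhost:3000
        # '';
      };
    };

    tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs

    vaultwarden = {
      enable = true;
      # NOTE(review): backups contain the vault database; confirm this
      # directory is not readable by unprivileged users.
      backupDir = "/var/backups/vaultwarden";
      # NOTE(review): the Caddy reverse_proxy above targets localhost:8000,
      # presumably this service. ROCKET_ADDRESS / ROCKET_PORT are not set
      # here, so confirm the listener is bound to loopback only and cannot
      # be reached without passing through Caddy.
      config = {
        DOMAIN = "https://drone.taild5f7e6.ts.net";
        SIGNUPS_ALLOWED = false;
      };
      # Given as a string rather than a Nix path literal, so the secrets are
      # not copied into the world-readable Nix store.
      # NOTE(review): confirm the file is root-owned and not group/world readable.
      environmentFile = "/var/secrets/vaultwarden/secrets.env";
    };

    zipline = {
      enable = true;
      # Same handling as the Vaultwarden secrets: a string path outside the store.
      # NOTE(review): confirm restrictive ownership and mode on this file.
      environmentFiles = [ "/var/secrets/zipline/secrets.env" ];
    };
  };

  system.stateVersion = "25.05";
}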