
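# Host "Drone": a small self-hosted services box.  vaultwarden and zipline
# run behind caddy; the only virtual host declared here is the tailnet name,
# so the services are reached over tailscale.
#
# `config` is accepted for module-signature compatibility but not read here.
{ hostName, config, lib, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ../../common/boot.nix
    ../../common/locales.nix
    ../../common/nix.nix
    ../../common/users.nix
    ../../modules/nixos/bash.nix
    ../../modules/nixos/tailscale.nix
  ];

  # Extra mount options only; the filesystems themselves are presumably
  # declared in hardware-configuration.nix.  compress=zstd is a btrfs option.
  fileSystems = {
    "/".options = [ "compress=zstd" ];
    "/home".options = [ "compress=zstd" ];
    "/nix".options = [ "compress=zstd" "noatime" ];
    "/swap".options = [ "noatime" ];
  };

  swapDevices = [{
    device = "/swap/swapfile";
    size = 8192; # megabytes
  }];

  # hostName is already a string; interpolating it into "${...}" was a no-op.
  networking.hostName = hostName;

  # Drop the implicit default package set so only explicitly declared
  # packages end up on the host.
  environment.defaultPackages = lib.mkForce [ ];

  programs.git = {
    enable = true;
    config = {
      user = {
        name = "wo2wz";
        email = "189177184+wo2wz@users.noreply.github.com";
      };
      # Relax git's "dubious ownership" check for the system config repo only.
      safe.directory = "/etc/nixos";
    };
  };

  services = {
    scx.scheduler = lib.mkForce "scx_rusty";

    cloudflared = {
      enable = true;
      # Service is enabled but no tunnels are declared in this file.
      tunnels = { };
    };

    caddy = {
      enable = true;
      virtualHosts = {
        "drone.taild5f7e6.ts.net".extraConfig = ''
          encode
          # most of this doesnt matter but why not
          header {
            Strict-Transport-Security "max-age=31536000;"
            X-Frame-Options "SAMEORIGIN"
            X-Content-Type-Options "nosniff"
            -Server
            -X-Powered-By
          }
          # block connections to admin login
          # Caddy path matchers are exact unless they end in "*": "/admin/*"
          # matches "/admin/..." but NOT "/admin" itself, which is where the
          # vaultwarden admin panel is served.  Match both spellings via a
          # named matcher.  This is proxy-level defence in depth only; the
          # panel stays disabled unless ADMIN_TOKEN is set in the env file.
          @admin path /admin /admin/*
          respond @admin 403
          reverse_proxy localhost:8000
        '';
        # "example.com".extraConfig = ''
        #   encode
        #   header {
        #     Strict-Transport-Security "max-age=31536000;"
        #     X-Frame-Options "DENY"
        #     X-Content-Type-Options "nosniff"
        #     # nobody is gonna find this site through a search engine anyway
        #     X-Robots-Tag "noindex, nofollow"
        #     -Server
        #     -X-Powered-By
        #   }
        #   reverse_proxy localhost:3000
        # '';
      };
    };

    tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs

    vaultwarden = {
      enable = true;
      backupDir = "/var/backups/vaultwarden";
      config = {
        # Must match the URL caddy serves the instance on.
        DOMAIN = "https://drone.taild5f7e6.ts.net";
        SIGNUPS_ALLOWED = false; # no open registration
      };
      # Secrets (ADMIN_TOKEN if any, etc.) are kept out of the world-readable
      # nix store; contents not visible from this file.
      environmentFile = "/var/secrets/vaultwarden/secrets.env";
    };

    zipline = {
      enable = true;
      # Same pattern as vaultwarden: secrets stay outside the nix store.
      environmentFiles = [ "/var/secrets/zipline/secrets.env" ];
    };
  };

  # Tracks the release the host was first installed with; do not bump casually.
  system.stateVersion = "25.05";
}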