nix_config/sys/platforms/vps/default.nix

{
  config,
  lib,
  pkgs,
  flakes,
  modulesPath,
  doctrine,
  ...
}:
with lib; {
  imports = [
    flakes.vpsadminos.nixosConfigurations.container
    flakes.home-manager.nixosModules.home-manager
    flakes.impermanence.nixosModule
    ./hardware-configuration.nix
    ./srv
    ./networkMap.nix
  ];

  
  local.soju = {
    enable = true;
    fullyQualifiedDomain = "soju.posixlycorrect.com";
  };

  local.sys = {
    baseline.enable = true;

    borgsync = {
      enable = true;
      paths = [
        "/var/lib/forgejo"
        "/var/lib/mealie"
        "/var/lib/trilium"
        "/var/lib/forgejo"
      ];
      repoName = "vps";
    };

    users.fabian = {
      enable = true;
      sshKeyPublicFile = [pki/id_ed25519.pub]; # move this out someday
    };
  };

  networking = {
    hostName = "vps";
    domain = "posixlycorrect.com";
  };

  services.openssh = {
    settings.PasswordAuthentication = false;
  };

  programs.mosh.enable = true;

  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;

    extraSpecialArgs = {
      inherit flakes;
      doctrine = flakes.trivionomicon.lib.mkDoctrine {
        inherit pkgs;
        inherit (doctrine) prefix;
        namespace = "home";
      };
    };

    users.fabian = {
      imports = [
        flakes.impermanence.nixosModules.home-manager.impermanence
        "${flakes.self}/home/platforms/fabian@vps"
        "${flakes.self}/home"
      ];
    };
  };

  networking.firewall.allowedUDPPorts = [51820]; #TODO

  systemd = {
    extraConfig = ''
      DefaultTimeoutStartSec=900s
    '';

    network = let
      inherit (config.local.sys) nets;
    in {
      enable = true;

      netdevs = {
        wg-vpn = {
          netdevConfig = {
            Name = "wg-vpn";
            Kind = "wireguard";
          };

          wireguardConfig = {
            PrivateKeyFile = "/var/trust/wg/vpn/key.priv";
            ListenPort = "51820";
          };

          wireguardPeers = [
            {
              PublicKey = "wwUp3Uu/rSxbp+6J745O+cpnZHGWOJYWfWEsTjRE3yU=";
              PresharedKeyFile = "/var/trust/wg/vpn/vps-posixlycorrect.psk";
              AllowedIPs = ["${nets.vpn-posixlycorrect.v6.cidr}"];
            }
            {
              PublicKey = "YFqg/ED26KygSRSmGzvUXpwnXPqMOI3R3caVfAtHVks=";
              PresharedKeyFile = "/var/trust/wg/vpn/vps-pixel8.psk";
              AllowedIPs = ["${nets.vpn-pixel8.v6.cidr}"];
            }
          ];
        };
      };

      networks = {
        wg-vpn = {
          name = "wg-vpn";

          networkConfig = {
            Address = [
              nets.vpn-vps.hosts.vps.v6.cidr
            ];
          };

          routes = [
            {
              Destination = nets.vpn.v6.cidr;
            }
            {
              Source = nets.vpn.v6.cidr;
            }
          ];
        };
      };
    };
  };

  time.timeZone = "Europe/Amsterdam";
}