# NixOS configuration for a Vultr development VPS.
# Hosts Matrix + Forgejo through the dev-platform module, with federation
# disabled. Values that look like placeholders (example.com, admin@example.com)
# are kept verbatim here.
{ config, pkgs, lib, ... }:

let
  # One deploy key is authorized for both root and admin; keeping it in a
  # single binding means a rotation touches exactly one line.
  deployKey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqHsgAuD/8LL6HN3fo7X1ywryQG393pyQ19a154bO+h delpad-2025";
in
{
  imports = [
    ../modules/dev-services.nix
    ./vultr-hardware.nix
  ];

  # ---------------------------------------------------------------------
  # Secrets (sops-nix), decrypted with the host's SSH key.
  # ---------------------------------------------------------------------
  sops = {
    defaultSopsFile = ../secrets/secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets = {
      "matrix-registration-token".mode = "0400";
      # NOTE(review): security.acme below uses a literal email, so nothing in
      # this file reads this secret. If "acme-email" is not present in
      # secrets.yaml, sops-nix fails at activation; confirm it is either
      # consumed by ../modules/dev-services.nix or can be dropped.
      "acme-email".mode = "0400";
    };
  };

  # ---------------------------------------------------------------------
  # Boot: legacy BIOS, GRUB on the MBR of the virtio root disk.
  # ---------------------------------------------------------------------
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
    efiSupport = false;
    useOSProber = false;
  };
  # virtio drivers needed in the initrd on Vultr instances.
  boot.initrd.availableKernelModules = [
    "virtio_pci"
    "virtio_blk"
    "virtio_net"
    "virtio_scsi"
  ];
  # Filesystems, swap and partitions come from ./vultr-hardware.nix.

  # ---------------------------------------------------------------------
  # Networking: DHCP only on ens3, firewall exposes the reverse proxy + SSH.
  # ---------------------------------------------------------------------
  networking = {
    hostName = "matrix";
    enableIPv6 = true;
    useDHCP = false;
    interfaces.ens3.useDHCP = true;

    firewall = {
      enable = true;
      allowPing = true;
      allowedTCPPorts = [
        22 # SSH
        80 # HTTP: ACME challenges and redirects
        443 # HTTPS
      ];
      # Suppresses kernel log lines for refused connections. This cuts noise
      # on a public VPS but also removes the only record of port probes, and
      # fail2ban only watches sshd, not the firewall.
      logRefusedConnections = false;
    };
  };

  # ---------------------------------------------------------------------
  # Accounts: key-only access for root and a wheel user.
  # ---------------------------------------------------------------------
  users.users = {
    root.openssh.authorizedKeys.keys = [ deployKey ];
    admin = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      openssh.authorizedKeys.keys = [ deployKey ];
    };
  };

  # ---------------------------------------------------------------------
  # Security: sudo, brute-force banning, TLS certificates.
  # ---------------------------------------------------------------------
  security = {
    # Passwordless sudo for wheel. Combined with key-only SSH this makes the
    # admin key fully root-equivalent; acceptable for a dev box, revisit
    # before reusing this file elsewhere.
    sudo.wheelNeedsPassword = false;

    # NOTE(review): not a stock NixOS option; presumably declared by
    # ../modules/dev-services.nix. Confirm it actually enables a jail.
    fail2ban-enhanced = {
      enable = true;
      bantime = "1h";
      maxretry = 3;
    };

    acme = {
      acceptTerms = true;
      # Literal email: security.acme has no emailFile option.
      defaults.email = "admin@example.com";
    };
  };

  # ---------------------------------------------------------------------
  # Services.
  # ---------------------------------------------------------------------
  services = {
    openssh = {
      enable = true;
      settings = {
        # Root may log in with a key but never with a password.
        PermitRootLogin = "prohibit-password";
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        X11Forwarding = false;
      };
      # Limits on auth attempts and idle sessions; these are appended to
      # sshd_config verbatim.
      extraConfig = ''
        MaxAuthTries 3
        MaxSessions 10
        ClientAliveInterval 300
        ClientAliveCountMax 2
      '';
    };

    # Matrix + Forgejo + Slack bridge, provided by ../modules/dev-services.nix.
    dev-platform = {
      enable = true;
      domain = "example.com";
      matrix = {
        enable = true;
        port = 8008;
      };
      forgejo = {
        enable = true;
        subdomain = "git";
        port = 3000;
      };
      slackBridge.enable = true;
    };

    # Netdata bound to loopback only, so it is never reachable from the
    # public interface even though the firewall would block it anyway.
    netdata = {
      enable = true;
      config.global."bind to" = "127.0.0.1";
    };
  };

  # ---------------------------------------------------------------------
  # Nix daemon: store hygiene and build settings.
  # ---------------------------------------------------------------------
  nix = {
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };

    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      max-jobs = "auto";
      cores = 0; # 0 = use every available core
      substituters = [ "https://cache.nixos.org" ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      ];
    };
  };

  # olm is marked insecure in nixpkgs; it is allowed here only because the
  # Matrix bridges still link against it. Keep this list to the exact version
  # so a future bump is a deliberate decision.
  nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];

  time.timeZone = "UTC";
  i18n.defaultLocale = "en_US.UTF-8";

  system.stateVersion = "24.11";
}