ops-jrz1/configuration.nix
Dan 0cbbb19da2 Allow olm-3.2.16 for mautrix bridges in production
- Add permittedInsecurePackages for deprecated olm library
- Required by mautrix-slack, mautrix-whatsapp, mautrix-gmessages bridges
- Acceptable risk for Matrix bridge functionality until alternatives available
2025-10-21 18:37:03 -07:00


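{ config, pkgs, ... }:

{
  # Main NixOS configuration for the ops-jrz1 server.
  # NOTE(review): the original header says host-specific configuration is
  # imported from hosts/ops-jrz1.nix, but this file has no `imports` list;
  # presumably that module is wired in elsewhere (e.g. by the flake) — confirm.

  # Boot loader: GRUB on legacy BIOS (Vultr VPS), installed to the MBR of /dev/vda.
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  # Network: DHCP is off globally and switched on for ens3 only.
  networking.useDHCP = false;
  networking.interfaces.ens3.useDHCP = true;

  # Time zone
  time.timeZone = "UTC";

  # Internationalization
  i18n.defaultLocale = "en_US.UTF-8";

  # Base tools installed system-wide.
  environment.systemPackages = with pkgs; [
    vim
    git
    htop
    curl
  ];

  # Enable the `nix` CLI and flakes.
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # SSH: key-only access. Root may log in, but never with a password.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      # PasswordAuthentication does not cover keyboard-interactive logins,
      # which stay enabled by default and can still prompt for a password
      # through PAM. Disable them so public keys are the only accepted method.
      KbdInteractiveAuthentication = false;
    };
  };

  # The single public key accepted for root. Anyone holding the matching
  # private key has full control of this host.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqHsgAuD/8LL6HN3fo7X1ywryQG393pyQ19a154bO+h delpad-2025"
  ];

  # Firewall: only the ports listed here are opened by this file.
  # Ports for Matrix services are still to be added.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
  };

  # ACME for Let's Encrypt certificates
  security.acme = {
    acceptTerms = true;
    defaults.email = "dlei@duck.com";
  };

  # Allow the deprecated olm library, which is flagged insecure (known CVEs),
  # because the mautrix bridges still require it.
  # - The entry is an exact name-version string, so a change of olm version
  #   makes evaluation fail again and forces this exception to be re-reviewed.
  # - The exception is not scoped to the bridges: any package evaluated with
  #   this nixpkgs config may use olm-3.2.16. Keep the list to this one entry.
  # - Remove the entry once the bridges no longer depend on olm.
  nixpkgs.config.permittedInsecurePackages = [
    "olm-3.2.16"
  ];

  # NixOS release whose stateful defaults this system follows; it is not the
  # installed version and should not be bumped as part of a routine upgrade.
  system.stateVersion = "24.05";
}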