nixos-config/sites/sunflower/configuration.nix

{ config, lib, pkgs, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  boot.initrd.supportedFilesystems = [ "zfs" ];
  boot.initrd.systemd.enable = true;
  services.zfs.autoScrub.enable = true;
  services.zfs.trim.enable = true;

  networking.hostName = "sunflower";
  networking.hostId = "77d68c52";
  networking.useNetworkd = true;
  systemd.network.enable = true;
  systemd.network.networks."30-wan" = {
    matchConfig.Name = "enp1s0";
    networkConfig.DHCP = "ipv4";
    address = [
      "2a01:4f9:c013:ce62::1/64"
    ];
    routes = [
      { Gateway = "fe80::1"; }
    ];
  };

  system.stateVersion = "24.11";

  security.sudo.wheelNeedsPassword = false;

  networking.firewall.allowedTCPPorts = [ 22 80 443 1337 1338 ];
  networking.firewall.allowedUDPPorts = [ 1337 1338 ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "audrey@rhelmot.io";
  };

  services.bingosync = {
    enable = true;
    domain = "celestebingo.rhelmot.io";
    socketsDomain = "sockets-celestebingo.rhelmot.io";
    databaseUrl = "postgres://%2Frun%2Fpostgresql/bingosync";
    extraPythonPackages = p: [ p.psycopg2 ];
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [
      "bingosync"
      "mspa"
    ];
    ensureUsers = [
      { name = "bingosync"; ensureDBOwnership = true; }
      { name = "mspa"; ensureDBOwnership = true; }
    ];
    authentication = pkgs.lib.mkOverride 10 ''
      #type database  DBuser  auth-method optional_ident_map
      local all  all     peer        map=defaultmap
    '';
    identMap = ''
      # ArbitraryMapName systemUser DBUser
       defaultmap      root      postgres
       defaultmap      postgres  postgres
       defaultmap      php-nginx     mspa
       defaultmap      bingosync bingosync
    '';
  };

  users.users.php-nginx = {
    isSystemUser = true;
    group = "php-nginx";
  };
  users.groups.php-nginx = {};

  services.phpfpm.pools.nginx = {
    user = "php-nginx";
    settings = {
      "pm" = "dynamic";
      "listen.owner" = config.services.nginx.user;
      "pm.max_children" = 5;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 1;
      "pm.max_spare_servers" = 3;
      "pm.max_requests" = 500;
    };
  };

  services.nginx = {
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "rhelmot.io" = {
        default = true;
        forceSSL = true;
        enableACME = true;
        root = "/var/www/rhelmot.io/";
        locations."/secret/" = {
          basicAuthFile = "/var/lib/rhelmot.io/secret";
        };
        locations."~ ^/MSPA/(.*\\.php|)$" = {
          extraConfig = ''
            fastcgi_pass  unix:${config.services.phpfpm.pools.nginx.socket};
            fastcgi_index index.php;
          '';
          index = "index.php index.html";
        };
      };
      "www.rhelmot.io" = {
        globalRedirect = "rhelmot.io";
        enableACME = true;
      };
      "blog.rhelmot.io" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          root = "/nix/var/nix/profiles/blog-rhelmot-io";
        };
      };
      "www.blog.rhelmot.io" = {
        globalRedirect = "blog.rhelmot.io";
        enableACME = true;
      };

      "bingosync.rhelmot.io" = {
        locations."/" = {
          proxyPass = "https://bingosync.com/";
          proxyWebsockets = true;
        };
      };
      # proxy conf generated by services.bingosync
      "celestebingo.rhelmot.io" = {
        enableACME = true;
        addSSL = true;
      };
      "sockets-celestebingo.rhelmot.io" = {
        enableACME = true;
        addSSL = true;
      };
      "www.celestebingo.rhelmot.io" = {
        globalRedirect = "celestebingo.rhelmot.io";
        enableACME = true;
      };

      "minal.rhelmot.io" = {
        forceSSL = true;
        enableACME = true;
        locations."/".root = "/var/www/minal.rhelmot.io/";
      };
      "www.minal.rhelmot.io" = {
        globalRedirect = "minal.rhelmot.io";
        enableACME = true;
      };
      "mimispastrypost.com" = {
        forceSSL = true;
        enableACME = true;
        locations."/".root = "/var/www/mimispastrypost.com/";
      };
      "www.mimispastrypost.com" = {
        globalRedirect = "mimispastrypost.com";
        enableACME = true;
      };
    };
  };

  systemd.services.spamkick = let
    src = pkgs.fetchFromGitHub {
      owner = "maddie480";
      repo = "SpamKick";
      rev = "9dd5b5e3cc78e2520b13a0875ae7ef264a5a52c5";
      hash = "sha256-ZjxnqIiXBaxrZwrCfDPVTpGmRxtrL5kc5ZcDUaQtbZo=";
    };
    env = pkgs.python3.withPackages (ps: with ps; [ discordpy ]);
  in {
    path = [ env ];
    script = ''
      export TOKEN="$(cat /var/lib/spamkick/token.txt)"
      exec python ${src}/main.py
    '';
    serviceConfig = {
      Type = "simple";
      Restart = "always";
    };
    wantedBy = [ "multi-user.target" ];
    environment = {
      LOG_CHANNEL_ID = "532689319350108160";
      CHANNEL_COUNT = "4";
      DELAY_SECONDS = "5";
      DEBUG = "0";
    };
  };
}