nixos-config/machine/vps.nix

{ config, lib, pkgs, ... }:
let
  secrets-desktop = import ../configs/secrets-desktop.nix;
  secrets = import ../configs/secrets.nix;
  be = import ../configs/borg-exclude.nix;
in
{
  imports =
    [
      /etc/nixos/hardware-configuration.nix
      ../configs/common.nix
      ../configs/docker.nix
      ../configs/user.nix
    ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only

  networking.hostName = "vps"; # Define your hostname.

  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  networking = {
    useDHCP = false;
#    defaultGateway = {
#     "address" = "gw.contabo.net";
#     "interface" = "ens18";
#    };
    interfaces.ens18 = {
      useDHCP = true;
#      ipv4.addresses = [ {
#        address = "207.180.220.97";
#        prefixLength = 24;
#      } ];
      ipv6.addresses = [ {
        address = "2a02:c207:3008:1547::1";
        prefixLength = 64;
      } ];
    };
    wireguard.interfaces = {
      wg0 = {
        ips = [ "10.100.0.1/24" ];
        listenPort = 51820;
        postSetup = ''
          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
        '';
        postShutdown = ''
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
        '';
        privateKey = secrets.wireguard-vps-private;
        peers = [{
          publicKey = secrets.wireguard-desktop-public;
          presharedKey = secrets.wireguard-preshared;
          allowedIPs = [ "10.100.0.2/32" ];
        }
          {
            publicKey = secrets.wireguard-mini-public;
            presharedKey = secrets.wireguard-preshared;
            allowedIPs = [ "10.100.0.3/32" ];
          }];
      };
    };

    nat = {
      enable = true;
      externalInterface = "ens18";
      internalInterfaces = [ "wg0" ];
    };
    firewall = {
      allowedTCPPorts = [ 80 443 22000 ];
      allowedUDPPorts = [ 80 443 51820 ];
      interfaces.wg0 = {
        allowedTCPPorts = [ 61208 19999 ];
      };
      # extraCommands = ''
      #   iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept
      # '';
    };
  };

  programs.mtr.enable = true;

  security.acme.email = "webmaster@szczepan.ski";
  security.acme.acceptTerms = true;

  services = {
    fail2ban = {
      enable = true;

      jails.DEFAULT =
        ''
          bantime  = 7d
        '';

      jails.sshd =
        ''
          filter = sshd
          maxretry = 4
          action   = iptables[name=ssh, port=ssh, protocol=tcp]
          enabled  = true
        '';
    };
    netdata.enable = true;
    syncthing = {
      user = "alex";
      group = "users";
      enable = true;
      dataDir = "/home/alex";
      configDir = "/home/alex/.config/syncthing";
    };

    borgbackup.jobs.home = rec {
      compression = "auto,zstd";
      encryption = {
        mode = "repokey-blake2" ;
        passphrase = secrets-desktop.borg-key;
      };
      extraCreateArgs = "--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
      environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
      paths = "/home/alex";
      repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg";
      startAt = "daily";
      # user = "alex";
      prune.keep = {
        daily = 7;
        weekly = 4;
        monthly = 6;
      };
      extraPruneArgs = "--save-space --list --stats";
      exclude = map (x: paths + "/" + x) be.borg-exclude;
    };
  };

  # Limit stack size to reduce memory usage
  systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;

  system.stateVersion = "21.05";
}