.dotfiles/dot_config/flake/machines/saffron/configuration.nix
Tyler Mayoff 3d60faba0e
fixed config
2025-12-06 20:24:17 -05:00


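{
  pkgs,
  outputs,
  ...
}: let
  # Read at evaluation time, so every value interpolated from it below ends up
  # in the Nix store (world-readable on the host). With a flake the source
  # tree, secrets.toml included, is copied to the store regardless. The
  # host-side way to keep the agent credentials out of the store is
  # virtualisation.oci-containers.containers.<name>.environmentFiles, the
  # same pattern Caddy already uses with environmentFile further down.
  secrets = builtins.fromTOML (builtins.readFile ./secrets.toml);

  # Tailnet node that actually runs the services fronted by this machine.
  serenity = "serenity.pizzly-bortle.ts.net";

  # Caddyfile fragment shared by every site: certificates are obtained with
  # the Cloudflare DNS-01 challenge, which is why port 80 is never opened.
  # CLOUDFLARE_API_TOKEN is supplied through services.caddy.environmentFile.
  cloudflareTls = ''
    tls {
      dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
  '';

  # A vhost that terminates TLS here and forwards plain HTTP to the given
  # port on serenity. The hop to the upstream stays inside the tailnet
  # (WireGuard), which is what makes unencrypted HTTP to it acceptable.
  proxyToSerenity = port: {
    extraConfig = cloudflareTls + "reverse_proxy ${serenity}:${toString port}\n";
  };
in {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  nixpkgs = {
    overlays = builtins.attrValues outputs.overlays;
    config = {
      allowUnfree = true;
      # Intentionally empty: nothing on this host needs an insecure package.
      permittedInsecurePackages = [];
    };
  };

  # GRUB 2 on the removable-media EFI path (no NVRAM entry), ESP mounted at /efi.
  boot.loader = {
    grub = {
      enable = true;
      efiSupport = true;
      efiInstallAsRemovable = true;
      device = "nodev";
    };
    efi.efiSysMountPoint = "/efi";
  };

  services.tailscale = {
    package = pkgs.unstable.tailscale;
    enable = true;
  };

  networking = {
    hostName = "saffron";
    # Only HTTPS is opened to the outside; everything else is reached via the tailnet.
    firewall.allowedTCPPorts = [443];
    nameservers = ["8.8.8.8" "8.8.4.4" "1.1.1.1"];
  };

  virtualisation.oci-containers = {
    backend = "docker";
    containers.baszel = {
      # Unpinned tag: each pull may fetch a different image. Pinning to a
      # digest (image@sha256:...) makes rebuilds reproducible and reviewable.
      image = "henrygd/beszel-agent:latest";
      autoStart = true;
      # KEY/TOKEN come from secrets.toml and therefore land in the generated
      # systemd unit in the store; see the note on `secrets` above.
      environment = {
        PORT = "45876";
        KEY = secrets.baszel_key;
        # Plain HTTP, but the path to serenity is tailnet-internal.
        HUB_URL = "http://${serenity}:8090";
        TOKEN = secrets.baszel_token;
      };
      # Mounting the Docker socket gives the agent full control of the daemon,
      # which is root-equivalent on this host -- presumably needed for
      # per-container stats (confirm). A Docker socket proxy that only exposes
      # the read endpoints would narrow that; a ":ro" mount would not, since
      # socket operations are not file writes.
      volumes = [
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
    };
  };

  # Caddy reverse proxy with DNS challenge. withPlugins pins the plugin build
  # by hash, so the fetched plugin source is verified at build time.
  services.caddy = {
    enable = true;
    package = pkgs.caddy.withPlugins {
      plugins = ["github.com/caddy-dns/cloudflare@v0.2.2"];
      hash = "sha256-ea8PC/+SlPRdEVVF/I3c1CBprlVp1nrumKM5cMwJJ3U=";
    };
    # Holds CLOUDFLARE_API_TOKEN. It is not part of the store, so the token is
    # not exposed through /nix/store; keep it root-only on the host.
    environmentFile = "/etc/caddy/environment";

    virtualHosts = {
      "rss.mayoff.ca" = proxyToSerenity 5600;
      "search.mayoff.ca" = proxyToSerenity 6000;
      "monitor.mayoff.ca" = proxyToSerenity 8090;
      "gitforge.mayoff.ca" = proxyToSerenity 3000;
      # NOTE(review): reverse_proxy speaks HTTP; an SSH listener on 3022 is
      # not reachable through this site unless something else (e.g. a
      # layer-4 proxy) handles it -- confirm what 3022 actually serves.
      "ssh.gitforge.mayoff.ca" = proxyToSerenity 3022;
      "immich.mayoff.ca" = proxyToSerenity 2283;
      "nextcloud.mayoff.ca" = proxyToSerenity 8100;
      # "documentserver.mayoff.ca" = proxyToSerenity 8101;
      "chat.mayoff.ca" = proxyToSerenity 8009;
      "media.mayoff.ca" = proxyToSerenity 8096;
      # Home Assistant lives on a different tailnet node and gets the original
      # client details forwarded. For it to honour these headers its own
      # reverse-proxy settings must trust this machine -- confirm on that node.
      "homeassistant.mayoff.ca".extraConfig = cloudflareTls + ''
        reverse_proxy homeassistant.pizzly-bortle.ts.net:8123 {
          header_up Host {upstream_hostport}
          header_up X-Real-IP {remote_host}
          header_up X-Forwarded-For {remote_host}
          header_up X-Forwarded-Proto {scheme}
          header_up X-Forwarded-Host {host}
        }
      '';
    };
  };

  # Set your time zone.
  time.timeZone = "America/Toronto";

  users.users.tyler = {
    isNormalUser = true;
    description = "tyler";
    extraGroups = ["wheel"];
    shell = pkgs.fish;
  };
  programs.fish.enable = true;

  # sshd with NixOS defaults: nothing here disables password authentication
  # or restricts root login. Worth tightening via services.openssh.settings
  # once key-based access for tyler is confirmed to work.
  services.openssh.enable = true;

  # Release this host was first installed with; it pins stateful defaults
  # (on-disk formats, database layouts) and must not be bumped on upgrades.
  system.stateVersion = "25.05";
}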