From d3c0b4cf3c8008f1c0637c8d5650b58e27d2fdbc Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Wed, 16 Mar 2022 23:47:14 +0100
Subject: [PATCH] Initial commit
---
 atlantis.nix | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 134 insertions(+)
 create mode 100644 atlantis.nix
diff --git a/atlantis.nix b/atlantis.nix
new file mode 100644
index 0000000..59ff530
--- /dev/null
+++ b/atlantis.nix
@@ -0,0 +1,134 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/vda";
+
+ networking.hostName = "atlantis.zotan.network";
+
+ time.timeZone = "Europe/Berlin";
+
+ networking.useDHCP = false;
+ networking.interfaces.enp1s0.ipv4.addresses = [{
+ address = "10.42.0.7";
+ prefixLength = 24;
+ }];
+
+ networking.interfaces.enp1s0.ipv6.addresses = [{
+ address = "2a01:4f8:241:5bb4:acab::2";
+ prefixLength = 64;
+ }];
+
+ networking.defaultGateway.address = "116.202.163.154";
+ networking.defaultGateway.interface = "enp1s0";
+ networking.defaultGateway6.address = "fe80::1";
+ networking.defaultGateway6.interface = "enp1s0";
+ networking.nameservers = ["1.1.1.1"];
+
+ users.users.zotan = {
+ home = "/home/zotan";
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ wget
+ nftables
+ htop
+ git
+ ];
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ };
+
+ users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWDArL4+m9kUmLyWcmUby5+CVrmBThP0KbQWep32+BF laura@zotan.network"];
+
+ services.caddy = {
+ enable = true;
+ globalConfig = ''
+ servers :443 {
+ protocol {
+ experimental_http3
+ }
+ }
+ '';
+ virtualHosts = {
+ "h3.zotan.pw" = {
+ extraConfig = ''
+ root * /var/www/sites/zotan.pw
+ encode gzip zstd
+ try_files /blog/posts/{path} {path}.php
+
+ file_server {
+ precompressed zstd br gzip
+ }
+
+ # "legacy" PHP
+ route {
+ # Add trailing slash for directory requests
+ @canonicalPath {
+ file {path}/index.php
+ not path */
+ }
+ redir @canonicalPath {path}/ 308
+
+ # If the requested file does not exist, try index files
+ @indexFiles file {
+ try_files {path} {path}/index.php
+ split_path .php
+ }
+ rewrite @indexFiles {http.matchers.file.relative}
+
+ # Proxy PHP files to the FastCGI responder
+ @phpFiles path *.php
+ reverse_proxy @phpFiles unix/${config.services.phpfpm.pools.caddy.socket} {
+ transport fastcgi {
+ split .php
+ }
+ }
+ }
+ '';
+ };
+ };
+ };
+
+ services.phpfpm.pools = {
+ caddy = {
+ user = "php";
+ group = "php";
+ phpPackage = pkgs.php;
+ settings = {
+ "listen.owner" = config.services.caddy.user;
+ "pm" = "dynamic";
+ "pm.max_children" = 75;
+ "pm.start_servers" = 10;
+ "pm.min_spare_servers" = 5;
+ "pm.max_spare_servers" = 20;
+ "pm.max_requests" = 500;
+ };
+ };
+ };
+
+ users.users.php = {
+ isSystemUser = true;
+ createHome = false;
+ group = "php";
+ };
+ users.groups.php = {};
+
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 443 ];
+
+ networking.firewall.package = pkgs.iptables-nftables-compat;
+
+ system.stateVersion = "21.11"; # Leave this alone
+}
\ No newline at end of file
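Review bot: The only login path this configuration actually provisions is direct root SSH: the ed25519 key is attached to `users.users.root.openssh.authorizedKeys.keys`, while `zotan` (a member of `wheel`) is given neither a key nor a password, so it can neither log in nor pass a sudo prompt, and `services.openssh.permitRootLogin` is left at its NixOS default, which at this stateVersion is, as far as I recall, `prohibit-password` and therefore still accepts key-based root logins. I would move the key to `users.users.zotan.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWDArL4+m9kUmLyWcmUby5+CVrmBThP0KbQWep32+BF laura@zotan.network" ];`, add `services.openssh.permitRootLogin = "no";`, and either set a `hashedPassword` for `zotan` or `security.sudo.wheelNeedsPassword = false;` so the wheel membership is usable and root is reachable only through sudo. The php-fpm pool already runs as its own `php` user with the socket owned by the Caddy user, which is the right privilege split; what is not visible here is the ownership of `/var/www/sites/zotan.pw`, and since the `try_files … {path}.php` / `@phpFiles path *.php` chain will execute any `.php` file that lands under that root, it should not be writable by `php`.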