{ depot, ... }: let inherit (depot.users.grfn) terraform ; in terraform.workspace "bbbg" { plugins = (p: with p; [ aws cloudflare ]); } { machine = terraform.nixosMachine { name = "bbbg"; instanceType = "t3a.small"; rootVolumeSizeGb = 250; extraIngressPorts = [ 80 443 ]; configuration = { pkgs, lib, config, depot, ... }: { imports = [ ./module.nix "${depot.third_party.agenix.src}/modules/age.nix" ]; services.openssh.enable = true; services.nginx = { enable = true; recommendedTlsSettings = true; recommendedOptimisation = true; recommendedGzipSettings = true; recommendedProxySettings = true; }; networking.firewall.enable = false; programs.zsh.enable = true; users.users.grfn = { isNormalUser = true; initialPassword = "password"; extraGroups = [ "wheel" "networkmanager" "audio" "docker" ]; shell = pkgs.zsh; openssh.authorizedKeys.keys = [ depot.users.grfn.keys.main ]; }; security.sudo.extraRules = [{ groups = [ "wheel" ]; commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }]; }]; nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 30d"; }; age.secrets = { bbbg.file = depot.users.grfn.secrets."bbbg.age"; }; services.bbbg.enable = true; services.bbbg.database.enable = true; services.bbbg.proxy.enable = true; services.bbbg.domain = "bbbg.gws.fyi"; security.acme.defaults.email = "root@gws.fyi"; security.acme.acceptTerms = true; }; }; dns = { data.cloudflare_zone.gws-fyi = { name = "gws.fyi"; }; resource.cloudflare_record.bbbg = { zone_id = "\${data.cloudflare_zone.gws-fyi.id}"; name = "bbbg"; type = "A"; value = "\${aws_instance.bbbg_machine.public_ip}"; proxied = false; }; }; }