@lostmsu
Created September 19, 2025 23:58
ungodly what if of Nix on .NET
using Sharpix.Workstation;
using Sharpix.Workstation.Syntax;
using static Sharpix.Workstation.Syntax.Expressions;
using static Sharpix.Workstation.Packages;
// Public hostname of the forge, and the local port that nginx proxies to and Gitea is told to serve on.
var giteaDomain = Domain("forge.example.net");
var giteaPort = TcpPort(3000);

// Address the TLS listener binds to, and the only sources admitted by the "WireGuard peers" firewall rule.
// Everything here sits in 2001:db8::/32, the IPv6 documentation prefix, so these are placeholders
// that must be replaced with the real addresses before the configuration is applied.
var publicIpv6 = Ip6Address("2001:db8:100:1::1");
var trustedPeers = Ip6Pool("2001:db8:100:2::2", "2001:db8:100:2::3");
// Backup unit: runs `gitea dump` into /var/backups/gitea as the unprivileged gitea account.
// NOTE(review): a Gitea dump bundles the repositories, the database export and the application
// configuration (which holds secrets), so the target directory should be readable by the gitea
// user only and the archives copied off-host. Nothing in this block sets the directory's
// ownership or mode - confirm where that is enforced.
var dumpCommand = Command.ForPackage(PackageRef.From("gitea").Name, "gitea", "dump --target /var/backups/gitea");
var dumpEnvironment = EnvVars(EnvVar("GITEA_WORK_DIR", "/var/lib/gitea"));

var giteaBackup = Service.Process("gitea-backup") with
{
    // NOTE(review): the description says "nightly", but no timer or schedule is attached here -
    // confirm what actually triggers the unit.
    Description = "Nightly Gitea snapshot",
    ExecStart = dumpCommand,

    // Run with the service account rather than root; never restarted after it exits.
    User = "gitea",
    Group = "gitea",
    Restart = RestartPolicy.No,
    Environment = dumpEnvironment,

    // NOTE(review): PostgreSQL is wanted but only gitea.service is listed for ordering. If these
    // map to systemd After=/Wants= (presumably - confirm), the dump could start before the
    // database is up; add postgresql.service to After as well.
    After = ["gitea.service"],
    Wants = ["postgresql.service"]
};
// Host definition for "edge-router": firewall, one admin account, packages, nginx in front of
// Gitea, PostgreSQL, an ACME certificate and weekly automatic upgrades.

// Inbound policy.
// NOTE(review): 53/tcp, 53/udp and 9418/tcp are opened, yet this file declares no DNS server and
// no git daemon. 9418 is the git:// protocol, which has neither authentication nor encryption.
// Close any port that has no service behind it.
// NOTE(review): the rule labelled "WireGuard peers" is built from TcpPort(51820); WireGuard uses
// UDP only, so as written the tunnel port is presumably still closed while an unused TCP port is
// opened. No WireGuard interface is declared in this file either - confirm the intent.
// NOTE(review): 22/tcp is open to every source; consider limiting SSH to trustedPeers.
var edgeFirewall = Firewall.Enabled with
{
    AllowedTcp = Ports(22, 53, 80, 443, 9418),
    AllowedUdp = Ports(53),
    Rules = [
        FirewallRule.AllowIpv6(TcpPort(51820)).From(trustedPeers).WithComment("WireGuard peers")
    ]
};

// The only interactive account. Membership of "wheel" presumably grants sudo - confirm.
// The key string is a truncated placeholder and must be replaced with the real public key.
var adminAccount = User.Normal("netadmin") with
{
    Mutable = false,
    Groups = ["wheel"],
    AuthorizedKeys = SshKeys("ssh-ed25519 AAAA...netadmin")
};

// nginx virtual host terminating TLS for the forge and proxying to the local Gitea port.
// NOTE(review): RedirectHttp is on and 80/tcp is open in the firewall, but the only port-80
// listener is loopback, so external clients presumably never reach the redirect. If the ACME
// client validates over HTTP-01, port 80 must also be reachable from outside - confirm.
var forgeVhost = NginxHost(giteaDomain.Value) with
{
    Listeners = [
        HttpListener.Loopback(80),
        HttpListener.Ssl(publicIpv6, 443)
    ],
    Certificates = CertPath($"/var/lib/acme/{giteaDomain.Value}/cert.pem", $"/var/lib/acme/{giteaDomain.Value}/key.pem"),
    Proxy = ReverseProxy.ToLocal(giteaPort, enableWebSockets: true),
    RedirectHttp = true
};

// Gitea itself, advertised under the HTTPS root URL and served on giteaPort.
// NOTE(review): no bind address is set here. If Gitea listens on all interfaces, the firewall is
// the only thing stopping clients from reaching port 3000 directly and bypassing TLS; bind it
// to loopback where the API allows.
var forgeService = Service.Gitea() with
{
    AppName = "Example Forge",
    Database = DatabaseBinding.Postgres("gitea"),
    DumpFormat = "tar.xz",
    Server = new ServerUrls
    {
        Root = $"https://{giteaDomain.Value}/",
        Domain = giteaDomain.Value,
        HttpPort = giteaPort.Value
    }
};

// PostgreSQL 16 with a dedicated database and an owning role for Gitea.
// How the gitea role authenticates is not visible in this file.
var forgeDatabaseServer = Database.Postgres("16") with
{
    EnsureDatabases = ["gitea"],
    EnsureUsers = [DatabaseUser("gitea", ownsDatabase: true)]
};

// ACME certificate for the forge domain; the nginx group is given access to the issued files.
// NOTE(review): the contact string is what the hosting page's e-mail obfuscation left behind,
// not an address - substitute the real ACME contact.
// NOTE(review): ReloadServices names the backup unit next to nginx. Reloading a dump job on every
// renewal looks unintended (the gitea service, or nginx alone, seems more likely) - confirm.
var forgeCertificate = Certificate.Acme("[email protected]") with
{
    Domains = [DomainCert(giteaDomain) with { Group = "nginx", ReloadServices = ServiceRefs(ServiceRef.From("nginx"), giteaBackup.Handle) }]
};

return Workstation("edge-router") with
{
    Imports = [Import.HomeManager()],
    Networking = Networking.Host("edge-router") with
    {
        Firewall = edgeFirewall
    },
    Users = [adminAccount],
    Packages = PackageSet("infra") with
    {
        Ids = [Git, PackageRef.From("wireguard-tools"), Htop, PackageRef.From("acme-sh"), PackageRef.From("nginx"), PackageRef.From("postgresql")],
        Bundles = [PackageBundle.DotNetSdk(8)]
    },
    Environment = EnvironmentBlock() with
    {
        Variables = EnvVars(EnvVar("GITEA_DATA", "/var/lib/gitea"))
    },
    Services = [
        // NOTE(review): what `agent: true` switches on is not visible here. If it enables SSH agent
        // forwarding, a compromised router could use the admin's forwarded keys - confirm and
        // disable unless needed. Also confirm password authentication is off, since 22 is public.
        Service.OpenSsh(agent: true, extraHosts: Array.Empty<SshHost>()),
        Service.Nginx() with
        {
            VirtualHosts = [forgeVhost]
        },
        forgeService,
        giteaBackup
    ],
    Databases = [forgeDatabaseServer],
    Certificates = [forgeCertificate],
    // Unattended weekly upgrades keep security fixes flowing without operator action.
    System = SystemProfile() with { AutoUpgrade = Schedule.Weekly }
};