@qknight
Created March 24, 2026 13:42
{ config, pkgs, ... }:
let
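ip6Address = "xxxx::2";
# Entrypoint that ttyd starts for each browser session. services.ttyd sets
# user = "root", so everything below runs as root until the final exec.
# Two paths:
#   * "root" / "joachim"  -> handed to login(1), which presumably performs its
#                            normal password authentication.
#   * any other valid name -> account is created on first use and entered via
#                            `su -` from root, i.e. without any password.
# The only access control in front of this script is whatever sits in front of
# ttyd (in this file: nginx basic auth on /ttyd/).
ttydEntrypoint = pkgs.writeScript "ttyd-entrypoint.sh" ''
  #!${pkgs.bash}/bin/bash
  set -euo pipefail
  # -r keeps backslashes literal, so the name is validated exactly as typed.
  read -r -p "Enter username: " username
  if [[ "$username" == "root" || "$username" == "joachim" ]]; then
    echo "Launching secure login for system user $username..."
    exec ${pkgs.shadow}/bin/login "$username"
  else
    # Validate username: only allow a-z,0-9, underscores; no dashes (for security)
    if ! [[ "$username" =~ ^[a-z_][a-z0-9_]*$ ]]; then
      echo "Invalid username. Only lowercase letters, numbers, and underscores allowed, and must not start with a digit."
      exit 1
    fi
    if id "$username" &>/dev/null; then
      # The name already exists. Because su is run by root it asks for no
      # password, so only accounts in the regular-user UID range may be
      # entered this way; service accounts that happen to match the name
      # pattern are refused. 1000 is the usual first non-system UID; adjust
      # if this host uses a different UID_MIN.
      uid=$(id -u "$username")
      if (( uid < 1000 )); then
        echo "Refusing passwordless login for system account $username."
        exit 1
      fi
    else
      echo "Creating user $username ..."
      # Create the account with a home directory (-m) and fish as login shell.
      # No password and no extra groups are passed to useradd.
      ${pkgs.shadow}/bin/useradd -m -s ${pkgs.fish}/bin/fish "$username"
    fi
    echo "Logging you in as $username (dynamic session, passwordless)..."
    exec ${pkgs.su}/bin/su - "$username"
  fi
'';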
in
{
# Machine-specific hardware settings are kept in a sibling file.
imports = [ ./hardware-configuration.nix ];

# Locale, time zone, documentation and shell basics.
i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];
time.timeZone = "UTC";
documentation.enable = false;
programs.fish.enable = true;

# BIOS/GRUB boot from the first disk; /tmp is wiped on every boot.
boot = {
  loader.grub = {
    enable = true;
    device = "/dev/sda"; # or "nodev" for efi only
  };
  tmp.cleanOnBoot = true;
};

nix.settings.experimental-features = [ "nix-command" "flakes" ];

# Static IPv6 address on ens3 with a link-local default gateway.
networking = {
  hostName = "git-training";
  interfaces.ens3.ipv6.addresses = [
    {
      address = ip6Address;
      prefixLength = 64;
    }
  ];
  defaultGateway6 = {
    address = "fe80::1";
    interface = "ens3";
  };
};
# Packages installed system-wide (find more with: nix search <name>).
# Every account on the host, including the ones the ttyd entrypoint creates
# on demand, gets these tools on its PATH.
environment.systemPackages = [
  pkgs.fish
  pkgs.nixfmt
  pkgs.vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
  pkgs.wget
  pkgs.mosh
  pkgs.tmux
  pkgs.rsync
  pkgs.dfc
  pkgs.lsof
  pkgs.jq
  pkgs.htop
  pkgs.goaccess
  pkgs.dua # du -sh .
  pkgs.tig
  pkgs.gitui
  pkgs.gitSVN
];
# Declared accounts. Only joachim is defined here; no password or SSH key is
# set for him in this file. The other accounts on this host are created
# imperatively by the ttyd entrypoint's useradd call.
# NOTE(review): that relies on users.mutableUsers staying at its default - confirm.
users = {
  defaultUserShell = pkgs.fish;
  users.joachim = {
    isNormalUser = true;
    home = "/home/joachim";
    description = "Joachim Schiele";
  };
};

# Compressed RAM swap.
zramSwap.enable = true;

# NOTE(review): the mosh module presumably opens its own UDP port range in the
# firewall even though allowedUDPPorts is empty - confirm that is intended.
programs.mosh.enable = true;
# sshd listens on two ports. No authentication settings are given here, so the
# module defaults for password and root login apply.
services.openssh.enable = true;
services.openssh.ports = [ 22 20202 ];

# Let's Encrypt account data used by the nginx virtual host.
security.acme.acceptTerms = true;
security.acme.defaults.email = "js@lastlog.de";

# Web terminal. The process runs as root and clients may type into it
# (writeable = true); the entrypoint script decides which account a visitor
# ends up in. ttyd itself has no credentials configured here, so the nginx
# basic-auth location in front of it is the only gate visible in this file.
# NOTE(review): no bind interface is set, so ttyd presumably listens on all
# addresses and only the firewall keeps port 7681 off the network. Consider
# restricting the listener to loopback, since nginx reaches it on 127.0.0.1.
services.ttyd.enable = true;
services.ttyd.port = 7681;
services.ttyd.writeable = true;
services.ttyd.user = "root";
services.ttyd.entrypoint = [ "${ttydEntrypoint}" ];
# TLS-terminating reverse proxy in front of ttyd. /ttyd/ is the only location
# defined and it is protected with HTTP basic auth.
services.nginx = {
  enable = true;
  recommendedGzipSettings = true;
  recommendedOptimisation = true;
  virtualHosts.git_training = {
    serverName = "test.example.com";
    serverAliases = [ "test.example.com" ];
    forceSSL = true;
    enableACME = true;
    locations."/ttyd/" = {
      proxyPass = "http://127.0.0.1:7681/";
      proxyWebsockets = true;
      # The htpasswd file is built with pkgs.writeText, so the hash ends up in
      # the Nix store, which every local account can read - including the
      # passwordless accounts the ttyd entrypoint creates. Keeping the file
      # outside the store (for example via a basicAuthFile path with tight
      # permissions) avoids exposing the hash to offline guessing.
      # The htpasswd invocation quoted below passes the password as a
      # command-line argument (-b); prefer the interactive prompt so it does
      # not land in shell history.
      extraConfig = ''
        auth_basic "ttyd secure area";
        # nix-shell -p apacheHttpd
        # htpasswd -nbB admin vvvvvvvvvvvv
        auth_basic_user_file ${pkgs.writeText "htpasswd" ''
          admin:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        ''};
      '';
    };
  };
};
# Inbound filter: only SSH (22) and HTTPS (443) are listed explicitly. Port
# 7681 is absent, so ttyd is meant to be reachable through nginx only.
# NOTE(review): the openssh module presumably opens its configured ports by
# itself, which would make 20202 reachable although it is not listed - confirm.
# NOTE(review): port 80 is not opened; if the ACME certificate is validated
# over HTTP, issuance and renewal need it - confirm renewals succeed.
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 22 443 ];
networking.firewall.allowedUDPPorts = [ ];

# Release whose stateful defaults this system was installed with.
system.stateVersion = "23.11";
}