feat: add traffic nix config

flake.nix

@@ -65,7 +65,7 @@
     in {
       nixosConfigurations = mkSystems [
         { hostname = "media"; system = "x86_64-linux"; isHeadless = true; }
-        { hostname = "vm"; system = "x86_64-linux"; isHeadless = true; }
+        { hostname = "traffic"; system = "x86_64-linux"; isHeadless = true; }
       ];
 
       darwinConfigurations = mkSystems [

hosts/nixos.nix

@@ -43,7 +43,13 @@
   };
 
   # Common services.
-  services.openssh.enable = true;
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+  };
   services.cron.enable = true;
   services.avahi = {
     enable = true;

hosts/traffic/configuration.nix

@@ -0,0 +1,46 @@
+{ pkgs, pkgs-unstable, modulesPath, hostname, user, ... }:
+
+let
+  serverHost = builtins.getEnv "SERVER_HOST";
+  email = builtins.getEnv "EMAIL";
+in {
+  imports = [
+    ../nixos.nix
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+  ];
+
+  proxmoxLXC = {
+    privileged = false;
+    manageHostName = false;
+  };
+
+  # Make initial login passwordless.
+  # https://nixos.org/manual/nixos/stable/options#opt-users.users._name_.initialHashedPassword
+  users.users.root.initialHashedPassword = "";
+  users.users.${user}.initialHashedPassword = "";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+
+  networking.hostName = hostname;
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = email;
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts.${serverHost} = {
+      addSSL = true;
+      enableACME = true;
+    };
+  };
+}

hosts/traffic/home.nix

@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  imports = [
+    ../../modules/direnv.nix
+    ../../modules/home.nix
+    ../../modules/scripts
+    ../../modules/zsh.nix
+  ];
+}